Default Provided Unbound Config Does Not Work With DnsCrypt

[kashalls]

Operating System

Raspberry Pi

Architecture

64-bit

Platform

Windows, Linux, Android

Project

Aduard Home, Wireguard, Unbound, DNScrypt

Browser

Chrome

Issue

Not working

Issue Description

Using the default configurations of Unbound <-> DNSCrypt causes an issue where Unbound will consistantly return a SERVFAIL.

Increasing the verbosity from 0 to 3 in the unbound.conf file results in these visible errors.

debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
debug: return error response SERVFAIL
debug: configured stub or forward servers failed -- returning SERVFAIL

debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
debug: tcp error for address 127.0.0.1 port 5353
debug: outnettcp got tcp error -1
debug: outnettcp got tcp error -1
debug: cache memory msg=66072 rrset=66072 infra=8402 val=66368 subnet=74504
debug: sending to target: <.> 127.0.0.1#5353

Using dig to check dnscrypt, it shows NOERROR on the responses. When I toggle forward-ssl-upstream: yes to no, this issue is resolved however the first request results in an over 300ms request time. Basic dns query results in 23msec.

Using Raspi 4B.

Unbound: Version 1.13.1

[welcome]

Thanks for opening your first issue here 🙋🕵️

[kashalls]

Tried updating to 1.17.0, was unsuccessful in getting it going. Continuing to get tcperror and a SERVFAIL status.

[trinib]

@kashalls hi

This issue does not reproduce for me

Version 1.13.1

powershell_Lg0xo2PHvk.mp4

Not sure why this is happening but can you try another port other than 5353 and see if same error occurs.

[kashalls]

@kashalls hi

This issue does not reproduce for me

Version 1.13.1

powershell_Lg0xo2PHvk.mp4

Not sure why this is happening but can you try another port other than 5353 and see if same error occurs.

I eventually got the latest build of unbound done and working but the same issue. I tried 6565 and 4200 and got the same result. I have a feeling it's certificate related but I lack the knowledge to debug this.

[kashalls]

@kashalls hi

This issue does not reproduce for me

Version 1.13.1

powershell_Lg0xo2PHvk.mp4
Not sure why this is happening but can you try another port other than 5353 and see if same error occurs.

I have been able to reproduce this issue quite considerably. Debating whether or not to try getting a public instance up to test my theory.

[trinib]

@kashalls you said

When I toggle forward-ssl-upstream: yes to no

apart from in default config which is forward-tls-upstream: yes which means tls security is not being used(which is better)

it baffles me to see DNScrypt to cause this issue. Forgive me for asking what was understood by you already, I would like to know if this happens with Stubby or cloudflared or unbound by itself.

[kashalls]

@kashalls you said

When I toggle forward-ssl-upstream: yes to no

apart from in default config which is forward-tls-upstream: yes which means tls security is not being used(which is better)

it baffles me to see DNScrypt to cause this issue. Forgive me for asking what was understood by you already, I would like to know if this happens with Stubby or cloudflared or unbound by itself.

I'd be willing to get in a call with you on something like Discord if you want to take a look at the instance. I had to switch to no in order for unbound to query dnscrypt.

[trinib]

If it does happen only with dnscrypt I suggest trying it on a vps if you can to rule out that it has nothing to do with your network.. this "SERVFAIL" error in unbound upstreams according in forums sounds like a DNS server side issue

[kashalls]

If it does happen only with dnscrypt I suggest trying it on a vps if you can to rule out that it has nothing to do with your network.. this "SERVFAIL" error in unbound upstreams according in forums sounds like a DNS server side issue

In a weird turn of events, on a seperate machine I installed ubuntu server (64bit) in a minimal configuration on a desktop pc of mine I use for testing. It setup immediately and did not have the issues I was presented on the Raspberry Pi 4B.

[kashalls]

In a extremely weird turn of events, rebooting now causes it to come up with the same SERVFAIL.

lsb_release -a

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy

DNScrypt-proxy: 2.1.2
Unbound: 1.13.1

Now trying a VPS approach.

[kashalls]

Used vultr to deploy a $5/mnth with Ubuntu 22.04.1. Issue still persists. I've tried changing the upstream servers in dnscrypt to quad9, no dice.

Process of Installation Taken:

1. Follow the entirety of this section: https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt#install-adguard-home-
2. follow the entirety of this https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt#install-adguard-home- and disabling DNSStubListener
3. Download unbound configuration from repo.
4. Follow https://github.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/wiki/Install-DNScrypt-proxy-(DoH)(oDoH)(Anonymized-DNS) as per document
5. Configure adguard with 127.0.0.1:53 and 127.0.0.1:5353 parallel requests
6. Reboot
7. dig @127.0.0.1 -p 53 google.com -> SERVFAIL

[trinib]

@kashalls i rebooted a couple times(fyi, my date is not set) i do not get SERVFAIL.

on your raspberry pi , check nano /etc/resolvconf.conf to see what is your nameservers

[kashalls]

@kashalls i rebooted a couple times(fyi, my date is not set) i do not get SERVFAIL.

on your raspberry pi , check nano /etc/resolvconf.conf to see what is your nameservers

Seems to be wrong, what should they be set to?

[trinib]

@kashalls hmmm you should have nameserver 127.0.0.1 in /etc/resolvconf. it should be added automatically after installing unbound

when you ping google.com you should be reachable to internet right ?

Do you have cloudflare dns on your router or somewhere else before installing unbound? My config shows:

# Generated by resolvconf

forward-zone:
        name: "."
        forward-addr: 192.168.100.1
        forward-addr: fe80::1%eth0

192.168.100.1 is my default gateway/dns address

can you add nameserver 127.0.0.1 using this guide https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt/wiki/Set-permanent-DNS-nameservers. Ping google and check if internet access if not try adding other nameserver in another line

[kashalls]

Followed instructions to the T.

As soon as I turn forward-tls-upstream from no to yes, SERVFAIL's begin showing up at the unbound side.

[trinib]

add nameserver 127.0.0.1 in /etc/resolvconf and check unbound again

[kashalls]

add nameserver 127.0.0.1 in /etc/resolvconf and check unbound again

Local DNS is now being resolved by the router.

Just the same output from unbound:

[1149:0] debug: outnettcp got tcp error -1
Oct 20 07:00:46 adguardhome unbound[1149]: [1149:0] debug: outnettcp got tcp error -1
Oct 20 07:00:46 adguardhome unbound[1149]: [1149:0] debug: outnettcp got tcp error -1

[trinib]

@kashalls Nice i see now you get no answer section with dig google.com @127.0.0.1 which really confirms nameserver 127.0.0.1 is not configured properly. I do not know why it do not set for you when unbound is installed🤷‍♂️ use this this guide https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt/wiki/Set-permanent-DNS-nameservers and set it from there and see if it works

and btw is 10.0.0.1 your home network default dns and gateway address ??

[kashalls]

@kashalls Nice i see now you get no answer section with dig google.com @127.0.0.1 which really means confirms nameserver 127.0.0.1 is not configured properly. I do not know why it do not set for you when unbound is installed🤷‍♂️ use this this guide https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt/wiki/Set-permanent-DNS-nameservers and set it from there and see if it works

and btw is 10.0.0.1 your home network default dns and gateway address ??

I have a Unifi Dream Machine Pro acting as my gateway, the Pi is on vlan 5 so that I may use iptables to force port 53 from my IOT devices lan to use adguard. So I have 5 subnets, each with its own gateway. 10.0.0.1 is the main main main gateway xD

What is the expected contents of /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

[trinib]

What is the expected contents of /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

i have

# Generated by resolvconf

forward-zone:
        name: "."
        forward-addr: 192.168.100.1
        forward-addr: fe80::1%eth0

192.168.100.1 is my default gateway/dns address

when you ping google is it reachable to internet ?

and what do you have when you run ifconfig ?

[kashalls]

and what do you have when you run ifconfig ?

when you ping google is it reachable to internet ?
Yes.

PING  (142.250.72.206) 56(84) bytes of data.
64 bytes from sfo03s21-in-f14.1e100.net (142.250.72.206): icmp_seq=1 ttl=56 time=18.3 ms
64 bytes from sfo03s21-in-f14.1e100.net (142.250.72.206): icmp_seq=2 ttl=56 time=18.0 ms

Tried all above suggestions, not entirely sure where the problem lies now. For now, turning of tls upstream in unbound allows everything to work.

[trinib]

@kashalls hmm i rule out its a issue with UniFi cause you mention earlier you used vultr vps and have the same issue ?? my account is currently closed on vultur lol. can you create a new machine on vultr and send me login details at trinib.tt@gmail.com and let me install it and see if issue still occurs

[kashalls]

Sure, I will have it done later today.

[trinib]

@kashalls everything seems to be working fine on vps, test it out for yourself. It looks like you did not follow this guide.

When i installed unbound on this machine it do not set nameserver 127.0.0.1 in /etc/resolv.conf. So resolv package needs to install to set it but when it does you lose internet to host and setting permanent nameserver is needed to regain internet. Before unbound nameserver was set, the machine default nameserver was 127.0.0.53 which can be added to fix, or the IPv4 address can be used as well👍

[trinib]

if you still get server error, something is wrong on your network side with router or something.

[kashalls]

@kashalls everything seems to be working fine on vps, test it out for yourself. It looks like you did not follow this guide.

When i installed unbound on this machine it do not set nameserver 127.0.0.1 in /etc/resolv.conf. So resolv package needs to install to set it but when it does you lose internet to host and setting permanent nameserver is needed to regain internet. Before unbound nameserver was set the machine default nameserver was 127.0.0.53 which can be added to fix, or the IPv4 address can be used as well👍

Hmm 🤔 I was confused when you got to the unbound part. Were you able to get it setup to forward to dnscrypt?

[kashalls]

First thing I notice is that there is no /etc/unbound/unbound.conf.d/ resolvconf_resolvers.conf is not present as it is on rpi.

Actually, you had enabled the unbound config for both dnscrypt and cloudflare, so unbound was using your cloudflare config to resolve dns. As soon as I commented out that, it started resolving to SERVFAIL.

[trinib]

You absolutely need to add in forward zone, a dns server that uses port 853 in unbound config for DoT to work .

Forwarding to DNScrypt(127.0.0.1:5353) uses DoH from dnscrpyt servers

although its same cloudflare. it is using different servers and security protocol👍

[kashalls]

You absolutely need to add in forward zone, a dns server that uses port 853 in unbound config for DoT to work .

Forwarding to DNScrypt(127.0.0.1:5353) uses DoH from dnscrpyt servers

although its same cloudflare. it is using different servers and security protocol👍

So you have to enable BOTH DoT and DoH on Unbound, otherwise you can't use DNSCrypt?

I was under the impression you could only use just oDoH by forwarding to just dnscrypt.

[trinib]

So you have to enable BOTH DoT and DoH on Unbound, otherwise you can't use DNSCrypt?

using dnscrypt(port 5353) in unbound(port 53) forward queries from dnscrypt listen interface - 127.0.0.1:5353. yes dnscrypt can work without unbound, If you want to use it only replace port 5353 with 53 in dnscrypt config so 127.0.0.1:53 which was unbound local cache is now dnscrypt local cache

[kashalls]

I still want to use Unbound as a cache, the way I understood it was that it was: Adguard Home -> Unbound -> DNSCrypt-Proxy.

On the server, you had both forwarding addr's for dnscrypt doh and cloudflare dot like so:

The thing I am trying to understand is that in this configuration, nothing is ever resolved by dnscrypt. No traffic, no logs nothing. Whenever unbound queries this, it gets the tcperror interally, results in a SERVFAIL if dnscyrpt is the only forwarding-addr.

[trinib]

The thing I am trying to understand is that in this configuration, nothing is ever resolved by dnscrypt. No traffic, no logs nothing. Whenever unbound queries this, it gets the tcperror interally, results in a SERVFAIL if dnscyrpt is the only forwarding-addr.

you can use logs and get queries from unbound but im not sure if there is a way to show queries of dnscrpyt in unbound logs itself. if you are using unbound from package manager you need to create log file in /var/log/unbound.log using touch command and set permission sudo chown unbound:unbound /var/log/unbound.log and restart unbound.

ps : You can use tail -f /var/log/unbound.log to see logs read in realtime

you can get dnscrypt query logs in /var/log/dnscrypt-proxy/query.log and you will see queries. Here is wiki for more test https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Checking

not sure you can see what dnsscypt is querying from unbound to know it works but I see in logs it selects server ip4/ipv6 127.0.0.1 port 5353 in DelegationPoint that has rtt(round-trip time) which mean it is receiving a response

[1666447115] unbound[2443:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1666447115] unbound[2443:0] info: processQueryTargets: . DNSKEY IN
[1666447115] unbound[2443:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 1
[1666447115] unbound[2443:0] info: DelegationPoint<.>: 0 names (0 missing), 6 addrs (6 result, 0 avail) parentNS
[1666447115] unbound[2443:0] debug:   [cloudflare-dns.com] ip6 2606:4700:4700::1001 port 853 (len 28)
[1666447115] unbound[2443:0] debug:   [cloudflare-dns.com] ip6 2606:4700:4700::1111 port 853 (len 28)
[1666447115] unbound[2443:0] debug:   [cloudflare-dns.com] ip4 1.0.0.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug:    ip6 ::1 port 5353 (len 28)
[1666447115] unbound[2443:0] debug:    ip4 127.0.0.1 port 5353 (len 16)
[1666447115] unbound[2443:0] debug: attempt to get extra 3 targets
[1666447115] unbound[2443:0] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
[1666447115] unbound[2443:0] debug:    rtt=518
[1666447115] unbound[2443:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug:    rtt=376
[1666447115] unbound[2443:0] debug: servselect ip4 127.0.0.1 port 5353 (len 16)
[1666447115] unbound[2443:0] debug:    rtt=752
[1666447115] unbound[2443:0] debug: selrtt 376
[1666447115] unbound[2443:0] info: sending query: . DNSKEY IN
[1666447115] unbound[2443:0] debug: sending to target: <.> 127.0.0.1#5353

[trinib]

@kashalls

results in a SERVFAIL if dnscyrpt is the only forwarding-addr.

i tried using dnscrypt only and i still do not get SERVFAIL.

powershell_Wv2wBOhQeS.mp4

[trinib]

@kashalls i get SERVFAIL with dig @127.0.0.1 google.com cause like what is said in #59 (comment)

also according to unbound docs

[kashalls]

Oh okay it makes more sense to me now. Thanks for helping out I appreciate it.