Default Provided Unbound Config Does Not Work With DnsCrypt #59
Comments
Tried updating to 1.17.0, was unsuccessful in getting it going. Continuing to get tcperror and a SERVFAIL status.

@kashalls hi. This issue does not reproduce for me. Version 1.13.1
powershell_Lg0xo2PHvk.mp4
Not sure why this is happening, but can you try another port other than

I eventually got the latest build of unbound done and working but the same issue. I tried 6565 and 4200 and got the same result. I have a feeling it's certificate related but I lack the knowledge to debug this.

I have been able to reproduce this issue quite considerably. Debating whether or not to try getting a public instance up to test my theory.

@kashalls you said
apart from in default config which is it baffles me to see DNScrypt to cause this issue. Forgive me for asking what was understood by you already, I would like to know if this happens with Stubby or cloudflared or unbound by itself.

I'd be willing to get in a call with you on something like Discord if you want to take a look at the instance. I had to switch to no in order for unbound to query dnscrypt.

If it does happen only with dnscrypt, I suggest trying it on a VPS if you can, to rule out that it has nothing to do with your network. This "SERVFAIL" error in unbound upstreams, according to forums, sounds like a DNS server side issue.

In a weird turn of events, on a separate machine I installed Ubuntu server (64bit) in a minimal configuration on a desktop PC of mine I use for testing. It set up immediately and did not have the issues I was presented on the Raspberry Pi 4B.

In an extremely weird turn of events, rebooting now causes it to come up with the same SERVFAIL.
DNScrypt-proxy: Now trying a VPS approach.

Used Vultr to deploy a $5/mnth with Ubuntu 22.04.1. Issue still persists. I've tried changing the upstream servers in dnscrypt to quad9, no dice. Process of Installation Taken:

@kashalls I rebooted a couple times (fyi, my date is not set); I do not get SERVFAIL. On your Raspberry Pi, check

Seems to be wrong, what should they be set to?

@kashalls hmmm, you should have when you Do you have Cloudflare DNS on your router or somewhere else before installing unbound? My config shows:
192.168.100.1 is my default gateway/DNS address. Can you add

Followed instructions to the T. As soon as I turn

add

@kashalls Nice, I see now you get no answer section with and btw, is 10.0.0.1 your home network default DNS and gateway address??

I have a Unifi Dream Machine Pro acting as my gateway, the Pi is on vlan 5 so that I may use iptables to force port 53 from my IOT devices lan to use adguard. So I have 5 subnets, each with its own gateway. 10.0.0.1 is the main main main gateway xD What is the expected contents of

I have
192.168.100.1 is my default gateway/DNS address. When you ping Google, is it reachable to internet? And what do you have when you run

Tried all above suggestions, not entirely sure where the problem lies now. For now, turning off TLS upstream in unbound allows everything to work.

@kashalls hmm, I rule out it's an issue with UniFi because you mentioned earlier you used a Vultr VPS and have the same issue?? My account is currently closed on Vultr lol. Can you create a new machine on Vultr and send me login details at trinib.tt@gmail.com and let me install it and see if the issue still occurs?

Sure, I will have it done later today.

@kashalls everything seems to be working fine on the VPS, test it out for yourself. It looks like you did not follow this guide. When I installed unbound on this machine it did not set

If you still get server error, something is wrong on your network side with the router or something.

Hmm 🤔 I was confused when you got to the unbound part. Were you able to get it set up to forward to dnscrypt?

First thing I notice is that there is no
Actually, you had enabled the unbound config for both dnscrypt and cloudflare, so unbound was using your cloudflare config to resolve dns. As soon as I commented out that, it started resolving to SERVFAIL.

You absolutely need to add in forward zone a DNS server that uses port 853 in unbound config for DoT to work. Forwarding to DNScrypt (127.0.0.1:5353) uses DoH from dnscrypt servers; although it's the same Cloudflare, it is using different servers and security protocol 👍

So you have to enable BOTH DoT and DoH on Unbound, otherwise you can't use DNSCrypt? I was under the impression you could only use just oDoH by forwarding to just dnscrypt.

Using dnscrypt (port 5353) in unbound (port 53) forwards queries from the dnscrypt listen interface - 127.0.0.1:5353. Yes, dnscrypt can work without unbound. If you want to use it only, replace port 5353 with 53 in dnscrypt config, so 127.0.0.1:53, which was unbound local cache, is now dnscrypt local cache.

You can use logs and get queries from unbound, but I'm not sure if there is a way to show queries of dnscrypt in unbound logs itself. If you are using unbound from package manager you need to create log file in ps : You can use you can get dnscrypt query logs in not sure you can see what dnscrypt is querying from unbound to know it works but I see in logs it selects server

I tried using dnscrypt only and I still do not get SERVFAIL.
powershell_Wv2wBOhQeS.mp4

@kashalls I get SERVFAIL with

Oh okay it makes more sense to me now. Thanks for helping out I appreciate it.

Operating System: Raspberry Pi
Architecture: 64-bit
Platform: Windows, Linux, Android
Project: AdGuard Home, Wireguard, Unbound, DNScrypt
Browser: Chrome
Issue: Not working
Issue Description
Using the default configurations of Unbound <-> DNSCrypt causes an issue where Unbound will consistently return a SERVFAIL. Increasing the verbosity from 0 to 3 in the unbound.conf file results in these visible errors.
Using dig to check dnscrypt, it shows NOERROR on the responses. When I toggle forward-ssl-upstream: yes to no, this issue is resolved; however, the first request results in an over 300ms request time. Basic dns query results in 23msec.
Using Raspi 4B.
Unbound:
Version 1.13.1
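
A check for the condition in the issue description above, where switching forward-ssl-upstream from yes to no made the SERVFAIL go away: this is an added example, not code from the project or from anyone in the thread, that parses an unbound.conf and reports forward zones that force TLS onto a loopback forwarder such as dnscrypt-proxy at 127.0.0.1 port 5353. It assumes the loopback listener speaks plain DNS, as dnscrypt-proxy's local listener does; the sample configs and function names are constructed for illustration.

```python
import re

# Constructed sample: the reported setup, TLS forced onto the dnscrypt-proxy hop.
BROKEN = """\
server:
    verbosity: 3
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 127.0.0.1@5353
"""
# Constructed sample: the reporter's workaround, plain DNS on the loopback hop.
FIXED = BROKEN.replace("forward-ssl-upstream: yes", "forward-ssl-upstream: no")

TLS_KEYS = {"forward-tls-upstream", "forward-ssl-upstream"}  # same option, two spellings

def parse_forward_zones(text):
    """Return one dict per forward-zone clause: name, TLS flag, forward-addr list."""
    zones, cur = [], None
    for raw in text.splitlines():
        # '#' starts a comment only at a token boundary; it is also the
        # separator before the TLS auth name inside a forward-addr value.
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if not key:
            continue
        if not val:  # clause header such as "server:" or "forward-zone:"
            cur = None
            if key == "forward-zone":
                cur = {"name": None, "tls": False, "addrs": []}
                zones.append(cur)
        elif cur is not None:
            if key == "name":
                cur["name"] = val
            elif key in TLS_KEYS:
                cur["tls"] = (val == "yes")
            elif key == "forward-addr":
                cur["addrs"].append(val)
    return zones

def is_loopback(addr):
    host = addr.split("@")[0].split("#")[0]
    return host.startswith("127.") or host == "::1"

def tls_to_loopback(text):
    """Names of forward zones that force TLS onto a loopback forwarder."""
    return [z["name"] for z in parse_forward_zones(text)
            if z["tls"] and any(is_loopback(a) for a in z["addrs"])]
```

With TLS off on the loopback hop, queries are still encrypted on the way out by dnscrypt-proxy; only the hop between Unbound and the local proxy is plain DNS.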