Hi! i am selfhosting my services and using a DNSMasq setup to provide ad-blocking to my home network.
I was thinkering with Unbound to add a fully independent DNS resolver and not depend on Google/Adblock/Whatever upstream DNS server but i am unable to make Unbound work.
Top Level Domains (like com, org…) are resolved fine, but anything at second level doesn’t. I am using “dig” (of course i am on linux) and Unbound logging to find out what’s going on, but i am at a loss.
Could be my ISP blocking my requests? If i switch back to google DNS (for example) all works fine, but using my Unbound will only resolve TLDs and some random names. For example, it will resolve google.com but not kde.org…
Edit: somehow fixed by nuking config file and starting over.
this might be what your looking for -> https://docs.pi-hole.net/guides/dns/unbound/
I have followed this guide, but still no way. “it” is resolved, but “polito.it” does not resolve, for example.
what does your trace give? You are setting up a recursive resolver, make sure settings allow for this
not sure your example domain is the best, can you lookup hrowood.biz?
Old thread, but I have somehow solved by reinstalling unbound and nuking the old config file…
Assuming you are logged in to the server running unbound, are the ns for .it reachable? Do all .com domains work and no .org?
Can you run dig +trace on a domain that doesn’t work
What do the Unbound logs say?
What upstream servers are you using?
not depend on Google/Adblock/Whatever upstream DNS server
I mean, you’re gonna have to get your DNS information somewhere. You can choose and pick your upstream but you still need one. You can cache the DNS info but you will still need to refresh it eventually. You can use a DoT or DoH upstream server so your ISP cannot spy on your DNS traffic but, again, you still need an upstream.
I want to go directly to the source, i mean, if i want to resolve, for example www.polito.it, i want to ask “it”, then “polito.it”… This is what Unbound should be doing.
Instead, i can resolve it:
server /etc # dig it @127.0.0.1 ; <<>> DiG 9.16.48 <<>> it @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59860 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;it. IN A ;; AUTHORITY SECTION: it. 3194 IN SOA dns.nic.it. hostmaster.nic.it. 2024062114 10800 900 604800 3600 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Jun 21 14:50:06 CEST 2024 ;; MSG SIZE rcvd: 86
Instead i cannot resolve polito.it:
server /etc # dig polito.it @127.0.0.1 ; <<>> DiG 9.16.48 <<>> polito.it @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60832 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;polito.it. IN A ;; Query time: 1180 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Jun 21 14:50:40 CEST 2024 ;; MSG SIZE rcvd: 38
Nothing appears in the logs. It resolve fine using 8.8.8.8 as upstream DNS.
polito.it
may not be the best example because itsA
records point at private IPs (192.168.x.x). Such records are often filtered by ISP DNS servers because they are used in certain kinds of attacks.Double check your results using DNSChecker.
Edit: also, using just
dig
will not resolve all possible records related to a domain. I use a script that asks dig explicitly for a variety of record types:#!/bin/bash echo "SOA NS A AAAA MX CNAME TXT SRV DNSKEY"|\ xargs -n1 dig +noall +answer +nocrypto "$@"|\ sort -u -k4