unbound_v6
  root@cloudns0:~# cat /etc/resolv.conf
  search xxx.net
  nameserver xxx.4.77.135
  nameserver 2403:4000:0:2::2
  root@cloudns0:~# ifconfig
  ens13: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
          inet xxx.4.77.135  netmask 255.255.255.192  broadcast xxx.4.77.191
          inet6 fe80::a800:ff:fe79:5a1  prefixlen 64  scopeid 0x20<link>
          inet6 2403:4000:0:2::2  prefixlen 64  scopeid 0x0<global>
          ether aa:00:00:79:05:a1  txqueuelen 1000  (Ethernet)
          RX packets 213715417  bytes 14053348903 (13.0 GiB)
          RX errors 0  dropped 1  overruns 0  frame 0
          TX packets 9511552  bytes 958058087 (913.6 MiB)
          TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

  lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
          inet 127.0.0.1  netmask 255.0.0.0
          inet6 ::1  prefixlen 128  scopeid 0x10<host>
          loop  txqueuelen 1000  (Local Loopback)
          RX packets 78633600  bytes 7941971840 (7.3 GiB)
          RX errors 0  dropped 0  overruns 0  frame 0
          TX packets 78633600  bytes 7941971840 (7.3 GiB)
          TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


  root@cloudns0:~# cat /etc/network/interfaces
  # This file describes the network interfaces available on your system
  # and how to activate them. For more information, see interfaces(5).
  source /etc/network/interfaces.d/*

  # The loopback network interface
  auto lo
  iface lo inet loopback

  # The primary network interface
  allow-hotplug ens13
  iface ens13 inet static
      address 210.xxx.77.1xxx/26
      gateway 210.xxx.77.129
      # dns-* options are implemented by the resolvconf package, if installed
      dns-nameservers 210.4.77.135
      dns-search bdcom.net
  iface ens13 inet6 static
      address 2403:xxx:0:2::2
      netmask 64
      gateway 2403:xxx:0:2::1
      dns-nameservers 2403:xxx:0:2::2
  root@cloudns0:~# cat /etc/unbound/unbound.conf
  # Unbound configuration file for Debian.
  #
  # See the unbound.conf(5) man page.
  #
  # See /usr/share/doc/unbound/examples/unbound.conf for a commented
  # reference config file.
  #
  # The following line includes additional configuration files from the
  # /etc/unbound/unbound.conf.d directory.
  include: "/etc/unbound/unbound.conf.d/*.conf"
  # The configuration file is located at /etc/unbound/unbound.conf. Configure the
  # interfaces to listen on with the "interface" directive; 0.0.0.0 instructs
  # unbound to listen on all IPv4 interfaces (and ::0 on all IPv6 interfaces).
  #
  # Everything below is a server option and must sit under a server: clause.
  server:
  # Enable logs
  verbosity: 1 # increase to get more
  logfile: /var/log/unbound/unbound.log
  log-queries: yes
  # chroot: ""
  # logfile: /var/log/unbound.log
  # verbosity: 1
  # log-queries: yes
  #interface: 0.0.0.0@53
  #interface: ::/0@53
  interface: 0.0.0.0@53
  interface: ::0@53
  # DNS request port, IP and protocol
  port: 53
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes
  # Set up the clients that may make recursive queries:
  # Authorized IPs to access the DNS server. The most specific matching netblock
  # wins, so the 0.0.0.0/0 refuse line is the catch-all for everything else.
  access-control: 0.0.0.0/0 refuse
  access-control: 127.0.0.1 allow
  access-control: ::1 allow
  access-control: 210.4.64.0/24 allow
  access-control: 210.4.77.0/24 allow
  access-control: 10.255.0.0/16 allow
  access-control: 2403:4000::/32 allow
  # To require DNSSEC data for trust-anchored zones, use the "harden-dnssec-stripped" option:
  harden-dnssec-stripped: yes
  # Configure the TTLs for the DNS cache in seconds. It is good practice not to keep
  # the minimum higher than an hour, since that can mean serving stale data that has
  # since changed, especially for hostnames that resolve to dynamic IP addresses.
  #
  cache-min-ttl: 3600
  cache-max-ttl: 86400
  # Performance tuning parameters, to be set according to the number of clients that
  # will depend on this server and the hardware it runs on. My unbound server is on a
  # 512MB 1vcpu VM and will only serve requests for clients within my home network,
  # so I have deliberately tuned these down.
  #
  num-threads: 2
  msg-cache-slabs: 4
  rrset-cache-slabs: 4
  infra-cache-slabs: 4
  key-cache-slabs: 4
  rrset-cache-size: 128m
  msg-cache-size: 32m
  so-rcvbuf: 1m
  # Let's now set up the private domain for which this DNS server will be the
  # authority. Add every local host in your network that this server should be
  # authoritative for as local-data entries like the ones below.
  #
  #private-domain: "home.asrivas.me"
  #local-zone: "home.asrivas.me" static
  #local-data: "webserver.home.asrivas.me IN A 192.168.1.143"
  # One really useful aspect of running your own DNS server is the ability to block
  # a number of ad servers by creating a blackhole for those domains. This is
  # especially useful for mobile devices, where ad blocking is hard to configure.
  # The following servers serve the majority of the ads on the internet:
  local-zone: "doubleclick.net" redirect
  local-data: "doubleclick.net A 127.0.0.1"
  local-zone: "googlesyndication.com" redirect
  local-data: "googlesyndication.com A 127.0.0.1"
  local-zone: "googleadservices.com" redirect
  local-data: "googleadservices.com A 127.0.0.1"
  local-zone: "google-analytics.com" redirect
  local-data: "google-analytics.com A 127.0.0.1"
  local-zone: "ads.youtube.com" redirect
  local-data: "ads.youtube.com A 127.0.0.1"
  local-zone: "adserver.yahoo.com" redirect
  local-data: "adserver.yahoo.com A 127.0.0.1"
  local-zone: "ask.com" redirect
  local-data: "ask.com A 127.0.0.1"
  # Lastly, set up forwarding of the queries this server cannot answer itself to
  # the appropriate public DNS servers:
  forward-zone:
  name: "."
  forward-addr: 1.0.0.1@53#one.one.one.one
  forward-addr: 1.1.1.1@53#one.one.one.one
  forward-addr: 8.8.4.4@53#dns.google
  forward-addr: 8.8.8.8@53#dns.google
  forward-addr: 9.9.9.9@53#dns.quad9.net
  forward-addr: 149.112.112.112@53#dns.quad9.net
  forward-addr: 2606:4700:4700::1003@53#cloudflare.ipv6
  forward-addr: 2606:4700:4700::1113@53#cloudflare.ipv6
  forward-addr: 2403:4000:0:2::3@53#BDCOM.ipv6
  forward-addr: 2403:4000:0:2::4@53#BDCOM.ipv6
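As an added example (not part of this page or of the Unbound project), a small Python check of how the access-control list above is evaluated: Unbound applies the most specific matching netblock, so the 0.0.0.0/0 refuse catch-all is overridden by the narrower allow entries, and a client that matches no entry at all (any IPv6 address outside 2403:4000::/32 here, since there is no ::/0 line) falls back to Unbound's documented default of refuse. The ACL text is copied from the config above; the rule semantics are the only assumption.

```python
import ipaddress
import re

# The access-control lines from the unbound.conf above (sample input for this check).
ACL_TEXT = """
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: ::1 allow
access-control: 210.4.64.0/24 allow
access-control: 210.4.77.0/24 allow
access-control: 10.255.0.0/16 allow
access-control: 2403:4000::/32 allow
"""

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)\s*$")


def parse_acl(text):
    """Return [(network, action), ...] from the access-control: lines.

    A bare address (127.0.0.1, ::1) gets a full-length prefix, as in Unbound."""
    rules = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            rules.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return rules


def acl_action(rules, client):
    """Return the action Unbound would apply to a query from `client`.

    The most specific (longest-prefix) matching netblock wins, so the
    0.0.0.0/0 refuse entry is overridden by the narrower allow entries.
    With no matching entry Unbound refuses (its documented default), which
    is what happens to every IPv6 client outside 2403:4000::/32 here."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for ip in ("210.4.77.135", "8.8.8.8", "2403:4000:0:2::2", "2001:db8::1"):
        print(f"{ip:>18} -> {acl_action(rules, ip)}")
```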

Logs (from https://askubuntu.com/questions/1082972/unbound-dns-sever-does-not-log-anything-when-i-make-a-query):

Step 2

Make sure BOTH the log file & parent folder are owned by unbound user:

  sudo chown unbound:unbound /var/log/unbound /var/log/unbound/unbound.log

At this point it was still not working for me (or you).

After this I noticed it was still logging to syslog after turning up verbosity to debug. I also noticed kernel logging showing “apparmor” was logging “DENIED” for the unbound log location access:

  sudo cat /var/log/syslog | grep DENIED

Example in syslog:

  Dec 30 16:41:48 ip-192-168-1-1 kernel: [ 1368.641789] audit: type=1400 audit(1577724108.624:29): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/log/unbound/unbound.log" pid=2247 comm="unbound" requested_mask="ac" denied_mask="ac" fsuid=112 ouid=112

Step 3

To correct this, I added a local override to apparmor.d area:

  sudo nano /etc/apparmor.d/local/usr.sbin.unbound

Add this single line to it:

  /var/log/unbound/unbound.log rw,

(Yes, with comma on end) Save.

Step 4

Reload apparmor entries for unbound:

  sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound

Step 5

Restart Unbound:

  sudo systemctl restart unbound

Check log:

  $ sudo tail -f /var/log/unbound/unbound.log
  [1577725445] unbound[2721:0] info: start of service (unbound 1.6.7).

Related links:

  * https://askubuntu.com/questions/1285370/trying-to-allocate-more-ram-to-unbound-and-getting-a-warning-to-fix-start-with (for the message "warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root")
  * https://aacable.wordpress.com/tag/unbound-debug-mode/
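As an added example (not part of the answer quoted above or of AppArmor's own tooling), the following Python pulls the fields out of an apparmor="DENIED" audit line like the one above, derives the Debian local-override file name from the profile path (/usr/sbin/unbound becomes usr.sbin.unbound) and the minimal file rule that covers the denied mask. The syslog sample is constructed around the line quoted above; the mask-to-permission mapping is an assumption based on AppArmor's rule syntax.

```python
import re

# Constructed syslog sample; the DENIED line mirrors the one quoted above.
SYSLOG_SAMPLE = """\
Dec 30 16:41:47 ip-192-168-1-1 systemd[1]: Starting Unbound DNS server...
Dec 30 16:41:48 ip-192-168-1-1 kernel: [ 1368.641789] audit: type=1400 audit(1577724108.624:29): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/log/unbound/unbound.log" pid=2247 comm="unbound" requested_mask="ac" denied_mask="ac" fsuid=112 ouid=112
Dec 30 16:41:48 ip-192-168-1-1 unbound[2247]: [2247:0] notice: init module 0: validator
"""

# key=value pairs, with or without double quotes around the value
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# AppArmor audit mask letters -> file-rule permission letters (assumed mapping):
# append (a) and create (c) are both granted by 'w' in a profile rule.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "w", "c": "w",
                "x": "x", "k": "k", "m": "m"}


def parse_apparmor_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for key, raw, quoted in KV_RE.findall(line):
            fields[key] = quoted if raw.startswith('"') else raw
        events.append(fields)
    return events


def override_rule(event):
    """Minimal file rule for the denied mask, e.g. '/var/log/unbound/unbound.log w,'.
    The answer above uses 'rw,', which is a superset of this."""
    perms = {MASK_TO_PERM.get(ch, ch) for ch in event["denied_mask"]}
    return event["name"] + " " + "".join(p for p in "rwkmx" if p in perms) + ","


def local_override_path(profile):
    """Debian names the profile file after the binary path with '/' turned into '.',
    so /usr/sbin/unbound -> /etc/apparmor.d/local/usr.sbin.unbound."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


if __name__ == "__main__":
    for ev in parse_apparmor_denials(SYSLOG_SAMPLE):
        print(f"# {ev['comm']} (pid {ev['pid']}) denied {ev['operation']} on {ev['name']}")
        print(f"# add to {local_override_path(ev['profile'])}:")
        print(override_rule(ev))
```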

unbound_v6.txt · Last modified: 2023/03/06 11:31 by 127.0.0.1