Comments (35)
@kashalls hmm i rule out its a issue with UniFi cause you mention earlier you used vultr vps and have the same issue ?? my account is currently closed on vultur lol. can you create a new machine on vultr and send me login details at [email protected] and let me install it and see if issue still occurs
from adguard-wireguard-unbound-dnscrypt.
Sure, I will have it done later today.
from adguard-wireguard-unbound-dnscrypt.
Oh okay it makes more sense to me now. Thanks for helping out I appreciate it.
from adguard-wireguard-unbound-dnscrypt.
Thanks for opening your first issue here 🙋🕵️
from adguard-wireguard-unbound-dnscrypt.
Tried updating to 1.17.0, was unsuccessful in getting it going. Continuing to get tcperror and a SERVFAIL status.
from adguard-wireguard-unbound-dnscrypt.
@kashalls hi
This issue does not reproduce for me
Version 1.13.1
powershell_Lg0xo2PHvk.mp4
Not sure why this is happening but can you try another port other than 5353
and see if same error occurs.
from adguard-wireguard-unbound-dnscrypt.
@kashalls hi
This issue does not reproduce for me
Version 1.13.1
powershell_Lg0xo2PHvk.mp4
Not sure why this is happening but can you try another port other than
5353
and see if same error occurs.
I eventually got the latest build of unbound done and working but the same issue. I tried 6565 and 4200 and got the same result. I have a feeling it's certificate related but I lack the knowledge to debug this.
from adguard-wireguard-unbound-dnscrypt.
@kashalls hi
This issue does not reproduce for me
Version 1.13.1
powershell_Lg0xo2PHvk.mp4
Not sure why this is happening but can you try another port other than5353
and see if same error occurs.
I have been able to reproduce this issue quite considerably. Debating whether or not to try getting a public instance up to test my theory.
from adguard-wireguard-unbound-dnscrypt.
@kashalls you said
When I toggle forward-ssl-upstream: yes to no
apart from in default config which is forward-tls-upstream: yes
which means tls security is not being used(which is better)
it baffles me to see DNScrypt to cause this issue. Forgive me for asking what was understood by you already, I would like to know if this happens with Stubby or cloudflared or unbound by itself.
from adguard-wireguard-unbound-dnscrypt.
@kashalls you said
When I toggle forward-ssl-upstream: yes to no
apart from in default config which is
forward-tls-upstream: yes
which means tls security is not being used(which is better)it baffles me to see DNScrypt to cause this issue. Forgive me for asking what was understood by you already, I would like to know if this happens with Stubby or cloudflared or unbound by itself.
I'd be willing to get in a call with you on something like Discord if you want to take a look at the instance. I had to switch to no in order for unbound to query dnscrypt.
from adguard-wireguard-unbound-dnscrypt.
If it does happen only with dnscrypt I suggest trying it on a vps if you can to rule out that it has nothing to do with your network.. this "SERVFAIL" error in unbound upstreams according in forums sounds like a DNS server side issue
from adguard-wireguard-unbound-dnscrypt.
If it does happen only with dnscrypt I suggest trying it on a vps if you can to rule out that it has nothing to do with your network.. this "SERVFAIL" error in unbound upstreams according in forums sounds like a DNS server side issue
In a weird turn of events, on a seperate machine I installed ubuntu server (64bit) in a minimal configuration on a desktop pc of mine I use for testing. It setup immediately and did not have the issues I was presented on the Raspberry Pi 4B.
from adguard-wireguard-unbound-dnscrypt.
In a extremely weird turn of events, rebooting now causes it to come up with the same SERVFAIL.
lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy
DNScrypt-proxy: 2.1.2
Unbound: 1.13.1
Now trying a VPS approach.
from adguard-wireguard-unbound-dnscrypt.
Used vultr to deploy a $5/mnth with Ubuntu 22.04.1. Issue still persists. I've tried changing the upstream servers in dnscrypt to quad9, no dice.
Process of Installation Taken:
- Follow the entirety of this section: https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt#install-adguard-home-
- follow the entirety of this https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt#install-adguard-home- and disabling DNSStubListener
- Download unbound configuration from repo.
- Follow https://github.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/wiki/Install-DNScrypt-proxy-(DoH)(oDoH)(Anonymized-DNS) as per document
- Configure adguard with
127.0.0.1:53
and127.0.0.1:5353
parallel requests - Reboot
dig @127.0.0.1 -p 53 google.com
->SERVFAIL
from adguard-wireguard-unbound-dnscrypt.
@kashalls i rebooted a couple times(fyi, my date is not set) i do not get SERVFAIL.
on your raspberry pi , check nano /etc/resolvconf.conf
to see what is your nameservers
from adguard-wireguard-unbound-dnscrypt.
@kashalls i rebooted a couple times(fyi, my date is not set) i do not get SERVFAIL.
on your raspberry pi , check
nano /etc/resolvconf.conf
to see what is your nameservers
Seems to be wrong, what should they be set to?
from adguard-wireguard-unbound-dnscrypt.
@kashalls hmmm you should have nameserver 127.0.0.1
in /etc/resolvconf
. it should be added automatically after installing unbound
when you ping google.com
you should be reachable to internet right ?
Do you have cloudflare dns on your router or somewhere else before installing unbound? My config shows:
# Generated by resolvconf
forward-zone:
name: "."
forward-addr: 192.168.100.1
forward-addr: fe80::1%eth0
192.168.100.1 is my default gateway/dns address
can you add nameserver 127.0.0.1
using this guide https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt/wiki/Set-permanent-DNS-nameservers. Ping google and check if internet access if not try adding other nameserver in another line
from adguard-wireguard-unbound-dnscrypt.
Followed instructions to the T.
As soon as I turn forward-tls-upstream
from no
to yes
, SERVFAIL's begin showing up at the unbound side.
from adguard-wireguard-unbound-dnscrypt.
add nameserver 127.0.0.1
in /etc/resolvconf
and check unbound again
from adguard-wireguard-unbound-dnscrypt.
add
nameserver 127.0.0.1
in/etc/resolvconf
and check unbound again
Local DNS is now being resolved by the router.
Just the same output from unbound:
[1149:0] debug: outnettcp got tcp error -1
Oct 20 07:00:46 adguardhome unbound[1149]: [1149:0] debug: outnettcp got tcp error -1
Oct 20 07:00:46 adguardhome unbound[1149]: [1149:0] debug: outnettcp got tcp error -1
from adguard-wireguard-unbound-dnscrypt.
@kashalls Nice i see now you get no answer section with dig google.com @127.0.0.1
which really confirms nameserver 127.0.0.1
is not configured properly. I do not know why it do not set for you when unbound is installed🤷♂️ use this this guide https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt/wiki/Set-permanent-DNS-nameservers and set it from there and see if it works
and btw is 10.0.0.1 your home network default dns and gateway address ??
from adguard-wireguard-unbound-dnscrypt.
@kashalls Nice i see now you get no answer section with
dig google.com @127.0.0.1
which really means confirmsnameserver 127.0.0.1
is not configured properly. I do not know why it do not set for you when unbound is installed🤷♂️ use this this guide https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt/wiki/Set-permanent-DNS-nameservers and set it from there and see if it worksand btw is 10.0.0.1 your home network default dns and gateway address ??
I have a Unifi Dream Machine Pro acting as my gateway, the Pi is on vlan 5 so that I may use iptables to force port 53 from my IOT devices lan to use adguard. So I have 5 subnets, each with its own gateway. 10.0.0.1 is the main main main gateway xD
What is the expected contents of /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
from adguard-wireguard-unbound-dnscrypt.
What is the expected contents of /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
i have
# Generated by resolvconf
forward-zone:
name: "."
forward-addr: 192.168.100.1
forward-addr: fe80::1%eth0
192.168.100.1 is my default gateway/dns address
when you ping google is it reachable to internet ?
and what do you have when you run ifconfig
?
from adguard-wireguard-unbound-dnscrypt.
when you ping google is it reachable to internet ?
Yes.
PING (142.250.72.206) 56(84) bytes of data.
64 bytes from sfo03s21-in-f14.1e100.net (142.250.72.206): icmp_seq=1 ttl=56 time=18.3 ms
64 bytes from sfo03s21-in-f14.1e100.net (142.250.72.206): icmp_seq=2 ttl=56 time=18.0 ms
Tried all above suggestions, not entirely sure where the problem lies now. For now, turning of tls upstream in unbound allows everything to work.
from adguard-wireguard-unbound-dnscrypt.
@kashalls everything seems to be working fine on vps, test it out for yourself. It looks like you did not follow this guide.
When i installed unbound on this machine it do not set nameserver 127.0.0.1
in /etc/resolv.conf
. So resolv package needs to install to set it but when it does you lose internet to host and setting permanent nameserver is needed to regain internet. Before unbound nameserver was set, the machine default nameserver was 127.0.0.53
which can be added to fix, or the IPv4 address can be used as well👍
from adguard-wireguard-unbound-dnscrypt.
if you still get server error, something is wrong on your network side with router or something.
from adguard-wireguard-unbound-dnscrypt.
@kashalls everything seems to be working fine on vps, test it out for yourself. It looks like you did not follow this guide.
When i installed unbound on this machine it do not set
nameserver 127.0.0.1
in/etc/resolv.conf
. So resolv package needs to install to set it but when it does you lose internet to host and setting permanent nameserver is needed to regain internet. Before unbound nameserver was set the machine default nameserver was 127.0.0.53 which can be added to fix, or the IPv4 address can be used as well👍
Hmm 🤔 I was confused when you got to the unbound part. Were you able to get it setup to forward to dnscrypt?
from adguard-wireguard-unbound-dnscrypt.
First thing I notice is that there is no /etc/unbound/unbound.conf.d/
resolvconf_resolvers.conf
is not present as it is on rpi.
Actually, you had enabled the unbound config for both dnscrypt and cloudflare, so unbound was using your cloudflare config to resolve dns. As soon as I commented out that, it started resolving to SERVFAIL.
from adguard-wireguard-unbound-dnscrypt.
You absolutely need to add in forward zone, a dns server that uses port 853 in unbound config for DoT to work .
Forwarding to DNScrypt(127.0.0.1:5353) uses DoH from dnscrpyt servers
although its same cloudflare. it is using different servers and security protocol👍
from adguard-wireguard-unbound-dnscrypt.
You absolutely need to add in forward zone, a dns server that uses port 853 in unbound config for DoT to work .
Forwarding to DNScrypt(127.0.0.1:5353) uses DoH from dnscrpyt servers
although its same cloudflare. it is using different servers and security protocol👍
So you have to enable BOTH DoT and DoH on Unbound, otherwise you can't use DNSCrypt?
I was under the impression you could only use just oDoH by forwarding to just dnscrypt.
from adguard-wireguard-unbound-dnscrypt.
So you have to enable BOTH DoT and DoH on Unbound, otherwise you can't use DNSCrypt?
using dnscrypt(port 5353) in unbound(port 53) forward queries from dnscrypt listen interface - 127.0.0.1:5353. yes dnscrypt can work without unbound, If you want to use it only replace port 5353 with 53 in dnscrypt config so 127.0.0.1:53 which was unbound local cache is now dnscrypt local cache
from adguard-wireguard-unbound-dnscrypt.
I still want to use Unbound as a cache, the way I understood it was that it was: Adguard Home
-> Unbound
-> DNSCrypt-Proxy
.
On the server, you had both forwarding addr's for dnscrypt doh and cloudflare dot like so:
The thing I am trying to understand is that in this configuration, nothing is ever resolved by dnscrypt. No traffic, no logs nothing. Whenever unbound queries this, it gets the tcperror interally, results in a SERVFAIL if dnscyrpt is the only forwarding-addr.
from adguard-wireguard-unbound-dnscrypt.
The thing I am trying to understand is that in this configuration, nothing is ever resolved by dnscrypt. No traffic, no logs nothing. Whenever unbound queries this, it gets the tcperror interally, results in a SERVFAIL if dnscyrpt is the only forwarding-addr.
you can use logs and get queries from unbound but im not sure if there is a way to show queries of dnscrpyt in unbound logs itself. if you are using unbound from package manager you need to create log file in /var/log/unbound.log
using touch command and set permission sudo chown unbound:unbound /var/log/unbound.log
and restart unbound.
ps : You can use tail -f /var/log/unbound.log
to see logs read in realtime
you can get dnscrypt query logs in /var/log/dnscrypt-proxy/query.log
and you will see queries. Here is wiki for more test https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Checking
not sure you can see what dnsscypt is querying from unbound to know it works but I see in logs it selects server ip4/ipv6 127.0.0.1 port 5353
in DelegationPoint that has rtt(round-trip time) which mean it is receiving a response
[1666447115] unbound[2443:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1666447115] unbound[2443:0] info: processQueryTargets: . DNSKEY IN
[1666447115] unbound[2443:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 1
[1666447115] unbound[2443:0] info: DelegationPoint<.>: 0 names (0 missing), 6 addrs (6 result, 0 avail) parentNS
[1666447115] unbound[2443:0] debug: [cloudflare-dns.com] ip6 2606:4700:4700::1001 port 853 (len 28)
[1666447115] unbound[2443:0] debug: [cloudflare-dns.com] ip6 2606:4700:4700::1111 port 853 (len 28)
[1666447115] unbound[2443:0] debug: [cloudflare-dns.com] ip4 1.0.0.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug: [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug: ip6 ::1 port 5353 (len 28)
[1666447115] unbound[2443:0] debug: ip4 127.0.0.1 port 5353 (len 16)
[1666447115] unbound[2443:0] debug: attempt to get extra 3 targets
[1666447115] unbound[2443:0] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
[1666447115] unbound[2443:0] debug: rtt=518
[1666447115] unbound[2443:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug: rtt=376
[1666447115] unbound[2443:0] debug: servselect ip4 127.0.0.1 port 5353 (len 16)
[1666447115] unbound[2443:0] debug: rtt=752
[1666447115] unbound[2443:0] debug: selrtt 376
[1666447115] unbound[2443:0] info: sending query: . DNSKEY IN
[1666447115] unbound[2443:0] debug: sending to target: <.> 127.0.0.1#5353
from adguard-wireguard-unbound-dnscrypt.
results in a SERVFAIL if dnscyrpt is the only forwarding-addr.
i tried using dnscrypt only and i still do not get SERVFAIL.
powershell_Wv2wBOhQeS.mp4
from adguard-wireguard-unbound-dnscrypt.
@kashalls i get SERVFAIL with dig @127.0.0.1 google.com
cause like what is said in #59 (comment)
also according to unbound docs
from adguard-wireguard-unbound-dnscrypt.
Related Issues (20)
- Auto update for pi HOT 2
- DoT not working with own public domain and SSL certificate HOT 2
- [feature]: Leverage Black Mirror to handle general blacklisting HOT 4
- Turn off DNSStubListener
- Raspberry Pi OS doesn't seem to adhere to DoH but clients do? HOT 21
- AdGuard - CloudFlare - DoH sporadically Yes via 1.1.1.1/help HOT 23
- warning: so-rcvbuf HOT 2
- AdGuard Home memory issue HOT 1
- How to: Make AdGuard UI and DNS service ports only accessible via VPN HOT 1
- More complete tutorial for Adguard+Wireguard+Knot+DnsCrypt(oDoH) HOT 4
- Got error about Unbound (so-rcvbuf and so-sendbuf) HOT 5
- Adguard home all interface HOT 26
- Stop promoting Cloudflare and DoH services! HOT 38
- Website stops loading due to DNS HOT 5
- DOH not working and not showing on cloudfare website. HOT 35
- SERVFAIL ISSUES HOT 8
- Unbound self-compiling from latest source HOT 10
- How can i setup netmaker + adguard + unbound HOT 3
- Updating block lists HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from adguard-wireguard-unbound-dnscrypt.