
Comments (35)

trinib avatar trinib commented on July 29, 2024 2

@kashalls hmm, I rule out that it's an issue with UniFi because you mentioned earlier that you used a Vultr VPS and had the same issue?? My account is currently closed on Vultr lol. Can you create a new machine on Vultr and send me the login details at [email protected] and let me install it and see if the issue still occurs

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024 1

Sure, I will have it done later today.

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024 1

Oh okay it makes more sense to me now. Thanks for helping out I appreciate it.

from adguard-wireguard-unbound-dnscrypt.

welcome avatar welcome commented on July 29, 2024

Thanks for opening your first issue here 🙋🕵️


from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

Tried updating to 1.17.0, was unsuccessful in getting it going. Continuing to get tcperror and a SERVFAIL status.

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

@kashalls hi

This issue does not reproduce for me

Version 1.13.1

powershell_Lg0xo2PHvk.mp4

Not sure why this is happening, but can you try another port other than 5353 and see if the same error occurs.

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

> @kashalls hi
>
> This issue does not reproduce for me
>
> Version 1.13.1
>
> powershell_Lg0xo2PHvk.mp4
>
> Not sure why this is happening, but can you try another port other than 5353 and see if the same error occurs.

I eventually got the latest build of unbound done and working, but the same issue. I tried 6565 and 4200 and got the same result. I have a feeling it's certificate related, but I lack the knowledge to debug this.

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

> @kashalls hi
>
> This issue does not reproduce for me
>
> Version 1.13.1
>
> powershell_Lg0xo2PHvk.mp4
>
> Not sure why this is happening, but can you try another port other than 5353 and see if the same error occurs.

I have been able to reproduce this issue quite considerably. Debating whether or not to try getting a public instance up to test my theory.

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

@kashalls you said

> When I toggle forward-ssl-upstream: yes to no

apart from in the default config, which is forward-tls-upstream: yes, which means tls security is not being used (which is better)

it baffles me to see DNScrypt cause this issue. Forgive me for asking what was already understood by you, I would like to know if this happens with Stubby or cloudflared or unbound by itself.

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

> @kashalls you said
>
> > When I toggle forward-ssl-upstream: yes to no
>
> apart from in the default config, which is forward-tls-upstream: yes, which means tls security is not being used (which is better)
>
> it baffles me to see DNScrypt cause this issue. Forgive me for asking what was already understood by you, I would like to know if this happens with Stubby or cloudflared or unbound by itself.

I'd be willing to get in a call with you on something like Discord if you want to take a look at the instance. I had to switch to no in order for unbound to query dnscrypt.

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

If it does happen only with dnscrypt, I suggest trying it on a VPS if you can, to rule out that it has anything to do with your network. This "SERVFAIL" error in unbound upstreams, according to forums, sounds like a DNS server side issue

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

> If it does happen only with dnscrypt, I suggest trying it on a VPS if you can, to rule out that it has anything to do with your network. This "SERVFAIL" error in unbound upstreams, according to forums, sounds like a DNS server side issue

In a weird turn of events, on a separate machine I installed Ubuntu Server (64bit) in a minimal configuration on a desktop PC of mine I use for testing. It set up immediately and did not have the issues I was presented with on the Raspberry Pi 4B.

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

In an extremely weird turn of events, rebooting now causes it to come up with the same SERVFAIL.

lsb_release -a

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy

DNScrypt-proxy: 2.1.2
Unbound: 1.13.1

Now trying a VPS approach.

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

Used Vultr to deploy a $5/month instance with Ubuntu 22.04.1. Issue still persists. I've tried changing the upstream servers in dnscrypt to quad9, no dice.

Process of Installation Taken:

  1. Follow the entirety of this section: https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt#install-adguard-home-
  2. follow the entirety of this https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt#install-adguard-home- and disabling DNSStubListener
  3. Download unbound configuration from repo.
  4. Follow https://github.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/wiki/Install-DNScrypt-proxy-(DoH)(oDoH)(Anonymized-DNS) as per document
  5. Configure adguard with 127.0.0.1:53 and 127.0.0.1:5353 parallel requests
  6. Reboot
  7. dig @127.0.0.1 -p 53 google.com -> SERVFAIL

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

@kashalls I rebooted a couple of times (FYI, my date is not set); I do not get SERVFAIL.
image

on your Raspberry Pi, check nano /etc/resolvconf.conf to see what your nameservers are

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

> @kashalls I rebooted a couple of times (FYI, my date is not set); I do not get SERVFAIL. image
>
> on your Raspberry Pi, check nano /etc/resolvconf.conf to see what your nameservers are

image
image
image

Seems to be wrong, what should they be set to?

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

@kashalls hmmm, you should have nameserver 127.0.0.1 in /etc/resolvconf. It should be added automatically after installing unbound

when you ping google.com you should be able to reach the internet, right?

Do you have cloudflare dns on your router or somewhere else before installing unbound? My config shows:

# Generated by resolvconf

forward-zone:
        name: "."
        forward-addr: 192.168.100.1
        forward-addr: fe80::1%eth0

192.168.100.1 is my default gateway/dns address

can you add nameserver 127.0.0.1 using this guide https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt/wiki/Set-permanent-DNS-nameservers. Ping google and check if you have internet access; if not, try adding another nameserver on another line

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

Followed instructions to the T.

As soon as I turn forward-tls-upstream from no to yes, SERVFAILs begin showing up on the unbound side.

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

add nameserver 127.0.0.1 in /etc/resolvconf and check unbound again

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

> add nameserver 127.0.0.1 in /etc/resolvconf and check unbound again

image

image
Local DNS is now being resolved by the router.

Just the same output from unbound:

[1149:0] debug: outnettcp got tcp error -1
Oct 20 07:00:46 adguardhome unbound[1149]: [1149:0] debug: outnettcp got tcp error -1
Oct 20 07:00:46 adguardhome unbound[1149]: [1149:0] debug: outnettcp got tcp error -1

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

@kashalls Nice, I see now you get no answer section with dig google.com @127.0.0.1, which really confirms nameserver 127.0.0.1 is not configured properly. I do not know why it does not get set for you when unbound is installed🤷‍♂️ use this guide https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt/wiki/Set-permanent-DNS-nameservers and set it from there and see if it works

and btw is 10.0.0.1 your home network default dns and gateway address ??

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

> @kashalls Nice, I see now you get no answer section with dig google.com @127.0.0.1, which really confirms nameserver 127.0.0.1 is not configured properly. I do not know why it does not get set for you when unbound is installed🤷‍♂️ use this guide https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt/wiki/Set-permanent-DNS-nameservers and set it from there and see if it works
>
> and btw is 10.0.0.1 your home network default dns and gateway address ??

I have a Unifi Dream Machine Pro acting as my gateway; the Pi is on vlan 5 so that I may use iptables to force port 53 from my IOT devices' lan to use adguard. So I have 5 subnets, each with its own gateway. 10.0.0.1 is the main main main gateway xD

What are the expected contents of /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

> What are the expected contents of /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

I have

# Generated by resolvconf

forward-zone:
        name: "."
        forward-addr: 192.168.100.1
        forward-addr: fe80::1%eth0

192.168.100.1 is my default gateway/dns address

when you ping google, is the internet reachable?

and what do you have when you run ifconfig?

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

> and what do you have when you run ifconfig?

image

> when you ping google, is the internet reachable?

Yes.

PING  (142.250.72.206) 56(84) bytes of data.
64 bytes from sfo03s21-in-f14.1e100.net (142.250.72.206): icmp_seq=1 ttl=56 time=18.3 ms
64 bytes from sfo03s21-in-f14.1e100.net (142.250.72.206): icmp_seq=2 ttl=56 time=18.0 ms

Tried all the above suggestions, not entirely sure where the problem lies now. For now, turning off tls upstream in unbound allows everything to work.

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

@kashalls everything seems to be working fine on the VPS, test it out for yourself. It looks like you did not follow this guide.

When I installed unbound on this machine it did not set nameserver 127.0.0.1 in /etc/resolv.conf. So the resolv package needs to be installed to set it, but when it does you lose internet on the host and setting a permanent nameserver is needed to regain internet. Before the unbound nameserver was set, the machine's default nameserver was 127.0.0.53, which can be added to fix it, or the IPv4 address can be used as well👍

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

if you still get server error, something is wrong on your network side with router or something.

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

> @kashalls everything seems to be working fine on the VPS, test it out for yourself. It looks like you did not follow this guide.
>
> When I installed unbound on this machine it did not set nameserver 127.0.0.1 in /etc/resolv.conf. So the resolv package needs to be installed to set it, but when it does you lose internet on the host and setting a permanent nameserver is needed to regain internet. Before the unbound nameserver was set, the machine's default nameserver was 127.0.0.53, which can be added to fix it, or the IPv4 address can be used as well👍

Hmm 🤔 I was confused when you got to the unbound part. Were you able to get it set up to forward to dnscrypt?

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

First thing I notice is that /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf is not present, as it is on the rpi.

Actually, you had enabled the unbound config for both dnscrypt and cloudflare, so unbound was using your cloudflare config to resolve dns. As soon as I commented that out, it started resolving to SERVFAIL.

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

You absolutely need to add in the forward zone a dns server that uses port 853 in the unbound config for DoT to work.

Forwarding to DNScrypt (127.0.0.1:5353) uses DoH from dnscrypt servers

although it's the same cloudflare, it is using different servers and security protocol👍

from adguard-wireguard-unbound-dnscrypt.
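The point in the two comments above is that unbound's `forward-tls-upstream` switch is zone-wide: every `forward-addr` in that forward-zone is then spoken to over TLS, so a DoT resolver on port 853 works but dnscrypt-proxy's plain-DNS listener on 127.0.0.1:5353 cannot answer, and the `outnettcp` error turns into a SERVFAIL. The linter below is an added example written for this thread, not code from the repository; it parses only the small subset of unbound.conf syntax used here (`forward-zone:` blocks with `name`, `forward-addr`, `forward-tls-upstream`), and the three sample configurations are constructed: the mixed zone that fails, the dnscrypt-only zone with TLS off, and a DoT-only zone.

```python
"""Lint unbound forward-zone blocks for the DoT / plain-DNS mismatch discussed above.

Added example, not the repository's own code. Rule encoded: forward-tls-upstream
applies to every forward-addr in its zone, so with TLS on, every upstream must be
a port-853 resolver; dnscrypt-proxy's plain listener (127.0.0.1:5353) belongs in a
zone with TLS off, where dnscrypt-proxy does the encrypted (DoH) upstream itself.
"""
import re

# forward-addr syntax: IP[@port][#auth-name]; the port defaults to 53.
ADDR_RE = re.compile(r"^(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<sni>\S+))?$")


def parse_forward_zones(conf_text):
    """Return one {'name', 'addrs', 'tls'} dict per forward-zone block."""
    zones, cur = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or whole-line comment
            continue
        if line == "forward-zone:":
            cur = {"name": None, "addrs": [], "tls": False}
            zones.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "name":
            cur["name"] = val
        elif key == "forward-addr":
            cur["addrs"].append(val)
        elif key == "forward-tls-upstream":
            cur["tls"] = (val.lower() == "yes")
    return zones


def parse_addr(addr):
    """Split 'IP[@port][#name]' into (host, port, auth_name)."""
    m = ADDR_RE.match(addr)
    if not m:
        raise ValueError(f"unparseable forward-addr: {addr!r}")
    port = int(m.group("port")) if m.group("port") else 53
    return m.group("host"), port, m.group("sni")


def lint_zones(zones):
    """Return (zone, addr, problem) tuples for upstreams that cannot work as written."""
    findings = []
    for z in zones:
        for addr in z["addrs"]:
            _host, port, sni = parse_addr(addr)
            if z["tls"] and port != 853:
                findings.append((z["name"], addr,
                                 "TLS is on for this zone but the upstream is not a DoT port (853); "
                                 "a plain-DNS listener such as dnscrypt-proxy cannot complete the handshake"))
            elif z["tls"] and sni is None:
                findings.append((z["name"], addr,
                                 "DoT upstream has no #auth-name, so the TLS session is not "
                                 "authenticated against a hostname"))
            elif not z["tls"] and port == 853:
                findings.append((z["name"], addr,
                                 "port 853 upstream but forward-tls-upstream is off; plain DNS will be refused"))
    return findings


# Constructed samples. BROKEN mirrors the mixed zone from this thread: the zone-wide TLS
# flag is also applied to dnscrypt-proxy's plain listener on 127.0.0.1:5353.
BROKEN = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 127.0.0.1@5353
"""

# Option A: unbound speaks plain DNS on loopback to dnscrypt-proxy, which handles DoH upstream.
FIXED_DNSCRYPT = """\
forward-zone:
    name: "."
    forward-tls-upstream: no
    forward-addr: 127.0.0.1@5353
    forward-addr: ::1@5353
"""

# Option B: unbound does DoT itself; every upstream in the zone is a port-853 resolver.
FIXED_DOT = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
"""

if __name__ == "__main__":
    for label, conf in (("BROKEN", BROKEN), ("FIXED_DNSCRYPT", FIXED_DNSCRYPT), ("FIXED_DOT", FIXED_DOT)):
        problems = lint_zones(parse_forward_zones(conf))
        print(label, "->", problems or "ok")
```

Running it reports exactly one finding, for `127.0.0.1@5353` in the BROKEN zone, and nothing for the two corrected zones; pointing `parse_forward_zones` at a real `/etc/unbound/unbound.conf.d/*.conf` file gives the same check on a live install.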

kashalls avatar kashalls commented on July 29, 2024

> You absolutely need to add in the forward zone a dns server that uses port 853 in the unbound config for DoT to work.
>
> Forwarding to DNScrypt (127.0.0.1:5353) uses DoH from dnscrypt servers
>
> although it's the same cloudflare, it is using different servers and security protocol👍

So you have to enable BOTH DoT and DoH on Unbound, otherwise you can't use DNSCrypt?

I was under the impression you could use just oDoH by forwarding to just dnscrypt.

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

> So you have to enable BOTH DoT and DoH on Unbound, otherwise you can't use DNSCrypt?

using dnscrypt (port 5353) in unbound (port 53) forwards queries from the dnscrypt listen interface - 127.0.0.1:5353. Yes, dnscrypt can work without unbound. If you want to use it only, replace port 5353 with 53 in the dnscrypt config, so 127.0.0.1:53, which was unbound's local cache, is now dnscrypt's local cache

from adguard-wireguard-unbound-dnscrypt.

kashalls avatar kashalls commented on July 29, 2024

I still want to use Unbound as a cache; the way I understood it was: Adguard Home -> Unbound -> DNSCrypt-Proxy.

On the server, you had both forwarding addrs for dnscrypt doh and cloudflare dot, like so: image

The thing I am trying to understand is that in this configuration, nothing is ever resolved by dnscrypt. No traffic, no logs, nothing. Whenever unbound queries this, it gets the tcperror internally, resulting in a SERVFAIL if dnscrypt is the only forwarding-addr.

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

> The thing I am trying to understand is that in this configuration, nothing is ever resolved by dnscrypt. No traffic, no logs, nothing. Whenever unbound queries this, it gets the tcperror internally, resulting in a SERVFAIL if dnscrypt is the only forwarding-addr.

you can use logs and get queries from unbound, but I'm not sure if there is a way to show queries of dnscrypt in unbound logs itself. If you are using unbound from the package manager you need to create the log file /var/log/unbound.log using the touch command, set permissions with sudo chown unbound:unbound /var/log/unbound.log and restart unbound.

ps: You can use tail -f /var/log/unbound.log to see logs read in realtime

you can get dnscrypt query logs in /var/log/dnscrypt-proxy/query.log and you will see queries. Here is the wiki for more tests https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Checking

not sure you can see what dnscrypt is querying from unbound to know it works, but I see in logs it selects server ip4/ipv6 127.0.0.1 port 5353 in DelegationPoint that has rtt (round-trip time), which means it is receiving a response

[1666447115] unbound[2443:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1666447115] unbound[2443:0] info: processQueryTargets: . DNSKEY IN
[1666447115] unbound[2443:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 1
[1666447115] unbound[2443:0] info: DelegationPoint<.>: 0 names (0 missing), 6 addrs (6 result, 0 avail) parentNS
[1666447115] unbound[2443:0] debug:   [cloudflare-dns.com] ip6 2606:4700:4700::1001 port 853 (len 28)
[1666447115] unbound[2443:0] debug:   [cloudflare-dns.com] ip6 2606:4700:4700::1111 port 853 (len 28)
[1666447115] unbound[2443:0] debug:   [cloudflare-dns.com] ip4 1.0.0.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug:    ip6 ::1 port 5353 (len 28)
[1666447115] unbound[2443:0] debug:    ip4 127.0.0.1 port 5353 (len 16)
[1666447115] unbound[2443:0] debug: attempt to get extra 3 targets
[1666447115] unbound[2443:0] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
[1666447115] unbound[2443:0] debug:    rtt=518
[1666447115] unbound[2443:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug:    rtt=376
[1666447115] unbound[2443:0] debug: servselect ip4 127.0.0.1 port 5353 (len 16)
[1666447115] unbound[2443:0] debug:    rtt=752
[1666447115] unbound[2443:0] debug: selrtt 376
[1666447115] unbound[2443:0] info: sending query: . DNSKEY IN
[1666447115] unbound[2443:0] debug: sending to target: <.> 127.0.0.1#5353

from adguard-wireguard-unbound-dnscrypt.
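The debug excerpt above is what a practitioner reads to answer the question in this thread: which upstreams unbound considered (the `servselect` / `rtt=` pairs), what `selrtt` it settled on, which target it actually sent to, and whether `outnettcp got tcp error` lines followed. The script below is an added example, not project code; it parses those line shapes, and its sample log is constructed from the lines posted in this thread plus two of the `outnettcp` error lines posted earlier, re-timestamped in the same format. The `mixed_transport_targets` check flags the combination this thread is about: a loopback target on a non-853 port sitting in the same candidate set as port-853 (DoT) targets.

```python
"""Summarise unbound debug output: candidate upstreams and their rtt, the chosen
target, and the count of outnettcp errors. Added example for this thread, not the
repository's code; line formats are taken from the excerpts posted above.
"""
import re

# "[1666447115] unbound[2443:0] debug: servselect ip4 127.0.0.1 port 5353 (len 16)"
SERVSELECT_RE = re.compile(r"servselect ip[46] (\S+) port (\d+)")
# "[1666447115] unbound[2443:0] debug:    rtt=752"   (the line after a servselect line)
RTT_RE = re.compile(r"\brtt=(\d+)")
# "[1666447115] unbound[2443:0] debug: selrtt 376"
SELRTT_RE = re.compile(r"selrtt (\d+)")
# "[1666447115] unbound[2443:0] debug: sending to target: <.> 127.0.0.1#5353"
SENT_RE = re.compile(r"sending to target: <([^>]*)> (\S+)")
# "... unbound[1149]: [1149:0] debug: outnettcp got tcp error -1"
TCPERR_RE = re.compile(r"outnettcp got tcp error (-?\d+)")


def summarize(log_text):
    """Parse one query's worth of debug lines into a dict of the facts that matter here."""
    candidates = {}      # "ip#port" -> rtt estimate in ms
    pending = None       # servselect target still waiting for its rtt= line
    selrtt = None
    sent_to = []         # (zone, "ip#port") for each 'sending to target' line
    tcp_errors = 0
    for line in log_text.splitlines():
        if m := SERVSELECT_RE.search(line):
            pending = f"{m.group(1)}#{m.group(2)}"
            continue
        if pending and (m := RTT_RE.search(line)):
            candidates[pending] = int(m.group(1))
            pending = None
            continue
        if m := SELRTT_RE.search(line):
            selrtt = int(m.group(1))
        elif m := SENT_RE.search(line):
            sent_to.append((m.group(1), m.group(2)))
        elif TCPERR_RE.search(line):
            tcp_errors += 1
    return {"candidates": candidates, "selrtt": selrtt,
            "sent_to": sent_to, "tcp_errors": tcp_errors}


def mixed_transport_targets(summary):
    """Return loopback targets that are not on port 853 when the same candidate set also
    contains port-853 (DoT) targets. With forward-tls-upstream: yes on that zone, unbound
    will attempt TLS to them as well, which dnscrypt-proxy's plain listener cannot answer."""
    keys = list(summary["candidates"])
    has_dot = any(k.endswith("#853") for k in keys)
    loopback = [k for k in keys
                if (k.startswith("127.") or k.startswith("::1#")) and not k.endswith("#853")]
    return loopback if has_dot else []


# Constructed sample: the servselect block posted in this thread, followed by two
# outnettcp error lines in the same "[epoch] unbound[pid:tid]" format.
SAMPLE_LOG = """\
[1666447115] unbound[2443:0] info: processQueryTargets: . DNSKEY IN
[1666447115] unbound[2443:0] info: DelegationPoint<.>: 0 names (0 missing), 6 addrs (6 result, 0 avail) parentNS
[1666447115] unbound[2443:0] debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug:    ip4 127.0.0.1 port 5353 (len 16)
[1666447115] unbound[2443:0] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
[1666447115] unbound[2443:0] debug:    rtt=518
[1666447115] unbound[2443:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1666447115] unbound[2443:0] debug:    rtt=376
[1666447115] unbound[2443:0] debug: servselect ip4 127.0.0.1 port 5353 (len 16)
[1666447115] unbound[2443:0] debug:    rtt=752
[1666447115] unbound[2443:0] debug: selrtt 376
[1666447115] unbound[2443:0] info: sending query: . DNSKEY IN
[1666447115] unbound[2443:0] debug: sending to target: <.> 127.0.0.1#5353
[1666447116] unbound[2443:0] debug: outnettcp got tcp error -1
[1666447116] unbound[2443:0] debug: outnettcp got tcp error -1
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for target, rtt in s["candidates"].items():
        print(f"candidate {target:32} rtt={rtt}")
    print("selrtt:", s["selrtt"], " sent to:", s["sent_to"], " tcp errors:", s["tcp_errors"])
    print("loopback targets mixed with DoT targets:", mixed_transport_targets(s))
```

On the sample it lists the three candidates with their rtt, shows the query going to `127.0.0.1#5353`, counts the two `outnettcp` errors and flags `127.0.0.1#5353` as the plain-DNS loopback target mixed into a set of port-853 targets. A `selrtt` of 376 with the query sent to the 752 ms target is consistent with unbound picking among servers within its rtt band rather than the single fastest one; the script only reports it, it does not interpret the selection.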

trinib avatar trinib commented on July 29, 2024

@kashalls

> results in a SERVFAIL if dnscrypt is the only forwarding-addr.

I tried using dnscrypt only and I still do not get SERVFAIL.

powershell_Wv2wBOhQeS.mp4

from adguard-wireguard-unbound-dnscrypt.

trinib avatar trinib commented on July 29, 2024

@kashalls I get SERVFAIL with dig @127.0.0.1 google.com because of what is said in #59 (comment)

also according to unbound docs
image

from adguard-wireguard-unbound-dnscrypt.
