trinib / adguard-wireguard-unbound-dnscrypt

Linux ultimate self-hosted network security guide

License: MIT License

Python 21.51% Shell 34.93% INI 3.15% YAML 40.40%
vpn dns-over-tls wireguard unbound cloudflare dns-over-https openvpn adblocker stubby oblivious-dns-over-https

adguard-wireguard-unbound-dnscrypt's Issues

Raspberry Pi OS doesn't seem to adhere to DoH but clients do?

Operating System: 32-bit
Project: Cloudflare
Platform: Linux
Browser: Chrome
Issue: Not working, Other (explain in description)

Issue Description

My Raspberry Pi, when testing via 1.1.1.1/help, does not seem to show that DoH is working.
Only DoT indicates that it is working.
But all my client devices are able to correctly show it.
I even checked the service on the Raspberry Pi and it is running.

This is on my RPI

I have followed these articles
https://github.com/trinib/AdGuard-WireG ... TTPS-proxy
https://github.com/trinib/AdGuard-WireG ... d-with-doh

To reiterate:
All my devices that are on my LAN are able to get DoH and DoT working.

It's only when I test it on the RPi that runs it, and only for DoH, that I see this happening.

warning: so-rcvbuf

This error in the Unbound config file is related to:

```
 # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 4m
    so-sndbuf: 4m
```

@jo20201 yeah, you're right. 4m seems to work fine on the Pi.
You can set it in unbound.conf in kB. For example, if it shows:


Open `sudo nano /etc/unbound/unbound.conf.d/unbound.conf` and set

Restart service:

```shell
sudo systemctl restart unbound
```

and there is no error.

Originally posted by @trinib in #29 (comment)

Default Provided Unbound Config Does Not Work With DnsCrypt

Operating System: Raspberry Pi
Architecture: 64-bit
Platform: Windows, Linux, Android
Project: AdGuard Home, WireGuard, Unbound, DNScrypt
Browser: Chrome
Issue: Not working

Issue Description

Using the default configurations of Unbound <-> DNSCrypt causes an issue where Unbound will consistently return a SERVFAIL.

Increasing the verbosity from 0 to 3 in the unbound.conf file results in these visible errors.

```
debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
debug: return error response SERVFAIL
debug: configured stub or forward servers failed -- returning SERVFAIL
debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
debug: tcp error for address 127.0.0.1 port 5353
debug: outnettcp got tcp error -1
debug: outnettcp got tcp error -1
debug: cache memory msg=66072 rrset=66072 infra=8402 val=66368 subnet=74504
debug: sending to target: <.> 127.0.0.1#5353
```

Using `dig` to check dnscrypt, it shows NOERROR on the responses. When I toggle `forward-ssl-upstream: yes` to `no`, this issue is resolved; however, the first request results in an over 300 ms request time. A basic DNS query results in 23 msec.

Using Raspi 4B.

Unbound: Version 1.13.1

AdGuard Home memory issue

Originally posted by trinib May 21, 2022
AdGuard Home has a memory issue at the moment. So when using the URL Python script with block lists that have 100k+ URLs, it can cause a memory lockup. So I advise, for now, using the script with a limited blocklist at a time and rebooting every time you add a set. 😔

Edited

Even after a reboot, memory does not get freed. So until AGH gets this fixed, use a limited blocklist.

EDITED
It looks like Pi-hole gets this issue as well: https://discourse.pi-hole.net/t/latest-pi-hole-has-a-memory-leak/14523/6

Same reason: processing many URLs uses memory for blocking. Same theory as "the more apps/software running, the more memory used", so more RAM means more capability of running multiple programs, in this case those blocklists.

How to: Make AdGuard UI and DNS service ports only accessible via VPN

I was fiddling around a bit with ufw and decided to share my results with you: How to Make AdGuard UI and DNS service ports only accessible via VPN.
Note: by enabling ufw you can block new connections required to manage your server (SSH). Make sure you keep an SSH connection to your server open and test the rules by opening another SSH connection. Otherwise you risk losing access to your server!

1. Reset ufw to defaults
   ```shell
   sudo ufw default deny incoming
   sudo ufw default allow outgoing
   ```
2. Allow SSH access
   ```shell
   sudo ufw allow ssh
   ```
3. Allow access to the WireGuard VPN server (in this case the default port used in this tutorial)
   ```shell
   sudo ufw allow 51820
   ```
4. Identify the network adapter used by WireGuard (it can be identified by a name starting with "wg" followed by a number; if you start with a fresh install and follow this tutorial it should be wg0)
   ```shell
   ip link show
   ```
5. Allow access to all ports for requests coming from the WireGuard network adapter
   ```shell
   sudo ufw allow in on wg0
   ```
6. Enable ufw
   ```shell
   sudo ufw enable
   ```
7. Check the status of ufw
   ```shell
   sudo ufw status numbered
   ```

I hope you find these rules useful. Feedback, modifications and suggestions are welcome 😊

Alternative with OpenVPN

Hi,

This is not really an issue, but could you update your tutorial for those who want to use OpenVPN instead of WireGuard, please?

Thank you in advance for your help.

Got error about Unbound (so-rcvbuf and so-sendbuf)

```
Jun 03 04:29:01 instance-1 unbound[12631]: [1654230541] unbound[12631:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(...
Jun 03 04:29:01 instance-1 unbound[12631]: [1654230541] unbound[12631:0] warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(...
Jun 03 04:29:01 instance-1 unbound[12631]: [1654230541] unbound[12631:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(...
```

It doesn't cause any issue though; it just seems like something is going on.
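The warning above can be silenced either by raising the kernel cap it names (`net.core.rmem_max` / `net.core.wmem_max`) or by asking Unbound for no more than the kernel already grants. The following Python helper is an added example, not part of the project: it parses such journal lines and prints both remediations. The sample journal text is a constructed copy of the three lines quoted above, and the sysctl file name in the output is only a suggestion.

```python
import re

# Constructed sample input: a copy of the three journal lines quoted in this issue.
SAMPLE_JOURNAL = """\
Jun 03 04:29:01 instance-1 unbound[12631]: [1654230541] unbound[12631:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(...
Jun 03 04:29:01 instance-1 unbound[12631]: [1654230541] unbound[12631:0] warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(...
Jun 03 04:29:01 instance-1 unbound[12631]: [1654230541] unbound[12631:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(...
"""

# Matches the part of the warning that carries the numbers.
WARN_RE = re.compile(
    r"warning: (?P<opt>so-(?:rcv|snd)buf) (?P<want>\d+) was not granted\. Got (?P<got>\d+)\."
)

# The Linux sysctl that caps each Unbound option (named in the warning text itself).
SYSCTL_FOR = {"so-rcvbuf": "net.core.rmem_max", "so-sndbuf": "net.core.wmem_max"}


def parse_sockbuf_warnings(journal_text):
    """Return {option: (requested_bytes, granted_bytes)}, one entry per option."""
    found = {}
    for line in journal_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            found[m.group("opt")] = (int(m.group("want")), int(m.group("got")))
    return found


def remediation(warnings):
    """Two independent fixes: raise the kernel cap, or lower Unbound's request.

    'granted' is what getsockopt reports after Linux clamps the request to
    net.core.*mem_max and doubles it for its own bookkeeping, so 425984 means
    the cap was 212992 (a common default). Unbound accepts sizes with a 'k'
    or 'm' suffix, which is why the second fix is expressed in KiB.
    """
    sysctl_lines, unbound_lines = [], []
    for opt, (want, got) in sorted(warnings.items()):
        sysctl_lines.append(f"{SYSCTL_FOR[opt]}={want}")
        unbound_lines.append(f"{opt}: {got // 1024}k")
    return {"sysctl": sysctl_lines, "unbound_conf": unbound_lines}


if __name__ == "__main__":
    fix = remediation(parse_sockbuf_warnings(SAMPLE_JOURNAL))
    # File name below is a suggestion, not something the guide prescribes.
    print("Either add to /etc/sysctl.d/99-unbound.conf and run `sysctl --system`:")
    print("\n".join("  " + line for line in fix["sysctl"]))
    print("or set in the server: clause of unbound.conf:")
    print("\n".join("  " + line for line in fix["unbound_conf"]))
```

Feed it `journalctl -u unbound --no-pager` output on the affected host; the sysctl route keeps the 4m buffers the guide's config asks for, the unbound.conf route keeps the kernel defaults.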

(Unbound dns over tls) not showing in https://1.1.1.1/help

I've come across a few things that occur when following this guide; they are:

1. When unbound is installed you are then unable to get the root.hint file or any of the DoH files. However, stopping the unbound service after installing it, and restarting the service after step 4 as per the guide, is a workaround. (`sudo service unbound stop`)

2. Downloading the cloudflared 32-bit gives a 404 error. But it is fixed by downloading from the official GitHub -> `wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm`.

3. After cloudflared-linux-arm is downloaded it needs to be renamed to cloudflared before the copy step is carried out. (`mv cloudflared-linux-arm cloudflared`)

4. After all of this I end up with DoH working but not DoT (this is with or without alternative DNS on the PC) ->
   ![Capture](https://user-images.githubusercontent.com/15659183/144603760-7745702c-8d3c-416e-8491-3201c876c80f.PNG)
   I tried just having DoT configured and all I get is ->
   ![Capture2](https://user-images.githubusercontent.com/15659183/144604035-ea48c50a-415a-4a96-bcdc-13bd0c9f91c1.PNG)
   At this point I have no idea what to do.
   ps. I followed this guide 6 or so months ago and it was working.
   pps. I have tried the fix in the previous issue.

Same issue for me with https://1.1.1.1/help, and I even tried the older Unbound version 1.13.1 with no luck. But it's confirmed Unbound is working from https://dnssec.vs.uni-due.de/ and the terminal validation test commands:

```shell
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 53
dig sigok.verteiltesysteme.net @127.0.0.1 -p 53
```

The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address. (From https://docs.pi-hole.net/guides/dns/unbound/#test-validation)

So I don't know if it could be the website https://1.1.1.1/help or browsers not showing TLS, because recently with Firefox and Chrome I see from https://www.cloudflare.com/ssl/encrypted-sni/ that TLS 1.3 is on by default, so I really can't tell. I'll try a whole different method for DoT and see, but for now I guess Unbound still works; I'll find another way for DNS over TLS.

Originally posted by @trinib in #5 (comment)

Not showing DoH or DoT sometimes?

Sometimes you get a hit and miss with DoH or DoT from 1.1.1.1 on PC/Windows upon refreshing the page multiple times, but it doesn't seem to have that issue on Android browsers. When the Fastest IP Address option is selected the whole issue stops, but it has slower response time on websites. With Parallel Requests, browsing/loading times are noticeably faster. In my opinion the 1.1.1.1 website sometimes doesn't detect DoH or DoT in time because of the Windows browser architecture? 🤔 Maybe it will resolve itself or I'll find the problem from the AdGuard Home team.

UPDATE: Tested on Linux Firefox and I absolutely get no miss. Here is a video preview. So that confirmed it to be just an issue with Windows.

UPDATED 2/20/2022

FINALLY A FIX FOR WINDOWS
Windows has a funny way of resolving multiple DNS servers according to Microsoft forums. I tried everything from changing Windows adapter settings, registry, group policies and multiple Windows DNS changers and nothing worked. Then I found this program called Acrylic DNS Proxy that helps Windows resolve it perfectly 🎉.


Install Acrylic DNS Proxy

  • Go to C:\Program Files (x86)\Acrylic DNS Proxy and open the AcrylicConfiguration.ini file. Delete everything and copy these 👉SETTINGS👈; only change PrimaryServerAddress to your Pi's address.

  • In the same folder, run RestartAcrylicService.bat

TIP: Troubleshoot IP/DNS Commands

```cmd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
```

  • For Android, whatever browser you use, turn off the Use Secure DNS option.

Originally posted by @trinib in #1 (comment)

Unable to get cloudflare unbound DoT to work

I've come across a few things that occur when following this guide; they are:

  1. When unbound is installed you are then unable to get the root.hint file or any of the DoH files. However, stopping the unbound service after installing it, and restarting the service after step 4 as per the guide, is a workaround. (`sudo service unbound stop`)

  2. Downloading the cloudflared 32-bit gives a 404 error. But it is fixed by downloading from the official GitHub -> `wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm`.

  3. After cloudflared-linux-arm is downloaded it needs to be renamed to cloudflared before the copy step is carried out. (`mv cloudflared-linux-arm cloudflared`)

  4. After all of this I end up with DoH working but not DoT (this is with or without alternative DNS on the PC) ->
    [image: Capture]
    I tried just having DoT configured and all I get is ->
    [image: Capture2]
    At this point I have no idea what to do.
    ps. I followed this guide 6 or so months ago and it was working.
    pps. I have tried the fix in the previous issue.

wget: unable to resolve host address ‘bin.equinox.io’

I have been trying all day to download and extract Cloudflare:

```shell
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz && tar -xvzf cloudflared-stable-linux-arm.tgz
```

I keep getting `wget: unable to resolve host address ‘bin.equinox.io’`.
I've tried changing the nameserver, and I've refreshed and started over. Nothing seems to work. I can't find a solution.

SERVFAIL ISSUES

Operating System: Raspberry Pi
Architecture: 32-bit
Platform: Linux
Project: Stubby
Browser: Chrome
Issue: Other (explain in description)

Issue Description

Hey boss @trinib, I followed the guide to the T and I can't seem to get it to work with my Pi.

Everything returns SERVFAIL for me.

```
pi@raspberrypi:~ $ dig amazon.com @127.0.0.1 -p 8053

; <<>> DiG 9.16.33-Raspbian <<>> amazon.com @127.0.0.1 -p 8053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45089
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;amazon.com.                    IN      A

;; Query time: 4809 msec
;; SERVER: 127.0.0.1#8053(127.0.0.1)
;; WHEN: Fri Nov 04 16:26:44 CST 2022
;; MSG SIZE  rcvd: 28
```

```
pi@raspberrypi:~ $ dig amazon.com @127.0.0.1 -p 53

; <<>> DiG 9.16.33-Raspbian <<>> amazon.com @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26920
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;amazon.com.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 04 16:29:04 CST 2022
;; MSG SIZE  rcvd: 39
```

```
pi@raspberrypi:~ $ dig amazon.com @127.0.0.1 -p 5053

; <<>> DiG 9.16.33-Raspbian <<>> amazon.com @127.0.0.1 -p 5053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7403
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8cabb3405906d479 (echoed)
;; QUESTION SECTION:
;amazon.com.                    IN      A

;; ANSWER SECTION:
amazon.com.             871     IN      A       52.94.236.248
amazon.com.             871     IN      A       54.239.28.85
amazon.com.             871     IN      A       205.251.242.103

;; Query time: 309 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Nov 04 16:30:35 CST 2022
;; MSG SIZE  rcvd: 129
```

DoH not working and not showing on the Cloudflare website.

Operating System: DietPi
Architecture: 32-bit
Platform: Windows, Linux
Project: AdGuard Home, Unbound, DNScrypt
Browser: Edge
Issue: Not working

Issue Description

I tried your DNScrypt config code but Cloudflare shows that I'm not using DoH. Here I have attached the DNScrypt config:

```toml
### More info about dnscrypt-proxy configuration settings
##go to: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

### List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
### Example with both IPv4 and IPv6:
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
listen_addresses = ['127.0.0.1:6053', '[::1]:6053']

### Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = true
block_ipv6 = false

### Enable a DNS cache to reduce latency and outgoing traffic(set false if using Unbound)
cache = false

### Use servers implementing the specific protocol
dnscrypt_servers = false
odoh_servers = false
doh_servers = true

### You can choose other servers from public resolver list that is fastest for you
##go to: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
#or for easier readable & searchable server database: https://theummahentrepreneur.notion.site/DNScrypt-DOH-servers-75553dc433194fd1a4e641f4918611ab
##(not all servers support anonymized DNS feature). Using dnscrypt.ca-1 as example that supports it

### For oDoH, REPLACE cloudflare/cloudflare-ipv6 with 'odoh-cloudflare'
### For DoH(dnscrypt) and anonymized dns, REPLACE cloudflare/cloudflare-ipv6 with 'dnscrypt.ca-1'
### For DoH(dnscrypt) and anonymized dns with Cloudflare, only ADD 'dnscrypt.ca-1' to server_names
server_names = ['cloudflare', 'cloudflare-ipv6']
### Example of Quad9 DNS servers with Quad9_DNScrypt anonymized servers:
#server_names = ['quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip6-filter-pri']

### Servers ###
### For more sources and resolver lists: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/DNS-server-sources
[sources]
  [sources.'public-resolvers']
  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

### Anonymized DNS relays ####
  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md']
  cache_file = '/var/cache/dnscrypt-proxy/relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

### oDoH server and relay is already set here. For more servers and relays
##go to: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH
### For DoH(dnscrypt) server with anonymized DNS, replace odoh-cloudflare with 'dnscrypt.ca-1'
### For DoH(dnscrypt) relays set to ['*'] for random server(could get a slow 1)
##or choose a relay server that is fastest for you: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/relays.md
[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-koki-ams', 'odohrelay-crypto-sx']}
]

### ODoH (Oblivious DoH) servers and relays ###
  [sources.'odoh-servers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = '/var/cache/dnscrypt-proxy/odoh-servers.md'
  refresh_delay = 72
  prefix = ''
  [sources.'odoh-relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = '/var/cache/dnscrypt-proxy/odoh-relays.md'
  refresh_delay = 72
  prefix = ''

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
```

Docker version

Hi, thanks for a great project.
Would you mind making a Docker version of this project?
Or a tutorial on how to use it with AdGuard (Docker)?

Help

Does it work on a VPS with Ubuntu?

Auto update for pi

Operating System: 64-bit
Project: AdGuard Home
Platform: Linux
Browser: Other
Issue: Other (explain in description)

Issue Description

Hello

Does the crontab config for auto-updating the Pi work on Ubuntu?

Thanks for answer.

AdGuard - CloudFlare - DoH sporadically Yes via 1.1.1.1/help

Operating System: 64-bit
Project: Cloudflare
Platform: Mac, iOS
Browser: Chrome, Other
Issue: Not working, Other (explain in description)

Issue Description

The first time you set up Cloudflare and point AdGuard to it, there seems to be no issue at all.
Even the 1.1.1.1/help test is always consistent and indicates Yes for DoH and DoT.

But if a restart or shutdown happens, then for some reason the status of cloudflared, when checked in the terminal, shows the following:

```
flared[609]: 2022-04-30T10:48:21Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
Apr 30 16:18:21 eltonsraspberrypi cloudflared[609]: 2022-04-30T10:48:21Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
Apr 30 16:18:21 eltonsraspberrypi cloudflared[609]: 2022-04-30T10:48:21Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
Apr 30 16:18:21 eltonsraspberrypi cloudflared[609]: 2022-04-30T10:48:21Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
Apr 30 16:18:21 eltonsraspberrypi cloudflared[609]: 2022-04-30T10:48:21Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
Apr 30 16:18:21 eltonsraspberrypi cloudflared[609]: 2022-04-30T10:48:21Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
Apr 30 16:18:21 eltonsraspberrypi cloudflared[609]: 2022-04-30T10:48:21Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
Apr 30 16:18:22 eltonsraspberrypi cloudflared[609]: 2022-04-30T10:48:22Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
Apr 30 16:18:22 eltonsraspberrypi cloudflared[609]: 2022-04-30T10:48:22Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
Apr 30 16:29:14 eltonsraspberrypi cloudflared[609]: 2022-04-30T10:59:14Z ERR failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="faile>
```

These warnings can be 3 - 10 in number.
If you stop the cloudflared service and restart it, the warning goes away. But eventually it reappears.

Now the odd part is that around the same time this happens, the 1.1.1.1/help test sporadically gives Yes for DoH when tested in the Safari and Chrome browsers, compared to initially, and either way the cache was cleared.


I have searched multiple forums but no one’s solution seems to stick.

Also, moving away from “Parallel Requests” to “Fastest IP Address” the issue goes away, but the speed of fetching web content is reduced by a small amount.

Updating block lists

Operating System: Raspberry Pi
Architecture: 64-bit
Platform: Linux
Project: AdGuard Home
Browser: Other
Issue: Other (explain in description)

Issue Description

I added all the URLs with the Python script. Do these block lists get updated with new URLs automatically, or is there a script that can be run to keep all block lists up to date? I remember with Pi-hole I used to run a script to update all block lists.

Unbound doesn't work with DNScrypt-proxy (ssl handshake failed crypto error)

Operating System: DietPi
Architecture: 64-bit
Platform: Linux
Project: Unbound, DNScrypt
Browser: Firefox, Chrome, Other
Issue: Other (explain in description)

Issue Description

I believe I'm having the same issue as #59, but I didn't want to necro.

Both Unbound and DNScrypt-proxy are running on the same Pi. Unbound is running on port 5335, DNScrypt-proxy on 6053. If I `dig google.com @127.0.0.1 -p 6053`, Google resolves to an IP.

If I attempt to `dig google.com @127.0.0.1 -p 5335` with the config below, I don't get an answer. I just trimmed it to what I believe is relevant. Only DNScrypt's forward-addrs are uncommented.

```
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
  name: "."
  forward-tls-upstream: yes
  # DNScrypt proxy
  forward-addr: 127.0.0.1@6053
  forward-addr: ::1@6053
```

Checking the logs with verbosity at 1, I get a lot of:

```
DietPi unbound[1944]: [1944:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
DietPi unbound[1944]: [1944:0] notice: ssl handshake failed 127.0.0.1 port 6053
DietPi unbound[1944]: [1944:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
DietPi unbound[1944]: [1944:0] notice: ssl handshake failed ::1 port 6053
```

If I set `forward-tls-upstream` to `no`, `dig google.com @127.0.0.1 -p 5335` now resolves.

So what I suspect is that when forward-tls-upstream is yes, Unbound is correctly attempting to DoT to DNScrypt-proxy, but DNScrypt-proxy only works with regular DNS requests, giving us the ssl handshake failed crypto error. I don't believe there is a way to make it so Unbound does not attempt this for a single forward-addr, only at a forward-zone level, and I think you can only have one "." forward-zone. Unbound correctly resolves domains when configured with the other forward-addrs (I can't speak for Stubby).

I am not intimately familiar with these technologies, so I admit I could be entirely wrong about this. If I'm not, then the Unbound and DNScrypt config section needs to be updated. Also, if DNScrypt would then not be accessed only by Unbound, then it's probably best to enable DNScrypt's caching. Or maybe keep caching disabled and also disable Unbound and have AdGuard Home/Pi-hole handle caching.

If Unbound can make DoH requests then maybe you can setup DNScrypt to accept DoH requests and then still have DNScrypt handle the related. I believe you can make Unbound accept DoH requests, but I don't know if it can make DoH requests itself.

Thanks!

Web page very slow to load

Hi,

I had followed the previous guide without Stubby on a Raspberry Pi and it was great. This time, I'm using a new one with the new setup and I notice that it takes a very long time to load web pages. If I add another server (9.9.9.9 for instance) to the upstream DNS, then everything is fine.

The average process time is less than 10ms though, so I'm not sure which part is guilty of the slowness. Could Unbound/Stubby cause the issue?

Could you give me any hint towards troubleshooting this?

Thanks!

Unbound self-compiling from latest source

Operating System: Ubuntu, Other (explain in description)
Architecture: 64-bit
Platform: Linux
Project: Unbound
Browser: Other
Issue: No response

Issue Description

OS: Ubuntu and Debian from VPS

Hi, I'm trying to self-compile Unbound from source following the steps in the wiki but encounter this error:

```
wireshark@localhost:~/unbound-1.17.0$ ./configure --prefix=/usr --sysconfdir=/etc --with-conf-file=/etc/unbound/unbound.conf.d/unbound.conf --with-run-dir=/var/lib/unbound --with-rootkey-file=/var/lib/unbound/root.key --enable-subnet --enable-ipset --enable-cachedb --enable-checking --with-libhiredis --with-libevent --enable-systemd
```

checking for SYSTEMD... no
checking for SYSTEMD_DAEMON... no
configure: error: systemd enabled but libsystemd not found

Tried again on a clean Ubuntu instance, running as root and with sudo, reinstalling libsystemd and downgrading to 1.16.0, but still the same error.

Next I tried removing the --enable-systemd flag and got through swiftly till the service part, which I can't seem to get working.

Website stops loading due to DNS

Operating System

Ubuntu

Architecture

64-bit

Platform

Windows, Android

Project

AdGuard Home, Unbound, DNScrypt

Browser

Brave, Edge

Issue

Other (explain in description)

Issue Description

Hi, I am facing an issue where sites stop loading due to a DNS issue.

Example - www.1337x.to stops loading and displays an error message "1337x.to’s DNS address could not be found. Diagnosing the problem. DNS_PROBE_POSSIBLE"


Occurrence - Occasional!

I have been using this setup for the past 6 months and I started facing this problem last week.
This happened about 30 mins ago and before that I was able to use the website. I tried flushing the Windows DNS cache and the browser's cache but the issue persists.

Browsers tested - Brave (Windows & Android), Edge.

Using DNScrypt for DoH and here are the logs - query.log

It seems the browser is querying and getting a response, but the website might have moved to a different IP, hence it is not able to load.

Fix - When using 1.1.1.1 as DNS, website loads just fine.

Do let me know if you require any other info in resolving the issue.

Thank you.

Adguard home all interface

Operating System

Raspberry Pi

Architecture

64-bit

Platform

Linux

Project

AdGuard Home

Browser

Chrome

Issue

Not working

Issue Description

Hi.

Currently I'm using a Pi Zero 2 W.
Is it possible to let AdGuard listen on all interfaces, since Tailscale is not working when it listens only on wlan0? Just like Pi-hole's "permit all origins"?
I already tried editing adguard.yaml and setting the DNS interface to 0.0.0.0, and the DNS service won't start.

More complete tutorial for Adguard+Wireguard+Knot+DnsCrypt(oDoH)

For those of us with a little less networking and Linux know-how, would it be possible to get a more complete example of this setup?
It seems there are a few ports that conflict, and I'm not 100% on what passes what to what, or what settings need to be set in AdGuard.
On paper, I like the sound of Knot better than Unbound, and I like oDoH more than DoH/Cloudflared, but in practice it's a little advanced.

Thanks

Adguard + Unbound not working properly

First of all, thank you for this great guide! I've been looking for something simple and there it was!

I've been following the guide to the letter, but the configuration doesn't seem to work on my Raspberry Pi.

In Adguard, when I change the DNS to 127.0.0.1:53 and 5053, I get the message "impossible to use this server, please check the name". I tried to change it to the IP of my Pi as 192.168.0.XXX, same error (in French, sorry):

2021-11-23 13_56_20-AdGuard Home

I've looked into the unbound.conf file and couldn't find any reference to port 5053, which made me wonder if I missed a step in the whole configuration. AdGuard is already listening on port 53, so how does it work for Unbound?

Thanks a lot for your help!

Turn off DNSStubListener

Using this setup with systemd-resolved's DNSStubListener=off seems to improve DNS resolving, but it still does not make sense to have it on anyway alongside other DNS stub resolvers.

Turn off in resolved.conf and reboot:

sudo nano /etc/systemd/resolved.conf

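A small POSIX shell helper, added here and not part of the original post, that applies the same change without hand-editing: it rewrites DNSStubListener to no in a resolved.conf-style file idempotently and is exercised on a constructed copy first. The function names and sample file contents are assumptions; the real target is /etc/systemd/resolved.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: apply DNSStubListener=no
# to a resolved.conf-style file idempotently. Function names and the
# sample file contents are constructed; the real target is
# /etc/systemd/resolved.conf.
set -eu

# set_stub_listener FILE
# Leaves exactly one active "DNSStubListener=no" line in FILE. An
# existing line (commented out or not, e.g. "#DNSStubListener=yes") is
# rewritten in place and later duplicates are dropped; if the key is
# absent it is added directly under [Resolve].
set_stub_listener() {
    file="$1"
    tmp="$file.tmp"
    if grep -Eq '^[#[:space:]]*DNSStubListener=' "$file"; then
        awk '/^[# \t]*DNSStubListener=/ {
                 if (!seen) { print "DNSStubListener=no"; seen = 1 }
                 next
             }
             { print }' "$file" > "$tmp"
    elif grep -q '^\[Resolve\]' "$file"; then
        awk '{ print }
             /^\[Resolve\]/ && !done { print "DNSStubListener=no"; done = 1 }' \
            "$file" > "$tmp"
    else
        { cat "$file"; printf '[Resolve]\nDNSStubListener=no\n'; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# stub_listener_value FILE: print the active (uncommented) value, or "unset".
stub_listener_value() {
    v=$(grep -E '^[[:space:]]*DNSStubListener=' "$1" | tail -n 1 | cut -d= -f2)
    printf '%s\n' "${v:-unset}"
}

# Dry run on a constructed copy before touching the real file.
demo=$(mktemp)
printf '[Resolve]\n#DNS=\n#DNSStubListener=yes\n' > "$demo"
set_stub_listener "$demo"
stub_listener_value "$demo"   # no
rm -f "$demo"

# On the host (as root), then restart the resolver so port 53 is released:
#   set_stub_listener /etc/systemd/resolved.conf
#   systemctl restart systemd-resolved
```

With the stub listener off, systemd-resolved stops binding 127.0.0.53:53, so it no longer competes with AdGuard Home or Unbound for port 53.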
