Re: Updating Unbound from 1.9.0 to latest version ?

2024-01-30 Thread Gil Levy via Unbound-users
Hi Jon,

Thanks. This didn't update much. Only a Python package. I'm still stuck
with Unbound 1.9.0.
The Pihole community doesn't assist with updating things they didn't
develop. I searched there already :)

Cheers,
Gil

On Mon, 29 Jan 2024 at 00:04, Jon Murphy  wrote:

> Hi Gil,
>
> I am guessing you are *not* using the piHole image . . .
>
> With Debian you can update with:
>
> sudo apt update
> sudo apt list --upgradable
> sudo apt dist-upgrade
>
>
> Be aware this will update most everything Debian on the device running
> pihole.  (It won’t update the OS from 10 to 11)
>
> The pihole community is better for these types of questions.  See
> https://discourse.pi-hole.net
>
>
>
> On Jan 28, 2024, at 3:04 PM, Gil Levy via Unbound-users <
> unbound-users@lists.nlnetlabs.nl> wrote:
>
> Dear community,
>
> I'm using my Pihole with Unbound 1.9.0.
>
> PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
> NAME="Raspbian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=raspbian
>
> The OS repo doesn't provide any updates for Unbound.
>
> Is there any benefit to update to the latest version?
>
> Where can I get a file to install the latest on my PiHole?
>
>
> Thank you!
>
>
>


Updating Unbound from 1.9.0 to latest version ?

2024-01-28 Thread Gil Levy via Unbound-users
Dear community,

I'm using my Pihole with Unbound 1.9.0.

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian

The OS repo doesn't provide any updates for Unbound.

Is there any benefit to update to the latest version?

Where can I get a file to install the latest on my PiHole?


Thank you!


remote control failed ssl crypto error

2023-09-24 Thread Gil Levy via Unbound-users
Running Unbound 1.18.0 on my Pihole RPi device.
I get this error:

 tail -n 20 /etc/unbound/unbound.log
Sep 24 18:57:22 unbound[6565:0] info: generate keytag query _ta-4f66. NULL
IN
Sep 24 18:59:03 unbound[6565:0] notice: failed connection from 127.0.0.1
port 52304
Sep 24 18:59:03 unbound[6565:0] error: remote control failed ssl crypto
error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Sep 24 18:59:03 unbound[6565:0] info: service stopped (unbound 1.18.0).


Troubleshooting SERVFAIL

2023-09-24 Thread Gil Levy via Unbound-users
Upon trying to reach the domain Attenix Login 
I encounter SERVFAIL

dig saas.attenix.co.il

; <<>> DiG 9.16.1-Ubuntu <<>> saas.attenix.co.il
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18269
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;saas.attenix.co.il.            IN      A

;; Query time: 19 msec
;; SERVER: 172.19.0.1#53(172.19.0.1)
;; WHEN: Sun Sep 24 09:56:56 IDT 2023
;; MSG SIZE  rcvd: 47

I'm using unbound on my Pihole device.
I do not block this domain using pihole. This is only a DNS setup issue,
but I'm not sure how to fix this.

Appreciate your help.


Unbound v13 - error: udp connect failed

2021-01-28 Thread Gil Levy via Unbound-users
Hi.
I'm getting udp connection failed and I'm not sure if this is normal or not.
I pasted below a link to the entire output of the 'status' command.

#: sudo systemctl status unbound
https://pastebin.com/5p9PvJj4

*Example: *Jan 29 15:02:47 raspberrypi unbound-anchor[451]: [1611892967]
libunbound[451:0] error: udp connect failed: Network is unreachable for
198.41.0.4 port 53


Thanks!


Re: Getting SERVFAIL when trying to reach .co.il domains

2021-01-01 Thread Gil Levy via Unbound-users
Thanks, guys!
I'm running chroot on /etc/unbound.

I followed this guide to compile unbound on my machine:
https://pastebin.com/UUjss5aY
Some initial values there made use of /etc/unbound instead of
/var/log/unbound so after I compiled unbound-1.13.0, I changed the paths to
point to /var/log/unbound

The log file user is set to unbound with write permissions, but seems it's
not aware of its location (?)
The *unbound-checkconf* command is failing as well. It feels like the
solution is not complicated, yet I'm unsure how to fix it or if I should
try to compile all over again.
I'd rather try to fix it, if it's ok to ask for such type of help over this
thread.

*pi@raspberrypi:/etc/unbound $* grep chroot unbound.conf
*chroot*: "/etc/unbound"

*pi@raspberrypi:/etc/unbound $* ls -l /var/log/unbound/unbound.log
-rw-r--r-- 1 unbound unbound 5553 Oct 21 00:16 /var/log/unbound/unbound.log

*pi@raspberrypi:/etc/unbound $* unbound-checkconf
/etc/unbound/var/log/unbound: *No such file or directory*
[1609510296] unbound-checkconf[2288:0] *fatal error*: logfile directory
does not exist

*pi@raspberrypi:/etc/unbound $* sudo systemctl status unbound
● unbound.service - Unbound DNS resolver
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor
preset: enabled)
   *Active: active* (running) since Sat 2021-01-02 00:46:44 AEDT; 25min ago
  Process: 457 ExecStartPre=/usr/sbin/unbound-anchor -r
/etc/unbound/root.hints -a /etc/unbound/root.key (code=exited,
status=0/SUCCESS)
 Main PID: 483 (unbound)
Tasks: 1 (limit: 2063)
   CGroup: /system.slice/unbound.service
   └─483 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d

Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0]
error: udp connect failed: Network is unreachable for 199.7.83.42 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0]
error: udp connect failed: Network is unreachable for 198.41.0.4 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0]
error: udp connect failed: Network is unreachable for 199.7.91.13 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0]
error: udp connect failed: Network is unreachable for 198.97.190.53 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0]
error: udp connect failed: Network is unreachable for 199.7.91.13 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0]
error: udp connect failed: Network is unreachable for 193.0.14.129 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0]
error: udp connect failed: Network is unreachable for 199.7.91.13 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0]
error: udp connect failed: Network is unreachable for 192.33.4.12 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0]
error: udp connect failed: Network is unreachable for 192.58.128.30 port 53
Jan 02 00:46:50 raspberrypi unbound[483]: [1609508810] unbound[483:0] info:
generate keytag query _ta-4f66. NULL IN

*pi@raspberrypi:/etc/unbound $* sudo lsof -i :53
COMMAND   PID USER    FD   TYPE DEVICE SIZE/OFF NODE NAME
pihole-FT 829 pihole  4u   IPv4  27749      0t0  UDP *:domain
pihole-FT 829 pihole  5u   IPv4  27750      0t0  TCP *:domain (LISTEN)
pihole-FT 829 pihole  6u   IPv6  27751      0t0  UDP *:domain
pihole-FT 829 pihole  7u   IPv6  27752      0t0  TCP *:domain (LISTEN)

On Sat, 2 Jan 2021 at 01:05, Jaap Akkerhuis  wrote:

>  Joe Abley via Unbound-users writes:
>
>
>  >
>  > On Jan 1, 2021, at 14:15, Gil Levy via Unbound-users <
> unbound-users@lists.nlnetlabs.nl> wrote:
>  >
>  > >> Are you running unbound in a chroot(8)?
>  > > I don't know how to check that.
>  >
>  > man chroot
>  >
>  > for a better description of what chroot does, and how the
> interpretation of
>  > absolute pathnames differs inside and outside the chroot namespace.
>  >
>  > man man
>  >
>  > if you're unfamiliar with how manual pages are organised. If you don't
> have
>  > manual pages installed and can't add them as a package, it should not
> be hard
>  >  to find collections of manual pages for your particular distribution
> if you
>  >  search for them.
>  >
>  > grep chroot unbound.conf
>
> For a running unbound, do
>
> unbound-control get_option chroot
>
> to get the value it is using.
>
>  > seems like a reasonable place to start to find configuration options in
> your
>  >  environment that relate to chroot. You might also refer to the unbound
>  > documentation to understand the defaults and the specific meaning of
> individual
>  > parameters.
>
> Especially take notice what
>
> man unbound.conf
>
> tells you about the interaction between chroot and abso
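
The path rule behind the unbound-checkconf failure in the message above, as an added example that is not part of the thread: with chroot set, an absolute path that does not start with the chroot directory is looked up underneath it. The function names and the sample configuration are constructed for illustration; the rules follow unbound.conf(5).

```sh
#!/bin/sh
# Added example (not from the thread): show where unbound.conf path options
# land on the host filesystem once "chroot:" is applied.

# conf_get FILE KEY: value of the last "KEY: value" line, quotes removed.
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# host_path CHROOT PATH: host-side location of an absolute PATH.
host_path() {
    hp_root=${1%/}
    case $2 in
        # Written relative to the original root: already a host path
        # (unbound removes the chroot prefix internally).
        "$hp_root"|"$hp_root"/*) printf '%s\n' "$2" ;;
        # Anything else is taken relative to the new root.
        *) printf '%s%s\n' "$hp_root" "$2" ;;
    esac
}

# resolve CHROOT DIRECTORY VALUE: relative values hang off "directory:".
resolve() {
    case $3 in
        /*) host_path "$1" "$3" ;;
        *)  printf '%s/%s\n' "$(host_path "$1" "$2")" "$3" ;;
    esac
}

# check_conf FILE: print each path option with its host location and whether
# the parent directory exists. Returns the number of missing directories.
check_conf() {
    cc_root=$(conf_get "$1" chroot)
    cc_dir=$(conf_get "$1" directory)
    cc_bad=0
    for cc_key in logfile pidfile root-hints auto-trust-anchor-file; do
        cc_val=$(conf_get "$1" "$cc_key")
        [ -n "$cc_val" ] || continue
        cc_host=$(resolve "$cc_root" "$cc_dir" "$cc_val")
        if [ -d "$(dirname "$cc_host")" ]; then
            cc_state=ok
        else
            cc_state=MISSING
            cc_bad=$((cc_bad + 1))
        fi
        printf '%-24s %s -> %s [%s]\n' "$cc_key:" "$cc_val" "$cc_host" "$cc_state"
    done
    return "$cc_bad"
}

# Constructed sample mirroring the thread: chroot is /etc/unbound and the
# logfile is written as /var/log/unbound/unbound.log.
demo=$(mktemp -d)
cat > "$demo/unbound.conf" <<'EOF'
server:
    chroot: "/etc/unbound"
    directory: "/etc/unbound"
    logfile: "/var/log/unbound/unbound.log"
    pidfile: "/etc/unbound/unbound.pid"
EOF
check_conf "$demo/unbound.conf" || echo "$? path(s) point at a missing directory"
rm -rf "$demo"
```

For the configuration in this thread the logfile line maps to /etc/unbound/var/log/unbound/unbound.log, whose directory is the one unbound-checkconf reports as missing.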

Re: Getting SERVFAIL when trying to reach .co.il domains

2021-01-01 Thread Gil Levy via Unbound-users
>
> But apparently your unbound.conf file indicates it's here:
> >> /etc/unbound/var/log/unbound
>

This has already been fixed in my unbound.conf file (see here: unbound.conf
<https://pastebin.com/GsA8GtJF>), but it still errors: *error: Could not
open logfile /var/log/unbound/unbound.log: No such file or directory*

>
> See the difference?
> Are you running unbound in a chroot(8)?

I don't know how to check that.


On Fri, 1 Jan 2021 at 22:23, Unbound  wrote:

> On 2021-01-01 03:06, Gil Levy via Unbound-users wrote:
> > Thanks, Daisuke.
> >
> > However, I'm past that line. While I will change the settings as you
> kindly
> > suggested (thank you for that), I'm encountering other issues which
> disable
> > me from using Unbound.
> > I shot an email earlier today with the following:
> >
> >
> >>
> >>1. Cannot open log file (despite it's configured in unbound.conf)
> >>2. Cannot use the unbound-checkconf utility
> >>
> >> I provided a link to my config file at the bottom.
> >> Appreciate your help!
> >>
> >> Gil
> >>
> >>
> >> *pi@raspberrypi:/etc/unbound $ sudo systemctl status unbound*
> >> ● unbound.service - Unbound DNS resolver
> >>Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor
> >> preset: enabled)
> >>Active: active (running) since Fri 2021-01-01 10:44:56 AEDT; 19min
> ago
> >>   Process: 456 ExecStartPre=/usr/sbin/unbound-anchor -r
> >> /etc/unbound/root.hints -a /etc/unbound/root.key (code=exited,
> >> status=0/SUCCESS)
> >>  Main PID: 481 (unbound)
> >> Tasks: 1 (limit: 2063)
> >>CGroup: /system.slice/unbound.service
> >>└─481 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d
> >>
> >> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> >> libunbound[456:0] error: udp connect failed: Network is unreachable for
> >> 198.41.0.4 port 53
> >> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> >> libunbound[456:0] error: udp connect failed: Network is unreachable for
> >> 192.33.4.12 port 53
> >> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> >> libunbound[456:0] error: udp connect failed: Network is unreachable for
> >> 2001:dc3::35 port 53
> >> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> >> libunbound[456:0] error: udp connect failed: Network is unreachable for
> >> 2001:500:1::53 port 53
> >> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> >> libunbound[456:0] error: udp connect failed: Network is unreachable for
> >> 2001:500:9f::42 port 53
> >> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> >> libunbound[456:0] error: udp connect failed: Network is unreachable for
> >> 199.7.91.13 port 53
> >> Jan 01 10:44:56 raspberrypi unbound[481]: [1609458296] unbound[481:0]
> >> *error:
> >> Could not open logfile /var/log/unbound/unbound.log: No such file or
> >> directory*
> >> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
> >> notice: init module 0: validator
> >> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
> >> notice: init module 1: iterator
> >> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
> >> info: start of service (unbound 1.13.0).
> >>
> >> pi@raspberrypi:/var/log/unbound $ ls
> >> unbound.log
> >>
> >> pi@raspberrypi:/etc/unbound $ unbound-checkconf
> /etc/unbound/unbound.conf
> >> /etc/unbound/var/log/unbound: *No such file or directory*
> ^^^
> I won't speak for all your woes. But this line (above) says it all.
> On one hand you indicate your log file is located here:
> >> pi@raspberrypi:/var/log/unbound $ ls
> >> unbound.log
> But apparently your unbound.conf file indicates it's here:
> >> /etc/unbound/var/log/unbound
>
> See the difference?
> Are you running unbound in a chroot(8)?
>
> >> [1609459551] unbound-checkconf[1316:0] fatal error: logfile directory
> >> does not exist
> >>
> >> pi@raspberrypi:/etc/unbound $ ls
> >> root.hints  root.key  root.zone  unbound.conf  unbound_control.key
> >>  unbound_control.pem  unbound.log  unbound.pid  unbound_server.key
> >>  unbound_server.pem
> >>
> >> *unbound.conf* here -> https://pastebin.com/ZAUVFVEF
> >>
> >
> > Any ideas what should I do? I'm really lost here and would like to keep
> > using unbound.
> >
> > Thanks in advance.
> >
> > On Fri, 1 Jan 2021 at 20:29, Daisuke HIGASHI 
> > wrote:
> >
> >> Hi,
> >>
> >> ".co.il" and ".il"  (seemingly under DNSSEC algorithm rollover) have
> >> several errors. Current versions of Unbound in default configuration
> >> tolerate them, but in a specific configuration Unbound could make
> >> fatal errors.
> >>
> >> Assuming [1] is your configuration file, the offending line is:
> >>
> >> >   harden-algo-downgrade: yes
> >>
> >> "harden-algo-downgrade: no" (this is the current default value) makes
> >> Unbound tolerant.
> >>
> >> [1] https://pastebin.com/ZAUVFVEF
> >>
>


Re: Getting SERVFAIL when trying to reach .co.il domains

2021-01-01 Thread Gil Levy via Unbound-users
Thanks, Daisuke.

However, I'm past that line. While I will change the settings as you kindly
suggested (thank you for that), I'm encountering other issues which disable
me from using Unbound.
I shot an email earlier today with the following:


>
>1. Cannot open log file (despite it's configured in unbound.conf)
>2. Cannot use the unbound-checkconf utility
>
> I provided a link to my config file at the bottom.
> Appreciate your help!
>
> Gil
>
>
> *pi@raspberrypi:/etc/unbound $ sudo systemctl status unbound*
> ● unbound.service - Unbound DNS resolver
>Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor
> preset: enabled)
>Active: active (running) since Fri 2021-01-01 10:44:56 AEDT; 19min ago
>   Process: 456 ExecStartPre=/usr/sbin/unbound-anchor -r
> /etc/unbound/root.hints -a /etc/unbound/root.key (code=exited,
> status=0/SUCCESS)
>  Main PID: 481 (unbound)
> Tasks: 1 (limit: 2063)
>CGroup: /system.slice/unbound.service
>└─481 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d
>
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 198.41.0.4 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 192.33.4.12 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 2001:dc3::35 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 2001:500:1::53 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 2001:500:9f::42 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 199.7.91.13 port 53
> Jan 01 10:44:56 raspberrypi unbound[481]: [1609458296] unbound[481:0] *error:
> Could not open logfile /var/log/unbound/unbound.log: No such file or
> directory*
> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
> notice: init module 0: validator
> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
> notice: init module 1: iterator
> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
> info: start of service (unbound 1.13.0).
>
> pi@raspberrypi:/var/log/unbound $ ls
> unbound.log
>
> pi@raspberrypi:/etc/unbound $ unbound-checkconf /etc/unbound/unbound.conf
> /etc/unbound/var/log/unbound: *No such file or directory*
> [1609459551] unbound-checkconf[1316:0] fatal error: logfile directory
> does not exist
>
> pi@raspberrypi:/etc/unbound $ ls
> root.hints  root.key  root.zone  unbound.conf  unbound_control.key
>  unbound_control.pem  unbound.log  unbound.pid  unbound_server.key
>  unbound_server.pem
>
> *unbound.conf* here -> https://pastebin.com/ZAUVFVEF
>

Any ideas what should I do? I'm really lost here and would like to keep
using unbound.

Thanks in advance.

On Fri, 1 Jan 2021 at 20:29, Daisuke HIGASHI 
wrote:

> Hi,
>
> ".co.il" and ".il"  (seemingly under DNSSEC algorithm rollover) have
> several errors. Current versions of Unbound in default configuration
> tolerate them, but in a specific configuration Unbound could make
> fatal errors.
>
> Assuming [1] is your configuration file, the offending line is:
>
> >   harden-algo-downgrade: yes
>
> "harden-algo-downgrade: no" (this is the current default value) makes
> Unbound tolerant.
>
> [1] https://pastebin.com/ZAUVFVEF
>


Trying to run unbound-1.13.0 after compiling on RaspberryOS

2020-12-31 Thread Gil Levy via Unbound-users
Happy new year everyone! :)

After a failure in accessing .co.il domains with unbound 1.9.0, I decided
to give it a go and compile unbound 1.13.0 on my RaspberryOS (Debian
Buster).

I'm encountering issues that I'm out of ideas on how to solve.

   1. Cannot open log file (despite it's configured in unbound.conf)
   2. Cannot use the unbound-checkconf utility

I provided a link to my config file at the bottom.
Appreciate your help!

Gil


*pi@raspberrypi:/etc/unbound $ sudo systemctl status unbound*
● unbound.service - Unbound DNS resolver
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor
preset: enabled)
   Active: active (running) since Fri 2021-01-01 10:44:56 AEDT; 19min ago
  Process: 456 ExecStartPre=/usr/sbin/unbound-anchor -r
/etc/unbound/root.hints -a /etc/unbound/root.key (code=exited,
status=0/SUCCESS)
 Main PID: 481 (unbound)
Tasks: 1 (limit: 2063)
   CGroup: /system.slice/unbound.service
   └─481 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d

Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
libunbound[456:0] error: udp connect failed: Network is unreachable for
198.41.0.4 port 53
Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
libunbound[456:0] error: udp connect failed: Network is unreachable for
192.33.4.12 port 53
Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
libunbound[456:0] error: udp connect failed: Network is unreachable for
2001:dc3::35 port 53
Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
libunbound[456:0] error: udp connect failed: Network is unreachable for
2001:500:1::53 port 53
Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
libunbound[456:0] error: udp connect failed: Network is unreachable for
2001:500:9f::42 port 53
Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
libunbound[456:0] error: udp connect failed: Network is unreachable for
199.7.91.13 port 53
Jan 01 10:44:56 raspberrypi unbound[481]: [1609458296] unbound[481:0] *error:
Could not open logfile /var/log/unbound/unbound.log: No such file or
directory*
Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
notice: init module 0: validator
Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
notice: init module 1: iterator
Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0] info:
start of service (unbound 1.13.0).

pi@raspberrypi:/var/log/unbound $ ls
unbound.log

pi@raspberrypi:/etc/unbound $ unbound-checkconf /etc/unbound/unbound.conf
/etc/unbound/var/log/unbound: *No such file or directory*
[1609459551] unbound-checkconf[1316:0] fatal error: logfile directory does
not exist

pi@raspberrypi:/etc/unbound $ ls
root.hints  root.key  root.zone  unbound.conf  unbound_control.key
 unbound_control.pem  unbound.log  unbound.pid  unbound_server.key
 unbound_server.pem

*unbound.conf* here -> https://pastebin.com/ZAUVFVEF


Re: Getting SERVFAIL when trying to reach .co.il domains

2020-12-31 Thread Gil Levy via Unbound-users
Does that mean that the problem is not with my network?

I don't know how to compile the latest build of unbound for Pihole using
RaspberryOS (Debian)


Thanks for the info.

On Thu, 31 Dec 2020 at 23:39, Havard Eidnes  wrote:

> > Using Unbound 1.9.0 on Raspberry Pi with Pihole.
> >
> > Since two days ago I cannot access .co.il domains, such as hwzone.co.il
> or
> > ynet.co.il.
>
> The analysis tool at https://dnsviz.net/ seems to indicate there's a
> problem with the DNSSEC setup for both .IL and .CO.IL, ref.
>
> https://dnsviz.net/d/hwzone.co.il/dnssec/
>
> The recurring message seems to be that e.g. the DNSKEY RRset for .IL
> includes a key with algorithm 13 (ECDSAP256SHA256), but no
> corresponding RRSIG can be found, and the same for the .CO.IL domain.
>
> Whether that should be a fatal error is another matter, it probably
> should not, as long as there exists other keys where there exists a
> matching RRSIG.  Newer unbound (e.g. 1.12.0) does not make this a
> fatal error, and resolves those names just fine.
>
> Regards,
>
> - Håvard
>


Re: Getting SERVFAIL when trying to reach .co.il domains

2020-12-31 Thread Gil Levy via Unbound-users
Hi Joe,

Thanks for the reply!
The verbosity of Unbound is set to 3 and all I get is:

pi@raspberrypi:/var/log $ tail -f syslog
Dec 31 23:13:31 raspberrypi avahi-daemon[363]: Registering new address
record for 192.168.1.2 on eth0.IPv4.
Dec 31 23:13:31 raspberrypi dbus-daemon[300]: [system] Successfully
activated service 'org.freedesktop.hostname1'
Dec 31 23:13:31 raspberrypi systemd[1]: Started Hostname Service.
Dec 31 23:13:35 raspberrypi systemd[1]: systemd-rfkill.service: Succeeded.
Dec 31 23:13:39 raspberrypi dhcpcd[380]: eth0: no IPv6 Routers available
Dec 31 23:13:52 raspberrypi systemd[1]: systemd-fsckd.service: Succeeded.
Dec 31 23:14:04 raspberrypi systemd-timesyncd[284]: Synchronized to time
server for the first time 217.147.208.1:123 (2.debian.pool.ntp.org).
Dec 31 23:14:11 raspberrypi systemd[1]: systemd-hostnamed.service:
Succeeded.
Dec 31 23:14:51 raspberrypi systemd[1]: Started Session 6 of user pi.
Dec 31 23:15:14 raspberrypi systemd[1]: Started Session 7 of user pi.
Dec 31 23:16:05 raspberrypi systemd[1]: Started Session 8 of user pi.
Dec 31 23:16:17 raspberrypi systemd[1]: Stopping Unbound DNS server via
resolvconf...
Dec 31 23:16:17 raspberrypi package-helper[978]: Too few arguments.
Dec 31 23:16:17 raspberrypi systemd[1]: unbound-resolvconf.service:
Succeeded.
Dec 31 23:16:17 raspberrypi systemd[1]: Stopped Unbound DNS server via
resolvconf.
Dec 31 23:16:17 raspberrypi systemd[1]: Stopping Unbound DNS server...
Dec 31 23:16:17 raspberrypi systemd[1]: unbound.service: Succeeded.
Dec 31 23:16:17 raspberrypi systemd[1]: Stopped Unbound DNS server.
Dec 31 23:16:17 raspberrypi systemd[1]: Starting Unbound DNS server...
Dec 31 23:16:17 raspberrypi unbound[1028]: [1609416977] unbound[1028:0]
debug: chdir to /etc/unbound
Dec 31 23:16:17 raspberrypi unbound[1028]: [1609416977] unbound[1028:0]
debug: drop user privileges, run as unbound
Dec 31 23:16:17 raspberrypi unbound[1028]: [1609416977] unbound[1028:0]
debug: switching log to /dev/null
Dec 31 23:16:17 raspberrypi systemd[1]: Started Unbound DNS server.
Dec 31 23:16:18 raspberrypi systemd[1]: Started Unbound DNS server via
resolvconf.
Dec 31 23:16:18 raspberrypi package-helper[1029]: Too few arguments.

> If I was to guess I'd say that you have a full set of servers for some zone
> or other that is causing trouble
>
Sorry, I don't know what it means. I didn't set up anything like that.
I also don't use ipv6.

I don't know why it worked well 2 days ago and now I have this issue.

How do I proceed from here?

Thanks and happy new year! :D

On Thu, 31 Dec 2020 at 23:33, Joe Abley  wrote:

> Hi Gil,
>
> On Dec 31, 2020, at 12:23, Gil Levy via Unbound-users <
> unbound-users@lists.nlnetlabs.nl> wrote:
>
> The tail log of the SERVFAIL can be found here:
> https://textuploader.com/185f0
>
>
> Unless I'm missing something, that log seems to be mainly (entirely?)
> messages from dnsmasq. You probably want to see log messages from unbound
> to shed light on the events leading up to the SERVFAIL that dnsmasq is
> receiving from localhost.
>
> If I was to guess I'd say that you have a full set of servers for some
> zone or other that is causing trouble, e.g. sending repeated SERVFAIL
> responses or timing out, and unbound is putting them all in the penalty box.
>
> The trick in that case will be to determine whether the problem is local
> (e.g. a broken firewall or persistent local routing problem for IPv6) or
> remote (e.g. your resolver or the subnet it's numbered in has been
> blacklisted for some reason).
>
> But this is just wild speculation; you should see what the logs say.
>
> Happy New Year in advance :-)
>
>
> Joe
>


Getting SERVFAIL when trying to reach .co.il domains

2020-12-31 Thread Gil Levy via Unbound-users
Using Unbound 1.9.0 on Raspberry Pi with Pihole.

Since two days ago I cannot access .co.il domains, such as hwzone.co.il or
ynet.co.il.
When I issue # sudo systemctl stop unbound and then # sudo systemctl start
unbound, I can access these sites for a few seconds and then they become
unavailable again.

I tried to isolate the case by using Quad9 DNS instead of Unbound and the
issue resolved.
When I revert back to Unbound, I encounter the same problem.

I also run Unbound on my Oracle cloud Ubuntu instance and I experience the
same issue there.

I use Unbound as the authoritative server, I don't have it set up with
upstream servers.

The tail log of the SERVFAIL can be found here:
https://textuploader.com/185f0

Appreciate any help in troubleshooting this.

Thanks,
Gil


Cannot update Ubuntu

2020-11-11 Thread Gil Levy via Unbound-users
Not sure if it's Unbound related, but this problem appeared after
installing unbound on Ubuntu 20.04 on an Oracle cloud instance.

If I issue #: sudo apt update
I get:
Err:1 http://ap-sydney-1-ad-1.clouds.archive.ubuntu.com/ubuntu focal
InRelease
  Could not connect to 127.0.0.1:8080 (127.0.0.1). - connect (111: Connection refused)


This is my proxy.conf file:
  GNU nano 4.8 proxy.conf
Acquire {
  HTTP::proxy "http://127.0.0.1:8080";
  HTTPS::proxy "http://127.0.0.1:8080";
}

If I set it to 5335 (the port for unbound) then I get:
0% [Waiting for headers] [Waiting for headers] <-- this is stuck.

Did anyone else encounter this?

Thanks.


Am I supposed to see my public IP as the DNS server during leak test?

2020-11-08 Thread Gil Levy via Unbound-users
 No real issue here. Just trying to understand how to read the results.
Using https://ipleak.net I'm seeing that the DNS Address is exactly the
same as my public IP address.

It seems reasonable because I'm running my own DNS server hence my IP is
the DNS, but I just wanted to be sure that this is what I'm supposed to see.

I'm not using a VPN when running this test. Unbound is set as a recursive
server, i.e., I'm not using any forwarding addresses.


Thanks!


Re: fail: the anchor is NOT ok and could not be fixed

2020-10-27 Thread Gil Levy via Unbound-users
Thanks for the detailed explanation!

Are you referring to this area:

do_root_trust_anchor_update() {
    if $ROOT_TRUST_ANCHOR_UPDATE; then
        if [ -n "$ROOT_TRUST_ANCHOR_FILE" ]; then
            if [ -r "$DNS_ROOT_KEY_FILE" ]; then
                if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                    if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" ]; then
                        echo "$ROOT_TRUST_ANCHOR_FILE does not exist, copying from $DNS_ROOT_KEY_FILE"
                    elif [ "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                        echo "Overwriting older file $ROOT_TRUST_ANCHOR_FILE with newer file $DNS_ROOT_KEY_FILE"
                    fi
                    install -m 0644 -o unbound -g unbound "$DNS_ROOT_KEY_FILE" "$ROOT_TRUST_ANCHOR_FILE"
                fi
            fi
            env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
                --chuid unbound:unbound --start \
                --exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true
        fi
    fi
}

Should I add the *-R *to --exec /usr/sbin/unbound-anchor -- -a *-R
*"$ROOT_TRUST_ANCHOR_FILE"
-v || true ?



On Tue, 27 Oct 2020 at 22:29, Bernardo Reino via Unbound-users <
unbound-users@lists.nlnetlabs.nl> wrote:

> On 27/10/2020 09:38, Gil Levy via Unbound-users wrote:
> > Anyone?
> > Still couldn't fix this on boot.
> > Appreciate your help.
> >
> > On Fri, 23 Oct 2020 at 13:51, Gil Levy  > <mailto:just@gmail.com>> wrote:
> >
> > After a system reboot, I get the following message when I run
> > #> sudo systemctl status unbound
> >
> > Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS
> server...
> > Oct 23 13:31:39 raspberrypi package-helper[513]:
> > /var/lib/unbound/root.key has content
> > Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor
> > is NOT ok and could not be fixed*
> > Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> > If I then issue:
> > #> sudo systemctl restart unbound
> > #> sudo systemctl status unbound
> >
> > Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS
> server...
> > Oct 23 13:48:30 raspberrypi package-helper[1294]:
> > /var/lib/unbound/root.key has content
> > Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the
> > anchor is ok*
> > Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> > Why is that?
> > Running unbound 1.9.0 on Debian.
> >
> > Thanks.
>
> As far as I tell unbound 1.9.0 (debian stable) includes this in
> /usr/lib/unbound/package-helper, which supposedly checks the validity of
> the trust anchor file.
>
> env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
>  --chuid unbound:unbound --start \
>  --exec /usr/sbin/unbound-anchor -- -a
> "$ROOT_TRUST_ANCHOR_FILE" -v || true
>
> This call is not present in the package-helper in e.g. unbound 1.12.0
> (debian backports).
>
> It could be that unbound-anchor tries to download the root trust anchor
> but fails because your resolver is set to 127.0.0.1 and unbound is not
> yet running :)
>
> (This would explain why restarting unbound works)
>
> In the man page of unbound-anchor they mention this issue, which can be
> solved by using "-f /path/to/another/resolv.conf" for bootstrapping, or
> using "-R" which allows fallback to querying directly the root servers.
>
> I'd suggest you edit /usr/lib/unbound/package-helper, look for the call
> to unbound-anchor, and add "-R" to the list of options.
>
> Hopefully that will fix it.
> (You can also edit /etc/default/unbound and set
> ROOT_TRUST_ANCHOR_UPDATE=false), which will just omit the (attempt) to
> update.
>
> Good luck.
>


Re: fail: the anchor is NOT ok and could not be fixed

2020-10-27 Thread Gil Levy via Unbound-users
Anyone?
Still couldn't fix this on boot.
Appreciate your help.

On Fri, 23 Oct 2020 at 13:51, Gil Levy  wrote:

> After a system reboot, I get the following message when I run
> #> sudo systemctl status unbound
>
> Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
> Oct 23 13:31:39 raspberrypi package-helper[513]: /var/lib/unbound/root.key
> has content
> Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor is NOT
> ok and could not be fixed*
> Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
>
> If I then issue:
> #> sudo systemctl restart unbound
> #> sudo systemctl status unbound
>
> Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
> Oct 23 13:48:30 raspberrypi package-helper[1294]:
> /var/lib/unbound/root.key has content
> Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the anchor is
> ok*
> Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
>
> Why is that?
> Running unbound 1.9.0 on Debian.
>
> Thanks.
>
>


fail: the anchor is NOT ok and could not be fixed

2020-10-22 Thread Gil Levy via Unbound-users
After a system reboot, I get the following message when I run
#> sudo systemctl status unbound

Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
Oct 23 13:31:39 raspberrypi package-helper[513]: /var/lib/unbound/root.key
has content
Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor is NOT
ok and could not be fixed*
Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.

If I then issue:
#> sudo systemctl restart unbound
#> sudo systemctl status unbound

Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
Oct 23 13:48:30 raspberrypi package-helper[1294]: /var/lib/unbound/root.key
has content
Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the anchor is
ok*
Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.

Why is that?
Running unbound 1.9.0 on Debian.

Thanks.


Troubleshooting: warning: so-sndbuf 4194304 was not granted

2020-10-22 Thread Gil Levy via Unbound-users
Hi there,

Hope everyone is doing well these days.

Using unbound 1.9.0. My config file has
so-dnbuf = 4m
so-rcvbuf = 4m

When I type #: unbound
I get these warnings:
---
[1603203700] unbound[4853:0] warning: so-rcvbuf 4194304 was not granted. Got 360448. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
[1603203700] unbound[4853:0] warning: so-sndbuf 4194304 was not granted. Got 360448. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
[1603203700] unbound[4853:0] error: can't bind socket: Address already in use for 127.0.0.1 port 5335
[1603203700] unbound[4853:0] fatal error: could not open ports
---

Any idea why this should start with a root permission? Shouldn't the system
allocate the RAM during boot?


Thanks.