[Support] Unbound



Overview: Support for the Unbound Docker Container

Docker: https://hub.docker.com/r/kutzilla/unbound

GitHub: https://github.com/kutzilla/unbound-docker

This is an unofficial Docker implementation of Unbound. It was built to run Unbound on your Unraid machine.

Unbound is a validating, recursive, and caching DNS resolver. It can be used to create your own recursive DNS server at home. You can use Unbound for services such as Pi-hole, or you can create custom DNS records for your local network.

Here is a tutorial on how to configure Pi-hole with Unbound (not exclusively on Unraid):

 

 


@BelgarionNL Thank you for your feedback. I'm going to provide a more detailed introduction for Unraid soon. Any suggestions for what I should include?

PS: I know what you mean about my name. Many Dutch people think it is funny. But my last name is part of this pseudonym. That's why I chose it ;-)

 

 

 

 


How do I configure it so I can resolve local hostnames?

For example, if I would like to access one of my Docker containers, "home-assistant-core", I would like to enter homeassistant/ in the browser to get to the dashboard instead of 192.168.x.x:8123.

I've seen the a-records.conf, but it doesn't work for me. Any help would be appreciated.

On 7/26/2021 at 8:44 AM, kutzilla said:

Overview: Support for the Unbound Docker Container

Docker: https://hub.docker.com/r/kutzilla/unbound

GitHub: https://github.com/kutzilla/unbound-docker

This is an unofficial Docker implementation of Unbound. It was built to run Unbound on your Unraid machine.

Unbound is a validating, recursive, and caching DNS resolver. It can be used to create your own recursive DNS server at home. You can use Unbound for services such as Pi-hole, or you can create custom DNS records for your local network.

Can you provide steps on how to create custom DNS records for your local network?

What I've done is add a PTR record in the config, but it doesn't resolve it.

# A Record
     #local-data: "somecomputer.local. A 192.168.1.1"

# PTR Record
     #local-data-ptr: "192.168.1.1 somecomputer.local."
     #local-data-ptr: "192.168.1.190 tenseven.local."

I thought you needed to remove the hash symbol, but after I saved the file, Unbound won't start after a restart because the file is missing/incorrect.


@ySkNight Sorry for the long silence. I was working on other projects and totally forgot about this issue. This sounds weird, because the syntax looks right. I might sound stupid, but did you keep the hash symbols on the description fields "# A Record" and "# PTR Record"? Those symbols need to stay, because those are just descriptive comments.

Hopefully this helps.

@BelgarionNL I didn't forget about you either. I'll try to provide a "Getting started" guide soon.

Cheers,

kutzilla


@kutzilla

Yes,

# A Record
     #local-data: "somecomputer.local. A 192.168.1.1"
     #local-data: "unraid. A 192.168.3.190"

# PTR Record
     #local-data-ptr: "192.168.1.1 somecomputer.local."
     #local-data-ptr: "192.168.3.190 unraid."

This is my a-records.conf.

It didn't work for me. Also, even if it worked, how do you configure a service or Docker container that has a port number? E.g. 192.168.1.10:8000?
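The a-records.conf posted above, checked the way a resolver operator would check it before restarting Unbound. This is an added example in Python, not code from the thread or from the kutzilla/unbound-docker project: it reads a file in that shape, skips comment lines exactly as Unbound does, validates the addresses, and checks that each PTR record has a matching A record. Run against the file as posted it reports zero active records, because every local-data line is itself commented out; only the two "# A Record" / "# PTR Record" heading lines are meant to be comments. The two samples embedded in the block are constructed copies of the posted file. On the port question in the post above: an A record maps a name to an address only, a port never travels in a DNS answer, so the browser still needs :8000 or :8123 unless something on that address listens on port 80 or 443.

```python
import ipaddress
import re

# Constructed copy of the a-records.conf posted above: every record line still starts
# with '#', so Unbound reads the file and loads nothing from it.
SAMPLE_ALL_COMMENTED = """\
# A Record
     #local-data: "somecomputer.local. A 192.168.1.1"
     #local-data: "unraid. A 192.168.3.190"

# PTR Record
     #local-data-ptr: "192.168.1.1 somecomputer.local."
     #local-data-ptr: "192.168.3.190 unraid."
"""

# Same file with '#' removed from the record lines only; the two heading comments stay.
SAMPLE_ACTIVE = SAMPLE_ALL_COMMENTED.replace("#local-data", "local-data")

A_RE = re.compile(r'^local-data:\s*"([^"]*)"\s*$')
PTR_RE = re.compile(r'^local-data-ptr:\s*"([^"]*)"\s*$')


def _valid_ip(value, lineno, problems):
    """Return the normalised address, or None (and record a finding) if it does not parse."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        problems.append(f"line {lineno}: {value!r} is not a valid IP address")
        return None


def parse_records(text):
    """Parse local-data / local-data-ptr lines from a-records.conf-style text.

    Returns (a_records, ptr_records, problems): name -> ip, ip -> name, and a list of
    findings. Blank lines and lines starting with '#' are skipped, as Unbound skips them.
    """
    a, ptr, problems = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = A_RE.match(line)
        if m:
            fields = m.group(1).split()          # "<name> [TTL] [IN] <type> <rdata>"
            if len(fields) < 3:
                problems.append(f"line {lineno}: expected '<name> A <ip>', got {m.group(1)!r}")
                continue
            name, rtype, rdata = fields[0], fields[-2].upper(), fields[-1]
            if rtype not in ("A", "AAAA"):
                continue                         # other record types are out of scope here
            if not name.endswith("."):
                problems.append(f"line {lineno}: owner name {name!r} is not absolute (no trailing dot)")
            ip = _valid_ip(rdata, lineno, problems)
            if ip is not None:
                a[name] = ip
            continue
        m = PTR_RE.match(line)
        if m:
            fields = m.group(1).split()          # "<ip> <name>"
            if len(fields) != 2:
                problems.append(f"line {lineno}: expected '<ip> <name>', got {m.group(1)!r}")
                continue
            ip = _valid_ip(fields[0], lineno, problems)
            if ip is not None:
                ptr[ip] = fields[1]
            continue
        problems.append(f"line {lineno}: not a local-data line, not checked: {line!r}")

    if not a and not ptr:
        problems.append("no active records: every local-data line is commented out or absent")
    for ip, name in ptr.items():
        if a.get(name) != ip:
            problems.append(f"PTR {ip} -> {name} has no matching A record; forward and reverse disagree")
    return a, ptr, problems


if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE_ALL_COMMENTED), ("uncommented", SAMPLE_ACTIVE)):
        a, ptr, problems = parse_records(sample)
        print(f"{label}: {len(a)} A record(s), {len(ptr)} PTR record(s)")
        for p in problems:
            print("  -", p)
```

To check a real file, read it and pass the text to parse_records; an empty result with the "no active records" finding means Unbound will start fine but answer nothing for those names, which is a different failure from the "could not read config file" error later in this thread.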


@kutzilla

When building the container I see there is an option to mount the config to a share/volume. When I put in, for instance, host path /user/appdata/unbound, which maps to container path /opt/unbound/etc/unbound/, I see some of the files/directories. However, I'm unable to edit them unless I go into the terminal and change the permissions. Even after doing that the container will not start and throws the critical error listed below. Any thoughts on how to resolve this? I'm hoping it should be straightforward to have share access to the Unbound config files to modify them.

[1634322343] unbound[1:0] fatal error: Could not read config file: /opt/unbound/etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf

 


Hi. I've been using Pi-hole in Unraid Docker for ages and it's great. I now want to add Unbound to the mix. I'm following the video linked in the documentation, but it's not Unraid-specific.

I've dropped into the Unbound console and gone into /etc, but there is no unbound folder in there, so I'm not sure where to put the Pi-hole config file that is detailed here: https://docs.pi-hole.net/guides/dns/unbound/

It says to create the file /etc/unbound/unbound.conf.d/pi-hole.conf, but it seems I have the unbound folders missing.

On 10/15/2021 at 7:31 PM, S1nglebarrel said:

@kutzilla

When building the container I see there is an option to mount the config to a share/volume. When I put in, for instance, host path /user/appdata/unbound, which maps to container path /opt/unbound/etc/unbound/, I see some of the files/directories. However, I'm unable to edit them unless I go into the terminal and change the permissions. Even after doing that the container will not start and throws the critical error listed below. Any thoughts on how to resolve this? I'm hoping it should be straightforward to have share access to the Unbound config files to modify them.

[1634322343] unbound[1:0] fatal error: Could not read config file: /opt/unbound/etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf

I get this also as soon as I specify the appdata directory for config files. Docker won't start up. I've also noticed that only the unbound.conf file is present in the appdata unbound folder. There are also a dev and a var folder. No other config files. The log files show the below:

/opt/unbound/etc/unbound/unbound.conf:293: error: cannot open include file '/opt/unbound/etc/unbound/a-records.conf': No such file or directory
/opt/unbound/etc/unbound/unbound.conf:294: error: cannot open include file '/opt/unbound/etc/unbound/srv-records.conf': No such file or directory
/opt/unbound/etc/unbound/unbound.conf:300: error: cannot open include file '/opt/unbound/etc/unbound/forward-records.conf': No such file or directory
read /opt/unbound/etc/unbound/unbound.conf failed: 3 errors in configuration file
[1639840290] unbound[1:0] fatal error: Could not read config file: /opt/unbound/etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf

@kutzilla Any ideas?


I got the same error. Therefore I first ran the container with a volume mapped to

/opt/unbound/etc/unbound2

then I copied everything from

/opt/unbound/etc/unbound

to

/opt/unbound/etc/unbound2

then I rebuilt the container with the correct volume path

/opt/unbound/etc/unbound

Then you will see every file and the error is gone, though some warnings are still shown.

But: I cannot reach the container from my AdGuard container. Any ideas?

AdGuard runs on its own IP on Unraid and Unbound runs in bridged mode with port 5335 published.

 


I have the issue with AdGuard + Unbound that I can't access the Unraid UI anymore; I get the DNS_PROBE_POSSIBLE error when I use the Unbound DNS IP.

I set it up like this:

unbound.conf: IP 127.0.0.1, port 5335. In the Docker template I put it in the br0 network (it shows in the AdGuard client list as unbound.br0) and its IP is 192.168.178.3 (that's what I use in the AdGuard DNS settings).

After I save these settings the UI is not working anymore, but other sites load normally and ads also get blocked. So I guess Unbound is doing its job. I also added a DNS rebind entry in my router for unraid.net and the server IP, but no luck getting it working.

So, any ideas what I'm doing wrong?

Update: On Pi-hole the Unraid GUI works, but I had a

Maximum number of concurrent DNS queries reached (max: 150) error


Could someone share a working config of both Unbound and Pi-hole please? I have tried all the suggestions here but have not had any success.

 # dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached
#

11 hours ago, Wozzagonebush said:

Could someone share a working config of both Unbound and Pi-hole please? I have tried all the suggestions here but have not had any success.

 # dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached
#

That's what I did:

1. Put the container on br0

2. Put a fixed IP in the optional field

3. Create a folder /mnt/user/appdata/unbound/

4. Paste the path /mnt/user/appdata/unbound/ into the Config Path in the Docker tab

5. Paste into the unbound folder these files: a-records.conf, srv-records.conf, forward-records.conf from https://github.com/MatthewVance/unbound-docker/tree/master/1.10.1, like suggested by debizaemon

6. Create a folder unbound.conf.d in /mnt/user/appdata/unbound/

7. Create a txt file in unbound.conf.d with the settings from https://docs.pi-hole.net/guides/dns/unbound/

8. Rename it to pihole.conf after you save it

9. Go to your Pi-hole, then to Settings / DNS / Custom 1 (IPv4) and put in 127.0.0.1#5335 (don't forget to untick all the other DNS upstream servers)

10. Save it

Then it should work (kind of); I still have timeouts reaching the Unraid UI. Please tell me how it worked out for you... A proper tutorial would be nice from the Unbound (Unraid) pros, because I still have issues (like I said) and have to stick to the conventional DNS upstream servers.

What I noticed is that in the Docker tab the container is still using port 53, instead of showing that it is using port 5335 (like put in the Docker config). Is this right?

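The dig check quoted above, as a small Python probe that can be run from inside whichever container is supposed to use Unbound as its upstream. This is an added example, not code from the thread or from the project. It builds one UDP A query by hand, sends it to the address and port given on the command line, and distinguishes a timeout (what dig reported above) from a parsed answer; the reply parser is exercised offline on a constructed packet embedded in the block, and the 192.168.1.10 in it is a made-up address. The reason to run it from the Pi-hole or AdGuard container rather than from the Unraid host: inside a container, 127.0.0.1 is that container's own loopback, so 127.0.0.1#5335 as an upstream only reaches Unbound when the two containers share a network namespace; with Unbound on br0, the probe (and the upstream setting) has to target the br0 address given to the Unbound container.

```python
import random
import socket
import struct
import sys


def build_query(name, txid, qtype=1):
    """Build one DNS query packet (recursion desired) for `name`; qtype 1 = A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _skip_name(packet, offset):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, name ends here
            return offset + 2
        offset += 1 + length


def parse_response(packet, txid):
    """Return (rcode, [A addresses]) from a reply, or raise ValueError if it is not ours."""
    if len(packet) < 12:
        raise ValueError("short packet")
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = _skip_name(packet, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(packet[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def probe(server, port, name="pi-hole.net", timeout=2.0):
    """Send one query and report a timeout, a socket error, or the parsed answer."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server, port))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return f"timeout: no reply from {server}:{port} (what dig reported above)"
        except OSError as exc:
            return f"error: {exc}"
    rcode, addrs = parse_response(data, txid)
    return f"reply: rcode={rcode} A={addrs}"


# Constructed reply to a query with txid 0x1234, shaped like a real resolver answer.
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # response, RD+RA, rcode 0, 1 question, 1 answer
    b"\x07pi-hole\x03net\x00\x00\x01\x00\x01"            # echoed question: pi-hole.net A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"  # answer: name ptr -> 12, A, IN, TTL 300, rdlength 4
    b"\xc0\xa8\x01\x0a"                                  # 192.168.1.10 (constructed address)
)

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5335
    print(probe(server, port))
```

Usage from the Pi-hole container: `python3 probe.py 127.0.0.1 5335` followed by `python3 probe.py <unbound br0 address> 5335`; a timeout on the first and a reply on the second means the upstream setting needs the container address, not loopback.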

I'll add that you might be concerned about log errors "due" to poor resources for Unbound.

Unless you have more than 500 workers in your network depending on your stuff, don't rush to set the container to "Privileged" if it is only for home usage.

Quote

What I noticed is that in the Docker tab the container is still using port 53, instead of showing that it is using port 5335 (like put in the Docker config). Is this right?

To me, it sounds like a false positive and refers to the outbound port for DNS requests. In my own case, it resolves DNS queries and is indeed listening to my Pi-hole requests on port 5335.

3 hours ago, Wozzagonebush said:

I've got it working by setting the Pi-hole IP to 192.168.1.2 on br0, pointing to Unbound on br0 at 192.168.1.3#53

Doesn't sound good to me, as Pi-hole uses this port to resolve clients' DNS queries. Can you check in Pi-hole's Query Log section if the resolver is Unbound's Docker name (with #53 for you, of course)?


On 2/3/2022 at 12:13 AM, gyto6 said:

I'll add that you might be concerned about log errors "due" to poor resources for Unbound.

Unless you have more than 500 workers in your network depending on your stuff, don't rush to set the container to "Privileged" if it is only for home usage.

What I noticed is that in the Docker tab the container is still using port 53, instead of showing that it is using port 5335 (like put in the Docker config). Is this right?

To me, it sounds like a false positive and refers to the outbound port for DNS requests. In my own case, it resolves DNS queries and is indeed listening to my Pi-hole requests on port 5335.

Thanks for your answer!

I had time again to play around a bit with Unbound & Pi-hole. The Pi-hole container was not set to "Privileged". I think the "Maximum number of concurrent DNS queries reached (max: 150)" error was because I restarted the Pi-hole container and it always forgets the DNS settings I put in and changes to "listen to all devices", even though I put in "Allow only local devices" and another DNS server it should use when it starts again.

So I tested Unbound and figured out that it is not using my pihole.conf file in the unbound.conf.d dir! Don't know why it is doing this... So I tested Unbound with the unbound.conf that is in the Unbound main dir and it is working fine and answering in the Pi-hole query log with "sent to unbound.br0#5335", like I put it in the unbound.conf file. How can I tell Unbound to use my pihole.conf file, or how do I fix this?

Another thing I noticed is that it is not using DNS over TLS with the unbound.conf, like with the pihole.conf file when it was recognised.

Also I get the following errors in the Unbound log:

[1644065587] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:200::b port 53
[1644065587] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:200::b port 53
[1644065587] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:2d::d port 53
[1644065587] unbound[1:0] warning: setrlimit: Operation not permitted
[1644065587] unbound[1:0] warning: cannot increase max open fds from 40960 to 189120
[1644065587] unbound[1:0] warning: continuing with less udp ports: 1750
[1644065587] unbound[1:0] warning: increase ulimit or decrease threads, ports in config to remove this warning
[1644065587] unbound[1:0] error: Could not open logfile /dev/null: Permission denied

 

 

 

 

 

On 2/5/2022 at 2:41 PM, Lanraider said:

Thanks for your answer!

I had time again to play around a bit with Unbound & Pi-hole. The Pi-hole container was not set to "Privileged". I think the "Maximum number of concurrent DNS queries reached (max: 150)" error was because I restarted the Pi-hole container and it always forgets the DNS settings I put in and changes to "listen to all devices", even though I put in "Allow only local devices" and another DNS server it should use when it starts again.

So I tested Unbound and figured out that it is not using my pihole.conf file in the unbound.conf.d dir! Don't know why it is doing this... So I tested Unbound with the unbound.conf that is in the Unbound main dir and it is working fine and answering in the Pi-hole query log with "sent to unbound.br0#5335", like I put it in the unbound.conf file. How can I tell Unbound to use my pihole.conf file, or how do I fix this?

Another thing I noticed is that it is not using DNS over TLS with the unbound.conf, like with the pihole.conf file when it was recognised.

Also I get the following errors in the Unbound log:

[1644065587] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:200::b port 53
[1644065587] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:200::b port 53
[1644065587] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:2d::d port 53
[1644065587] unbound[1:0] warning: setrlimit: Operation not permitted
[1644065587] unbound[1:0] warning: cannot increase max open fds from 40960 to 189120
[1644065587] unbound[1:0] warning: continuing with less udp ports: 1750
[1644065587] unbound[1:0] warning: increase ulimit or decrease threads, ports in config to remove this warning
[1644065587] unbound[1:0] error: Could not open logfile /dev/null: Permission denied

You're welcome.

First, how do you know that Unbound isn't using the pihole.conf?

Then, I didn't set up DoH yet; I'll let you know how to do it once it's done.

And at last, the errors refer to what I said earlier, except for the IPv6 addresses, as IPv6 is disabled in the default unbound.conf file.

Edit 1: Concerning the pi-hole.conf file not being used, open the Unbound console:

find / -name pi-hole.conf -print

You're supposed to get your file path inside the Docker container:

/opt/unbound/etc/unbound/unbound.conf.d/pi-hole.conf

Now, execute the following command and restart Pi-hole:

unbound -c /opt/unbound/etc/unbound/unbound.conf.d/pi-hole.conf

Edit 2: I didn't find the Docker parameter to use another unbound.conf file, aka pi-hole.conf, at launch.

So you can, as you did, set your pi-hole.conf config into the unbound.conf. But the file given by Pi-hole is less configured than the original file and I don't see what's better, so be cautious. Especially with the certificate and key file paths, which must be kept in the config for DNSSEC.

The only difference from the original config file in pi-hole.conf is this line, which has been set to "no":

use-caps-for-id: no

 

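On the two config-file problems in this thread (the three "cannot open include file" errors when an empty appdata folder is mounted over /opt/unbound/etc/unbound, and a pi-hole.conf in unbound.conf.d that Unbound never picks up): Unbound reads exactly one file, the unbound.conf it is started with, plus whatever that file pulls in through include: directives. A file in unbound.conf.d is loaded only if some include: points there; a non-wildcard include that does not exist is fatal, while a wildcard pattern that matches nothing is skipped. The checker below is an added Python example, not code from the thread or from the kutzilla/unbound-docker project. It lists each include as present, missing or unmatched glob, and reports whether the drop-in directory is referenced at all. It builds its own throwaway directory (constructed to mirror the situation above) so it runs anywhere; point check_includes at the real /opt/unbound/etc/unbound/unbound.conf inside the container to check the live file. Assumption: relative include paths are resolved against the config file's directory here, whereas Unbound itself resolves them against its directory: setting.

```python
import glob
import os
import re
import tempfile

# Unbound directives that pull in other files; the path may be quoted and may be a glob.
INCLUDE_RE = re.compile(r'^\s*(include|include-toplevel):\s*"?([^"\s]+)"?')


def find_includes(conf_text):
    """Return the include paths declared in the text of an unbound.conf, in order."""
    paths = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = INCLUDE_RE.match(line)
        if m:
            paths.append(m.group(2))
    return paths


def check_includes(conf_path, workdir=None):
    """Classify each include as present, missing (fatal for Unbound) or an empty glob
    (a wildcard pattern that matches nothing, which Unbound skips).

    Assumption: relative paths are resolved against `workdir`, defaulting to the config
    file's own directory; Unbound itself uses its 'directory:' setting.
    """
    with open(conf_path) as fh:
        patterns = find_includes(fh.read())
    base = workdir or os.path.dirname(os.path.abspath(conf_path))
    present, missing, empty_glob = [], [], []
    for pat in patterns:
        full = pat if os.path.isabs(pat) else os.path.join(base, pat)
        if glob.glob(full):
            present.append(pat)
        elif any(c in full for c in "*?["):
            empty_glob.append(pat)
        else:
            missing.append(pat)
    return present, missing, empty_glob


def dropin_dir_included(conf_path, dirname="unbound.conf.d"):
    """True when some include directive points into `dirname`. If False, files placed
    there (such as pi-hole.conf) are never read, however correct they are."""
    with open(conf_path) as fh:
        return any(dirname in p for p in find_includes(fh.read()))


def build_sample():
    """Construct a throwaway layout mirroring the thread: unbound.conf references three
    record files and only one exists; a pi-hole.conf sits in unbound.conf.d with no
    include pointing at it. Returns the directory path."""
    d = tempfile.mkdtemp(prefix="unbound-check-")
    os.mkdir(os.path.join(d, "unbound.conf.d"))
    with open(os.path.join(d, "unbound.conf"), "w") as fh:
        fh.write('server:\n'
                 '    verbosity: 1\n'
                 '    include: "a-records.conf"        # present\n'
                 '    include: "srv-records.conf"      # missing -> fatal\n'
                 '    include: "forward-records.conf"  # missing -> fatal\n'
                 '    include: "extra/*.conf"          # wildcard with no match -> skipped\n')
    open(os.path.join(d, "a-records.conf"), "w").close()
    open(os.path.join(d, "unbound.conf.d", "pi-hole.conf"), "w").close()
    return d


if __name__ == "__main__":
    conf = os.path.join(build_sample(), "unbound.conf")
    present, missing, empty_glob = check_includes(conf)
    print("present:", present)
    print("missing (Unbound will refuse to start):", missing)
    print("unmatched globs (ignored):", empty_glob)
    print("unbound.conf.d referenced by an include:", dropin_dir_included(conf))
```

The two fixes the thread arrived at map onto the two reports: copying the image's original files into the mounted volume empties the missing list, and a pi-hole.conf only takes effect once unbound.conf carries an include: for it (or its contents are merged into unbound.conf, as gyto6 describes).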

So,

The original Unbound config is set for DNSSEC. Nothing more to configure, other than checking the "Use DNSSEC" box in the Pi-hole GUI. But even if the box is not checked, Unbound tends to already use DNSSEC. Furthermore, don't be surprised to see a lot of well-known websites not using DNSSEC.

Once done, go in your web browser to https://nifc.fr (a domain name I've set up with DNSSEC) and check the "Query Log".

 


 

Else, you can check this site: https://dnssec.vs.uni-due.de/

Source:

https://discourse.pi-hole.net/t/how-do-i-interperet-the-dnssec-column-in-the-query-log/7185

https://medium.com/nlnetlabs/dns-over-https-in-unbound-c7a407e8480
