angristan / local-dns-resolver
Script to install a local Unbound DNS resolver on your Linux machine with DNSSEC support
License: MIT License
Hey. I have such a problem. I have a router that runs on Linux, and Unbound does not work for me, although if I connect to the normal one, then everything works. I can’t understand what this is connected with... The router distributes SSH tunnels and SOCKS5. The DNS server inside is Unbound and DNScrypt-proxy, depending on what is being distributed. I really need your advice) Thanks.
Hi,
It would be cool to have the same script with PowerDNS Recursor.
When I put the IP address 127.0.0.1 in /etc/openvpn/server.conf and resolv.conf, OpenVPN can't connect to any domain. But when I replace it with 8.8.8.8, for example, OpenVPN works correctly (Angristan/OpenVPN-install script).
I am using Debian 9 x64. Could anybody tell me whether I am missing something, or must I try another OS?
Does not work for me on CentOS 7 (OpenVZ).
possible?
Root Hints For All Systems.
Sync angristan/openvpn-install#604 and add menu to uninstall.
https://wiki.archlinux.org/index.php/Unbound#Roothints_systemd_timer
/etc/systemd/system/roothints.service

```ini
[Unit]
Description=Update root hints for unbound
After=network.target

[Service]
ExecStart=/usr/bin/curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
```

/etc/systemd/system/roothints.timer

```ini
[Unit]
Description=Run root.hints monthly

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=timers.target
```
```
[root@hk ~]# wget https://raw.githubusercontent.com/Angristan/Local-DNS-resolver/master/centos-unbound.sh
--2017-08-06 21:32:33-- https://raw.githubusercontent.com/Angristan/Local-DNS-resolver/master/centos-unbound.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.72.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.72.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1113 (1.1K) [text/plain]
Saving to: ‘centos-unbound.sh’
100%[==============================================================================>] 1,113 --.-K/s in 0s
2017-08-06 21:32:34 (221 MB/s) - ‘centos-unbound.sh’ saved [1113/1113]
[root@hk ~]# chmod +x centos-unbound.sh
[root@hk ~]# ./centos-unbound.sh
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
100%[==============================================================================>] 3,314 --.-K/s in 0.001s
2017-08-06 21:32:37 (3.10 MB/s) - ‘/var/lib/unbound/root.hints’ saved [3314]
mv: cannot stat ‘/etc/unbound/unbound.conf’: No such file or directory
server:
root-hints: root-hints: /var/lib/unbound/root.hints
./centos-unbound.sh: line 25: auto-trust-anchor-file:: command not found
./centos-unbound.sh: line 26: interface:: command not found
./centos-unbound.sh: line 27: access-control:: command not found
./centos-unbound.sh: line 28: port:: command not found
./centos-unbound.sh: line 29: do-daemonize:: command not found
./centos-unbound.sh: line 30: num-threads:: command not found
./centos-unbound.sh: line 31: use-caps-for-id:: command not found
./centos-unbound.sh: line 32: harden-glue:: command not found
./centos-unbound.sh: line 33: hide-identity:: command not found
./centos-unbound.sh: line 46: unexpected EOF while looking for matching `"'
./centos-unbound.sh: line 47: syntax error: unexpected end of file
[root@hk ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@hk ~]#
```
I tried to touch /etc/unbound/unbound.conf and run it again, with the same result.
To have DNSSEC working with Unbound I added:

```
trust-anchor-file: "/etc/dnssec/root-anchors.txt"
```

(generated/queried by unbound-anchor)
This is under Gentoo.
To test if DNSSEC is working look at the "ad" flag in dig in a DNSSEC-enabled zone (dnssec-tools.org might be a good default) and additionally if badsign-A.test.dnssec-tools.org doesn’t resolve (should send SERVFAIL)
I have an error when I try to start the script:

```
root@name:~# sudo ./unbound-install.sh
./unbound-install.sh: 8: ./unbound-install.sh: Syntax error: newline unexpected
```
When I run the command `netstat -natp`, I get this result:

```
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 141/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 389/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 271/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 456/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 8999/openvpn
tcp 0 36 server-ip:22 my-ip:62727 ESTABLISHED 13578/0
tcp 0 11596 server-ip:80 some-ip:37141 CLOSING -
tcp6 0 0 :::111 :::* LISTEN 141/rpcbind
tcp6 0 0 :::22 :::* LISTEN 271/sshd
tcp6 0 0 :::25 :::* LISTEN 456/master
```

It means that port 53 is not in use, so what could be the problem?
P.S. my OS: Ubuntu 16.04.1 LTS (GNU/Linux 2.6.32-042stab120.11 x86_64)
Just so I won't forget to look at it : https://mastodon.xyz/@Gildas_GH/9354867
Installed https://github.com/Angristan/Local-DNS-resolver/blob/master/ubuntu-unbound.sh on Ubuntu 16.04; also tried https://github.com/Angristan/Local-DNS-resolver/blob/master/centos-unbound.sh on CentOS 7.
Install succeeded. Service starts ok and is responsive:

```
root@dns2:~# unbound-control reload
ok
root@dns2:~# unbound-control status
version: 1.5.8
verbosity: 3
threads: 2
modules: 2 [ validator iterator ]
uptime: 415851 seconds
options: control(ssl)
unbound (pid 1469) is running...
```
As far as I can tell, I can usually resolve unsigned domains:
root@dns2:~# dig espncricinfo.com +dnssec +multi
; <<>> DiG 9.10.3-P4-Ubuntu <<>> espncricinfo.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 61648
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;espncricinfo.com. IN A
;; ANSWER SECTION:
espncricinfo.com. 573 IN **A 52.19.167.6**
Most DNSSEC signed domains resolve OK, too:
root@dns2:~# dig dnssectest.sidn.nl +dnssec +multi
; <<>> DiG 9.10.3-P4-Ubuntu <<>> dnssectest.sidn.nl +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54219
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 17
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
_[truncated irrelevant output]_
Stuff that should fail also tends to fail:
root@dns2:~# dig www.dnssec-failed.org
; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: SERVFAIL**, id: 61846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
However, some lookups fail and I have no idea why.
It does not seem to matter if the domain is signed or not.
I first noticed that I can't visit http://ipleak.net anymore.
Then half the apps on my Roku claimed they have no connectivity because lookups failed.
root@dns2:~# dig -t A ipleak.net @127.0.0.1
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t A ipleak.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 3183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipleak.net. IN A
;; Query time: 190 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 27 00:54:28 SGT 2017
;; MSG SIZE rcvd: 39
It returns NOERROR but then doesn't provide a response.
Compare with:
root@dns2:~# dig -t A ipleak.net @208.67.222.222
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t A ipleak.net @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 775
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipleak.net. IN A
;; ANSWER SECTION:
ipleak.net. 376 IN **A 95.85.16.212**
;; Query time: 177 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 27 00:55:11 SGT 2017
;; MSG SIZE rcvd: 55
First I thought it may just be an Ubuntu thing. But it happens on CentOS, too. Then I thought some root servers may refuse queries from some of my hosts (Vultr netblock). But I ended up setting up on a bunch of other hosts on Softlayer, DO, etc. in various regions, and the issue persists in all cases.
What's the best way to troubleshoot this?
Some people with similar issues blamed UDP fragmentation as the culprit. I tried

```
edns-buffer-size: 1280
```

in unbound.conf but it did not help.
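The two checks raised in this thread, the `ad` flag on a signed zone plus SERVFAIL on a deliberately broken one (from the earlier DNSSEC comment) and the NOERROR-with-empty-answer symptom in the post above, as one added shell example; it is not part of the repository's scripts, and the domain names are the ones already used in this thread.

```shell
#!/bin/sh
# Added example (not from the repository or any comment above): classify dig
# output so a local Unbound can be checked for DNSSEC validation and for the
# "NOERROR but no answer" symptom. Domain names are the ones used in this thread.

# Print the rcode from the ";; ->>HEADER<<-" line (NOERROR, SERVFAIL, NXDOMAIN ...).
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Print the ANSWER count from the ";; flags:" line.
dig_answers() {
  printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p'
}

# Succeed only if the AD (authenticated data) flag is set, i.e. the resolver validated.
dig_has_ad() {
  printf '%s\n' "$1" | grep -Eq '^;; flags:.* ad[ ;]'
}

# Map one dig output to a verdict: VALIDATED, UNSIGNED, NODATA, or the rcode (e.g. SERVFAIL).
classify() {
  status=$(dig_status "$1")
  answers=$(dig_answers "$1")
  case "$status" in
    NOERROR)
      if [ "${answers:-0}" -eq 0 ]; then echo NODATA      # the ipleak.net symptom above
      elif dig_has_ad "$1"; then echo VALIDATED           # signed zone, validated
      else echo UNSIGNED; fi ;;                           # answered, nothing to validate
    *) echo "${status:-NO_OUTPUT}" ;;                     # SERVFAIL for a broken zone
  esac
}

# Query one resolver for a signed, an unsigned, a deliberately broken and the
# problematic zone; a healthy validator yields VALIDATED, UNSIGNED, SERVFAIL, UNSIGNED.
check_resolver() {
  for name in dnssectest.sidn.nl espncricinfo.com www.dnssec-failed.org ipleak.net; do
    printf '%-24s %s\n' "$name" "$(classify "$(dig +dnssec "$name" A @"$1")")"
  done
}

# Constructed samples (abridged from the answers pasted above) so the logic runs offline.
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54219
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 17'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ $# -gt 0 ]; then check_resolver "$1"; fi
```

Save it as, say, check-resolver.sh and run `sh check-resolver.sh 127.0.0.1` against the local Unbound, then again against a public resolver such as 208.67.222.222; NODATA for ipleak.net from one and UNSIGNED from the other reproduces the issue above.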