config unbound forward.conf

Posted: July 23rd, 2018, 7:40 am
by parker_lewis
Hi there everybody,

I'm quite new to IPFire and I'm struggling with the unbound DNS.

What's the situation:
I'm using an IPFire system based on APU2C4 with a Zyxel bridge modem, so IPFire does everything.

What do I want to do?
Well, the main goal is to set up a dns-over-tls config.

Where's the problem?
First of all I tried to force unbound in the unbound.conf not to use the generated forward.conf (simply by placing a # before "include") and placed a self-written (better to say: self-copied ;) ) forward.conf in the local.d folder. Then I restarted unbound, but the system used the DNS setting from the ISP once again. So I tried to change to a manual DNS setting in the login section, but the effect was no usage of dns-over-tls.

In the init.d script I found some hints that the standard forward.conf is generated at startup. But if the settings are generated into forward.conf and this forward.conf is included by unbound.conf, WHY doesn't it work for me to not include forward.conf from unbound but use forward.conf from unbound/local.d?

Do you have any ideas, hints, suggestions or something like that?

Re: config unbound forward.conf

Posted: July 23rd, 2018, 7:48 am
by Arne.F
The forward.conf is only a startup value for boot.

The real forwarders will be updated at runtime by the network scripts.
You can disable this by setting USE_FORWARDERS=0 in /etc/sysconfig/unbound

Re: config unbound forward.conf

Posted: July 23rd, 2018, 8:34 am
by parker_lewis
Thank you very much! Problem is now solved! :)

Re: config unbound forward.conf

Posted: August 1st, 2018, 7:56 pm
by firewell
Does this mean that all settings to forward to a DNS-over-TLS provider need to be present in the /etc/sysconfig/unbound file? I tried setting USE_FORWARDERS=0, and this forces unbound to be a local recursor and use root name servers on the net.

However, if I place any .conf file in the local.d folder in /etc/unbound, none of those .confs appear to be parsed when I restart the unbound service. I'm trying to get a forwarder config to use cloudflare and Quad9 servers with DNS over TLS.

Re: config unbound forward.conf

Posted: August 2nd, 2018, 2:13 pm
by firewell
I'm still struggling to get this working, I could use some help to see how this was resolved. Parker_lewis, do you have any hints you could give me to get me up and running?

I have done the following changes:
created file "/etc/sysconfig/unbound" and added "USE_FORWARDERS=0" to that file.

created file "/etc/unbound/local.d/forward.conf" and I have added the following settings in forward.conf:

        name: "."
        forward-ssl-upstream: yes
I've tried rebooting and also just issuing "/etc/init.d/unbound restart". Unbound continues to use the root DNS resolvers on port 53, it does not appear to be using the config properties that I have specified in the forward.conf file. I'm sure I just need to make a tweak to my config but I'm at a loss as to what else I can change to get this to fire up. Parker_lewis or ArneF, do you see any issues with my config?

Re: config unbound forward.conf

Posted: August 8th, 2018, 1:53 pm
by iotapi322
I don't know if this helps or not, but I was looking into this as well. I noticed that example 2 on this page:
has how to set up unbound to do DNS over TLS
I haven't tried it yet, but I will...

Re: config unbound forward.conf

Posted: August 10th, 2018, 1:49 am
by firewell
Thank you for posting the Calomel example, I have tried to follow it but am not having much success. I had a suspicion this would not work because IPFire seems to be doing some scripting to customize the config files and then inputting the results of those scripts into the config files on startup. Because of this I'm worried that changing the unbound.conf file will cause issues. Using the file below, unbound continues to run in local recursor mode and does not send requests outbound on port 853 to the forwarders listed in the unbound.conf file. I can see this when I view the active connections on the firewall (Status/Connections): I see outbound connections to DNS root servers on port 53, and the values that I specified for the forwarders are being ignored.

This is what my unbound.conf looks like (I am using **** tags to show what I added to make it easier to see the changes from default):

# Unbound configuration file for IPFire
# The full documentation is available at:

        # Common Server Options
        chroot: ""
        directory: "/etc/unbound"
        username: "nobody"
        port: 53
        do-ip4: yes
        do-ip6: no
        # do-udp: yes ****changed
        do-tcp: yes
        so-reuseport: yes
        do-not-query-localhost: yes
        ssl-upstream: yes ****added

        # System Tuning
        include: "/etc/unbound/tuning.conf"

        # Logging Options
        verbosity: 1
        use-syslog: yes
        log-time-ascii: yes
        log-queries: no        

        # Unbound Statistics
        statistics-interval: 0
        statistics-cumulative: yes
        extended-statistics: yes

        # Prefetching
        prefetch: yes
        prefetch-key: yes

        # Randomise any cached responses
        rrset-roundrobin: yes

        # Privacy Options
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        minimal-responses: yes

        # DNSSEC
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        val-permissive-mode: no
        val-clean-additional: yes
        val-log-level: 1

        # Hardening Options
        harden-glue: yes
        harden-short-bufsize: no
        harden-large-queries: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        harden-algo-downgrade: no
        use-caps-for-id: no

        # Listen on all interfaces
        interface-automatic: yes

        # Allow access from everywhere
        access-control: allow

        # Bootstrap root servers
        root-hints: "/etc/unbound/root.hints"
        # Include DHCP leases
        include: "/etc/unbound/dhcp-leases.conf"

        # Include any forward zones
        include: "/etc/unbound/forward.conf"

        control-enable: yes
        control-use-cert: yes
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"

forward-zone: ****added
        name: "." ****added
        forward-addr: ****added
        forward-addr: ****added

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"

Re: config unbound forward.conf

Posted: August 16th, 2018, 1:43 pm
by parker_lewis
Hi there,

sorry, I was on holiday, so couldn't answer.

Well, after your local recursor problem I had a closer look at my config and voilà, damn it, I was too quick with my eureka - it works.
Local recursor was listed for me too - so it doesn't work for me either.

Let's collect what we got:

USE_FORWARDERS=0 --> works, the auto-config of the DNS seems to be "mostly" off
but dns-over-tls still doesn't work. >:(

What I found for the unbound dns-tls config was about certs: ... -on-linux/

Maybe one of the developers could give us another hint how the startup DNS config of IPFire works? Are there other scripts or ways to convince unbound to use the new config?
In my first try - the update to core 122 killed my whole system yesterday - I was close to the heise tutorial of setting up dns-over-tls.

What I have to add is that I'm using PPPoE on RED, so maybe there is a function/script/whatsoever which links the ISP DNS information to the local unbound. Maybe that's something we have to look at?

Re: config unbound forward.conf

Posted: August 16th, 2018, 1:51 pm
by parker_lewis
@firewell: still not authorized for PMs. I can read but not answer.

Re: config unbound forward.conf

Posted: August 17th, 2018, 1:54 pm
by firewell
Parker thanks for getting back to us. Hope you had a great holiday. :)

In my config, I'm using a WAN/DHCP interface on RED, and we seem to have the same issues with DNS over TLS. Hopefully this means that the PPPoE config that you rely on isn't a factor in getting this to work correctly.

From my limited understanding and perusing some other threads here, it seems like Unbound should be using *.conf files that are left in the local.d folder. I tried placing a file in there with my forwarder.conf settings and it still seems to ignore any files left in the local.d folder in /etc/unbound. At this point I'm not sure where else to go to try to get unbound to follow the specified config that we want for DNS over TLS.

I have tried setting DNS over TLS in other distros and it's usually a very straightforward process. I have DNS over TLS working on pfSense 2.4.4, OPNsense 18.1 and 18.7, and on OpenWRT 18.06. All attempts with DNS over TLS and IPFire have been with Core 120 and with a fresh install using Core 122. Both of my environments use 64-bit installs of IPFire.

If any devs are reading, could you give us some hints as to where we might need to make more changes? I'm at a loss as to how to get this working and all of the configs I try to follow seem to be ignored by Unbound due to the way it is configured in IPFire.

Re: config unbound forward.conf

Posted: August 17th, 2018, 5:30 pm
by parker_lewis
Thanks a lot for the greetings and details about your conf.

Now I went a step back and asked myself what would happen if we leave dns-over-tls behind and just try it with normal DNS servers. So I did, and voilà, the same:

I set use-forwarders in the init section to 0 and wrote this information to local.d:

name: "."
forward-addr: # Cloudflare
forward-addr: # Cloudflare
forward-addr: # Google
forward-addr: # Google
forward-addr: # FreeDNS
forward-addr: # FreeDNS
forward-addr: # OpenNIC
forward-addr: # Verisign
forward-addr: # Verisign
forward-addr: # Hurricane Electric
forward-addr: # DNS Watch
forward-addr: # DNS Watch
forward-addr: #
forward-addr: # puntCAT
forward-addr: # OpenDNS
forward-addr: # OpenDNS
forward-addr: # Dyn Public

After a stop/start of unbound the setting changed to DNS-Server: local recursor.

So it seems that it is not a problem about DoT but a general problem if you use the init script with USE_FORWARDERS=0. With the value of 1 it gave me the ISP DNS settings, with 2 the local recursor again, 3 the same.
So maybe use_forwarders=0 is too strong and kills all forwarders? I really have no idea, just a guess?!

Re: config unbound forward.conf

Posted: August 18th, 2018, 6:49 pm
by iotapi322
Half the issue with IPFire is that the depth of knowledge on setting up features is "shallow".
I love the product, I love the development that the devs do. I am disappointed that the powers that be don't help support how to use this ninja sword.

For example, how do the maintainers of IPFire recommend doing DNS over TLS?
There are many ways to do it, i.e. ... ypted-dns/

Re: config unbound forward.conf

Posted: August 30th, 2018, 10:01 pm
by firewell
Unfortunately I have not been able to make any progress on this. I see this thread has thousands of views but not many posters or support. I would be willing to test this functionality and help to validate it if the developers here would be willing to support this effort. I'm sure some of the other posters in this thread would also do the same to help give extra feedback.

Re: config unbound forward.conf

Posted: October 28th, 2018, 12:11 pm
by Jan_B

I have been able to make this work in current version core 124.

create file /etc/sysconfig/unbound

create file whatever.conf under /etc/unbound/local.d/

        name: "."
        forward-tls-upstream: yes
unbound-control stop
unbound-control start

et voilà
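Before restarting, the forward-zone snippet from a recipe like the one above can be sanity-checked for the two things that make a DoT forwarder actually encrypted and authenticated: a forward-zone header (zone keys outside a clause do not parse), and each forward-addr written in Unbound's ip@port#authname form with port 853 and an auth name. This checker is an added example, not code from the thread or from IPFire; the addresses are constructed and the finding codes are my own. Note that certificate verification also needs the server-level tls-cert-bundle option, which lives outside the zone block and is not checked here.

```python
import re

# Constructed sample in Unbound's ip@port#authname form (addresses are hypothetical).
SAMPLE_GOOD = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.1@853#dns.example.net   # trailing comments are fine
    forward-addr: 2001:db8::53@853#dns.example.net
"""

# Constructed sample shaped like the snippets in this thread: no forward-zone
# header, TLS requested, but a bare address with neither port nor auth name.
SAMPLE_BAD = """\
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 192.0.2.1
"""

ADDR_RE = re.compile(r"^(?P<host>[^@#]+)(?:@(?P<port>\d+))?(?:#(?P<auth>.+))?$")

def check_forward_conf(text):
    """Return finding codes for a forward-zone snippet; [] means it looks sane."""
    findings, header, tls, addrs = [], False, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or full-line comment
        if line == "forward-zone:":
            header = True
            continue
        key, _, rest = line.partition(":")
        tokens = rest.split()
        value = tokens[0] if tokens else ""           # first token, trailing comment dropped
        if key.strip() in ("forward-tls-upstream", "forward-ssl-upstream"):
            tls = value.lower() == "yes"              # forward-ssl-upstream is the old spelling
        elif key.strip() == "forward-addr":
            addrs.append(value)
    if not header:
        findings.append("no-forward-zone-header")     # zone keys outside a clause do not parse
    for addr in addrs:
        m = ADDR_RE.match(addr)
        if not m:
            findings.append("unparsable-addr:" + addr)
            continue
        if tls and m.group("port") != "853":
            findings.append("addr-not-853:" + addr)   # DoT upstreams listen on 853, not 53
        if tls and not m.group("auth"):
            findings.append("addr-no-authname:" + addr)  # encrypted but certificate unverified
    return findings
```

Run it on the snippet you are about to drop into local.d; plain port-53 forwarding without the TLS flag produces no findings, since only DoT zones need the port and auth name.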

Re: config unbound forward.conf

Posted: October 28th, 2018, 5:41 pm
by ummeegge
Hi all,
wanted to provide a little list --> ... st+Servers for some other possibilities instead of Quad9 --> ... ver-quad9/ and Cloudflare --> ... s-service/ .

Some of the lists are currently off/do not work or worked very slowly, but may nevertheless be useful for someone...