Help! UNBOUND on Tomato

Discussion in 'Tomato Firmware' started by rgnldo, May 24, 2018.

  1. rgnldo

    rgnldo Reformed Router Member

    Help! I cannot start the Unbound Entware service. It reports that the port and interface already exist. I tried changing the unbound.conf or swapping the ports, it did not work.

    [1527160247] unbound[3984:0] error: can't bind socket: Address already in use for 127.0.0.1
    [1527160247] unbound[3984:0] fatal error: could not open ports

    unbound.conf
    Code:
    server:
        root-hints: /opt/etc/unbound/named.cache
        auto-trust-anchor-file: /opt/etc/unbound/root.key
        access-control: 10.0.0.0/8 allow
        access-control: 127.0.0.0/8 allow
        access-control: 192.168.0.0/16 allow
        cache-max-ttl: 14400
        cache-min-ttl: 900
        port: 5453
        #allow username: nobody
        hide-identity: yes
        hide-version: yes
        interface: 127.0.0.1
        interface: 10.0.30.1
        minimal-responses: yes
        prefetch: yes
        qname-minimisation: yes
        rrset-roundrobin: yes
        use-caps-for-id: yes
        verbosity: 1

    forward-zone:
        name: "."
        forward-addr: 1.1.1.1 # Cloudflare
        forward-addr: 1.0.0.1 # Cloudflare
     
  2. eibgrad

    eibgrad Network Guru Member

    Obviously using the same port as DNSMasq (53) would cause a conflict. But I don't see why using a different port would be an issue. Not unless unbound is using a different config file than the one you *think* it's using. Seen that before.

    Try adding the following to DNSMasq in Custom Configuration (which should disable its DNS server) and see if it will now accept your port, or even port 53.

    Code:
    port=0
     
  3. rgnldo

    rgnldo Reformed Router Member

    DNSMasq in Custom Configuration:
    Code:
    server=127.0.0.1#5453
    no-resolv
    port=0
     
  4. AndreDVJ

    AndreDVJ LI Guru Member

    Spent this evening figuring out how to start unbound from Entware (I assume the default prefix /opt is used). I still forward queries from dnsmasq (well, it is a query forwarder) to unbound, listening on port 40.

    1) install unbound
    Code:
    opkg install unbound
    2) install unbound-anchor
    Code:
    opkg install unbound-anchor
    3) run unbound-anchor
    Code:
    /opt/sbin/unbound-anchor
    4) create /opt/var/lib/unbound directory
    Code:
    mkdir /opt/var/lib/unbound
    5) copy root.key to unbound directory
    Code:
    cp -f /opt/etc/unbound/root.key /opt/var/lib/unbound/root.key
    6) change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody
    Code:
    chown nobody /opt/var/lib/unbound
    7) edit /opt/etc/unbound/unbound.conf - In this case I wanted DNSSEC enabled, which is why I copied the root key, etc. Tweak as you see fit; I don't use unbound as dnsmasq does everything I need.
    Code:
    server:
        # whitespace is not necessary, but looks cleaner.
    
        # port to answer queries from
        port: 40
    
        # verbosity 1 is default
        verbosity: 1
    
        # Self jail Unbound with user "unbound" to /var/lib/unbound
        # The script /etc/init.d/unbound will setup the location
        username: "nobody"
        directory: "/opt/var/lib/unbound"
        chroot: "/opt/var/lib/unbound"
    
        # The pid file is created before privileges drop so no concern
        pidfile: "/opt/var/run/unbound.pid"
    
        # no threads and no memory slabs for threads
        num-threads: 2
        msg-cache-slabs: 2
        rrset-cache-slabs: 2
        infra-cache-slabs: 2
        key-cache-slabs: 2
    
        # don't be picky about interfaces but consider your firewall
        interface: 0.0.0.0
        interface: ::0
        access-control: 0.0.0.0/0 allow
        access-control: ::0/0 allow
    
        # this limits TCP service but uses less buffers
        outgoing-num-tcp: 1
        incoming-num-tcp: 1
    
        # use somewhat higher port numbers versus possible NAT issue
        outgoing-port-permit: "10240-65335"
    
        # uses less memory but less performance
        outgoing-range: 60
        num-queries-per-thread: 30
    
        # exclude large responses
        msg-buffer-size: 8192
    
        # tiny memory cache
        infra-cache-numhosts: 200
        msg-cache-size: 100k
        rrset-cache-size: 100k
        key-cache-size: 100k
        neg-cache-size: 10k
    
        # gentle on recursion
        target-fetch-policy: "2 1 0 0 0 0"
        harden-large-queries: yes
        harden-short-bufsize: yes
    
        # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
        # -anchor-file:" The init script will copy root key to /var/lib/unbound.
        # See package documentation for crontab entry to copy RFC5011 results back.
        module-config: "validator iterator"
        auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    
        # DNSSEC needs real time to validate signatures. If your device does not
        # have power off clock (reboot), then you may need this work around.
        #domain-insecure: "pool.ntp.org"
    
    forward-zone:
    #       Cloudflare
            name: "."
            forward-addr: 1.1.1.1
            forward-addr: 1.0.0.1
    8) start unbound daemon
    Code:
    /opt/sbin/unbound -c /opt/etc/unbound/unbound.conf
    Edit dnsmasq custom configuration in GUI and save it:
    Code:
    cache-size=0
    server=127.0.0.1#40
    no-resolv
    no-poll
     
  5. rgnldo

    rgnldo Reformed Router Member

    Thank you very much
     
    Last edited: Jun 8, 2018
  6. rgnldo

    rgnldo Reformed Router Member

    [1528665349] unbound[2995:0] error: can't bind socket: Address already in use for 0.0.0.0
    [1528665349] unbound[2995:0] fatal error: could not open ports
     
  7. rgnldo

    rgnldo Reformed Router Member

    @AndreDVJ there is a problem: no internet after reboot.
     
  8. AndreDVJ

    AndreDVJ LI Guru Member

    Are Entware daemons starting after reboot? dnsmasq should be forwarding queries to another DNS server running in your router, which should be unbound.

    Somewhere among your scripts, after /opt is mounted, this should be called:
    Code:
    /opt/etc/init.d/rc.unslung start
     
  9. rgnldo

    rgnldo Reformed Router Member

    I just do not understand how I should leave the options in Tomato's dnsmasq GUI.
     
    Last edited: Jun 11, 2018
  10. rgnldo

    rgnldo Reformed Router Member

    Code:
    #!/bin/sh
    mount -o bind /tmp/mnt/ENTWARE/opt /opt
    mount -o bind /tmp/mnt/ENTWARE/jffs /jffs
    swapon /dev/sda2
    sleep 2
    /opt/etc/init.d/rc.unslung start
    sleep 40
    /opt/etc/init.d/rc.unslung restart
     
    Last edited: Jun 11, 2018
  11. rgnldo

    rgnldo Reformed Router Member

    This is the NO-RESOLV option on the Tomato GUI page.
     
  12. AndreDVJ

    AndreDVJ LI Guru Member

    I tested again - I had issues because I forgot to disable DNSSEC from GUI - so disable that.

    The only checkbox enabled is "Use internal DNS".

    dnsmasq configuration - forwarding queries to port 40:
    Code:
    root@R7000:/tmp/home/root# cat /etc/dnsmasq.conf
    pid-file=/var/run/dnsmasq.pid
    resolv-file=/etc/resolv.dnsmasq
    addn-hosts=/etc/dnsmasq
    dhcp-hostsfile=/etc/dnsmasq
    expand-hosts
    min-port=4096
    interface=br0
    dhcp-range=tag:br0,192.168.1.10,192.168.1.41,255.255.255.0,1440m
    dhcp-option=tag:br0,3,192.168.1.1
    dhcp-option=tag:br0,44,192.168.1.1
    interface=br1
    dhcp-range=tag:br1,192.168.2.2,192.168.2.254,255.255.255.0,1440m
    dhcp-option=tag:br1,3,192.168.2.1
    dhcp-option=tag:br1,44,192.168.2.1
    dhcp-host=XX:XX:XX:XX:XX:XX,192.168.1.104
    dhcp-lease-max=255
    dhcp-authoritative
    log-async=25
    log-dhcp
    dhcp-option=252
    dns-loop-detect
    log-facility=/mnt/usb/log/dnsmasq.log
    cache-size=0
    server=127.0.0.1#40
    no-resolv
    no-poll
    unbound configuration, listening on port 40:
    Code:
    root@R7000:/tmp/home/root# cat /opt/etc/unbound/unbound.conf
    # The server clause sets the main parameters.
    server:
            # whitespace is not necessary, but looks cleaner.
    
            # port to answer queries from
            port: 40
    
            # verbosity 1 is default
            verbosity: 1
    
            # Self jail Unbound with user "unbound" to /var/lib/unbound
            # The script /etc/init.d/unbound will setup the location
            username: "nobody"
            directory: "/opt/var/lib/unbound"
            chroot: "/opt/var/lib/unbound"
    
            # The pid file is created before privileges drop so no concern
            pidfile: "/opt/var/run/unbound.pid"
    
            # no threads and no memory slabs for threads
            num-threads: 2
            msg-cache-slabs: 2
            rrset-cache-slabs: 2
            infra-cache-slabs: 2
            key-cache-slabs: 2
    
            # don't be picky about interfaces but consider your firewall
            interface: 0.0.0.0
            interface: ::0
            access-control: 0.0.0.0/0 allow
            access-control: ::0/0 allow
    
            # this limits TCP service but uses less buffers
            outgoing-num-tcp: 1
            incoming-num-tcp: 1
    
            # use somewhat higher port numbers versus possible NAT issue
            outgoing-port-permit: "10240-65335"
    
            # uses less memory but less performance
            outgoing-range: 60
            num-queries-per-thread: 30
    
            # exclude large responses
            msg-buffer-size: 8192
    
            # tiny memory cache
            infra-cache-numhosts: 200
            msg-cache-size: 100k
            rrset-cache-size: 100k
            key-cache-size: 100k
            neg-cache-size: 10k
    
            # gentle on recursion
            target-fetch-policy: "2 1 0 0 0 0"
            harden-large-queries: yes
            harden-short-bufsize: yes
    
            # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
            # -anchor-file:" The init script will copy root key to /var/lib/unbound.
            # See package documentation for crontab entry to copy RFC5011 results back.
            module-config: "validator iterator"
            auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    
            # DNSSEC needs real time to validate signatures. If your device does not
            # have power off clock (reboot), then you may need this work around.
            #domain-insecure: "pool.ntp.org"
    
    forward-zone:
    #       Cloudflare
            name: "."
            forward-addr: 1.1.1.1
            forward-addr: 1.0.0.1

    netstat dump:
    Code:
    root@R7000:/tmp/home/root# netstat -lnpW
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address                                       Foreign Address                                     State       PID/Program name
    tcp        0      0 0.0.0.0:40                                          0.0.0.0:*                                           LISTEN      21121/unbound
    tcp        0      0 127.0.0.1:9000                                      0.0.0.0:*                                           LISTEN      18727/php-cgi
    tcp        0      0 192.168.1.1:139                                     0.0.0.0:*                                           LISTEN      18786/smbd
    tcp        0      0 192.168.1.254:80                                    0.0.0.0:*                                           LISTEN      20867/pixelserv-tls
    tcp        0      0 177.194.97.86:8080                                  0.0.0.0:*                                           LISTEN      20330/httpd
    tcp        0      0 192.168.2.1:80                                      0.0.0.0:*                                           LISTEN      20330/httpd
    tcp        0      0 192.168.1.1:80                                      0.0.0.0:*                                           LISTEN      20330/httpd
    tcp        0      0 0.0.0.0:53                                          0.0.0.0:*                                           LISTEN      20960/dnsmasq
    tcp        0      0 0.0.0.0:85                                          0.0.0.0:*                                           LISTEN      18730/nginx
    tcp        0      0 0.0.0.0:22                                          0.0.0.0:*                                           LISTEN      939/dropbear
    tcp        0      0 0.0.0.0:38746                                       0.0.0.0:*                                           LISTEN      20323/miniupnpd
    tcp        0      0 192.168.1.254:443                                   0.0.0.0:*                                           LISTEN      20867/pixelserv-tls
    tcp        0      0 192.168.2.1:443                                     0.0.0.0:*                                           LISTEN      20330/httpd
    tcp        0      0 192.168.1.1:443                                     0.0.0.0:*                                           LISTEN      20330/httpd
    tcp        0      0 192.168.1.1:445                                     0.0.0.0:*                                           LISTEN      18786/smbd
    tcp        0      0 :::40                                               :::*                                                LISTEN      21121/unbound
    tcp        0      0 :::53                                               :::*                                                LISTEN      20960/dnsmasq
    tcp        0      0 :::22                                               :::*                                                LISTEN      939/dropbear
    udp        0      0 0.0.0.0:42000                                       0.0.0.0:*                                                       19008/eapd
    udp        0      0 0.0.0.0:40                                          0.0.0.0:*                                                       21121/unbound
    udp        0      0 0.0.0.0:53                                          0.0.0.0:*                                                       20960/dnsmasq
    udp        0      0 0.0.0.0:67                                          0.0.0.0:*                                                       20960/dnsmasq
    udp        0      0 0.0.0.0:1900                                        0.0.0.0:*                                                       20323/miniupnpd
    udp        0      0 192.168.1.1:12144                                   0.0.0.0:*                                                       20323/miniupnpd
    udp        0      0 0.0.0.0:38000                                       0.0.0.0:*                                                       19008/eapd
    udp        0      0 192.168.1.255:137                                   0.0.0.0:*                                                       18775/nmbd
    udp        0      0 192.168.1.1:137                                     0.0.0.0:*                                                       18775/nmbd
    udp        0      0 0.0.0.0:137                                         0.0.0.0:*                                                       18775/nmbd
    udp        0      0 192.168.1.255:138                                   0.0.0.0:*                                                       18775/nmbd
    udp        0      0 192.168.1.1:138                                     0.0.0.0:*                                                       18775/nmbd
    udp        0      0 0.0.0.0:138                                         0.0.0.0:*                                                       18775/nmbd
    udp        0      0 127.0.0.1:38032                                     0.0.0.0:*                                                       19010/nas
    udp        0      0 192.168.1.1:5351                                    0.0.0.0:*                                                       20323/miniupnpd
    udp        0      0 0.0.0.0:43000                                       0.0.0.0:*                                                       19008/eapd
    udp        0      0 :::40                                               :::*                                                            21121/unbound
    udp        0      0 :::53                                               :::*                                                            20960/dnsmasq
    raw        0      0 0.0.0.0:255                                         0.0.0.0:*                                           255         20361/udhcpc
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING     1282190 18775/nmbd          /var/nmbd/unexpected
    
     
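The bind failure in the opening post and the netstat dump above are two halves of the same diagnosis: unbound can only bind an interface/port pair that no other process holds, and a wildcard 0.0.0.0 listener on that port (dnsmasq on 53, or a leftover unbound from an earlier attempt) shadows every specific address as well. The pre-flight check below is an added example, not code from this thread or from the unbound project. It reads the interface: and port: directives from the server: clause of unbound.conf (honouring unbound's own rule that an interface written as addr@port keeps its own port), parses netstat -lnp output in the layout shown above, and reports which existing socket would produce "Address already in use". The embedded config and netstat lines are constructed samples modelled on the thread, and the function names are my own.

```python
"""Pre-flight check for unbound's 'can't bind socket: Address already in use'.

Added example (not from the thread): compares the listeners unbound.conf asks
for with the sockets 'netstat -lnp' already shows.  On the router, run as
    python3 unbound_preflight.py /opt/etc/unbound/unbound.conf
(Entware python3 assumed).
"""
import subprocess
import sys

# Constructed sample unbound.conf: wildcard bind on port 53, i.e. the
# original poster's collision with dnsmasq.
SAMPLE_CONF = """\
server:
    port: 53
    interface: 0.0.0.0
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
"""

# Constructed sample in the 'netstat -lnpW' layout shown in the thread:
# dnsmasq on 53, plus a leftover unbound from an earlier start on 5453.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address    Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:53       0.0.0.0:*         LISTEN   20960/dnsmasq
udp        0      0 0.0.0.0:53       0.0.0.0:*                  20960/dnsmasq
udp        0      0 127.0.0.1:5453   0.0.0.0:*                  21121/unbound
tcp        0      0 :::22            :::*              LISTEN   939/dropbear
"""

WILDCARDS = {"0.0.0.0", "::"}


def parse_unbound_listeners(conf_text):
    """Return the (addr, port) pairs the server: clause will bind.

    'interface: addr' uses the clause's 'port:' (default 53); an explicit
    'interface: addr@port' keeps its own port, as in unbound's config syntax.
    """
    port, addrs, in_server = 53, [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # clause header, e.g. server:
            in_server = line == "server:"
            continue
        if not in_server:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "port":
            port = int(value)
        elif key == "interface":
            addrs.append(value)
    listeners = []
    for addr in addrs:
        host, sep, own_port = addr.rpartition("@")
        listeners.append((host, int(own_port)) if sep else (addr, port))
    return listeners


def parse_netstat_listeners(netstat_text):
    """Map (proto, addr, port) -> 'PID/program' for each listening socket."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, _, port = fields[3].rpartition(":")    # ':::40' -> ('::', '40')
        listeners[(fields[0][:3], addr, int(port))] = fields[-1]
    return listeners


def binds_overlap(a, b):
    """Same address family and either equal or one of them that family's wildcard.
    Simplification: a dual-stack '::' socket without IPV6_V6ONLY would also
    shadow IPv4 addresses; unbound sets V6ONLY, so families are kept apart."""
    if (":" in a) != (":" in b):
        return False
    return a == b or a in WILDCARDS or b in WILDCARDS


def find_conflicts(conf_text, netstat_text):
    """Sockets that would make unbound's bind fail, as (proto, addr, port, program)."""
    conflicts = set()
    existing = parse_netstat_listeners(netstat_text)
    for addr, port in parse_unbound_listeners(conf_text):
        for (proto, e_addr, e_port), program in existing.items():
            # unbound binds both UDP and TCP, so either protocol is a conflict;
            # an old unbound instance still holding the port counts as well.
            if e_port == port and binds_overlap(addr, e_addr):
                conflicts.add((proto, e_addr, e_port, program))
    return sorted(conflicts)


def main(argv):
    conf_path = argv[1] if len(argv) > 1 else "/opt/etc/unbound/unbound.conf"
    with open(conf_path) as fh:
        conf = fh.read()
    netstat = subprocess.run(["netstat", "-lnp"], capture_output=True, text=True).stdout
    conflicts = find_conflicts(conf, netstat)
    for proto, addr, port, program in conflicts:
        print(f"{proto} {addr}:{port} already held by {program}")
    return 1 if conflicts else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means some socket in the listing, from dnsmasq or from an unbound that never exited, would block the bind; the second error in the thread (0.0.0.0 in use) is exactly the case where the wildcard interface collides with whatever already owns that port on any address.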
  13. rgnldo

    rgnldo Reformed Router Member

    I also use these settings:

    Code:
    #set up the localhost forward and reverse lookups with the following lines:

    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"
    local-zone: "127.in-addr.arpa." static
    local-data: "127.in-addr.arpa. 10800 IN NS localhost."
    local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
    local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

    I also use unbound-control to keep track of unbound performance, with the command "unbound-control stats".

    Code:
    remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes

    # what interfaces are listened to for remote control.
    # give 0.0.0.0 and ::0 to listen to all interfaces.
    control-interface: 0.0.0.0

    # port number for remote control operations.
    control-port: 953

    # unbound server key file.
    server-key-file: "/opt/var/lib/unbound/unbound_server.key"

    # unbound server certificate file.
    server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"

    # unbound-control key file.
    control-key-file: "/opt/var/lib/unbound/unbound_control.key"

    # unbound-control certificate file.
    control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
     
  14. rgnldo

    rgnldo Reformed Router Member

    @AndreDVJ I comment out NO-RESOLV and apply the DNSMasq GUI. Then I uncomment NO-RESOLV, apply the DNSMasq GUI again, and the internet works. I think unbound comes up later than DNSMasq. I use Entware MiniDLNA, but I need to set the "sleep 40" before /opt/etc/init.d/rc.unslung restart.
     
  15. rgnldo

    rgnldo Reformed Router Member

    @AndreDVJ With Stubby the NO-RESOLV option works fine after the reboot. But with Unbound it does not work after reboot. I have to comment it out and apply in the Dnsmasq GUI, then uncomment NO-RESOLV and apply the Dnsmasq GUI again.
     
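The last two posts describe the same race: dnsmasq with no-resolv is already answering when the Entware scripts are still bringing unbound up, so the forward target at 127.0.0.1#40 is dead until the GUI is re-applied, and a fixed "sleep 40" is only a guess at how long that takes. The probe below is an added example, not code from this thread, the unbound project or Tomato: it sends real DNS queries to the local unbound port until a matching answer comes back, and only then should dnsmasq be restarted. It asks for localhost. A, which unbound serves from its built-in local zone (and which the poster also defines explicitly above), so the check passes as soon as the daemon is up even when the WAN is not. Port 40 follows AndreDVJ's config; Entware python3 and the function names are assumptions.

```python
"""Readiness probe for a local unbound listener.

Added example (not from the thread): poll 127.0.0.1:40 with minimal DNS
queries until unbound answers, instead of sleeping a fixed 40 seconds.
"""
import socket
import struct
import time

QR_BIT, SERVFAIL, REFUSED = 0x8000, 2, 5


def build_query(qname, txid, qtype=1, qclass=1):
    """Minimal DNS query: 12-byte header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".") if label
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def response_matches(query, reply):
    """True when reply is a usable answer to query: same transaction id, QR
    bit set, RCODE neither SERVFAIL nor REFUSED, and the question echoed back."""
    if len(reply) < len(query):
        return False
    (q_id,) = struct.unpack("!H", query[:2])
    r_id, flags = struct.unpack("!HH", reply[:4])
    if r_id != q_id or not (flags & QR_BIT):
        return False
    if (flags & 0x000F) in (SERVFAIL, REFUSED):
        return False
    return reply[12:len(query)] == query[12:]


def wait_for_resolver(host="127.0.0.1", port=40, timeout=60.0, interval=2.0,
                      qname="localhost."):
    """Poll host:port over UDP until a matching answer arrives.  Returns the
    number of attempts on success; raises TimeoutError after `timeout` seconds."""
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        query = build_query(qname, attempts & 0xFFFF)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(interval)
            try:
                sock.sendto(query, (host, port))
                reply, _ = sock.recvfrom(512)
                if response_matches(query, reply):
                    return attempts
            except OSError:
                # recv timeout, or ICMP port-unreachable because nothing listens yet
                pass
        if time.monotonic() >= deadline:
            raise TimeoutError(f"no answer from {host}:{port} within {timeout}s")
        time.sleep(interval)


if __name__ == "__main__":
    tries = wait_for_resolver()
    print(f"unbound answered after {tries} attempt(s); safe to restart dnsmasq now")
```

Called from the startup script after rc.unslung start, the probe returns as soon as unbound is serving and raises if it never does; follow it with whatever command your firmware uses to restart dnsmasq, and treat a TimeoutError as the signal to look at unbound's own log rather than to keep toggling NO-RESOLV in the GUI.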