Adguard + Unbound Configuration ISSUE

OK, I tried to disable the firewall and it still does not work.

I don't have a WiFi module, but I have a Pi Zero 2 W with DietPi v8.11.2.

I tried this command:

root@DietPi:~# unbound
[1671111324] unbound[1536:0] warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
[1671111324] unbound[1536:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
[1671111324] unbound[1536:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
[1671111324] unbound[1536:0] error: cannot open control interface 127.0.0.1 8953
[1671111324] unbound[1536:0] fatal error: could not open ports

Unbound is already started as a service. You can't start it twice :wink:

What I’m still not sure about are these messages :thinking:

Theoretically you could try to install Unbound while connected to your local network and check how it is going. No need to install AGH. The issue is with Unbound directly.

Ah yes, of course, sorry for the stupid thing. In the end I created a virtual machine and connected it to the hotspot, and it doesn't work.

https://ibb.co/JsdnY2Y

Strange thing, I could not replicate the issue at all. Unbound is working, no matter what SoC or VM I'm using.

@trendy any ideas?

As you pointed out @Joulinar the SERVFAIL is a sign of DNSSEC failure.
Reading this thread from the beginning, I’ll share a crazy idea which I faced recently.
Could the original DNS packet to the root dns server be hijacked?
Could you try over another connection? LTE, VPN…

Yes, then I tried again and actually changing the network works… Is there anything I can do to solve the problem? Change any router settings?

Does it mean that using a different network (the hotspot) resolved the issue? Not sure if there are settings on your router that could be changed. We are not familiar with your hardware. Probably you could ask the technical support of your ISP?

Sorry if I didn't specify it better: I took the RPi 2 W and connected it to the hotspot of the mobile phone (this time I did everything with the monitor and not blindly). What should I tell the ISP customer service? "Why are DNS/DNSSEC calls being hijacked?" Can I be more specific?

I share with you some settings, maybe you can help me.


Hi @pietromezza,

I don't know if it can help you, but there's this one that's a bit old; it's related to a Vodafone router and Unbound, also with the error SERVFAIL:
Pi-Hole + Unbound => Unbound anchor not ok // always SERVFAIL : pihole (reddit.com)

Yeah, looks like a similar issue, but sadly no solution.

@pietromezza, on the DNS settings, what happens if you switch from Secure DNS to manual? What are the options after you change to that option?

Can you save the settings on manual? Does this change something for Unbound?

OK, after some testing I found how to make it work then: it should be configured as follows.

Before definitively closing the issue: when my ISP hijacks, what do I encounter? Do they see all my searches?

Well, by default DNS is not encrypted, and someone who likes could theoretically see what request has been sent. Unbound by default is not encrypting DNS requests. However, it's giving some kind of privacy, as DNS requests are sent to the root DNS servers directly and not to your ISP or some other global upstream DNS provider. If you like encrypted DNS, you will need to look into DNS over TLS (DoT). We describe a configuration example in our online docs: DNS Servers Options - DietPi.com Docs

OK, thanks.

Is this configuration correct on the "server" side?

dietpi@DietPi:~$ cat /etc/resolv.conf
nameserver 1.1.1.1

And on the client side, is this one correct?

Yes, best practice is to have the server using a global upstream DNS server, and clients should point to your AdBlock server. However, you should try to distribute the DNS server settings via DHCP. Manual configuration might be working on a Windows or Mac client, but on mobile devices or other small network devices it might become impossible.

Tonight a few things happened that I don't understand. I received requests like this:

Why did I get so many requests from external IPs to the local network?

If some devices continue to use the router’s DNS or 192.168.1.1 what happens?

Maybe all this happened because I had the firewall turned off?

It looks to me like you created an open resolver.
Didn't you turn the firewall back on?


At least 172.17.*, 10.6.* and 192.168.* are private network addresses (Private network - Wikipedia).

Did you open any port to public internet (port forwarding)?

Oh yes, I was talking about the other two. However, yes, I have an open port 5xxx on TCP/UDP.
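The open-resolver suspicion raised above (queries arriving from addresses outside 10.*, 172.16-31.* and 192.168.*) can be checked from the resolver's own query log rather than by guessing. The script below is an added example, not code from the thread or from the DietPi project: it parses lines in the style of Unbound's `log-queries` output, separates private (RFC 1918, loopback, link-local, ULA) client addresses from everything else, and counts queries per external client. The log lines are constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real public addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of Unbound's log-queries output
# (not taken from the thread). Each "info:" line is one client query:
#   <client ip> <qname> <qtype> <qclass>
SAMPLE_LOG = """\
[1671111324] unbound[1536:0] info: 192.168.1.50 dietpi.com. A IN
[1671111325] unbound[1536:0] info: 10.6.0.2 dietpi.com. AAAA IN
[1671111326] unbound[1536:0] info: 172.17.0.3 adguard.com. A IN
[1671111327] unbound[1536:0] info: 203.0.113.9 isc.org. ANY IN
[1671111328] unbound[1536:0] info: 198.51.100.77 isc.org. ANY IN
[1671111329] unbound[1536:0] info: 198.51.100.77 example.com. TXT IN
[1671111330] unbound[1536:0] warning: so-rcvbuf 4194304 was not granted. Got 425984.
"""

# Address ranges that legitimately belong to a home LAN: the three RFC 1918
# blocks named in the thread plus loopback, IPv6 loopback, ULA and link-local.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

# Only "info:" query lines carry a client address; warnings/errors are skipped.
QUERY_RE = re.compile(r"info: (\S+) (\S+) (\S+) (\S+)$")


def is_local(ip: str) -> bool:
    """True if the client address falls inside one of the LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_queries(text: str):
    """Yield (client_ip, qname, qtype) for every query line in the log text."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def external_clients(text: str) -> Counter:
    """Count queries per client address that is NOT on the local network."""
    counts = Counter()
    for client, _qname, _qtype in parse_queries(text):
        if not is_local(client):
            counts[client] += 1
    return counts


def suspect_open_resolver(text: str) -> bool:
    """A resolver meant for the LAN only should never answer external clients."""
    return bool(external_clients(text))


if __name__ == "__main__":
    for client, n in external_clients(SAMPLE_LOG).most_common():
        print(f"{client}: {n} queries from outside the LAN")
    if suspect_open_resolver(SAMPLE_LOG):
        print("External clients reached the resolver: check the firewall and port forwarding.")
```

Run it against a real log by reading the file into `external_clients()`; any non-empty result means the resolver is reachable from outside, which on a home setup points at a port forward or a disabled firewall rather than at Unbound itself. Restricting the forwarded port and Unbound's own access control to the LAN ranges listed in `LOCAL_NETS` closes the exposure.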