I am not able to setup a srv record

[balajeek]

I setup unbound with pi-hole and all seem to work fine.

Now what i want to achieve is create some lan dns entries so i don't have to remember ports of all the docker service containers i am running such as portianer, plex, hass and so.

when i go into the browser and type portainer.homelab.me should go to http://192.168.1.9:9000 and similar to other services as well. all the google i did tells me i need to set srv-records in unbound, so i created an srv-records.conf and included in unbound.conf

I tried my best to put in the line for the dns entries, everything comes with error or does not work, I am that good in networking so please forgive me.

here is what i tried

_port._tcp.portainer.homelab.one.  86400 IN    SRV 0        10     9000     portainer.homelab.one.

[MatthewVance]

Will you share your Docker run command and output of error logs?

On Sun, Aug 15, 2021, 9:05 PM balajeek @.***> wrote:

I setup unbound with pi-hole and all seem to work fine.

Now what i want to achieve is create some lan dns entries so i don't have to remember ports of all the docker service containers i am running such as portianer, plex, hass and so.

when i go into the browser and type portainer.homelab.me should go to http://192.168.1.9:9000 and similar to other services as well. all the google i did tells me i need to set srv-records in unbound, so i created an srv-records.conf and included in unbound.conf

I tried my best to put in the line for the dns entries, everything comes with error or does not work, I am that good in networking so please forgive me.

here is what i tried

_port._tcp.portainer.homelab.one. 86400 IN SRV 0 10 9000 portainer.homelab.one.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker/issues/74, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHOWQRGEVC7EM2NTO3PLT5BW7LANCNFSM5CGZSELQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[balajeek]

here is the docker-compose:

  unbound:
    image: mvance/unbound:latest
    container_name: unbound
    restart: unless-stopped
    networks:
      pihole_net:
        ipv4_address: 172.20.0.7
    volumes:  
      - ${DOCKERDIR}/unbound/:/opt/unbound/etc/unbound/
    ports:
      - 5053:5053/tcp
      - 5053:5053/udp
    healthcheck:
      disable: true

log:

[1629143174] libunbound[20:0] error: udp connect failed: Cannot assign requested address for 2001:500:9f::42 port 53
/opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '_port._tcp.portainer.homelab.one.'
/opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '86400'
/opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword 'IN'
/opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword 'SRV'
/opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '0'
/opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '10'
/opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '3000'
/opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword 'portainer.homelab.one.'
read /opt/unbound/etc/unbound/unbound.conf failed: 8 errors in configuration file
[1629143174] unbound[1:0] fatal error: Could not read config file: /opt/unbound/etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf

homelab.one dns record pointing to an my home IP is added in pi-hole

[MatthewVance]

Try this:

volumes:

• ${DOCKERDIR}/unbound:/opt/unbound/etc/unbound/

On Mon, Aug 16, 2021, 2:49 PM balajeek @.***> wrote:

here is the docker-compose:

unbound: image: mvance/unbound:latest container_name: unbound restart: unless-stopped networks: pihole_net: ipv4_address: 172.20.0.7 volumes:

• ${DOCKERDIR}/unbound/:/opt/unbound/etc/unbound/ ports:
• 5053:5053/tcp
• 5053:5053/udp healthcheck: disable: true

log:

[1629143174] libunbound[20:0] error: udp connect failed: Cannot assign requested address for 2001:500:9f::42 port 53 /opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '_port._tcp.portainer.homelab.one.' /opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '86400' /opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword 'IN' /opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword 'SRV' /opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '0' /opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '10' /opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword '3000' /opt/unbound/etc/unbound/srv-records.conf:9: error: unknown keyword 'portainer.homelab.one.' read /opt/unbound/etc/unbound/unbound.conf failed: 8 errors in configuration file [1629143174] unbound[1:0] fatal error: Could not read config file: /opt/unbound/etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf

homelab.one dns record pointing to an my home IP is added in pi-hole

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker/issues/74#issuecomment-899774122, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHOVFSTN335DSHZI57A3T5FTTLANCNFSM5CGZSELQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[balajeek]

tried and got the same set of errors. I think the problem is not loading/reading the config file, becaz as soon as i remove the line from srv-records.conf, the errors goes away.

[MatthewVance]

Very odd. The errors are pointing to a bad volume mount. That's usually due to:

• having or not having a slash in the right place in the volume parameter of the run command / compose file. OR
• not having the files in the right location in your local file system in respect to the volume mount.

Are you confident the ${DOCKERDIR} environment variable is set to the right thing and accessible in the context of user running docker compose up?

On Mon, Aug 16, 2021, 2:57 PM balajeek @.***> wrote:

tried and got the same set of errors.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker/issues/74#issuecomment-899778809, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHOSF7DQF2SIWXSFDW4DT5FUSRANCNFSM5CGZSELQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[balajeek]

i am sure its reading the file, becaz the srv-records.conf is in the unbound.conf with line include: /opt/unbound/etc/unbound/srv-records.conf

also i make sure is i turned the verbrosity:2 to log in the unbound.conf and immediately i see log file is generated.

so in this way it tells me that docker container is indeed reading the config files in unbound directory. moreover the error tells 8 errors in the config file which means its reading the config file but have errors.

btw do you see any syntax errors in the way i tried in srv-records?

[MatthewVance]

I need to look closer. I had your logs errors mixed up in my mind with someone else's I looked at recently. Yours are definitely pointing to a srv record syntax issue.

On Mon, Aug 16, 2021, 3:49 PM balajeek @.***> wrote:

i am sure its reading the file, becaz the srv-records.conf is in the unbound.conf with line include: /opt/unbound/etc/unbound/srv-records.conf

also i make sure is i turned the verbrosity:2 to log in the unbound.conf and immediately i see log file is generated.

so i this way it tells me that docker container is indeed reading the config files in unbound directory.

btw do you see any syntax errors in the way i tried in srv-records?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker/issues/74#issuecomment-899808547, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHOQ27LNCX3ILBZ33JT3T5F2ULANCNFSM5CGZSELQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[MatthewVance]

Apologies for the earlier confusion with the mix up on my end.

SRV records are not something I personally use so I have limited experience here. Most of the examples I've seen prefix the entry with local-data. For instance:

# SRV records
# _service._proto.name. | TTL | class | SRV | priority | weight | port | target.
    local-data: "_port._tcp.portainer.homelab.one.  86400 IN    SRV 0        10     9000     portainer.homelab.one."

A prefix like that makes sense though because the a-record and ptr) in the a-records.conf file I do use require that. The forward records in the forward-zone also require prefixes.

If you confirm this is the case, I should update the example file to provide greater clarity.

[balajeek]

What do you suggest i can try so i have lan only dns with ports so i could call my names rather than IP?

[MatthewVance]

Is there a specific reason you are using a SRV record over an A record?

On Mon, Aug 16, 2021, 9:15 PM balajeek @.***> wrote:

What do you suggest i can try so i have lan only dns with ports so i could call my names rather than IP?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker/issues/74#issuecomment-899941219, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHOSEP5NWGCQVLLTSYKTT5HA4NANCNFSM5CGZSELQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[balajeek]

I tried A record by including a-records.conf in the unbound conf and add it like this, but did not work.

# A Record
    local-data: "portainer.homelab.one. A 192.168.1.11"

# PTR Record
    local-data-ptr: "192.168.1.11 portainer.homelab.one."

[MatthewVance]

That should work. I haven't seen your custom unbound.conf file, but I know the a-records support for custom LAN DNS works with the default config.

To help narrow down the issue, what happens when you use this method: https://github.com/MatthewVance/unbound-docker#a-records

What does your custom config look like? How are you checking whether it is working or not? Dig is the preferred method. What is are the results of running dig? Are you sure everything is pointed to the right DNS server (typically the IP of the host running the container, unless you need this to be accessible from other containers)?

On Tue, Aug 17, 2021, 6:39 AM balajeek @.***> wrote:

I tried A record by including a-records.conf in the unbound conf and add it like this, but did not work.

A Record

local-data: "portainer.homelab.one. A 192.168.1.11"

PTR Record

local-data-ptr: "192.168.1.11 portainer.homelab.one."

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker/issues/74#issuecomment-900222555, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHOWXX2FKOYOGE7FPZCTT5JDABANCNFSM5CGZSELQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[balajeek]

Sure I will explain here all about my setup. All the services i have are on docker and using docker-compose. I am running pihole for over a year now and all my clients computers/phones are all connected with the dns ip as pihole and all seem to work.

With all the services running on the same box as pihole run in many different ports, and it become hard for me to remember the ports to access their web ui's. I use more than one computer/phones so bookmarking all does not make sense. So i thought i should have local dns so i can simply type http://portainer and it should resolve and go to http://192.168.99.11 (let say) I would do this to all the services i use.

I know in pihole i could add dns records and A records which works but i can't do ports on it.

Then when i was googling some folks at reddit said unbound will do it and it also helps with other dns features which i liked so i setup unbound in docker, added unbound as upstream dns on pi-hole, the test commands as seen are seem to execute fine.

The way i test is from my mac terminal i ping the dns i created,

But my primary goal of lan dns I am strill stuggling to make it work. Hope you understand what my goal is.

I already posted my docker compose, a-records and srv-records conf Here is my unbound conf:

server:
# If no logfile is specified, syslog is used
logfile: /opt/unbound/etc/unbound/unbound.log
verbosity: 1

access-control: 172.16.0.0/12 allow
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
interface: 0.0.0.0
port: 5053
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: no

# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no

# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
# I have to quote out this root-hints, as it causing container endless restarting for a new installation. You can add root-hints back after first run. 
#root-hints: “/opt/unbound/etc/unbound/root.hints”

# Trust glue only if it is within the server's authority
harden-glue: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes

# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no

# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472

# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes

# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

#includes
include: /opt/unbound/etc/unbound/a-records.conf
include: /opt/unbound/etc/unbound/srv-records.conf

[MatthewVance]

Thanks for the background.

While SRV records associate ports with names, I don't believe http or browsers use them. They're more common for things like AD and Kerberos. Browsers rely on A or AAAA records but those don't support ports. Thus, I'm not sure you will be able to accomplish what you want to via either method.

Have you explored solving this with Docker Swarm or Kubernetes? I think you're at the point of needing service discovery.

On Tue, Aug 17, 2021, 7:06 AM balajeek @.***> wrote:

Sure I will explain here all about my setup. All the services i have are on docker and using docker-compose. I am running pihole for over a year now and all my clients computers/phones are all connected with the dns ip as pihole and all seem to work.

With all the services running on the same box as pihole run in many different ports, and it become hard for me to remember the ports to access their web ui's. I use more than one computer/phones so bookmarking all does not make sense. So i thought i should have local dns so i can simply type http://portainer and it should resolve and go to http://192.168.99.11 (let say) I would do this to all the services i use.

I know in pihole i could add dns records and A records which works but i can't do ports on it.

Then when i was googling some folks at reddit said unbound will do it and it also helps with other dns features which i liked so i setup unbound in docker, added unbound as upstream dns on pi-hole, the test commands as seen are seem to execute fine.

The way i test is from my mac terminal i ping the dns i created,

But my primary goal of lan dns I am strill stuggling to make it work. Hope you understand what my goal is.

I already posted my docker compose, a-records and srv-records conf Here is my unbound conf:

server:

If no logfile is specified, syslog is used

logfile: /opt/unbound/etc/unbound/unbound.log

verbosity: 1

access-control: 172.16.0.0/12 allow

access-control: 127.0.0.0/8 allow

access-control: 10.0.0.0/8 allow

access-control: 192.168.0.0/16 allow

interface: 0.0.0.0

port: 5053

do-ip4: yes

do-udp: yes

do-tcp: yes

May be set to yes if you have IPv6 connectivity

do-ip6: no

You want to leave this to no unless you have native IPv6. With 6to4 and

Terredo tunnels your web browser should favor IPv4 for the same reasons

prefer-ip6: no

Use this only when you downloaded the list of primary root servers!

If you use the default dns-root-data package, unbound will find it automatically

I have to quote out this root-hints, as it causing container endless restarting for a new installation. You can add root-hints back after first run.

root-hints: “/opt/unbound/etc/unbound/root.hints”

Trust glue only if it is within the server's authority

harden-glue: yes

Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS

harden-dnssec-stripped: yes

Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes

see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details

use-caps-for-id: no

Reduce EDNS reassembly buffer size.

Suggested by the unbound man page to reduce fragmentation reassembly problems

edns-buffer-size: 1472

Perform prefetching of close to expired message cache entries

This only applies to domains that have been frequently queried

prefetch: yes

One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.

num-threads: 1

Ensure kernel buffer is large enough to not lose messages in traffic spikes

so-rcvbuf: 1m

Ensure privacy of local IP ranges

private-address: 192.168.0.0/16

private-address: 169.254.0.0/16

private-address: 172.16.0.0/12

private-address: 10.0.0.0/8

private-address: fd00::/8

private-address: fe80::/10

includes

include: /opt/unbound/etc/unbound/a-records.conf

include: /opt/unbound/etc/unbound/srv-records.conf

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker/issues/74#issuecomment-900239652, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHORBDD3CZQRTVZVHTLLT5JGFRANCNFSM5CGZSELQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[balajeek]

I was troubleshooting today and it seem to work but wierdly.

I added and entry (without the period at the domain name) local-data: "portainer.homelab.one A 192.168.1.11"

restarted unbound docker and i was able to ping portainer.homelab.one and also able see the page on the browser. which is great.

This was only a test so i changed the ip from 11 to 15 and restarted unbound docker, but it still points to 11 on the ping and on the browser, I completed commented the A records and restarted and to my surprise the dns portainer.homelab.one still works.

Is it a cache? how can i clear it ?

[MatthewVance]

Restarting the container and thus Unbound works immediately for me. I don't recall ever running into a caching issue.

Other than restarting the container, unbound-control is the other method I'm aware of. It'll take more setup to work. The following touches on it a bit: https://github.com/restic/restic/issues/2349#issuecomment-514148843

On Wed, Aug 18, 2021, 12:28 PM balajeek @.***> wrote:

I was troubleshooting today and it seem to work but wierdly.

I added and entry (without the period at the domain name) local-data: "portainer.homelab.one A 192.168.1.11"

restarted unbound docker and i was able to ping portainer.homelab.one and also able see the page on the browser. which is great.

This was only a test so i changed the ip from 11 to 15 and restarted unbound docker, but it still points to 11 on the ping and on the browser, I completed commented the A records and restarted and to my surprise the dns portainer.homelab.one still works.

Is it a cache? how can i clear it ?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker/issues/74#issuecomment-901296011, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHOVDUUQGBBOCQ2PSF7TT5PUTHANCNFSM5CGZSELQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[MatthewVance]

@balajeek I'm going to go ahead and close this one because I haven't heard back in a while. If the above didn't solve it for you, feel free to reopen this.