
DNSsec resolver test failed #4

Open redschumi opened 2 years ago

redschumi commented 2 years ago

I did a resolver test with your adguard/unbound Docker image; 127.0.0.1:5053 is the upstream DNS.

The resolver test at dnssec.vs.uni-due.de failed with "…No, your DNS resolver does NOT validate DNSSEC signatures".

Any chance to fix this?

Thanks in advance.

lolgast1987 commented 2 years ago

For DNSSEC to work, you'd have to use a custom unbound.conf, as this is not enabled by default: https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/

redschumi commented 2 years ago

Thanks for your info. Can you give advice on how to do that in your container?

Or is there a chance that you implement this directly?

hat3ph commented 2 years ago

I tried to enable DNSSEC, but every time I enable auto-trust-anchor-file the unbound service fails in Docker. As you can see when I log in to the container and list the processes, unbound is not running. Any idea?

Mem: 846924K used, 142940K free, 1964K shrd, 21380K buff, 545236K cached
CPU:   0% usr   0% sys   0% nic 100% idle   0% io   0% irq   0% sirq
Load average: 0.05 0.01 0.00 2/256 37
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
   10     1 root     S     730m  75%   1   0% /opt/adguardhome/AdGuardHome -c /opt/adguardhome/conf/AdGuardHome.yaml -w /opt/adguardho
   20     0 root     S     1664   0%   1   0% sh
    1     0 root     S     1596   0%   0   0% {entrypoint.sh} /bin/ash /opt/entrypoint.sh
   37    20 root     R     1596   0%   0   0% top
/opt/adguardhome/work # netstat -tulpa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:36743        0.0.0.0:*               LISTEN      -
tcp        0      0 :::http                 :::*                    LISTEN      10/AdGuardHome
tcp        0      0 :::domain               :::*                    LISTEN      10/AdGuardHome
udp        0      0 127.0.0.11:57253        0.0.0.0:*                           -
udp        0      0 :::domain               :::*                                10/AdGuardHome

docker-compose.yml

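version: "3"

services:
  adguard-unbound:
    container_name: adguard-unbound
    image: lolgast/adguard-unbound
    restart: unless-stopped
    hostname: adguard-unbound
    # Volumes store your data between container upgrades
    volumes:
      - "./adguard/opt-adguard-work:/opt/adguardhome/work"
      - "./adguard/opt-adguard-conf:/opt/adguardhome/conf"
      # unbound.conf and unbound.log live here; the trust anchor can too (see below)
      - "./unbound:/opt/unbound"
      #- "/usr/share/dns:/usr/share/dns:rw"
      # root.hints is only ever read by Unbound, so mount it read-only.
      - "/usr/share/dns/root.hints:/opt/unbound/root.hints:ro"
      # auto-trust-anchor-file is rewritten by Unbound itself (RFC 5011 trust
      # anchor updates), so the account Unbound runs as needs WRITE access to
      # this file. A root-owned host file bind-mounted like this is typically
      # readable but not writable by an unprivileged unbound user, which is
      # why Unbound refuses to start. Prefer copying root.key into ./unbound
      # and chown-ing that copy to the Unbound user over running Unbound as
      # root. Note that a single-file bind mount can also go stale when a
      # package update replaces the host file with a new inode.
      - "/usr/share/dns/root.key:/opt/unbound/root.key"
    ports:
      # Port mappings quoted for consistency with the volumes above and to
      # avoid YAML's implicit-typing surprises on "host:container" values.
      - "53:53/tcp" # AdGuard Home DNS connection
      - "53:53/udp" # AdGuard Home DNS connection
      - "3000:3000/tcp" # AdGuard Home web panel
      - "80:80/tcp" # AdGuard Home web panel HTTP
      #- "443:443/tcp" # AdGuard Home web panel HTTPS
      #- "784:784/udp" # AdGuard Home DNS-over-QUIC service
      #- "853:853/tcp" # AdGuard Home DNS-over-TLS/QUIC service
      #- "67:67/udp" # DHCP server
      #- "68:68/udp" # DHCP server
      # Only publish Unbound's port if unbound.conf's access-control is
      # restricted to your own networks; with "0.0.0.0/0 allow" a published
      # 5053 is an open resolver reachable from anything that can reach the host.
      #- "5053:5053/tcp" # Unbound DNS connection
      #- "5053:5053/udp" # Unbound DNS connection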

unbound.conf

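server:
        # if no logfile is specified, syslog is used
        # logfile: "/var/log/unbound/unbound.log"
        # verbosity 2 is operational detail, not per-query logging; the log
        # lands in the bind-mounted /opt/unbound, so watch its growth.
        verbosity: 2
        logfile: "/opt/unbound/unbound.log"
        #log-time-ascii: yes

        # Unbound answers on every interface inside the container so that
        # AdGuard Home (same container, upstream 127.0.0.1:5053) and an
        # optionally published 5053 both reach it. Who may actually query
        # is governed by access-control further down.
        interface: 0.0.0.0
        port: 5053
        do-ip4: yes
        do-udp: yes
        do-tcp: yes

        # May be set to yes if you have IPv6 connectivity
        do-ip6: no

        # You want to leave this to no unless you have "native" IPv6. With 6to4 and
        # Teredo tunnels your web browser should favor IPv4 for the same reasons
        prefer-ip6: no

        # Get the root hints and the root anchor key from the dns-root-data package.
        # root-hints is read-only; it only needs to be readable by Unbound.
        root-hints: "/opt/unbound/root.hints"
        # File with the trust anchor for one zone, tracked with RFC 5011 probes.
        # Unbound REWRITES this file on key rollover, so it must be writable by
        # the (unprivileged) account Unbound drops privileges to -- see the
        # "username:" directive. A root-owned, bind-mounted root.key makes
        # Unbound fail at startup; fix that by copying the file into /opt/unbound
        # and giving ownership to the Unbound user, not by running Unbound as root.
        auto-trust-anchor-file: "/opt/unbound/root.key"
        #auto-trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"

        #chroot: "/opt/unbound"
        #directory: "/opt/unbound/"

        # Trust glue only if it is within the server's authority
        harden-glue: yes

        # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
        harden-dnssec-stripped: yes

        # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
        # see https://discourse.pi-hole.net/unbound-stubby-or-dnscrypt-proxy/9378 for further details
        use-caps-for-id: no

        # Reduce EDNS reassembly buffer size.
        # Suggested by unbound man page to reduce fragmentation reassembly problems
        edns-buffer-size: 1472

        # Perform prefetching of close to expired message cache entries
        # This only applies to domains that have been frequently queried
        prefetch: yes

        # One thread should be sufficient, can be increased on beefy machines. In reality for most
        # users running on small networks or on a single machine, it should be unnecessary to
        # seek performance enhancement by increasing num-threads above 1.
        num-threads: 1

        # Ensure kernel buffer is large enough to not lose messages in traffic spikes
        #so-rcvbuf: 1m
        so-rcvbuf: 0

        # Ensure privacy of local IP ranges: answers from the public DNS that
        # point at these ranges are stripped (DNS-rebinding protection).
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
        private-address: fd00::/8
        # IPv6 link-local is fe80::/10; fe00::/10 (as copied around in many
        # guides) does not cover it.
        private-address: fe80::/10

        hide-identity: yes
        hide-version: yes

        # Only the container itself (AdGuard Home on 127.0.0.1) and RFC 1918
        # networks may query. The former "0.0.0.0/0 allow" / "::0/0 allow"
        # turns Unbound into an open resolver the moment 5053 is published
        # (reflection/amplification abuse); re-enable it only if you know
        # which networks reach this port. ::1 is kept even with do-ip6: no
        # so a loopback IPv6 client is not refused.
        access-control: 127.0.0.1/32 allow
        access-control: ::1/128 allow
        access-control: 192.168.0.0/16 allow
        access-control: 172.16.0.0/12 allow
        access-control: 10.0.0.0/8 allow
        #access-control: 0.0.0.0/0 allow
        #access-control: ::0/0 allow

        # ssl cert
        #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

        # Forwarding to a DoT upstream is optional; DNSSEC validation is still
        # performed locally against the trust anchor above when it is enabled.
        #forward-zone:
        #       name: "."
        #       forward-addr: 1.1.1.1@853#cloudflare-dns.com
        #       forward-addr: 1.0.0.1@853#cloudflare-dns.com
        #       forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        #       forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        #       forward-tls-upstream: yes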
hat3ph commented 2 years ago

OK. The problem is that unbound does not have permission to access root.key and root.hints. I fixed it by running unbound as root.

https://github.com/hat3ph/docker-adguard-unbound