
I recently wanted to set up unbound in place of dnscrypt to resolve queries with my Pi-hole on my rasp.

The version of unbound available on Raspbian is currently 1.6.0.

When I activate the options

ssl-upstream: yes
ssl-service-key: "/etc/ssl/certs/ca-certificates.crt"

unbound stops working and there is something like this in the logs:

[1556709926] unbound[4394:0] info: server stats for thread 0: 23 queries, 7 answers from cache, 16 recursions, 0 prefetch
[1556709926] unbound[4394:0] info: server stats for thread 0: requestlist max 13 avg 1.875 exceeded 0 jostled 0
[1556709926] unbound[4394:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 16 recursion replies sent, 0 replies dropped, 0 states jostled out
[1556709926] unbound[4394:0] info: average recursion processing time 0.948223 sec
[1556709926] unbound[4394:0] info: histogram of recursion processing times
[1556709926] unbound[4394:0] info: [25%]=0.32768 median[50%]=0.603573 [75%]=0.920715
[1556709926] unbound[4394:0] info: lower(secs) upper(secs) recursions
[1556709926] unbound[4394:0] info:    0.000000    0.000001 1
[1556709926] unbound[4394:0] info:    0.008192    0.016384 1
[1556709926] unbound[4394:0] info:    0.016384    0.032768 1
[1556709926] unbound[4394:0] info:    0.262144    0.524288 4
[1556709926] unbound[4394:0] info:    0.524288    1.000000 6
[1556709926] unbound[4394:0] info:    1.000000    2.000000 1
[1556709926] unbound[4394:0] info:    2.000000    4.000000 2
[1556709926] unbound[4394:0] debug: cache memory msg=33040 rrset=33040 infra=17292 val=40931
[1556709926] unbound[4394:0] debug: switching log to stderr

I also tried to set up unbound to send queries through a VPN connection on the rasp itself, but apparently I can't resolve through the VPN connection. I tried setting it up by hardcoding the IP address of the VPN connection, same result. I tried using UDP and TCP separately, same result.

Am I missing something? I have connectivity through my VPN, so that's apparently not the problem. And the problem disappears as soon as I deactivate the VPN connection. Or is all that supposed to happen in 1.6?

Does anyone have an idea about this?

Thanks in advance.

vigilian

1 Answer


Those look like wrong options; at the very least, ssl-service-key should specify the private key of your instance (and not a list of trusted CAs!), and you would always use it in combination with its public key in ssl-service-pem; otherwise you should not use it. On my Debian Stretch, the following config enables listening for plain DNS queries on port 53 as well as DoT (DNS-over-TLS) queries on port 853 on all addresses (for both IPv4 and IPv6).

server:
  #verbosity: 2
  interface: 0.0.0.0
  interface: ::0
  interface: 0.0.0.0@853
  interface: ::0@853
  #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  ssl-service-key: "/var/lib/acme/live/your.domain.example.com/privkey"
  ssl-service-pem: "/var/lib/acme/live/your.domain.example.com/fullchain"
  ssl-port: 853

This is an example for a final resolver, so it doesn't use forwarders (you'd need a forward-zone block for that). Also, you can check /usr/share/doc/unbound/examples/unbound.conf for an example config with explanations. In my example I use acmetool to generate keys/certificates in /var/lib/acme/live automatically, but you can use whatever method you want (or even omit it if you don't care about security).

Matija Nalis
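The mistake in the question (pointing ssl-service-key at the system CA bundle) can be caught before unbound is ever restarted by checking that the key file actually parses as a private key and that its public half matches the certificate in ssl-service-pem. The script below is an added example and is not part of the original question or answer, nor of unbound's own tooling: it only uses the openssl command line, and the key, certificate and stand-in "ca-certificates.crt" it works on are generated into a temporary directory (self-signed, constructed for the demo), so the file names and the CN "your.domain.example.com" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an unbound
# ssl-service-key / ssl-service-pem pair before reloading the daemon.
# All files are constructed in a temp dir; the mistake from the question
# (using ca-certificates.crt as ssl-service-key) is reproduced on purpose.

# check_tls_pair KEYFILE CERTFILE
#   returns 0 if KEYFILE is a private key whose public half matches the
#   first certificate in CERTFILE (the leaf of a fullchain), 1 otherwise.
check_tls_pair() {
    key="$1"; pem="$2"
    # A CA bundle contains certificates but no private key, so the wrong
    # config from the question fails right here.
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "ssl-service-key is not a private key: $key" >&2
        return 1
    fi
    # Compare the SubjectPublicKeyInfo derived from the private key with
    # the one embedded in the certificate (both printed as PEM, then hashed).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "ssl-service-pem does not match ssl-service-key: $pem" >&2
        return 1
    fi
    echo "key/cert pair OK: $key $pem"
    return 0
}

# make_demo_files DIR: constructed test material (self-signed, valid 1 day).
# Hypothetical names mirror the answer's acmetool layout: privkey, fullchain.
make_demo_files() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=your.domain.example.com" \
        -keyout "$d/privkey" -out "$d/fullchain" 2>/dev/null
    # Stand-in for /etc/ssl/certs/ca-certificates.crt: certificates only, no key.
    cp "$d/fullchain" "$d/ca-certificates.crt"
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
# Correct pairing, as in the answer's config: passes.
check_tls_pair "$demo_dir/privkey" "$demo_dir/fullchain"
# The question's config: a CA bundle in ssl-service-key is rejected.
! check_tls_pair "$demo_dir/ca-certificates.crt" "$demo_dir/fullchain"
```

To use it on a real host, call check_tls_pair with the two paths from your unbound.conf and only then run unbound-checkconf and restart the service; a mismatch here is exactly the kind of error that otherwise surfaces only as unbound refusing to start.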