
Original

I have a complex DNS set-up on my home router that's running Ubuntu servers. My objective is to be able to,

  1. Query my local ISP's DNS for geolocation-sensitive lookups that I care about
  2. dnscrypt-proxy for the majority of look-ups. For certain domains (a few I know, many that I don't) my ISP poisons the lookups with false addresses to blackhole traffic, so other than specific domains I wish this to be the default DNS lookup server
  3. Minimize internet DNS lookups. My internet connection isn't reliable and at certain times during the day I have as low as a 50/50 chance of having DNS lookups out of country succeed
  4. Have my own internal domain, predominantly for reverse lookups to work.

The solution I've had to implement to achieve these objectives is,

  1. unbound as my LAN's primary DNS server for caching lookups, aggressively retaining that cache, and forwarding addresses to the relevant DNS server for cache misses
  2. dnscrypt-proxy on 127.0.2.1:53 as the forward-addr for "." in unbound
  3. bind on 192.168.1.1:40 authoritative for my local domain only
  4. isc-dhcp-server for handing out IP addresses and inserting forward and reverse lookups.

I've managed to achieve the majority of my objectives, so I'm reticent to change things significantly, except for having forward/reverse look-ups for non-static hosts on my LAN.

My suspicion is that isc-dhcp-server is sending DDNS updates to unbound, which doesn't have any idea what to do with them. How do I ask isc-dhcp-server to send them to 192.168.1.1:40 (bind) even though I want the DNS server for my clients to be 192.168.1.1:53 (unbound), or enable unbound to forward DDNS updates to bind?

Example error message

Sep 29 08:01:10 ubuntu dhcpd[7057]: DHCPREQUEST for 192.168.1.101 from 28:18:78:7c:d5:a1 (Xbox-SystemOS) via enp2s0
Sep 29 08:01:10 ubuntu dhcpd[7057]: DHCPACK on 192.168.1.101 to 28:18:78:7c:d5:a1 (Xbox-SystemOS) via enp2s0
Sep 29 08:01:22 ubuntu dhcpd[7057]: Unable to add forward map from Xbox-SystemOS.mydomain.ddns.net. to 192.168.1.101: timed out

Relevant lines in dhcpd.conf

ddns-updates on;
ddns-update-style interim;
key rndc-key { algorithm hmac-md5; secret MIND_YOUR_BUSINESS; }

subnet ...... {
    ....
    option domain-name-servers 192.168.1.1;
    ...
    ddns-domainname "mydomain.ddns.net.";
    ddns-rev-domainname "in-addr.arpa.";
}

Relevant lines from /etc/bind/named.conf.local

zone "mydomain.ddns.net" {
        type master;
        file "/etc/bind/zones/db.mydomain.ddns.net"; # Zone file path
        allow-update { key rndc-key; };              # allow for dynamic updates
};

zone "168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.192.168";           # 192.168.0.0/16 subnet
        allow-update { key rndc-key; };              # allow for dynamic updates
};

Update 1

After digging through dhcpd.conf I arrived at the conclusion that I cannot specify a port number for the bind server in it. There is however a magic option named ddns-local-address4 which allowed me to specify a different server IP address for DDNS from the domain-name-servers option.

I changed bind to listen on 127.0.0.1 and this largely works (at least bind is now receiving the update). However, it is tripping up on permissions.

Sep 29 19:21:40 ubuntu named[31415]: client 127.0.0.1#2824/key rndc-key: signer "rndc-key" approved
Sep 29 19:21:40 ubuntu named[31415]: client 127.0.0.1#2824/key rndc-key: updating zone 'mydomain.ddns.net/IN': adding an RR at 'iPhone.mydomain.ddns.net' A 192.168.1.104
Sep 29 19:21:40 ubuntu named[31415]: client 127.0.0.1#2824/key rndc-key: updating zone 'mydomain.ddns.net/IN': adding an RR at 'iPhone.mydomain.ddns.net' TXT "316a52934f2adcaf4c95004e870a4c0f70"
Sep 29 19:21:40 ubuntu named[31415]: /etc/bind/zones/db.mydomain.ddns.net.jnl: open: permission denied
Sep 29 19:21:40 ubuntu named[31415]: client 127.0.0.1#2824/key rndc-key: updating zone 'mydomain.ddns.net/IN': error: journal open failed: unexpected error
Sep 29 19:21:40 ubuntu kernel: [212079.779512] audit: type=1400 audit(1475148100.710:25): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/zones/db.mydomain.ddns.net.jnl" pid=31419 comm="named" requested_mask="w" denied_mask="w" fsuid=110 ouid=0

My best attempts, however, at giving bind sufficient permission to update that file aren't working. What gives?

ps aux | grep named
bind     31415  0.0  0.2 429564 19572 ?        Ssl  19:10   0:00 /usr/sbin/named -f -u bind

ls -la /etc/bind/zones
total 16
drwxrwsr-x 2 root bind 4096 Sep 29 19:21 .
drwxr-sr-x 3 root bind 4096 Sep 29 19:07 ..
-rw-r--r-- 1 root bind  340 Sep 28 08:01 db.192.168
-rw-r--r-- 1 root bind  514 Sep 27 07:40 db.mydomain.ddns.net
-rw-rw-r-- 1 bind bind    0 Sep 29 19:21 db.mydomain.ddns.net.jnl

Update 2

I modified my apparmor profile for named and I am no longer getting the permission errors.

When I query bind directly on 127.0.0.1, everything works.

However, when I query it via ubuntu, it's not forwarding the look-ups to bind correctly.

What am I doing wrong now?

From unbound.conf

    local-zone: "1.168.192.in-addr.arpa." nodefault
    local-zone: "168.192.in-addr.arpa." nodefault
    # stub-addr 127.0.0.1 is only queried if the server clause also has: do-not-query-localhost: no

    stub-zone:
            name: "168.192.in-addr.arpa."      # must match the local-zone name above
            stub-addr: 127.0.0.1

    stub-zone:
            name: "1.168.192.in-addr.arpa."    # likewise
            stub-addr: 127.0.0.1

    stub-zone:
            name: "mydomain.ddns.net."
            stub-addr: 127.0.0.1
  • BIND has to have write access to the directory /etc/bind/zones/ to create journal files. Usually chown bind:bind /etc/bind/zones is sufficient (make the BIND user the owner of the directory).
    – milli
    Commented Dec 20, 2016 at 0:33
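As an added example (not code from the question or the answer), a small Python checker for the unbound stub-zone layout shown in the question: it parses a constructed unbound.conf excerpt (carrying the question's "inaddr.arpa" spelling) and reports three things that silently stop unbound from handing queries to bind: a malformed reverse-zone name, a private reverse tree that lacks the matching local-zone nodefault, and a loopback stub-addr without do-not-query-localhost: no. The PRIVATE_REVERSE set lists the RFC 1918 and link-local reverse trees that unbound answers itself by default; the parser handles only the simple key: value layout used here.

```python
import ipaddress

# Constructed unbound.conf excerpt shaped like the question's; the reverse zone keeps the "inaddr.arpa" typo.
SAMPLE_CONF = """server:
    local-zone: "168.192.in-addr.arpa." nodefault
stub-zone:
    name: "168.192.inaddr.arpa."
    stub-addr: 127.0.0.1
stub-zone:
    name: "mydomain.ddns.net."
    stub-addr: 127.0.0.1
"""
# Reverse trees unbound answers itself (NXDOMAIN) unless declared nodefault (RFC 1918 + link-local).
PRIVATE_REVERSE = {"10.in-addr.arpa.", "168.192.in-addr.arpa.", "254.169.in-addr.arpa."} | {
    f"{i}.172.in-addr.arpa." for i in range(16, 32)}

def parse_unbound(text):
    """Return (server options, stub-zone blocks, nodefault local-zone names)."""
    server, stubs, nodefault, section = {}, [], set(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(":"):                  # clause header such as "stub-zone:"
            section = line[:-1]
            if section == "stub-zone":
                stubs.append({})
        elif line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if section == "server":
                server.setdefault(key, []).append(val)
                if key == "local-zone" and val.endswith(" nodefault"):
                    nodefault.add(val.split()[0].strip('"').lower())
            elif section == "stub-zone":
                stubs[-1].setdefault(key, []).append(val.strip('"'))
    return server, stubs, nodefault

def under_default_reverse(name, nodefault):
    # True if name sits under a built-in private reverse zone that has not been switched off.
    parents = {".".join(name.rstrip(".").split(".")[i:]) + "." for i in range(name.count("."))}
    return bool(parents & PRIVATE_REVERSE) and not (parents & nodefault)

def lint_stubs(text):
    server, stubs, nodefault = parse_unbound(text)
    findings, loopback_ok = [], "no" in server.get("do-not-query-localhost", [])
    for stub in stubs:
        name = stub.get("name", [""])[0].lower()
        if name.endswith("arpa.") and not name.endswith((".in-addr.arpa.", ".ip6.arpa.")):
            findings.append(f"{name}: malformed reverse zone, probably meant {name.replace('inaddr', 'in-addr')}")
        elif under_default_reverse(name, nodefault):
            findings.append(f"{name}: add 'local-zone: \"{name}\" nodefault' or unbound answers NXDOMAIN itself")
        for addr in stub.get("stub-addr", []):
            if ipaddress.ip_address(addr.split("@")[0]).is_loopback and not loopback_ok:
                findings.append(f"{name}: stub-addr {addr} is loopback, needs 'do-not-query-localhost: no'")
    return findings
```

Running lint_stubs(SAMPLE_CONF) yields three findings; correcting the zone name and adding do-not-query-localhost: no to the server clause yields none.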

1 Answer


There was an additional file in /etc/unbound/unbound.d/ that was disrupting the resolution of mydomain.ddns.net.. Once the file was removed, this resolved the issue.

Final set-up

  1. dnscrypt-proxy listening on 127.0.2.1.
  2. bind listening on 127.0.0.1.
  3. unbound listening on 192.168.1.1, forwards mydomain.ddns.net to bind using the stub-zone statements in the question, has a default forward to dnscrypt-proxy.
  4. isc-dhcp-server updates bind using the ddns* options in dhcpd.conf.
