
local-dns-resolver's Introduction

Local DNS resolver installer for Linux

This script installs a local Unbound DNS resolver with DNSSEC support on your GNU/Linux computer or server, which will communicate directly with the root servers. This ensures speed and neutrality, and removes any dependence on a third-party server (such as your ISP's).

The resolver is "local" because Unbound will only listen on localhost and accept requests from localhost.

Support

The script is designed to work on the following OS:

  • Debian 8+
  • Ubuntu 14+
  • CentOS 7
  • Fedora 25+
  • Arch Linux

Be sure to uninstall BIND or any other DNS service on your machine before running the script; otherwise Unbound won't be able to start.

Usage

First, download the script and make it executable:

wget https://raw.githubusercontent.com/Angristan/Local-DNS-resolver/master/unbound-install.sh
chmod +x unbound-install.sh

Then run it as root:

sudo ./unbound-install.sh

Enjoy!

Change DNS resolver

Later, if you want to edit /etc/resolv.conf, run this command to allow modifications:

chattr -i /etc/resolv.conf

Run chattr +i /etc/resolv.conf to make the file immutable again.

Check DNSSEC

DNSSEC should be enabled. To check if Unbound verifies DNSSEC signatures, run:

dig www.dnssec-failed.org | grep status

This should return status: SERVFAIL, because the DNSSEC signature for this domain is broken.

Check for DNS leaks

Go to dnsleaktest.com or ipleak.net with your browser. Only your IP should show up, or the one from your VPN provider.

local-dns-resolver's Issues

DNSSEC support

To have DNSSEC working with Unbound I added:
trust-anchor-file: "/etc/dnssec/root-anchors.txt"
(generated/queried by unbound-anchor)

This is under Gentoo.

To test if DNSSEC is working, look at the "ad" flag in dig for a DNSSEC-enabled zone (dnssec-tools.org might be a good default), and additionally check that badsign-A.test.dnssec-tools.org doesn't resolve (it should send SERVFAIL).

CentOS 7.3 - 64 bit: No unbound.conf is created

[root@hk ~]# wget https://raw.githubusercontent.com/Angristan/Local-DNS-resolver/master/centos-unbound.sh
--2017-08-06 21:32:33-- https://raw.githubusercontent.com/Angristan/Local-DNS-resolver/master/centos-unbound.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.72.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.72.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1113 (1.1K) [text/plain]
Saving to: ‘centos-unbound.sh’

100%[==============================================================================>] 1,113 --.-K/s in 0s

2017-08-06 21:32:34 (221 MB/s) - ‘centos-unbound.sh’ saved [1113/1113]

[root@hk ~]# chmod +x centos-unbound.sh
[root@hk ~]# ./centos-unbound.sh
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile

 * epel: ftp.cuhk.edu.hk
Package unbound-1.4.20-28.el7.x86_64 already installed and latest version
Nothing to do
[1502026355] unbound[15127:0] error: Could not open /etc/unbound/unbound.conf: No such file or directory
[1502026355] unbound[15127:0] warning: Continuing with default config settings
[1502026355] unbound[15127:0] warning: increased limit(open files) from 1024 to 4152
[1502026355] unbound[15127:0] error: bind: address already in use
[1502026355] unbound[15127:0] fatal error: could not open ports
--2017-08-06 21:32:35-- ftp://ftp.internic.net/domain/named.cache
=> ‘/var/lib/unbound/root.hints’
Resolving ftp.internic.net (ftp.internic.net)... 192.0.32.9, 2620:0:2d0:200::9
Connecting to ftp.internic.net (ftp.internic.net)|192.0.32.9|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /domain ... done.
==> SIZE named.cache ... 3314
==> PASV ... done. ==> RETR named.cache ... done.
Length: 3314 (3.2K) (unauthoritative)

100%[==============================================================================>] 3,314 --.-K/s in 0.001s

2017-08-06 21:32:37 (3.10 MB/s) - ‘/var/lib/unbound/root.hints’ saved [3314]

mv: cannot stat ‘/etc/unbound/unbound.conf’: No such file or directory
server:
root-hints: root-hints: /var/lib/unbound/root.hints
./centos-unbound.sh: line 25: auto-trust-anchor-file:: command not found
./centos-unbound.sh: line 26: interface:: command not found
./centos-unbound.sh: line 27: access-control:: command not found
./centos-unbound.sh: line 28: port:: command not found
./centos-unbound.sh: line 29: do-daemonize:: command not found
./centos-unbound.sh: line 30: num-threads:: command not found
./centos-unbound.sh: line 31: use-caps-for-id:: command not found
./centos-unbound.sh: line 32: harden-glue:: command not found
./centos-unbound.sh: line 33: hide-identity:: command not found
./centos-unbound.sh: line 46: unexpected EOF while looking for matching `"'
./centos-unbound.sh: line 47: syntax error: unexpected end of file
[root@hk ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@hk ~]#

I tried to touch /etc/unbound/unbound.conf and run it again, with the same result.

127.0.0.1 (resolv.conf and /etc/openvpn/server.conf) not working with OpenVPN

When I put the IP address 127.0.0.1 in /etc/openvpn/server.conf and resolv.conf, OpenVPN can't connect to any domain. But when I replace it with 8.8.8.8, for example, OpenVPN works correctly (Angristan/OpenVPN-install script).

I am using Debian 9 x64. Could anybody tell me whether I am missing something, or whether I must try another OS?

8 Syntax error: newline unexpected

I have an error when I am trying to start the script:

root@name:~# sudo ./unbound-install.sh
./unbound-install.sh: 8: ./unbound-install.sh: Syntax error: newline unexpected

When I run the command 'netstat -natp' I get this result:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 141/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 389/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 271/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 456/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 8999/openvpn
tcp 0 36 server-ip:22 my-ip:62727 ESTABLISHED 13578/0
tcp 0 11596 server-ip:80 some-ip:37141 CLOSING -
tcp6 0 0 :::111 :::* LISTEN 141/rpcbind
tcp6 0 0 :::22 :::* LISTEN 271/sshd
tcp6 0 0 :::25 :::* LISTEN 456/master

This means that port 53 is not in use, so what could be the problem?

P.S. my OS: Ubuntu 16.04.1 LTS (GNU/Linux 2.6.32-042stab120.11 x86_64)

Won't work with linux-router

Hey. Such a problem. I have a router that runs on Linux, and Unbound does not work for me, although if I connect to the normal one, then everything works. I can't understand what this is connected with... The router distributes SSH tunnels and SOCKS5. The DNS server inside is Unbound and DNSCrypt-proxy, depending on what is being distributed. I really need your advice) Thanks.

Roothints systemd timer

https://wiki.archlinux.org/index.php/Unbound#Roothints_systemd_timer

/etc/systemd/system/roothints.service:

[Unit]
Description=Update root hints for unbound
After=network.target

[Service]
ExecStart=/usr/bin/curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

/etc/systemd/system/roothints.timer:

[Unit]
Description=Run root.hints monthly

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=timers.target

Install succeeds but *some* valid domains will not resolve

Installed https://github.com/Angristan/Local-DNS-resolver/blob/master/ubuntu-unbound.sh on Ubuntu 16.04.

Also tried https://github.com/Angristan/Local-DNS-resolver/blob/master/centos-unbound.sh on CentOS 7.

Install succeeded. Service starts ok and is responsive:

root@dns2:~# unbound-control reload
ok
root@dns2:~# unbound-control status
version: 1.5.8
verbosity: 3
threads: 2
modules: 2 [ validator iterator ]
uptime: 415851 seconds
options: control(ssl)
unbound (pid 1469) is running...

As far as I can tell, I can usually resolve unsigned domains:

root@dns2:~# dig espncricinfo.com +dnssec +multi

; <<>> DiG 9.10.3-P4-Ubuntu <<>> espncricinfo.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 61648
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;espncricinfo.com.      IN A

;; ANSWER SECTION:
espncricinfo.com.       573 IN **A 52.19.167.6**

Most DNSSEC signed domains resolve OK, too:

root@dns2:~# dig dnssectest.sidn.nl +dnssec +multi

; <<>> DiG 9.10.3-P4-Ubuntu <<>> dnssectest.sidn.nl +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54219
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssectest.sidn.nl.    IN A

_[truncated irrelevant output]_

Stuff that should fail also tends to fail:

root@dns2:~# dig www.dnssec-failed.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: SERVFAIL**, id: 61846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

However, some lookups fail and I have no idea why.

It does not seem to matter whether the domain is signed or not.

I first noticed that I can't visit http://ipleak.net anymore.

Then half the apps on my Roku claimed they have no connectivity because lookups failed.

root@dns2:~# dig -t A ipleak.net @127.0.0.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t A ipleak.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 3183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipleak.net.                    IN      A

;; Query time: 190 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 27 00:54:28 SGT 2017
;; MSG SIZE  rcvd: 39

It returns NOERROR but then doesn't provide a response.

Compare with:

root@dns2:~# dig -t A ipleak.net @208.67.222.222

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t A ipleak.net @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 775
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipleak.net.                    IN      A

;; ANSWER SECTION:
ipleak.net.             376     IN      **A       95.85.16.212**

;; Query time: 177 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 27 00:55:11 SGT 2017
;; MSG SIZE  rcvd: 55

First I thought it may just be an Ubuntu thing. But it happens on CentOS, too. Then I thought it may be some root servers refuse queries from some of my hosts (Vultr netblock). But I ended up setting up on a bunch of other hosts on Softlayer, DO, etc. in various regions and the issue persists in all cases.

What's the best way to troubleshoot this?

Some people with similar issues blamed UDP fragmentation as the culprit. I tried edns-buffer-size: 1280 in unbound.conf, but it did not help.
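The README's SERVFAIL check, the "ad" flag test suggested in the DNSSEC support issue and the NOERROR-with-empty-answer symptom reported in this last issue can all be told apart from the first two header lines of a dig reply. The POSIX sh script below is an added example, not code from the Local-DNS-resolver project: dig_verdict, check_local and the SAMPLE_* names are its own, and the sample headers are copied from the dig transcripts in the issues above.

```shell
#!/bin/sh
# Added example, not part of the Local-DNS-resolver project. dig_verdict reads
# a dig reply on stdin and prints one word (names are this example's own):
#   bogus    - status SERVFAIL: signatures rejected (expected for www.dnssec-failed.org)
#   secure   - NOERROR with the "ad" (authenticated data) flag set
#   insecure - NOERROR with answers but no "ad" flag (unsigned zone)
#   empty    - NOERROR, no answer and no authority records: the ipleak.net symptom
#   unknown  - no status line found
dig_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    authority=$(printf '%s\n' "$out" | sed -n 's/.*AUTHORITY: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo bogus; return 0 ;;
        NOERROR)  ;;
        "")       echo unknown; return 1 ;;
        *)        echo "$status" | tr '[:upper:]' '[:lower:]'; return 0 ;;
    esac
    # "ad" is only set when the resolver validated the whole chain from the root.
    case " $flags " in
        *" ad "*) echo secure; return 0 ;;
    esac
    if [ "${answers:-0}" -eq 0 ] && [ "${authority:-0}" -eq 0 ]; then
        echo empty; return 0
    fi
    echo insecure
}

# Query the local resolver for one name and classify the reply (needs dig and network).
check_local() {
    dig "$1" @127.0.0.1 | dig_verdict
}

# Header excerpts copied from the dig transcripts in the issues above.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54219
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 17'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61648
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1'
SAMPLE_EMPTY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_BOGUS" "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_EMPTY"; do
    printf '%s\n' "$s" | dig_verdict
done
```

On a live system, `check_local www.dnssec-failed.org` should print bogus and `check_local dnssectest.sidn.nl` should print secure; an empty verdict for a name that other resolvers answer points at the lookup problem described in this issue rather than at DNSSEC.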
