DNS Fails w/ DNSCrypt

Started by vorago, October 09, 2021, 01:12:34 AM

October 09, 2021, 01:12:34 AM Last Edit: October 09, 2021, 04:30:37 AM by vorago
I'm trying to get DoH working and am missing something. When I disable "DNS Query Forwarding" in Unbound, I get SERVFAILs back with "BOGUS (refused upstream)" for the queries.

Pihole Query Log:


My setup is Pihole -> Unbound -> DNSCrypt with mullvad & nextdns servers

I have the following in /usr/local/etc/unbound.opnsense.d/dnsCrypt-forward.conf:

# Unbound drop-in that points all recursion at the local dnscrypt-proxy listener.
# Unbound refuses to send queries to loopback unless do-not-query-localhost is
# turned off, so this is required for the forward-addr entries below.
server:
do-not-query-localhost: no

# Forward the root zone, i.e. every name, to dnscrypt-proxy. The two addresses
# match the listen_addresses in dnscrypt-proxy.toml. Unbound still validates
# the answers it gets back (module-config in the main unbound.conf includes the
# validator).
# NOTE(review): the generated /var/unbound/unbound.conf also declares a
# forward-zone for "." while "DNS Query Forwarding" is enabled; two zones with
# the same name presumably collide (Unbound keeps one and warns about the
# duplicate) — check the unbound log / unbound-checkconf.
forward-zone:
name: "."
forward-addr: 127.0.0.1@5353
forward-addr: ::1@5353


Content of /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml:

# dnscrypt-proxy configuration (values as posted; review comments added).
# Candidate upstreams; queries go to whichever of these is up and fastest.
# 'mullvad-adblock-doh' is a filtering resolver, which is why require_nofilter
# below is left false.
server_names = ['mullvad-doh','mullvad-adblock-doh','nextdns']

# Local listeners that Unbound forwards to (127.0.0.1@5353 / ::1@5353 in the
# Unbound drop-in).
listen_addresses = ['127.0.0.1:5353','[::1]:5353']

max_clients = 250

# Allow upstream servers of both address families.
ipv4_servers = true

ipv6_servers = true

# Accept both DNSCrypt and DNS-over-HTTPS servers from the sources list.
dnscrypt_servers = true

doh_servers = true

# Only select servers that advertise DNSSEC validation. This filters the
# server list; the validation itself happens upstream (and again in Unbound).
require_dnssec = true

require_nolog = true

# false: filtering resolvers stay eligible (needed for mullvad-adblock-doh).
require_nofilter = false

force_tcp = false


# Per-query timeout (ms) and TCP/TLS keepalive (s).
timeout = 2500
keepalive = 30

log_level = 2
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
use_syslog = false

# Hours between certificate re-fetches for DNSCrypt servers.
cert_refresh_delay = 240

# false: one client key pair is reused across DNSCrypt queries; true would
# generate a fresh key per query (better unlinkability, more CPU).
dnscrypt_ephemeral_keys = false

tls_disable_session_tickets = false

# Plain, unencrypted DNS used only to bootstrap (resolving server hostnames and
# the sources URLs below); it is not on the regular query path.
# NOTE(review): this is the legacy single-value option; newer releases use the
# list form bootstrap_resolvers — confirm against the installed version.
fallback_resolver = '193.138.218.74:53'

# false: the system resolver is tried first for bootstrap, the fallback only
# when it fails. NOTE(review): if /etc/resolv.conf on this host points at
# Unbound, bootstrap goes through the very forwarder that depends on
# dnscrypt-proxy; ignore_system_dns = true avoids that loop — confirm the
# host's resolver setting.
ignore_system_dns = false

# Seconds to wait for network connectivity at startup.
netprobe_timeout = 30
# Log rotation: MB per file, days kept, number of backups.
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1

block_ipv6 = false

# Rule files are resolved relative to the dnscrypt-proxy directory.
forwarding_rules = 'forwarding-rules.txt'
cloaking_rules = 'cloaking-rules.txt'

# Local response cache. NOTE(review): Unbound in front caches as well, and
# cache_min_ttl here appears to extend TTLs shorter than 600 s before Unbound
# ever sees them — confirm whether that is intended.
cache = true
cache_size = 2048
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600

# Every query is written here (includes the client address and queried name).
[query_log]
file = '/var/log/dnscrypt-proxy/query.log'
format = 'tsv'

# Names that resolved to NXDOMAIN.
[nx_log]
file = '/var/log/dnscrypt-proxy/nx.log'
format = 'tsv'

# Names exempt from blocking; matches are logged to log_file.
[whitelist]
whitelist_file = 'whitelist.txt'
log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
log_format = 'tsv'


# Where the list of public resolvers comes from. The list is fetched from the
# first reachable URL, cached locally and refreshed every 72 hours;
# minisign_key is the publisher's public key used to verify the list's
# signature before any server in it is trusted. Do not change it unless the
# list publisher rotates keys.
[sources]
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''

# No hand-configured server stamps.
[static]


Contents of /var/unbound/unbound.conf:

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
# (Generated by OPNsense; values as posted, review comments added.)
server:
# Run confined to the chroot as the unprivileged unbound user.
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
# verbosity 3 together with log-queries writes every client query (source
# address and name) to syslog — useful while debugging this issue, but noisy
# and privacy-sensitive to leave on.
verbosity: 3
extended-statistics: yes
log-queries: yes
# Both "no": Unbound answers id.server / version.bind CHAOS queries, revealing
# the host identity and software version to anyone allowed to query it.
hide-identity: no
hide-version: no
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
# DNSSEC validation is on (validator module, anchored by auto-trust-anchor-file
# below). Answers received from a forwarder are validated too; a SERVFAIL
# reported as "BOGUS" is the validator rejecting the upstream response.
module-config: "validator iterator"
cache-max-ttl: 86400
cache-min-ttl: 0
# "no": when a response for a trust-anchored zone arrives without its DNSSEC
# data, the zone is treated as insecure instead of bogus. This weakens
# validation; the default ("yes") fails closed.
harden-dnssec-stripped: no
serve-expired: no
outgoing-num-tcp: 10
incoming-num-tcp: 10
num-queries-per-thread: 4096
outgoing-range: 8192
infra-host-ttl: 900
infra-cache-numhosts: 10000
# 0 disables the unwanted-reply counter that would flush the caches after a
# burst of unsolicited replies (a cache-poisoning defence).
unwanted-reply-threshold: 0
jostle-timeout: 200
msg-cache-size: 20m
rrset-cache-size: 40m
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8

# strict: qname minimisation never falls back to sending the full name, so
# resolvers that mishandle minimised queries produce failures rather than
# being worked around.
qname-minimisation: yes
qname-minimisation-strict: yes

# Root trust anchor, kept up to date automatically (RFC 5011).
auto-trust-anchor-file: /var/unbound/root.key

prefetch: yes
prefetch-key: no

# Interface IP(s) to bind to
# Listens on every address; which clients may query is governed by the
# included access_lists.conf below.
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# DNS Rebinding
# (empty in this configuration)



# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)
include: /var/unbound/dhcpleases.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf

# Custom includes
# NOTE(review): the dnsCrypt-forward.conf drop-in was written to
# /usr/local/etc/unbound.opnsense.d/; presumably OPNsense mirrors that
# directory into /var/unbound/etc/ so this glob picks it up — confirm the file
# is present there after a service restart.
include: /var/unbound/etc/*.conf

# Forwarding
# Sends every query to these plain (port 53, unencrypted) resolvers while
# "DNS Query Forwarding" is enabled, bypassing dnscrypt-proxy entirely.
# NOTE(review): this declares the same zone "." as the dnsCrypt-forward.conf
# drop-in; the two presumably conflict, which would be why forwarding has to be
# turned off in the GUI for the drop-in to take effect — confirm in the
# unbound log.
forward-zone:
name: "."
forward-addr: 193.138.218.74
forward-addr: 10.0.8.1
forward-addr: 9.9.9.9


# Control channel for unbound-control: bound to loopback only and
# authenticated in both directions with the server/control key pairs below.
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: /var/unbound/unbound_server.key
server-cert-file: /var/unbound/unbound_server.pem
control-key-file: /var/unbound/unbound_control.key
control-cert-file: /var/unbound/unbound_control.pem


I'm unsure what else to provide for insight. Any help would be greatly appreciated.