DaemonForums  

#1  Funkygoby, 19th June 2020
Unbound(8) and dig(1) delays

Hello,

I have been thinking about the ISP tracking users by storing their DNS requests. So I decided to test unbound.

I started by putting
Code:
nameserver 127.0.0.1
in /etc/resolv.conf but because I use dhcp in /etc/hostname.if, the resolv.conf file is overwritten at boot. The solution was to put
Code:
supersede domain-name-servers 127.0.0.1;
in /etc/dhclient.conf so that the generated resolv.conf contains the correct line.

After enabling unbound, I tested the DNS resolution cache by running
Code:
dig @127.0.0.1 google.com
several times. The first query takes 46ms because unbound has not cached google.com yet. Then the following queries take 0ms because unbound has correctly cached the query.
Is this correct?
Also, instead of my ISP DNS, I should now be using unbound's built-in DNS for new queries, right?

My question/problem is: If I browse daemonforums.org with firefox then run
Code:
dig @127.0.0.1 daemonforums.org
, the first query is 79ms and the following ones 0ms.
What is going on? I thought that unbound would cache the query from Firefox, but it doesn't seem so. Otherwise the first dig query would take 0ms, not 79ms.

So what am I missing?

Last edited by Funkygoby; 21st June 2020 at 11:04 AM. Reason: solved
#2  bsdun (Steve), 19th June 2020

Make sure that DNS over HTTPS is disabled in Firefox settings.
#3  Funkygoby, 19th June 2020

In Firefox network settings there is "Use system proxy settings" and "Enable DNS over HTTPS" is disabled.
#4  jggimi, 20th June 2020

If you're on 6.7, consider replacing unbound(8) with unwind(8). While unbound() is a caching non-authoritative nameserver, the new unwind() utility is specifically designed for use on a workstation which may switch networks, and can be configured to resolve with TLS (known as DoT).

Last edited by jggimi; 20th June 2020 at 01:08 PM. Reason: no DoH.
#5  jggimi, 20th June 2020

And, unwindctl(8) produces interesting status. Here's what my laptop says after about 3 minutes from a resume from suspend:
Code:
$ unwindctl stat
1. forwarder       validating,   N/A   5. stub             resolving, 700ms
2. DoT             validating, 900ms   6. oDoT-forwarder        dead,   N/A
3. recursor        validating, 700ms   7. oDoT-dhcp             dead,  70ms
4. dhcp            validating,   Inf    
.
.
.
$
My laptop's unwind.conf(5) contains 3 nameservers. My local network's unbound() server -- servers, actually, using carp(4) to share the same IP address -- and then two quad9 servers using TLS:
Code:
forwarder {
        10.0.1.1
        9.9.9.9 authentication name dns.quad9.net DoT
        2620:fe::fe authentication name dns.quad9.net DoT
        }
force accept bogus stub {jggimi.net}
#6  jggimi, 20th June 2020

I should mention that using Firefox to reach this forum, then using dig(1), my query was resolved in 0 milliseconds. This tells me that Firefox on this laptop is resolving through unwind(), and that the IP address was cached. I'm running -current, amd64, with Firefox 77.0.1.
#7  Funkygoby, 21st June 2020

Hello jggimi,
I had no idea unwind(8) was a thing. Thank you for the info.

I was writing a long answer about how it doesn't work. But as I was testing dig(1) commands, I found something.
I need to provide the correct URL from Firefox to dig(1): "www.google.com" instead of "google.com". <- SOLUTION
When I start typing "goo" in Firefox, it suggests "google.com". Then when I press Enter, the URL turns into "www.google.com", maybe because of my browsing history, where Firefox recognizes the domain and adds "www" automatically. So I was thinking that the cached query was "google.com" where in fact it was "www.google.com".
Using the URL used for the actual query by Firefox (the one in the URL bar after pressing Enter) solved the issue.

I think this was the initial issue that I had with unbound(8). I will keep unwind(8) instead anyway.
Although the procedure is very well documented, I will leave my "minimal" conf here for the sake of discussion.

-- Details --
So I disabled unbound(8), enabled unwind(8). I implemented /etc/unwind.conf with a simple
Code:
forwarder{127.0.0.1}
I didn't touch /etc/dhclient.conf because the configuration needed by unwind and unbound are identical (unwind manual says this entry should go in /etc/dhclient.conf: supersede domain-name-servers 127.0.0.1; ).

The flow is still not clear to me. Here is my guess: when I do a query, /etc/resolv.conf is read and the nameserver entry is used (127.0.0.1). The query is sent to 127.0.0.1 where unwind is listening. unwind(8) will recursively use the lines in the forwarder section of /etc/unwind.conf, so the query is forwarded to 127.0.0.1, but now libunbound will be used implicitly (although unbound(8) is not running AFAICT). libunbound processes the query; if it is cached it returns the cached resolution, otherwise it asks one of the fallback DNS servers.

Last edited by Funkygoby; 21st June 2020 at 11:10 AM.
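The test in post #1 and the finding in post #7 (dig the name the browser actually resolved, "www.google.com", not "google.com") can be scripted. The POSIX sh helper below is an added example, not code from the thread or from OpenBSD: it parses two captured dig(1) outputs, refuses to compare runs for different names, and only reports a cache hit when the second run took 0 msec and its TTL has counted down from the first answer. The sample outputs are constructed (192.0.2.10 is a documentation address), and the function names are mine.

```shell
#!/bin/sh
# Added example: decide from two dig(1) outputs whether the second query for
# the same name was answered from the local resolver cache.
# RUN1..RUN3 are constructed samples in dig's output format, not real captures.

RUN1='; <<>> DiG <<>> @127.0.0.1 www.google.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.google.com.            IN      A

;; ANSWER SECTION:
www.google.com.     300     IN      A       192.0.2.10

;; Query time: 46 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Same name a few seconds later: answered in 0 msec, TTL already counting down.
RUN2=$(printf '%s\n' "$RUN1" | sed -e 's/300/287/' -e 's/46 msec/0 msec/')

# A different name (the pitfall from the thread): a first-time lookup.
RUN3=$(printf '%s\n' "$RUN1" | sed -e 's/www\.google\.com/google.com/g' -e 's/46 msec/79 msec/')

# dig_qname: the owner name from the QUESTION SECTION, leading ';' removed.
dig_qname() {
    awk '/^;; QUESTION SECTION:/ { getline; sub(/^;/, "", $1); print $1; exit }'
}

# dig_qtime: the "Query time" value in milliseconds.
dig_qtime() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# dig_ttl: TTL of the first ANSWER record; prints nothing if there is no answer.
dig_ttl() {
    awk '/^;; ANSWER SECTION:/ { getline; print $2; exit }'
}

# cache_check FIRST SECOND: returns 0 and prints "hit: ..." when SECOND was
# served from cache; returns 1 with a reason otherwise. A 0 msec query time
# alone is weak evidence, so the TTL must also have decreased (or stayed equal).
cache_check() {
    n1=$(printf '%s\n' "$1" | dig_qname)
    n2=$(printf '%s\n' "$2" | dig_qname)
    if [ "$n1" != "$n2" ]; then
        echo "name mismatch: $n1 vs $n2 (dig the name the browser actually resolved)"
        return 1
    fi
    t2=$(printf '%s\n' "$2" | dig_qtime)
    ttl1=$(printf '%s\n' "$1" | dig_ttl)
    ttl2=$(printf '%s\n' "$2" | dig_ttl)
    if [ "${t2:-999}" -eq 0 ] && [ "${ttl2:-0}" -le "${ttl1:-0}" ]; then
        echo "hit: $n2 answered in ${t2}ms, ttl $ttl1 -> $ttl2"
        return 0
    fi
    echo "miss: $n2 answered in ${t2:-?}ms, ttl ${ttl1:-?} -> ${ttl2:-?}"
    return 1
}

# Usage with live output:
#   r1=$(dig @127.0.0.1 www.google.com); r2=$(dig @127.0.0.1 www.google.com)
#   cache_check "$r1" "$r2"
cache_check "$RUN1" "$RUN2"
cache_check "$RUN1" "$RUN3" || :
```

The name check is the part that would have caught the problem in this thread: comparing a run for "google.com" against the browser's lookup of "www.google.com" says nothing about the cache, and the helper refuses to draw a conclusion from it.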
#8  jggimi, 21st June 2020

You've got a misconfiguration, if I understand correctly. The unwind() utility is NOT a nameserver, it is a caching nameserver manager that listens for domain resolution requests on the loopback address 127.0.0.1, and if not in local cache submits them to one or more various nameservers you define. You've got it pointing to itself, not to any nameservers. In my example above, my nameservers are a) local unbound servers on my local network but not on my laptop, then b) IPv4 quad9 nameservers, and c) IPv6 quad9 nameservers.
#9  Funkygoby, 21st June 2020

Ok so unwind is a manager of nameservers (unbound-like services?).

But can it work without an explicit nameserver list (forwarder)?
I removed the /etc/unwind.conf file, restarted the daemon and everything seems fine.
So I guess that unwind receives the request and defaults to the local cache through libunbound. If the query is not cached, it uses a fallback DNS server.

Regarding the local cache, what is managing it if there is no nameserver launched? I assume that unwind deals with it by default?
jggimi, 21st June 2020

You had configured unwind(8) to resolve with a non-existent nameserver, using the same IP address as unwind().

The unwind() utility can manage with many different nameservers, and that includes nameservers defined by SLAAC or DHCP. They are searched in a preferential order, defined by a list of preferences in unwind.conf(5). The default order has nameservers defined by SLAAC or DHCP in fourth place, after provisioned nameservers using DNS over TLS, provisioned non-TLS nameservers, and cached recursions.

You can see the nameservers defined by SLAAC or DHCP with $ unwindctl status autoconf, and which types of nameservers are active with $ unwindctl status.
jggimi, 21st June 2020

For additional clarity, unwind(8) is a fancy resolver, not a nameserver. Without unwind(), OpenBSD uses a simple resolver, configured with resolv.conf(5), which can resolve from the hosts(5) file and/or from a list of nameservers.

There are two classes of nameserver:
  • Authoritative - this is an Internet-facing nameserver. OpenBSD has one built-in, nsd(8).
  • Non-Authoritative - this is a non-Internet-facing nameserver. OpenBSD has one built-in, unbound(8).