Ubuntu 24.04 unbound install problems -- resolv.conf

Robert Moskowitz rgm at htt-consult.com
Thu Jun 12 12:47:34 UTC 2025


First, I am not skilled with Ubuntu.  This is only my second Ubuntu 
server, and my first was pretty much turn-key for Mail-in-a-Box with 
Ubuntu 22.  My decades of experience are with CentOS/Fedora.  Thus at 
times it is easy (general Linux), and other times I am lost as to where 
things are.

So:

My unbound is on a public address on my home business network.  You 
should ping it at onlo.htt-consult.com.  But firewall rules will block 
you from accessing DNS.  Also that is not my SSH port below...

My plan is for all internal systems to point to it for DNS resolution.

in unbound.conf, I have allowed access for my local systems:

       interface: 0.0.0.0

       access-control: 23.123.122.144/28 allow
       access-control: 192.168.128.0/17 allow
       access-control: 192.168.64.0/21 allow
       access-control: 192.168.96.0/21 allow
       access-control: 127.0.0.1/24 allow

(BTW, I do play games with local RFC1918 IPv4 addrs.  After all, I am the 
lead author of that RFC.  I also worked in the CIDR workgroup at the time.)

Then I opened up firewall for DNS:

ufw allow in from 23.123.122.144/28 to any port 53
ufw allow in from 192.168.0.0/24 to any port 53

I can't find out if this makes the rules permanent, but at the time of 
testing, they were in force.

But I can't dig from my notebook:

dig @onlo.htt-consult.com A medon.htt-consult.com
;; communications error to 23.123.122.146#53: timed out
;; communications error to 23.123.122.146#53: timed out
;; communications error to 23.123.122.146#53: timed out

; <<>> DiG 9.18.33 <<>> @onlo.htt-consult.com A medon.htt-consult.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

And the unbound server's resolv.conf is not working?  Local nslookup fails.

So basically, how do I troubleshoot this?

On 6/11/25 11:48 PM, Jared Norris wrote:
> Hi Robert,
>
> I use Unbound at home and might have a slightly different take. I 
> point my local router at an Unbound instance (running on a Raspberry 
> Pi) as the DNS service then set up Unbound using unbound.conf
>
> That way the whole network is using Unbound, not just my local PC. 
> That also means there is no config on any computer, just set it up 
> once on the router.
>
> I use it alongside Pihole and find it works well, they have 
> documentation to help with the set up and they mention a resolve.conf 
> issue with a workaround that may also help even if you want to still 
> run it locally - https://docs.pi-hole.net/guides/dns/unbound/
>
> Regards,
>
> Jared Norris
>
> On Thu, 12 Jun 2025 at 08:29, Robert Moskowitz via ubuntu-users 
> <ubuntu-users at lists.ubuntu.com> wrote:
>
>     I have been following the cookbook at:
>
>     https://www.linuxbabe.com/ubuntu/set-up-unbound-dns-resolver-on-ubuntu-20-04-server
>
>     which is really for Ubuntu 22.
>
>     I got through his getting unbound running.
>
>     systemctl status unbound
>     ● unbound.service - Unbound DNS server
>          Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; preset: >
>          Active: active (running) since Wed 2025-06-11 18:02:18 EDT; 26s ago
>            Docs: man:unbound(8)
>         Process: 5494 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=e>
>         Process: 5496 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_up>
>        Main PID: 5499 (unbound)
>           Tasks: 1 (limit: 928)
>          Memory: 8.2M (peak: 8.6M)
>             CPU: 89ms
>          CGroup: /system.slice/unbound.service
>                  └─5499 /usr/sbin/unbound -d -p
>
>     netstat -tulpn
>     Active Internet connections (only servers)
>     Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
>     tcp        0      0 0.0.0.0:53       0.0.0.0:*        LISTEN  5499/unbound
>     tcp6       0      0 :::7456          :::*             LISTEN  1/init
>     udp        0      0 0.0.0.0:53       0.0.0.0:*                5499/unbound
>
>
>     And setting firewall rules:
>
>     Status: active
>
>     To                         Action      From
>     --                         ------      ----
>     7456                       ALLOW       Anywhere
>     53                         ALLOW       23.123.122.144/28
>     53                         ALLOW       192.168.0.0/24
>     7456 (v6)                  ALLOW       Anywhere (v6)
>
>     Now I am up to resolv.conf.
>
>     I thought to be smart and set nameserver 127.0.0.1 in my netplan.
>     Easy, as I am on a fixed plan.
>
>     But
>
>     cat /etc/resolv.conf
>     # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
>     # Do not edit.
>     #
>     # This file might be symlinked as /etc/resolv.conf. If you're looking at
>     # /etc/resolv.conf and seeing this text, you have followed the symlink.
>     #
>     # This is a dynamic resolv.conf file for connecting local clients to the
>     # internal DNS stub resolver of systemd-resolved. This file lists all
>     # configured search domains.
>     #
>     # Run "resolvectl status" to see details about the uplink DNS servers
>     # currently in use.
>     #
>     # Third party programs should typically not access this file directly, but only
>     # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
>     # different way, replace this symlink by a static file or a different symlink.
>     #
>     # See man:systemd-resolved.service(8) for details about the supported modes of
>     # operation for /etc/resolv.conf.
>
>     nameserver 127.0.0.53
>     options edns0 trust-ad
>     search htt-consult.com
>
>     not 127.0.0.1
>
>     So then I set my netplan back to the regular nameservers and tried to
>     follow his instructions to
>
>     systemctl restart unbound-resolvconf.service
>
>     But this fails.  I am supposed to
>
>     apt install openresolv
>
>     But this has been pulled as of Ubuntu 23.
>
>     So how do I finish up this unbound setup?
>
>     I tried nslookup on my server.  It times out.  From my "allowed"
>     local
>     addresses I tried:
>
>     dig @onlo.htt-consult.com A medon.htt-consult.com
>     ;; communications error to 23.123.122.146#53: timed out
>     ;; communications error to 23.123.122.146#53: timed out
>     ;; communications error to 23.123.122.146#53: timed out
>
>     ; <<>> DiG 9.18.33 <<>> @onlo.htt-consult.com A medon.htt-consult.com
>     ; (1 server found)
>     ;; global options: +cmd
>     ;; no servers could be reached
>
>     thank you for your help.
>
>
>
>     -- 
>     ubuntu-users mailing list
>     ubuntu-users at lists.ubuntu.com
>     Modify settings or unsubscribe at:
>     https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
>
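As an added example (not code from the thread or from any poster), here is a small offline check of the two filters a query must pass in the configuration quoted above: first ufw, then Unbound's access-control list. It embeds the unbound.conf lines, the two ufw rules and the stub resolv.conf from the thread as constructed inputs, and it assumes ufw's default deny-incoming policy, ufw's built-in acceptance of loopback traffic, and Unbound's default of refusing any source that matches no allow entry. The client addresses given to client_status are made up to illustrate the three possible outcomes.

```python
"""Offline consistency check: Unbound access-control vs. ufw rules, plus a
look at what /etc/resolv.conf actually points at.  Inputs are constructed
copies of the configuration quoted in the thread; no network or system
access is performed."""
import ipaddress
import re

# Constructed input: the access-control lines quoted in the thread.
UNBOUND_CONF = """\
interface: 0.0.0.0
access-control: 23.123.122.144/28 allow
access-control: 192.168.128.0/17 allow
access-control: 192.168.64.0/21 allow
access-control: 192.168.96.0/21 allow
access-control: 127.0.0.1/24 allow
"""

# Constructed input: the two ufw commands quoted in the thread.
UFW_RULES = """\
ufw allow in from 23.123.122.144/28 to any port 53
ufw allow in from 192.168.0.0/24 to any port 53
"""

# Constructed input: the systemd-resolved stub file quoted in the thread.
RESOLV_CONF = """\
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
options edns0 trust-ad
search htt-consult.com
"""


def unbound_allowed(conf=UNBOUND_CONF):
    """Networks Unbound will answer for: every access-control entry whose
    action starts with 'allow' (allow, allow_snoop, allow_setrd)."""
    nets = []
    for net, action in re.findall(r"^\s*access-control:\s*(\S+)\s+(\S+)", conf, re.M):
        if action.startswith("allow"):
            # strict=False because the posted config uses 127.0.0.1/24,
            # i.e. host bits set; it denotes the 127.0.0.0/24 block.
            nets.append(ipaddress.ip_network(net, strict=False))
    return nets


def ufw_allowed_to_53(rules=UFW_RULES):
    """Source networks the ufw rules admit to port 53 (both UDP and TCP)."""
    return [ipaddress.ip_network(src, strict=False)
            for src in re.findall(r"^ufw allow in from (\S+) to any port 53\b", rules, re.M)]


def uncovered(unbound_nets, ufw_nets):
    """Unbound allow-networks that no single ufw rule fully admits.
    Loopback is skipped: ufw's default ruleset accepts traffic on lo."""
    return [n for n in unbound_nets
            if not n.is_loopback and not any(n.subnet_of(f) for f in ufw_nets)]


def client_status(ip, conf=UNBOUND_CONF, rules=UFW_RULES):
    """Trace one client address through the two filters in packet order.
    Assumes ufw's default incoming policy is deny and Unbound's default
    action for an unmatched source is refuse."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_loopback and not any(addr in f for f in ufw_allowed_to_53(rules)):
        return "dropped by ufw"          # client sees a timeout
    if not any(addr in n for n in unbound_allowed(conf)):
        return "refused by unbound"      # client sees status REFUSED
    return "answered"


def resolver_mode(resolv=RESOLV_CONF):
    """Which nameserver the host itself uses, and what that address means."""
    servers = re.findall(r"^nameserver\s+(\S+)", resolv, re.M)
    if not servers:
        return (None, "no nameserver configured")
    first = servers[0]
    if first == "127.0.0.53":
        return (first, "systemd-resolved stub")
    if ipaddress.ip_address(first).is_loopback:
        return (first, "local resolver on loopback")
    return (first, "remote resolver")


if __name__ == "__main__":
    ub, fw = unbound_allowed(), ufw_allowed_to_53()
    for n in uncovered(ub, fw):
        print(f"unbound allows {n} but no ufw rule admits it to port 53")
    # Made-up client addresses, one per outcome.
    for ip in ("23.123.122.150", "192.168.0.10", "192.168.130.5"):
        print(ip, "->", client_status(ip))
    print("host resolv.conf points at", *resolver_mode())
```

The distinction the script draws is the one to use when reading the dig output: a source ufw drops never reaches Unbound, so the client sees only timeouts, whereas a source ufw passes but no access-control entry allows gets a REFUSED answer back immediately. The resolv.conf check shows the host itself still asking the systemd-resolved stub at 127.0.0.53, not the Unbound instance on 127.0.0.1.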