
[WIP] Integrating dnscrypt-proxy

Open licaon-kter opened this issue 8 years ago • 68 comments

(no root needed; if you have root, DENY access for this app)

source: https://github.com/licaon-kter/android-unbound-dns/tree/dnscrypt-proxy latest test APK build 14: in the comments below

what's modified:

how to run:

  • get that APK and get NetGuard
  • install AndroidUnbound but don't start it
  • install NetGuard
  • NetGuard->Settings->Advanced->(enable Filter)->Port redirect->(+)->UDP/53/127.0.0.1/5300/Android Unbound
  • Netguard-> be sure that AndroidUnbound and RootProcess are Allowed on both Wi-Fi and mobile (greenish icons)
  • start AndroidUnbound
  • no root needed; if you have root, DENY access for this app
  • check the box "start on boot"
  • uncheck the box "root"
  • exit AndroidUnbound and use main Android>Settings>Apps>AndroidUnbound>Force Close
  • restart AndroidUnbound
  • look in the MAIN log tab (swipe right) where you should see the key generation, dnscrypt-proxy output etc
  • WAIT FOR THE OUTPUT, it may take a bit for things to unpack, setup keys, certs, etc.
  • ignore the warnings
  • test with these links: https://github.com/jedisct1/dnscrypt-proxy/issues/393#issuecomment-204802390
  • hide notifications for both NetGuard and AndroidUnbound (they'll run in background anyway)
  • exempt (NOT OPTIMIZED) both NetGuard and Unbound in Battery settings.

issues:

  • some tests say other servers are used too (eg. those added by the Wi-Fi connection), not sure why these are seen, might be an Android issue (reported here too)
  • sometimes telco mobile APNs add a proxy that will override your DNS: edit APN to remove proxy and port, save, reconnect
  • keep in mind that as long as NetGuard is running (with the port redirection active), if AndroidUnbound and/or dnscrypt-proxy does not work correctly you can't connect to sites, since apps can't get DNS resolved
  • useless warnings in logs
  • all the other issues are there unfixed

future:

  • add a separate dnscrypt-proxy start script, and a view to edit it (eg. choose servers)
  • add a way to update dnscrypt-resolvers.csv (eg. view to edit, one can copy/paste/save/restart app)

/LE: added source and latest APK links

/LE2: I haven't figured out why port 5300 (the actual unbound process) fails to resolve; in the meantime use port 5301 or 5302 to query a dnscrypt-proxy instance directly (yes, you lose the unbound features, but at least it works)

licaon-kter avatar Oct 30 '16 01:10 licaon-kter

Hi @licaon-kter , cool stuff, before I test it, do you have the source, from which you've compiled this APK, published? I haven't found it here: https://github.com/licaon-kter/android-unbound-dns

Thanks a lot!

smarek avatar Oct 31 '16 10:10 smarek

Did not push them to a repo yet, as I need to re-write the packing scripts, and yes, I know what you mean, loading APKs from strangers off the internet :).

You can just unpack the APK and grab my package.zip already; look at the scripts. You can replace those binaries if you want, etc.

licaon-kter avatar Oct 31 '16 10:10 licaon-kter

How to use your app with root and iptables? Now I got connection refused every time even without root

avently avatar Mar 23 '17 09:03 avently

How to use your app with root and iptables?

With root just use dnscrypt-proxy by itself with either NetGuard port redirect (as mentioned above but with the correct port of 53 or whatever) or with iptables as the 99dnscrypt script mentions.

Now I got connection refused every time even without root

Who says that? Detail your setup.

licaon-kter avatar Mar 23 '17 09:03 licaon-kter

Hm, you advised me to use your solution because it will not drain battery when device goes to sleep. Now you are saying I can use dnscrypt instead. It's a little bit strange.

Without root:

    WARNING: linker: Warning: unable to normalize ""
    WARNING: linker: Warning: unable to normalize ""
    WARNING: linker: Warning: unable to normalize ""
    [1490260598] libunbound[16601:0] notice: init module 0: validator
    [1490260598] libunbound[16601:0] notice: init module 1: iterator
    root.key does not exist
    fail: the anchor is NOT ok and could not be fixed
    [1490260612] unbound-control[16607:0] error: connect: Connection refused for 127.0.0.1
    [1490260613] unbound[16611:0] notice: init module 0: validator
    [1490260613] unbound[16611:0] notice: init module 1: iterator
    [1490260613] unbound[16611:0] info: start of service (unbound 1.5.10).

avently avatar Mar 23 '17 09:03 avently

Now you are saying I can use dnscrypt instead. It's a little bit strange.

Read the first post here.... NO-ROOT. But if you ask about root I'll answer on how to use that, again, like I said, this works most of the time ok with sleeping devices.

Also I did not remember you and your issues precisely. :)

Did you follow the steps exactly? Try to Force Close the app and retry. What settings does the main settings screen have?

licaon-kter avatar Mar 23 '17 09:03 licaon-kter

I removed your app. Then installed it again. Unchecked the first option and checked the other 3 options. Then I saw the log I already wrote here. Nothing more, nothing less.

avently avatar Mar 23 '17 09:03 avently

Maybe it's not working because I'm not using NetGuard? Is it required? I use this:

    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5300 &&
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5300

avently avatar Mar 23 '17 10:03 avently

Now I got connection refused every time

Missed it in your log, that's another issue, but not a problem here.

Unchecked first option and checked other 3 options.

My steps did not mention checking 3 options, just start at boot.

If you don't have root NetGuard it is required.

If you have root, iptables might actually interfere as it will redirect ALL traffic to local 5300, including this apps traffic (and dnscrypt-proxy runs under this app), so you'll just loop 53 to 5300 to 53 and so on.

Again, decide what mode (root/no-root) you want and stick with that, don't mix them.

licaon-kter avatar Mar 23 '17 10:03 licaon-kter

hi

I don't know if this is a legitimate issue or not, but I'm trying to use these new instructions to use unbound on a tablet, it's the SM-T230NU on 4.4.2 KitKat (stock, rooted) and I keep getting cannot link executable errors with all the binaries when trying to start unbound.

I've already tried the ./env.sh script to grant the app root access by UID and I still get the cannot link executable error.

Is this compatible with 4.4.2 KitKat?

ghost avatar Apr 23 '17 08:04 ghost

This does not need root, the instructions clearly state that.

Not sure on compatibility though, this was tested only on 5.1.1 and 6.0.1.

If you have root you might not need this, install dnscrypt-proxy as usual (flash from recovery IIRC) and just either use NetGuard with port redirection (53/127.0.0.1/53/root) or set up iptables.

licaon-kter avatar Apr 23 '17 09:04 licaon-kter

Thank you @licaon-kter for your answer.

However, my main issue is with the unbound Android binaries not launching correctly on the tablet.

I'd like to deploy a local DNS resolver to use with dnscrypt, that is, if it's possible.

I am no networking expert, but as I understand in this experimental set up, you have netguard forwarding dns traffic to unbound, redirecting port 53 to a different specified port, and you have dnscrypt-proxy running two instances as a forwarder in unbound, also on specified ports.

your write up specifies using unbound within this process, is there now no need for it?

@smarek any suggestions for how to fire up unbound Android on KitKat 4.4.2? Are the cannot link executable errors platform-specific?

ghost avatar Apr 23 '17 12:04 ghost

Does the normal app launch ok (https://github.com/smarek/android-unbound-dns/releases) ?

If you compile it, does it work ok? This is my build for this thing that I'm trying, I might have broken something (eg. libs)

minSdk is 17, hence on Android 4.2, 4.2.2 and later it should work.

Can you post the log?

licaon-kter avatar Apr 23 '17 12:04 licaon-kter

@licaon-kter the normal app doesn't launch for me either, I get the same errors etc., unbound-control-setup fatal error: could not genrsa, for example.

I'm also getting cannot locate symbol errors from signal (in unbound binary), sigfillset (in unbound-control binary), and __cmsg_nxthdr (in unbound-anchor binary)

Yes, I can provide a full log. What do I have to do?

ghost avatar Apr 23 '17 12:04 ghost

@licaon-kter @smarek, just wanted to follow up on this issue I'm having getting this fired up on my tab.

I can provide a log, but from what source? The inbuilt log from the unbound app I believe is provided more or less; did I exclude any important info? Or is logcat preferred?

ghost avatar May 03 '17 11:05 ghost

The one from the app for starters.

licaon-kter avatar May 03 '17 11:05 licaon-kter

@licaon-kter thx for the swift reply

is there a way to export the log from within the app to .txt to upload? or do I have to alternatively copy the log text from the app, save to .txt and upload?

ghost avatar May 03 '17 12:05 ghost

Copy, open browser to https://gist.github.com paste, post link here.

licaon-kter avatar May 03 '17 12:05 licaon-kter

@licaon-kter hmm, decided to upload from the tab directly. The text is from the no-root version of your revision to the app. I force closed from within the app and copied the log output from start till after 10 or so secs.

The reason for the short log time is the unbound-control error loops ad infinitum, or should I allow the log to run longer? tmp_untitled-1838409509.txt

ghost avatar May 03 '17 13:05 ghost

Ok, this is over my head unfortunately.

licaon-kter avatar May 03 '17 14:05 licaon-kter

@itspull ok, no, that is correct behavior, we do compile against NDK API level 21, which is Android version 5.0. So I guess you could try recompiling with lower API settings, see https://github.com/smarek/android-unbound-dns/blob/master/_setenv_android.bash#L31

smarek avatar May 03 '17 14:05 smarek

@itspull If you can build, build the main project as usual (but with NDK19) and get my package.zip contained in my APK (it has dnscrypt-proxy inside and the scripts).

I'll try a rebuild too, asap.

licaon-kter avatar May 03 '17 14:05 licaon-kter

@smarek, @licaon-kter ok guys, thx so much for narrowing the issue down for me! So, the builds available for downloading here were made with Lollipop in mind and won't work with anything lower.... got it.

As for building from scratch, I can't seem to get the hang of it! All the different tools, instruction sets, etc., troubleshooting, the different programming languages each program is built with, it's all a bit dizzying for a common app user such as myself.

However, I have a tremendous amount of respect for what you guys do, so again, thank you @licaon-kter, @smarek for sorting this out for me! I'll try my hand at building again, maybe I'll have an easier time with this.

ghost avatar May 04 '17 03:05 ghost

@licaon-kter thx for a rebuild you could possibly provide for backward compatibility.

I would appreciate it, as I mentioned I'm not totally proficient with building apps from source.

ghost avatar May 04 '17 12:05 ghost

@itspull Here you go, build 9, hopefully the NDK 19 setting stuck. Link: https://mega.nz/#!QUoyCCbJ!ufgDWByaVTKkcQP_aLE4Cxr_gn9iTuV_vomUrCvzH7M sha1sum: 4561d5791ce525c1e547692af227c594d7004cf0

(and updated to dnscrypt-proxy 1.9.4)

licaon-kter avatar May 04 '17 23:05 licaon-kter

@licaon-kter thank you so much! This one seems to work but I'm still having connection problems.

I think this is an issue with NetGuard and how it's trying to communicate with my tab, no pages will load when I flip it on.

I'll come back with logs and screenshots of how I have NetGuard set up. Will you accept a debugging log for NetGuard here or should I post that in a different place?

ghost avatar May 05 '17 09:05 ghost

Lets not fill this up, comment here instead: https://github.com/licaon-kter/android-unbound-dns/commit/433764263278254d8005b7e7538a2faa7f942de3

licaon-kter avatar May 05 '17 10:05 licaon-kter

@licaon-kter so still, except for this commit, your APKs in this thread are closed-source? :-))

smarek avatar May 05 '17 10:05 smarek

Like I've said above, you can just get the package.zip from inside, the script modification is plain text, while dnscrypt-proxy and the .csv are copied from that package.

I did not yet bother actually integrating this in a build workflow because of those issues mentioned in the first post.

Also, this has not gained much traction/testing as you can see.

Now, having a successful build again I'm thinking that I could take another look at this, I tried to update the libs inside a while ago and I got flooded by linking errors.

/LE: So I've written that, tried to open a page in Firefox to no avail, netstat says everyone is listening on 5300/5301/5302 yet the resolvers can't be reached. FC the app, start it, working again. Yup, switching from Wi-Fi to mobile (and presumably back too) somehow messes things up. :(

licaon-kter avatar May 05 '17 12:05 licaon-kter

@licaon-kter @smarek Thank you for your efforts, jointly and individually, in providing unbound and DNSCrypt to us who are not able to code and build, the noobs and slackers in the Android community. Now to my (admittedly small) contribution: I tried build 7 for a while on two Android-M smartphones, and was annoyed with the many Force Closes required. But this now has been reduced to almost nothing by unticking the box for "Apply rules and conditions" in NetGuard, search 10185. When at it I checked that "VpnDialogs", 10045, was there also, and unchecked that too. Now @smarek 's app with @licaon-kter 's scripts and packaging (currently on build 9, but there was no noticeable difference from build 7) works. Is it insecure to untick this box? Probably, but what good is secure DNS if the internet just halts or is reduced to a crawl? - A little worried that the two smartphones get different DNS servers when checking with dnsleaktest.com, one from the US and the other from the UK. Build 7 gave DNS from Iceland, which felt safer (no NSA or GCHQ on that island). Ah, well. Good to have phones with internet again!

mnordlin avatar May 15 '17 00:05 mnordlin

search 10185/10045

Those are specific to your install, they get different UIDs on other devices, searching for the app name works fine.

I also have it with unchecked "apply rules" but it still gets stuck sometimes, although rarely; it will recover by itself if you wait.

This is one on my TODO list: reset everything on connection change

Vpndialogs does not even have Internet permissions, not sure it matters.

There are 3 servers involved, on start dns1 and dnsbackup1 are checked (eg. until you get a connection) and whoever answers first becomes DNS1, and DNS2 is fixed. I chose them for stability, did not consider jurisdiction.

This is one on my TODO list: change the edit view from unbound config to DNS servers config. I'll do this on my next build.

licaon-kter avatar May 15 '17 04:05 licaon-kter

@licaon-kter I do hope you track the bugs in your new implementation for this, as it seems you refuse help from @smarek; that seems tricky, to keep this closed source on your end, why not post your code? That is a legitimate question, can you choose to answer?

Besides that, I'm attaching a couple of screenshots from your a.u dns app build 9, unbound-control is refused access to 127.0.0.1, that may be the culprit for my particular case, no dns changes are being applied, dnsleaktest.com is showing my ISP DNS.

The 1st one is after launching the unbound app without launching NetGuard, the 2nd is NetGuard launched and then starting the unbound app.

Does it make a difference to what instance is started first?

screenshot_2017-05-15-04-20-35 screenshot_2017-05-15-04-29-00

ghost avatar May 15 '17 12:05 ghost

Regarding close source, read above, I won't repeat it, c'mon.

Regarding refused 127.... that's #12 I guess, read carefully, it's not unbound but unbound-control (I guess that's what you see too, because those pictures are... Wow)

licaon-kter avatar May 15 '17 12:05 licaon-kter

Small update, I did try to get it up to snuff (reproducible scripts; working APKs) but something or other fails on the device when testing even after managing to compile them all ok. Eg. using the app: mainlog empty, no process listening on ports, BUT running from Termux (unpacking package.zip, run commands one by one): works fine

In the mean time I'm using build 9 too, works fine 99% of the time.

licaon-kter avatar Jun 19 '17 16:06 licaon-kter

@licaon-kter could you provide your current state of build scripts edits in PR or branch on your fork of the repository? I'm willing to help you debug current state. Thank you!

smarek avatar Jun 21 '17 08:06 smarek

or can I work with current master ? https://github.com/licaon-kter/android-unbound-dns/commit/d993c77e24556a2b877ff17607d7e72bc77a5eb9

smarek avatar Jun 21 '17 08:06 smarek

Ok here it is, branch, 1 commit for it all: https://github.com/licaon-kter/android-unbound-dns/commit/f4d5ab24c08749243f9278d9f91e9a456ae62b5e

See my comments there.

licaon-kter avatar Jun 22 '17 01:06 licaon-kter

And the resulting build 11 APK: https://mega.nz/#!IZJSGBZb!1jOntMuYiqW5JGFRpmSGnbWpFnBHaYiz0h5pjYQZyBU SHA256 sum: f59379c231fbeb5434b60083b8396ad23c0edd135a0650fcf67ae8964ae8f7ca

licaon-kter avatar Jun 22 '17 01:06 licaon-kter

Awful, really awful this version, I blame it on Unbound 1.6.xx, as on desktop testing I see the same behaviour: querying dnscrypt-proxy ports directly works while using the unbound one fails, after some random time it will suddenly start working. Since the desktop uses suspend/resume (as mobile does) this might be a factor.

Right now:

  • Ports are bound
  • Unbound does not respond to dig queries: no servers could be reached
  • First dnscrypt-proxy responds ok (!!!)
  • Second one does not respond to dig queries: no servers could be reached

The log says the servers were checked ok on start.

Looks like I need to recompile with 1.5.xx and test that again.

@smarek What's the point of extracting the ZIP every time the app starts? I can't actually change any settings without a recompile :(

licaon-kter avatar Jun 28 '17 07:06 licaon-kter

That being said, I've recompiled yet again, so dnscrypt-proxy/libsodium from git and updated openssl 1.0.2l, resulting 2 builds:

  • Unbound 1.6.4 (build 13) - APK / sha256sum: 624d77913d10a7a694401851f0ef74ec291872388bf2d829ee4ba9865eeecd7d
  • Unbound 1.5.10 (build 12) - APK / sha256sum: 0bd8e56955ac7dc4472240cb48aebb12ffdf353077620eab1f610bdb8831b40c

After using them for a while I can repro the behaviour, basically you use the device, turn off the screen for a while, open it again:

  • 1.5.10 will reply slow but it will respond to the queries
  • 1.6.4 might start later on but the waiting time makes it unusable, one can dig at the dnscrypt-proxy ports (5301/5302) and they respond right away with NOERROR and the IP, while unbound says SERVFAIL (port 5300)

licaon-kter avatar Jul 10 '17 16:07 licaon-kter
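The port-by-port check described in this thread (dig at 5300, then at the dnscrypt-proxy ports 5301/5302) as an added Python script; it is not part of the app or of any post here. It assumes the three ports from the first post, queries an arbitrary name (example.com), and reports the RCODE each local listener returns, so the SERVFAIL-on-unbound versus NOERROR-on-dnscrypt-proxy pattern above shows up without dig.

```python
import socket
import struct

# Ports from the first post: unbound on 5300, the two dnscrypt-proxy
# instances on 5301 and 5302 (assumed defaults; adjust if yours differ).
RESOLVER_PORTS = {"unbound": 5300, "dnscrypt-proxy 1": 5301, "dnscrypt-proxy 2": 5302}

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record of `name`, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def skip_name(data, offset):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data, txid):
    """Return (rcode name, list of A-record IPs); raise ValueError if unusable."""
    if len(data) < 12:
        raise ValueError("short response")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                  # skip the echoed question section
        offset = skip_name(data, offset) + 4
    ips = []
    for _ in range(an):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return RCODES.get(rcode, "RCODE%d" % rcode), ips


def probe(port, name="example.com", host="127.0.0.1", timeout=3.0):
    """Send one UDP query to host:port and describe what came back."""
    txid = 0x4242
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (host, port))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no response (dig would say: no servers could be reached)"
        except OSError as exc:           # e.g. port unreachable: nothing listening
            return "error: %s" % exc
    try:
        rcode, ips = parse_response(data, txid)
    except (ValueError, struct.error, IndexError) as exc:
        return "malformed: %s" % exc
    return rcode + (" " + ", ".join(ips) if ips else "")


def check_chain(name="example.com"):
    """Probe every listener in RESOLVER_PORTS; returns {label: status}."""
    return {label: probe(port, name) for label, port in RESOLVER_PORTS.items()}


if __name__ == "__main__":
    for label, status in check_chain().items():
        print("%-16s port %d -> %s" % (label, RESOLVER_PORTS[label], status))
```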

@licaon-kter yes, build 9 exhibits the same behaviour for me, turn off the screen and the log is emptied (was the report for your builds 12 and 13 a response to the log screen going white or what? What steps did you take to 'repro the behaviour'? Terminal commands?), but the processes still seem to run. Maybe turning up the default verbosity will help the log to keep ticking after turning off the screen?

I will mention just now, I don't know that it's an 'issue', per se, maybe for non-root users, one thing I don't like about the unbound port to Android overall is, it seems you can't launch the binaries standalone in the terminal without root.

I myself have not figured that out, maybe there's a way? This ought to be implemented, as the current idea being pushed for all of this is, 'using unbound dns with dnscrypt behind netguard, no root'. (correct @smarek?)

So, there's that.

Anyway, @licaon-kter I want to try one of your new builds. I'm currently using build 9. What happened to build 10? It looks like you scrapped that one.

And what of build 11? Was that one intended for testing?

This really needs an official changelog.

ghost avatar Jul 11 '17 10:07 ghost

After the screen is off you are at the mercy of the Android battery policies, either Doze or OEM. Now, unbound being a PC app first might not be that smart to cope with suspend.

You can launch binaries, the only limit is this (as far as I can see): you can only make programs executable and launch them IF they're located in the app's data folder.

E.g. how I tested dnscrypt-proxy with Termux:

  • extract package.zip from APK
  • extract files from package.zip in /sdcard/Downloads/package
  • in Termux copy package folder to home dir of the app (actually located at /data/data/org.termux/files/home) by running: cp -r /sdcard/Downloads/package ~/
  • enter bin folder: cd package/bin
  • make them all executable: chmod 755 *
  • run whatever

Build numbers are just to keep my testing on a plan (actually I've built a lot of these and scrap them if failing):

  • build 9 is unbound 1.5.10
  • build 10 was scrapped internal testing (trying to omit some app views that are useless like unbound-control and trying to get rid of the first page checkboxes)
  • build 11 was updated to unbound 1.6.3 since that's the latest, also first build of the actual branch with the published source code
  • build 12 updated unbound 1.6.4 and openssl 1.0.2l, with the new "Create random list of dnscrypt servers on packaging" commit
  • build 13 as build 12 except that it is using unbound 1.5.10, as it copes better with the needs of mobile (suspend) in my testing.

Builds 12 and 13 are for comparison at this moment, hope you (or others?) can use them both for a few days and make a judgement.

About that last commit, I had dnscrypt.eu-dk in builds 9 & 11 IIRC and it failed to resolve even on desktop for some reason, that made testing even harder.

licaon-kter avatar Jul 11 '17 10:07 licaon-kter

@licaon-kter OK, so as far as the terminal is concerned, I'm using data/data/jackpal.androidterm.

I'll report back after following your instruction set to use the binaries standalone without root, thanks for the hint.

So, your response, in regards to your build numbers, seems to me to suggest that build 12, as of now in the current development, is the recommended test release, yes?

ghost avatar Jul 11 '17 10:07 ghost

12 and 13 are both, because of the issues I have with Unbound 1.6.x. Hence my request to test them both.

licaon-kter avatar Jul 11 '17 11:07 licaon-kter

So, reporting back to use the binaries without root.

As I expected, it's not working for me. I've pushed the extracted package.zip to home directory of terminal emulator app at data/data/jackpal.androidterm/app_HOME, cd from there to package/bin, and in an example test, the command ./dnscrypt-proxy --version, I get a 'CANNOT LINK EXECUTABLE' error from libsodium.so, despite it being in the same directory.

I've set permissions to executable 755 for all files there, even the folders themselves, reboot, cd back to the directory, executed the same test, and experience the same result.

I don't expect you to provide a direct answer, but I ask anyway: what is Termux doing differently, as there are no errors for you using it with the unbound binaries standalone without root, but with Terminal Emulator I'm experiencing the issue I've listed above?

Can you test the binaries using jackpal.androidterm to see if you too experience the same issue?

ghost avatar Jul 12 '17 11:07 ghost

F-Droid has jackpal.androidterm from 2012, not sure if that's useful for testing. I see that Termux needs Android 5 or later, hence you can't use it.

Anyway, that's for testing; now, using the app (build 12 or 13), what does the log say?

licaon-kter avatar Jul 12 '17 13:07 licaon-kter

screenshot_2017-07-13-01-30-05

I'm using build 12.

Build 9 is a bit 'snappier' for me. It could be the dnscrypt resolvers you set to default in that build, maybe from my location I get a quicker response time.

Just a theory, I haven't bothered with ping.

The issue of having to force stop the app, kill dnscrypt/unbound in terminal, delete all server files, and restart the app after a reboot is still present, at least for me.

To just now mention that, it's such a dirty workaround. There ought to be a sh script to help automate that, if it can't be fixed better yet. I'll try to get one together and maybe post it here if it works.

Also, I noticed you're using a dnscrypt resolver count of 4 in build 12, for fallback reasons?

ghost avatar Jul 13 '17 09:07 ghost

Build 9 is a bit 'snappier' for me...server

Yes server might be a factor.

its such a dirty workaround.

That should not be the case on EVERY start, I don't have that, basically plain Android force close and clean data will make it work (as that's a requirement for NO-root). I've mentioned that since you have root, you can control/check stuff a little better.

kill dnscrypt/unbound in terminal

Killing the app will do that... your ROM does not do that? Umm....

delete all server files

Android->Clean app data will do that... your ROM does not do that? Umm...

restart the app after a reboot

The app starts on boot fine here (in app checkbox checked)... your ROM does not do that? Other apps start?

There ought to be a sh script

See my last line in the comment above: https://github.com/smarek/android-unbound-dns/issues/18#issuecomment-311584772

you're using a dnscrypt resolver count of 4 in build 12, for fall back reasons?

There were always four (yes, they're hard coded for now, random chosen at build time), they get tested every time the app is started, first one that responds between 1 and 2 will listen on port 5301, and first one that responds between 3 and 4 will listen on port 5302. That depends on your connection and the server.

licaon-kter avatar Jul 13 '17 09:07 licaon-kter

kill dnscrypt/unbound in terminal, Killing the app will do that... your ROM does not do that? Umm....

So, that's 'odd', and, yes, a force close from the app manager on this ROM (stock ROM btw) doesn't attach the dnscrypt and unbound binaries to kill, so what processes is it 'closing'? I'm assuming the app id, but the binaries still run in background/foreground, I don't know.

I was mistaken about 'delete all server files (with root explorer)'. Yes, the app manager does take care of that standalone.

However, it's still necessary, for me, to have to terminal root killall dnscrypt and unbound after a force close, otherwise I get a root.key error upon restarting the app.

The app starts on boot fine here (in app checkbox checked)... your ROM does not do that? Other apps start?

No, you misunderstood me there. It starts fine on reboot. The trust anchor presented twice is the issue as far as that's concerned. I created a separate ticket to mention that. For your build 12 I haven't yet tested it. Maybe it's fixed, although I doubt it.

Your builds are considered 'duct tape' as of now, correct?

there ought to be a sh script, See my last line in the comment above: #18 (comment)

I think I'm missing something there, care to explain? What does that have to do with a sh script workaround? Or, where's the sh script?

you're using a dnscrypt resolver count of 4 in build 12, for fall back reasons?, There were always four

Were there? I remember counting only two in build 9. Your most recent builds, yes, four resolvers. Is that what you mean?

ghost avatar Jul 13 '17 10:07 ghost

Just downgraded to build 9. Your build 12, also maybe 13 (I've not tested that build), use the newly implemented conf file for dnscrypt.

In those builds, the resolvers are listed in the dnscrypt.conf file, yes, four.

Where's the same for build 9?

As to mention that just now, I've reviewed your initial dnscrypt addition code as prior to special build 9, there were only two servers listed there, namely ns0.dnscrypt.is and the soltysiak server, what were the other two?

Also, there's a dialog in your build 12 to mention the d0wn resolvers it connects to in its log. Is that a result of using a conf file for dnscrypt in that build, or, no?

There's no mention of the connecting resolvers in the build 9 log.

Would you call that a 'bug fix' to compare side by side your build 9 and build 12?

@smarek Please, get in here.

ghost avatar Jul 13 '17 11:07 ghost

Yes it's all duct tape, don't bother him about this :)

Remembered wrong, build 9 has only 3, one (between 1 and 2) will listen on 5301 and another one is set up for 5302. Builds 11, 12 and 13 will mention in the log (view) the servers they have set up.

Or, where's the sh script?

There is no script, read again: the package.zip is extracted in some conditions.

The trust anchor presented twice

Yeah, the initial errors need to be better tackled.

licaon-kter avatar Jul 13 '17 12:07 licaon-kter

Build 14: https://mega.nz/#!tUBEBC4L!b7KL6nVlZQ2gpSzvRACPbI_-0HbUc6ZNVlo1If9CYxU sha256sum: 16679a6008a8cc2ac708358b5c5d6cc644b7393cb024b721b0daefcf3301b0dc

Changes (unbound 1.5.10+openssl 1.0.2l):

  • added PATH to setup script
  • re-enabled some cleanup (that was in git but not in the script included in the APK)
  • enabled D8 (not seeing any difference though)

licaon-kter avatar Aug 14 '17 13:08 licaon-kter

@licaon-kter I'll take the new build for a spin and report back.

ghost avatar Aug 19 '17 08:08 ghost

    [1516619939] libunbound[30232:0] error: module init for module validator failed
    root.key has content
    resolve DNSKEY: initialization failure
    error: SSL handshake failed
    3067778444:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
    [1516619940] unbound[30251:0] error: can't bind socket: Address already in use for 127.0.0.1
    [1516619940] unbound[30251:0] fatal error: could not open ports
    error: SSL handshake failed
    3067577740:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
    error: SSL handshake failed
    3067889036:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:

doe9 avatar Jan 22 '18 11:01 doe9

@doe9 What build? What device? What Android version?

licaon-kter avatar Jan 22 '18 11:01 licaon-kter

I use build 14, Nexus 5, LineageOS 14; honestly, I like your hard work, very cool apps. Right now I'm using build 13, but I can't see mainlog, it looks like this build works fine.

doe9 avatar Jan 22 '18 12:01 doe9

cgk78 avatar Jan 22 '18 12:01 cgk78

I'd recommend you use build 14; build 13 might have different servers and one of them is down IIRC. Remember to clear all app data after the update, and be patient when you start the app again, it takes a bit to generate its needed files.

Regarding the log, you can see it on first start, but not at any time, it does not matter actually.

Attach a new picture after 14 started.

Also see LE2 note in the first post here, use ports 5301 or 5302.

licaon-kter avatar Jan 22 '18 13:01 licaon-kter

If I use build 14, it won't start, I don't see the notification in the status bar (unbound not running). I'm sure about this.

cgk78 avatar Jan 22 '18 15:01 cgk78

The app won't actually start? Even if you uninstall build 13 and then install 14?

licaon-kter avatar Jan 22 '18 15:01 licaon-kter

Yes Sir.

cgk78 avatar Jan 22 '18 15:01 cgk78

Some ADB log from when you start the app would be nice.

licaon-kter avatar Jan 22 '18 16:01 licaon-kter

Oops, sorry sir, https://gist.github.com/cgk78/4b2124bd7ceccada4a155e07e0b36fa0

cgk78 avatar Jan 22 '18 17:01 cgk78

Works perfectly in build 14, I changed 127.0.0.1 to my device IP address 192.168.1.42 at unbound.conf

cgk78 avatar Jan 22 '18 17:01 cgk78

cgk78 avatar Jan 22 '18 17:01 cgk78

Strange... this sounds like a ROM issue.

So how did you get it started after all?

licaon-kter avatar Jan 22 '18 18:01 licaon-kter

Before I changed to 192.168.1.42, I changed the interface to 127.0.0.2, then reloaded, but I also got an error in the remote-control section, so I changed that from 127.0.0.1 to 127.0.0.2 and reloaded. Strange, because I don't see anything in the mainlog. Because on my Linux box (laptop) I use unbound as the local resolver, I then tried changing to 192.168.1.42 (the Android IP), reloaded the conf and it works perfectly 😁. I'm also confused, but it doesn't work if the conf is changed like below:

    server:
        verbosity: 1
        interface: 192.168.1.42@853
        # interface: ::1
        # interface: 0.0.0.0
        port: 5300
        do-daemonize: no
        # access-control: 0.0.0.0/0 refuse
        # access-control: 0.0.0.0/0 allow_snoop
        # access-control: ::0/0 refuse
        # access-control: ::0/0 allow_snoop
        # do-not-query-address: 127.0.0.1/8
        # do-not-query-address: ::1
        do-not-query-localhost: no
        # prefetch: yes
        # prefetch-key: yes
        cache-max-ttl: 604800
        cache-min-ttl: 432000
        directory: ""
        chroot: ""
        username: ""
        logfile: "mainlog"
        pidfile: "unbound.pid"
        auto-trust-anchor-file: "root.key"
        harden-dnssec-stripped: yes
        rrset-roundrobin: yes
        ssl-upstream: yes
        # udp-upstream-without-downstream: yes
        qname-minimisation: yes
        minimal-responses: yes
        num-threads: 4
        msg-cache-slabs: 8
        rrset-cache-slabs: 8
        infra-cache-slabs: 8
        key-cache-slabs: 8
        outgoing-num-tcp: 64
        rrset-cache-size: 256m
        msg-cache-size: 128m

        ssl-service-key: "unbound_server.key"
        ssl-service-pem: "unbound_server.pem"
        ssl-port: 853

    forward-zone:
        name: "."
        forward-addr: 127.0.0.1@5301
        forward-addr: 127.0.0.1@5302
        forward-addr: 9.9.9.9@853
        forward-addr: 149.112.112.112@853
        forward-addr: 145.100.185.15@853
        forward-addr: 145.100.185.16@853
        forward-addr: 184.105.193.78@853
        forward-addr: 185.49.141.37@853
        forward-addr: 199.58.81.218@853
        forward-addr: 146.185.167.43@853
        forward-addr: 89.233.43.71@853

    remote-control:
        control-enable: yes
        # control-interface: 0.0.0.0
        control-interface: 192.168.1.42
        # control-interface: ::1
        control-port: 8953
        server-key-file: "unbound_server.key"
        server-cert-file: "unbound_server.pem"
        control-key-file: "unbound_control.key"
        control-cert-file: "unbound_control.pem"

cgk78 avatar Jan 22 '18 18:01 cgk78
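An added check (my script, not the app's and not the poster's): a small parser for the unbound.conf posted above that reports what its interface@853, ssl-port, ssl-upstream and control-interface settings mean for the on-device setup from the first post, where NetGuard redirects port 53 to 127.0.0.1:5300 (that redirect port is the assumption). The embedded config is the poster's, trimmed to the directives the check reads, with the commented-out lines dropped.

```python
import ipaddress

# unbound.conf from the comment above, one directive per line; only the
# directives this check reads are kept, the values are the poster's.
POSTED_CONF = """
server:
    interface: 192.168.1.42@853
    port: 5300
    do-daemonize: no
    do-not-query-localhost: no
    auto-trust-anchor-file: "root.key"
    ssl-upstream: yes
    ssl-port: 853
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5301
    forward-addr: 127.0.0.1@5302
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
remote-control:
    control-enable: yes
    control-interface: 192.168.1.42
    control-port: 8953
"""


def parse_unbound_conf(text):
    """Parse unbound.conf text into {section: [(key, value), ...]}, keeping repeats."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if value == "":                          # bare "server:" etc. opens a section
            current = key
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append((key, value))
    return sections


def split_addr(value, default_port):
    """'192.168.1.42@853' -> ('192.168.1.42', 853); without '@' use default_port."""
    host, sep, port = value.rpartition("@")
    return (host, int(port)) if sep else (value, default_port)


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def first(options, key, default=None):
    """Value of the first occurrence of `key` in a section's option list."""
    return next((v for k, v in options if k == key), default)


def review(conf, redirect_port=5300):
    """Findings relevant to the on-device NetGuard -> 127.0.0.1:redirect_port setup."""
    findings = []
    server = conf.get("server", [])
    port = int(first(server, "port", 53))
    ssl_port = int(first(server, "ssl-port", 853))
    # with no interface directive unbound listens on localhost
    interfaces = [v for k, v in server if k == "interface"] or ["127.0.0.1"]
    plain_ports = set()
    for value in interfaces:
        host, lport = split_addr(value, port)
        if not is_loopback(host):
            findings.append("interface %s@%d listens beyond loopback; the NetGuard "
                            "redirect only needs 127.0.0.1" % (host, lport))
        if lport == ssl_port:        # interfaces on ssl-port get the TLS service only
            findings.append("interface %s@%d equals ssl-port, so it serves "
                            "DNS-over-TLS only" % (host, lport))
        else:
            plain_ports.add(lport)
    if redirect_port not in plain_ports:
        findings.append("no plain-DNS listener on port %d, the NetGuard redirect "
                        "target" % redirect_port)
    if first(server, "ssl-upstream") == "yes":   # global: applies to every forwarder
        for k, v in conf.get("forward-zone", []):
            if k == "forward-addr" and is_loopback(split_addr(v, 53)[0]):
                findings.append("ssl-upstream: yes also applies to %s, but the local "
                                "dnscrypt-proxy listener speaks plain DNS" % v)
    control = conf.get("remote-control", [])
    if first(control, "control-enable") == "yes":
        host = first(control, "control-interface", "127.0.0.1")
        if not is_loopback(host):
            findings.append("control-interface %s exposes unbound-control beyond the "
                            "device (certificate-authenticated, but unneeded here)" % host)
    return findings


if __name__ == "__main__":
    for finding in review(parse_unbound_conf(POSTED_CONF)):
        print("-", finding)
```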

I hope in the next release DNS over TLS can work with your great apps.

cgk78 avatar Jan 22 '18 18:01 cgk78