
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
2118 views
Unbound stub-zone not working
I have an unbound server that resolves VPN addresses as local data:
local-data: "host1.wireguard. A 10.10.100.10"
local-data: "host2.wireguard. A 10.100.100.11"
Polling it directly returns DNS records just fine. But having added a stub zone that points to the Unbound server, I do not get any results. This is part of the configuration of my local unbound:
stub-zone:
        name: "wireguard"
        stub-addr: 10.10.10.1  # DNS server's address

forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
I tried different variations of the config, but to no avail. Anything I am missing?
Emerick Whyte (11 rep)
Sep 5, 2020, 02:02 PM • Last activity: May 8, 2025, 01:02 AM
0 votes
1 answers
67 views
Querying domains against Spamhaus DBL
I have been struggling for a few weeks to query domains against Spamhaus' DBL. I am capturing a list of newly registered domains and looking to see whether any of these domains have been flagged by the Spamhaus DBL block list. I am using the command dig dbltest.com.dbl.spamhaus.org, which should return a response:
;; ANSWER SECTION: dbltest.com.dbl.spamhaus.org. 60 IN A 127.0.1.2
to confirm that it has been flagged as phishing, but instead I just receive an error:
communications error to 127.0.0.1#53: timed out
I have set up a new Ubuntu server and have also installed unbound and DNSMasq to see if using these would resolve the issue, but to no avail. Has anyone been able to query against Spamhaus DBL?
Raterax (1 rep)
Mar 21, 2025, 09:58 PM • Last activity: Mar 22, 2025, 12:03 PM
1 votes
1 answers
711 views
Unbound can't write logs to file
I installed unbound 1.13.1 and I want to use it as a recursive resolver and log everything into a file. Unfortunately, unbound does not write into the file and I get the error:
Feb 15 11:46:53 unbound[832702:0] error: Could not open logfile /etc/unbound/unbound.log: Permission denied
The file's ownership has already been assigned to user unbound and the service has been restarted:
0 -rw-r--r-- 1 unbound unbound 0 Feb 15 10:17 unbound.log
I also tried to create this file in multiple other directories, like my home directory, under /var/sys/log/, etc., but the exact same error persists. And this is what the config file looks like:
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
server:
    use-syslog: no
    chroot: ""
    username: "unbound"
    directory: "/etc/unbound/"
    logfile: "/etc/unbound/unbound.log"
    verbosity: 5
    log-queries: yes
    log-replies: yes
    log-tag-queryreply: yes
    log-servfail: yes
    log-time-ascii: yes
    do-ip6: yes
    interface: 127.0.0.53
    port: 53
    prefetch: no
    root-hints: /usr/share/dns/root.hints
    harden-dnssec-stripped: yes
Does anyone see what I am doing wrong regarding the log file?
Mnemosyne (161 rep)
Feb 15, 2024, 12:02 PM • Last activity: Apr 13, 2024, 06:24 PM
0 votes
1 answers
208 views
Unbound dns over tls
I have unbound installed and it works just fine (debian testing).
I also have a domain at duckdns.org.
I would like to set DoT on my Android phone as xxxxx.duckdns.org, so I can make all requests go through my server.
What am I supposed to do/install/whatever, to make it work?
Or is this not possible this way?
/etc/unbound/unbound.conf.d/myconfig.conf
server:

  interface: 0.0.0.0
  interface: ::0

  prefetch: yes
  do-not-query-localhost: no

  access-control: 0.0.0.0/0 allow
/etc/NetworkManager/conf.d/myconfig.conf
[main]
dns=none
systemd-resolved=false
/etc/resolv.conf
nameserver 127.0.0.1
nameserver ::1
options trust-ad
murkom (1 rep)
Sep 21, 2023, 12:52 AM • Last activity: Dec 13, 2023, 09:23 PM
5 votes
2 answers
14890 views
How to disable ip6 lookups in unbound?
I attempted to disable IPv6 lookups in unbound through these options:
do-ip6: no
prefer-ip6: no
Really, prefer-ip6 should only take effect when do-ip6 is yes. In any case, I use tcpdump to dump the traffic and I still see IPv6 queries being issued to my forwarding server. If I have disabled it, why is unbound still attempting to do IPv6? Is there another hidden option that is silently enabling it?
Walter (1264 rep)
May 17, 2018, 03:41 AM • Last activity: Nov 3, 2023, 05:02 AM
3 votes
1 answers
5087 views
Pihole warning elaboration: "reducing DNS packet size for nameserver ADDRESS to SAFE_PKTSZ"
Could anyone elaborate a little on this warning? Reading the unbound comment it references, I guess it's some configuration in place for security reasons (?), but I'm not clear on what the _tradeoffs_ really are if you "get rid of" this warning by adding the config file mentioned below.
> reducing DNS packet size for nameserver ADDRESS to SAFE_PKTSZ
>
> When receiving answers from upstream only with a smaller maximum DNS packet size, dnsmasq warns about this and remembers this decision per server for some time (defaulting to 60 seconds).
>
> If you see this message continuously, you are affected by some unusual truncation on the path from your Pi-hole to the configured upstream server. You can get rid of the warning by adding a config file like /etc/dnsmasq.d/99-edns.conf and adding
>
>     edns-packet-max=1232
>
> After running pihole restartdns your Pi-hole will not even try larger packet sizes (the default is 4096). Check out our [unbound guide](https://docs.pi-hole.net/guides/dns/unbound/) for a comment about the particular value of 1232.
Manius (171 rep)
Apr 4, 2022, 06:53 PM • Last activity: Jan 16, 2023, 07:03 PM
-1 votes
1 answers
1889 views
Bridging Ethernet Interface on OpenBSD and Other Problems
I am currently setting up an OpenBSD firewall, router, and DNS server. I've been following various guides online, with the bulk of my configuration coming from the OpenBSD site and the pf configuration adapted from another guide. Here are the main links:
Bridge Setup — https://www.openbsd.org/faq/faq6.html
PF Setup — https://www.openbsd.org/faq/pf/example1.html , https://openbsdrouterguide.net
When trying this out, I have two main issues that I'm not sure how to resolve. The first issue is that the bridge as explained in the OpenBSD guide is not working (no IP on the interface). The WAN port does successfully get an IP from the ISP and I can ping 1.1.1.1 as well as websites like openbsd.org and google.com. However, when I attempt to do a fw_update or a pkg_add to maintain the system, I get an error stating that there is no route to host. My pf.conf does not load properly because it says there is a syntax error and bridge cannot be assigned an IP. I've looked my pf.conf over and I cannot spot where the syntax error is. Here is my pf.conf:
# MACROS
pubif = "em0"
bridge = "bridge0"
wifi = "em5"

# TABLES
table  {0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 255.255.255.255/32}

# RULES
set skip on lo0

# Spoofs
block in from no-route
block in quick from urpf-failed

# Block Non-routes
block in quick on $pubif from  to any
block return out quick on $pubif from any to 

# Default Block
block return in on {$bridge $wifi}
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild
block drop in log on $pubif

# Allow ICMP
match in on $pubif inet proto icmp icmp-type {echoreq} tag ICMP_IN
block drop in on $pubif proto icmp
pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10

# Router to Internet
pass out inet from $pubif

# Interfaces to Internet
pass in on {$bridge $wifi}

# Block DNS not originating from server
block return in quick on $bridge proto {udp tcp} to ! $bridge port {53 853}
block return in quick on $wifi proto {udp tcp} to ! $wifi port {53 853}

# Allow LAN
pass out on {$bridge $wifi} inet keep state

# NAT Rules
pass out on $pubif inet from $bridge:network to any nat-to ($pubif)
pass out on $pubif inet from $wifi:network to any nat-to ($pubif)
Here is my unbound.conf:
server:
	interface: 127.0.0.1
	interface: 10.0.0.1
	interface: 10.0.1.1

	access-control: 0.0.0.0/0 refuse
	access-control: ::0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::1 allow
	access-control: 10.0.0.0/24 allow
	access-control: 10.0.1.0/24 allow

	hide-identity: yes

	hide-version: yes

	prefetch: yes

	private-address: 10.0.0.0/16

	auto-trust-anchor-file: "/var/unbound/db/root.key"
	root-hints: "/var/unbound/db/root.hints"

	cache-min-ttl: 3600
	serve-expired: yes

remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock
Here is my dhcpd:
subnet 10.0.0.0 netmask 255.255.255.0 {
	option domain-name-servers 10.0.0.1;
	option routers 10.0.0.1;
	range 10.0.0.32 10.0.0.254;
}
subnet 10.0.1.0 netmask 255.255.255.0 {
	option domain-name-servers 10.0.1.1;
	option routers 10.0.1.1;
	range 10.0.1.32 10.0.1.254;
}
My vether0
10.0.0.1 255.255.255.0 10.0.0.255
my bridge0
add vether0
add em1
add em2
add em3
add em4
up
The bridged interfaces are simply marked as up in their hostname.if, and em5, which would connect to the access point, is marked with its own IP to separate it from the rest of the network (10.0.1.1). rc.conf.local has the following lines:
dhcpd_flags=vether0
unbound_flags=
unbound_timeout=240
At this point, I'm not quite sure what I'm doing wrong. I feel I have followed all instructions. The one area I am most unsure of is the vether0 and bridge0. Perhaps I am not doing this correctly? If anyone sees my error, I would appreciate it if you could direct me to fixing it. Thank you.
EDIT: ifconfig -a:
lo0: flags=8049 mtu 32768
	index 8 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
	inet 127.0.0.1 netmask 0xff000000
em0: flags=808843 mtu 1500
	lladdr 00:e0:67:2b:a9:ec
	index 1 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em1: flags=8b43 mtu 1500
	lladdr 00:e0:67:2b:a9:ed
	index 2 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em2: flags=8b43 mtu 1500
	lladdr 00:e0:67:2b:a9:ee
	index 3 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em3: flags=8b43 mtu 1500
	lladdr 00:e0:67:2b:a9:ef
	index 4 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em4: flags=8b43 mtu 1500
	lladdr 00:e0:67:2b:a9:f0
	index 5 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em5: flags=8843 mtu 1500
	lladdr 00:e0:67:2b:a9:f1
	index 6 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
	inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
enc0: flags=0
	index 7 priority 0 llprio 3
	groups: enc
	status: active
bridge0: flags=41 mtu 1500
	index 9 llprio 3
	groups: bridge
	priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
	em4 flags=3
		port 5 ifpriority 0 ifcost 0
	em3 flags=3
		port 4 ifpriority 0 ifcost 0
	em2 flags=3
		port 3 ifpriority 0 ifcost 0
	em1 flags=3
		port 2 ifpriority 0 ifcost 0
	vether0 flags=3
		port 10 ifpriority 0 ifcost 0
vether0: flags=8943 mtu 1500
	lladdr fe:e1:ba:d0:86:5a
	index 10 priority 0 llprio 3
	groups: vether
	media: Ethernet autoselect
	status: active
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
pflog0: flags=141 mtu 33136
	index 11 priority 0 llprio 3
	groups: pflog
pfctl -nf /etc/pf.conf:
no IP address found for em0
/etc/pf.conf:33: could not parse host specification
no IP address found for bridge0
/etc/pf.conf:39: could not parse host specification
no IP address found for bridge0:network
/etc/pf.conf:49: could not parse host specification
user474102
Jun 28, 2022, 02:55 AM • Last activity: Jun 29, 2022, 10:57 AM
1 votes
0 answers
167 views
Unbound doens't look for A records in cache
I deployed the unbound caching server; below is how it is deployed:
Client ---> InternelDNSServer(Windows) ---> ExternalDNSServer(RHEL) ---> GoogleDNS
From Localhost (unbound): if I do dig +ttlunits somesite.com, on the first try it goes to the Google DNS servers, and on the second try it is answered from the unbound cache and the query time is either 1 msec or 0 msec; tcpdump confirms that it is answered from the internal cache. But for any other client behind the InternelDNSServer, the query still goes to GoogleDNS. Below is the unbound.conf content:
server:
    verbosity: 1
    statistics-interval: 0
    statistics-cumulative: no
    extended-statistics: yes
    num-threads: 4
    interface: 192.168.56.10
    interface-automatic: no
    so-reuseport: yes
    ip-transparent: yes
    do-ip4: yes
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.56.10/32 allow         # (unbound, Localhost)
    access-control: 10.30.10.1/32 allow_snoop      # (InternetDNSServer1)
    access-control: 10.30.11.2/32 allow_snoop      # (InternetDNSServer2)
    chroot: ""
    username: "unbound"
    directory: "/etc/unbound"
    logfile: /var/log/unbound/unbound.log
    log-queries: yes
    use-syslog: yes
    log-time-ascii: yes
    log-replies: yes
    pidfile: "/var/run/unbound/unbound.pid"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    unwanted-reply-threshold: 10000000
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    module-config: "ipsecmod validator iterator"
    trust-anchor-signaling: yes
    trusted-keys-file: /etc/unbound/keys.d/*.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    val-permissive-mode: no
    val-log-level: 1
    include: /etc/unbound/local.d/*.conf
    ipsecmod-enabled: no
    ipsecmod-hook: "/usr/libexec/ipsec/_unbound-hook"
python:
remote-control:
    control-enable: yes
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
    forward-addr: 1.1.1.1
    forward-first: no
include: /etc/unbound/conf.d/*.conf
/etc/resolv.conf contents:
# Generated by NetworkManager
search privatedomain.com
nameserver 192.168.56.10
I'm confused why it is not looking in the cache for clients behind the InternelDNSServer.
OmiPenguin (4398 rep)
May 29, 2022, 05:01 AM • Last activity: May 29, 2022, 05:19 AM
1 votes
0 answers
465 views
Unbound IP redirection
I'm trying to redirect my LAN queries, i.e. 10.0.0.0/8, to my captive portal hosted at 10.10.10.10. I've 2 networks, 10.0.0.0/8 and 192.168.1.0/24. The objective is to redirect 10.0.0.0/8 to 10.10.10.10. There's no DHCP server at the moment for this IP pool; devices are statically mapped with 10.x.x.x/8. All DNS queries are going to the Unbound resolver. I tried creating a few changes in the unbound config, but no luck so far.
**Server:**
unblock-lan-zones: yes
insecure-lan-zones: yes
domain-insecure: "10.in-addr.arpa."
Option 1: local-zone
local-zone: "10.in-addr.arpa." transparent
forward-zone:
    name: "10.in-addr.arpa."
    forward-addr: 10.10.10.10
Option 2: via define tags
define-tags: "portal"
access-control-tag: 10.0.0.0/8 "portal"
access-control-tag-action: 10.0.0.0/8 "portal" redirect
access-control-tag-data: 10.0.0.0/8 "portal" "A 10.10.10.10"
Option 3: Respip module
response-ip: 10.0.0.0/8 redirect
response-ip-data: 10.0.0.0/8 A 10.10.10.10
Can you please steer me in the right direction?
Akshay (11 rep)
May 9, 2022, 06:35 AM • Last activity: May 10, 2022, 03:56 AM
1 votes
1 answers
1815 views
service start automatically on debian 10
I have a server with Debian 10; the unbound service was previously installed on it. Today I noticed that the service is reset every minute. I even deleted the file /lib/systemd/system/unbound.service and killed the process manually, but it runs automatically again; I cannot understand what process runs this service twice. I have two problems: #1: how does the service start again automatically? #2: if the service started, why is it reset again? Also, I do not think the reset is due to the service itself.
unbound.service
   Loaded: loaded (/etc/init.d/unbound; generated)
   Active: active (running) since Sun 2022-05-01 14:57:25 +0430; 50s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 24965 ExecStart=/etc/init.d/unbound start (code=exited, status=0/SUCCESS)
 Main PID: 24985 (unbound)
    Tasks: 8 (limit: 4915)
   Memory: 14.3M
   CGroup: /system.slice/unbound.service
                 24985 /usr/sbin/unbound

May 01 14:57:24 INF-dns-ntp02 systemd: Starting unbound.service...
May 01 14:57:24 INF-dns-ntp02 unbound-anchor: /var/lib/unbound/root.key has content
May 01 14:57:24 INF-dns-ntp02 unbound-anchor: success: the anchor is ok
May 01 14:57:25 INF-dns-ntp02 unbound: Starting DNS server: unbound.
May 01 14:57:25 INF-dns-ntp02 systemd: Started unbound.service.
**UPDATE**: list of files
/etc/apparmor.d/local/usr.sbin.unbound
/etc/apparmor.d/usr.sbin.unbound
/etc/init.d/unbound
/etc/insserv.conf.d/unbound
/etc/resolvconf/update.d/unbound
/etc/systemd/system/multi-user.target.wants/unbound.service -> /lib/systemd/system/unbound.service
/etc/systemd/system/unbound.service.d
/etc/systemd/system/unbound.service.wants
/etc/systemd/system/unbound.service.wants/unbound-resolvconf.service -> /lib/systemd/system/unbound-resolvconf.service
/etc/unbound
/etc/unbound/unbound.conf
/etc/unbound/unbound.conf.bk
/etc/unbound/unbound.conf.d
/run/systemd/generator.late/graphical.target.wants/unbound.service -> ../unbound.service
/run/systemd/generator.late/multi-user.target.wants/unbound.service -> ../unbound.service
/run/systemd/generator.late/unbound.service
/run/systemd/units/invocation:unbound.service -> ff49954ca79b45bf851f4f6c9eb007da
/usr/lib/x86_64-linux-gnu/libunbound.so.8 -> libunbound.so.8.1.0
/usr/lib/x86_64-linux-gnu/libunbound.so.8.1.0
/usr/sbin/unbound
/usr/sbin/unbound-anchor
/usr/sbin/unbound-checkconf
/usr/sbin/unbound-control
/usr/sbin/unbound-control-setup
/usr/share/doc/libunbound8
/usr/share/doc/unbound
/usr/share/doc/unbound-anchor
**Update2:** remove all /etc/rc*/[ks]unbound
unbound.service
   Loaded: loaded (/etc/init.d/unbound; generated)
   Active: active (running) since Sun 2022-05-01 18:22:25 +0430; 5s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4854 ExecStart=/etc/init.d/unbound start (code=exited, status=0/SUCCESS)
 Main PID: 4873 (unbound)
    Tasks: 8 (limit: 4915)
   Memory: 13.6M
   CGroup: /system.slice/unbound.service
                 4873 /usr/sbin/unbound

May 01 18:22:24 INF-dns-ntp02 systemd: Starting unbound.service...
May 01 18:22:25 INF-dns-ntp02 unbound-anchor: /var/lib/unbound/root.key has content
May 01 18:22:25 INF-dns-ntp02 unbound-anchor: success: the anchor is ok
May 01 18:22:25 INF-dns-ntp02 unbound: Starting DNS server: unbound.
May 01 18:22:25 INF-dns-ntp02 systemd: Started unbound.service.
I killed the main PID 4873 (kill -9 4873), but the unbound service starts again automatically ...
**Update3:** grep -r unbound /etc
output: 

/etc/apparmor.d/usr.sbin.unbound:/usr/sbin/unbound flags=(attach_disconnected) {
/etc/apparmor.d/usr.sbin.unbound:  /etc/unbound/** r,
/etc/apparmor.d/usr.sbin.unbound:  owner /etc/unbound/*.key* rw,
/etc/apparmor.d/usr.sbin.unbound:  audit deny /etc/unbound/unbound_control.{key,pem} rw,
/etc/apparmor.d/usr.sbin.unbound:  audit deny /etc/unbound/unbound_server.key w,
/etc/apparmor.d/usr.sbin.unbound:  /var/lib/unbound/** r,
/etc/apparmor.d/usr.sbin.unbound:  owner /var/lib/unbound/** rw,
/etc/apparmor.d/usr.sbin.unbound:  audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw,
/etc/apparmor.d/usr.sbin.unbound:  audit deny /var/lib/unbound/**/unbound_server.key w,
/etc/apparmor.d/usr.sbin.unbound:  /usr/sbin/unbound mr,
/etc/apparmor.d/usr.sbin.unbound:  /{,var/}run/{unbound/,}unbound.pid rw,
/etc/apparmor.d/usr.sbin.unbound:  /{,var/}run/unbound.ctl rw,
/etc/apparmor.d/usr.sbin.unbound:  #include
pyramid13 (639 rep)
May 1, 2022, 10:35 AM • Last activity: May 1, 2022, 06:51 PM
1 votes
1 answers
1623 views
Using Unbound's stub-zone and NSD for local resolving does not work
I am having issues setting up Unbound as a general use DNS resolver and NSD as a local authoritative server. I intend to use Unbound as a replacement for my router's DNS server and would like to incorporate a range of private domains which may reference each other. Using Unbound's local DNS resolver via local-data and the like does not fulfill my needs; hence the need for NSD. My setup is that I have Unbound running on port 53 and NSD on port 10053 (listening only on localhost) on the same machine. My Unbound config:
server:
      # private and link-local subnets
      private-address: 10.0.0.0/8
      private-address: 172.16.0.0/12
      private-address: 192.168.0.0/16
      private-address: 169.254.0.0/16
      private-address: fd00::/8
      private-address: fe80::/10

      local-zone: "xe." transparent
      private-domain: "xe"

stub-zone:
      name: "xe"
      stub-addr: ::1@10053
      stub-addr: 127.0.0.1@10053
I won't go into the details of my zone config for xe., but I can tell you that using dig -p 10053 .xe resolves just fine. Unbound resolves external domains like google.com without any problems. I just cannot seem to get this to work. Do you have any suggestions on how I might get this to work?
dschemp (11 rep)
Oct 29, 2021, 12:23 PM • Last activity: Dec 5, 2021, 02:17 PM
3 votes
1 answers
3080 views
why has dnsmasq started running and taking up 53 so that my unbound can't start
Arch up to date. Through QEMU manager I had recently created a NAT network mapped to my wireless device. The plan is to use the wireless for the VM and the ethernet for the host. Before that the VM and the host unbound were okay. No other system changes. Now, after system reboot, unbound fails to start, complaining that it can't get port 53. Through lsof I see that dnsmasq has taken 53. This happens even though I have the virtual networks to NOT start up on boot. I don't want to change unbound's port because that will require re-configuring its clients. Why is dnsmasq starting? What is the simplest least impactful configuration change?
Stephen Boston (2526 rep)
Oct 17, 2021, 08:29 PM • Last activity: Oct 18, 2021, 04:35 AM
3 votes
1 answers
3082 views
unbound not finding log file -- but log file exists
Error 'finding' the log file on starting the unbound service:
Jun 25 20:02:19 asus unbound: unbound[111312:0] error: Could not open logfile /var/log/unbound.log: No such file or directory
But the file exists and should be writable... For *example* (I have tried a number of combinations of ownership and perms):
[root@asus:/var/log] :> ll | grep unbound
-rw-rw-r-- 1 root unbound 0 2021-06-25 20:00 unbound.log
Where's the error? I have even tried
-rw-r--r-- 1 unbound unbound 0 2021-06-25 20:00 unbound.log
and
-rw-rw-r-- 1 stephen stephen 0 2021-06-25 20:00 unbound.log
and
-rw-rw-r-- 1 root root 0 2021-06-25 20:00 unbound.log
And so on. Parent permissions:
drwxr-xr-x 13 root root 4.0K 2021-06-24 14:19 var
drwxr-xr-x 13 root root 4.0K 2021-06-25 20:00 log
Logging config in unbound.conf is:
server:
    directory: "/etc/unbound"
    username: unbound
    chroot: "/etc/unbound"
    pidfile: "/etc/unbound/unbound.pid"
    interface: 0.0.0.0
    interface: ::0
    logfile: /var/log/unbound.log
    verbosity: 1
    log-queries: yes
Stephen Boston (2526 rep)
Jun 26, 2021, 03:20 AM • Last activity: Jun 26, 2021, 12:42 PM
0 votes
1 answers
414 views
UniFi + PiHole + Unbound -- Block specific sites by MAC address & Subnet
My general setup is several Ubiquiti switches, APs, a UDMP, etc. I have multiple VLANs which ultimately intertwine with a PiHole and Unbound running on the same VM on a Dell PowerEdge R420. I have three small children all homeschooling due to the pandemic and need desperately to block YouTube from a series of devices, in two specific cases:
1. Specific devices (by MAC address) on one VLAN.
2. All devices on a second VLAN.
I know the PiHole can block devices to a site/regex by MAC, but only by one hop. So given the number of switches in my network, this doesn't work. I'm hoping this is something that can be done with either Unbound or another *nix utility that I'm not aware of. Suggestions?
CDub (101 rep)
Feb 12, 2021, 06:23 PM • Last activity: Feb 12, 2021, 07:23 PM
2 votes
1 answers
2061 views
What is the difference between unbound and unwind?
Reading the man pages of OpenBSD gives me "unwind - validating DNS resolver" and "unbound - Unbound DNS validating resolver 1.11.0", which begs the question: what is the difference between these programs, and which should I prefer?
Bex (768 rep)
Nov 1, 2020, 09:30 AM • Last activity: Nov 2, 2020, 11:24 AM
1 votes
1 answers
2301 views
Can you specify a different configuration for different interfaces in unbound?
Can the unbound DNS server give different answers to DNS queries made on different interfaces (split-horizon)? I did not see any indication in the manual that it could, but I may have missed something.
F.X. (361 rep)
Oct 29, 2020, 07:54 PM • Last activity: Nov 1, 2020, 08:18 AM
0 votes
1 answers
7244 views
Random unbound variable error within function
I made a function in bash and when I call it, it *crashes* with an unbound variable error. I don't understand, because the variables that are said to be _unbound_ are declared. Moreover, it seems to be triggered randomly: sometimes it crashes on line 66, sometimes it crashes on line 76, and some other times it crashes on line 86. Here is the function:
#!/usr/bin/env bash

function setConfigLS() {
    declare DFLT_CFG_FILE="${WEB_DOCUMENT_ROOT}/application/config/config.php"
    declare DFLT_ARRAY='config'
    declare cfgFile="$DFLT_CFG_FILE"
    declare array="$DFLT_ARRAY"
    declare value key arg
    declare -a args=()

    while (( $# > 0 )); do
        arg="$1" && shift
        case "$arg" in
            --file=*)
                cfgFile="${arg#*=}"
            ;;
            -f|--file)
                cfgFile="$1"
                shift
            ;;
            --value=*)
                value="${arg#*=}"
            ;;
            -v|--value)
                value="$1"
                shift
            ;;
            --key=*)
                key="${arg#*=}"
            ;;
            -k|--key)
                key="$1"
                shift
            ;;
            --array=*)
                array="${arg#*=}"
            ;;
            -a|--array)
                array="$1"
                shift
            ;;
            -h|--help)
                echo >&2 'Set a LimeSurvey configuration option.'
                echo >&2 ''
                echo >&2 'Usage:'
                echo >&2 '  setConfigLS [options...]  '
                echo >&2 '  setConfigLS [options...] --value= --key='
                echo >&2 ''
                echo >&2 'Options:'
                echo >&2 '  --file, -f   LimeSurvey configuration file.'
                echo >&2 "                              Default: ${DFLT_CFG_FILE}"
                echo >&2 '  --array, -a        Name of array containing the configuration.'
                echo >&2 "                              Default: ${DFLT_ARRAY}"
                echo >&2 '  --key, --k           Key of the configuration option to set. (required)'
                echo >&2 '  --value, -v        Value of the configuration option. (required)'
                echo >&2 '  --help, -h                Prints this message.'
                echo >&2 ''
                return 0
            ;;
            *)
                args+=( "$arg" )
            ;;
        esac
    done

    if [ -z "$key" ]; then # line 66: key: unbound variable
        if (( ${#args} > 0 )); then
            key="${args}"
            args=( "${args[@]:1}" )
        else
            echo 'Error: --key is required' >&2
            return 1
        fi
    fi

    if [ -z "$value" ]; then # line 76: value: unbound variable
        if (( ${#args} > 0 )); then
            value="${args}"
            args=( "${args[@]:1}" )
        else
            echo 'Error: --value is required' >&2
            return 1
        fi
    fi

    if (( ${#args} > 0 )); then # line 86: args: unbound variable
        echo 'Error: too many arguments' >&2
        return 1
    fi

    array="${array//\//\\\/}"
    value="${value//$'\n'/\\$'\n'}"

    ssed -Ri "$cfgFile" \
        -e 's~^(\s*)('"${array}"'\s*=>\s*array\s*\()((?:\([^)]*\)|[^)])+)~\1\2\n\1    \3\n\1~'

    ssed -Ri "$cfgFile" \
        -e '/^\s*'"${array}"'\s*=>\s*array\s*\([^)]*$/ {
                :a
                n
                s~^((?:\s*(?:[^,/\s]|/[^/]))+)(\s*//.*)?$~\1,\2~
                s~^(\s*)//\s*('"${key//~/\\~}"'\s*=>)~\1\2~
                /^\s*\)/ {
                    i \        '"${key}"'=>'"${value}"',
                    bq
                }
                /^\s*'"${key//\//\\\/}"'\s*=>/ {
                    s~>.*~>'"${value//~/\\~}"',~
                    bq
                }
                ba
                :q
            }'
}
I tried replacing `declare value key arg` with...

```bash
declare value=
declare key=
declare arg=
```

...but it didn't change anything. I'm a little bit confused! Did I miss something? Is there something I'm not seeing?

**Edit 1**

The function is called from an entrypoint script of a Docker image based on Ubuntu 18.04. In fact, I use [this image](https://github.com/webdevops/Dockerfile/tree/master/docker/php-apache-dev/ubuntu-18.04). The function's file is copied to `/opt/docker/functions/set-config-ls.sh`. Here is the script from which the function is called:
```bash
#!/usr/bin/env bash
set -eu

declare FUNC_DIR='/opt/docker/functions'
declare APP_DIR="${WEB_DOCUMENT_ROOT}"
declare DB_SETUP_PHP="/opt/docker/db_setup.php"

source "${FUNC_DIR}/tty-loggers.sh"
source "${FUNC_DIR}/yes-no.sh"
source "${FUNC_DIR}/file-env.sh"
source "${FUNC_DIR}/set-config-ls.sh"
source "${FUNC_DIR}/env-list-vars.sh"


####################################################################
########################## Setup Variables #########################

fileEnv 'LIMESURVEY_DB_TYPE' 'mysql'
fileEnv 'LIMESURVEY_DB_HOST' 'mysql'
fileEnv 'LIMESURVEY_DB_PORT' '3306'
fileEnv 'LIMESURVEY_TABLE_PREFIX' ''
fileEnv 'LIMESURVEY_ADMIN_NAME' 'Lime Administrator'
fileEnv 'LIMESURVEY_ADMIN_EMAIL' 'lime@lime.lime'
fileEnv 'LIMESURVEY_ADMIN_USER' ''
fileEnv 'LIMESURVEY_ADMIN_PASSWORD' ''
fileEnv 'LIMESURVEY_DEBUG' '0'
fileEnv 'LIMESURVEY_SQL_DEBUG' '0'
fileEnv 'MYSQL_SSL_CA' ''
fileEnv 'LIMESURVEY_USE_INNODB' ''

# if we're linked to MySQL and thus have credentials already, let's use them
fileEnv 'LIMESURVEY_DB_NAME' "${MYSQL_ENV_MYSQL_DATABASE:-limesurvey}"
fileEnv 'LIMESURVEY_DB_USER' "${MYSQL_ENV_MYSQL_USER:-root}"

if [ "${LIMESURVEY_DB_USER}" = 'root' ]; then
    fileEnv 'LIMESURVEY_DB_PASSWORD' "${MYSQL_ENV_MYSQL_ROOT_PASSWORD:-}"
else
    fileEnv 'LIMESURVEY_DB_PASSWORD' "${MYSQL_ENV_MYSQL_PASSWORD:-}"
fi

if [ -z "${LIMESURVEY_DB_PASSWORD}" ]; then
    logError 'error: missing required LIMESURVEY_DB_PASSWORD environment variable' >&2
    logError '  Did you forget to -e LIMESURVEY_DB_PASSWORD=... ?' >&2
    logError '' >&2
    logError '  (Also of interest might be LIMESURVEY_DB_USER and LIMESURVEY_DB_NAME.)' >&2
    exit 1
fi

declare -A CONNECTION_STRINGS=(
    [mysql]="mysql:host=${LIMESURVEY_DB_HOST};port=${LIMESURVEY_DB_PORT};dbname=${LIMESURVEY_DB_NAME};"
    [dblib]="dblib:host=${LIMESURVEY_DB_HOST};dbname=${LIMESURVEY_DB_NAME}"
    [pgsql]="pgsql:host=${LIMESURVEY_DB_HOST};port=${LIMESURVEY_DB_PORT};user=${LIMESURVEY_DB_USER};password=${LIMESURVEY_DB_PASSWORD};dbname=${LIMESURVEY_DB_NAME};"
    [sqlsrv]="sqlsrv:Server=${LIMESURVEY_DB_HOST};Database=${LIMESURVEY_DB_NAME}"
)

if [ -z "${CONNECTION_STRINGS[${LIMESURVEY_DB_TYPE}]}" ]; then
    logError "error: invalid database type: ${LIMESURVEY_DB_TYPE}" >&2
    logError "  LIMESURVEY_DB_TYPE must be either \"mysql\", \"dblib\", \"pgsql\" or \"sqlsrv\"." >&2
    exit 1
fi


####################################################################
######################## Download LimeSurvey #######################

if [ ! -f "${APP_DIR}/.RELEASE_${LIMESURVEY_GIT_RELEASE}" ] || isYes "${LIMESURVEY_FORCE_FETCH}"; then
    find "$APP_DIR" -maxdepth 1 -type f -name '.RELEASE_*' -delete

    logInfo "Retrieving LimeSurvey... (this operation may take a while)" >&2
    wget -O "/tmp/lime.tar.gz" \
        --progress="$( [ -t 1 ] && echo 'bar:noscroll' || echo 'dot:mega' )" \
        "https://github.com/LimeSurvey/LimeSurvey/archive/${LIMESURVEY_GIT_RELEASE}.tar.gz"


    logInfo "Extracting files from archive..." >&2
    tar -xzf "/tmp/lime.tar.gz" \
        --strip-components=1 \
        --keep-newer-files \
        --exclude-vcs \
        --to-command='sh -c '\''
            mkdir -p "$(dirname "'"${APP_DIR}"'/$TAR_FILENAME")" &&
                touch "'"${APP_DIR}"'/$TAR_FILENAME" &&
                dd of="'"${APP_DIR}"'/$TAR_FILENAME" >/dev/null 2>&1 &&
                echo "'"${APP_DIR}"'/$TAR_FILENAME" '\' |
        xargs -I '{}' touch -t 195001010000 '{}'

    chown -R "${APPLICATION_USER}:${APPLICATION_GROUP}" "$APP_DIR"
    rm "/tmp/lime.tar.gz"

    # the marker must live where the check above looks for it, not in the cwd
    touch "${APP_DIR}/.RELEASE_${LIMESURVEY_GIT_RELEASE}"
fi


####################################################################
######################### LimeSurvey Setup #########################

# Install BaltimoreCyberTrustRoot.crt.pem
if [ ! -f "${APP_DIR}/BaltimoreCyberTrustRoot.crt.pem" ]; then
    logInfo "Downloading BaltimoreCyberTrustroot.crt.pem..."
    curl -fsSLo "${APP_DIR}/BaltimoreCyberTrustRoot.crt.pem" \
        "https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem"
fi

if [ ! -f "${APP_DIR}/application/config/config.php" ]; then
    logWarn "No config file for LimeSurvey"
    logWarn "  Copying default config file..."
    # Copy default config file but also allow for the addition of attributes
    echo "            'attributes' => array()," |
        awk '/lime_/ && c == 0 { c = 1; system("cat") } { print }' \
            "${APP_DIR}/application/config/config-sample-${LIMESURVEY_DB_TYPE}.php" \
            > "${APP_DIR}/application/config/config.php"
fi

# Set LimeSurvey configs
setConfigLS -a 'db' -k 'connectionString' "'${CONNECTION_STRINGS[${LIMESURVEY_DB_TYPE}]}'"
setConfigLS -a 'db' -k 'tablePrefix' "'${LIMESURVEY_TABLE_PREFIX}'"
setConfigLS -a 'db' -k 'username' "'${LIMESURVEY_DB_USER}'"
setConfigLS -a 'db' -k 'password' "'${LIMESURVEY_DB_PASSWORD}'"
setConfigLS -a 'urlManager' -k 'urlFormat' "'path'"
setConfigLS -k 'debug' "${LIMESURVEY_DEBUG}"
setConfigLS -k 'debugsql' "${LIMESURVEY_SQL_DEBUG}"

if [ -n "${MYSQL_SSL_CA}" ]; then
    setConfigLS -a 'db' 'attributes' \
        "array(PDO::MYSQL_ATTR_SSL_CA => '${APP_DIR//\//\\\/}\/${MYSQL_SSL_CA}',
            PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false)"
fi

declare cfg key val
for ENV_VAR in $(envListVars "limesurvey\."); do
        val="$(envGetValue "$ENV_VAR")"
        cfg="${ENV_VAR#limesurvey.}"
        cfg="${cfg%%.*}"
        key="${ENV_VAR#limesurvey.*.}"
        setConfigLS -a "$cfg" "$key" "$val"
done

mkdir -p "${APP_DIR}/upload/surveys"
chown -R "${APPLICATION_USER}:${APPLICATION_GROUP}" \
    "${APP_DIR}/tmp" "${APP_DIR}/upload" "${APP_DIR}/application/config"

####################################################################
#################### LimeSurvey Database Setup #####################

if [ -n "${LIMESURVEY_USE_INNODB}" ]; then
    # If you want to use INNODB - remove MyISAM specification from LimeSurvey code
    sed -i "/ENGINE=MyISAM/s/\(ENGINE=MyISAM \)//1" \
        "${APP_DIR}/application/core/db/MysqlSchema.php"
fi

logInfo "Waiting for database..." >&2
while ! curl -sL "${LIMESURVEY_DB_HOST}:${LIMESURVEY_DB_PORT:-3306}"; do sleep 1; done

DBSTATUS=$(TERM=dumb php -f "$DB_SETUP_PHP" -- \
    "${LIMESURVEY_DB_HOST}" "${LIMESURVEY_DB_USER}" "${LIMESURVEY_DB_PASSWORD}" \
    "${LIMESURVEY_DB_NAME}" "${LIMESURVEY_TABLE_PREFIX}" "${MYSQL_SSL_CA}" \
    "${APP_DIR}") &>/dev/null

# su -c takes ONE command string; build it with printf %q so that paths and
# credentials are shell-quoted instead of being split into separate su arguments
if [ "${DBSTATUS}" != "DBEXISTS" ] &&  [ -n "${LIMESURVEY_ADMIN_USER}" ] && [ -n "${LIMESURVEY_ADMIN_PASSWORD}" ]; then
    logInfo 'Database not yet populated - installing Limesurvey database' >&2
    su - "${APPLICATION_USER}" \
        -c "$(printf '%q ' php -f "${APP_DIR}/application/commands/console.php" -- \
            install "${LIMESURVEY_ADMIN_USER}" "${LIMESURVEY_ADMIN_PASSWORD}" \
            "${LIMESURVEY_ADMIN_NAME}" "${LIMESURVEY_ADMIN_EMAIL}" verbose)"
fi

if [ -f "${APP_DIR}/application/commands/UpdateDbCommand.php" ]; then
    logInfo 'Updating database...' >&2
    su - "${APPLICATION_USER}" \
        -c "$(printf '%q ' php "${APP_DIR}/application/commands/console.php" updatedb)"
else
    logWarn 'WARNING: Manual database update may be required!' >&2
fi

if [ -n "${LIMESURVEY_ADMIN_USER}" ] && [ -n "${LIMESURVEY_ADMIN_PASSWORD}" ]; then
    logInfo 'Updating password for admin user...' >&2
    su - "${APPLICATION_USER}" \
        -c "$(printf '%q ' php -f "${APP_DIR}/application/commands/console.php" -- \
            resetpassword "${LIMESURVEY_ADMIN_USER}" "${LIMESURVEY_ADMIN_PASSWORD}")"
fi
```
Here is the output of `bash --version`:

```
GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
```

**Edit 2**

I put what I could on GitHub. Here is the [commit](https://github.com/DrunkenPoney/docker-limesurvey/tree/1e8983f671941622dea5e70df940eb323cae05aa). I'm not entirely sure, but I think it should work if you clone the repo and run the launch script.
Elie G. (136 rep)
Dec 23, 2019, 03:10 PM • Last activity: Dec 23, 2019, 04:22 PM
0 votes
1 answers
293 views
Can I Respond to all dns requests with a specific cname?
Is it possible to configure a DNS server (dnsmasq, unbound etc.; I don't really care which one) to respond to all requests with a specific CNAME, except for the CNAME itself? And if yes, how and with which server?
Sophie (11 rep)
Aug 27, 2019, 10:12 PM • Last activity: Aug 28, 2019, 01:54 AM
1 votes
0 answers
485 views
Ubuntu 18.04: unbound seems to stop working after a period of time
I set up pi-hole with unbound on my Ubuntu 18.04 machine. I followed the instructions by pi-hole (https://docs.pi-hole.net/guides/unbound/). Clients can reach websites with this method, but after some time I get timeouts. Pi-hole is still forwarding requests to 127.0.0.1, but it seems that unbound doesn't answer anymore. Even on the host machine I get timeouts.

```
dig pi-hole.net @127.0.0.1 -p 5353

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> pi-hole.net @127.0.0.1 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached
```

Only `systemctl restart unbound` solves this problem. Unbound is still running and doesn't show any obvious errors though. I posted on the pi-hole forums and added quite some information there, so you might want to check the thread: https://discourse.pi-hole.net/t/pihole-on-ubuntu-18-04-with-unbound-fails-after-some-time/22585
herrwusel (11 rep)
Aug 21, 2019, 07:50 PM
2 votes
1 answers
3965 views
Redirect all outgoing DNS queries to local stub resolver at 127.0.0.1:53
I am attempting to redirect all outgoing DNS queries on my Linux box to my local caching stub resolver (unbound).

```
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 1.1.1.1:53
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 1.1.1.1:53
iptables -t nat -A POSTROUTING -j MASQUERADE
```

When I use the above rules, all the outgoing DNS queries are intercepted and redirected to the DNS server at 1.1.1.1. However, if I replace `1.1.1.1` with `127.0.0.1`, all DNS queries fail and are not directed to my local stub resolver. I did pass the below sysctl parameter

```
sysctl -w net.ipv4.conf.eth0.route_localnet=1
```

but my problem remained the same. Any pointers?
donghakim187 (61 rep)
Apr 5, 2019, 06:36 PM • Last activity: Apr 5, 2019, 09:35 PM