Unbound Force all DNS requests through Unbound using iptables?


muffintastic

Senior Member
Hello folks!

I'm looking for the correct iptables rules to let me pass all DNS queries through Unbound; the goals would be:
  1. Encrypt any plain dns.
  2. Force hardcoded DNS through Unbound; Smart TVs etc.
  3. Deny any DoH / DoT browsers may use.
  4. Use Adguard to cease any ads.
My setup at the moment > RT-AX86U Pro (Merlin FW) > Adguard > Unbound (Using DoT, Cloudflare)

In Adguard upstream at the moment is set as '127.0.0.1:53535' at this time everything works, blocking ads as intended.

Anyone with a similar setup able to include this into iptables as requested?
 
Is DNS Director in Router mode not enough? Why custom rules?
Yeah, but I was wondering if it was possible. Jeeze, I was only asking a friendly question, didn't expect that crude response. Nevermind eh, I guess that's society for you. 😏
 
My question was intended to determine if the DNS Director method was inadequate with 3 different DNS servers running on the router (dnsmasq, AdGuard Home, Unbound).

Enable DNS Director and examine the rules it creates.
Code:
iptables -t nat -S
 
Last time I checked a setup like this on an Asus router DNS Director was indeed good enough.

AdGuard Home or Diversion can be used to block known DoH servers as they will go around the DNS redirection.
 
With DNS Director nothing can escape AdGuard Home if you set the WAN DNS setting IP to AdGuard Home. This will force all router requests to AdGuard Home, and any devices that try to circumvent your LAN DNS settings will be shown in AdGuard logs as coming from the router.

To deny DNS/DoT requests you can do this.
[attached screenshot: dns.png]
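An added example of the kind of rules being discussed (not from this thread, and not what DNS Director itself generates): it builds the iptables commands that send every LAN port-53 query to the router's local resolver and reject DoT on 853/tcp, so a device with a hardcoded resolver falls back to the redirected path. The LAN interface br0 and router address 192.168.50.1 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: adjust to your network.
LAN_IF="${LAN_IF:-br0}"               # assumed LAN bridge
ROUTER_IP="${ROUTER_IP:-192.168.50.1}" # assumed router LAN address
DNS_PORT="${DNS_PORT:-53}"            # port the local resolver listens on
APPLY="${APPLY:-0}"                   # 1 = run iptables, 0 = only print

# nat rule: rewrite a client's plain DNS query (udp or tcp) to the router.
# Queries already aimed at the router land on the same listener, so no
# exemption is needed.
dns_redirect_rule() {   # $1 = udp | tcp
  printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:%s\n' \
    "$LAN_IF" "$1" "$ROUTER_IP" "$DNS_PORT"
}

# filter rule: refuse DNS-over-TLS with a RST so clients fail fast and
# retry over plain DNS, which the nat rule above then captures.
# DoH rides on 443 and cannot be told apart by port; block known DoH
# server names in AdGuard Home or Diversion instead, as noted above.
dot_reject_rule() {
  printf 'iptables -A FORWARD -i %s -p tcp --dport 853 -j REJECT --reject-with tcp-reset\n' \
    "$LAN_IF"
}

# Emit the full rule set, one command per line.
all_rules() {
  dns_redirect_rule udp
  dns_redirect_rule tcp
  dot_reject_rule
}

# Apply (APPLY=1) or just show (default) the rules.
apply_rules() {
  all_rules | while IFS= read -r rule; do
    if [ "$APPLY" = 1 ]; then sh -c "$rule"; else echo "$rule"; fi
  done
}

apply_rules
```

Check what DNS Director already installed with `iptables -t nat -S` before adding your own, so the two sets do not fight over the same queries.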
 
Encrypt any plain dns.

Possible with Unbound as Forwarder only to upstream servers with DoT support. Encryption is not supported with Unbound as Resolver to root servers. If DNS encryption is a must - I would remove Unbound and use AdGuard Home to whatever is preferred DoT/DoH/DoQ upstream. Unbound in this case is not needed and its local cache can't beat the constant performance of Google, Cloudflare, OpenDNS, etc. big public DNS service providers.
 
Although large DNS providers perform exceptionally well within their own data centers, local DNS caching can still offer advantages in certain situations. For example, when multiple devices repeatedly query the same domain within a short period, using the traceroute command to check the path to a large DNS provider reveals that upstream queries often pass through several network nodes, each potentially introducing some delay or packet loss. In such cases, local DNS caching remains valuable, offering faster and more stable responses within the local network.

This is my understanding based on limited knowledge, so please feel free to correct me if I am mistaken.
 
dnsmasq can be considered a "black box" to some extent because its internal operations and caching statistics are not as transparent as those of other DNS solutions, such as Unbound. While dnsmasq offers some basic logging capabilities, it does not automatically provide specific statistics for cache hit rates, making it difficult for users to directly observe and analyze its caching performance.
 
directly observe and analyze its caching performance

Sure, analyzing caching performance is what I would like to do all day long. 🤔
 
You can get some cache usage stats dumped to syslog by sending a USR1 signal to dnsmasq.

Code:
Oct 28 00:39:11 dnsmasq[4160]: time 1086314
Oct 28 00:39:11 dnsmasq[4160]: cache size 1500, 0/176 cache insertions re-used unexpired cache entries.
Oct 28 00:39:11 dnsmasq[4160]: queries forwarded 59, queries answered locally 18
Oct 28 00:39:11 dnsmasq[4160]: DNSSEC per-query subqueries HWM 3
Oct 28 00:39:11 dnsmasq[4160]: DNSSEC per-query crypto work HWM 10
Oct 28 00:39:11 dnsmasq[4160]: DNSSEC per-RRSet signature fails HWM 0
Oct 28 00:39:11 dnsmasq[4160]: pool memory in use 3696, max 5148, allocated 66000
Oct 28 00:39:11 dnsmasq[4160]: child processes for TCP requests: in use 0, highest since last SIGUSR1 3, max allowed 20.
Oct 28 00:39:11 dnsmasq[4160]: server 103.86.96.100#53: queries sent 8, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
Oct 28 00:39:11 dnsmasq[4160]: server 103.86.99.100#53: queries sent 8, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
Oct 28 00:39:11 dnsmasq[4160]: server 74.116.184.28#53: queries sent 87, retried 0, failed 0, nxdomain replies 1, avg. latency 5ms
Oct 28 00:39:11 dnsmasq[4160]: server 96.127.255.29#53: queries sent 11, retried 0, failed 0, nxdomain replies 0, avg. latency 2ms
Oct 28 00:39:11 dnsmasq[4160]: server 2606:6d00:0:99::aaaa#53: queries sent 8, retried 0, failed 0, nxdomain replies 0, avg. latency 2ms
Oct 28 00:39:11 dnsmasq[4160]: server 2606:6d00:0:99::bbbb#53: queries sent 20, retried 0, failed 0, nxdomain replies 0, avg. latency 2ms

My stats are currently pretty low because dnsmasq was restarted a few minutes ago.
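An added example (not from the thread) that turns the SIGUSR1 stats dump shown above into the figures people actually argue about: the share of queries answered from the local cache and the failure rate per upstream server. The sample lines are constructed to match the posted format.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample in the dnsmasq
# SIGUSR1 syslog format (same layout as the posts above).
SAMPLE_LOG='Oct 28 13:34:49 dnsmasq[31679]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
Oct 28 13:34:49 dnsmasq[31679]: queries forwarded 71921, queries answered locally 57455
Oct 28 13:34:49 dnsmasq[31679]: server 127.0.0.1#53535: queries sent 72040, retried 68, failed 119, nxdomain replies 979, avg. latency 9ms'

# Reads syslog lines on stdin. Prints one line per upstream:
#   <server> sent=N failed=N fail=<pct>%
# and a final summary line:
#   local=<pct>% forwarded=N answered_locally=N
# awk's string-to-number conversion drops the trailing commas for us.
dnsmasq_stats() {
  awk '
    /queries forwarded/ { fwd = $7 + 0; loc = $11 + 0 }
    /: server / {
      srv = $6; sub(/:$/, "", srv)
      sent = $9 + 0; failed = $13 + 0
      printf "%s sent=%d failed=%d fail=%.1f%%\n", srv, sent, failed,
             (sent ? 100 * failed / sent : 0)
    }
    END {
      tot = fwd + loc
      printf "local=%.1f%% forwarded=%d answered_locally=%d\n",
             (tot ? 100 * loc / tot : 0), fwd, loc
    }'
}

printf '%s\n' "$SAMPLE_LOG" | dnsmasq_stats
```

On a live router pipe the lines in with `grep 'dnsmasq\[' /path/to/dnsmasq.log | tail -n 20 | dnsmasq_stats` after sending `kill -USR1 $(pidof dnsmasq)`.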
 
I used kill -USR1 $(pidof dnsmasq) to observe real-time reports generated in tail -f /tmp/mnt/usbkey/entware/var/log/dnsmasq.log. Thank you for the explanation!

Code:
Oct 28 13:34:49 dnsmasq[31679]: time 772026
Oct 28 13:34:49 dnsmasq[31679]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
Oct 28 13:34:49 dnsmasq[31679]: queries forwarded 71921, queries answered locally 57455
Oct 28 13:34:49 dnsmasq[31679]: DNSSEC per-query subqueries HWM 0
Oct 28 13:34:49 dnsmasq[31679]: DNSSEC per-query crypto work HWM 0
Oct 28 13:34:49 dnsmasq[31679]: DNSSEC per-RRSet signature fails HWM 0
Oct 28 13:34:49 dnsmasq[31679]: pool memory in use 0, max 132, allocated 2200
Oct 28 13:34:49 dnsmasq[31679]: child processes for TCP requests: in use 0, highest since last SIGUSR1 0, max allowed 20.
Oct 28 13:34:49 dnsmasq[31679]: server 127.0.0.1#53535: queries sent 72040, retried 68, failed 119, nxdomain replies 979, avg. latency 9ms

I noticed that my router is running both dnsmasq and unbound at the same time. Should I disable the DNS functionality of dnsmasq and only keep the DHCP function to avoid duplicate query handling and compatibility issues, thereby improving overall efficiency? Adding port=0 to /jffs/configs/dnsmasq.conf.add disables the DNS feature of dnsmasq.
 

I'm sorry for my fanciful idea; after adding port=0, the whole webpage froze. 😅
 
You will probably want to retain DNS resolver capabilities in dnsmasq because it will be authoritative for resolving LAN addresses.
 
Having installed AdGuard Home over Unbound, I no longer have Unbound as my single home router IP address as resolver. Is there anything in the AdGuard Home configuration I can change to keep Unbound as it was?
 
I have decided against Adguard on a AC86U - too CPU intensive - and too slow accessing WEB UI. Works fine on an AX-86U.
Large list and other selected denylists with Diversion Dnsmasq is so much more responsive - and with Unbound as a local resolver rather than other upstream DNS resolvers.
 

Your decision is wise. Based on my observations, using Diversion + Skynet + Unbound on the router, with privacy settings disabled in system management, results in faster web browsing response compared to installing AdGuard. This suggests that these specialized tools are optimized for routers, offering better performance in terms of resource efficiency and responsiveness.

Additionally, I use NextDNS as my upstream service (which claims to feature AI-powered threat detection), and its reports show an extremely low miss rate, indicating that almost no threats slip through. This demonstrates that the first layer of local filtering with Diversion + Skynet achieves a blocking rate as high as 99%. Overall, I am very satisfied with the performance.


The NextDNS report shows an extremely low blocking rate. Over the past 30 days, only one request was blocked due to DNS rebinding protection, specifically for dns.msftncsi.com.




The local Diversion and Skynet reports clearly show their effectiveness in handling a torrent of requests on the front lines. Diversion alone achieved an impressive blocking rate of 32% in a single day, with some malicious requests nearing tens of thousands—truly a storm of relentless traffic.




Skynet is capable of blocking attacks from known malicious IPs and botnet armies.
 
