Installing and configuring authoritative, recursive, and DoT/DNSSEC DNS server with Unbound

[rgnldo]

regular router log window system->General Log

Most likely it is in path /var/logs/messages. I'm at work, coming home I see it.

 

[rgnldo]

its better to use Thread num=2

Comparing unbound reports, I found that the stub-zone option redirects the cache to stubby. The detail is that stubby does not offer cache service. Stub zones are other Unbound or Bind servers that interconnect, further reducing response time.
Raising to the thread will make no difference in 'avg'. Unbound works with requests. The higher the query requests, the better the response time, lowering the 'avg'. So for a network with ARM router, better Thead num = 1.
Disregard

stub-zone:
name: "1.1.168.192.in-addr.arp"
stub-addr: 192.168.1.1
stub-first: yes

If you want to get CacheHIT

 

[Swistheater]

Comparing unbound reports, I found that the stub-zone option redirects the cache to stubby. The detail is that stubby does not offer cache service. Stub zones are other Unbound or Bind servers that interconnect, further reducing response time.
Raising to the thread will make no difference in 'avg'. Unbound works with requests. The higher the query requests, the better the response time, lowering the 'avg'. So for a network with ARM router, better Thead num = 1.
Disregard

stub-zone:
name: "1.1.168.192.in-addr.arp"
stub-addr: 192.168.1.1
stub-first: yes

If you want to get CacheHIT

You may see better performance if you could pick which thread it uses.

 

[rgnldo]

You may see better performance if you could pick which thread it uses.

Can you describe this procedure?

 

[Swistheater]

I have no clue I just thought it was good tip because you may see better performance if you were able to use the 2nd thread instead of the 1st , that maybe why there is a noticable difference when delusion set it to use both.

 

[rgnldo]

2nd thread instead of the 1st

    # this limits TCP service but uses less buffers
    outgoing-num-tcp: 10
    incoming-num-tcp: 10

    # no threads and no memory slabs for threads
    num-threads: 2
    outgoing-range: 200
    num-queries-per-thread: 512
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4

Go tests

 

[rgnldo]

Update post install unbound on FW 384.13

 

[L&LD]

This script seems like it has hit prime time.

Can anyone make an installer script for this in a format compatible to be included in a future amtm release?

 

[rgnldo]

ompatible to be included in a future amtm release?

It takes someone with very good shell-script knowledge and good communication with the amtm team. It's not my case. It seems to me that @Voxel builds already include unbound + stubby as an option. Gradually they are including unbound.

 

[rgnldo]

UPDATE Tips

Unbound and DNSSEC Health Check Tests:

dig sigok.verteiltesysteme.net @127.0.0.1 -p 5453
=> status: NOERROR

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5453
=> status: SERVFAIL

dig snbforums.com  @127.0.0.1 -p 5453
Query time: 0 msec <= On the second attempt the response time should be zero.
SERVER: 127.0.0.1#5453(127.0.0.1)

 

[rgnldo]

Not entirely sure, but the debate is interesting. Source: https://discourse.pi-hole.net/t/unbound-or-stubby/15432/2

 

[Delusion]

But stubby still runs ,,,

 

[rgnldo]

But stubby still runs ,,,

Take the test without stubby. Disable

 

[Delusion]

Take the test without stubby. Disable

Which package do I need to install to get 'dig' command? and disable what? stubby? how?
earlier I saw you added also a part in which we need to edit dnsnmasq.postconf (without stubby) but it is not there, no need anymore?

 

[rgnldo]

'dig' command

opkg update
opkg list | grep "bind-tools"
opkg install bind-tools

 

[rgnldo]

edit dnsnmasq.postconf

Update post.

 

[rgnldo]

but it is not there, no need anymore?

I don't want you to stop using stubby. This is an option given the debate about the need for stubby + unbound.

 

[Delusion]

well... it works fine... (without stubby).
However, lately I stopped using unbound because it had some issues with VPN and sometimes I had to turn off and on my VPN client configured on router. Sometimes I would loose connection (Merlin FW says no connection but there is connection and internet works but it messes up Skynet and other stuff which think there is no connection ) I hope this time everything will be fine

 

[rgnldo]

VPN

What VPN service do you configure?

lately I stopped using unbound

I believe it must be some conflict with TLS certificates or ciphers

 

[rgnldo]

had to turn off and on my VPN client configured on router

If you use VPN on the router, there is no need for security options or DNSSEC on Unbound.