Installing and configuring authoritative, recursive, and DoT/DNSSEC DNS server with Unbound

[Delusion]

If you use VPN on the router, there is no need for security options or DNSSEC on Unbound.

If I used VPN on all devices than no, I wouldn't need most of this but I don't run VPN on all devices so I chose to use DoT and DNSSEC on all devices including those on VPN (in this way I also get Diversion working) , so unbound is fine as long as I don't have issues (which I guess most of them because of turning on Local Cache) .

 

[rgnldo]

(which I guess most of them because of turning on Local Cache) .

To use Unbound you must enable local caching.

 

[rgnldo]

inform you that the implementation of the Unbound DNS server is not compatible with adblock DIVERSION. Dnsmasq queries redirection to the unbound integrates not as desired. @Xentrk

 

[rgnldo]

Update tips
For some reason, integration with the Diversion + Unbound solution is working. I disabled Merlin's native NTP server and installed AMTM's NTPMerlin. I also checked the option on WAN: Forward local domain queries to upstream DNS. Funcional Unbound with Diversion + Skynet. Enjoy

 

[Marin]

How to start unbound from Entware (I assume default prefix /opt is used). I still forward queries from dnsmasq (well it is a query forwarder) to unbound, listening to port 5453. The Unbound will cache services, and authoritative dns recursion.

Credits contributions [B][COLOR=#b30000]@SomeWhereOverTheRainBow[/COLOR][/B] @Swistheater (for Stubby.yml)
Contributions to this post are well received

Install NTPMerlin script AMTM

Install unbound

Run unbound-control-setup for Unbound monitoring

Create /opt/var/lib/unbound directory

Change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody

Edit /opt/etc/unbound/unbound.conf

Add unbound-anchor to unbound without stubby

# DNSSEC validation

   module-config: "validator iterator"
   auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

Add FORWARD-ZONE to mate stubby-melim

forward-zone:
   #Local Stubby
   name: "."
   forward-addr: 127.0.1.1@53

Get root DNS server:

curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

Edit and start unbound daemon

#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
      # Wait for NTP before starting
      logger -st "S61unbound" "Waiting for NTP to sync before starting..."
      ntptimer=0
      while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
              ntptimer=$((ntptimer+1))
              sleep 1
      done

      if [ "$ntptimer" -ge "300" ]; then
              logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
              echo ""
              exit 1
      fi
fi
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Create dnsmasq custom configuration in /jffs/scripts/dnsmasq.postconf:

#!/bin/sh
  if [ "$(nvram get dnspriv_enable)" = "1" ]; then
       if [ "$(nvram get ntp_ready)" = "1" ]; then
          if [ -f /opt/etc/init.d/S61unbound ]; then
             source /usr/sbin/helper.sh
             pc_delete "no-negcache" /etc/dnsmasq.conf
             pc_delete "no-negcache" /etc/dnsmasq.conf
             pc_delete "bogus-priv" /etc/dnsmasq.conf
             pc_delete "domain-needed" /etc/dnsmasq.conf
             pc_delete "server=127.0.0.1" /tmp/resolv.dnsmasq
             pc_delete "server=127.0.0.1#5453" /tmp/resolv.dnsmasq
             pc_append "server=127.0.0.1" /tmp/resolv.dnsmasq
             pc_append "server=127.0.0.1#5453" /etc/dnsmasq.conf
             pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
         else
             source /usr/sbin/helper.sh
             pc_delete "server=127.0.0.1#5453" /tmp/resolv.dnsmasq
             pc_delete "server=127.0.0.1" /tmp/resolv.dnsmasq
             pc_append "server=127.0.0.1" /tmp/resolv.dnsmasq
         fi
      fi
   fi
if [ "$(nvram get dns_local_cache)" = "1" ]; then
   {
    NTPSERVERS=""
    for VAR in 0 1; do
        NTP="$(nvram get "ntp_server$VAR")"
        [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
    done
    [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
    for DNS in $(nvram get wan_dns); do
        echo "server=$NTPSERVERS/$DNS"
    done
    for DNS in $(nvram get ipv6_get_dns); do
        echo "server=$NTPSERVERS/$DNS"
    done
    for VAR in 1 2 3; do
        DNS="$(nvram get "ipv6_dns$VAR")"
        [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
    done
        echo "server=$NTPSERVERS/127.0.1.1"
   } >> "$1"
fi

Stubby valid procedure current FW 384.13.

Configure Stubby for DNSSEC validation:

nano /jffs/configs/stubby.yml.add

dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

chmod +x /jffs/configs/stubby.yml.add

run service restart_stubby

this sets the TZ for accurate sysloging, and nohup allows for commands to be used to verify active listening addresses these different commands can be runned via command line
ps | grep unbound | grep -v grep
netstat -lnptu | grep unbound
netstat -lnpt | grep -E '^Active|^Proto|/unbound'

last thing, I treated this like a headless server situation
i opted to install haveged with
opkg install haveged
then I modified /opt/etc/init.d/S02haveged
nano /opt/etc/init.d/S02haveged

#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        logger -st "S02haveged" "Waiting for NTP to sync before starting..."
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S02haveged" "NTP failed to sync after 5 minutes - please check immediately!"
                echo ""
                exit 1
        fi
fi
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=haveged
ARGS="-w 1024 -d 32 -i 32 -v 1"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

NOTE: It is advisable to configure swap memory.

https://i.ibb.co/0YLYqjg/query.png

This pic shows this setting as “Yes” but the the other pic below it still has this setting selected as “No”. Could you please clarify the correct choice.

Thank you!


Sent from my iPhone using Tapatalk

 

[Delusion]

I am still having issues . After installing - everyhing is good. After a reboot, even if the clock syncs, after some time , it shows 'no connection' in Web Gui ... tried everything.

 

[rgnldo]

After a reboot, even if the clock

Add this to dnsmasq.postconf:

CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "no-negcache" $CONFIG
pc_delete "bogus-priv" $CONFIG
pc_delete "domain-needed" $CONFIG
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "server=127.0.0.1#5453" $CONFIG

Make the backup. Remove the NTP parameters in the start scripts. Return has worked.

 

[rgnldo]

This pic shows this setting as “Yes” but the the other pic below it still has this setting selected as “No”. Could you please clarify the correct choice.

Fixed up. Review the tip

 

[Delusion]

Add this to dnsmasq.postconf:

CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "no-negcache" $CONFIG
pc_delete "bogus-priv" $CONFIG
pc_delete "domain-needed" $CONFIG
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "server=127.0.0.1#5453" $CONFIG

Make the backup. Remove the NTP parameters in the start scripts. Return has worked.

Nope. Disconnect after a while . Trying to update Skynet blocklist and it happens. (disconnects and then connects again but the connection is actually working all the time)

 

[rgnldo]

Nope. Disconnect after a while

You are using FW 384.14_alpha1. I didn't test this one.

 

[Delusion]

You are using FW 384.14_alpha1. I didn't test this one.

Its the same its still not available ... However, are you sure setting "Local Cache" to No doesn't work? because I changed it to No and restarted unbound ,dnsmasq and stubby, I still see that it is working , DNSSEC also working (disabled in GUI) through Unbound . Here is the statistic from the log :

Aug 22 14:48:14 unbound: [990:0] info: server stats for thread 1: 84 queries, 8 answers from cache, 76 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Aug 22 14:48:14 unbound: [990:0] info: server stats for thread 1: requestlist max 42 avg 10.6184 exceeded 0 jostled 0
Aug 22 14:48:14 unbound: [990:0] info: average recursion processing time 0.266426 sec
Aug 22 14:48:14 unbound: [990:0] info: histogram of recursion processing times
Aug 22 14:48:14 unbound: [990:0] info: [25%]=0.065536 median[50%]=0.203162 [75%]=0.416346
Aug 22 14:48:14 unbound: [990:0] info: lower(secs) upper(secs) recursions
Aug 22 14:48:14 unbound: [990:0] info:    0.000000    0.000001 5
Aug 22 14:48:14 unbound: [990:0] info:    0.004096    0.008192 2
Aug 22 14:48:14 unbound: [990:0] info:    0.016384    0.032768 2
Aug 22 14:48:14 unbound: [990:0] info:    0.032768    0.065536 10
Aug 22 14:48:14 unbound: [990:0] info:    0.065536    0.131072 8
Aug 22 14:48:14 unbound: [990:0] info:    0.131072    0.262144 20
Aug 22 14:48:14 unbound: [990:0] info:    0.262144    0.524288 17
Aug 22 14:48:14 unbound: [990:0] info:    0.524288    1.000000 11
Aug 22 14:48:14 unbound: [990:0] info:    1.000000    2.000000 1

 

[rgnldo]

However, are you sure setting "Local Cache" to No doesn't work?

So far I couldn't understand the FW Merlin Local Cache. If you launch the command

dig snbforums.com

, With local cache OFF, will return queries via ISP.

 

[rgnldo]

Note, with the NO-RESOLV + CACHE-SIZE + 127.0.0.1#5453 option dnsmasq will ignore queries in the /etc/resolv.conf file, will not cache and forward these services to Unbound.

These commands should return '0' on the second attempt, signaling the query cache.

dig snbforums.com

dig snbforums.com @127.0.0.1 -p 5453

Go testing. If it works, please report here. This will help improve the post.

 

[Delusion]

Note, with the NO-RESOLV + CACHE-SIZE + 127.0.0.1#5453 option dnsmasq will ignore queries in the /etc/resolv.conf file, will not cache and forward these services to Unbound.

These commands should return '0' on the second attempt, signaling the query cache.

dig snbforums.com

dig snbforums.com @127.0.0.1 -p 5453

Go testing. If it works, please report here. This will help improve the post.

I enabled Stubby integration . Setting Wan: Use local caching DNS server as system resolver=No solves all the issues with NTP\Disconnections.

And everything working fine (Skynet, Diversion+pixelserv) ... Unbound does seem to work , you can see queries num and you can see how much answered from cache,,,

By the way, if DNSSEC wasn't done by Unbound, It wouldn't work (With Cache set to 0) because with Merlin's FW DNSSEC, cache must be at least 200 (if I recall ) otherwise it will scream and DNSSEC will not work.
With -p 5453 (cahe size is 0 , changed by dnsmasq.postconf) :

; <<>> DiG 9.12.3-P4 <<>> snbforums.com @127.0.0.1 -p 5453
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26433
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;snbforums.com.                 IN      A

;; ANSWER SECTION:
snbforums.com.          3525    IN      A       104.25.235.15
snbforums.com.          3525    IN      A       104.25.234.15

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5453(127.0.0.1)
;; WHEN: Thu Aug 22 15:11:04 IDT 2019
;; MSG SIZE  rcvd: 74

Statistics after half an hour:

Aug 22 15:43:15 unbound: [3644:1] info: server stats for thread 1: 182 queries, 16 answers from cache, 166 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Aug 22 15:43:15 unbound: [3644:1] info: server stats for thread 1: requestlist max 9 avg 1.74699 exceeded 0 jostled 0
Aug 22 15:43:15 unbound: [3644:1] info: average recursion processing time 0.419671 sec
Aug 22 15:43:15 unbound: [3644:1] info: histogram of recursion processing times
Aug 22 15:43:15 unbound: [3644:1] info: [25%]=0.211588 median[50%]=0.367002 [75%]=0.522416
Aug 22 15:43:15 unbound: [3644:1] info: lower(secs) upper(secs) recursions
Aug 22 15:43:15 unbound: [3644:1] info:    0.004096    0.008192 1
Aug 22 15:43:15 unbound: [3644:1] info:    0.008192    0.016384 1
Aug 22 15:43:15 unbound: [3644:1] info:    0.032768    0.065536 6
Aug 22 15:43:15 unbound: [3644:1] info:    0.065536    0.131072 12
Aug 22 15:43:15 unbound: [3644:1] info:    0.131072    0.262144 35
Aug 22 15:43:15 unbound: [3644:1] info:    0.262144    0.524288 70
Aug 22 15:43:15 unbound: [3644:1] info:    0.524288    1.000000 33
Aug 22 15:43:15 unbound: [3644:1] info:    1.000000    2.000000 8
Aug 22 15:43:15 unbound: [3644:0] info: server stats for thread 0: 184 queries, 20 answers from cache, 164 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Aug 22 15:43:15 unbound: [3644:0] info: server stats for thread 0: requestlist max 8 avg 1.73171 exceeded 0 jostled 0
Aug 22 15:43:15 unbound: [3644:0] info: average recursion processing time 0.422724 sec
Aug 22 15:43:15 unbound: [3644:0] info: histogram of recursion processing times
Aug 22 15:43:15 unbound: [3644:0] info: [25%]=0.184845 median[50%]=0.351174 [75%]=0.610781
Aug 22 15:43:15 unbound: [3644:0] info: lower(secs) upper(secs) recursions
Aug 22 15:43:15 unbound: [3644:0] info:    0.032768    0.065536 5
Aug 22 15:43:15 unbound: [3644:0] info:    0.065536    0.131072 20
Aug 22 15:43:15 unbound: [3644:0] info:    0.131072    0.262144 39
Aug 22 15:43:15 unbound: [3644:0] info:    0.262144    0.524288 53
Aug 22 15:43:15 unbound: [3644:0] info:    0.524288    1.000000 33
Aug 22 15:43:15 unbound: [3644:0] info:    1.000000    2.000000 14

 

[Marin]

Como iniciar desvinculado Entware (presumo padrão prefixo / opt é usado). Eu consultas ainda para a frente de dnsmasq (bem, é um encaminhador de consulta) para não ligado, ouvindo a porta 5453. O Unbound irá armazenar em cache serviços e recursividade de DNS autoritário.

Créditos contribuições [UTILIZADOR = 64179] @SomeWhereOverTheRainBow [/ UTILIZADOR] [UTILIZADOR = 53994] @Swistheater [/ UTILIZADOR] (para Stubby.yml)
As contribuições para este post são bem recebidos

Instale NTPMerlin roteiro AMTM

instale desacoplado
[CITAR]
opkg instalar-controlo independente não ligada-control-setup não ligado
[/CITAR]
Execute desacoplado-control-setup para monitoramento Unbound
[CITAR]
não ligada-controlo-configuração
[/CITAR]
Criar / opt / var / lib / não ligado
[CITAR]
mkdir / opt / var / lib / não ligado
[/CITAR]
Alterar a propriedade diretório para ninguém, no caso de você querer deixar cair privilégios do daemon de raiz para ninguém
[CITAR]
chown ninguém / opt / var / lib / não ligado
[/CITAR]
Editar /opt/etc/unbound/unbound.conf
[Citação] [/ CITAÇÕES] [citação]
servidor:
# Porta para responder a consultas de
porta: 5453
verbosity: 1

fazer-ip4: sim
fazer-ip6: sim
fazer-udp: sim
fazer-tcp: sim

Interface: 0.0.0.0
Interface: :: 0
de controle de acesso: 0.0.0.0/0 lixo
de controle de acesso: 127.0.0.0/8 permitir
access-control: 10.0.30.0/24 allow

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 2m
rrset-cache-size: 2m
cache-max-ttl: 86400
cache-min-ttl: 3600
edns-buffer-size: 1472
cache-max-negative-ttl: 0

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
harden-referral-path: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"

Add unbound-anchor to unbound without stubby

# DNSSEC validation

   module-config: "validator iterator"
   auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

Add FORWARD-ZONE to mate stubby-melim

forward-zone:
   #Local Stubby
   name: "."
   forward-addr: 127.0.1.1@53

Get root DNS server:

curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

Edit and start unbound daemon

#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
      # Wait for NTP before starting
      logger -st "S61unbound" "Waiting for NTP to sync before starting..."
      ntptimer=0
      while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
              ntptimer=$((ntptimer+1))
              sleep 1
      done

      if [ "$ntptimer" -ge "300" ]; then
              logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
              echo ""
              exit 1
      fi
fi
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Create dnsmasq custom configuration in /jffs/scripts/dnsmasq.postconf:

#!/bin/sh
  if [ "$(nvram get dnspriv_enable)" = "1" ]; then
       if [ "$(nvram get ntp_ready)" = "1" ]; then
          if [ -f /opt/etc/init.d/S61unbound ]; then
             source /usr/sbin/helper.sh
             pc_delete "no-negcache" /etc/dnsmasq.conf
             pc_delete "no-negcache" /etc/dnsmasq.conf
             pc_delete "bogus-priv" /etc/dnsmasq.conf
             pc_delete "domain-needed" /etc/dnsmasq.conf
             pc_delete "server=127.0.0.1" /tmp/resolv.dnsmasq
             pc_delete "server=127.0.0.1#5453" /tmp/resolv.dnsmasq
             pc_append "server=127.0.0.1" /tmp/resolv.dnsmasq
             pc_append "server=127.0.0.1#5453" /etc/dnsmasq.conf
             pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
         else
             source /usr/sbin/helper.sh
             pc_delete "server=127.0.0.1#5453" /tmp/resolv.dnsmasq
             pc_delete "server=127.0.0.1" /tmp/resolv.dnsmasq
             pc_append "server=127.0.0.1" /tmp/resolv.dnsmasq
         fi
      fi
   fi
if [ "$(nvram get dns_local_cache)" = "1" ]; then
   {
    NTPSERVERS=""
    for VAR in 0 1; do
        NTP="$(nvram get "ntp_server$VAR")"
        [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
    done
    [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
    for DNS in $(nvram get wan_dns); do
        echo "server=$NTPSERVERS/$DNS"
    done
    for DNS in $(nvram get ipv6_get_dns); do
        echo "server=$NTPSERVERS/$DNS"
    done
    for VAR in 1 2 3; do
        DNS="$(nvram get "ipv6_dns$VAR")"
        [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
    done
        echo "server=$NTPSERVERS/127.0.1.1"
   } >> "$1"
fi

Stubby valid procedure current FW 384.13.

Configure Stubby for DNSSEC validation:

nano /jffs/configs/stubby.yml.add

dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

chmod +x /jffs/configs/stubby.yml.add

run service restart_stubby

this sets the TZ for accurate sysloging, and nohup allows for commands to be used to verify active listening addresses these different commands can be runned via command line
ps | grep unbound | grep -v grep
netstat -lnptu | grep unbound
netstat -lnpt | grep -E '^Active|^Proto|/unbound'

last thing, I treated this like a headless server situation
i opted to install haveged with
opkg install haveged
then I modified /opt/etc/init.d/S02haveged
nano /opt/etc/init.d/S02haveged

#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        logger -st "S02haveged" "Waiting for NTP to sync before starting..."
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S02haveged" "NTP failed to sync after 5 minutes - please check immediately!"
                echo ""
                exit 1
        fi
fi
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=haveged
ARGS="-w 1024 -d 32 -i 32 -v 1"
PREARGS=""
DESC = $ PROCS
PATH = / opt / sbin: / opt / bin: / opt / usr / bin: / usr / local / sbin: / usr / local / bin: / usr / sbin: / usr / bin: / sbin: / bin

. /opt/etc/init.d/rc.func

NOTA: É aconselhável configurar memória swap .[/QUOTE]

Is it me seeing this in Portuguese or did something change on this post?




Sent from my iPhone using Tapatalk

 

[rgnldo]

I enabled Stubby integration . Setting Wan: Use local caching DNS server as system resolver=No solves all the issues with NTP\Disconnections.

Now I understand why FW Merlin offers the Local cache option, so it is easier to read the clock in cases with DNSSEC or Stubby. I do not use stubby or VPN.

 

[rgnldo]

Is it me seeing this in Portuguese or did something change on this post?

For formatting reasons and issues with translator editor, we had to remove the illustrated tips.
https://pastebin.com/raw/YkQ0shvc

 

[Delusion]

Note, with the NO-RESOLV + CACHE-SIZE + 127.0.0.1#5453 option dnsmasq will ignore queries in the /etc/resolv.conf file, will not cache and forward these services to Unbound.

These commands should return '0' on the second attempt, signaling the query cache.

dig snbforums.com

dig snbforums.com @127.0.0.1 -p 5453

Go testing. If it works, please report here. This will help improve the post.

Ok, so If I run dig without a port and 127.0.0.1 it shows me my ISP DNS. But when I check dns using a website it shows what I configured in WAN settings (DoT servers) . And when I check dnssec test website they all pass ok. What does it mean?
@rgnldo , with Local Cache =YES, what does is the output when you run
dig snbforums.com +dnssec
and
dig rootcanary.org +dnssec

??

 

[rgnldo]

And when I check dnssec test website they all pass ok. What does it mean?

Try

CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "no-negcache" $CONFIG
pc_delete "bogus-priv" $CONFIG
pc_delete "domain-needed" $CONFIG
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "server=127.0.0.1#5453" $CONFIG
pc_append "listen-address=127.0.0.1" $CONFIG 
pc_append "server=/pool.ntp.org/1.1.1.1" $CONFIG

 

[Delusion]

Try

CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "no-negcache" $CONFIG
pc_delete "bogus-priv" $CONFIG
pc_delete "domain-needed" $CONFIG
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "server=127.0.0.1#5453" $CONFIG
pc_append "listen-address=127.0.0.1" $CONFIG
pc_append "server=/pool.ntp.org/1.1.1.1" $CONFIG

Still no. The solution I tried and is working but I don't know what will happen after restart, I will try later : deleting my ISP servers from /etc/resolv.conf
by adding :
pc_delete "nameserver x.x.x.x" /etc/resolv.conf \\x.x.x.x my isp dns server.