Installing and configuring authoritative, recursive, and DoT/DNSSEC DNS server with Unbound

If you use VPN on the router, there is no need for security options or DNSSEC on Unbound.
If I used VPN on all devices then no, I wouldn't need most of this, but I don't run VPN on all devices, so I chose to use DoT and DNSSEC on all devices including those on VPN (in this way I also get Diversion working), so unbound is fine as long as I don't have issues (which I guess are mostly because of turning on Local Cache).
 
Inform you that the implementation of the Unbound DNS server is not compatible with the Diversion adblocker. The redirection of dnsmasq queries to Unbound does not integrate as desired. @Xentrk
 
Update tips
For some reason, the Diversion + Unbound integration is working. I disabled Merlin's native NTP server and installed NTPMerlin from AMTM. I also checked the option on WAN: Forward local domain queries to upstream DNS. Unbound functional with Diversion + Skynet. Enjoy
 
How to start unbound from Entware (I assume the default prefix /opt is used). I still forward queries from dnsmasq (well, it is a query forwarder) to unbound, listening on port 5453. Unbound will cache services and do authoritative DNS recursion.

Credits contributions @SomeWhereOverTheRainBow @Swistheater (for Stubby.yml)
Contributions to this post are well received

Install NTPMerlin script AMTM

Install unbound

Run unbound-control-setup for Unbound monitoring

Create /opt/var/lib/unbound directory

Change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody

Edit /opt/etc/unbound/unbound.conf

Add unbound-anchor to unbound without stubby
Code:
# DNSSEC validation

   module-config: "validator iterator"
   auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
Add a FORWARD-ZONE to mate with Stubby (Merlin)
Code:
forward-zone:
   #Local Stubby
   name: "."
   forward-addr: 127.0.1.1@53
Get root DNS server:
Code:
curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

Edit and start unbound daemon
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
      # Wait for NTP before starting
      logger -st "S61unbound" "Waiting for NTP to sync before starting..."
      ntptimer=0
      while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
              ntptimer=$((ntptimer+1))
              sleep 1
      done

      if [ "$ntptimer" -ge "300" ]; then
              logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
              echo ""
              exit 1
      fi
fi
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func


Create dnsmasq custom configuration in /jffs/scripts/dnsmasq.postconf:
Code:
#!/bin/sh
# $1 is the dnsmasq.conf path handed in by the firmware
if [ "$(nvram get dnspriv_enable)" = "1" ]; then
    if [ "$(nvram get ntp_ready)" = "1" ]; then
        if [ -f /opt/etc/init.d/S61unbound ]; then
            # Unbound installed: drop dnsmasq's own caching/filtering and forward to Unbound on 5453
            source /usr/sbin/helper.sh
            pc_delete "no-negcache" /etc/dnsmasq.conf
            pc_delete "bogus-priv" /etc/dnsmasq.conf
            pc_delete "domain-needed" /etc/dnsmasq.conf
            pc_delete "server=127.0.0.1" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.0.1#5453" /tmp/resolv.dnsmasq
            pc_append "server=127.0.0.1" /tmp/resolv.dnsmasq
            pc_append "server=127.0.0.1#5453" /etc/dnsmasq.conf
            pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
        else
            source /usr/sbin/helper.sh
            pc_delete "server=127.0.0.1#5453" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.0.1" /tmp/resolv.dnsmasq
            pc_append "server=127.0.0.1" /tmp/resolv.dnsmasq
        fi
    fi
fi
if [ "$(nvram get dns_local_cache)" = "1" ]; then
    # Send the NTP server names straight to the WAN/IPv6 DNS servers (and to Stubby at
    # 127.0.1.1) so the clock can sync before Unbound/DNSSEC is usable
    {
        NTPSERVERS=""
        for VAR in 0 1; do
            NTP="$(nvram get "ntp_server$VAR")"
            [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
        done
        [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
        for DNS in $(nvram get wan_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for DNS in $(nvram get ipv6_get_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for VAR in 1 2 3; do
            DNS="$(nvram get "ipv6_dns$VAR")"
            [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
        done
        echo "server=$NTPSERVERS/127.0.1.1"
    } >> "$1"
fi

Stubby procedure, valid for the current FW 384.13.

Configure Stubby for DNSSEC validation:

nano /jffs/configs/stubby.yml.add
Code:
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

chmod +x /jffs/configs/stubby.yml.add


run service restart_stubby

This sets the TZ for accurate syslogging, and nohup allows commands to be used to verify the active listening addresses. These commands can be run from the command line:
Code:
ps | grep unbound | grep -v grep
netstat -lnptu | grep unbound
netstat -lnpt | grep -E '^Active|^Proto|/unbound'

Last thing: I treated this like a headless server situation, so I opted to install haveged with
Code:
opkg install haveged
then I modified /opt/etc/init.d/S02haveged
Code:
nano /opt/etc/init.d/S02haveged
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        logger -st "S02haveged" "Waiting for NTP to sync before starting..."
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S02haveged" "NTP failed to sync after 5 minutes - please check immediately!"
                echo ""
                exit 1
        fi
fi
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=haveged
ARGS="-w 1024 -d 32 -i 32 -v 1"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
NOTE: It is advisable to configure swap memory.
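Added here as an example, not from rgnldo's post and not Merlin's own code: a way to check what dnsmasq.postconf leaves behind. It applies the same edits (drop no-negcache, bogus-priv and domain-needed, set cache-size=0, add server=127.0.0.1#5453) to a constructed copy of dnsmasq.conf and then verifies the result. The pc_delete, pc_replace and pc_append functions are stand-ins written for this example so it runs off the router; the assumption is that they behave like the ones in /usr/sbin/helper.sh (delete matching lines, substitute a string, append a line). The sample config is constructed, not the firmware's real file. On the router you would source helper.sh instead and run check_dnsmasq_conf /etc/dnsmasq.conf after a service restart_dnsmasq.

```shell
#!/bin/sh
# Added example: apply the dnsmasq.postconf edits from the post above to a
# constructed dnsmasq.conf and verify the result. pc_* below are stand-ins for
# Merlin's /usr/sbin/helper.sh (assumed semantics: delete lines matching a
# pattern, substitute a string, append a line) so this runs off the router.

pc_delete() {                      # remove every line matching $1 from file $2
    { grep -v -- "$1" "$2" || :; } > "$2.tmp" && mv "$2.tmp" "$2"
}
pc_replace() {                     # replace $1 with $2 in file $3
    sed "s|$1|$2|g" "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}
pc_append() {                      # append line $1 to file $2
    echo "$1" >> "$2"
}

# Constructed stand-in for the stock config before the postconf runs (the real
# file is generated by the firmware; only the directives the postconf touches matter).
write_sample_dnsmasq_conf() {
    cat > "$1" <<'EOF'
pid-file=/var/run/dnsmasq.pid
user=nobody
interface=br0
resolv-file=/tmp/resolv.dnsmasq
no-negcache
bogus-priv
domain-needed
cache-size=1500
server=127.0.1.1
EOF
}

# Same edits as the thread's dnsmasq.postconf, applied to the file given as $1.
apply_postconf() {
    CONFIG=$1
    pc_delete "no-negcache" "$CONFIG"
    pc_delete "bogus-priv" "$CONFIG"
    pc_delete "domain-needed" "$CONFIG"
    pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
    pc_append "server=127.0.0.1#5453" "$CONFIG"
}

# Returns 0 when dnsmasq is set up as the post intends: no local cache
# (cache-size=0, so answers come from Unbound's cache instead) and a
# forwarder entry pointing at Unbound on 127.0.0.1 port 5453.
check_dnsmasq_conf() {
    f=$1
    grep -qx 'cache-size=0' "$f" || { echo "FAIL: cache-size is not 0"; return 1; }
    grep -qx 'server=127.0.0.1#5453' "$f" || { echo "FAIL: no server=127.0.0.1#5453"; return 1; }
    for d in no-negcache bogus-priv domain-needed; do
        ! grep -qx "$d" "$f" || { echo "FAIL: $d still present"; return 1; }
    done
    echo "OK: $f forwards to 127.0.0.1#5453 with cache-size=0"
}

# Stand-alone demo on a temporary file (on the router: check_dnsmasq_conf /etc/dnsmasq.conf).
demo=$(mktemp)
write_sample_dnsmasq_conf "$demo"
apply_postconf "$demo"
check_dnsmasq_conf "$demo"
rm -f "$demo"
```

Note that the postconf leaves any existing server= line (such as Stubby's 127.0.1.1, which the constructed sample includes to mirror the forward-addr above) in place, so dnsmasq ends up with more than one upstream; grep '^server=' /etc/dnsmasq.conf lists every upstream it has been given.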

https://i.ibb.co/0YLYqjg/query.png

This pic shows this setting as “Yes” but the other pic below it still has this setting selected as “No”. Could you please clarify the correct choice.

Thank you!


 
I am still having issues. After installing, everything is good. After a reboot, even if the clock syncs, after some time it shows 'no connection' in the Web GUI... tried everything.
 
After a reboot, even if the clock
Add this to dnsmasq.postconf:
Code:
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "no-negcache" $CONFIG
pc_delete "bogus-priv" $CONFIG
pc_delete "domain-needed" $CONFIG
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "server=127.0.0.1#5453" $CONFIG

Make a backup. Remove the NTP parameters from the start scripts. Report back if it has worked.
 
This pic shows this setting as “Yes” but the other pic below it still has this setting selected as “No”. Could you please clarify the correct choice.
Fixed up. Review the tip
 
Add this to dnsmasq.postconf:
Code:
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "no-negcache" $CONFIG
pc_delete "bogus-priv" $CONFIG
pc_delete "domain-needed" $CONFIG
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "server=127.0.0.1#5453" $CONFIG

Make a backup. Remove the NTP parameters from the start scripts. Report back if it has worked.
Nope. It disconnects after a while. Trying to update the Skynet blocklist and it happens (disconnects and then connects again, but the connection is actually working all the time).
 
You are using FW 384.14_alpha1. I didn't test this one.
It's the same, it's still not available... However, are you sure setting "Local Cache" to No doesn't work? Because I changed it to No and restarted unbound, dnsmasq and stubby, and I still see that it is working; DNSSEC is also working (disabled in GUI) through Unbound. Here are the statistics from the log:

Code:
Aug 22 14:48:14 unbound: [990:0] info: server stats for thread 1: 84 queries, 8 answers from cache, 76 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Aug 22 14:48:14 unbound: [990:0] info: server stats for thread 1: requestlist max 42 avg 10.6184 exceeded 0 jostled 0
Aug 22 14:48:14 unbound: [990:0] info: average recursion processing time 0.266426 sec
Aug 22 14:48:14 unbound: [990:0] info: histogram of recursion processing times
Aug 22 14:48:14 unbound: [990:0] info: [25%]=0.065536 median[50%]=0.203162 [75%]=0.416346
Aug 22 14:48:14 unbound: [990:0] info: lower(secs) upper(secs) recursions
Aug 22 14:48:14 unbound: [990:0] info:    0.000000    0.000001 5
Aug 22 14:48:14 unbound: [990:0] info:    0.004096    0.008192 2
Aug 22 14:48:14 unbound: [990:0] info:    0.016384    0.032768 2
Aug 22 14:48:14 unbound: [990:0] info:    0.032768    0.065536 10
Aug 22 14:48:14 unbound: [990:0] info:    0.065536    0.131072 8
Aug 22 14:48:14 unbound: [990:0] info:    0.131072    0.262144 20
Aug 22 14:48:14 unbound: [990:0] info:    0.262144    0.524288 17
Aug 22 14:48:14 unbound: [990:0] info:    0.524288    1.000000 11
Aug 22 14:48:14 unbound: [990:0] info:    1.000000    2.000000 1
 
However, are you sure setting "Local Cache" to No doesn't work?
So far I couldn't understand the FW Merlin Local Cache. If you launch the command
Code:
dig snbforums.com
with Local Cache OFF, it will return queries via the ISP.
 
Note: with the NO-RESOLV + CACHE-SIZE + 127.0.0.1#5453 options, dnsmasq will ignore the /etc/resolv.conf file, will not cache, and will forward these queries to Unbound.

These commands should return '0' on the second attempt, signalling the query cache.
Code:
dig snbforums.com

dig snbforums.com @127.0.0.1 -p 5453

Go test it. If it works, please report here. This will help improve the post.
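Added example, not part of rgnldo's post: a small awk filter that summarises dig output so the checks being discussed (query time 0 on the second run, which resolver answered, and whether the answer carries the DNSSEC "ad" flag) come out on one line. The first sample is the dig answer posted later in this thread for dig snbforums.com @127.0.0.1 -p 5453, trimmed to the header lines; the second is constructed to show a validated, uncached answer through dnsmasq and is not from the thread.

```shell
#!/bin/sh
# Added example: summarise a `dig` answer so the checks described in the thread
# can be read off in one line. Feed it dig output on stdin, e.g.
#   dig snbforums.com @127.0.0.1 -p 5453 | dig_summary
#   dig snbforums.com +dnssec | dig_summary
# Fields reported:
#   status    - NOERROR, or SERVFAIL (what a validating resolver returns when
#               DNSSEC validation fails)
#   ad        - the "ad" (authenticated data) flag: "yes" only when the resolver
#               that answered validated the response
#   querytime - "Query time" in msec; 0 on a repeated query is the cache signal
#               the post refers to
#   server    - which resolver answered (127.0.0.1#53 is dnsmasq, #5453 is Unbound)
dig_summary() {
    awk '
        BEGIN { status = "?"; ad = "no"; qtime = ""; server = "?" }
        /^;; ->>HEADER<<-/ {
            line = $0; sub(/.*status: /, "", line); sub(/,.*/, "", line); status = line
        }
        /^;; flags:/ {
            line = $0; sub(/^;; flags: /, "", line); sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = "yes"
        }
        /^;; Query time:/ { qtime = $4 }
        /^;; SERVER:/     { server = $3 }
        END {
            cached = (qtime == "0") ? "likely" : "no"
            printf "status=%s ad=%s querytime=%s server=%s cached=%s\n",
                   status, ad, qtime, server, cached
        }
    '
}

# The answer posted later in this thread for `dig snbforums.com @127.0.0.1 -p 5453`,
# trimmed to the lines the parser reads.
sample_unbound_answer() {
    cat <<'EOF'
; <<>> DiG 9.12.3-P4 <<>> snbforums.com @127.0.0.1 -p 5453
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26433
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5453(127.0.0.1)
EOF
}

# Constructed (not from the thread): what a validated, uncached `dig ... +dnssec`
# answer through dnsmasq on port 53 looks like, with the ad flag set.
sample_validated_answer() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF
}

# Stand-alone demo on the two samples.
sample_unbound_answer | dig_summary
sample_validated_answer | dig_summary
```

The posted answer shows "ad=no": dig was run without +dnssec, so the resolver was not asked for validation data; repeat the query with +dnssec through each port (53 for dnsmasq, 5453 for Unbound) to see which hop is doing the validating.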
 
Note: with the NO-RESOLV + CACHE-SIZE + 127.0.0.1#5453 options, dnsmasq will ignore the /etc/resolv.conf file, will not cache, and will forward these queries to Unbound.

These commands should return '0' on the second attempt, signalling the query cache.
Code:
dig snbforums.com

dig snbforums.com @127.0.0.1 -p 5453

Go test it. If it works, please report here. This will help improve the post.
I enabled Stubby integration. Setting WAN: Use local caching DNS server as system resolver = No solves all the issues with NTP/disconnections.

And everything is working fine (Skynet, Diversion+pixelserv)... Unbound does seem to work; you can see the number of queries and how many were answered from cache.

By the way, if DNSSEC weren't done by Unbound it wouldn't work (with cache set to 0), because with Merlin's FW DNSSEC the cache must be at least 200 (if I recall), otherwise it will scream and DNSSEC will not work.
With -p 5453 (cache size is 0, changed by dnsmasq.postconf):

Code:
; <<>> DiG 9.12.3-P4 <<>> snbforums.com @127.0.0.1 -p 5453
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26433
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;snbforums.com.                 IN      A

;; ANSWER SECTION:
snbforums.com.          3525    IN      A       104.25.235.15
snbforums.com.          3525    IN      A       104.25.234.15

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5453(127.0.0.1)
;; WHEN: Thu Aug 22 15:11:04 IDT 2019
;; MSG SIZE  rcvd: 74



Statistics after half an hour:
Code:
Aug 22 15:43:15 unbound: [3644:1] info: server stats for thread 1: 182 queries, 16 answers from cache, 166 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Aug 22 15:43:15 unbound: [3644:1] info: server stats for thread 1: requestlist max 9 avg 1.74699 exceeded 0 jostled 0
Aug 22 15:43:15 unbound: [3644:1] info: average recursion processing time 0.419671 sec
Aug 22 15:43:15 unbound: [3644:1] info: histogram of recursion processing times
Aug 22 15:43:15 unbound: [3644:1] info: [25%]=0.211588 median[50%]=0.367002 [75%]=0.522416
Aug 22 15:43:15 unbound: [3644:1] info: lower(secs) upper(secs) recursions
Aug 22 15:43:15 unbound: [3644:1] info:    0.004096    0.008192 1
Aug 22 15:43:15 unbound: [3644:1] info:    0.008192    0.016384 1
Aug 22 15:43:15 unbound: [3644:1] info:    0.032768    0.065536 6
Aug 22 15:43:15 unbound: [3644:1] info:    0.065536    0.131072 12
Aug 22 15:43:15 unbound: [3644:1] info:    0.131072    0.262144 35
Aug 22 15:43:15 unbound: [3644:1] info:    0.262144    0.524288 70
Aug 22 15:43:15 unbound: [3644:1] info:    0.524288    1.000000 33
Aug 22 15:43:15 unbound: [3644:1] info:    1.000000    2.000000 8
Aug 22 15:43:15 unbound: [3644:0] info: server stats for thread 0: 184 queries, 20 answers from cache, 164 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Aug 22 15:43:15 unbound: [3644:0] info: server stats for thread 0: requestlist max 8 avg 1.73171 exceeded 0 jostled 0
Aug 22 15:43:15 unbound: [3644:0] info: average recursion processing time 0.422724 sec
Aug 22 15:43:15 unbound: [3644:0] info: histogram of recursion processing times
Aug 22 15:43:15 unbound: [3644:0] info: [25%]=0.184845 median[50%]=0.351174 [75%]=0.610781
Aug 22 15:43:15 unbound: [3644:0] info: lower(secs) upper(secs) recursions
Aug 22 15:43:15 unbound: [3644:0] info:    0.032768    0.065536 5
Aug 22 15:43:15 unbound: [3644:0] info:    0.065536    0.131072 20
Aug 22 15:43:15 unbound: [3644:0] info:    0.131072    0.262144 39
Aug 22 15:43:15 unbound: [3644:0] info:    0.262144    0.524288 53
Aug 22 15:43:15 unbound: [3644:0] info:    0.524288    1.000000 33
Aug 22 15:43:15 unbound: [3644:0] info:    1.000000    2.000000 14
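Added example, not from the thread's author: an awk filter that turns the "server stats for thread" lines above into a cache hit ratio per thread and overall, which is easier to compare between the two snapshots than the raw counters. The sample lines are the two thread lines from the half-hour statistics above (plus one "requestlist" line to show it is skipped); the syslog path in the usage comment is an assumption (Merlin writes to /tmp/syslog.log by default).

```shell
#!/bin/sh
# Added example: turn Unbound's "server stats" syslog lines (printed at
# verbosity: 1 and shown above) into a cache hit ratio per thread and in total.
# Usage on the router (assumption: syslog lives at /tmp/syslog.log):
#   grep 'unbound: .* server stats for thread' /tmp/syslog.log | unbound_cache_hits
unbound_cache_hits() {
    awk '
        # Only the first stats line per thread carries the query counters; the
        # "requestlist max ..." line for the same thread has no "queries" field.
        /info: server stats for thread [0-9]+: [0-9]+ queries,/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "thread")   { t = $(i + 1); sub(/:$/, "", t) }
                if ($i == "queries,") q = $(i - 1)
                if ($i == "answers")  c = $(i - 1)
            }
            tq += q; tc += c
            printf "thread %s: %d queries, %d from cache (%.1f%%)\n", t, q, c, (q > 0 ? 100 * c / q : 0)
        }
        END {
            printf "total: %d queries, %d from cache (%.1f%%)\n", tq, tc, (tq > 0 ? 100 * tc / tq : 0)
        }
    '
}

# The thread lines from the half-hour statistics posted above.
sample_stats_lines() {
    cat <<'EOF'
Aug 22 15:43:15 unbound: [3644:1] info: server stats for thread 1: 182 queries, 16 answers from cache, 166 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Aug 22 15:43:15 unbound: [3644:1] info: server stats for thread 1: requestlist max 9 avg 1.74699 exceeded 0 jostled 0
Aug 22 15:43:15 unbound: [3644:0] info: server stats for thread 0: 184 queries, 20 answers from cache, 164 recursions, 0 prefetch, 0 rejected by ip ratelimiting
EOF
}

# Stand-alone demo on the sample.
sample_stats_lines | unbound_cache_hits
```

With cache-size=0 in dnsmasq every client lookup reaches Unbound, so this ratio is the only cache figure left on the router; a low number right after a restart is expected (the cache is empty) and should climb as the cache-min-ttl of 3600 in the config starts holding answers.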
 
How to start unbound from Entware (I assume the default prefix /opt is used). I still forward queries from dnsmasq (well, it is a query forwarder) to unbound, listening on port 5453. Unbound will cache services and do authoritative DNS recursion.

Credits contributions @SomeWhereOverTheRainBow @Swistheater (for Stubby.yml)
Contributions to this post are well received

Install NTPMerlin script AMTM

Install unbound
Code:
opkg install unbound-control unbound-control-setup unbound
Run unbound-control-setup for Unbound monitoring
Code:
unbound-control-setup
Create /opt/var/lib/unbound directory
Code:
mkdir /opt/var/lib/unbound
Change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody
Code:
chown nobody /opt/var/lib/unbound
Edit /opt/etc/unbound/unbound.conf
Code:
server:
# Port to answer queries from
port: 5453
verbosity: 1

do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes

interface: 0.0.0.0
interface: ::0
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.30.0/24 allow

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 2m
rrset-cache-size: 2m
cache-max-ttl: 86400
cache-min-ttl: 3600
edns-buffer-size: 1472
cache-max-negative-ttl: 0

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
harden-referral-path: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"
Add unbound-anchor to unbound without stubby
Code:
# DNSSEC validation

   module-config: "validator iterator"
   auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
Add a FORWARD-ZONE to mate with Stubby (Merlin)
Code:
forward-zone:
   #Local Stubby
   name: "."
   forward-addr: 127.0.1.1@53
Get root DNS server:
Code:
curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

Edit and start unbound daemon
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
      # Wait for NTP before starting
      logger -st "S61unbound" "Waiting for NTP to sync before starting..."
      ntptimer=0
      while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
              ntptimer=$((ntptimer+1))
              sleep 1
      done

      if [ "$ntptimer" -ge "300" ]; then
              logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
              echo ""
              exit 1
      fi
fi
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func


Create dnsmasq custom configuration in /jffs/scripts/dnsmasq.postconf:
Code:
#!/bin/sh
# $1 is the dnsmasq.conf path handed in by the firmware
if [ "$(nvram get dnspriv_enable)" = "1" ]; then
    if [ "$(nvram get ntp_ready)" = "1" ]; then
        if [ -f /opt/etc/init.d/S61unbound ]; then
            # Unbound installed: drop dnsmasq's own caching/filtering and forward to Unbound on 5453
            source /usr/sbin/helper.sh
            pc_delete "no-negcache" /etc/dnsmasq.conf
            pc_delete "bogus-priv" /etc/dnsmasq.conf
            pc_delete "domain-needed" /etc/dnsmasq.conf
            pc_delete "server=127.0.0.1" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.0.1#5453" /tmp/resolv.dnsmasq
            pc_append "server=127.0.0.1" /tmp/resolv.dnsmasq
            pc_append "server=127.0.0.1#5453" /etc/dnsmasq.conf
            pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
        else
            source /usr/sbin/helper.sh
            pc_delete "server=127.0.0.1#5453" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.0.1" /tmp/resolv.dnsmasq
            pc_append "server=127.0.0.1" /tmp/resolv.dnsmasq
        fi
    fi
fi
if [ "$(nvram get dns_local_cache)" = "1" ]; then
    # Send the NTP server names straight to the WAN/IPv6 DNS servers (and to Stubby at
    # 127.0.1.1) so the clock can sync before Unbound/DNSSEC is usable
    {
        NTPSERVERS=""
        for VAR in 0 1; do
            NTP="$(nvram get "ntp_server$VAR")"
            [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
        done
        [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
        for DNS in $(nvram get wan_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for DNS in $(nvram get ipv6_get_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for VAR in 1 2 3; do
            DNS="$(nvram get "ipv6_dns$VAR")"
            [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
        done
        echo "server=$NTPSERVERS/127.0.1.1"
    } >> "$1"
fi

Stubby procedure, valid for the current FW 384.13.

Configure Stubby for DNSSEC validation:

nano /jffs/configs/stubby.yml.add
Code:
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

chmod +x /jffs/configs/stubby.yml.add


run service restart_stubby

This sets the TZ for accurate syslogging, and nohup allows commands to be used to verify the active listening addresses. These commands can be run from the command line:
Code:
ps | grep unbound | grep -v grep
netstat -lnptu | grep unbound
netstat -lnpt | grep -E '^Active|^Proto|/unbound'

Last thing: I treated this like a headless server situation, so I opted to install haveged with
Code:
opkg install haveged
then I modified /opt/etc/init.d/S02haveged
Code:
nano /opt/etc/init.d/S02haveged
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        logger -st "S02haveged" "Waiting for NTP to sync before starting..."
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S02haveged" "NTP failed to sync after 5 minutes - please check immediately!"
                echo ""
                exit 1
        fi
fi
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=haveged
ARGS="-w 1024 -d 32 -i 32 -v 1"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
NOTE: It is advisable to configure swap memory.
[/QUOTE]

Is it me seeing this in Portuguese, or did something change on this post?




 
I enabled Stubby integration. Setting WAN: Use local caching DNS server as system resolver = No solves all the issues with NTP/disconnections.
Now I understand why Merlin's FW offers the Local Cache option: it makes it easier to read the clock in cases with DNSSEC or Stubby. I do not use Stubby or VPN.
 
Note: with the NO-RESOLV + CACHE-SIZE + 127.0.0.1#5453 options, dnsmasq will ignore the /etc/resolv.conf file, will not cache, and will forward these queries to Unbound.

These commands should return '0' on the second attempt, signalling the query cache.
Code:
dig snbforums.com

dig snbforums.com @127.0.0.1 -p 5453

Go test it. If it works, please report here. This will help improve the post.

OK, so if I run dig without the port and 127.0.0.1, it shows me my ISP DNS. But when I check DNS using a website, it shows what I configured in the WAN settings (DoT servers). And when I check DNSSEC test websites they all pass OK. What does it mean?
@rgnldo, with Local Cache = YES, what is the output when you run
Code:
dig snbforums.com +dnssec
and
Code:
dig rootcanary.org +dnssec
??
 
And when I check DNSSEC test websites they all pass OK. What does it mean?
Try
Code:
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "no-negcache" $CONFIG
pc_delete "bogus-priv" $CONFIG
pc_delete "domain-needed" $CONFIG
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "server=127.0.0.1#5453" $CONFIG
pc_append "listen-address=127.0.0.1" $CONFIG 
pc_append "server=/pool.ntp.org/1.1.1.1" $CONFIG
 
Try
Code:
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "no-negcache" $CONFIG
pc_delete "bogus-priv" $CONFIG
pc_delete "domain-needed" $CONFIG
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "server=127.0.0.1#5453" $CONFIG
pc_append "listen-address=127.0.0.1" $CONFIG
pc_append "server=/pool.ntp.org/1.1.1.1" $CONFIG

Still no. The solution I tried is working, but I don't know what will happen after a restart; I will try later: deleting my ISP servers from /etc/resolv.conf
by adding:
Code:
pc_delete "nameserver x.x.x.x" /etc/resolv.conf
(x.x.x.x = my ISP DNS server)
 
