Installing and configuring authoritative, recursive, and DoT/DNSSEC DNS server with Unbound

I modified the IPv6 part of the NTP server directives to also use the ISP's IPv6 DNS servers if DNS servers have not been defined on the IPv6 page (meaning it is set to automatic instead of manually defined). For some reason the NVRAM variables for predefined and automatic are different when dealing with IPv6.
Updated your proposed settings. I hope that in the future we will have libunbound and unbound-anchor in the Merlin FW. :)
 
You should try this with S61unbound
Code:
#!/bin/sh
# Unbound validates DNSSEC, which needs a correct clock, so do not start it
# until the router reports NTP as synced (give up after 5 minutes).
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
    logger -st "S61unbound" "Waiting for NTP to sync before starting..."
    ntptimer=0
    while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
        ntptimer=$((ntptimer+1))
        sleep 1
    done

    if [ "$ntptimer" -ge "300" ]; then
        logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
        echo ""
        exit 1
    fi
fi

# Standard Entware rc.func service definition; dnsmasq is restarted first so
# that dnsmasq.postconf (below) re-points it at unbound.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
PRECMD="service restart_dnsmasq"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

And this with dnsmasq.postconf
Code:
#!/bin/sh
# Only hand dnsmasq over to unbound (127.0.1.1#5453) once DNS privacy is
# enabled, the clock is synced and the Entware init script is present (i.e.
# the storage is mounted); otherwise keep the stock forwarder on 127.0.1.1.
if [ "$(nvram get dnspriv_enable)" = "1" ]; then
    if [ "$(nvram get ntp_ready)" = "1" ]; then
        if [ -f /opt/etc/init.d/S61unbound ]; then
            source /usr/sbin/helper.sh
            pc_delete "no-negcache" /etc/dnsmasq.conf
            pc_delete "bogus-priv" /etc/dnsmasq.conf
            pc_delete "domain-needed" /etc/dnsmasq.conf
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
        else
            source /usr/sbin/helper.sh
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1" /tmp/resolv.dnsmasq
        fi
    fi
fi

# Route lookups of the NTP server names to the WAN/ISP DNS servers (v4 and v6)
# so the clock can sync before the validating resolver is usable.
if [ "$(nvram get dns_local_cache)" = "1" ]; then
    {
        NTPSERVERS=""
        for VAR in 0 1; do
            NTP="$(nvram get "ntp_server$VAR")"
            [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
        done
        [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
        for DNS in $(nvram get wan_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        # Automatic IPv6 DNS servers live in a different NVRAM variable
        # than manually defined ones (ipv6_dns1..3).
        for DNS in $(nvram get ipv6_get_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for VAR in 1 2 3; do
            DNS="$(nvram get "ipv6_dns$VAR")"
            [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
        done
        echo "server=$NTPSERVERS/127.0.1.1"
    } >> "$1"
fi

It handles the clock syncing problem by applying the modifications only when the clock is synced and your storage is mounted; otherwise it will use regular dnsmasq.

The biggest problem to overcome is only allowing the settings to be added once the clock syncs, because applying changes too soon will manipulate the process and order of how things occur within the router itself.

Edit: I added an extra piece to the bottom of dnsmasq.postconf
Running /opt/etc/init.d/S61unbound restart, the file /tmp/resolv.dnsmasq gets the address server=127.0.0.1#5453, without an internet connection.
 
Running /opt/etc/init.d/S61unbound restart, the file /tmp/resolv.dnsmasq gets the address server=127.0.0.1#5453, without an internet connection.
It should only be a brief internet connection loss, not something that takes all day, because the handoff is being switched from stubby to unbound, and unbound then takes stubby.

With the script it should be getting server=127.0.1.1#5453.
 
Missing listening port redirection option for unbound:
Adjusted
Code:
if [ "$(nvram get dnspriv_enable)" = "1" ]; then
    if [ "$(nvram get ntp_ready)" = "1" ]; then
        if [ -f /opt/etc/init.d/S61unbound ]; then
            source /usr/sbin/helper.sh
            pc_delete "no-negcache" /etc/dnsmasq.conf
            pc_delete "bogus-priv" /etc/dnsmasq.conf
            pc_delete "domain-needed" /etc/dnsmasq.conf
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1" /tmp/resolv.dnsmasq
            # Point dnsmasq at unbound's listening port from dnsmasq.conf itself
            pc_append "server=127.0.1.1#5453" /etc/dnsmasq.conf
            pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
        else
            source /usr/sbin/helper.sh
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1" /tmp/resolv.dnsmasq
        fi
    fi
fi
if [ "$(nvram get dns_local_cache)" = "1" ]; then
    {
        NTPSERVERS=""
        for VAR in 0 1; do
            NTP="$(nvram get "ntp_server$VAR")"
            [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
        done
        [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
        for DNS in $(nvram get wan_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for DNS in $(nvram get ipv6_get_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
    } >> "$1"
fi
 
Ok, now everything is fine. I can see unbound working when setting the 'verbosity' level to 2 or higher, and it survives rebooting. Are there any other tweaks worth trying? (Like increasing 'num threads' or increasing the cache, or any other parameter in unbound.conf.)
 
I can see unbound working
It works cool here. Verbosity 1.
Increasing the cache and the threads is no use. That is for large networks and query volumes. For ARM routers, these settings are enough.
Code:
rgnldo@rgnldo-lan:/tmp/home/root# unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | grep total.num
total.num.queries=472
total.num.queries_ip_ratelimited=0
total.num.cachehits=371
total.num.cachemiss=101
total.num.prefetch=16
total.num.zero_ttl=0
total.num.recursivereplies=101
 
verbosity: <number>
The verbosity number, level 0 means no verbosity, only errors.
Level 1 gives operational information. Level 2 gives detailed
operational information. Level 3 gives query level information,
output per query. Level 4 gives algorithm level information.
Level 5 logs client identification for cache misses. Default is
level 1. The verbosity can also be increased from the command-line, see unbound(8).
 
And one last thing: is haveged necessary?

I used verbosity 2 only to see if it was doing anything, then I changed to 1 after I saw it was working well.
unbound-control stats is also fine to see stats.

The latest updated unbound.conf is faster, thanks, good job. Will use unbound from now on.
 
setting 'verbosity' level to 2
If you added verbosity 2, which has a logging function, also add
Code:
statistics-cumulative: yes
extended-statistics: yes
 
Suggestion for improving latency:
Code:
stub-zone:
    name: "1.1.168.192.in-addr.arpa"
    stub-addr: 192.168.1.1
Source: https://jeanbruenn.info/2017/04/18/...-your-resolver-using-stub-zones-with-unbound/

Awaiting Feedback
Works fine. I also did some tweaks. First of all, if you have a dual-core CPU router (or more), it's better to use Thread num=2 (for dual core) and multiply the slabs by 2. One of the good things with Unbound is that it is multi-threaded; setting it to 1 disables multi-threading, according to what I read. This gives me the best results, much better response (everything else just like in the guide):

Code:
verbosity: 1
statistics-interval: 3600 #stats in the log every hour Verbosity can stay 1
statistics-cumulative: yes

num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
# tiny memory cache
key-cache-size: 16m
msg-cache-size: 25m
rrset-cache-size: 51m
so-rcvbuf: 1m

stub-zone:
    name: "1.1.168.192.in-addr.arpa"
    stub-addr: 192.168.1.1
    stub-first: yes


This is how the logging looks (every hour), my last log:
Code:
Aug  1 11:55:01 unbound: [13732:0] info: server stats for thread 0: 914 queries, 642 answers from cache, 272 recursions, 19 prefetch, 0 rejected by ip ratelimiting
Aug  1 11:55:01 unbound: [13732:0] info: server stats for thread 0: requestlist max 7 avg 0.656357 exceeded 0 jostled 0
Aug  1 11:55:01 unbound: [13732:0] info: average recursion processing time 0.399791 sec
Aug  1 11:55:01 unbound: [13732:0] info: histogram of recursion processing times
Aug  1 11:55:01 unbound: [13732:0] info: [25%]=0.21463 median[50%]=0.351045 [75%]=0.506052
Aug  1 11:55:01 unbound: [13732:0] info: lower(secs) upper(secs) recursions
Aug  1 11:55:01 unbound: [13732:0] info:    0.000000    0.000001 3
Aug  1 11:55:01 unbound: [13732:0] info:    0.008192    0.016384 1
Aug  1 11:55:01 unbound: [13732:0] info:    0.065536    0.131072 13
Aug  1 11:55:01 unbound: [13732:0] info:    0.131072    0.262144 80
Aug  1 11:55:01 unbound: [13732:0] info:    0.262144    0.524288 115
Aug  1 11:55:01 unbound: [13732:0] info:    0.524288    1.000000 54
Aug  1 11:55:01 unbound: [13732:0] info:    1.000000    2.000000 5
Aug  1 11:55:01 unbound: [13732:0] info:    2.000000    4.000000 1
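As an added example (not from the thread or from the unbound project), a small Python parser for the two sources of statistics discussed in this thread: the `unbound-control stats_noreset` key=value output and the hourly 'server stats' syslog report. It derives the cache-hit ratio (which tells you whether cache-size or slab changes actually do anything) and, from the histogram, the share of recursions slower than one second. The sample data is constructed from the numbers posted above.

```python
import re

# Constructed samples modelled on the thread's stats_noreset output and syslog report.
CONTROL_STATS = """\
total.num.queries=472
total.num.cachehits=371
total.num.cachemiss=101
"""
SYSLOG = """\
Aug  1 11:55:01 unbound: [13732:0] info: server stats for thread 0: 914 queries, 642 answers from cache, 272 recursions, 19 prefetch, 0 rejected by ip ratelimiting
Aug  1 11:55:01 unbound: [13732:0] info:    0.000000    0.000001 3
Aug  1 11:55:01 unbound: [13732:0] info:    0.008192    0.016384 1
Aug  1 11:55:01 unbound: [13732:0] info:    0.065536    0.131072 13
Aug  1 11:55:01 unbound: [13732:0] info:    0.131072    0.262144 80
Aug  1 11:55:01 unbound: [13732:0] info:    0.262144    0.524288 115
Aug  1 11:55:01 unbound: [13732:0] info:    0.524288    1.000000 54
Aug  1 11:55:01 unbound: [13732:0] info:    1.000000    2.000000 5
Aug  1 11:55:01 unbound: [13732:0] info:    2.000000    4.000000 1
"""
THREAD_RE = re.compile(r"thread (\d+): (\d+) queries, (\d+) answers from cache, "
                       r"(\d+) recursions, (\d+) prefetch, (\d+) rejected")
BUCKET_RE = re.compile(r"info:\s+(\d+\.\d+)\s+(\d+\.\d+)\s+(\d+)\s*$")

def parse_control_stats(text):
    """key=value lines from unbound-control -> dict of floats."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = float(value)
    return out

def parse_syslog_stats(text):
    """Syslog report -> ({thread: counters}, [(lower, upper, count), ...])."""
    threads, buckets = {}, []
    for line in text.splitlines():
        m = THREAD_RE.search(line)
        if m:
            t, q, hits, rec, pre, rl = map(int, m.groups())
            threads[t] = dict(queries=q, cachehits=hits, recursions=rec,
                              prefetch=pre, ratelimited=rl)
        elif (m := BUCKET_RE.search(line)):  # other report lines do not match
            buckets.append((float(m[1]), float(m[2]), int(m[3])))
    return threads, buckets

def hit_ratio(hits, misses):
    # Share of answers served from cache; 0.0 while nothing has been answered.
    return hits / (hits + misses) if hits + misses else 0.0

def slow_share(buckets, threshold=1.0):
    # Fraction of recursions in histogram buckets that start at >= threshold sec.
    total = sum(n for _, _, n in buckets)
    return sum(n for lo, _, n in buckets if lo >= threshold) / total if total else 0.0
```

In the syslog report the recursions are the cache misses, so `hit_ratio(642, 272)` gives the same kind of figure as `hit_ratio(cachehits, cachemiss)` from unbound-control.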
 
This is how the logging looks (every hour), my last log:
I notice that you use the logs. I use unbound-control stats. What is the path of the unbound logs?
 
I notice that you use the logs. I use unbound-control stats. What is the path of the unbound logs?
I don't know what the path is. The logs appear in the regular router log window (System Log -> General Log).
 
