Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[tomsk]

QQ: If I use Unbound exclusively (bypass dnsmasq), is it safe/recommended to change the following from Tools>Other Settings to YES?

Wan: Use local caching DNS server as system resolver (default: No)

Looks like that would ensure ALL DNS requests are processed by Unbound. Am I correct in this line of thinking?

Any impacts to be aware of?

No this is not a good idea..... Unbound will only come up once entware starts and the router needs to resolve DNS requests prior to that..... this is only for the router itself and not for clients.

 

[ttgapers]

No this is not a good idea..... Unbound will only come up once entware starts and the router needs to resolve DNS requests prior to that..... this is only for the router itself and not for clients.

Thanks man! I always seem to forget that -- smdh!

 

[Ubimo]

What's the purpose to use Unbound exclusively (bypass dnsmasq)?

 

[juched]

What's the purpose to use Unbound exclusively (bypass dnsmasq)?

For me I use it to allow for better reporting. Now I can see which client is making the DNS request, and that shows up in the Unbound GUI tab.

Only other reason is because it is one less item in the chain to getting a DNS request, but to be honest, it likely isn't a big deal.

 

[joe scian]

Can you check

grep -A1 "port=0" /jffs/configs/dnsmasq.conf.add /etc/dnsmasq.conf

also 'unbound.conf' is incorrect

##@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53                                 # v1.08 If 53 (Requires 'port=0' in '/etc/dnsmasq.conf') to answer queries direct from LAN clients
interface: 192.168.2.1                  # v1.01 as per @dave14305 minimal config
#port: 53 #NOdnsmasq                        # v1.08 https://www.snbforums.com/threads/unbound-gui-stats-including-top-blocked-top-replies-todays-replies.63188/
#interface: 0.0.0.0
interface: 127.0.0.1@53
#access-control: 0.0.0.0/0 allow      <<=== this should match the subnet for the 'interface: 192.168.2.1 above i.e. 192.168.1.0/24

When bypassing dnsmasq, 'unbound_manager' should use

nvram get lan_ipaddr_rt

in the unbound configuration.

EDIT: I've uploaded a Hotfix v3.11Beta 2 to correct 192.168.2.1-->192.168.2.240 ??

A:Option ==> uf dev

    unbound_manager.sh downloaded successfully Github 'dev/development' branch

unbound Manager UPDATE Complete! 6126e734d0ea5c65965cbae5a221f322

Hi Martineau

Its working with latest 3.11b3 !! That is Unbound is starting Thanks heaps. The only issue is when I run debug and it gives message saying that Address already in use for 192.168.2.240 port 53. ( but its in use by Unbound). And if I comment out #interface:192.168.2.240 debug gives Address already in use for 127.0.0.1 port 53. ( again in use by Unbound already) .
BUT Unbound IS up and alive and dnsmasq IS being bypassed !

port=0                           # unbound_manager
dhcp-option=lan,6,192.168.2.240      # unbound_manager

server:

##@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53                                 # v1.08 If 53 (Requires 'port=0' in '/etc/dnsmasq.conf') to answer queries direct from LAN clients
interface: 192.168.2.240                  # v1.01 as per @dave14305 minimal config
#port: 53 #NOdnsmasq                        # v1.08 https://www.snbforums.com/threads/unbound-gui-stats-including-top-blocked-top-replies-todays-replies.63188/
#interface: 0.0.0.0
interface: 127.0.0.1@53
#access-control: 0.0.0.0/0 allow
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/16 allow

# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16

A:Option ==> debug


tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      5481/portmap
tcp        0      0 0.0.0.0:18017           0.0.0.0:*               LISTEN      244/wanduck
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      13062/vsftpd
tcp        0      0 0.0.0.0:3394            0.0.0.0:*               LISTEN      1130/u2ec
tcp        0      0 0.0.0.0:3702            0.0.0.0:*               LISTEN      12741/wsdd2
tcp        0      0 0.0.0.0:40939           0.0.0.0:*               LISTEN      12762/statd
tcp        0      0 0.0.0.0:45071           0.0.0.0:*               LISTEN      12800/mountd
tcp        0      0 0.0.0.0:54131           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5473            0.0.0.0:*               LISTEN      1130/u2ec
tcp        0      0 0.0.0.0:6800            0.0.0.0:*               LISTEN      4649/aria2c
tcp        0      0 0.0.0.0:7788            0.0.0.0:*               LISTEN      440/cfg_server
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      4605/lighttpd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      12704/smbd
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      12704/smbd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      8252/unbound
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      358/httpd
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      357/httpds
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      8252/unbound
tcp        0      0 192.168.2.240:139       0.0.0.0:*               LISTEN      12704/smbd
tcp        0      0 192.168.2.240:22        0.0.0.0:*               LISTEN      298/dropbear
tcp        0      0 192.168.2.240:3838      0.0.0.0:*               LISTEN      1135/lpd
tcp        0      0 192.168.2.240:445       0.0.0.0:*               LISTEN      12704/smbd
tcp        0      0 192.168.2.240:515       0.0.0.0:*               LISTEN      1135/lpd
tcp        0      0 192.168.2.240:53        0.0.0.0:*               LISTEN      8252/unbound
tcp        0      0 192.168.2.240:80        0.0.0.0:*               LISTEN      358/httpd
tcp        0      0 192.168.2.240:8443      0.0.0.0:*               LISTEN      357/httpds
tcp        0      0 192.168.2.240:9100      0.0.0.0:*               LISTEN      1135/lpd
tcp        0      0 :::1193                 :::*                    LISTEN      1900/vpnserver1
[1588985442] unbound[19366:0] notice: Start of unbound 1.10.0.
May 09 00:50:42 unbound[19366:0] error: can't bind socket: Address already in use for 192.168.2.240 port 53
May 09 00:50:42 unbound[19366:0] fatal error: could not open ports

A:Option ==> debug


tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      5481/portmap
tcp        0      0 0.0.0.0:18017           0.0.0.0:*               LISTEN      244/wanduck
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      13062/vsftpd
tcp        0      0 0.0.0.0:3394            0.0.0.0:*               LISTEN      1130/u2ec
tcp        0      0 0.0.0.0:3702            0.0.0.0:*               LISTEN      12741/wsdd2
tcp        0      0 0.0.0.0:40939           0.0.0.0:*               LISTEN      12762/statd
tcp        0      0 0.0.0.0:45071           0.0.0.0:*               LISTEN      12800/mountd
tcp        0      0 0.0.0.0:54131           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5473            0.0.0.0:*               LISTEN      1130/u2ec
tcp        0      0 0.0.0.0:6800            0.0.0.0:*               LISTEN      4649/aria2c
tcp        0      0 0.0.0.0:7788            0.0.0.0:*               LISTEN      440/cfg_server
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      4605/lighttpd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      12704/smbd
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      12704/smbd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      20347/unbound
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      358/httpd
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      357/httpds
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      20347/unbound
tcp        0      0 192.168.2.240:139       0.0.0.0:*               LISTEN      12704/smbd
tcp        0      0 192.168.2.240:22        0.0.0.0:*               LISTEN      298/dropbear
tcp        0      0 192.168.2.240:3838      0.0.0.0:*               LISTEN      1135/lpd
tcp        0      0 192.168.2.240:445       0.0.0.0:*               LISTEN      12704/smbd
tcp        0      0 192.168.2.240:515       0.0.0.0:*               LISTEN      1135/lpd
tcp        0      0 192.168.2.240:80        0.0.0.0:*               LISTEN      358/httpd
tcp        0      0 192.168.2.240:8443      0.0.0.0:*               LISTEN      357/httpds
tcp        0      0 192.168.2.240:9100      0.0.0.0:*               LISTEN      1135/lpd
tcp        0      0 :::1193                 :::*                    LISTEN      1900/vpnserver1
[1588985605] unbound[20938:0] notice: Start of unbound 1.10.0.
May 09 00:53:25 unbound[20938:0] error: can't bind socket: Address already in use for 127.0.0.1 port 53
May 09 00:53:25 unbound[20938:0] fatal error: could not open ports

A:Option ==> ?

        Version=3.11b3
        Local                                           md5=09e5b41d225c506ca4106ce5ede8eb2b
        Github                                          md5=6126e734d0ea5c65965cbae5a221f322
        /jffs/addons/unbound/unbound_manager.md5        md5=09e5b41d225c506ca4106ce5ede8eb2b

        Router Configuration recommended pre-reqs status:

        [✔] Swapfile=2097148 kB
        [✔] DNS Filter=ON
        [✔] DNS Filter=ROUTER
        [✔] WAN: Use local caching DNS server as system resolver=NO
        [✔] Entware NTP server is running
        [✔] Enable DNS Rebind protection=NO
        [✔] Enable DNSSEC support=NO
        [✖] Warning Skynet's Country BAN feature is currently ACTIVE and may significantly reduce unbound performance and in some cases block sites

        Options: Auto Reply='y' for User Selectable Options ('1 3 4') unbound Logging,Ad Block,Performance Tweaks

        [✔] unbound Logging
        [✔] Ad and Tracker Blocking (No. of Adblock domains=55204,Blocked Hosts=0,Whitelist=19)
        [✔] unbound CPU/Memory Performance tweaks
        [✔] Router Graphical GUI statistics TAB installed
        [✔] unbound-control FAST response ENABLED
        [✔] DNS Firewall ENABLED
        [✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)

 

[joe scian]

May  9 10:53:11 RT-AC5300-0680 joescian: Started unbound from .
May  9 10:53:12 RT-AC5300-0680 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May  9 10:53:12 RT-AC5300-0680 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May  9 10:53:12 RT-AC5300-0680 (dnsmasq.postconf): Updating /etc/dnsmasq.conf for unbound.....
May  9 10:53:12 RT-AC5300-0680 (dnsmasq.postconf): dnsmasq DNS bypassed. unbound will be the primary DNS for ALL LAN Clients.
May  9 10:53:13 RT-AC5300-0680 dnsmasq[20616]: started, version 2.81-32-g93cb543 DNS disabled
May  9 10:53:13 RT-AC5300-0680 dnsmasq[20616]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-auth DNSSEC no-ID loop-detect no-inotify no-dumpfile
May  9 10:53:13 RT-AC5300-0680 dnsmasq[20616]: warning: interface pptp* does not currently exist
May  9 10:53:13 RT-AC5300-0680 dnsmasq[20616]: asynchronous logging enabled, queue limit is 5 messages
May  9 10:53:13 RT-AC5300-0680 dnsmasq-dhcp[20616]: DHCP, IP range 192.168.3.2 -- 192.168.3.254, lease time 12h
May  9 10:53:13 RT-AC5300-0680 dnsmasq-dhcp[20616]: DHCP, IP range 192.168.2.4 -- 192.168.2.254, lease time 1d
May  9 11:00:09 RT-AC5300-0680 rc_service: service 26293:notify_rc stop_dnsmasq
May  9 11:00:10 RT-AC5300-0680 custom_script: Running /jffs/scripts/service-event (args: stop dnsmasq)
May  9 11:00:11 RT-AC5300-0680 dnsmasq[20616]: exiting on receipt of SIGTERM
May  9 11:00:14 RT-AC5300-0680 rc_service: service 26435:notify_rc restart_dnsmasq
May  9 11:00:14 RT-AC5300-0680 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
May  9 11:00:15 RT-AC5300-0680 joescian: Started unbound from .
May  9 11:00:15 RT-AC5300-0680 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May  9 11:00:15 RT-AC5300-0680 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May  9 11:00:17 RT-AC5300-0680 (dnsmasq.postconf): Updating /etc/dnsmasq.conf for unbound.....
May  9 11:00:17 RT-AC5300-0680 (dnsmasq.postconf): dnsmasq DNS bypassed. unbound will be the primary DNS for ALL LAN Clients.
May  9 11:00:19 RT-AC5300-0680 dnsmasq[26721]: started, version 2.81-32-g93cb543 DNS disabled
May  9 11:00:19 RT-AC5300-0680 dnsmasq[26721]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-auth DNSSEC no-ID loop-detect no-inotify no-dumpfile
May  9 11:00:19 RT-AC5300-0680 dnsmasq[26721]: warning: interface pptp* does not currently exist
May  9 11:00:19 RT-AC5300-0680 dnsmasq[26721]: asynchronous logging enabled, queue limit is 5 messages
May  9 11:00:19 RT-AC5300-0680 dnsmasq-dhcp[26721]: DHCP, IP range 192.168.3.2 -- 192.168.3.254, lease time 12h
May  9 11:00:19 RT-AC5300-0680 dnsmasq-dhcp[26721]: DHCP, IP range 192.168.2.4 -- 192.168.2.254, lease time 1d
May  9 11:15:40 RT-AC5300-0680 kernel: nvram: consolidating space!

 

[ttgapers]

For me I use it to allow for better reporting. Now I can see which client is making the DNS request, and that shows up in the Unbound GUI tab.

Only other reason is because it is one less item in the chain to getting a DNS request, but to be honest, it likely isn't a big deal.

Along with the unbound thread where it might be bringing native DoT to life, and therefore you can also bypass Cloudflare for DoT requests, and thus better privacy as all requests can now be fulfilled by your local unbound recursive server

 

[glehel]

nvram get custom_clientlist AC86U client HOSTNAME and MAC pair (and other data in number)
nvram get dhcp_staticlist only client MAC and IP
nvram get dhcp_hostnames full empty

 

[Martineau]

I've uploaded v3.11 unbound.conf v1.10

Version=3.11
Github md5=a52ec854a6e06e3e8f2383065f6fc236​

use 'u' to update when prompted on screen
EDIT: If upgrading from v3.11betaX, you will need to force the upgrade using 'uf'

EDIT2: Due to a typo with the cron schedule for the YouTube Video Ad Blocking, all users should reset the Ad Blocking if currently implemented

e  = Exit Script [?]

A:Option ==> youtube uninstall

e  = Exit Script [?]

A:Option ==> adblock uninstall

then reinstall as required

e  = Exit Script [?]

A:Option ==> adblock

e  = Exit Script [?]

A:Option ==> youtube

Use of the 'i = Update unbound Installation' ** optional ** see changelog

FIX:    'unbound.conf' contains incorrect CIDRs
             access-control: 172.16.0.0/12  allow        # v1.10 Martineau  Fix CIDR 16->12
             access-control: 192.168.0.0/16 allow        # v1.10 @dave14305 Fix CIDR 24->16
FIX:    Bypass dnsmasq incorrectly assumes '.1' is ALWAYS the last octet for the router e.g. '192.168.0.1' - @joe scian
FIX:    Bypass dnsmasq wasn't retained over reboot.
FIX:    Bypass dnsmasq when migrating dnsmasq localhosts to unbound, now ignores invalid IP's with no host name - @glehel
CHANGE: Include LISTEN sockets display when using 'debug', and warn if unbound is already UP
CHANGE: Bypass dnsmasq may incorrectly detect Diversion during Diversion/Ad Block switch - @tomsk
CHANGE: YouTube Ad block was installed/removed as part of the Ad Block feature. - now it is a separate Option
        and is now displayed in status '?'

[✔] unbound Logging
[✔] Ad and Tracker Blocking (No. of Adblock domains=63966,Blocked Hosts=0,Whitelist=19)
[✔] unbound CPU/Memory Performance tweaks
[✔] Router Graphical GUI statistics TAB installed
[✔] unbound-control FAST response ENABLED
[✔] DNS Firewall ENABLED
[✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)
[✔] YouTube Ad Blocking (Forcing to use YT IP 62.24.208.80)


Thanks to @juched, @tomsk, @joe scian and @glehel for testing / feedback

 

[Ubimo]

I don't understand, when should I use "i"? (instead of "u")?

 

[Martineau]

I don't understand, when should I use "i"? (instead of "u")?

Read the prompt description?

'Easy' menu mode

1  = Update unbound files and configuration

or 'Advanced' menu mode

i  = Update unbound and configuration ('/opt/var/lib/unbound/')

either of the above invoked will update/overwrite the existing unbound configuration files including Entware packages/libraries.

NOTE: For 'Advanced' menu users, it is now possible to simply update/retrieve certain files, rather than (tediously) go thru' the complete file refresh (saves 50-90 seconds?)

Option 'u' will only be displayed onscreen when there is a new version of the 'unbound_manager' script available.

u  = Update (Major) unbound_manager v3.09 -> v3.11
     or
u  = Update (Minor Hofix) unbound_manager v3.11 -> v3.11

if invoked will update 'unbound_manager.sh' ONLY (for bug fixes/new features) without impacting any executing instance of unbound

 

[juched]

Read the prompt description?

'Easy' menu mode

1  = Update unbound files and configuration

or 'Advanced' menu mode

i  = Update unbound and configuration ('/opt/var/lib/unbound/')

either of the above invoked will update/overwrite the existing unbound configuration files including Entware packages/libraries.

NOTE: For 'Advanced' menu users, it is now possible to simply update/retrieve certain files, rather than (tediously) go thru' the complete file refresh (saves 50-90 seconds?)

Option 'u' will only be displayed onscreen when there is a new version of the 'unbound_manager' script available.

u  = Update (Major) unbound_manager v3.09 -> v3.11
     or
u  = Update (Minor Hofix) unbound_manager v3.11 -> v3.11

if invoked will update 'unbound_manager.sh' ONLY (for bug fixes/new features) without impacting any executing instance of unbound

Does dnsmasq disable survive a reboot? I thought I read you saying at one point it didn’t, but from what I see I think it should.

Is it reapplied if you use the “i” command in the future? Or does it work like the scribe command where you need to apply it again?

Thank you! Great release. Does this mean I should move the YT Adblock to master branch?

 

[tomsk]

Does dnsmasq disable survive a reboot? I thought I read you saying at one point it didn’t, but from what I see I think it should.

Is it reapplied if you use the “i” command in the future? Or does it work like the scribe command where you need to apply it again?

Thank you! Great release. Does this mean I should move the YT Adblock to master branch?

its survived through 4 reboots so far for me ... but i have a fairly vanilla setup ( no VPN etc)

 

[Martineau]

Does dnsmasq disable survive a reboot? I thought I read you saying at one point it didn’t, but from what I see I think it should.

Yes 'unbound_manager' v3.11 should allow the bypass dnsmasq to be retained over a reboot.

There was some concern over the 'Use local caching DNS server as system resolver' setting:

[✔] Swapfile=1048572 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✖] Warning WAN: Use local caching DNS server as system resolver=YES see http://xxx.xxx.xxx.1:80/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
[✔] Entware NTP server is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO

but I have always run with this set to 'YES' and bypass dnsmasq has always survived a reboot.

Is it reapplied if you use the “i” command in the future? Or does it work like the scribe command where you need to apply it again?

It is indeed like the 'scribe' command etc, so is never an initial install option and must be reapplied if it is manually removed.

Does this mean I should move the YT Adblock to master branch?

Entirely up to you.....it's your (support) choice!

 

[ugandy]

It downloads the Steven black master list
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

with the adblock option enabled, does it get refreshed on a schedule?
thanks

 

[Martineau]

does it get refreshed on a schedule?
thanks

Have you checked the cru (cron) jobs? or even better GitHub

 

[tomsk]

Have you checked the cru (cron) jobs?...but the answer is YES - Daily.

beat me to it

Yes 'unbound_manager' v3.11 should allow the bypass dnsmasq to be retained over a reboot.

There was some concern over the 'Use local caching DNS server as system resolver' setting:

[✔] Swapfile=1048572 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✖] Warning WAN: Use local caching DNS server as system resolver=YES see http://xxx.xxx.xxx.1:80/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
[✔] Entware NTP server is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO

but I have always run with this set to 'YES' and bypass dnsmasq has always survived a reboot.

It is indeed like the 'scribe' command etc, so is never an initial install option and must be reapplied if it is manually removed.

Entirely up to you.....it's your (support) choice!

Local caching DNS server will be dnsmasq initially wont it?... you look for the presence of the unbound pid in the unbound.postconf which wont exist until entware starts it up.

 

[Martineau]

Local caching DNS server will be dnsmasq initially wont it?

Yes as one would expect.

... you look for the presence of the unbound pid in the unbound.postconf which wont exist until entware starts it up.

Correct! ...and if you attentively read my code.....

Q. What happens if unbound isn't UP when 'unbound.postconf' executes?

EDIT: Answer: Syslog during the boot pocess..

May  5 06:05:11 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May  5 06:05:11 (dnsmasq.postconf): 352 Starting ..... [/etc/dnsmasq.conf]

May  5 06:05:11 (dnsmasq.postconf): Updating /etc/dnsmasq.conf for unbound.....
May  5 06:05:11 (dnsmasq.postconf): FAILSAFE: dnsmasq reset as primary DNS for ALL LAN clients.

 

[penguin22]

Coming from 3.11b3, the update didn't seem to want to get rid of the b3 and hash didn't match. I ended up removing and reloading, though dnsmasq needed to be enabled and then disabled following the reload for clients to resolve DNS.

Since a greenfield reload of things a week ago, I didn't install Diversion, relying on the unbound AD-block, though notice an erroneous grep notice on a clean install

        Version=3.11
        Local                                           md5=6819dc92f908c0604f910eb11913f2d5
        Github                                          md5=6819dc92f908c0604f910eb11913f2d5
        /jffs/addons/unbound/unbound_manager.md5        md5=6819dc92f908c0604f910eb11913f2d5

        Router Configuration recommended pre-reqs status:

        [✔] Swapfile=2097148 kB
        [✔] DNS Filter=ON
        [✔] DNS Filter=ROUTER
        [✔] WAN: Use local caching DNS server as system resolver=NO
        [✔] Enable local NTP server=YES
        [✔] Enable DNS Rebind protection=NO
        [✔] Enable DNSSEC support=NO

        Options: Auto Reply='y' for User Selectable Options ('1 3 4 5') unbound Logging,Ad Block,Performance Tweaks,Firefox DoH

        [✔] unbound Logging
grep: /opt/share/diversion/.conf/diversion.conf: No such file or directory
        [✔] Ad and Tracker Blocking (No. of Adblock domains=55204,Blocked Hosts=0,Whitelist=19)
        [✔] unbound CPU/Memory Performance tweaks
        [✔] Firefox DNS-over-HTTPS (DoH) DISABLE/Blocker
        [✔] Router Graphical GUI statistics TAB installed
        [✔] unbound-control FAST response ENABLED
        [✔] DNS Firewall ENABLED
        [✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)
        [✔] YouTube Ad Blocking (Forcing to use YT IP 74.125.0.12)

        unbound Memory/Cache:

        'key-cache-size:'       8388608 (8.00 MB)
        'msg-cache-size:'       8388608 (8.00 MB)       2% used 244284  (238.56 KB)        'rrset-cache-size:'     16777216 (16.00 MB)     4% used 820803  (801.57 KB)
        System Memory/Cache:

                     total       used       free     shared    buffers     cached
        Mem:        440420     333516     106904       1384       2896      79156
        -/+ buffers/cache:     251464     188956
        Swap:      2097148          0    2097148

        About unbound: https://nlnetlabs.nl/projects/unbound/about/

        SNB Forums unbound support: https://www.snbforums.com/threads/unbound-authoritative-recursive-caching-dns-server.58967/

Aside from that, everything is working well with 3.11 and without dnsmasq, it's great seeing client IPs.

I'm still seeing the ISP when performing a DNS Leak test, though cache hit from unbound is over 90%; is there a configuration needed that will eliminate that status since unbound resolves directly to root DNS directly?

 

[Torson]

The upgrade from 3.11b3 to 3.11 didn't show matching md5 checks. I did an 'uf' and now everything looks well with the exception of the 'grep' line mentioned by @penguin22. I do not have Diversion installed.