Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[dave14305]

Now I'm confused. When unbound is off I can access the website even though it's blocked in Skynet. When unbound is on it's blocked.

Yes, because when Unbound is off, you're using a WAN DNS server that isn't residing in a banned country. It's the authoritative DNS server that's banned, not the website.

 

[Mutzli]

Yes, because when Unbound is off, you're using a WAN DNS server that isn't residing in a banned country. It's the authoritative DNS server that's banned, not the website.

Thank you, that makes total sense. Now I have figure out why hulu stopped working.

 

[Stevens243]

I uninstalled unbound with unbound_manager and rebooted.
I redownloaded the script with amtm and installed unbound_manager with all defaults.
I enabled logging.
I enabled scribe
I set verbosity to 4.

With Chrome, I navigated to usaa.com. It loaded fine.
I refreshed the page, and got the blank page: A brief flash of the top of the blue banner and then all white.

With Firefox, I navigated to usaa.com and it loaded fine. I reloaded the page several times. I closed Firefox and then reloaded the page fine; Chrome still blank. I closed Firefox again, reloaded the page, and got a blank: same flash and white.

I ran a diff between my log file and yours, and they are completely different from the get-go but it doesn't seem to be a fail:

Feb 11 16:49:00 RT-AC86U unbound: [32101:0] query: 127.0.0.1 usaa.com. A IN
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 usaa.com. A IN NOERROR 0.000000 1 42
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] query: 127.0.0.1 usaa.com. A IN
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 usaa.com. A IN NOERROR 0.000000 1 42
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] query: 127.0.0.1 usaa.com. A IN
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 usaa.com. A IN NOERROR 0.000000 1 42
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] query: 127.0.0.1 usaa.com. AAAA IN
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 usaa.com. AAAA IN NOERROR 0.000000 1 79
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] query: 127.0.0.1 www.usaa.com. A IN
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 www.usaa.com. A IN NOERROR 0.000000 1 119
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] query: 127.0.0.1 www.usaa.com. A IN
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 www.usaa.com. A IN NOERROR 0.000000 1 119
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e6962.b.akamaiedge.net. A IN
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e6962.b.akamaiedge.net. A IN NOERROR 0.008633 0 56
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e6962.b.akamaiedge.net. AAAA IN
Feb 11 16:49:00 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e6962.b.akamaiedge.net. AAAA IN NOERROR 0.000000 1 101
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 content.usaa.com. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 content.usaa.com. A IN NOERROR 0.000000 1 123
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 s.go-mpulse.net. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 s.go-mpulse.net. AAAA IN NOERROR 0.000000 1 172
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 mboxedge17.tt.omtrdc.net. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 mboxedge17.tt.omtrdc.net. AAAA IN NOERROR 0.000000 1 111
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 api.usaa.com. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 api.usaa.com. A IN NOERROR 0.000000 1 119
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 api.usaa.com. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 api.usaa.com. A IN NOERROR 0.000000 1 119
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e6968.b.akamaiedge.net. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e6968.b.akamaiedge.net. A IN NOERROR 0.011016 0 56
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e6968.b.akamaiedge.net. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e6968.b.akamaiedge.net. AAAA IN NOERROR 0.000000 1 101
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 c.go-mpulse.net. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 c.go-mpulse.net. AAAA IN NOERROR 0.000000 1 200
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 tms.usaa.com. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 tms.usaa.com. A IN NOERROR 0.000000 1 119
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 tms.usaa.com. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 tms.usaa.com. A IN NOERROR 0.000000 1 119
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e7059.x.akamaiedge.net. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 tags.tiqcdn.com. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 tags.tiqcdn.com. AAAA IN NOERROR 0.000000 1 123
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e7059.x.akamaiedge.net. A IN NOERROR 0.011858 0 56
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e7059.x.akamaiedge.net. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e7059.x.akamaiedge.net. AAAA IN NOERROR 0.000000 1 101
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 dpm.demdex.net. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 dpm.demdex.net. AAAA IN NOERROR 0.000000 1 222
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 www.everestjs.net. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 www.everestjs.net. AAAA IN NOERROR 0.000000 1 169

Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 da.usaa.com. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 da.usaa.com. A IN NOERROR 0.000000 1 118
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com. AAAA IN NOERROR 0.000000 0 150
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 scontent.xx.fbcdn.net. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 scontent.xx.fbcdn.net. A IN NOERROR 0.025262 0 55
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 scontent.xx.fbcdn.net. A IN NOERROR 0.051173 0 55
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 scontent.xx.fbcdn.net. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 scontent.xx.fbcdn.net. AAAA IN NOERROR 0.000000 1 67
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 gb.usaa360.com. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 gb.usaa360.com. A IN NOERROR 0.000000 1 121
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 gb.usaa360.com. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 gb.usaa360.com. A IN NOERROR 0.000000 1 121
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e8561.x.akamaiedge.net. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e8561.x.akamaiedge.net. A IN NOERROR 0.013634 0 56
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e8561.x.akamaiedge.net. AAAA IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e8561.x.akamaiedge.net. AAAA IN NOERROR 0.000000 1 101
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] query: 127.0.0.1 gb.usaa360.com. A IN
Feb 11 16:49:01 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 gb.usaa360.com. A IN NOERROR 0.000000 1 121

Feb 11 16:49:04 RT-AC86U unbound: [32101:0] query: 127.0.0.1 localhost. SSHFP IN
Feb 11 16:49:04 RT-AC86U unbound: [32101:0] info: localhost. redirect 127.0.0.1@46630 localhost. SSHFP IN
Feb 11 16:49:04 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 localhost. SSHFP IN NOERROR 0.000000 1 88
Feb 11 16:49:04 RT-AC86U unbound: [32101:0] query: 127.0.0.1 localhost. SSHFP IN
Feb 11 16:49:04 RT-AC86U unbound: [32101:0] info: localhost. redirect 127.0.0.1@55083 localhost. SSHFP IN
Feb 11 16:49:04 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 localhost. SSHFP IN NOERROR 0.000000 1 88
Feb 11 16:49:11 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e8561.x.akamaiedge.net. AAAA IN
Feb 11 16:49:11 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e8561.x.akamaiedge.net. AAAA IN NOERROR 0.000000 1 101
Feb 11 16:49:11 RT-AC86U unbound: [32101:0] query: 127.0.0.1 l.usaa.com. A IN
Feb 11 16:49:11 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 l.usaa.com. A IN NOERROR 0.000000 1 117
Feb 11 16:49:11 RT-AC86U unbound: [32101:0] query: 127.0.0.1 e6962.b.akamaiedge.net. AAAA IN
Feb 11 16:49:11 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 e6962.b.akamaiedge.net. AAAA IN NOERROR 0.000000 1 101
Feb 11 16:49:12 RT-AC86U unbound: [32101:0] query: 127.0.0.1 mtalk.google.com. A IN
Feb 11 16:49:12 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 mtalk.google.com. A IN NOERROR 0.000000 1 79
Feb 11 16:49:18 RT-AC86U unbound: [32101:0] query: 127.0.0.1 17.client-channel.google.com. A IN
Feb 11 16:49:18 RT-AC86U unbound: [32101:0] reply: 127.0.0.1 17.client-channel.google.com. A IN NOERROR 0.000000 1 62

Before I got quite this far, I uninstalled Unbound, rebooted and still have no USAA access...I'm looking into other things.

(Solved). Purge your pixelserv-tls certs and re-issue them. Flush browser cache if needed and then re-install Unbound. I know that I used the "use pixelserv for the webui" function in AMTM on Sunday to see if it worked. But, purging the certificate and doing it over solved this issue for me.

More data: in Diversion select EP, then opt 3 and purge the TLS domain cert.

 

[elorimer]

A few things:

1. Thanks, @Martineau, for this script. I've installed and uninstalled unbound a few times today, exploring, and I would never have waded in without the script.
2. The problem with USAA is, I think, unrelated to unbound or pixelserv. I've uninstalled unbound and purged the pixelserv domain certs (but NOT the ca.crt, oy what a headache that would be), rebooted everything and I still have the problem.
3. Using the old school Diversion log follow, I see going to usaa.com produces a lot of blocked domains:

20:10:43 blocked by blockinglist usaa.tt.omtrdc.net
 20:10:43 blocked by blockinglist s.go-mpulse.net
 20:10:44 blocked by blockinglist tags.tiqcdn.com
 20:10:44 blocked by blockinglist dpm.demdex.net
 20:10:44 blocked by blockinglist www.everestjs.net
 20:10:44 blocked by blockinglist www.google-analytics.com
 20:10:44 blocked by blockinglist www.googletagmanager.com
 20:10:44 blocked by blockinglist datacloud.tealiumiq.com
 20:10:44 blocked by blockinglist d.agkn.com
 20:10:44 blocked by blockinglist sp.analytics.yahoo.com
 20:10:44 blocked by blockinglist browser.pipe.aria.microsoft.com

If I unblock the first one, the pages load fine. So, sorry for the detour, nothing to see here.
Except USAA and I will have a few words after googling tt.omtrdc.net:

Adobe Target is the Adobe Experience Cloud solution that provides everything you need to tailor and personalize your customers' experience so you can maximize revenue on your web and mobile sites, apps, social media, and other digital channels.

Also, since I will be away from this mission-critical location for 2 months, I've left things as they were before (as to which, see #1) and will explore this further on a 56U and 87U.

 

[Safemode]

Please see post #261 and provide feedback if it still fails.

Everything is working perfectly. Thank you again for looking into this.

 

[SomeWhereOverTheRainBow]

Now I'm confused. When unbound is off I can access the website even though it's blocked in Skynet. When unbound is on it's blocked.

unbound is providing a cleaner name resolution.

 

[Kingp1n]

If I uninstall unbound, what's the process to remove unbound.logs thru the GUI under system logs? Thanks

I installed unbound but the logs tab is still showing up.

 

[Stevens243]

A few things:

1. Thanks, @Martineau, for this script. I've installed and uninstalled unbound a few times today, exploring, and I would never have waded in without the script.
2. The problem with USAA is, I think, unrelated to unbound or pixelserv. I've uninstalled unbound and purged the pixelserv domain certs (but NOT the ca.crt, oy what a headache that would be), rebooted everything and I still have the problem.
3. Using the old school Diversion log follow, I see going to usaa.com produces a lot of blocked domains:

20:10:43 blocked by blockinglist usaa.tt.omtrdc.net
 20:10:43 blocked by blockinglist s.go-mpulse.net
 20:10:44 blocked by blockinglist tags.tiqcdn.com
 20:10:44 blocked by blockinglist dpm.demdex.net
 20:10:44 blocked by blockinglist www.everestjs.net
 20:10:44 blocked by blockinglist www.google-analytics.com
 20:10:44 blocked by blockinglist www.googletagmanager.com
 20:10:44 blocked by blockinglist datacloud.tealiumiq.com
 20:10:44 blocked by blockinglist d.agkn.com
 20:10:44 blocked by blockinglist sp.analytics.yahoo.com
 20:10:44 blocked by blockinglist browser.pipe.aria.microsoft.com

If I unblock the first one, the pages load fine. So, sorry for the detour, nothing to see here.
Except USAA and I will have a few words about googling tt.omtrdc.net:

Adobe Target is the Adobe Experience Cloud solution that provides everything you need to tailor and personalize your customers' experience so you can maximize revenue on your web and mobile sites, apps, social media, and other digital channels.

Also, since I will be away from this mission-critical location for 2 months, I've left things as they were before (as to which, see #1) and will explore this further on a 56U and 87U.

Hmmph. It worked when I checked it after purging the TLS domain cert, but I saw your post, rechecked and not working again. So, I checked and the tt.omtrdc is being blocked and whitelisting it in diversion solved it.

But now, I cannot uninstall Unbound either. Opt Z, then Y and it says Uninstall cancelled. No difference after a reboot either

 

[smkk]

[✖] ***Warning Entware NTP Server installed but not running?

I already reinstall unbound and reboot the router, but still getting this error.

Anyone facing this problem?

 

[SomeWhereOverTheRainBow]

[✖] ***Warning Entware NTP Server installed but not running?

I already reinstall unbound and reboot the router, but still getting this error.

Anyone facing this problem?

it is a known issue, many attempts have been made to fix this issue. for now it shall be dubbed parking lot.

 

[L&LD]

@smkk, what router? What firmware version? What scripts do you have installed?

 

[Martineau]

If I uninstall unbound, what's the process to remove unbound.logs thru the GUI under system logs? Thanks

I installed unbound but the logs tab is still showing up.

Not sure - I don't use the GUI.

Originally I wasn't sure if I should remove the scribe logs in case they were supposed to be retained or simply because unbound_manager hadn't actually configured scribe.

However, I can alter option 'z' which will execute the following

rm /opt/etc/syslog-ng.d/unbound /opt/var/log/unbound.log

and also restart scribe.

Not sure if this will resolve your scribe GUI issue?, but you can manually try the process and report back.

 

[Chris_J]

Those who have the 86U, have you tried the config tweaks with success? Everything is running great with the defaults, but I am far too tempted to break things.

 

[Martineau]

[✖] ***Warning Entware NTP Server installed but not running?

I already reinstall unbound and reboot the router, but still getting this error.

I assume that the Entware NTP Server was manually installed to explicitly override the native firmware NTP Server.

Subsequently the script presumes that the presence of the Entware NTP Server should take priority, but seemingly doesn't detect it running.

I suppose it could be that my assumption logic is currently flawed, and you may have previously installed the Entware NTP Server, didn't like it, so reverted to the native firmware NTP Server option, but forgot to uninstall the Entware NTP version.

However, could you please run the following two commands and post the results.

which ntpd

/opt/etc/init.d/S77ntpd check

 

[Martineau]

Those who have the 86U, have you tried the config tweaks with success? Everything is running great with the defaults, but I am far too tempted to break things.

If you are referring to these performance tweaks post #50 then I recall that at least one user has posted that they were a little too unstable so were backed out.

I personally don't use the 'unbound_config' performance tweaks, but welcome any proven settings to be added as defaults for a first install..

For the script option

o4. Customise CPU/Memory usage (Advanced Users)

I need to ensure that any performance tweaks provided by the script remain conservative/safe for a fuss free install.

Consequently, as shown at the top of post #1 this is now implemented when using '2. Advanced Install' in 'Easy' mode', as I have deemed that it is a safe decision.

P.S. Not had any negative feedback, but could it be that everyone elects for an 'Advanced' install to explicitly ignore that option. ?

 

[smkk]

I assume that the Entware NTP Server was manually installed to explicitly override the native firmware NTP Server.

which ntpd

/opt/etc/init.d/S77ntpd check

Checking ntpd... dead.

 

[Martineau]

Checking ntpd... dead.

So are you wanting/expecting to use the 'dead' Entware NTP Server?

If not, then I suggest that you uninstall it, or you should identify why it is 'dead' and fix it.

 

[Chris_J]

If you are referring to these performance tweaks post #50 then I recall that at least one user has posted that they were a little too unstable so were backed out.

I personally don't use the 'unbound_config' performance tweaks, but welcome any proven settings to be added as defaults for a first install..

For the script option

o4. Customise CPU/Memory usage (Advanced Users)

I need to ensure that any performance tweaks provided by the script remain conservative/safe for a fuss free install.

Consequently, as shown at the top of post #1 this is now implemented when using '2. Advanced Install' in 'Easy' mode', as I have deemed that it is a safe decision.

P.S. Not had any negative feedback, but it could be that everyone elects for an 'Advanced' install to explicitly ignore that option.

Thanks, I will test out the alpha version of the config and see how it goes.

 

[dave14305]

Potential conflict with Diversion email functions if you’ve installed Unbound.

Diversion - the Router Ad-Blocker

 

[JemTheWire]

Is that why I didn’t receive my weekly email stats from Diversion, I wonder?