Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Ubimo]

How can I disable dynamic logging and logging?

 

[Martineau]

Yes.
And here are the lines:

#########################################
# integration LOG's
#
#verbosity: 1                               # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
#log-tag-queryreply: yes                    # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
#log-queries: yes
#log-replies: yes
#use-syslog: yes                            # v1.02 @Martineau Let scribe/syslog-ng handle the log as it gets erased daily if Ad Block enabled :-(
#log-local-actions: yes                     # v1.02 @Martineau
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

I don't have scribe.

Edit:
Now, when I use "l" again, this shows up

E:Option ==> l

/opt/var/lib/unbound/unbound.log                Press CTRL-C to stop

Feb 13 16:14:22 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at au.
Feb 13 16:14:22 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at au.
Feb 13 16:15:22 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at au.
Feb 13 16:15:22 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at au.
Feb 13 16:15:22 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at au.
Feb 13 16:15:22 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at au.
Feb 13 16:20:23 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at a7.
Feb 13 16:20:23 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at a7.
Feb 13 16:20:23 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at a7.
Feb 13 16:20:23 unbound[1218:0] error: SERVFAIL <ctldl.windowsupdate.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at a7.

I'm running
AsusWRT Merlin 384.15
Diversion
Skynet
unbound
unbound_manager
uiDivStats

Yes, by default I configure unbound to always report SERVFAILs (blame @dave14305 ) so there is an issue with 'ctldl.windowsupdate.com' but not sure what it means

 

[Martineau]

How can I disable dynamic logging and logging?

Use the 'lo'/lx' commands ?

 

[Ubimo]

There is another strange line in the log, see the last line here:

E:Option ==> l

/opt/var/lib/unbound/unbound.log                Press CTRL-C to stop

Feb 13 16:43:17 unbound[1001:0] info:    0.065536    0.131072 12
Feb 13 16:43:17 unbound[1001:0] info:    0.131072    0.262144 19
Feb 13 16:43:17 unbound[1001:0] info:    0.262144    0.524288 2
Feb 13 16:43:17 unbound[1001:0] info:    0.524288    1.000000 1
Feb 13 16:43:17 unbound[1001:0] info:    1.000000    2.000000 5
Feb 13 16:44:54 unbound[1098:0] notice: init module 0: validator
Feb 13 16:44:54 unbound[1098:0] notice: init module 1: iterator
Feb 13 16:44:54 unbound[1098:0] info: start of service (unbound 1.9.6).
Feb 13 16:45:44 unbound[1098:0] info: generate keytag query _ta-4f66. NULL IN
Feb 13 16:59:04 unbound[1098:0] notice: ip_ratelimit exceeded 127.0.0.1 100 e947ey1x7uhwejzhguf212csah1aek7w9fw7fduk.ipleak.net. IN A

Is this normal?
I did a dnsleak test.

 

[dave14305]

There is another strange line in the log, see the last line here:

E:Option ==> l

/opt/var/lib/unbound/unbound.log                Press CTRL-C to stop

Feb 13 16:43:17 unbound[1001:0] info:    0.065536    0.131072 12
Feb 13 16:43:17 unbound[1001:0] info:    0.131072    0.262144 19
Feb 13 16:43:17 unbound[1001:0] info:    0.262144    0.524288 2
Feb 13 16:43:17 unbound[1001:0] info:    0.524288    1.000000 1
Feb 13 16:43:17 unbound[1001:0] info:    1.000000    2.000000 5
Feb 13 16:44:54 unbound[1098:0] notice: init module 0: validator
Feb 13 16:44:54 unbound[1098:0] notice: init module 1: iterator
Feb 13 16:44:54 unbound[1098:0] info: start of service (unbound 1.9.6).
Feb 13 16:45:44 unbound[1098:0] info: generate keytag query _ta-4f66. NULL IN
Feb 13 16:59:04 unbound[1098:0] notice: ip_ratelimit exceeded 127.0.0.1 100 e947ey1x7uhwejzhguf212csah1aek7w9fw7fduk.ipleak.net. IN A

Is this normal?
I did a dnsleak test.

It's due to ip-ratelimit being defined in the unbound.conf file. The default is disabled, but at some point, it was added to the installer config with 100 as a limit. You can remove that line from the file and restart unbound if you are comfortable doing that.

ip-ratelimit: 100

 

[skeal]

@L&LD I get my new router today. This one is pretty messed up. Time for a complete, manual from screenshots and memory, full setup from scratch on the new one. Looking forward to having a client list again and other nice features I lack right now. I'm going to format and reinstall all my scripts as well.

 

[Delusion]

Stubby integration not working ? (latest ver. also on previous version )

 

[Martineau]

I've uploaded v2.10 and unbound.conf v1.04

For this release ONLY - After the standard 'u' command, use of the 'i = Update unbound Installation' **REQUIRED**

FIX: Change 'unbound.conf' directive 'ip-ratelimit: 100' to 'ip-ratelimit: 0' post #465 @L&LD @dave14305
CHANGE: Similar to routers running @john9526's 384.xx LTS Release, allow unbound_manager to execute on RT-AC56U running the last ever RMerlin compatible firmware v382.6 post #398 @elorimer
NEW: Similar to the RMerlin firmware add 'unbound.conf.add' and 'unbound.postconf' capability. post #428 @RacerRon @dave14305

e.g. Example '/opt/share/unbound/configs/unbound.conf.add'

echo -e "# Example custom 'unbound.conf.add' for inclusion in the 'server:' section\nprivate-domain: \"plex.direct\"" > /opt/share/unbound/configs/unbound.conf.add

and '/opt/share/unbound/configs/unbound.postconf'

echo -e "#!/bin/sh\n\nCONFIG=\$1\\n\\nsource /usr/sbin/helper.sh\n\npc_replace \"server:\" \"server:             # unbound.postconf was here! $(date)\" \"\$CONFIG\"\n" > /opt/share/unbound/configs/unbound.postconf

running the 'i' update

##################################################################################################################################################################################### 100.0%
Retrieving Custom unbound configuration
 unbound.conf downloaded successfully
Checking IPv6.....
Customising unbound IPv6 configuration.....
Customising unbound configuration Options:
Option Auto Reply 'y' unbound Logging enabled - 'verbosity: 1'
Adding 'include: "/opt/share/unbound/configs/unbound.conf.add"  '/opt/var/lib/unbound/unbound.conf)'
Executing '/opt/share/unbound/configs/unbound.postconf'
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
Restarting dnsmasq.....
Done.
 Shutting down unbound...              done.
 Starting unbound...              done.
Auto install unbound Customisation complete 0 minutes and 8 seconds elapsed - Please wait for up to 10 seconds for status.....

Hopefully the 'include:' directive has been added after the 'server:' directive, and the current date and time stamp comment has been added to the end of the 'server:' directive use 'v' or

head -n 12 /opt/var/lib/unbound/unbound.conf

NOTE: If either of the customising files are found, then following the 'i' update, then there is no prompt to restore the previous 'unbound.conf' as it assumed that local customisation has been correctly applied post-downloaded 'unbound.config' file.

 

[dave14305]

NEW: Similar to the RMerlin firmware add 'unbound.conf.add' and 'unbound.postconf' capability. post #428 @RacerRon @dave14305

Nice! I am concerned that we're using the same filename for /jffs/addons/unbound/unbound.postconf and /opt/share/unbound/configs/unbound.postconf.

 

[Martineau]

Nice! I am concerned that we're using the same filename for /jffs/addons/unbound/unbound.postconf and /opt/share/unbound/configs/unbound.postconf.

I'm not

 

[JemTheWire]

I used the ‘i’ option to update but it was still showing v2.09.

I did it twice with the same result. However, when I used the ‘u’ command, the update went OK.

 

[Martineau]

I used the ‘i’ option to update but it was still showing v2.09.

I did it twice with the same result. However, when I used the ‘u’ command, the update went OK.

I'll speak slowly...

Menu option 'u' only appears onscreen when there is a new version of 'unbound_manager' available;either

1. Minor Hotfix (no vX.nn number change)
2. Major Release (vX.nn number change)

'i' is used to Install/Update the unbound environment, which will force update/retrieve Entware packages i.e. unbound/'unbound.conf' and the installed options to retrieve non-Entware filesetc.

 

[JemTheWire]

I speak even slower.

Note says ‘Use of the ‘i = Update unbound installation’ **REQUIRED**

That’s what I did.

Update.

My bad, apologies.

 

[L&LD]

'u' updates to a new version number.

'i' needs to be followed directly afterward to utilize all that good newness.

 

[SuperDuke]

I speak even slower.

Note says ‘Use of the ‘i = Update unbound installation’ **REQUIRED**

That’s what I did.

Could well be that 'i' only updates the unbound guts.....and not the installer itself.....so you may well have new unbound under the hood but still the same 2.09 wrapper.....??

 

[JemTheWire]

Thank you.

Sorted, thank you for the explanation.

 

[Martineau]

I speak even slower.

Note says ‘Use of the ‘i = Update unbound installation’ **REQUIRED**

That’s what I did.

After being informed there is a new 'unbound_manager.sh' script available (either via amtm or because the 'u' message appears on screen), then the only way to update the script (or not) is to use the 'u' command.

This has always been the case since the first releases.

So, having used 'u' to update the script most assumed that it was mandatory to always follow it with the 'i' command, but 99% of the time it isn't necessary to disrupt unbound, but for this v2.10 release it is highly recommended to take the hit.

 

[kernol]

This is an update to the previous post about optimizing unbound.conf. Please read at the link below for further information.

https://www.snbforums.com/threads/r...recursive-dns-server.61669/page-3#post-548469

.....
For the RT-AC86U? Someone else (who has the router in use) needs to test the limits and report back to us.

For anything below the two HND models (RT-AX88U and the RT-AC86U)? Who wants to be a pioneer?

Opening up a shortcut folder (Open all) of 25 or 40 links in Edge Chromium has never happened so quickly before.

Metrics on these kinds of improvements? Like driving a fine car and trying to explain it to someone who only drives a horse and buggy.

You just have to get behind the wheel to find out.

These tweaked settings have been working really well on my RT-AC86U - no crashes and impressive speeds.
RAM consumption runs up to 95% and stays there with small use of Swap file.
Just wish we didn't lose these conf settings and trash the cache to start all over again every time it is necessary to run "u" followed by "i" .

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 16m
rrset-cache-size: 32m
cache-max-ttl: 21600
cache-min-ttl: 0
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 1024
outgoing-num-tcp: 128
ip-ratelimit: 0                                 
edns-buffer-size: 4096

 

[Martineau]

Just wish we didn't lose these conf settings and trash the cache to start all over again every time it is necessary to run "u" followed by "i" .

As explained here after running the 'i' command (since v2.06) you have been asked

"Do you want to retain/keep your working current config?"
​

so you losing your current ACTIVE 'unbound.config' is by choice.

NOTE:As listed in the v2.10 release notes, you can now exploit the 'unbound.postconf' script to automatically re-apply your custom 'unbound.conf' tweaks every time you use the 'i' command. This gives you the best of both worlds, i.e. take advantage of any community proven tweaks added to the base unbound configuration, but allow you to seamlessly reject or merge your own requirements.

As for the cache, well now you understand you don't have to restart unbound for every script update - your wish has come true.

 

[Mutzli]

These tweaked settings have been working really well on my RT-AC86U - no crashes and impressive speeds.
RAM consumption runs up to 95% and stays there with small use of Swap file.
Just wish we didn't lose these conf settings and trash the cache to start all over again every time it is necessary to run "u" followed by "i" .

We are barely a week into this new script, some adjustments have to be expected. Losing the conf settings is really not a big deal.