Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[kernol]

@L&LD - I have RT-AC86U and can confirm your performance tweaks [but with 2 threads] working very well indeed.
I do not have IP6 enabled on the router.

In my testing I "throw the book" at the router - pushing multiple DNS requests from multiple devices at the same time [several thousand]
Absolutely zero hiccups [see my signature for all add-ons running happily with unbound] - and 86U behaving like its on STEROIDS .

@Martineau - congrats on the new thread - and the fully amazing implementation of a complex concept made utterly easy for non-coders like me {Major Thumbs Up}.

 

[L&LD]

The defaults for Unbound work very well and showcase convincingly how much we need to use this program on any supported Asus/RMerlin router. All you have to do is install it at bare defaults and answering 'no' (by pressing the Enter button in unbound_manager v2.06) to each question presented. Now, go browse your favorite sites. Make sure to open links within the main site to see unbound at work. Open amtm in a PuTTY session (or the terminal of your choice) and check for updates, or, simply see how fast your shares show up on your NAS or other shared network drives and compare how the network responded before.

With the link to the nitty-gritty details of how Unbound works under the hood, I thought I would see what changes I could make, if any, to make my network respond faster.

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

The link above is what I'm trying to comprehend and implement in my suggestions below for improved performance over the original defaults.

I also answer 'y' to the installer ('i') when asked for the CPU/Memory Performance tweaks (stuning), so the 'defaults/Orig' values below may reflect that too.

My current router is a 4 core, 1GB RAM, RT-AX88U connected to a 1Gbps up/down symmetrical ISP (nominal) connection running RMerlin 384.15 Beta 1 firmware.

The changes I have made have been commented with what the current default was and a suggested setting for the RT-AC86U which is a 2 core, 512GB RAM router that unbound also supports.

# no threads and no memory slabs for threads
num-threads: 4                    # L&LDv1.03 (Orig 1) RT-AX88U For RT-AC86U use (2)
msg-cache-slabs: 4                # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
rrset-cache-slabs: 4                # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
infra-cache-slabs: 4                # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
key-cache-slabs: 4                # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)

# tiny memory cache
key-cache-size: 16m                # L&LDv1.03 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
msg-cache-size: 16m                # L&LDv1.03 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
rrset-cache-size: 32m                # L&LDv1.03 (Orig 16m) RT-AX88U For RT-AC86U use (16m)
cache-max-ttl: 21600              
cache-min-ttl: 0                # L&LDv1.03 (Orig 5) RT-AX88U or RT-AC86U
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 1024                # L&LDv1.03 (Orig 600) RT-AX88U For RT-AC86U use (1024)
outgoing-num-tcp: 256                # L&LDv1.03 (Orig 100) RT-AX88U For RT-AC86U use (512)
ip-ratelimit: 0                    # L&LDv1.03 (Orig 100) RT-AX88U For RT-AC86U use (0)
edns-buffer-size: 4096                # L&LDv1.03 RT-AX88U (Orig (1472) v1.01 as per @dave14305 minimal config)

Some key points to note about the changes above. Please refer to the link above and offer corrections on my assumptions.

​

Proceed only if you take full responsibility for any possible disruptions
to your network or your working router configuration.
I will try to explain each change I've made, but it is up to you to understand
how this may impact your router and the network.​

Before making any changes to your unbound.conf file located in /opt/var/lib/unbound/ make a backup and store it in a safe location.

1. num-threads:
   1. This should equal the number of Cores your router's CPU has. For the RT-AX88U: 4.
2. The following should all be the same:
   1. msg-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   2. rrset-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   3. infra-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   4. key-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
3. key-cache-size:
   1. The largest value that didn't crash the RT-AX88U: 16m.
4. msg-cache-size:
   1. The largest value that didn't crash the RT-AX88U: 16m.
5. rrset-cache-size:
   1. This value should be twice the value of the msg-cache-size above. For the RT-AX88U: 32m.
6. cache-min-ttl: '0' is the (DNS) servers' default value (anything else here over-rides that).
7. incoming-num-tcp: '1024' is the maximum value allowed (except in a Linux build).
8. outgoing-num-tcp: '256' is 1024 divided by the number of cores.
9. ip-ratelimit: '0' disables global rate-limiting per IP address. Look at the link above to see if you want to change from the '5' default.
10. edns-buffer-size: '4096' is the RFC recommended value.

With the above settings for my RT-AX88U, surfing and networking performance seems to be at a peak but I welcome any suggestions to make it even faster and more reliable too.


Finally, I'll repeat here what I've posted previously:

I recommend having both PuTTY and WinSCP open when trying this (or your terminal and editors of choice).

Use WinSCP to keep the unbound.conf file open (make sure you hit save after any changes, of course).

Use PuTTY to issue an 'rs' restart command to unbound_manager after saving your changes.

Restart unbound_manager and after it starts up normally see if the unbound.log file is 'clean' (using WinSCP). Make sure to refresh the file a few times. If you are using Scribe and uiScribe, you can see this output in System Log and the 'unbound.log' log.

(If you have installed Scribe and uiScribe already from amtm, in unbound_manager, simply select 3, scribe (enter) to see the log in the GUI).

Browse some sites, making sure to click on links that stay within that main site, open up some files on your NAS, if available and report back, please.

If there is an issue, simply undo the changes you made and save the unbound.conf file again. You may need to reboot the router to be able to issue an 'rs' command again though.

Remember to reboot the router and test afterward too that unbound is still running (let your router settle for 5 minutes or so before testing after the reboot).

The default settings should work with all routers. But if you're using a router other than the RT-AC86U or the RT-AX88U that is also dual-core, change just the following from their default values:

1. num-threads: 2
   
2. cache-min-ttl: 0
   
3. incoming-num-tcp: 1024
   
4. outgoing-num-tcp: 256
   
5. ip-ratelimit: 0
   
6. edns-buffer-size: 4096

And most of all, I would recommend running your networks with the unbound_manager defaults for at least a few hours of actual use. Then, see if the changes above improve on that.


Thank you @rgnldo and @Martineau and the many others who created this for Asus/RMerlin users!

Happy, fast and 'snappy' network browsing to all!

I hope this small 'guide' allows us to find (and share) the best settings for Unbound for each of us.

 

[Treadler]

The defaults for Unbound work very well and showcase convincingly how much we need to use this program on any supported Asus/RMerlin router. All you have to do is install it at bare defaults and answering 'no' (by pressing the Enter button in unbound_manager v2.06) to each question presented. Now, go browse your favorite sites. Make sure to open links within the main site to see unbound at work. Open amtm in a PuTTY session (or the terminal of your choice) and check for updates, or, simply see how fast your shares show up on your NAS or other shared network drives and compare how the network responded before.

With the link to the nitty-gritty details of how Unbound works under the hood, I thought I would see what changes I could make, if any, to make my network respond faster.

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

The link above is what I'm trying to comprehend and implement in my suggestions below for improved performance over the original defaults.

I also answer 'y' to the installer ('i') when asked for the CPU/Memory Performance tweaks (stuning), so the 'defaults/Orig' values below may reflect that too.

My current router is a 4 core, 1GB RAM, RT-AX88U connected to a 1Gbps up/down symmetrical ISP (nominal) connection running RMerlin 384.15 Beta 1 firmware.

The changes I have made have been commented with what the current default was and a suggested setting for the RT-AC86U which is a 2 core, 512GB RAM router that unbound also supports.

# no threads and no memory slabs for threads
num-threads: 4                    # L&LDv1.03 (Orig 1) RT-AX88U For RT-AC86U use (2)
msg-cache-slabs: 4                # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
rrset-cache-slabs: 4                # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
infra-cache-slabs: 4                # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
key-cache-slabs: 4                # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)

# tiny memory cache
key-cache-size: 16m                # L&LDv1.03 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
msg-cache-size: 16m                # L&LDv1.03 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
rrset-cache-size: 32m                # L&LDv1.03 (Orig 16m) RT-AX88U For RT-AC86U use (16m)
cache-max-ttl: 21600              
cache-min-ttl: 0                # L&LDv1.03 (Orig 5) RT-AX88U or RT-AC86U
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 1024                # L&LDv1.03 (Orig 600) RT-AX88U For RT-AC86U use (1024)
outgoing-num-tcp: 256                # L&LDv1.03 (Orig 100) RT-AX88U For RT-AC86U use (512)
ip-ratelimit: 0                    # L&LDv1.03 (Orig 100) RT-AX88U For RT-AC86U use (0)
edns-buffer-size: 4096                # L&LDv1.03 RT-AX88U (Orig (1472) v1.01 as per @dave14305 minimal config)

Some key points to note about the changes above. Please refer to the link above and offer corrections on my assumptions.

​

Proceed only if you take full responsibility for any possible disruptions
to your network or your working router configuration.
I will try to explain each change I've made, but it is up to you to understand
how this may impact your router and the network.​

Before making any changes to your unbound.conf file located in /opt/var/lib/unbound/ make a backup and store it in a safe location.

1. num-threads:
   1. This should equal the number of Cores your router's CPU has. For the RT-AX88U: 4.
2. The following should all be the same:
   1. msg-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   2. rrset-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   3. rrset-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   4. infra-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   5. key-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
3. key-cache-size:
   1. The largest value that didn't crash the RT-AX88U: 16m.
4. msg-cache-size:
   1. The largest value that didn't crash the RT-AX88U: 16m.
5. rrset-cache-size:
   1. This value should be twice the value of the msg-cache-size above. For the RT-AX88U: 32m.
6. cache-min-ttl: '0' is the (DNS) servers' default value (anything else here over-rides that).
7. incoming-num-tcp: '1024' is the maximum value allowed (except in a Linux build).
8. outgoing-num-tcp: '256' is 1024 divided by the number of cores.
9. ip-ratelimit: '0' disables global rate-limiting per IP address. Look at the link above to see if you want to change from the '5' default.
10. edns-buffer-size: '4096' is the RFC recommended value.

With the above settings for my RT-AX88U, surfing and networking performance seems to be at a peak but I welcome any suggestions to make it even faster and more reliable too.


Finally, I'll repeat here what I've posted previously:

I recommend having both PuTTY and WinSCP open when trying this (or your terminal and editors of choice).

Use WinSCP to keep the unbound.conf file open (make sure you hit save after any changes, of course).

Use PuTTY to issue an 'rs' restart command to unbound_manager after saving your changes.

After restarting unbound_manager and it starts up normally, see if the unbound.log file is 'clean' (using WinSCP). Make sure to refresh the file a few times. If you are using Scribe and uiScribe, you can see this output in System Log and the 'unbound.log' log.

(If you have installed Scribe and uiScribe already from amtm, in unbound_manager, simply select 3, scribe (enter) to see the log in the GUI).

Browse some sites, making sure to click on links that stay within that main site, open up some files on your NAS, if available and report back, please.

If there is an issue, simply undo the changes you made and save the unbound.conf file again. You may need to reboot the router to be able to issue an 'rs' command again though.

Remember to reboot the router and test afterward too that unbound is still running (let your router settle for 5 minutes or so before testing after the reboot).

The default settings should work with all routers. But if you're using a router other than the RT-AC86U or the RT-AX88U that is also dual-core, change just the following from their default values:

1. num-threads: 2
   
2. cache-min-ttl: 0
   
3. incoming-num-tcp: 1024
   
4. outgoing-num-tcp: 256
   
5. ip-ratelimit: 0
   
6. edns-buffer-size: 4096

And most of all, I would recommend running your networks with the unbound_manager defaults for at least a few hours of actual use. Then, see if the changes above improve on that.


Thank you @rgnldo and @Martineau and the many others who created this for Asus/RMerlin users!

Happy, fast and 'snappy' network browsing to all!

I hope this small 'guide' allows us to find (and share) the best settings for Unbound for each of us.

Nice work!

 

[joe scian]

Hi L&LD - you have this mentioned twice above

1. rrset-cache-slabs:
   1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.

 

[DeDragonSlayer]

I hope this small 'guide' allows us to find (and share) the best settings for Unbound for each of us.

First of all, thanks a lot for your time investigating this. I have copied your recommended settings for my AX88U and everything runs really nicely at lightning speed.

On a side note, before installing Unbound, every so often I used to run Steve Gibson's DNS Benchmark to find out the fastest DNS servers.
Running DNS Benchmark now gives random and meaningless results, which I suppose is to be expected. But what is interesting is that the 192.168.1.1 IP (which is my router) now consistently returns the worst results of the bunch, while before Unbound it was one of the fastest, especially caching-wise. Which is a bit weird, I suppose. Unless there is some bit of configuration I have missed somewhere along the line?

 

[SomeWhereOverTheRainBow]

This thread is for the discussion topic : unbound_manager script.

'Advanced' mode

View attachment 21219

'Easy' mode

View attachment 21220


INSTALLATION;

Pre-reqs:

• Asus Router running the RMerlin firmware (see AsusWRT-Merlin)
  
• Entware must be installed (Many popular 3rd Party scripts now require Entware e.g. amtm)

Manual installation of unbound - like most tasks - is easy once you know how, but for non-techies, why spend time frustratingly typing in cryptic text/commands into the router when you could simply let someone else facilitate the task, who will remain accountable when it goes wrong!

If you are running amtm v3.x.x, then 'ud - unbound' may appear as a selectable installer option, otherwise see the one-line command unbound_manager Manual Installation

This unbound_manager.sh script is hosted on GitHub, and you can follow the development history here.

Good job with giving this bird wings to fly. @Martineau && @Jack Yaz

 

[LimJK]

L&LD,

Thanks for sharing what you have done and hours you spent. After reading on the sideline for about 2 weeks, I have decided to have a go at "unbound" using unbound_manager v2.06 this morning, however, I only have the very basic unbound, by skipping all the more advanced options for the start.

So far things are running as it should. After that, I will follow your guide for some optimisation on my RT-AX88U v1 (). Oh, I do not use iPv6 as my ISP has somehow not been able to get it working for me for over a year. So I will stick to iPv4 for now.

 

[Mutzli]

@Mutzli, depending on what you have running on your router currently, it works great.

Everything looks good so far. Have it running in advance mode with all the options enabled.

 

[skeal]

Hey fellow unbound user's can someone tell me why when using unbound and setting DoT on the router to cloudflare, when I run a dnsleak.com test, I'm seeing 2 USA servers I've never seen before? I should see either cloudflare in Toronto or Richmond.

 

[Martineau]

The default settings should work with all routers. But if you're using a router other than the RT-AC86U or the RT-AX88U that is also dual-core, change just the following from their default values:

1. num-threads: 2
   
2. cache-min-ttl: 0
   
3. incoming-num-tcp: 1024
   
4. outgoing-num-tcp: 256
   
5. ip-ratelimit: 0
   
6. edns-buffer-size: 4096

For the convenience of those that can't resist tinkering on the weekend (you know who you are! ), I have added your tweaks above (except for the change in the number of threads) to the 'dev' Github branch.

So if anyone wants to try them, simply use the 'dev' keyword when using the 'i = Update unbound Installation'

e.g. only enable logging

e  = Exit Script

A:Option ==> i 1 dev

and during the update/install you will see

Use

e  = Exit Script

A:Option ==> v

to confirm 'unbound.conf' 'v1.04a' has been downloaded from the GitHub 'dev' branch'.

Obviously, to backout the pre-release alpha? 'unbound.conf' v1.04a simply rerun the update without the 'dev' keyword.

 

[Mutzli]

After I did a router reboot the clients couldn't get an internet connection. The internet was up on the router but the clients were locked out. I checked the router settings and they are as recommended with DNS Filter = On and set to Router. What could have gone wrong.

 

[Martineau]

After I did a router reboot the clients couldn't get an internet connection. The internet was up on the router but the clients were locked out. I checked the router settings and they are as recommended with DNS Filter = On and set to Router. What could have gone wrong.

Does the menu appear when you run

unbound_manager

if it doesn't, run

unbound_manager   nochk

and you should be able to access the unbound_manager menu to uninstall unbound to restore Internet connectivity.

Did you install the CPU/Performance tweaks?

 

[skeal]

Hey fellow unbound user's can someone tell me why when using unbound and setting DoT on the router to cloudflare, when I run a dnsleak.com test, I'm seeing 2 USA servers I've never seen before? I should see either cloudflare in Toronto or Richmond.

The servers listed are the servers provided by my Torguard VPN service. My dnsfilter is set to router with my VPN dns set to disabled and two devices on the VPN use 1.1.1.1. Why is this all messed up?

 

[Mutzli]

Does the menu appear when you run

unbound_manager

if it doesn't, run

unbound_manager   nochk

and you should be able to access the unbound_manager menu to uninstall unbound to restore Internet connectivity.

Did you install the CPU/Performance tweaks?

It seems everything runs:

 

[skeal]

The servers listed are the servers provided by my Torguard VPN service. My dnsfilter is set to router with my VPN dns set to disabled and two devices on the VPN use 1.1.1.1. Why is this all messed up?

I've tried a few different things and still no luck my dns still leaks or whatever you call that. Will have to uninstall soon.

 

[Mutzli]

Does the menu appear when you run

unbound_manager

if it doesn't, run

unbound_manager   nochk

and you should be able to access the unbound_manager menu to uninstall unbound to restore Internet connectivity.

Did you install the CPU/Performance tweaks?

I uninstalled and reinstalled everything and now it works after rebooting the router. Client access is restored. Unfortunately I had the log disabled when the connection went down.

 

[skeal]

Ok I've got it narrowed down to this unbound doesn't allow you to use disabled in OVPN client settings or it leaks. It adds servers in the US I have never seen before. If I'm doing something stupid tell me what I should be doing here please.

 

[heysoundude]

Hey fellow unbound user's can someone tell me why when using unbound and setting DoT on the router to cloudflare, when I run a dnsleak.com test, I'm seeing 2 USA servers I've never seen before? I should see either cloudflare in Toronto or Richmond.

Massapequa...that’s quite a ways from you in Sask. Very good question, but it may be one for Cloudflare or possibly your provider. Or, unbound is has found the fastest internet route and latched on, maybe?


Sent from my iPhone using Tapatalk

 

[skeal]

Massapequa...that’s quite a ways from you in Sask. Very good question, but it may be one for Cloudflare or possibly your provider. Or, unbound is has found the fastest internet route and latched on, maybe?


Sent from my iPhone using Tapatalk

It has me stumped!

 

[dave14305]

Ok I've got it narrowed down to this unbound doesn't allow you to use disabled in OVPN client settings or it leaks. It adds servers in the US I have never seen before. If I'm doing something stupid tell me what I should be doing here please.

Unbound isn’t really aware of your VPN. It just sits behind dnsmasq, so anything that would normally use your router for DNS will go through Unbound.

If Unbound is working properly, it should show your WAN IP as DNS server in leak tests.

You’ve had quite a streak of bad luck this week.