Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
- Thread starter Martineau
- Start date
joe scian
Very Senior Member
Juched
"from my debugging of unbound logs at a high verbosity a couple of nights ago, I see that this causes an HTTP 301 (permanently moved) code, which unbound fails on. It redirects to the HTTPS version, which currently doesn't work with unbound on that site due to the issue (https://github.com/NLnetLabs/unbound/issues/193). So, for now, even putting https in front doesn't help and just causes extra network traffic. I have tested, and for now, I would just leave URL: commented out, or remove it altogether. The file is downloaded via the RPZ script every 15 minutes and reloaded."
If you comment out url: "http://urlhaus.abuse.ch/downloads/rpz/" the following errors are obtained
"from my debugging of unbound logs at a high verbosity a couple of nights ago, I see that this causes an HTTP 301 (permanently moved) code, which unbound fails on. It redirects to the HTTPS version, which currently doesn't work with unbound on that site due to the issue (https://github.com/NLnetLabs/unbound/issues/193). So, for now, even putting https in front doesn't help and just causes extra network traffic. I have tested, and for now, I would just leave URL: commented out, or remove it altogether. The file is downloaded via the RPZ script every 15 minutes and reloaded."
If you comment out url: "http://urlhaus.abuse.ch/downloads/rpz/" the following errors are obtained
Code:
[1586862044] unbound-checkconf[30159:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586862044] unbound-checkconf[30159:0] fatal error: Could not setup authority zones
***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
juched
Very Senior Member
Ya, I saw that too, but is complaining of the file name. I tested that RPZ was working (using test site - testentry.rpz.urlhaus.abuse.ch) and the log shows RPZ applied.
I think it is an output error for check conf.
Martineau
Part of the Furniture
Try changing 'unbound.conf'
i.e.
Code:
zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone # v1.09 Match @juched's 'rpzsites'Martineau
Part of the Furniture
I pushed Beta 3.03 for testing by the brave.
EDIT: One issue with the 'DNS Firewall' occurs reported here and a workaround
i.e. 'Advanced' mode
EDIT: One issue with the 'DNS Firewall' occurs reported here and a workaround
i.e. 'Advanced' mode
Code:
e = Exit Script
A:Option ==> uf dev
Last edited:
JGrana
Very Senior Member
Still having issues with setting up the DNS firewall.
First, I uninstalled my previous Unbound/Unbound_Manager installation
I then used amtm to install Unbound_manager. After the initial installation I did not ye ant install unbound. I quite amtm and then ran unbound_manager advanced. I did an uf dev to install 3.03 Beta.
Ran unbound_manager (now 3.03 Beta) and did the Unbound install.
After unbound installed and ran fine, I then selected 7 - Enable DNS Firewall.
Here is the output:
unbound_rpz.sh downloaded successfully
Created startup hook in services-start.
Created cron job.
/jffs/addons/unbound/unbound_rpz.sh: line 150: can't open /opt/share/unbound/configs/rpzsites: no such file
Installed.
unbound DNS Firewall ENABLED
[1586871887] unbound-checkconf[12216:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586871887] unbound-checkconf[12216:0] fatal error: Could not setup authority zones
***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
Here is the relative section of unbound.conf:
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# v1.08 Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26)
# Uses @juched's script so until NLLabs fix the 'url:' download issue - assume the zonefile will be downloaded externa
# and an external cron job will update the DNS Firewall every 00:15 minutes
#
rpz:#RPZ # v1.08 DNS Firewall
name: rpz.urlhaus.abuse.ch
#url: "http://urlhaus.abuse.ch/downloads/rpz/"
zonefile: "rpz.urlhaus.abuse.ch.zone" # v1.09 Match @juched's 'rpzsites'
rpz-log: yes
rpz-log-name: "rpz.urlhaus.abuse.ch"
rpz-action-override: nxdomain
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Any advice?
First, I uninstalled my previous Unbound/Unbound_Manager installation
I then used amtm to install Unbound_manager. After the initial installation I did not ye ant install unbound. I quite amtm and then ran unbound_manager advanced. I did an uf dev to install 3.03 Beta.
Ran unbound_manager (now 3.03 Beta) and did the Unbound install.
After unbound installed and ran fine, I then selected 7 - Enable DNS Firewall.
Here is the output:
unbound_rpz.sh downloaded successfully
Created startup hook in services-start.
Created cron job.
/jffs/addons/unbound/unbound_rpz.sh: line 150: can't open /opt/share/unbound/configs/rpzsites: no such file
Installed.
unbound DNS Firewall ENABLED
[1586871887] unbound-checkconf[12216:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586871887] unbound-checkconf[12216:0] fatal error: Could not setup authority zones
***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
Here is the relative section of unbound.conf:
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# v1.08 Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26)
# Uses @juched's script so until NLLabs fix the 'url:' download issue - assume the zonefile will be downloaded externa
# and an external cron job will update the DNS Firewall every 00:15 minutes
#
rpz:#RPZ # v1.08 DNS Firewall
name: rpz.urlhaus.abuse.ch
#url: "http://urlhaus.abuse.ch/downloads/rpz/"
zonefile: "rpz.urlhaus.abuse.ch.zone" # v1.09 Match @juched's 'rpzsites'
rpz-log: yes
rpz-log-name: "rpz.urlhaus.abuse.ch"
rpz-action-override: nxdomain
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Any advice?
Martineau
Part of the Furniture
see this post
I was hoping not to have to force a new version 1.10 of 'unbound.conf' for 'unbound_manager' v3.03 because then the user must always ensure that they accept the new default configuration, and will need to manually reapply the firewall.
To be honest I don't think use of the 'i' command is that much of an imposition, given the availability of 'dnsmasq.conf.add' / 'dnsmasq.postconf' to auto-apply any custom tweaks.
You can see what I mean to have the problem fix itself
Code:
e = Exit Script
A:Option ==> i dev
Last edited:
D
Deleted member 62525
Guest
Your unbound.conf should have this
rpz:#RPZ # v1.08 DNS Firewall
name: rpz.urlhaus.abuse.ch
url: "http://urlhaus.abuse.ch/downloads/rpz/"
zonefile: "rpz.urlhaus.abuse.ch.zone" # v1.09 Match @juched's 'rpzsites'
rpz-log: yes
rpz-log-name: "rpz.urlhaus.abuse.ch"
rpz-action-override: nxdomain
Also, confirm that rpz.urlhaus.abuse.ch.zone file exists in the same location as unbound.conf. Further make sure you have rpzsites file in /opt/share/unbound/configs location.
Martineau
Part of the Furniture
see this error report by @joe scian
So with the 'url:' statement' you get 'hidden' errors, without it, then you need to use a full path to the 'zonefile:' as it appears even if the file physically exists, unbound throws a hissy fit with just the implied relative path.
Last edited:
Martineau
Part of the Furniture
Please have a little patience, I'm sure they will appear when the scripting is ready.
i.e. the implementation of the 'DNS Firewall' isn't fully fool-proof (yet) and hasn't even been made installable to the masses, but whilst the feasibility study proves it works, I'm not sure how well it scales in the real world.
So out of interest, how many 'DNS Firewall' events are you experiencing, that need to be charted statistically in the GUI?
Last edited:
Martineau
Part of the Furniture
Well in the couple of days that I have had the DNS Firewall ENABLED I don't believe I have had any real- world DNS Firewall blocked events.
but wait, would you believe it! I do have one.....
Recommended Scribe logging (use '/opt/var/lib/unbound/unbound.log' if using the unbound log)
Code:
grep RPZ /opt/var/log/unbound.log
Apr 14 18:08:19 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] testentry.rpz.urlhaus.abuse.ch. nxdomain 127.0.0.1@33916 testentry.rpz.urlhaus.abuse.ch. A INSummarise the observed interval count - first by Hourly Total and then (after the separator '---') sub-Total by Minute
Code:
awk '/RPZ/ {print $1" "$2" "$3}' /opt/var/log/unbound.log | awk -F: '{h[$1]++;m[$1":"$2]++;}END{for(x in h)print x,h[x]; print "---"; for(x in m)print x,m[x]}'
Apr 14 18 1
---
Apr 14 18:08 1
Last edited:
JGrana
Very Senior Member
Hi @Martineau. I ended up bailing on using the supplied script to create/update the zone file.
I did use the script to make a simplified cron script:
Seems to be working fine. I attempted to access a few places in the zone file. This showed in the unbound.log:
Apr 14 15:55:40 unbound[31043:0] query: 127.0.0.1 49parallel.ca. A IN
Apr 14 15:55:40 unbound[31043:0] info: RPZ applied [rpz.urlhaus.abuse.ch] 49parallel.ca. nxdomain 127.0.0.1@7255 49parallel.ca. A IN
Apr 14 15:55:40 unbound[31043:0] reply: 127.0.0.1 49parallel.ca. A IN NXDOMAIN 0.000000 1 31
Apr 14 15:55:40 unbound[31043:0] query: 127.0.0.1 www.49parallel.ca. A IN
Apr 14 15:55:40 unbound[31043:0] reply: 127.0.0.1 www.49parallel.ca. A IN NOERROR 0.185061 0 65
I did use the script to make a simplified cron script:
Code:
#!/bin/sh
curl -o /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone "https://urlhaus.abuse.ch/downloads/rpz/"
dos2unix /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone
unbound-control auth_zone_reload rpz.urlhaus.abuse.chSeems to be working fine. I attempted to access a few places in the zone file. This showed in the unbound.log:
Apr 14 15:55:40 unbound[31043:0] query: 127.0.0.1 49parallel.ca. A IN
Apr 14 15:55:40 unbound[31043:0] info: RPZ applied [rpz.urlhaus.abuse.ch] 49parallel.ca. nxdomain 127.0.0.1@7255 49parallel.ca. A IN
Apr 14 15:55:40 unbound[31043:0] reply: 127.0.0.1 49parallel.ca. A IN NXDOMAIN 0.000000 1 31
Apr 14 15:55:40 unbound[31043:0] query: 127.0.0.1 www.49parallel.ca. A IN
Apr 14 15:55:40 unbound[31043:0] reply: 127.0.0.1 www.49parallel.ca. A IN NOERROR 0.185061 0 65
Martineau
Part of the Furniture
I'm sure @juched will comment, but there should be a scheduled every-15 min cron job, but you can execute the script manually
e.g.
Code:
./unbound_rpz.sh download
Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
######################################################################## 100.0%
Reload unbound for zone named rpz.urlhaus.abuse.ch
ok
Last edited:
JGrana
Very Senior Member
Thanks, I did put the short script into cron - every 15 mins.
As far as @juched script, It would never install correctly - first complained it could not find the file rpzsites
I then created an rpzsites file and put the https line pointing to rpz.urlhaus.abuse.ch into it. (so curl would would work)
It then complained it could not create a directory.
I looked over the script and simply dumbed it down with constants. Just to see if I could get the RPZ zone working with unbound.
BTW, maybe a question for @juched , in looking at the function download_reload, it seems to be called with 2 arguments.
How does it derive $3 on this line?
$UNBOUNCTRLCMD auth_zone_reload "$3"
If it helps, this is on an AX88u running 384.16.
As far as @juched script, It would never install correctly - first complained it could not find the file rpzsites
I then created an rpzsites file and put the https line pointing to rpz.urlhaus.abuse.ch into it. (so curl would would work)
It then complained it could not create a directory.
I looked over the script and simply dumbed it down with constants. Just to see if I could get the RPZ zone working with unbound.
BTW, maybe a question for @juched , in looking at the function download_reload, it seems to be called with 2 arguments.
How does it derive $3 on this line?
$UNBOUNCTRLCMD auth_zone_reload "$3"
If it helps, this is on an AX88u running 384.16.
dave14305
Part of the Furniture
It's reading it from the file at the end of the loop.
juched
Very Senior Member
Correct, once you enter the loop, $1/$2/$3 are changed to the arguments of that current line.
I can confirm, even though the check conf call shows that error, the file is loaded and run by unbound. If you open the rpz zone file and pick a newly entered entry (ie. search for today's date), you can try it in a browser and it will generate an RPZ event.
Good to know that a full path will stop the error, that is a good fix.
Martineau
Part of the Furniture
Indeed.
Might I suggest that to provide feedback that the script is working that you replace the 'echo' statements with 'logger' statements where appropriate?
e.g.
Code:
download_reload() {
sitesfile=$1
reload=$2
count=1
while read -r line
do
set -- $line
#[ "${$line:0:1}" == "#" ] && continue
logger -st unbound $$ "Attempting to Download $count of $(awk 'NF && !/^[:space:]*#/' $sitesfile | wc -l) from $1."
curl --progress-bar $1 > $2
dos2unix $2
if [ "$reload" == "reload" ] && [ ! -z "$(pidof unbound)" ]; then
logger -st unbound $$ "Reload unbound for zone named $3"
$UNBOUNCTRLCMD auth_zone_reload "$3"
fi
count=$((count + 1))
done < "$sitesfile"
}
Code:
Apr 14 23:33:24 RT-AC68U unbound: 15925 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
Apr 14 23:33:24 RT-AC68U unbound: 15925 Reload unbound for zone named rpz.urlhaus.abuse.ch
SomeWhereOverTheRainBow
Part of the Furniture
I concur @Martineau statement as the echo is only useful if outputting to a file or viewing it in the ssh terminal from a dry-run/manual-run.
Similar threads
Similar threads
Similar threads
-
Unbound Force all DNS requests through Unbound using iptables?- Started by muffintastic
- Replies: 14
-
-
-
-
-
-
Is it possible to use nord dns with unbound or any way to add it?- Started by Jack-Sparr0w
- Replies: 9
-
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-