
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

thanks!
is there a size limit to /opt/var/lib/unbound/unbound.log ?
No, - there is no housekeeping performed on '/opt/var/lib/unbound/unbound.log', hence in 'Easy' menu mode, during the install it states on the screen 'NOT recommended' to prevent the log silently filling the disk.

However, if you enable 'scribe' (syslog-ng) logging, then you can manage the unbound log using 'logrotate'.
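As an added example (not from the thread, and not part of unbound_manager or scribe), this is the sort of logrotate stanza that turns the unbounded log growth described above into a bounded one. The file path in the comment, the 5 MB threshold and the retention count are assumptions to adjust to your Entware/scribe layout; with 'log-queries: yes' on a busy LAN the file grows quickly, so check the real growth rate before picking a size.

```conf
# Added example: save as /opt/etc/logrotate.d/unbound (path assumed; scribe keeps its
# logrotate fragments under /opt/etc/logrotate.d on an Entware install)
/opt/var/log/unbound.log {
    # rotate as soon as the file exceeds 5 MB, independent of the cron interval
    size 5M
    # keep four rotated copies, then delete the oldest
    rotate 4
    compress
    # leave the newest rotated copy uncompressed so it can still be grepped directly
    delaycompress
    missingok
    notifempty
    # truncate in place so syslog-ng keeps writing without needing a reload
    copytruncate
}
```

copytruncate avoids having to signal syslog-ng, at the cost of possibly losing a few lines written between the copy and the truncate; for an audit-grade log use a postrotate reload of syslog-ng instead.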
 
VPN starts correctly using my VPN client 2, with the command "unbound_manager vpn=2"

but then when I do "?"

I see

[✔] unbound requests via VPN Client 1 (10.119.174.30) tunnel ENABLED


The IP is correctly set to the IP of my client 2, but the message says client is "1".

Is it because the client array starts at position zero? So client 2 is ID=1?
The script uses the command format, so if you issue the command what VPN ID is returned?
Code:
ip route | grep "10.119.174.30" | awk '{print substr($3,4,1) }'
 
thanks!
 
Code:
cromo@RT-AX88U-8158:/tmp/home/root# ip route | grep "10.119.174.63"
10.119.174.0/23 dev tun12 proto kernel scope link src 10.119.174.63
cromo@RT-AX88U-8158:/tmp/home/root# ip route | grep "10.119.174.63"|awk '{print substr($3,4,1) }'
1
cromo@RT-AX88U-8158:/tmp/home/root#

This is for my VPN client 2 (which I'm using on unbound)
 
Doh… the index should be '5,1' :rolleyes::rolleyes::oops:

I'll eventually push a hotfix
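An added example (not from the thread or from unbound_manager) that reproduces the off-by-one above on a constructed route line. Asuswrt-Merlin names the OpenVPN client tunnels tun11 to tun15 (client 1 to 5), so the instance digit is the 5th character of the device name; an offset of 4 returns the '1' of 'tun1' for every client, which is exactly why '?' always reported VPN Client 1. The third function shows the check a script should really make: locate the 'dev' field instead of trusting a fixed column, and refuse anything that is not a tun1x client interface.

```shell
#!/bin/sh
# Constructed sample: the route line a Merlin router prints for OpenVPN client 2.
ROUTE_LINE='10.119.174.0/23 dev tun12 proto kernel scope link src 10.119.174.63'

# Extraction as shipped before the hotfix: 4th character of $3 -> "1" for any tun1x.
vpn_id_buggy() {
    printf '%s\n' "$1" | awk '{print substr($3,4,1)}'
}

# Hotfix: 5th character of $3 -> "2" for tun12.
vpn_id_fixed() {
    printf '%s\n' "$1" | awk '{print substr($3,5,1)}'
}

# Safer: find the device after the literal "dev" token, then only accept
# tun11..tun15 (Merlin's client interfaces) and return the instance digit.
vpn_id_strict() {
    dev=$(printf '%s\n' "$1" | awk '{for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1)}')
    case "$dev" in
        tun1[1-5]) printf '%s\n' "${dev#tun1}" ;;
        *) printf 'not a VPN client interface: %s\n' "$dev" >&2; return 1 ;;
    esac
}
```

On the router itself you would feed the live line in, e.g. `vpn_id_strict "$(ip route | grep "10.119.174.63")"`, and treat a non-zero exit as "do not edit unbound.conf".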
 
Could this be why my vpnclient2-route-up appears to have no effect?
(route-pre-down worked fine)
 
I don't think so as it's only the '?' command that always shows 'VPN 1 (xxx.xxx.xxx.xxx)'
 
I enabled scribe (via unbound_manager advanced), and have unbound logging enabled, but I don't see any entries in /opt/var/log/unbound.log
Is there a delay?

My conf:
Code:
#########################################
# integration LOG's
#
verbosity: 1
logfile: "/opt/var/lib/unbound/unbound.log"
log-time-ascii: yes
log-tag-queryreply: yes
log-queries: yes
log-replies: yes
use-syslog: yes
#log-local-actions: yes
log-servfail: yes
#########################################
 
There shouldn't be a delay.
Code:
A:Option ==> l

/opt/var/log/unbound.log (syslog-ng)        Press CTRL-C to stop

Apr 19 18:31:06 RT-AC68U unbound: [1013:0] query: 127.0.0.1 ipid.shat.net. A IN
Apr 19 18:31:06 RT-AC68U unbound: [1013:0] query: 127.0.0.1 ipid.shat.net. A IN
Apr 19 18:31:06 RT-AC68U unbound: [1013:0] query: 127.0.0.1 lcprd1.samsungcloudsolution.net. A IN
Apr 19 18:31:06 RT-AC68U unbound: [1013:0] info: lcprd1.samsungcloudsolution.net. always_nxdomain 127.0.0.1@55039 lcprd1.samsungcloudsolution.net. A IN
I'd try another 'rs' command.
 
Happened again:
1) cycled the VPN client and got a new IP
2) now unbound outgoing-interface has the outdated IP in unbound.conf
3) "vpn disable" comments out the outgoing-interface line in the conf file but leaves the IP number there
4) doing "vpn=2" uncomments the outgoing-interface line in the conf file but leaves the old IP in place.

Feels like the starting vpn command expects to find xxx.xxx.xxx.xxx in the conf file to work properly?
There were no error messages
 
An observation

When Unbound is stopped by Option > x the syslog is flooded with the following:-
Code:
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: [SEND_AMAS_NODE_EVENT:(4684)] ERROR connecting:No such file or directory.
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: connect error: No such file or directory
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: [SEND_AMAS_NODE_EVENT:(4684)] ERROR connecting:No such file or directory.
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: connect error: No such file or directory
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: [SEND_AMAS_NODE_EVENT:(4684)] ERROR connecting:No such file or directory.
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: connect error: No such file or directory
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: [SEND_AMAS_NODE_EVENT:(4684)] ERROR connecting:No such file or directory.
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: connect error: No such file or directory
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: [SEND_AMAS_NODE_EVENT:(4684)] ERROR connecting:No such file or directory.
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: connect error: No such file or directory
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: [SEND_AMAS_NODE_EVENT:(4684)] ERROR connecting:No such file or directory.
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: connect error: No such file or directory
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: [SEND_AMAS_NODE_EVENT:(4684)] ERROR connecting:No such file or directory.
Apr 20 16:43:13 RT-AC5300-0680 dnsmasq-script[5584]: connect
 
How do I check that addresses are being retrieved via the VPN? It shows me the IP address given by the ISP on the DNS leak test. Is this normal?

The second question is how many queries the default (AC86U) cache stores and what is the optimal time to store it?
 
I've uploaded v3.05

Version=3.05
Github md5=c8c7c2b79e368bcc55577108ed7c5798

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' **Not required**

Code:
FIX:      'vpn x' doesn't always apply new VPN gateway IP, nor does it validate VPN Client instance/Gateway IP
CHANGE:   'vx' command will now ask to restart unbound if the config file was edited.
 
3) "vpn disable" comments out the outgoing-interface line in the conf file but leaves the IP number there
By design, no point in removing the previous IP - it's useful as an eye-catcher to prove the function was used previously.
Feels like the starting vpn command expects to find xxx.xxx.xxx.xxx in the conf file to work properly?
Nope, the 2nd word can be any text string.

see post #1554 - hopefully I've fixed your issue.
 
thanks! will try it.
 
An observation

When Unbound is stopped by Option > x the syslog is flooded with the following:-
see [Release] Asuswrt-Merlin 384.15 (and 384.13_4) are now available

Obviously if you aren't using AiMesh…..:confused:
 
How do I check that addresses are being retrieved via the VPN? It shows me the IP address given by the ISP on the DNS leak test. Is this normal?

The second question is how many queries the default (AC86U) cache stores and what is the optimal time to store it?
You can see the default cache size with
Code:
e  = Exit Script [?]

A:Option ==> ?

<snip>

 unbound Memory/Cache:

      'key-cache-size:' 8388608 (8.00m)
      'msg-cache-size:' 8388608 (8.00m)
      'rrset-cache-size:' 16777216 (16.00m)
and unfortunately my personal cache.*-TTL values have crept into the default 'unbound.conf'
Code:
grep cache-m /opt/var/lib/unbound/unbound.conf

# v1.08 Martineau - Change  'cache-max-ttl: 21600' and 'cache-min-ttl: 5 to 14400/1200'
cache-max-ttl: 14400                            # v1.08 Martineau
cache-min-ttl: 1200                             # v1.08 Martineau
However, the parameters proposed in this thread double the cache sizes and use custom cache-*-ttl etc., and as the disclaimer says it may not work for non-HND models or even other HND models!

So without knowing individual environments, like all cache-profiling, it depends on how many clients are using it, and the resulting 'churn' rate.

The unbound stats don't show the usage/size of the three cache entities over time (perhaps another opportunity for @juched's Graphical charting skills? ;)

i.e. for the rrset-cache would it be useful to see how much of its 16M is actually in-use say by hour? ...similar to the 3rd graph down on this page
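An added example (not from the thread, not part of unbound_manager) of how the in-use figure for each cache can be read: unbound-control's stats output carries mem.cache.rrset and mem.cache.message in bytes, so dividing by the configured rrset-cache-size and msg-cache-size gives the utilisation that the '?' display does not show, and sampling it from cron over a day gives the time series asked for above. It assumes remote-control is enabled in unbound.conf (which unbound-control needs); the stats text below is constructed, only the configured sizes match the defaults shown above.

```shell
#!/bin/sh
# Constructed sample of 'unbound-control stats_noreset' output (only the lines used here).
# Sizes below match the 8M/16M defaults shown by '?'; the byte counts are made up.
SAMPLE_STATS='total.num.queries=48213
total.num.cachehits=31877
mem.cache.rrset=6291456
mem.cache.message=2097152
msg.cache.count=9102
rrset.cache.count=18440'

# Print "<cache> <used-bytes> <configured-bytes> <percent>" for the message and rrset caches.
# Arguments: msg-cache-size and rrset-cache-size in bytes (from unbound.conf);
# the stats text is read from stdin.
cache_utilisation() {
    msg_cfg="$1"; rrset_cfg="$2"
    awk -F= -v m="$msg_cfg" -v r="$rrset_cfg" '
        $1 == "mem.cache.message" { msg = $2 }
        $1 == "mem.cache.rrset"   { rr = $2 }
        END {
            printf "message %d %d %d\n", msg, m, (msg * 100) / m
            printf "rrset %d %d %d\n", rr, r, (rr * 100) / r
        }'
}

# Cache hit ratio as an integer percentage: the figure that tells you whether the
# cache sizing (and the cache-min-ttl override) is doing anything for your client mix.
cache_hit_ratio() {
    awk -F= '$1 == "total.num.queries" { q = $2 } $1 == "total.num.cachehits" { h = $2 }
             END { if (q > 0) printf "%d\n", (h * 100) / q; else print 0 }'
}
```

On the router: `unbound-control stats_noreset | cache_utilisation 8388608 16777216`, with the two sizes taken from your own unbound.conf; append the output with a timestamp to a file from cron to see how full the 16M rrset cache actually gets by hour.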
 
It shows me the ip address given by isp on the dnsleak test.

this is normal?
Think about it...

Q. Who is the DNS server when you are forwarding to an upstream DNS server?....if you are not forwarding DNS requests upstream, who can it possibly be? ;)
How to check that addresses are being retrieved via vpn?
Try this... I could be wrong!:)

Create the outbound DNS tracker rule
Code:
iptables -I OUTPUT -p udp -m udp --dport 53 -j LOG -m comment --comment "DNS request tracker"

Now wait a while and check for DNS hits (whilst redacting your real WAN IP if found)

EDIT: Changed 'IN=.*DPT=53' to '^.*DPT=53' to preserve timestamps
Code:
iptables --line -t filter -nvL OUTPUT

WANIP=$(nvram get wan0_ipaddr);grep -o "^.*DPT=53" /tmp/syslog.log | sed -r 's/LEN.*PROTO=//' | sed -r "s/$WANIP/wan.isp.ip.addr/"
Now if you route unbound requests via the VPN, then wait a few minutes then check again....
Code:
iptables --line -t filter -nvL OUTPUT

WANIP=$(nvram get wan0_ipaddr);grep -o "^.*DPT=53" /tmp/syslog.log | sed -r 's/LEN.*PROTO=//' | sed -r "s/$WANIP/wan.isp.ip.addr/"
Feel free to post the results....

Any difference?
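An added example (not from the thread) that turns the LOG-rule check above into a pass/fail script over constructed syslog lines: it tallies packets to UDP/53 per egress interface using the OUT= field the kernel writes, so "queries leave via tun12" versus "queries leave via the WAN" is a count rather than a visual scan, and it redacts the WAN address before the output is pasted anywhere. The interface names (eth0 as WAN) and addresses are assumptions/constructed; on a Merlin router the WAN interface is `nvram get wan0_ifname`. Two caveats the rule itself does not cover: it matches UDP only, so TCP/53 retries after truncated answers are not logged, and DNS-over-TLS on 853 would not appear at all.

```shell
#!/bin/sh
# Constructed sample of what the iptables LOG rule writes to /tmp/syslog.log.
# 203.0.113.7 (WAN) and 10.119.174.63 (tunnel) are made-up addresses.
SAMPLE_LOG='Apr 21 10:00:01 RT-AX88U kernel: IN= OUT=eth0 SRC=203.0.113.7 DST=192.0.2.53 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=41
Apr 21 10:00:02 RT-AX88U kernel: IN= OUT=tun12 SRC=10.119.174.63 DST=198.51.100.9 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40002 DPT=53 LEN=41
Apr 21 10:00:03 RT-AX88U kernel: IN= OUT=tun12 SRC=10.119.174.63 DST=192.0.2.99 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40003 DPT=53 LEN=41
Apr 21 10:00:04 RT-AX88U unbound: [1013:0] query: 127.0.0.1 example.com. A IN'

# Count outbound DNS packets per egress interface (reads the log from stdin).
# Output: one "<interface> <count>" line per interface, sorted.
dns_egress_summary() {
    awk '/DPT=53( |$)/ && /OUT=/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^OUT=/) { split($i, a, "="); n[a[2]]++ }
         }
         END { for (d in n) print d, n[d] }' | sort
}

# Replace the real WAN address before posting results anywhere.
redact_wan() {
    sed "s/$1/wan.isp.ip.addr/g"
}

# Exit 0 if no DNS packet left via the given WAN interface, 1 if any did.
dns_leak_check() {
    wan_if="$1"
    leaked=$(dns_egress_summary | awk -v w="$wan_if" '$1 == w { print $2 }')
    [ -z "$leaked" ] || [ "$leaked" = 0 ]
}
```

Live use on the router: `dns_egress_summary < /tmp/syslog.log | redact_wan "$(nvram get wan0_ipaddr)"`, then `dns_leak_check "$(nvram get wan0_ifname)" < /tmp/syslog.log` before and after enabling 'vpn x' to get the "any difference?" answer as an exit code.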
 
@Martineau: It sounds like, for folks worried about privacy and previously using DoT, unbound+VPN is a fair trade. Is this a valid statement?
Thanks
 