Unbound [Release] v3.22

Yeah, you were right. I had to edit unbound.conf, that is the smaller unbound.conf, and make it say

tls-cert-bundle: "/tmp/mnt/Entware/entware/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305

Thank you, Dave. I've literally spent hours on this. I guess nobody else tried unbound on John's fork or this issue would have come up for someone else by now.
 
Found an issue with 3.22 today when running "dnsmasq disable".

dhcp-option=br1,6,1.1.1.1 1.0.0.1 # unbound_manager
dhcp-option=br2,6,1.1.1.1 1.0.0.1 # unbound_manager

was added to the dnsmasq.conf.add, but the syntax stopped dnsmasq from launching. Needed to replace the space with a comma and now it works.
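
A check for the malformed line described in the post above, as an added example that is not part of unbound_manager or the original thread: it flags DHCP option 6 lines whose DNS servers are separated by whitespace and rewrites them with commas. The function names and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not unbound_manager code; function names are hypothetical.

# DHCP option 6 (DNS servers), optionally preceded by interface/tag fields.
DNS_OPT_RE='^dhcp-option=([A-Za-z][^,#]*,)*(6|option:dns-server),'

# Print "lineno: line" for every DNS option whose value contains whitespace
# (ignoring a trailing comment). Exit status 1 if any such line exists.
lint_dhcp_dns_option() {
    awk -v re="$DNS_OPT_RE" '
    $0 ~ re {
        body = $0
        i = index(body, "#")
        if (i > 0) body = substr(body, 1, i - 1)
        sub(/[ \t]+$/, "", body)
        if (body ~ /[ \t]/) { print NR ": " $0; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Rewrite those lines with comma-separated addresses; keep comments as-is.
fix_dhcp_dns_option() {
    awk -v re="$DNS_OPT_RE" '
    $0 ~ re {
        body = $0; comment = ""
        i = index(body, "#")
        if (i > 0) { comment = substr(body, i); body = substr(body, 1, i - 1) }
        sub(/[ \t]+$/, "", body)
        gsub(/[ \t]*,[ \t]*/, ",", body)   # "a, b" -> "a,b"
        gsub(/[ \t]+/, ",", body)          # "a b"  -> "a,b"
        if (comment != "") body = body " " comment
        print body
        next
    }
    { print }'
}

# First two lines are the ones quoted in the post; the rest are constructed.
sample_conf() {
    cat <<'EOF'
dhcp-option=br1,6,1.1.1.1 1.0.0.1 # unbound_manager
dhcp-option=br2,6,1.1.1.1 1.0.0.1 # unbound_manager
dhcp-option=br0,6,192.168.1.1
dhcp-option=lan,3,192.168.1.1
EOF
}

sample_conf | lint_dhcp_dns_option || echo "fix needed:"
sample_conf | fix_dhcp_dns_option
```

`dnsmasq --test` reads and syntax-checks the configuration without starting the daemon, so it can be run after any change to dnsmasq.conf.add.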
 
I've pushed Beta unbound_manager v3.23b5


To install

Code:
e  = Exit Script [?]

A:Option ==> uf dev

    unbound_manager.sh downloaded successfully Github 'dev/development' branch

unbound Manager UPDATE Complete! 6b4a500c071bcbb3f4a6e9596a178d43

+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.23b5 by Martineau                     |
|                                                                      |
+======================================================================+
To backout
Code:
e  = Exit Script [?]

A:Option ==> uf

Forced Update


    unbound_manager.sh downloaded successfully

unbound Manager UPDATE Complete! 6b4a500c071bcbb3f4a6e9596a178d43

+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.22 by Martineau                       |
|                                                                      |
+======================================================================+
 
Another item I have been playing with. I like to use the disable dnsmasq option, which allows unbound to take over the full DNS for the house. However, it also means that we lose local DNS resolution (like DHCP clients). There is some code to simulate this and create an unbound.conf.localhosts, but it runs once and generates extra output.

I have been running for months now a config where I move dnsmasq to port 9953 (instead of 0, which disables it), and then set up a forward-zone in my unbound.conf.add file to forward my "lan." domain to use dnsmasq on port 9953. This means that unbound is used for everything except local DNS, and it runs cleanly.

/jffs/addons/unbound/unbound.conf changes to insert port=9953 instead of port=0

/opt/share/unbound/config/unbound.conf.localhosts would get rid of most of what it generates and use this:
#redirect all local lan requests to dnsmasq on port 9953
local-zone: "lan." transparent
forward-zone:
name: "lan."
forward-addr: 127.0.0.1@9953
forward-first: no
forward-no-cache: yes

(of course "lan." comes from whatever is put into the router domain field)



I also added this section above that (so it is in the server section:) to handle local DNS services queries for mDNS items:
#deal with app devices DNS services requests
local-data: "b._dns-sd._udp.lan. 60 IN PTR lan."
local-data: "lb._dns-sd._udp.lan. 60 IN PTR lan."
local-data: "lb._dns-sd._udp.0.2.168.192.in-addr.arpa. 60 IN PTR lan."
local-data: "lb._dns-sd._udp.254.254.254.10.in-addr.arpa. 60 IN PTR lan."
local-data: "lb._dns-sd._udp.1.0.0.192.in-addr.arpa. 60 IN PTR lan."
 
Another thought. Perhaps the script could move away from trying to force a config where everything is run through unbound. For example, the requirement during install that you have DNSFilter on for all devices to point to the router: that doesn't really seem necessary, and I do not use that config and just say to install anyways. Sometimes you want to run a DNS and point some devices to use it, or all others to continue to use their own. I personally use AdGuard now for filtering and reporting locally, and it simply uses unbound for all lookups. This gives a fast DNS with the power of AdGuard Home to configure and track all sorts of things.

Also, during the "dnsmasq disable" mode, the script pushes dhcp-option,6,$ROUTER_IP to the dnsmasq.conf, which isn't really necessary, since dnsmasq already points to whatever you configure in your DNS settings for LAN. If you do not put any DNS settings, it has that exact same line added. Perhaps we could make the script more generic by not changing the DHCP settings, and users who want to use unbound would configure their devices or router how they wish to use it. The instructions are as simple as "remove all DNS settings from LAN page" :)

Just some suggestions. I really appreciate running this server locally, but now that I am using AdGuard and some other changes, I am sharing these thoughts as I manually change things after an unbound.conf file update.
 
/jffs/addons/unbound/unbound.conf changes to insert port=9953 instead of port=0
did you mean /etc/dnsmasq.conf ?
 
Local DNS resolution for your home hosts/servers is a very simple set of entries in unbound.conf, or if you wish you can make them in a separate file or even unbound.conf.localhost. I don't think this is a deal breaker.
 
Agree, and was doing that. However, for DHCP devices only dnsmasq has the configuration to know of those changes, so that is why I shared. But for fixed IPs, this can be done as you say for sure.
 
I was always wondering why we need to have non-static clients listed in unbound.conf.localhost.
That is not necessary. BTW, with version 386.1 and 3861_2 unbound does not start automatically anymore on boot or restart. Did you find any workaround?

One thing I have noticed, as you did, is that the unbound code does not set the router IP (dnsmasq disabled) in /jffs/configs/dnsmasq.conf.add for guest network VLAN DNS settings. Mine was blank, so dnsmasq was complaining on startup. Once I entered the IP it worked fine.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top