Replacing DNSMasq DNS with Unbound

[Denna]

@regae ,

How would you use PRECMD with S61unbound ?

I haven't used pixelserv-tls yet.

However, I'm going to use some type of ad blocking with unbound or dnscrypt.​

 

[regae]

maybe with something like this,

#!/bin/sh

unbound_anchor () {
   #here is the command
}

ENABLED=yes
PROCS=unbound
ARGS="-c /opt/etc/unbound/unbound.conf"
PREARGS=""
PRECMD="unbound_anchor"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

 

[Denna]

@regae,

Like this ?

#!/bin/sh

unbound_anchor () {
unbound-anchor -a "/opt/etc/unbound/root.key" -c "/opt/etc/unbound/unbound_server.pem" -4 -p 443
}

ENABLED=yes
PROCS=unbound
ARGS="-c /opt/etc/unbound/unbound.conf"
PREARGS=""
PRECMD="unbound_anchor"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func​

 

[mstombs]

The unbound man (https://unbound.net/documentation/howto_anchor.html) states "unbound-anchor" should be:

1. Run in the init script
2. After NTP runs
   
3. Before unbound starts

The command line is:

unbound-anchor -a "/opt/etc/unbound/root.key" -c "/opt/etc/unbound/unbound_server.pem" -4 -p 443
​

Should this be placed in the "init-start" or "services-start" script ?

I'm sure init-start is too early, why not the post-mount script to make sure usb and Entware running first - but then again surely you just add to Entware init scripts on the usb?

 

[mstombs]

maybe you can put it on PRECMD command on S61unbound.
can unbound working together with pixelserv-tls ?

pixelserv is just the endpoint. It is the adblock scripts that need to known how to configure the dns server with diversions for ad hosts/domains.

 

[Denna]

I'm sure init-start is too early, why not the post-mount script to make sure usb and Entware running first - but then again surely you just add to Entware init scripts on the usb?

The init script on a linux server probably isn't the direct analog to Asuswrt-Rmerlin's init-start script. However, that's what the unbound man refers to.

The /jffs/scripts/services-start script runs /opt/etc/init.d/rc.unslung' which starts the Entware packages.

According to the unbound man, unbound-anchor must run after NTP and before unbound starts.

So I'm looking for the best place to ensure that happens.

1) The first choice is placing the unbound-anchor command before rc.unslung runs. Is this the correct syntax ?

#!/bin/sh
/opt/sbin/unbound-anchor -a "/opt/etc/unbound/root.key" -c "/opt/etc/unbound/unbound_server.pem" -4
RC='/opt/etc/init.d/rc.unslung'
i=30
until [ -x "$RC" ] ; do
i=$(($i-1))
if [ "$i" -lt 1 ] ; then
logger "Could not start Entware-NG"
exit
fi
sleep 5
done
$RC start
​

2) The second choice is modifying the S61unbound file.

#!/bin/sh
unbound_anchor () {
/opt/sbin/unbound-anchor -a "/opt/etc/unbound/root.key" -c "/opt/etc/unbound/unbound_server.pem" -4 -p 443
}
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/etc/unbound/unbound.conf"
PREARGS=""
PRECMD="unbound_anchor"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func​

Which is better ?

Is there another option ?​

 

[XIII]

I would like to try DNS over TLS via unbound (instead of DNSCrypt, so I can try Quad9), using these instructions: https://calomel.org/unbound_dns.html

Who has this already working? Any tips?

 

[XIII]

I think I got it working, but how can you test whether DNS is really going over TLS?

 

[DonnyJohnny]

I have not try this. But should be the same way as to test dnscrypt-proxy working a not.

-Stop unbound and test if DNS still works.
-According to the instruction above, if ssl-upstream is used, definitely the queries need to pass through 853 with encryption. Assume DNS over TLS is working? You can try a non DNS over TLS ready DNS to try if it is working. Like using Opendns instead with ssl-upstream enabled.

 

[XIII]

Ah, that are the two tests I already performed

 

[Xentrk]

I think I got it working, but how can you test whether DNS is really going over TLS?

I want to test how Unbound over TLS will work with selective routing over the WAN and three vpn clients. Have you tested it using AB-Solution?

 

[XIII]

I want to test how Unbound over TLS will work with selective routing over the WAN and three vpn clients. Have you tested it using AB-Solution?

I use Unbound (DNS over TLS) and AB-Solution, but I'm not familiar with selective routing.

 

[Xentrk]

I use Unbound (DNS over TLS) and AB-Solution, but I'm not familiar with selective routing.

I installed unbound. But I can’t get unbound to start up. I see the log file message that it has started. But doing a check command shows it is not running and nothing appears in top I first tried the sample TLS config on https://calomel.org/unbound_dns.html followed by the simple recursive caching DNS UDP port 53 unencrypted config. I will pick it back up later today to see if I can identify the issue. Are there any configs you had to modify to get it to work?

 

[XIII]

Are there any configs you had to modify to get it to work?

I think this:

username: ""

 

[Xentrk]

I think this:

username: ""

Thank you. Did you change name:="." to be the router's domain name?

From the unbound manual:

A forward-zone entry with name "." and a forward-addr target will forward all queries to that other server (unless it can answer from the cache).

Here is a snip of the unbound.config file.

# If you have an internal or private DNS names the external DNS servers can
  # not resolve, then you can assign domain name strings to be redirected to a
  # seperate dns server. For example, our comapny has the domain
  # organization.com and the domain name internal.organization.com can not be
  # resolved by Google's public DNS, but can be resolved by our private DNS
  # server located at 1.1.1.1. The following tells Unbound that any
  # organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
  # instead of the public dns servers.
  #
  # forward-zone:
  #    name: "organization.com"
  #    forward-addr: 1.1.1.1        # Internal or private DNS

  # Use the following forward-zone to forward all queries to Google DNS,
  # OpenDNS.com or your local ISP's dns servers for example. To test resolution
  # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
  # milliseconds.
  #
   forward-zone:
      name: "."
      forward-addr: 8.8.4.4        # Google
      forward-addr: 8.8.8.8        # Google
      forward-addr: 37.235.1.174   # FreeDNS
      forward-addr: 37.235.1.177   # FreeDNS
<snip>

 

[XIII]

Did you change name:="." to be the router's domain name?

No, because the behaviour described is exactly what I want (for now): forward to Quad9 via DNS over TLS, unless already cached.

I'm interested in offering AB-Solution over VPN though!

 

[Xentrk]

No, because the behaviour described is exactly what I want (for now): forward to Quad9 via DNS over TLS, unless already cached.

I'm interested in offering AB-Solution over VPN though!

I went back to look at the instructions and understand now. I just realize I can go look at the unbound config on my pfSense to help me get it working on the Asus-Merlin. I only viewed it from the web gui. But I can login to the shell and take a peak on what unbound.conf looks like.

 

[underdose]

The init script on a linux server probably isn't the direct analog to Asuswrt-Rmerlin's init-start script. However, that's what the unbound man refers to.

The /jffs/scripts/services-start script runs /opt/etc/init.d/rc.unslung' which starts the Entware packages.

According to the unbound man, unbound-anchor must run after NTP and before unbound starts.

So I'm looking for the best place to ensure that happens.

1) The first choice is placing the unbound-anchor command before rc.unslung runs. Is this the correct syntax ?

#!/bin/sh
/opt/sbin/unbound-anchor -a "/opt/etc/unbound/root.key" -c "/opt/etc/unbound/unbound_server.pem" -4
RC='/opt/etc/init.d/rc.unslung'
i=30
until [ -x "$RC" ] ; do
i=$(($i-1))
if [ "$i" -lt 1 ] ; then
logger "Could not start Entware-NG"
exit
fi
sleep 5
done
$RC start
​

2) The second choice is modifying the S61unbound file.

#!/bin/sh
unbound_anchor () {
/opt/sbin/unbound-anchor -a "/opt/etc/unbound/root.key" -c "/opt/etc/unbound/unbound_server.pem" -4 -p 443
}
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/etc/unbound/unbound.conf"
PREARGS=""
PRECMD="unbound_anchor"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func​

Which is better ?

Is there another option ?​

I got Unbound working with DNS over TLS, encrypted BUT have questions:

How did you managed to run unbound automatically at router start?
What are the steps for adding unbound-anchor after NTP and before unbound starts?

Please ELI5 if possible since I'm not experienced with start scripts.

Thanks in advance,

 

[kvic]

How did you managed to run unbound automatically at router start?

Unbound will be started by Entware's rc.unslung script automatically.
Before Entware's init scripts run, your router's clock should have been set by firmware already. So everything is in order..

What are the steps for adding unbound-anchor after NTP and before unbound starts?

You could add it like option #2 in the post you quoted. Or like how I did by adding the line before rc.func.

$ cat /opt/etc/init.d/S61unbound
#!/bin/sh

ENABLED=yes
PROCS=unbound
ARGS="-c /opt/etc/unbound/unbound.conf"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

[[ "$1" == *start ]] && unbound-anchor -a /opt/var/lib/unbound/etc/root.key

. /opt/etc/init.d/rc.func

Note: My unbound-anchor is not setup for "DNS over TLS" but "DNSSEC in resolver" mode. Hence, you perhaps need to adjust the exact "unbound-anchor" commands like discussed earlier in this thread.

 

[XIII]

Unable to implement this:

https://www.ctrl.blog/entry/unbound-tls-forwarding

Is the Entware version of unbound (1.7.1) too old for this?