DNS cache hit/miss ratio performance
Code:
stub-zone:
    name: rgnldo.lan
    stub-addr: 127.0.0.1
    stub-first: yes

Result:
Code:
total.num.queries=1710
total.num.queries_ip_ratelimited=0
total.num.cachehits=1027
total.num.cachemiss=683
total.num.prefetch=6
total.num.zero_ttl=0
total.num.recursivereplies=683
 
  • DoT should be disabled since it won't be used with Unbound.
  • DNSSEC can be disabled in the GUI since Unbound will do its own DNSSEC.
I've amended my dnsmasq.postconf to account for any DNSMASQ DNSSEC directives from the GUI. I don't change any nvram because if I disable Unbound, I still want DNSSEC for my ISP DNS servers.
Code:
#!/bin/sh
# Commented out here in case others do not use Diversion
#. /opt/share/diversion/file/post-conf.div # Added by Diversion

CONFIG=$1
. /usr/sbin/helper.sh

if [ -n "$(pidof unbound)" ]; then
        UNBOUNDLISTENADDR=$(netstat -nlup | grep unbound$ | grep "^udp " | grep " 127\.0" | head -1 | awk ' { print $4 } ' | tr ':' '#')
        if [ -n "$UNBOUNDLISTENADDR" ]; then
                pc_delete "servers-file" "$CONFIG"
                pc_delete "no-negcache" "$CONFIG"
                pc_delete "trust-anchor=" "$CONFIG"
                pc_delete "dnssec" "$CONFIG"
                pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
                pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
                pc_append "proxy-dnssec" "$CONFIG"
        fi
fi
Yea, I still use mine with DoT; I cannot get past the clear text access being sent to root servers being accessible.
 
DNS cache hit/miss ratio performance
Code:
stub-zone:
    name: rgnldo.lan
    stub-addr: 127.0.0.1
    stub-first: yes

Result:
Code:
total.num.queries=1710
total.num.queries_ip_ratelimited=0
total.num.cachehits=1027
total.num.cachemiss=683
total.num.prefetch=6
total.num.zero_ttl=0
total.num.recursivereplies=683
 
DNSFilter does not work with Chromecast. Selecting by device, I don't think, is cool.
What do you think about these rules?
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53535 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53535 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d 8.8.8.8 -p udp --dport 53535 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d 8.8.4.4 -p udp --dport 53535 -j DNAT --to 192.168.1.1
 
With these rules, Unbound will work very well.
Code:
iptables -t nat -A PREROUTING -p udp --dport 53 --dst "$(nvram get lan_ipaddr)" -j DNAT --to-destination "$(nvram get lan_ipaddr)":53535
iptables -t nat -A PREROUTING -p tcp --dport 53 --dst "$(nvram get lan_ipaddr)" -j DNAT --to-destination "$(nvram get lan_ipaddr)":53535
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53535 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53535 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d 8.8.8.8 -p udp --dport 53535 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d 8.8.4.4 -p udp --dport 53535 -j DNAT --to "$(nvram get lan_ipaddr)"
 
Is this still being tested?
 
I didn't see it in the instructions on pg.1 unless I missed it, but under WAN, should these options be yes/no if we're wanting to try unbound:

Enable DNS rebind protection?
Enable DNSSEC support?
Validate unsigned DNSSEC replies?

Also does the built in NTP option need to be off?

Under system administration:

Enable local NTP server?
Intercept NTP client requests?
 
I didn't see it in the instructions on pg.1 unless I missed it, but under WAN, should these options be yes/no if we're wanting to try unbound:

Enable DNS rebind protection?
Enable DNSSEC support?
Validate unsigned DNSSEC replies?
no
 

What does this mean?
"Configure NTP server Merlin"

Also does the built in NTP option need to be off?

Under system administration:

Enable local NTP server? yes or no
Intercept NTP client requests? yes or no
 
What does this mean?
"Configure NTP server Merlin"

Also does the built in NTP option need to be off?

Under system administration:

Enable local NTP server? yes or no
Intercept NTP client requests? yes or no
Just make sure the normal ntp sync is working. No need for running the extra ntp server. DNSSEC and DoT would need valid time as a prerequisite.
 
Thanks for the assist... one last question... once set up, how can I test if it's working or doing its job?
 
once set up, how can I test if it's working or doing its job?

Code:
/opt/etc/init.d/S61unbound check

Code:
ps | grep unbound | grep -v grep
netstat -lnptu | grep unbound
netstat -lnpt | grep -E '^Active|^Proto|/unbound'

Code:
unbound-control status

unbound-control stats_noreset

unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | grep total.num
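The counters that stats_noreset prints are what the "hit/miss ratio" posts above are reading off. The following is an added example (my own, not code from this thread or from the Unbound project) that turns that output into a hit percentage and a yes/no recursion check; the SAMPLE_STATS block is constructed from the counters posted earlier in the thread, and the unbound.conf path is the one the thread uses.

```shell
#!/bin/sh
# Added example: parse "unbound-control stats_noreset" output.
# On the router, feed the live output in:
#   unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | cache_hit_ratio

# Print the cache hit percentage (one decimal place) for stats read from stdin.
# Fails (exit 1) if no queries have been counted yet, so it can be used in a check.
cache_hit_ratio() {
    awk -F= '
        $1 == "total.num.queries"   { q = $2 }
        $1 == "total.num.cachehits" { h = $2 }
        END {
            if (q == 0) { print "no queries counted yet" > "/dev/stderr"; exit 1 }
            printf "%.1f\n", 100 * h / q
        }'
}

# Exit 0 only if Unbound has actually answered queries by recursion itself.
# A zero here while dnsmasq is busy means clients are not reaching Unbound.
is_recursing() {
    awk -F= '$1 == "total.num.recursivereplies" { r = $2 } END { exit !(r > 0) }'
}

# Constructed sample: the counters posted earlier in this thread.
SAMPLE_STATS='total.num.queries=1710
total.num.queries_ip_ratelimited=0
total.num.cachehits=1027
total.num.cachemiss=683
total.num.prefetch=6
total.num.zero_ttl=0
total.num.recursivereplies=683'

# Stand-alone demo on the sample: prints 60.1
printf '%s\n' "$SAMPLE_STATS" | cache_hit_ratio
printf '%s\n' "$SAMPLE_STATS" | is_recursing && echo "unbound is recursing"
```

Because stats_noreset does not clear the counters, the ratio is cumulative since Unbound last started; a low figure right after a restart is expected and climbs as the cache warms.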
 
one last question
Test these arguments with iptables. Many applications or services have their own DNS server encryption.
nano /jffs/scripts/firewall-start
Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to IP_ROUTER
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to IP_ROUTER
iptables -t nat -A PREROUTING -s IP_ROUTER.0/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to IP_ROUTER
iptables -t nat -A PREROUTING -s IP_ROUTER.0/24 -d 8.8.4.4 -p udp --dport 53 -j DNAT --to IP_ROUTER
iptables -t nat -A PREROUTING -p udp --dport 53 --dst IP_ROUTER -j DNAT --to-destination IP_ROUTER:53535
iptables -t nat -A PREROUTING -p tcp --dport 53 --dst IP_ROUTER -j DNAT --to-destination IP_ROUTER:53535
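One thing to watch with the firewall-start rules posted in this thread: Merlin runs firewall-start again on every firewall restart, and a plain "iptables -A" appends a second copy of each rule each time. The following is an added example (mine, not from this thread or the Unbound project) that only appends a rule when "iptables -C" says it is not already there. It assumes the LAN interface is br0, reads the router IP from nvram with a constructed 192.168.1.1 fallback for running off the router, and redirects client port 53 to the router as the thread's rules do; the IPT variable exists so the functions can be exercised without touching a real firewall.

```shell
#!/bin/sh
# Added example: idempotent DNS redirect rules for /jffs/scripts/firewall-start.
# Run as "firewall-start apply" on the router; with no argument it only defines functions.

IPT="${IPT:-iptables}"   # swap in a shim (e.g. a shell function) for testing

# Router LAN IP from nvram; constructed fallback so the script runs off the router.
lan_ip() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get lan_ipaddr
    else
        echo "192.168.1.1"
    fi
}

# Append a nat PREROUTING rule only if an identical rule is not already present.
# The spec is deliberately unquoted so it word-splits into iptables arguments.
ensure_rule() {
    if ! $IPT -t nat -C PREROUTING $1 2>/dev/null; then
        $IPT -t nat -A PREROUTING $1
    fi
}

# Send every LAN client's plain-DNS traffic to the router's resolver,
# whatever server the client had configured.
dns_redirect_rules() {
    ip="$1"
    ensure_rule "-i br0 -p udp --dport 53 -j DNAT --to-destination $ip"
    ensure_rule "-i br0 -p tcp --dport 53 -j DNAT --to-destination $ip"
}

if [ "${1:-}" = "apply" ]; then
    dns_redirect_rules "$(lan_ip)"
fi
```

Running it twice leaves exactly two rules in place rather than four; the same -C guard applies to the 53535 rules in the thread's second block if you use those instead.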
 
I'm back to running Unbound with Diversion and dnsmasq. Smooth as silk. Took a tcpdump (am I allowed to say that?) and saw all the recursive queries going out to the various servers.

I did update my dnsmasq.postconf to combine my grep strings for UNBOUNDLISTENADDR:
Code:
#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh

if [ -n "$(pidof unbound)" ]; then
       UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
       if [ -n "$UNBOUNDLISTENADDR" ]; then
               pc_delete "servers-file" "$CONFIG"
               pc_delete "no-negcache" "$CONFIG"
               pc_delete "trust-anchor=" "$CONFIG"
               pc_delete "dnssec" "$CONFIG"
               pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
               pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
               pc_append "proxy-dnssec" "$CONFIG"
       fi
fi

And I added an unbound-anchor update to the S61unbound startup to ensure the updates are happening.
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
       # Wait for NTP before starting
       logger -st "S61unbound" "Waiting for NTP to sync before starting..."
       ntptimer=0
       while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
               ntptimer=$((ntptimer+1))
               sleep 1
       done

       if [ "$ntptimer" -ge "300" ]; then
               logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
               echo ""
               exit 1
       fi
fi

/opt/sbin/unbound-anchor -a /opt/var/lib/unbound/root.key

export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
PRECMD=""
POSTCMD="service restart_dnsmasq"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
 