rgnldo
Very Senior Member
> pc_delete "dnssec" "$CONFIG"
> pc_delete "trust-anchor=" "$CONFIG"
Good organization. I do not see the need for these arguments. Neither DNSSEC nor DNS Rebind will be enabled in the GUI ...
> /opt/sbin/unbound-anchor -a /opt/var/lib/unbound/root.key
There's no need either. Unbound-anchor does automatic updates.
> Good organization. I do not see the need for these arguments. Neither DNSSEC nor DNS Rebind will be enabled in the GUI ...
They're enabled in my GUI in case Unbound will not be running (deliberately or accidentally). I basically remove any dnsmasq option that would interfere with Unbound responses.
> I recommend using my adblock script with stubby and iptables redirection. It is wonderful.
I will study the memory usage compared to Diversion. I don't see the need (for me) for the iptables redirection since I could enable DNSFilter to force dnsmasq. If I were to disable dnsmasq DNS completely with port=0, then I would just move Unbound to port 53 and leave DNSFilter enabled.
> There's no need either. Unbound-anchor does automatic updates.
I am being conservative since the documentation says to run it at system start in case it has been turned off for some time. Important for me since I switch setups often, as a geek hobby.
I'm back to running Unbound with Diversion and dnsmasq. Smooth as silk. Took a tcpdump (am I allowed to say that?) and saw all the recursive queries going out to the various servers.
I did update my dnsmasq.postconf to combine my grep strings for UNBOUNDLISTENADDR:
Code:
#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh
# Only rewrite dnsmasq.conf when Unbound is actually running
if [ -n "$(pidof unbound)" ]; then
  # Find the loopback UDP socket Unbound listens on and turn 127.0.x.x:port into 127.0.x.x#port
  UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
  if [ -n "$UNBOUNDLISTENADDR" ]; then
    # Drop the upstream server list and every DNSSEC setting the GUI may have written
    pc_delete "servers-file" "$CONFIG"
    pc_delete "no-negcache" "$CONFIG"
    pc_delete "trust-anchor=" "$CONFIG"
    pc_delete "dnssec" "$CONFIG"
    # Let Unbound do the caching and point dnsmasq at it
    pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
    pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
    pc_append "proxy-dnssec" "$CONFIG"
  fi
fi
And I added an unbound-anchor update to the S61unbound startup to ensure the updates are happening.
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
  # Wait for NTP before starting (up to 300 seconds)
  logger -st "S61unbound" "Waiting for NTP to sync before starting..."
  ntptimer=0
  while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
    ntptimer=$((ntptimer+1))
    sleep 1
  done
  if [ "$ntptimer" -ge "300" ]; then
    logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
    echo ""
    exit 1
  fi
fi
# Refresh the DNSSEC root trust anchor before Unbound starts
/opt/sbin/unbound-anchor -a /opt/var/lib/unbound/root.key
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
PRECMD=""
POSTCMD="service restart_dnsmasq"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
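To see what the dnsmasq.postconf above actually does to a dnsmasq.conf, here is an added example (not code from the thread and not from Asuswrt-Merlin). It re-implements pc_delete, pc_replace and pc_append with the semantics I understand /usr/sbin/helper.sh to have (sed line delete, sed global substitute, append to end of file; that is an assumption, and a temp file is used instead of sed -i so it also runs on non-GNU sed), feeds the post's UNBOUNDLISTENADDR pipeline a constructed netstat -nlup listing instead of running netstat, and applies the same edits to a constructed dnsmasq.conf. The trust-anchor digest is a placeholder, not a real DS record.

```shell
#!/bin/sh
# Added example: replay the dnsmasq.postconf edits from the post offline.
# ASSUMPTION: pc_* helpers are re-implemented here, not taken from helper.sh.

pc_delete() {   # pc_delete PATTERN FILE   - drop every line matching PATTERN
  sed "/$1/d" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}
pc_replace() {  # pc_replace OLD NEW FILE  - substitute OLD with NEW on every line
  sed "s/$1/$2/g" "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}
pc_append() {   # pc_append LINE FILE      - add LINE at the end of FILE
  echo "$1" >> "$2"
}

# Same pipeline as the post's UNBOUNDLISTENADDR line, but reading netstat
# output from stdin so it can be fed constructed text.
extract_listen_addr() {
  grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#'
}

# Constructed "netstat -nlup" output: a dnsmasq socket, an IPv6 Unbound socket
# and the loopback Unbound socket the pipeline is meant to pick.
SAMPLE_NETSTAT='udp        0      0 192.168.1.1:53          0.0.0.0:*                           1111/dnsmasq
udp6       0      0 ::1:53                  :::*                                2222/unbound
udp        0      0 127.0.1.1:53            0.0.0.0:*                           2222/unbound'

# Apply the post's edits to CONFIG using LISTENADDR and print the result.
apply_postconf() {
  CONFIG="$1"
  UNBOUNDLISTENADDR="$2"
  pc_delete "servers-file" "$CONFIG"
  pc_delete "no-negcache" "$CONFIG"
  pc_delete "trust-anchor=" "$CONFIG"
  pc_delete "dnssec" "$CONFIG"          # removes *every* line containing "dnssec"
  pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
  pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
  pc_append "proxy-dnssec" "$CONFIG"    # re-added after the delete above took it out
  cat "$CONFIG"
}

# Build a constructed dnsmasq.conf, run the edits and print the resulting file.
demo() {
  conf=$(mktemp)
  cat > "$conf" <<'EOF'
pid-file=/var/run/dnsmasq.pid
interface=br0
cache-size=1500
no-negcache
servers-file=/tmp/resolv.dnsmasq
trust-anchor=.,20326,8,2,PLACEHOLDER_DS_DIGEST
dnssec
dnssec-check-unsigned
proxy-dnssec
EOF
  addr=$(printf '%s\n' "$SAMPLE_NETSTAT" | extract_listen_addr)
  apply_postconf "$conf" "$addr"
  rm -f "$conf"
}

demo
```

Running it leaves only pid-file, interface, cache-size=0, server=127.0.1.1#53 and a single proxy-dnssec line. The point worth noticing is that pc_delete "dnssec" is a substring match: it also removes dnssec-check-unsigned and any proxy-dnssec already present, which is why the script appends proxy-dnssec afterwards rather than relying on the GUI's copy.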
Apologize for jumping in here, but I have been following the thread and do have unbound up and running per the first post.
I noticed you stated that you are running Unbound with Diversion and dnsmasq; however, I do not see the following line in your dnsmasq.postconf. Would that not be required?
Code:
. /opt/share/diversion/file/post-conf.div # Added by Diversion
Code:
CONFIG="$1"
. /usr/sbin/helper.sh
if [ -n "$(pidof unbound)" ]; then
  UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
  if [ -n "$UNBOUNDLISTENADDR" ]; then
    pc_delete "servers-file" "$CONFIG"
    pc_delete "no-negcache" "$CONFIG"
    pc_delete "trust-anchor=" "$CONFIG"
    pc_delete "dnssec" "$CONFIG"
    pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
    pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
    pc_append "proxy-dnssec" "$CONFIG"
  fi
fi
. /opt/share/diversion/file/post-conf.div # Added by Diversion
> . /opt/share/diversion/file/post-conf.div # Added by Diversion
I omitted it in case anyone copying it wasn't a Diversion user. Good eyes!
> I'm back to running Unbound with Diversion and dnsmasq. Smooth as silk. Took a tcpdump (am I allowed to say that?) and saw all the recursive queries going out to the various servers.
I am running it on my setup. It took me a while to get used to the fact that I was sending out plain text traffic though, as I was so used to using DoT for a long time. The recursion is nice though.
https://github.com/rgnldo/Unbound-Asuswrt-Merlin/raw/master/unbound_adblock.tar.bz2
chmod +x /jffs/adblock/gen_adblock.sh
sh /jffs/adblock/gen_adblock.sh
include: /jffs/adblock/adservers
This commit seems to help the unbound script.
https://github.com/RMerl/asuswrt-merlin.ng/commit/935c9e8e293b0993651961331f9cad8d5bee4960
> Zero code change in it.
I got carried away.
> I am going to stick with Diversion and pixelserv-tls doing my network-level ad-blocking. I just feel that Diversion is so mature and bullet-proof that I don't want to start over with a home-grown script.
I like Diversion, but I wish the routers were not so limited. I feel like Diversion is held back by the limitations of the router. It is the only bad take-away from using it. It is awesome to be able to have it all done locally on the router though. It is so convenient because you don't have to worry about a separate device losing power (or connection), i.e. a RPi.
> I feel like Diversion is held back by the limitations of the router. It is the only bad take-away from using it.
The problem is redirecting to Pixelserv-tls. IP redirect lock consumes a lot of memory. Dnsmasq suffers a lot from this.
> /opt/etc/init.d/S61unbound
thank you as always dave.....so much to learn!
> thank you as always dave.....so much to learn!
Or I should get a life!
> Code:
> CONFIG="$1"
> . /usr/sbin/helper.sh
> if [ -n "$(pidof unbound)" ]; then
>   UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
>   if [ -n "$UNBOUNDLISTENADDR" ]; then
>     pc_delete "servers-file" "$CONFIG"
>     pc_delete "no-negcache" "$CONFIG"
>     pc_delete "trust-anchor=" "$CONFIG"
>     pc_delete "dnssec" "$CONFIG"
>     pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
>     pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
>     pc_append "proxy-dnssec" "$CONFIG"
>   fi
> fi
> . /opt/share/diversion/file/post-conf.div # Added by Diversion
If you want to be technical: I did a little testing and research, and you should be able to leave cache-size alone because you are appending the proxy-dnssec option. The conflict between dnsmasq caching and Unbound caching is due to the DNSSEC responses stored within the dnsmasq cache becoming SERVFAILs with Unbound, because dnsmasq does not save authentication data; but if you are using proxy-dnssec it becomes irrelevant and caching behaviour becomes normal.