rgnldo
Very Senior Member
Good organization. I do not see the need for these arguments. DNSSEC nor DNS Rebind will not be enabled in the GUI ...pc_delete "dnssec" "$CONFIG" pc_delete "trust-anchor=" "$CONFIG"
Last edited:
Good organization. I do not see the need for these arguments. DNSSEC nor DNS Rebind will not be enabled in the GUI ...pc_delete "dnssec" "$CONFIG" pc_delete "trust-anchor=" "$CONFIG"
There's no need either. Unbound-anchor does automatic update/opt/sbin/unbound-anchor -a /opt/var/lib/unbound/root.key
They're enabled in my GUI in case Unbound will not be running (deliberately or accidentally). I basically remove any dnsmasq option that would interfere with Unbound responses.Good organization. I do not see the need for these arguments. DNSSEC nor DNS Rebind will not be enabled in the GUI ...
I will study the memory usage compared to Diversion. I don't see the need (for me) for the iptables redirection since I could enable DNSFilter to force dnsmasq. If I were to disable dnsmasq DNS completely with port=0, then I would just move Unbound to port 53 and leave DNSFilter enabled.I recommend using my adblock script with stubby and iptables redirection. It is wonderful.
I am being conservative since the documentation says to run it at system start in case it has been turned off for some time. Important for me since I switch setups often, as a geek hobby.There's no need either. Unbound-anchor does automatic update
I'm back to running Unbound with Diversion and dnsmasq. Smooth as silk. Took a tcpdump (am I allowed to say that?) and saw all the recursive queries going out to the various servers.
I did update my dnsmasq.postconf to combine my grep strings for UNBOUNDLISTENADDR:
Code:#!/bin/sh CONFIG="$1" . /usr/sbin/helper.sh if [ -n "$(pidof unbound)" ]; then UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#') if [ -n "$UNBOUNDLISTENADDR" ]; then pc_delete "servers-file" "$CONFIG" pc_delete "no-negcache" "$CONFIG" pc_delete "trust-anchor=" "$CONFIG" pc_delete "dnssec" "$CONFIG" pc_replace "cache-size=1500" "cache-size=0" "$CONFIG" pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG" pc_append "proxy-dnssec" "$CONFIG" fi fi
And I added an unbound-anchor update to the S61unbound startup to ensure the updates are happening.
Code:#!/bin/sh if [ "$1" = "start" ] || [ "$1" = "restart" ]; then # Wait for NTP before starting logger -st "S61unbound" "Waiting for NTP to sync before starting..." ntptimer=0 while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do ntptimer=$((ntptimer+1)) sleep 1 done if [ "$ntptimer" -ge "300" ]; then logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!" echo "" exit 1 fi fi /opt/sbin/unbound-anchor -a /opt/var/lib/unbound/root.key export TZ=$(cat /etc/TZ) ENABLED=yes PROCS=unbound ARGS="-c /opt/var/lib/unbound/unbound.conf" PREARGS="nohup" PRECMD="" POSTCMD="service restart_dnsmasq" DESC=$PROCS PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin running Unbound with Diversion and dnsmasq . /opt/etc/init.d/rc.func
. /opt/share/diversion/file/post-conf.div # Added by Diversion
I omitted it in case anyone copying it wasn't a Diversion user. Good eyes!Apologize for jumping in here, but I have been following the thread and do have unbound up and running per the first post.
I noticed you stated that you are running Unbound with Diversion and dnsmasq, however I do not see in your dnsmasq.postconf the following line. Would that not be required?
Code:. /opt/share/diversion/file/post-conf.div # Added by Diversion
CONFIG="$1"
. /usr/sbin/helper.sh
if [ -n "$(pidof unbound)" ]; then
UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
if [ -n "$UNBOUNDLISTENADDR" ]; then
pc_delete "servers-file" "$CONFIG"
pc_delete "no-negcache" "$CONFIG"
pc_delete "trust-anchor=" "$CONFIG"
pc_delete "dnssec" "$CONFIG"
pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
pc_append "proxy-dnssec" "$CONFIG"
fi
fi
. /opt/share/diversion/file/post-conf.div # Added by Diversion
I am running it on my setup. It took me a while to get use to the fact I was sending out plain text traffic though as I was so use to using DoT for a long time. The recursion is nice though.I'm back to running Unbound with Diversion and dnsmasq. Smooth as silk. Took a tcpdump (am I allowed to say that?) and saw all the recursive queries going out to the various servers.
I did update my dnsmasq.postconf to combine my grep strings for UNBOUNDLISTENADDR:
Code:#!/bin/sh CONFIG="$1" . /usr/sbin/helper.sh if [ -n "$(pidof unbound)" ]; then UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#') if [ -n "$UNBOUNDLISTENADDR" ]; then pc_delete "servers-file" "$CONFIG" pc_delete "no-negcache" "$CONFIG" pc_delete "trust-anchor=" "$CONFIG" pc_delete "dnssec" "$CONFIG" pc_replace "cache-size=1500" "cache-size=0" "$CONFIG" pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG" pc_append "proxy-dnssec" "$CONFIG" fi fi
And I added an unbound-anchor update to the S61unbound startup to ensure the updates are happening.
Code:#!/bin/sh if [ "$1" = "start" ] || [ "$1" = "restart" ]; then # Wait for NTP before starting logger -st "S61unbound" "Waiting for NTP to sync before starting..." ntptimer=0 while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do ntptimer=$((ntptimer+1)) sleep 1 done if [ "$ntptimer" -ge "300" ]; then logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!" echo "" exit 1 fi fi /opt/sbin/unbound-anchor -a /opt/var/lib/unbound/root.key export TZ=$(cat /etc/TZ) ENABLED=yes PROCS=unbound ARGS="-c /opt/var/lib/unbound/unbound.conf" PREARGS="nohup" PRECMD="" POSTCMD="service restart_dnsmasq" DESC=$PROCS PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin . /opt/etc/init.d/rc.func
https://github.com/rgnldo/Unbound-Asuswrt-Merlin/raw/master/unbound_adblock.tar.bz2
chmod +x /jffs/adblock/gen_adblock.sh
sh /jffs/adblock/gen_adblock.sh
include: /jffs/adblock/adservers
This commit seems to help the unbound script.
https://github.com/RMerl/asuswrt-merlin.ng/commit/935c9e8e293b0993651961331f9cad8d5bee4960
I got carried away.Zero code change in it.
I like Diversion, but I wish the routers were not so limited, I feel like Diversion is held back by the limitations of the router. It is the only bad take away from using it. It is awesome to be able to have it all done locally on the router though. It is so convenient because you don't have to worry about a separate device losing power( or connection) I.e a RPI.I am going to stick with Diversion and pixelserv-tls doing my network-level ad-blocking. I just feel that Diversion is so mature and bullet-proof that I don't want to start over with a home-grown script.
The problem is redirecting to Pixelserv-tls. IP redirect lock consumes a lot of memory. Dnsmasq suffers a lot from this.I feel like Diversion is held back by the limitations of the router. It is the only bad take away from using it.
/opt/etc/init.d/S61unbound@rgnldo ....in instruction list, when you say edit unbound daemon, what file are you editing or creating? Apologies for the basic question.....
thank you as always dave.....so much to learn!/opt/etc/init.d/S61unbound
Or I should get a life!thank you as always dave.....so much to learn!
if you want to be technical, I did a little testing and research, you should be able to leave cache-size alone because you are appending the proxy-dnssec option, this is because the conflict between the dnsmasq caching and unbound caching is due to the dnssec responses stored with in dnsmasq cache become server fails with unbound because dnsmasq does not save authentication data, but if you are using proxy-dnssec it becomes irrelevant and caching behaviors become normal.Code:CONFIG="$1" . /usr/sbin/helper.sh if [ -n "$(pidof unbound)" ]; then UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#') if [ -n "$UNBOUNDLISTENADDR" ]; then pc_delete "servers-file" "$CONFIG" pc_delete "no-negcache" "$CONFIG" pc_delete "trust-anchor=" "$CONFIG" pc_delete "dnssec" "$CONFIG" pc_replace "cache-size=1500" "cache-size=0" "$CONFIG" pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG" pc_append "proxy-dnssec" "$CONFIG" fi fi . /opt/share/diversion/file/post-conf.div # Added by Diversion
Good organization. I do not see the need for these arguments. DNSSEC nor DNS Rebind will not be enabled in the GUI ...
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!