Unbound - Authoritative Recursive Caching DNS Server

[rgnldo]

if you want to be technical, I did a little testing and research, you should be able to leave cache-size alone because you are appending the proxy-dnssec option

If I understand, the proxy-dnssec option will only take effect with the cache-size option with values by caching. If this is it, it makes sense.

 

[rgnldo]

I've removed all DNS options

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "servers-file" $CONFIG
pc_delete "no-negcache" $CONFIG
pc_delete "domain-needed" "$CONFIG"
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "server=127.0.0.1#53535" $CONFIG

 

[rgnldo]

Update post https://www.snbforums.com/threads/unbound-authoritative-recursive-caching-dns-server.58967/

 

[dave14305]

I’ve removed most of the dnsmasq modifications except for the server parameters to point to unbound. I am allowing dnsmasq to use DNSSEC from the GUI to forward to Unbound which does the recursive validation. Both are caching. So far so good.

#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh
#. /opt/share/diversion/file/post-conf.div # Added by Diversion

if [ -n "$(pidof unbound)" ]; then
       UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
       if [ -n "$UNBOUNDLISTENADDR" ]; then
               pc_delete "servers-file" "$CONFIG"
               pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
       fi
fi

 

[rgnldo]

I’ve removed most of the dnsmasq modifications except for the server parameters to point to unbound. I am allowing dnsmasq to use DNSSEC from the GUI to forward to Unbound which does the recursive validation. Both are caching. So far so good.

#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh
#. /opt/share/diversion/file/post-conf.div # Added by Diversion

if [ -n "$(pidof unbound)" ]; then
       UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
       if [ -n "$UNBOUNDLISTENADDR" ]; then
               pc_delete "servers-file" "$CONFIG"
               pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
       fi
fi

Take the test with the current ity of the post

 

[Martineau]

Hello!
I use your CONNECTION verification script by WAN. Liked. I know little about shell script. I organize a post for installation of the unbound dns server.
Is there any way to organize you organize an installation script based on the post?

The script should support enabling these features or not.

Install Entware.
DNSFilter: ON - mode Router
Tools/Other WAN DNS local cache: NO # for the FW Merlin development team, it is desirable and safer by this mode.
Create Swap file
We will need the Entware-NG repository to install Unbound packages.
Configure NTP server Merlin

This should get you started unbound.sh v1.0Beta with acknowledgement to @Xentrk; whose Stubby installer I've borrowed/hacked!

Spoiler: Install

+======================================================================+
|  Welcome to the unbound-Installer-Asuswrt-Merlin installation script |
|  Version v1.0Beta by Martineau                                       |
|                                                                      |
| Requirements: USB drive with Entware installed                       |
|                                                                      |
| The install script will:                                             |
|   1. Install the unbound Entware package                             |
|   2. Override how the firmware manages DNS                           |
|   3. Disable the firmware DNSSEC setting                             |
|                                                                      |
| You can also use this script to uninstall unbound to back out the    |
| changes made during the installation. See the project repository at  |
| https://github.com/Martineau/unbound-Installer-Asuswrt-Merlin        |
| for helpful tips.                                                    |
+======================================================================+
1 = Update unbound Configuration
2 = Remove Existing unbound Installation
3 = Update install_unbound.sh
e = Exit Script

Option ==> 1

Entware package list successfully updated
Installing unbound-daemon (1.9.3-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/unbound-daemon_1.9.3-1_aarch64-3.10.ipk
Installing unbound-control (1.9.3-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/unbound-control_1.9.3-1_aarch64-3.10.ipk
Installing unbound-control-setup (1.9.3-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/unbound-control-setup_1.9.3-1_aarch64-3.10.ipk
Installing unbound-anchor (1.9.3-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/unbound-anchor_1.9.3-1_aarch64-3.10.ipk
Configuring unbound-daemon.
Configuring unbound-control.
Configuring unbound-control-setup.
Configuring unbound-anchor.
unbound successfully installed
Package haveged (1.9.6-1) installed in root is up to date.
Haveged successfully updated
S02haveged: Waiting for NTP to sync before starting...
 Shutting down haveged...              done.
 Starting haveged...              done.
Adding server=127.0.0.1#53535 to /jffs/configs/dnsmasq.conf.add
Required dnsmasq parm server=127.0.0.1#53535 found in /etc/dnsmasq.conf
Linking '/opt/etc/unbound/unbound.conf' --> '/opt/var/lib/unbound/unbound.conf'
Initialising 'unbound-control-setup'
setup in directory /opt/var/lib/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus
...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++++
...............................................................................................................................................++++
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus
........................++++
.....................................................++++
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
Enabling unbound 'remote-control:' in '/opt/etc/unbound/unbound.conf'
Use 'unbound-control stats_noreset' to monitor unbound performance
Customising '/opt/etc/unbound/unbound.conf'
Retrieving '/opt/var/lib/unbound/root-hints'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3316  100  3316    0     0   3167      0  0:00:01  0:00:01 --:--:--  5427
S61unbound: Waiting for NTP to sync before starting...
 Starting unbound...              done.
Installation of unbound completed
Swapfile=262140

      ***ERROR DNS Filter is OFF! -  see LAN->DNSFilter->DNS-based Filtering

      ***ERROR WAN: Use local caching DNS server as system resolver=YES  see Tools->Other Settings->Advanced Tweaks and Hacks

      ***ERROR Enable local NTP server=NO  see Administration->System

This script isn't perfect, nor is it hosted on GitHub (the /opt/etc/init.d scripts are hosted inline), but hopefully it meets your requirements.

The script doesn't alter 'dnsmasq.postconf' instead it creates 'dnsmasq.postconfX' but does update 'dnsmasq.conf.add'

You can test/tweak the script, but installing Entware/Swap file is already handled by 'amtm', and whilst the 'inappropriate' NVRAM variables are detected, enforcing the NVRAM prereqs is not (yet) implemented.

 

[rgnldo]

This helps a lot. I will give the credits. I'll call more users to contribute. @dave14305 @SomeWhereOverTheRainBow @Delusion

 

[dave14305]

This helps a lot. I will give the credits. I'll call more users to contribute. @dave14305

Would love to help!

 

[rgnldo]

Would love to help!

Get script https://pastebin.com/jumj7TB2

 

[dave14305]

Get script https://pastebin.com/jumj7TB2

Will you upload to your GitHub? We need to manage version control and multiple contributors.

 

[rgnldo]

GitHub?

I have no experience with development at Github, but let's try

 

[rgnldo]

@dave14305 https://github.com/rgnldo/Unbound-Asuswrt-Merlin
You can clone and try to collaborate

 

[rgnldo]

@Voxel does an excellent job with Unbound + Stubby. It's pretty advanced. I intend to compile the updated unbound binaries, a repo for Entware. I'm going to try.

 

[SomeWhereOverTheRainBow]

@Voxel does an excellent job with Unbound + Stubby. It's pretty advanced. I intend to compile the updated unbound binaries, a repo for Entware. I'm going to try.

you are welcome to drop me a line any time if you get stuck or want another perspective.

 

[rgnldo]

Update post

 

[rgnldo]

@Martineau

sh unbound_installer.sh
: not foundtaller.sh: line 24:
: not foundtaller.sh: line 25:
: not foundtaller.sh: line 28:
: not foundtaller.sh: line 32:
unbound_installer.sh: line 99: syntax error: unexpected word (expecting "in")

 

[dave14305]

@Martineau

sh unbound_installer.sh
: not foundtaller.sh: line 24:
: not foundtaller.sh: line 25:
: not foundtaller.sh: line 28:
: not foundtaller.sh: line 32:
unbound_installer.sh: line 99: syntax error: unexpected word (expecting "in")

I think you need to fix the installer name in line 83 since it is currently named with beta.

 

[SomeWhereOverTheRainBow]

I think you need to fix the installer name in line 83 since it is currently named with beta.

I see where you are going.

 

[dave14305]

I think you need to fix the installer name in line 83 since it is currently named with beta.

The file needs to be run through dos2unix after downloading. No CR/LF in Github!

 

[rgnldo]

I think you need to fix the installer name in line 83 since it is currently named with beta.

The error continues