Unbound - Authoritative Recursive Caching DNS Server

[rgnldo]

It worked now. Download with wget. Run do2linux

 

[SomeWhereOverTheRainBow]

The error continues

syntax is everything.

It worked now. Download with wget. Run do2linux

 

[Martineau]

I think you need to fix the installer name in line 83 since it is currently named with beta.

Erm, because clearly v1.03 is buggy ...so I'm happy for it to say Beta,! although I'm surprised @rgnldo decided to post the cURL link until he had verified that all the settings had been correctly added to 'unbound.conf'

i.e. unbound will apparently seemingly start, but fail to remain UP if you have selected the 'Integrate with Stubby' option

However, I have posted v1.04.

 

[rgnldo]

surprised @rgnldo decided to post the cURL

im beta tester. Coletive work!

 

[Martineau]

im beta tester.

OK.... but I didn't expect you to take down the manual configuration steps/details in post #1 so soon.

I provided the basic Beta (aka 'incomplete') script, but primarily focused on ensuring that the desired acceptance criteria was addressed

i.e. Entware, Swap file enabled and advanced Router Configuration etc.

The tedious process of modifying the 'unbound.conf' directives took a lower priority, and I know I didn't get around to adding ALL of them, and now my source of reference has gone.

 

[Martineau]

@dave14305 Thanks for the feedback.

Pushed v1.05 to Pastebin to correctly implement 'check_dnsmasq_postconf()'

 

[rgnldo]

Pushed v1.05 to Pastebin

https://pastebin.com/jumj7TB2

 

[rgnldo]

Pushed v1.05

no-negcache
cache-size=1500
min-port=4096
domain-needed

The dnsmasq.postconf file is generated by the script, but needs permission to change the /etc/dnsmasq.
I manually gave a chmod +x. Working perfectly.
Because I don't know the logic of the script, if you can add the option with adblock, better

 

[rgnldo]

Automatic update adblock

nano /jffs/scripts/services-start

## Run my adblock script every day
cru a adblock "0 5 * * * /jffs/adblock/gen_adblock.sh"

 

[SomeWhereOverTheRainBow]

no-negcache
cache-size=1500
min-port=4096
domain-needed

The dnsmasq.postconf file is generated by the script, but needs permission to change the /etc/dnsmasq.
I manually gave a chmod +x. Working perfectly.
Because I don't know the logic of the script, if you can add the option with adblock, better

I want to add a recommendation for dnsmasq custom options to use Local-cache Yes
and listen-address=127.0.0.1 be appended to dnsmasq.
like add a menu option for it for users to decide.

 

[Martineau]

Automatic update adblock

nano /jffs/scripts/services-start

## Run my adblock script every day
cru a adblock "0 5 * * * /jffs/adblock/gen_adblock.sh"

You should copy'n'paste v1.06 from Pastebin to your GitHub repository, then I'm sure you can simply include the new feature in v1.07!

 

[rgnldo]

listen-address=127.0.0.1

I tried that option. But you need to remove all DNS listening options from dnsmasq

 

[rgnldo]

You should copy'n'paste v1.06 from Pastebin to your GitHub repository

Done.

 

[rgnldo]

listen-address=127.0.0.1

There are some have organize unbound for embedded devices that depend on dnsmasq. I started at tomato's forum, with the help of @AndreDVJ. With AsusWRT it's a challenge.

 

[rgnldo]

simply include the new feature in v1.07

The ideal is to adapt the installation of the unbound cpu capacity and system memory.

reserved=12582912
availableMemory=$((1024 * $( (fgrep MemAvailable /proc/meminfo || fgrep MemTotal /proc/meminfo) | sed 's/[^0-9]//g' ) ))
if [ $availableMemory -le $(($reserved * 2)) ]; then
    echo "Not enough memory" >&2
    exit 1
fi
availableMemory=$(($availableMemory - $reserved))
msg_cache_size=$(($availableMemory / 3))
rr_cache_size=$(($availableMemory / 3))
nproc=$(nproc)
if [ $nproc -gt 1 ]; then
    threads=$(($nproc - 1))
else
    threads=1
fi
# Lookup IP of Stubby container as work around because forward-host did not
# resolve stubby correctly and does not support @port syntax.
# This uses ping rather than 'dig +short stubby' to avoid needing dnsutils
# package.
stubby_ip=$(ping -4 -c 1 stubby | head -n 1 | cut -d ' ' -f 3 | cut -d '(' -f 2 | cut -d ')' -f 1)
stubby_port=@8053
stubby=$stubby_ip$stubby_port

# Use this default unbound.conf unless a user mounts a custom one:
if [ ! -f /opt/unbound/etc/unbound/unbound.conf ]; then
sed \
    -e "s/@MSG_CACHE_SIZE@/${msg_cache_size}/" \
    -e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
    -e "s/@THREADS@/${threads}/" \
    -e "s/@STUBBY@/${stubby}/" \
    > /opt/unbound/etc/unbound/unbound.conf << EOT

https://github.com/MatthewVance/stubby-docker/blob/master/unbound/unbound.sh

 

[rgnldo]

I use tweaks in TransmissionBT tweaks in sysctl. Started by Cron.

## On and off TransmissionBT
cru a TransmissionINI "0 1 * * * ON_transmission.sh"
cru a TransmissionDESL "0 4 * * * OFF_transmission.sh"

#!/bin/sh
echo 8388608 > /proc/sys/net/core/rmem_max
echo 2097152 > /proc/sys/net/core/wmem_max
sleep 1
/opt/etc/init.d/88transmission start

#!/bin/sh
echo 524288 > /proc/sys/net/core/rmem_max
echo 524288 > /proc/sys/net/core/wmem_max
sleep 1
/opt/etc/init.d/88transmission stop

With unbound, I need volunteers to study sysctl for TCP optimization and restore if I uninstall unbound.
Link: https://wiki.mikejung.biz/Sysctl_tweaks

@Martineau path location on adblock folder is better in unbound folder due to USB capability, due to the creation of mega user lists.

 

[SomeWhereOverTheRainBow]

I use tweaks in TransmissionBT tweaks in sysctl. Started by Cron.

## On and stop TransmissionBT
cru a TransmissionINI "0 1 * * * ON_tramission.sh"
cru a TransmissionDESL "0 4 * * * OFF_tramission.sh"

#!/bin/sh
echo 8388608 > /proc/sys/net/core/rmem_max
echo 2097152 > /proc/sys/net/core/wmem_max
sleep 1
/opt/etc/init.d/88transmission start

#!/bin/sh
echo 524288 > /proc/sys/net/core/rmem_max
echo 524288 > /proc/sys/net/core/wmem_max
sleep 1
/opt/etc/init.d/88transmission stop

With unbound, I need volunteers to study sysctl for TCP optimization and restore if I uninstall unbound.
Link: https://wiki.mikejung.biz/Sysctl_tweaks

@Martineau path location on adblock folder is better in unbound folder due to USB capability, due to the creation of mega user lists.

i use customary

echo 524288 > /proc/sys/net/core/rmem_max

echo 524288 > /proc/sys/net/core/wmem_max

echo 8192 > /proc/sys/vm/min_free_kbytes

 

[rgnldo]

echo 524288 > /proc/sys/net/core/rmem_max

echo 524288 > /proc/sys/net/core/wmem_max

It is the default of AsusWRT-Merlin. But when we compiled TransmissionBT for TomatoUSB the proper value is different. But only when TransmissionBT is enabled. To save the router from stress by multi-connection, run TransmissionBT at dawn via Cron.

 

[Ubimo]

I read the OP, first few pages, wiki and the last few pages, but I cannot understand what "unbound" is or what it means?
Can someone please ELI5 this for me?
What are the pros and cons?

 

[Martineau]

@Martineau path location on adblock folder is better in unbound folder due to USB capability, due to the creation of mega user lists

v1.07Beta sent in PM

DO NOT publically repost link (rather share with beta testers by PM), as when my Pastebin links expire, I can simply update the OP so I don't need the hassle of trying to hunt down all of the links scattered in various posts across the forum.

v1.07Beta Changes:

/jffs/adblock changed/moved to /opt/var/lib/unbound
Added cron adblock fresh schedule as per post #249
Download 'unbound.config' template from Github rather than edit the verbose Entware Example 'unbound.config'
Added Option: https://github.com/MatthewVance/stubby-docker/blob/master/unbound/unbound.sh code, but it breaks unbound?
Added Option: Enable unbound logging.

Not sure if there is now something incompatible with your custom 'unbound.config', but unbound apparently initialises but has a fatal error 15 secs later?

S61unbound: Waiting for NTP to sync before starting...
 Starting unbound...              done.
Creating Daily cron job for Ad and Tracker update
S61unbound: Waiting for NTP to sync before starting...
 Shutting down unbound...              done.
 Starting unbound...              done.

Paused for 20 sec to allow unbound to validate 'unbound.conf'

 ***ERROR Unsuccessful installation of unbound detected

Dec 19 12:00:48 RT-AC86U (unbound_installer): 26517 Starting Script Execution (menu)
Dec 19 12:01:46 RT-AC86U S61unbound: Waiting for NTP to sync before starting...
Dec 19 12:01:47 RT-AC86U admin: Started unbound from .
Dec 19 12:01:47 RT-AC86U S61unbound: Waiting for NTP to sync before starting...
Dec 19 12:01:47 RT-AC86U admin: Started unbound from .
[1576756927] unbound[28549:0] error: Could not open logfile /unbound.log: Permission denied
[1576756927] unbound[28549:0] notice: init module 0: validator
[1576756927] unbound[28549:0] notice: init module 1: iterator
[1576756927] unbound[28549:0] info: start of service (unbound 1.9.3).
[1576756953] unbound[28549:0] info: 127.0.0.1 dns.msftncsi.com. A IN
[1576756953] unbound[28549:0] info: resolving dns.msftncsi.com. A IN
[1576756953] unbound[28549:0] info: response for dns.msftncsi.com. A IN
[1576756953] unbound[28549:0] info: reply from <.> 127.0.0.1#5453
[1576756953] unbound[28549:0] info: query response was ANSWER
[1576756953] unbound[28549:0] info: prime trust anchor
[1576756953] unbound[28549:0] info: generate keytag query _ta-4f66. NULL IN
[1576756953] unbound[28549:0] info: resolving . DNSKEY IN
[1576756953] unbound[28549:0] info: resolving _ta-4f66. NULL IN
[1576756953] unbound[28549:0] info: response for . DNSKEY IN
[1576756953] unbound[28549:0] info: reply from <.> 127.0.0.1#5453
[1576756953] unbound[28549:0] info: query response was ANSWER
[1576756953] unbound[28549:0] fatal error: could not open autotrust file for writing, /root.key.28549-0-318e5660: Permission denied

 Rerun unbound_installer.sh and select the Remove option to backout changes

I think I've gone as far as possible with the script (unless it is syntactically buggy), as I regard having the ability to download a basic human-friendly readable working 'unbound.conf' removes the need for the script to further tweak 'unbound.conf' directives, given, as the designated 'Subject Matter Expert' (SME) YOU can provide dynamic updates etc.