Unbound - Authoritative Recursive Caching DNS Server

Hate to jump in here in between your collaborations, but just curious - in the cURL script's current form on page 1.. is fully recursive Unbound working (in tandem with Diversion / Skynet)? Or currently is it forwarding requests to upstream DoT servers? I just couldn't tell with all the work being done at the moment ;) thanks for all your hard work!
 
I suggest you follow the initial post. Stubby will be forwarding TCP TLS to unbound. It's optional. I do not recommend using specific solutions for dnsmasq.
 
Yes, I fully understand your instructions, and will follow them. I am just ensuring Unbound is working the same (or close) as running Unbound on, say, a CentOS / Debian server and is fully recursive, not asking the upstream DoT servers each time a request is made (once cached).

Separately, I noticed a large version disparity in Unbound with the AArch64 (Entware) version vs. x86_64 versions for servers. They have patched several CVEs since the version running on Entware, if I understand the distribution numbering correctly... is the current Entware version relatively safe? Again, thank you for your work and I do apologize if this question seems inane or if anyone else has asked the same.
 
Separately, I noticed a large version disparity with AArch64 (Entware) version vs. x86_64 versions for servers. They have patched several CVEs since the version running on Entware, if I understand the distribution numbering correctly.. is the current Entware version relatively safe?
That's a good question. Yes, there have been several fixes from version 1.9.3 to 1.9.5. In general the corrections arise due to the implementation changes that occurred from one version to another. Unbound has simple coding and its development is very strong.
 
I am just ensuring Unbound is working the same (or close), to running Unbound on say a CentOS / Debian server and is fully recursive, not asking the upstream DoT
Yes, you can enjoy unbound as a recursive and authoritative local cache server only. If you have knowledge, you can help with suggestions.
 
I understand the distribution numbering correctly.. is the current Entware version relatively safe?
You could even compile the current version of unbound; the problem is the library dependency environment. It is safer and less laborious to rely on the Entware-ng development team.
 
AH. That makes a lot of sense, thank you for the in depth answers - I will definitely be installing this in the next day or so (from page 1).

I do have a spare AC88U I can use for testing, let me know what I can do to help if needed. More than willing to use that device as a test-mule for updates forthcoming, I will admit my coding & scripting skills are newly found. But let me know if that is of any help to you all.
 
I've uploaded 'unbound installer' v1.07

@rgnldo
I have added the use of 'unbound-control' e.g. for the statistics filter (Summary Totals), as per your PM...
Checking unbound status
Code:
#!/bin/sh
# Check that unbound answers on its control channel; exit 3 if it does not.
unboundstatus="unbound-control"
if ! $unboundstatus -q status; then
  echo "Unbound not running properly!"
  exit 3
fi
# Print a one-line summary: drop the per-thread, histogram and time.* counters,
# then join the remaining "key=value" lines with "; ".
echo "Unbound OK | " | tr -d '\n'
$unboundstatus stats | grep -v '^thread' | grep -v '^histogram' | grep -v '^time\.' | sed 's/$/; /' | tr -d '\n'
Not sure where/what histogram is, etc.

e.g. statistics filter by Totals display (requires Entware's 'column' package)
NOTE: Not sure why 'unbound-control' uses seconds to report up-time rather than a human-friendly format i.e. 4hrs 9 mins.
Code:
+======================================================================+
|  Welcome to the unbound-Installer-Asuswrt-Merlin installation script |
|  Version 1.07 by Martineau                                           |
|                                                                      |
| Requirements: USB drive with Entware installed                       |
|                                                                      |
| The install script will:                                             |
|   1. Install the unbound Entware package                             |
|   2. Override how the firmware manages DNS                           |
|   3. Optionally Integrate with Stubby                                |
|   4. Optionally Install Ad and Tracker Blocking                      |
|                                                                      |
| You can also use this script to uninstall unbound to back out the    |
| changes made during the installation. See the project repository at  |
| https://github.com/rgnldo/Unbound-Asuswrt-Merlin                     |
| for helpful tips.                                                    |
+======================================================================+

unbound (pid 26369) is running... uptime: 14966 seconds version: 1.9.3

1  = Update ('/opt/var/lib/unbound/') unbound Configuration
2  = Remove Existing unbound Installation

u  = Upgrade (Major) unbound_installer v1.06 -> v1.07

rs = Restart (or Start) unbound

s = Display unbound statistics (s=Summary Totals; sa=All)

e  = Exit Script

Option ==> s

total.num.queries=1179              total.num.prefetch=228              total.requestlist.max=3             total.requestlist.current.user=0
total.num.queries_ip_ratelimited=0  total.num.zero_ttl=0                total.requestlist.overwritten=0     total.tcpusage=0
total.num.cachehits=984             total.num.recursivereplies=195      total.requestlist.exceeded=0
total.num.cachemiss=195             total.requestlist.avg=0.255319      total.requestlist.current.all=0

These two events show permission errors in the unbound folder. The daemon can't access it.
Code:
[1576756927] unbound[28549:0] error: Could not open logfile /unbound.log: Permission denied
[1576756953] unbound[28549:0] fatal error: could not open autotrust file for writing, /root.key.28549-0-318e5660: Permission denied
Yup, I think I could work that out for myself; however, anyone upgrading from v1.06 will encounter this ERROR due to your custom GitHub-hosted 'unbound.conf'.

When you copy'n'paste v1.07 from Pastebin to your GitHub repository, make sure the file is in Unix format.
 
e.g. for the statistics filter
Code:
rgnldo@:/jffs/scripts# sh status_unbound.sh
Unbound OK | total.num.queries=0; total.num.queries_ip_ratelimited=0; total.num.cachehits=0; total.num.cachemiss=0; total.num.prefetch=0; total.num.zero_ttl=0; total.num.recursivereplies=0; total.requestlist.avg=0; total.requestlist.max=0; total.requestlist.overwritten=0; total.requestlist.exceeded=0; total.requestlist.current.all=0; total.requestlist.current.user=0; total.tcpusage=0; mem.cache.rrset=33048; mem.cache.message=33048; mem.mod.iterator=16556; mem.mod.validator=33264; mem.mod.respip=0; mem.streamwait=0; num.query.tcp=0; num.query.tcpout=0; num.query.tls=0; num.query.tls.resume=0; num.query.ipv6=0; num.query.flags.QR=0; num.query.flags.AA=0; num.query.flags.TC=0; num.query.flags.RD=0; num.query.flags.RA=0; num.query.flags.Z=0; num.query.flags.AD=0; num.query.flags.CD=0; num.query.edns.present=0; num.query.edns.DO=0; num.answer.rcode.NOERROR=0; num.answer.rcode.FORMERR=0; num.answer.rcode.SERVFAIL=0; num.answer.rcode.NXDOMAIN=0; num.answer.rcode.NOTIMPL=0; num.answer.rcode.REFUSED=0; num.query.ratelimited=0; num.answer.secure=0; num.answer.bogus=0; num.rrset.bogus=0; num.query.aggressive.NOERROR=0; num.query.aggressive.NXDOMAIN=0; unwanted.queries=0; unwanted.replies=0; msg.cache.count=0; rrset.cache.count=0; infra.cache.count=0; key.cache.count=0; num.query.authzone.up=0; num.query.authzo
 
Don't tell @Jack Yaz that... there may be an UnboundUStats....
 
I have decided to make v1.08 publicly available to take advantage of the 'more-eyes' principle! ;)

Feel free to use at your own risk.

@rgnldo

I believe we no longer need to continue with PM's, so please use the thread for on-going discussions/bug reporting etc.

i.e. I'm sure there are many who can assist with implementing Option 5 etc.
Code:
5. Optionally Customise CPU/Memory usage (Advanced Users)
given the current failed attempts.

NOTE: The prompt is still presented, but the function is disabled, i.e. no tweaks to /proc/sys, cache-size, number of threads based on CPUs available etc. are physically applied.

Beware: Additions are made to 'firewall-start', 'dnsmasq.conf.add', 'dnsmasq.conf.add' and 'services-start'
 
Thanks @Martineau ....this is great......for people like me! :)
 
i.e. I'm sure there are many who can assist with implementing Option 5 etc.
Agree. I'll find a way out. It's not that important.

I'm sorry for the delay in answering.
 
given the current failed attempts.
Code:
/jffs/scripts# /opt/etc/init.d/S61unbound restart
S61unbound: Waiting for NTP to sync before starting...
 Shutting down unbound...              done.
 Starting unbound...              failed.
Don't worry about this mistake. Only the unbound.conf file had an incorrect line. Hence the importance of the status script returning "Unbound OK".
 
@Martineau Come on, test the script v1.08.
This status is best at the beginning of the script, checking the requirements for the installation.
Code:
Please wait for up to 30 seconds for status.....


        Installation of unbound completed

Checking Router Configuration pre-reqs.....
[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Enable local NTP server=YES

The folder owner permission must be set after unbound installation, before any configuration action. Otherwise, unbound will be dead.
Code:
/opt/etc/init.d/rc.unslung check
 Checking haveged...              alive.
 Checking unbound...              dead.
 Checking stubby...              dead.
I did it manually:
Code:
chown nobody /opt/var/lib/unbound
Code:
/opt/etc/init.d/rc.unslung check
 Checking haveged...              alive.
 Checking unbound...              alive.
 Checking stubby...              alive.

My suggestion: the script should check if IPv6 is enabled and adapt unbound.conf to IPv4 only or IPv4/IPv6.
I recommend that the script verify that FW Merlin's DNSSEC is disabled.
I will update the lighter, goal-oriented unbound.conf. As for the performance option, we can withdraw it. The installation will be on Asus Merlin ARM routers, which have a good configuration.
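The permission-denied errors quoted earlier (unbound unable to write its log and autotrust file) and the pre-install checks suggested just above (IPv6 on/off, firmware DNSSEC off, folder owner) can all be expressed as small shell functions. The script below is an added example, not the installer's or rgnldo's code. It assumes the Asuswrt-Merlin NVRAM keys 'ipv6_service' (empty or "disabled" when IPv6 is off) and 'dnssec_enable' ("1" when the firmware's own DNSSEC is on), that unbound's working directory is /opt/var/lib/unbound and that it runs as user 'nobody'; all of those are assumptions, and the ownership check works on any directory so it can be exercised off-router.

```shell
#!/bin/sh
# Added example (not the installer's own code): pre-flight checks for the
# problems raised in this thread, one small function per check.
# Assumptions: NVRAM keys 'ipv6_service' and 'dnssec_enable' exist with the
# meanings described in the lead-in; unbound's working directory and user
# are the defaults below (override via the environment).
UNBOUND_DIR="${UNBOUND_DIR:-/opt/var/lib/unbound}"
UNBOUND_USER="${UNBOUND_USER:-nobody}"

# Map the firmware's IPv6 setting to the address families unbound should use:
# prints "ipv4" when IPv6 is off, "dual" otherwise. $1 is the ipv6_service value.
unbound_ip_mode() {
  case "$1" in
    ""|disabled) echo ipv4 ;;
    *)           echo dual ;;
  esac
}

# Print the unbound.conf 'server:' lines that follow from that mode, so the
# installer can write an IPv4-only or IPv4/IPv6 configuration.
unbound_af_lines() {
  if [ "$(unbound_ip_mode "$1")" = dual ]; then
    printf 'do-ip4: yes\ndo-ip6: yes\n'
  else
    printf 'do-ip4: yes\ndo-ip6: no\n'
  fi
}

# Succeed only when the firmware's DNSSEC validation is off: unbound validates
# on its own, so a second validator in front of it is redundant. $1 is dnssec_enable.
dnssec_disabled() {
  [ "${1:-0}" != 1 ]
}

# Succeed only when directory $1 exists and is owned by user $2 (default
# $UNBOUND_USER). A wrong owner here is what produces the 'Permission denied'
# errors for /unbound.log and the autotrust root.key file.
dir_owned_by() {
  owner=$(ls -ld "$1" 2>/dev/null | awk '{print $3}')
  [ -n "$owner" ] && [ "$owner" = "${2:-$UNBOUND_USER}" ]
}

# One result line in the style of the installer's pre-req display.
# $1 = exit status of the check (0 = pass), $2 = label.
report() {
  if [ "$1" -eq 0 ]; then echo "[OK] $2"; else echo "[!!] $2"; fi
}

# Run every check against the live router (needs the 'nvram' command).
preflight_report() {
  ipv6=$(nvram get ipv6_service)
  dnssec=$(nvram get dnssec_enable)
  dnssec_disabled "$dnssec"
  report $? "Firmware DNSSEC disabled (dnssec_enable=${dnssec:-unset})"
  dir_owned_by "$UNBOUND_DIR"
  report $? "$UNBOUND_DIR owned by $UNBOUND_USER"
  report 0 "IPv6 mode for unbound.conf: $(unbound_ip_mode "$ipv6")"
  unbound_af_lines "$ipv6"
}

# Only attempt the live report where nvram exists (i.e. on the router).
if command -v nvram >/dev/null 2>&1; then preflight_report; fi
```

On the router, run it once right after 'opkg install unbound' and again after any 'chown', so a dead unbound in 'rc.unslung check' can be traced to ownership before touching unbound.conf.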
 