Unbound - Authoritative Recursive Caching DNS Server

[SolluxCaptor]

Hate to jump in here in between your collaborations, but just curious - in the cURL script's current form on page 1.. is fully recursive Unbound working (in tandem with Diversion / Skynet)? Or currently is it forwarding requests to upstream DoT servers? I just couldn't tell with all the work being done at the moment thanks for all your hard work!

 

[rgnldo]

Hate to jump in here in between your collaborations, but just curious - in the cURL script's current form on page 1.. is fully recursive Unbound working (in tandem with Diversion / Skynet)? Or currently is it forwarding requests to upstream DoT servers? I just couldn't tell with all the work being done at the moment thanks for all your hard work!

I suggest you follow the initial post. Stubby will be forwarding TCP TLS to unbound. It's optional. I do not recommend using specific solutions for dnsmasq.

 

[SolluxCaptor]

I suggest you follow the initial post. Stubby will be forwarding TCP TLS to unbound. It's optional. I do not recommend using specific solutions for dnsmasq.

Yes, I fully understand your instructions, and will follow them. I am just ensuring Unbound is working the same (or close), to running Unbound on say a CentOS / Debian server and is fully recursive, not asking the upstream DoT servers each time a request is made (once cached).

Separately, I noticed a large version disparity in Unbound with AArch64 (Entware) version vs. x86_64 versions for servers. They have patched several CVEs since the version running on Entware, if I understand the distribution numbering correctly.. is the current Entware version relatively safe? Again, thank you for your work and I do apologize if this question seems inane or if anyone else has asked the same.

 

[rgnldo]

Separately, I noticed a large version disparity with AArch64 (Entware) version vs. x86_64 versions for servers. They have patched several CVEs since the version running on Entware, if I understand the distribution numbering correctly.. is the current Entware version relatively safe?

That's a good question. Yes, there have been several fixes from version 1.9.3 to 1.9.5. In general the corrections arises due to the implementation that occurred from one version to another. Unbound has simple coding and its development is very strong.

 

[rgnldo]

I am just ensuring Unbound is working the same (or close), to running Unbound on say a CentOS / Debian server and is fully recursive, not asking the upstream DoT

Yes, you can enjoy the unbound as recursive and authorizing local cache server only. If you have knowledge, you can help with suggestions.

 

[rgnldo]

I understand the distribution numbering correctly.. is the current Entware version relatively safe?

You could even compile the current version of unbound, the problem is the library dependency environment. It is safer and less laborious to rely on the Entware-ng development team

 

[SolluxCaptor]

You could even compile the current version of unbound, the problem is the library dependency environment. It is safer and less laborious to rely on the Entware-ng development team

AH. That makes a lot of sense, thank you for the in depth answers - I will definitely be installing this in the next day or so (from page 1).

I do have a spare AC88U I can use for testing, let me know what I can do to help if needed. More than willing to use that device as a test-mule for updates forthcoming, I will admit my coding & scripting skills are newly found. But let me know if that is of any help to you all.

 

[rgnldo]

I will admit my coding & scripting skills are newly found. But let me know if that is of any help to you all.

Good to know. We look forward to your contribution.

 

[Martineau]

I've uploaded 'unbound installer' v1.07

@rgnldo
I have added the use of 'unbound-control' e.g. for the statistics filter (Summary Totals), as per your PM...

Checking unbound status

#!/bin/sh
unboundstatus="unbound-control"
$unboundstatus -q status
if [ "$?" != 0 ]; then
  echo "Unbound not running properly!"
exit 3
fi
echo "Unbound OK | " | tr -d '\n'
$unboundstatus stats | grep -v thread | grep -v histogram | grep -v time. | sed 's/$/; /' | tr -d '\n'

Not sure where/what is histogram? etc.

e.g. statistics filter by Totals display (requires Entware's 'column' package)
NOTE: Not sure why 'unbound-control' uses seconds to report up-time rather than a human-friendly format i.e. 4hrs 9 mins.

+======================================================================+
|  Welcome to the unbound-Installer-Asuswrt-Merlin installation script |
|  Version 1.07 by Martineau                                           |
|                                                                      |
| Requirements: USB drive with Entware installed                       |
|                                                                      |
| The install script will:                                             |
|   1. Install the unbound Entware package                             |
|   2. Override how the firmware manages DNS                           |
|   3. Optionally Integrate with Stubby                                |
|   4. Optionally Install Ad and Tracker Blocking                      |
|                                                                      |
| You can also use this script to uninstall unbound to back out the    |
| changes made during the installation. See the project repository at  |
| https://github.com/rgnldo/Unbound-Asuswrt-Merlin                     |
| for helpful tips.                                                    |
+======================================================================+

unbound (pid 26369) is running... uptime: 14966 seconds version: 1.9.3

1  = Update ('/opt/var/lib/unbound/') unbound Configuration
2  = Remove Existing unbound Installation

u  = Upgrade (Major) unbound_installer v1.06 -> v1.07

rs = Restart (or Start) unbound

s = Display unbound statistics (s=Summary Totals; sa=All)

e  = Exit Script

Option ==> s

total.num.queries=1179              total.num.prefetch=228              total.requestlist.max=3             total.requestlist.current.user=0
total.num.queries_ip_ratelimited=0  total.num.zero_ttl=0                total.requestlist.overwritten=0     total.tcpusage=0
total.num.cachehits=984             total.num.recursivereplies=195      total.requestlist.exceeded=0
total.num.cachemiss=195             total.requestlist.avg=0.255319      total.requestlist.current.all=0

These two events have permission errors in the unbound folder. Daemom can't access it.

[1576756927] unbound[28549:0] error: Could not open logfile /unbound.log: Permission denied
[1576756953] unbound[28549:0] fatal error: could not open autotrust file for writing, /root.key.28549-0-318e5660: Permission denied

Yup, I think I could work that out for myself, however anyone upgrading from v1.06 will encounter this ERROR due to your custom Github hosted 'unbound.conf'

When you copy'n'paste v1.07 from Pastebin to your Github repository, make sure the file is in Unix format.

 

[rgnldo]

Not sure where/what is histogram? etc.

e.g. statistics filter by Totals display (requires Entware's 'column' package)

on unbound.conf

extended-statistics: yes
statistics-cumulative: no

 

[rgnldo]

e.g. for the statistics filter

rgnldo@:/jffs/scripts# sh status_unbound.sh
Unbound OK | total.num.queries=0; total.num.queries_ip_ratelimited=0; total.num.cachehits=0; total.num.cachemiss=0; total.num.prefetch=0; total.num.zero_ttl=0; total.num.recursivereplies=0; total.requestlist.avg=0; total.requestlist.max=0; total.requestlist.overwritten=0; total.requestlist.exceeded=0; total.requestlist.current.all=0; total.requestlist.current.user=0; total.tcpusage=0; mem.cache.rrset=33048; mem.cache.message=33048; mem.mod.iterator=16556; mem.mod.validator=33264; mem.mod.respip=0; mem.streamwait=0; num.query.tcp=0; num.query.tcpout=0; num.query.tls=0; num.query.tls.resume=0; num.query.ipv6=0; num.query.flags.QR=0; num.query.flags.AA=0; num.query.flags.TC=0; num.query.flags.RD=0; num.query.flags.RA=0; num.query.flags.Z=0; num.query.flags.AD=0; num.query.flags.CD=0; num.query.edns.present=0; num.query.edns.DO=0; num.answer.rcode.NOERROR=0; num.answer.rcode.FORMERR=0; num.answer.rcode.SERVFAIL=0; num.answer.rcode.NXDOMAIN=0; num.answer.rcode.NOTIMPL=0; num.answer.rcode.REFUSED=0; num.query.ratelimited=0; num.answer.secure=0; num.answer.bogus=0; num.rrset.bogus=0; num.query.aggressive.NOERROR=0; num.query.aggressive.NXDOMAIN=0; unwanted.queries=0; unwanted.replies=0; msg.cache.count=0; rrset.cache.count=0; infra.cache.count=0; key.cache.count=0; num.query.authzone.up=0; num.query.authzo

 

[SomeWhereOverTheRainBow]

I've uploaded 'unbound installer' v1.07

@rgnldo
I have added the use of 'unbound-control' e.g. for the statistics filter (Summary Totals), as per your PM...

Not sure where/what is histogram? etc.

e.g. statistics filter by Totals display (requires Entware's 'column' package)
NOTE: Not sure why 'unbound-control' uses seconds to report up-time rather than a human-friendly format i.e. 4hrs 9 mins.

+======================================================================+
|  Welcome to the unbound-Installer-Asuswrt-Merlin installation script |
|  Version 1.07 by Martineau                                           |
|                                                                      |
| Requirements: USB drive with Entware installed                       |
|                                                                      |
| The install script will:                                             |
|   1. Install the unbound Entware package                             |
|   2. Override how the firmware manages DNS                           |
|   3. Optionally Integrate with Stubby                                |
|   4. Optionally Install Ad and Tracker Blocking                      |
|                                                                      |
| You can also use this script to uninstall unbound to back out the    |
| changes made during the installation. See the project repository at  |
| https://github.com/rgnldo/Unbound-Asuswrt-Merlin                     |
| for helpful tips.                                                    |
+======================================================================+

unbound (pid 26369) is running... uptime: 14966 seconds version: 1.9.3

1  = Update ('/opt/var/lib/unbound/') unbound Configuration
2  = Remove Existing unbound Installation

u  = Upgrade (Major) unbound_installer v1.06 -> v1.07

rs = Restart (or Start) unbound

s = Display unbound statistics (s=Summary Totals; sa=All)

e  = Exit Script

Option ==> s

total.num.queries=1179              total.num.prefetch=228              total.requestlist.max=3             total.requestlist.current.user=0
total.num.queries_ip_ratelimited=0  total.num.zero_ttl=0                total.requestlist.overwritten=0     total.tcpusage=0
total.num.cachehits=984             total.num.recursivereplies=195      total.requestlist.exceeded=0
total.num.cachemiss=195             total.requestlist.avg=0.255319      total.requestlist.current.all=0

Yup, I think I could work that out for myself, however anyone upgrading from v1.06 will encounter this ERROR due to your custom Github hosted 'unbound.conf'

When you copy'n'paste v1.07 from Pastebin to your Github repository, make sure the file is in Unix format.

dont tell @Jack Yaz that... there may be a UnboundUStats....

 

[Martineau]

I have decided to make v1.08 publicly available to take advantage of the 'more-eyes' principle!

Feel free to use at your own risk.

@rgnldo

I believe we no longer need to continue with PM's, so please use the thread for on-going discussions/bug reporting etc.

i.e. I'm sure there are many who can assist with implementing Option 5 etc.

5. Optionally Customise CPU/Memory usage (Advanced Users)

given the current failed attempts.

NOTE: The prompt is still presented, but the function is disabled i.e. no tweaks to /proc/sys, cache-size,number of threads based on CPUs available etc. are physically applied.

Beware: Additions are made to 'firewall-start', 'dnsmasq.conf.add', 'dnsmasq.conf.add' and 'services-start'

 

[SuperDuke]

I have decided to make v1.08 publicly available to take advantage of the 'more-eyes' principle!

Feel free to use at your own risk.

@rgnldo

I believe we no longer need to continue with PM's, so please use the thread for on-going discussions/bug reporting etc.

i.e. I'm sure there are many who can assist with implementing Option 5 etc.

5. Optionally Customise CPU/Memory usage (Advanced Users)

given the current failed attempts.

NOTE: The prompt is still presented, but the function is disabled i.e. no tweaks to /proc/sys, cache-size,number of threads based on CPUs available etc. are physically applied.

Beware: Additions are made to 'firewall-start', 'dnsmasq.conf.add', 'dnsmasq.conf.add' and 'services-start'

Thanks @Martineau ....this is great......for people like me!

 

[Jack Yaz]

dont tell @Jack Yaz that... there may be a UnboundUStats....

pass, unless we see significant interest in this project

 

[rgnldo]

i.e. I'm sure there are many who can assist with implementing Option 5 etc.

Agree. I'll find a way out. It's not that important.

I'm sorry for the delay in answering.

 

[rgnldo]

pass, unless we see significant interest in this project

It will be an honor to have you as a collaborator.

 

[rgnldo]

given the current failed attempts.

/jffs/scripts# /opt/etc/init.d/S61unbound restart
S61unbound: Waiting for NTP to sync before starting...
 Shutting down unbound...              done.
 Starting unbound...              failed.

Don't worry about this mistake. Only the unbound.conf file had an incorrect line. So the importance of the status returning script unbound Ok.

 

[rgnldo]

@Martineau Come on, test the script v1.08.
This status is best at the beginning of the script, checking the requirements for the installation.

Please wait for up to 30 seconds for status.....


        Installation of unbound completed

Checking Router Configuration pre-reqs.....
[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Enable local NTP server=YES

The folder owner permission must be seen after unbound installation before any configuration action. Otherwise, the unbound will be dead.

/opt/etc/init.d/rc.unslung check
 Checking haveged...              alive.
 Checking unbound...              dead.
 Checking stubby...              dead.

I did it manually

chown nobody /opt/var/lib/unbound

/opt/etc/init.d/rc.unslung check
 Checking haveged...              alive.
 Checking unbound...              alive.
 Checking stubby...              alive.

My suggestion, the script should check if IPV6 is enabled and adapt unbound.conf to IPV4 only or IPV4/IPV6.
I recommend that the script verify that FW Merlin's DNSSEC is disabled.
I will update the lighter and goal unbound.conf. As for performance option, we can withdraw. The installation will be in Asus Merlin router's ARM, which have a good configuration.

 

[rgnldo]

@Martineau
https://raw.githubusercontent.com/rgnldo/Unbound-Asuswrt-Merlin/master/unbound.conf
https://raw.githubusercontent.com/rgnldo/Unbound-Asuswrt-Merlin/master/stubby.yml