Unbound - Authoritative Recursive Caching DNS Server

[Hanston Dsouza]

new script also dosent fix adblock but unbound works good
option selected
all yes except for studdy i selected no

 

[rgnldo]

New script still doesn't fix my issue with interface: 0.0.0.0 (I changed it to 127.0.0.1 anyway)

Manual change is appropriate.

verbosity: 1
statistics-interval: 1800 #every 1/2 hour
statistics-cumulative: yes

Excellent contribution. We hope more will come.

 

[rgnldo]

The script is in the final stages. Ideally, there are more collaborators with shell script knowledge and connectivity at FW Merlin to give an opinion. I want to contribute, but my knowledge is focused on infrastructure and connectivity. I think it contributes enough to the RMerlin project.

 

[rgnldo]

new script also dosent fix adblock but unbound works good
option selected
all yes except for studdy i selected no

I'll give it a check.

 

[rgnldo]

new script also dosent fix adblock

run unbound_installer.
Choose option 1. Update the installation. Edit /opt/var/lib/unbound/unbound.conf and uncomment the adblock path. Run /opt/etc/init.d/rc.unslung restart. Let's fix the script.

 

[Martineau]

run unbound_installer.
Choose option 1. Update the installation. Edit /opt/var/lib/unbound/unbound.conf and uncomment the adblock path. Run /opt/etc/init.d/rc.unslung restart. Let's fix the script.

The adblock feature has worked since v1.07, as your original 'unbound.conf' appeared to use the convention

# include:......adblock/adservers

where there is a single space between the '#' and the 'include:' directive, however your new 'unbound.conf' now omits the space char

#include:...….adblock/adservers

and now no version of the script can match '# '

I have patched the script ready for v.1.11 (not yet pushed to GitHub) to accept either style, but in the meantime you should fix 'unbound.conf' hosted on your GitHub to reinstate the space char.

 

[rgnldo]

dnsmasq.conf

unbound.conf

then to update the 'opt/etc/init.d/S*' scripts from @rgnldo's GitHub select

update

 

[rgnldo]

@Martineau the scripts /opt/etc/init.d/S* should be from my repository, just as it is being done with unbound.conf

 

[dave14305]

This thread and script when in a different direction than I anticipated or feel I could contribute to. I use unbound only as an upstream resolver for dnsmasq, relying on Diversion for adblocking and using no DoT whatsoever.

I want the hook between dnsmasq and Unbound to be failsafe, meaning if unbound isn't running, dnsmasq reverts to the normal WAN DNS servers. I do this through the dnsmasq.postconf script I've posted before in this thread. I also created a cron job to check unbound every 5 minutes and if it isn't running, restart dnsmasq so that the WAN DNS servers will take over, to minimize chances of a DNS-related outage in my home.

I don't understand where some of these requirements are coming from to use Entware Stubby, or use another adblock solution, or to try to force all requests to Unbound. To integrate with the firmware, it needs to have clean edges and integration points IMHO.

To gain widespread adoption, this script should do one thing very well: install Unbound as a recursive, validating resolver. All the extras might distract from other users understanding what it is doing and wanting to install it.

@Martineau will be canonized once his work here is done, or he walks away, whichever comes first.

 

[rgnldo]

This thread and script when in a different direction than I anticipated or feel I could contribute to. I use unbound only as an upstream resolver for dnsmasq, relying on Diversion for adblocking and using no DoT whatsoever.

I want the hook between dnsmasq and Unbound to be failsafe, meaning if unbound isn't running, dnsmasq reverts to the normal WAN DNS servers. I do this through the dnsmasq.postconf script I've posted before in this thread. I also created a cron job to check unbound every 5 minutes and if it isn't running, restart dnsmasq so that the WAN DNS servers will take over, to minimize chances of a DNS-related outage in my home.

I don't understand where some of these requirements are coming from to use Entware Stubby, or use another adblock solution, or to try to force all requests to Unbound. To integrate with the firmware, it needs to have clean edges and integration points IMHO.

To gain widespread adoption, this script should do one thing very well: install Unbound as a recursive, validating resolver. All the extras might distract from other users understanding what it is doing and wanting to install it.

@Martineau will be canonized once his work here is done, or he walks away, whichever comes first.

I understand your concern. But I assure you, it works the way it should. And query requests are being made by untying normally. I understand that comments like yours strengthens the post. I really appreciate it.

dig DNSKEY cyberciti.biz +short
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==

dig txt qnamemintest.internet.nl

; <<>> DiG 9.10.6 <<>> txt qnamemintest.internet.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13054
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qnamemintest.internet.nl.    IN    TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 3579    IN    CNAME    a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3581 IN    TXT    "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; Query time: 5 msec
;; SERVER: 10.0.30.1#53(10.0.30.1)
;; WHEN: Fri Dec 27 14:51:33 -03 2019
;; MSG SIZE  rcvd: 157

dig github.com

; <<>> DiG 9.10.6 <<>> github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44523
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;github.com.            IN    A

;; ANSWER SECTION:
github.com.        44    IN    A    192.30.253.112

;; Query time: 4 msec
;; SERVER: 10.0.30.1#53(10.0.30.1)
;; WHEN: Fri Dec 27 14:51:25 -03 2019
;; MSG SIZE  rcvd: 55

 

[rgnldo]

@Martineau The dnsmasq.postconf file is generated in incorrect formatting and without write permission.

#!/bin/sh
CONFIG=$1
pc_delete "servers-file" $CONFIG                        # unbound_installer
pc_delete "no-negcache" $CONFIG                 # unbound_installer
pc_delete "domain-needed" $CONFIG                       # unbound_installer
pc_delete "bogus-priv" $CONFIG                  # unbound_installer
pc_replace "cache-size=1500" "cache-size=0" $CONFIG                     # unbound_installer
source /usr/sbin/helper.sh

Must is in this format

#!/bin/sh
source /usr/sbin/helper.sh[
CONFIG=$1
pc_delete "servers-file" $CONFIG                        # unbound_installer
pc_delete "no-negcache" $CONFIG                 # unbound_installer
pc_delete "domain-needed" $CONFIG                       # unbound_installer
pc_delete "bogus-priv" $CONFIG                  # unbound_installer
pc_replace "cache-size=1500" "cache-size=0" $CONFIG                     # unbound_installer

 

[dave14305]

@Martineau The dnsmasq.postconf file is generated in incorrect formatting and without write permission.

#!/bin/sh
CONFIG=$1
pc_delete "servers-file" $CONFIG                        # unbound_installer
pc_delete "no-negcache" $CONFIG                 # unbound_installer
pc_delete "domain-needed" $CONFIG                       # unbound_installer
pc_delete "bogus-priv" $CONFIG                  # unbound_installer
pc_replace "cache-size=1500" "cache-size=0" $CONFIG                     # unbound_installer
source /usr/sbin/helper.sh

Must is in this format

#!/bin/sh
source /usr/sbin/helper.sh[
CONFIG=$1
pc_delete "servers-file" $CONFIG                        # unbound_installer
pc_delete "no-negcache" $CONFIG                 # unbound_installer
pc_delete "domain-needed" $CONFIG                       # unbound_installer
pc_delete "bogus-priv" $CONFIG                  # unbound_installer
pc_replace "cache-size=1500" "cache-size=0" $CONFIG                     # unbound_installer

Maybe it’s time to do like Diversion and just add a single line to dnsmasq.postconf that invokes a specific script created by the installer to contain all the dnsmasq changes, instead of guessing what might or might not already be present.

. /jffs/scripts/unbound.postconf “$1”

 

[rgnldo]

@dave14305 Coexistence with dnsmasq-oriented solutions is perfectly possible. Diversion, No-Track, Pi-Hole (great software) coexist perfectly with the coupling. I speak daily in the forums of these projects. But specifically targeted solutions for unbound are preferable. Forums like PFsense and OPNsense greatly strengthen this reasoning.

 

[dave14305]

@dave14305 Coexistence with dnsmasq-oriented solutions is perfectly possible. Diversion, No-Track, Pi-Hole (great software) coexist perfectly with the coupling. I speak daily in the forums of these projects. But specifically targeted solutions for unbound are preferable. Forums like PFsense and OPNsense greatly strengthen this reasoning.

Of course it is possible. My suggestion is that if you want to minimize the problems integrating with existing dnsmasq.postconf files, then consider calling the unbound specific script from dnsmasq.postconf as a one-liner and ensure that line comes after any other modifications to /etc/dnsmasq.conf.

I will wait to discuss with St. @Martineau.

 

[rgnldo]

. /jffs/scripts/unbound.postconf “$1”

My suggestion is that if you want to minimize the problems integrating with existing dnsmasq.postconf files, then consider calling the unbound specific script from dnsmasq.postconf as a one-liner and ensure that line comes after any other modifications to /etc/dnsmasq.conf.

Of course I agree with you. This is a great solution for dnsmasq-integrated software compatibility such as Diversion.

 

[rgnldo]

Trying to configure Munin here for Unbound

 

[rgnldo]

@Martineau script generated without write permission and with incorrect adblock cron argument.
/jffs/scripts/services-start

cru a adblock "0 5 * * *" /opt/var/lib/unbound/adblock/gen_adblock.sh                   # unbound

Manually fixed
chmod +x /jffs/scripts/services-start

cru a adblock "0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh"                    # unbound

 

[Hanston Dsouza]

I tried this
Changed Cru to new code but adblock still dosent work

@Martineau script generated without write permission and with incorrect adblock cron argument.
/jffs/scripts/services-start

cru a adblock "0 5 * * *" /opt/var/lib/unbound/adblock/gen_adblock.sh                   # unbound

Manually fixed
chmod +x /jffs/scripts/services-start

cru a adblock "0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh"                    # unbound

 

[rgnldo]

I tried this
Changed Cru to new code but adblock still dosent work

Read previous posts


Enviado do meu iPhone usando Tapatalk

 

[Martineau]

Unbound Installer v1.11 uploaded

1. Fix Adblock ENABLE (i.e. uncomment '# include:' ) in 'unbound.conf' even if '#include:' format is used by @rgnldo
2. Fix 'services-start' Adblock 'cron' job syntax
3. Fix (Hack??? i.e. issue existing command TWICE!!! ) 'chmod +x' to 'services-start'/'dnsmasq.postconf' if they are created
4. Fix 'dnsmasq.postconf' order of statements if it is created
5. Download files '/opt/etc/init.d/S61unbound' and '/opt/etc/init.d/S02haveged' from @rgnldo GitHub
6. Add menu option 'v = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit)'