Unbound - Authoritative Recursive Caching DNS Server


Unbound Installer v1.11 uploaded

1. Fix Adblock ENABLE (i.e. uncomment '# include:' ) in 'unbound.conf' even if '#include:' format is used by @rgnldo
2. Fix 'services-start' Adblock 'cron' job syntax
3. Fix (Hack??? i.e. issue existing command TWICE!!! o_O) 'chmod +x' to 'services-start'/'dnsmasq.postconf' if they are created
4. Fix 'dnsmasq.postconf' order of statements if it is created
5. Download files '/opt/etc/init.d/S61unbound' and '/opt/etc/init.d/S02haveged' from @rgnldo GitHub
6. Add menu option 'v = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit)'

Thanks!!


 
Maybe it’s time to do like Diversion and just add a single line to dnsmasq.postconf that invokes a specific script created by the installer to contain all the dnsmasq changes, instead of guessing what might or might not already be present.
Code:
. /jffs/scripts/unbound.postconf "$1"
Adopted in v1.11 although there is no 'guessing' in either method since the script needs to explicitly scan the target file for explicitly recognised directives.
 
There will be no more additions. It is enough for the script. Now focus on inclusion in the AMTM. I hope you all enjoy Unbound. Happy new year to all.


 
Unbound Installer v1.11 uploaded

1. Fix Adblock ENABLE (i.e. uncomment '# include:' ) in 'unbound.conf' even if '#include:' format is used by @rgnldo
2. Fix 'services-start' Adblock 'cron' job syntax
3. Fix (Hack??? i.e. issue existing command TWICE!!! o_O) 'chmod +x' to 'services-start'/'dnsmasq.postconf' if they are created
4. Fix 'dnsmasq.postconf' order of statements if it is created
5. Download files '/opt/etc/init.d/S61unbound' and '/opt/etc/init.d/S02haveged' from @rgnldo GitHub
6. Add menu option 'v = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit)'
You can probably do away with dnsmasq.conf.add now since you are appending the server= directive in dnsmasq.postconf/unbound.postconf now. I am still a proponent of only modifying dnsmasq.conf if and only if unbound is confirmed to be running (e.g. pid check or unbound-control status).
My own postconf excerpt for example:
Code:
# Excerpt from /jffs/scripts/dnsmasq.postconf; assumes the Merlin helper
# functions (pc_delete/pc_append/pc_replace) have been sourced from
# /usr/sbin/helper.sh and CONFIG="$1" was set earlier in the script.
if [ -n "$(pidof unbound)" ]; then
       # First UDP socket unbound listens on, rewritten as addr#port for dnsmasq's server= syntax
       UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
       if [ -n "$UNBOUNDLISTENADDR" ]; then
                pc_delete "servers-file" "$CONFIG"                     # drop the WAN DNS list so only unbound is used
                pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
                pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"  # let unbound do the caching
                pc_delete "trust-anchor=" "$CONFIG"                    # dnsmasq stops validating itself...
                pc_delete "dnssec" "$CONFIG"
                pc_append "proxy-dnssec" "$CONFIG"                     # ...and passes unbound's AD bit through to clients
       fi
fi
 
I am traveling. Stay free for changes and contributions. I can't help it now. But feel free.


 
Remotely accessing my router to get feedback from the script installer. It works perfectly. Some final corrections needed.
  • In the unbound.conf file there is the do-ip6 option. Line 15 is do-ip6: no, for IPv4 support only. On line 37 is do-ip6: yes, for IPv6 support. Only one of these must be present.
  • In the directory after executing or stopping the gen_adblock.sh script, temporary files should be removed, otherwise there will be errors in block list formatting on next script execution.
    Code:
    @rgnldo:/tmp/home/root# ls /opt/var/lib/unbound/adblock/
    adlist.tmp      adservers       blockhost       gen_adblock.sh  permlist        tmp.finalhost   tmp.host
    Must be just these
    Code:
    @rgnldo:/tmp/home/root# ls /opt/var/lib/unbound/adblock/
    adservers       blockhost       gen_adblock.sh  permlist
Just this. The script is great. I hope you are welcomed by the amtm project and other FW Merlin users will benefit. Thank you very much for your efforts @Martineau.

P.S.: Friends, all contributions are welcome. But when you contribute, you should maintain end user support. This is the purpose of this post, to benefit all FW Merlin users. All my changes and contributions have been thoroughly tested and debugged. I only support the ones I add.
 
  • In the unbound.conf file there is the do-ip6 option. Line 15 is do-ip6: no, for IPv4 support only. On line 37 is do-ip6: yes, for IPv6 support. Only one of these must be present.
  • In the directory after executing or stopping the gen_adblock.sh script, temporary files should be removed, otherwise there will be errors in block list formatting on next script execution.
Unbound Installer v1.12 uploaded

Fixes to the two issues described above.

NOTE: In the generated 'unbound.postconf' I have included (as comments) the check proposed in post #344 by @dave14305 but not yet activated.
 
@Martineau pardon, I had not checked before the release of script v1.12. The stubby.yml file needs IPv6 adaptation.
 
@Martineau in unbound.conf, do-ip4: yes has been removed. It is to stay. The only change is do-ip6: it must be changed to either yes or no.
Another detail: at the end of the installation, the file /etc/dnsmasq.conf had not been changed yet. I needed to manually launch service restart_dnsmasq.
 
@Martineau in unbound.conf, do-ip4: yes has been removed. It is to stay.
The only change is do-ip6: it must be changed to either yes or no.
Another detail: at the end of the installation, the file /etc/dnsmasq.conf had not been changed yet.
I needed to manually launch service restart_dnsmasq.
Pretty sure the original '/opt/etc/init.d/S61unbound' file hosted on your Github included a POSTCMD to restart dnsmasq as noted in the script...

@Martineau pardon, I had not checked before the release of script v1.12.
The stubby.yml file needs IPv6 adaptation.
Well in lieu of any details (again) I'll just guess then shall I? i.e. assume that everyone must/will use Cloudflare IPv6.

Like I have stated previously, you host the base config files so hosting both an IPv4 and IPv6 version of the file would mean that the script would only need to overwrite the appropriate local config file with either the IPv4 or IPv6 version rather than have to be aware of esoteric syntax and formatting.

Anyway Unbound Installer v1.13 uploaded.
 
Pretty sure the original '/opt/etc/init.d/S61unbound' file hosted on your Github included a POSTCMD to restart dnsmasq as noted in the script...
That's right. It turns out that, for technical reasons, I removed this option from S61unbound. It makes no sense to restart dnsmasq without limits. Imagine the router boot scenario or even unlimited reboots. It takes a while, as in the rc.unslung script. The FW Merlin or even the original official ASUSwrt code undergoes code modifications. I often observe this and adapt to the scenario.
Like I have stated previously, you host the base config files so hosting both an IPv4 and IPv6 version of the file would mean that the script would only need to overwrite the appropriate local config file with either the IPv4 or IPv6 version rather than have to be aware of esoteric syntax and formatting.
I agree.
All of these modifications give unbound the necessary optimization. It is excellent.
@Martineau don't worry about stubby.yml, it's not that important. Brotherly hug
 
That's right. It turns out that, for technical reasons, I removed this option from S61unbound. It makes no sense to restart dnsmasq without limits. Imagine the router boot scenario or even unlimited reboots. It takes a while, as in the rc.unslung script. The FW Merlin or even the original official ASUSwrt code undergoes code modifications. I often observe this and adapt to the scenario.
How do you ensure dnsmasq will point to Unbound after Unbound starts? What is the trigger?
 
How do you ensure dnsmasq will point to Unbound after Unbound starts? What is the trigger?
Code:
% dig +nocmd +noall +answer @a.nic.ch ch. soa
ch.            900    IN    SOA    a.nic.ch. dns-operation.switch.ch. 2019122922 900 600 1123200 900
Code:
% dig github.com

; <<>> DiG 9.10.6 <<>> github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46831
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;github.com.            IN    A

;; ANSWER SECTION:
github.com.        896    IN    A    18.231.5.6

;; Query time: 1 msec
;; SERVER: 2804:4474:200:8400::1#53(2804:4474:200:8400::1)
;; WHEN: Sun Dec 29 18:14:31 -03 2019
;; MSG SIZE  rcvd: 55
Code:
% dig a.b.qnamemin-test.internet.nl TXT

; <<>> DiG 9.10.6 <<>> a.b.qnamemin-test.internet.nl TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3816
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a.b.qnamemin-test.internet.nl.    IN    TXT

;; ANSWER SECTION:
a.b.qnamemin-test.internet.nl. 896 IN    TXT    "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; Query time: 1 msec
;; SERVER: 2804:4474:200:8400::1#53(2804:4474:200:8400::1)
;; WHEN: Sun Dec 29 18:16:39 -03 2019
;; MSG SIZE  rcvd: 130
Code:
% dig pir.org +dnssec +multi


; <<>> DiG 9.10.6 <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29497
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org.        IN A

;; ANSWER SECTION:
pir.org.        889 IN A 97.107.141.235
pir.org.        889 IN RRSIG A 5 2 300 (
                20200112084004 20191229084004 12435 pir.org.
                u9FBlkXxnIr9mxvDToIgr3Z4gOIbd5AXsjRWGh2pSiGf
                AW91tUQWrc49CdTMDtDwCgqay2EbuXu+BRhht6e444Pm
                v27acP+q94tAkFGcq/PJiqtE7E6GNh1Y1oX5bA4xezUK
                DQy3duQfmIfrMBeGo5lcQUgVsrFXsK0rl21RLSM= )

;; Query time: 1 msec
;; SERVER: 2804:4474:200:8400::1#53(2804:4474:200:8400::1)
;; WHEN: Sun Dec 29 18:20:12 -03 2019
;; MSG SIZE  rcvd: 219
Code:
% dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.10.6 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22034
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com.    IN    A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com.    893 IN    A    104.20.176.24
www.cloudflare-dnssec-auth.com.    893 IN    A    104.20.177.24
www.cloudflare-dnssec-auth.com.    893 IN    RRSIG    A 13 3 300 20191230222106 20191228202106 34505 cloudflare-dnssec-auth.com. nHfBH/uuG4yPjY9z5PwLNmvs0ghyUD2nI/SUjxBZKFyYm7fJptc7IGUl K00jF6MZtJ64TfTc8J1zfsIk69v/YA==

;; Query time: 1 msec
;; SERVER: 2804:4474:200:8400::1#53(2804:4474:200:8400::1)
;; WHEN: Sun Dec 29 18:21:15 -03 2019
;; MSG SIZE  rcvd: 213
I understand your concern, but verification should be done on the internal network. DNSFILTER does a good job helping with redirection.
HIT performance is excellent. I am getting 1ms over a wifi network.
 
Code:
@rgnldo:/tmp/home/root# unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | grep total.num
total.num.queries=1217
total.num.queries_ip_ratelimited=0
total.num.cachehits=621
total.num.cachemiss=596

total.num.prefetch=2
total.num.zero_ttl=0
total.num.recursivereplies=596
 
So are you telling traffic to bypass DNSMASQ, and the router to bypass its own local traffic? You are missing the "ad" flag in the responses in all your DNSSEC tests. Does your router store the correct time? How does your DHCP behave? I am curious to see what it does when tested with AIMESH.
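To make the "ad" flag check raised above mechanical, here is an added shell example (not from the thread or the installer) that classifies a captured `dig +dnssec` header by its status and flags; the sample headers are constructed to mirror the outputs posted earlier.

```shell
#!/bin/sh
# Added example, not from the thread or the installer script.
# Verdicts, reading only the ';; ->>HEADER<<-' and ';; flags:' lines:
#   validated   -> NOERROR/NXDOMAIN with the 'ad' flag: the resolver (unbound)
#                  validated the chain, so a local client may trust the answer
#   unvalidated -> answer came back without 'ad': validation is off, the zone
#                  is unsigned, or a forwarder in between (dnsmasq without
#                  proxy-dnssec) dropped the flag
#   bogus       -> SERVFAIL, which a validating resolver returns on signature
#                  failure when the client did not send +cd
dnssec_verdict() {
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -1)
    case "$status" in
        SERVFAIL) echo bogus; return ;;
        NOERROR|NXDOMAIN) ;;
        *) echo unknown; return ;;
    esac
    # Pad with spaces so 'ad' is matched as a whole flag, not as part of 'ra' or 'aa'
    case " $flags " in
        *" ad "*) echo validated ;;
        *) echo unvalidated ;;
    esac
}

# Constructed sample headers modelled on the thread's dig outputs.
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29497
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

dnssec_verdict "$SAMPLE_NO_AD"   # unvalidated (what the posted outputs show)
dnssec_verdict "$SAMPLE_AD"      # validated
dnssec_verdict "$SAMPLE_BOGUS"   # bogus
```

Run it against `dig pir.org +dnssec @127.0.0.1#<port>` directly at unbound and again via dnsmasq to see where the flag is lost.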
 
@Martineau cru format error
Code:
gnldo:/tmp/home/root# cat /jffs/scripts/services-start
#!/bin/sh

cru a adblock 0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh                     # unbound_installer

Code:
rgnldo:/tmp/home/root# cru l
0 5 bin bootfs cifs1 cifs2 data debug dev etc home jffs lib media mmc mnt opt proc rom root sbin sys sysroot tmp usr var www bin bootfs cifs1 cifs2 data debug dev etc home jffs lib media mmc mnt opt proc rom root sbin sys sysroot tmp usr var www bin bootfs cifs1 cifs2 data debug dev etc home jffs lib media mmc mnt opt proc rom root sbin sys sysroot tmp usr var www /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#

Fixed:
Code:
gnldo:/tmp/home/root# cat /jffs/scripts/services-start
#!/bin/sh

cru a adblock "0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh"                     # unbound_installer
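An added shell example (not from the thread or the installer) showing why the unquoted schedule broke and how to detect a mangled entry: it checks that the first five words of a `cru l` line are real cron fields, using sample lines constructed from the output above.

```shell
#!/bin/sh
# Added example, not from the thread or the installer script.
# Root cause of the broken crontab above: in 'cru a adblock 0 5 * * * cmd'
# each unquoted '*' is glob-expanded by the shell into a directory listing
# before cru ever sees it. Quoting the whole schedule ("0 5 * * * cmd")
# prevents that; this checker flags an entry that was mangled that way.

# Returns 0 when the first five arguments look like cron fields
# (digits, '*', ',', '-', '/'), 1 otherwise.
valid_cron_fields() {
    [ "$#" -ge 5 ] || return 1
    for f in "$1" "$2" "$3" "$4" "$5"; do
        case "$f" in
            ""|*[!0-9*,/-]*) return 1 ;;   # empty, or a character that is not cron syntax
        esac
    done
    return 0
}

# Takes one 'cru l' style line ("min hour dom mon dow command #tag#") and
# prints "ok" when the schedule part survived intact, "broken" otherwise.
check_cru_line() {
    set -f            # disable globbing so the line's own '*' fields stay literal
    set -- $1         # split the line into words on whitespace
    set +f
    if valid_cron_fields "$@"; then
        echo ok
    else
        echo broken
    fi
}

# Constructed sample lines modelled on the 'cru l' output in the thread.
GOOD_LINE='0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#'
BAD_LINE='0 5 bin bootfs cifs1 cifs2 data /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#'

check_cru_line "$GOOD_LINE"   # ok
check_cru_line "$BAD_LINE"    # broken
```

On the router, `cru l | while read -r line; do check_cru_line "$line"; done` flags any job whose schedule was expanded this way.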
 
So are you telling traffic to bypass DNSMASQ, and the router to bypass its own local traffic?
Dnsmasq is very flexible. It is also designed to work with DHCP only, as long as you remove all DNS options. Simple. DNSFILTER further strengthens this. AD lock logs are only possible if
You are missing the "ad" flag in the responses in all your DNSSEC tests.
Code:
dig 000free.us +dnssec +multi


; <<>> DiG 9.10.6 <<>> 000free.us +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38881
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;000free.us.        IN A

;; Query time: 2 msec
;; SERVER: 2804:4474:200:8400::1#53(2804:4474:200:8400::1)
;; WHEN: Mon Dec 30 07:45:53 -03 2019
;; MSG SIZE  rcvd: 39
Code:
% dig 042707d90914.agrigid.com +dnssec +multi


; <<>> DiG 9.10.6 <<>> 042707d90914.agrigid.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45189
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;042707d90914.agrigid.com. IN A

;; Query time: 1 msec
;; SERVER: 2804:4474:200:8400::1#53(2804:4474:200:8400::1)
;; WHEN: Mon Dec 30 07:49:12 -03 2019
;; MSG SIZE  rcvd: 53
Does your router store the correct time?
Works.
Code:
;; SERVER: 2804:4474:200:8400::1#53(2804:4474:200:8400::1)
;; WHEN: Mon Dec 30 07:45:53 -03 2019


I am curious to see what it does when tested with AIMESH.
You can help with this test.
 
:oops::oops::oops::oops:

Unbound Installer v1.13 patched.

Use option 'u'
Code:
u  = Update (Minor) unbound_installer v1.13

1  = Begin unbound Installation Process ('/opt/var/lib/unbound/')        l  = Show unbound log entries
2  = Remove Existing unbound Installation

e  = Exit Script

Option ==> u

    unbound_installer.sh downloaded successfully

Update Complete! 2474c216043a552173348b3dc5667299

then either manually remove the incorrect '#adblock#' cru statement from 'services-start' or use option '2';

then use option '1'

 
[optional cosmetics] @Martineau Correct the bash red color formatting at script termination when the REBOOT option is selected. It will be useful for amtm. I use the Termius SSH client on macOS.
 