Unbound - Authoritative Recursive Caching DNS Server

Dnsmasq runs only as DHCP. The option server=127.0.0.1#53535 for the unbound address is equivalent to server=1.1.1.1, only this.
 
There is no need to relaunch the dnsmasq PID.
Dnsmasq runs only as DHCP. The option server=127.0.0.1#53535 for the unbound address is equivalent to server=1.1.1.1, only this.
dnsmasq is still the LAN-facing DNS server that forwards to Unbound. You may wish it was only a DHCP server, but it doesn't make it true unless you further adapt dnsmasq.conf (e.g. port=0).
 
You may wish it was only a DHCP server, but it doesn't make it true unless you further adapt dnsmasq.conf (e.g. port=0).
There is no necessity. Dnsmasq comes from DNS via DHCP. Removing port 53 from dnsmasq would impair its function of distributing the LAN's local DNS IP. Installing unbound on port 53 requires a clean install and a separate DHCP server. Our method is correct.
 
Found the problem. The unbound check condition via PID races with Entware services initialization. If there is no PID, unbound.postconf is not launched.
Code:
if [ -n "$(pidof unbound)" ]; then
Let's fix it.
 
Found the problem. The unbound check condition via PID races with Entware services initialization. If there is no PID, unbound.postconf is not launched.
Code:
if [ -n "$(pidof unbound)" ]; then
Let's fix it.
Right, so if you add the POSTCMD="service restart_dnsmasq" to S61unbound, the dnsmasq.postconf will run again and the pid will be there. The intent is not to break dnsmasq in case unbound won't start or gets uninstalled uncleanly, or someone removes the USB and reboots the router.
 
Right, so if you add the POSTCMD="service restart_dnsmasq" to S61unbound, the dnsmasq.postconf will run again and the pid will be there. The intent is not to break dnsmasq in case unbound won't start or gets uninstalled uncleanly, or someone removes the USB and reboots the router.
Yeah, what would happen if the user wanted to remove the USB, as they do from time to time?
 
Right, so if you add the POSTCMD="service restart_dnsmasq"
He understood the proposal. The problem is the calls to dnsmasq with each unbound restart request.
 
The best option is to add the condition to the /jffs/scripts/post-mount file. The amtm script organizes things here.
Code:
./jffs/scripts/post-mount.div
/jffs/scripts/post-mount.div
Code:
#!/bin/sh

# Added by amtm Entware installer

OF="$(/usr/bin/find $1/entware*/bin/opkg 2> /dev/null)"

if [ "$OF" ]; then
   ln -nsf "$(echo "$OF" | sed 's~/bin/opkg~~g')" /tmp/opt
   /opt/etc/init.d/rc.unslung start $0
fi
 
He understood the proposal. The problem is the calls to dnsmasq with each unbound restart request.
I don't think it's a problem since dnsmasq will not be caching, so there is no performance impact from the restart. I also don't think unbound will be restarted very often. If you restart it in the adblock script, why not just run unbound-control reload instead?
 
so there is no performance impact from the restart.
As they are dependent for now, we will do so.
Code:
POSTCMD="service restart_dnsmasq"
Run the installer script and choose the update configuration option.
Code:
+======================================================================+
|  Welcome to the unbound-Installer-Asuswrt-Merlin installation script |
|  Version 1.17 by Martineau                                           |
|                                                                      |
| Requirements: USB drive with Entware installed                       |
|                                                                      |
| The install script will:                                             |
|   1. Install the unbound Entware package                             |
|   2. Override how the firmware manages DNS                           |
|   3. Optionally Integrate with Stubby                                |
|   4. Optionally Install Ad and Tracker Blocking                      |
|   5. Optionally Customise CPU/Memory usage (Advanced Users)          |
|                                                                      |
| You can also use this script to uninstall unbound to back out the    |
| changes made during the installation. See the project repository at  |
|         https://github.com/rgnldo/Unbound-Asuswrt-Merlin             |
|     for helpful user tips on unbound usage/configuration.            |
+======================================================================+

unbound (pid 1899) is running... uptime: 614 days 12:54:11 version: 1.9.3

1  = Update ('/opt/var/lib/unbound/') unbound Configuration             l  = Show unbound LIVE log entries (lx=Disable Logging)
2  = Remove Existing unbound Installation                               v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit; vh=View Example Configuration)
?  = About Configuration                                                rl = Reload unbound Configuration (Doesn't interrupt/halt unbound)
                                                                        oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound                                         s  = Display unbound statistics (s=Summary Totals; sa=All)

e  = Exit Script

Option ==> 1

I am seeing other options and solutions.

Yeah, what would happen if the user wanted to remove the USB, as they do from time to time?
At the time of TomatoUSB, with the release of Optware, there was a script that monitored the connected USB devices. This prevented deadlocks on old routers. I'll see if I can find it.
 
At the time of TomatoUSB, with the release of Optware, there was a script that monitored the connected USB devices. This prevented deadlocks on old routers. I'll see if I can find it.

Or maybe see if possible to compile unbound to run locally (in jffs) or only when mounted.
 
Hey again all, I read up on some interesting features of the Unbound config, namely "serve-expired: yes", which, if you live in a home / location with repetitive queries, is extremely helpful. It does NOT keep cached queries forever; rather, once the TTL reaches 0 and a client asks for the cached response again, Unbound will fetch a brand new recursive response immediately after and store it in the cache for next use. There is also an option to limit how long this would be acceptable.

I am seeing massive performance gains with this, but as with all configs, your mileage may vary.


In addition, it seems prefetch will only work when there is only 10% of TTL time left. Found the info here: https://forum.netgate.com/topic/142561/serve-expired-clearification/5 where the author of that Unbound feature explains it in the comments. See below:

The issue with the prefetch feature is it only works if you do a DNS lookup when less than 10% of the TTL is left, so basically with a 30 secs TTL, if you don't do another lookup within the last 3 seconds of the TTL, then prefetch isn't providing you any benefit. Its operating scope is too narrow.

So unbound implemented serve expired. What it does is, when a record is expired, it will stay in the cache with the TTL value as 0; if another lookup comes in from the LAN (or from whatever networks your unbound is serving), then it will be served as a cached record for performance. However, at the same time a new lookup is initiated from unbound to the authoritative server, so when there is a newer lookup later, it will serve a newer record.

So it's important to note the same expired record isn't served forever; it's only served once, then a new one is fetched.
 
Or maybe see if possible to compile unbound to run locally (in jffs) or only when mounted.
There is a dependence on libopenssl. No chance. You need to go along with Entware. Smoothly. The same problem also exists with AMTM projects. Skynet gives some problems if the USB has problems. Overall, unbound is working fine.
 
Fix image link.

I am very interested in the gain with prefetch. But it must contain security. Better a little more latency than insecurity.
Ah! Fixed in BB code editor. And for more security, you can set:
Code:
serve-expired-ttl: <seconds>
         Limit serving of expired responses to configured seconds after
         expiration. 0 disables the limit. This option only applies when
         serve-expired is enabled. The default is 0.
This way you control how long this is ok, not wait for a new (client-side) query to replace cache. Since many websites set their TTL to 60 (seconds), the most we will usually see is our minimum TTL - 900 seconds.

Also, separately, for reference, Unbound's default cache-max-negative-ttl is 3600, curious why it is set lower in this instance, is this due to ad-blocking?
 
cache-max-negative-ttl
In summary, an NXDOMAIN response would be cached as specified in the SOA of the applicable zone, whereas SERVFAIL is unlikely to be cached, or, if cached, it'll be at most a double-digit number of seconds.
 
@SolluxCaptor What values did you add in these options? Run the test and report back here.
Code:
serve-expired-ttl:

serve-expired-ttl-reset:
 
@SolluxCaptor What values did you add in these options? Run the test and report back here.
Code:
serve-expired-ttl:

serve-expired-ttl-reset:
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 172800 (2 days, for now - to clear out cache that is not used within timeframe)
also
cache-max-negative-ttl: 0

Apologies, how should I test?
 
Apologies, how should I test?
It is reported in your link. In the installer script there is also the report option.
Code:
unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | egrep 'total.num|cache.count'
Do you use Diversion?
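To actually measure the serve-expired gain discussed earlier in the thread, the counters from the stats_noreset command above can be turned into a small cache-efficiency report. The script below is an added example, not code from the thread or from the installer project; the counter names are Unbound's own, the sample values are constructed, and `unbound_cache_report` / `report_value` are names chosen here.

```sh
#!/bin/sh
# Added example, not from the thread: turn the raw unbound-control counters
# into a cache-efficiency report so the serve-expired gain can be measured.
# On the router the live input would be:
#   unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | unbound_cache_report
# Counter names are Unbound's own; total.num.zero_ttl counts replies answered
# from an expired cache entry, i.e. exactly what serve-expired produces.

# Constructed sample of stats_noreset output (values invented for the demo).
SAMPLE_STATS='total.num.queries=4000
total.num.cachehits=3100
total.num.cachemiss=900
total.num.prefetch=160
total.num.zero_ttl=420
total.requestlist.avg=0.5
msg.cache.count=2310
rrset.cache.count=4488
infra.cache.count=97'

# Read key=value stats on stdin; print one metric per line as key=value.
unbound_cache_report() {
    awk -F= '
        $1 == "total.num.queries"   { q = $2 }
        $1 == "total.num.cachehits" { h = $2 }
        $1 == "total.num.cachemiss" { m = $2 }
        $1 == "total.num.prefetch"  { p = $2 }
        $1 == "total.num.zero_ttl"  { z = $2 }
        $1 == "msg.cache.count"     { msgs = $2 }
        $1 == "rrset.cache.count"   { rrs = $2 }
        END {
            if (q + 0 == 0) { print "error=no_queries"; exit 1 }
            printf "queries=%d\n", q
            printf "hit_ratio_pct=%.1f\n", 100 * h / q
            printf "miss_ratio_pct=%.1f\n", 100 * m / q
            # stale answers handed out under serve-expired, as a share of all queries
            printf "expired_served_pct=%.1f\n", 100 * z / q
            # answers refreshed early by prefetch (it only fires in the last 10% of TTL)
            printf "prefetch_pct=%.1f\n", 100 * p / q
            printf "msg_cache_entries=%d\n", msgs
            printf "rrset_cache_entries=%d\n", rrs
        }'
}

# Pull one metric out of the report for the constructed sample, e.g.
# report_value hit_ratio_pct  ->  77.5
report_value() {
    printf '%s\n' "$SAMPLE_STATS" | unbound_cache_report | sed -n "s/^$1=//p"
}
```

Running the report before and after enabling serve-expired (with stats_noreset so the counters keep accumulating) shows whether expired_served_pct grows and miss_ratio_pct drops for the household's repetitive queries.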
 