Unbound - Authoritative Recursive Caching DNS Server

[Cam]

stub-zone:
    name: "rgnldo.lan"
    stub-addr: 192.168.1.3
stub-zone:
    name: "1.168.192.in-addr.arp"
    stub-addr: 192.168.1.3

Goal here is to provide performance and latency reduction. A good experience High response and performance.

Has this had any effect?

I may be wrong, but I thought stub zones were for unbound to forward sub-domains (in your case *.rgnldo.lan) to an upstream dns server,. And as pixelserv isnt a DNS server, doesn't it just timeout and fall back to unbound to resolve - hence taking longer (until cached)?
I think the "local-zone", "local-data" is the directive to spoof resolved DNS to pixelserv.

Sent from my Nokia 7 plus using Tapatalk

 

[rgnldo]

Has this had any effect?

I may be wrong, but I thought stub zones were for unbound to forward sub-domains (in your case *.rgnldo.lan) to an upstream dns server,. And as pixelserv isnt a DNS server, doesn't it just timeout and fall back to unbound to resolve - hence taking longer (until cached)?
I think the "local-zone", "local-data" is the directive to spoof resolved DNS to pixelserv.

Sent from my Nokia 7 plus using Tapatalk

Yes. Pixelserv-tls also has the function of speeding up responses as well as SNI. It is being used in conjunction with adblock. In the same logic, I am testing with NGINX and Lighttpd.

 

[SomeWhereOverTheRainBow]

Has this had any effect?

I may be wrong, but I thought stub zones were for unbound to forward sub-domains (in your case *.rgnldo.lan) to an upstream dns server,. And as pixelserv isnt a DNS server, doesn't it just timeout and fall back to unbound to resolve - hence taking longer (until cached)?
I think the "local-zone", "local-data" is the directive to spoof resolved DNS to pixelserv.

Sent from my Nokia 7 plus using Tapatalk

Yea I would think it is simple as redirecting responses of blocked domains to pixelserv-tls, but stub zone may still be required for for proper caching of responses.

this may be able to be utilized, don't know if it is set right.
access-control-tag: 192.168.1.3/24 "tag2 tag1"
access-control-tag-data: 192.168.1.3/24 tag2 "A 127.0.0.1"
access-control-tag-action: 192.168.1.3/24 tag1 redirect
access-control-view: 192.168.1.3/24 viewname

local-zone: "adserver.example.com" redirect
local-data: "adserver.example.com A 127.0.0.1"

or

local-zone: "adserver.example.com" redirect
local-data: "adserver.example.com A 192.168.1.3"

should suffice.

 

[Seij]

Just noticed I'm getting an error parsing the cron job added in the most recent release:

Log output:
Jan 13 09:01:00 RT-AC5300 crond[385]: user user1: parse error at \*\/15
Jan 13 09:01:00 RT-AC5300 crond[385]: user user1: parse error at \*
Jan 13 09:01:00 RT-AC5300 crond[385]: user user1: parse error at \*


cru l output:
0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache #root_servers#

EDIT: Upon investigation it looks like this is an issue with line #429 in v1.2.0 of unbound_installer.sh:
$(Smart_LineInsert "/jffs/scripts/services-start" "$(echo -e "cru a root_servers \"0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache\"\t# unbound_installer")" )

The escape characters are mistakenly added into the services-start file:
Excerpt from services-start:
cru a root_servers "0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache" # unbound_installer

 

[rgnldo]

- Fixed. added unbound file performance and security improvements.
- Improved blocking of ads and tracker's (including youtube).
Enjoy!

 

[Kingp1n]

- Fixed. added unbound file performance and security improvements.
- Improved blocking of ads and tracker's (including youtube).
Enjoy!

If we want to try the unbound built in ad blocking, do we need to disable either Skynet or diversion?

 

[rgnldo]

If we want to try the unbound built in ad blocking, do we need to disable either Skynet or diversion?

Disable Diversion only.

 

[Kingp1n]

- Fixed. added unbound file performance and security improvements.
- Improved blocking of ads and tracker's (including youtube).
Enjoy!

For the recent fixes do we have to wait for the script update or fo we simply update unbound to get them? Thanks for the assist.

 

[rgnldo]

For the recent fixes do we have to wait for the script update or fo we simply update unbound to get them? Thanks for the assist.

No. Launch the script and choose update setting. Return your feedback.

 

[rgnldo]

Just noticed I'm getting an error parsing the cron job added in the most recent release:

Log output:
Jan 13 09:01:00 RT-AC5300 crond[385]: user user1: parse error at \*\/15
Jan 13 09:01:00 RT-AC5300 crond[385]: user user1: parse error at \*
Jan 13 09:01:00 RT-AC5300 crond[385]: user user1: parse error at \*


cru l output:
0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache #root_servers#

EDIT: Upon investigation it looks like this is an issue with line #429 in v1.2.0 of unbound_installer.sh:
$(Smart_LineInsert "/jffs/scripts/services-start" "$(echo -e "cru a root_servers \"0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache\"\t# unbound_installer")" )

The escape characters are mistakenly added into the services-start file:
Excerpt from services-start:
cru a root_servers "0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache" # unbound_installer

It will be fixed. Add manual on /jffs/scripts/services.start

cru a root_servers  "0 2 */15 * * curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache"

 

[Martineau]

Just noticed I'm getting an error parsing the cron job added in the most recent release:

Log output:
Jan 13 09:01:00 RT-AC5300 crond[385]: user user1: parse error at \*\/15
Jan 13 09:01:00 RT-AC5300 crond[385]: user user1: parse error at \*
Jan 13 09:01:00 RT-AC5300 crond[385]: user user1: parse error at \*


cru l output:
0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache #root_servers#

EDIT: Upon investigation it looks like this is an issue with line #429 in v1.2.0 of unbound_installer.sh:
$(Smart_LineInsert "/jffs/scripts/services-start" "$(echo -e "cru a root_servers \"0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache\"\t# unbound_installer")" )

The escape characters are mistakenly added into the services-start file:
Excerpt from services-start:
cru a root_servers "0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache" # unbound_installer

Which version of the script are you running?

 

[Seij]

Which version of the script are you running?

1.20

Pretty sure line 429 is the culprit, as my services-start file contained the "\" escape character

428: echo -e $cBCYA"Creating Bi-weekly InterNIC Root DNS Servers cron job"$cRESET
429: $(Smart_LineInsert "/jffs/scripts/services-start" "$(echo -e "cru a root_servers \"0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache\"\t# unbound_installer")" )

 

[Martineau]

1.20

Pretty sure line 429 is the culprit, as my services-start file contained the "\" escape character

428: echo -e $cBCYA"Creating Bi-weekly InterNIC Root DNS Servers cron job"$cRESET
429: $(Smart_LineInsert "/jffs/scripts/services-start" "$(echo -e "cru a root_servers \"0 2 \*\/15 \* \* curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache\"\t# unbound_installer")" )

Whoops, apologies.... (I haven't rebooted so the ACTIVE cru #root_servers# job is fine.)

I may release v1.21, but I doubt it is critical, to retrieve the file every two weeks (it was originally retrieved every day ) and according to the HDR is a month old anyway?

;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:     December 05, 2019
;       related version of root zone:     2019120501

 

[rgnldo]

I may release v1.21, but I doubt it is critical, to retrieve the file every two weeks (it was originally retrieved every day ) and according to the HDR is a month old anyway?

Ideally check for the update. If daily resolves, that's fine. We removed from the script because of the option to install adblock or not.

 

[rgnldo]

[Will not go to script] in tests, stub-zone and auth-zone with interNIC and dns.opennic.glue. A security layer with root.zone.
https://www.nlnetlabs.nl/downloads/presentations/unbound_privacy_apricot2019.pdf

# auth-zone
include: /opt/var/lib/unbound/root.zone

auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: root.zone

curl -o /opt/var/lib/unbound/root.zone https://www.internic.net/domain/root.zone

# stub-zone
include: /opt/var/lib/unbound/stub.zone

stub-zone:
    name: "dns.opennic.glue"
    stub-addr: "127.0.0.1@552"   #  Authorative Slave DNS server
stub-zone:
    name: "bbs"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "bit"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "chan"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "cyb"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "dyn"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "free"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "fur"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "geek"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "gopher"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "indy"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "libre"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "neo"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "null"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "o"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "opennic.glue"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "oss"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "oz"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "parody"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "pirate"
    stub-addr: "127.0.0.1@552"
# OpenNIC Peers:
stub-zone:
    name: "baza"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "coin"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "emc"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "lib"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "ku"
    stub-addr: "127.0.0.1@552"
    stub-addr: "5.45.96.220"    # ns1.new-nations.ku
    stub-addr: "185.82.22.133"  # ns2.new-nations.ku
stub-zone:
    name: "te"
    stub-addr: "127.0.0.1@552"
    stub-addr: "5.45.96.220"    # ns1.new-nations.te
    stub-addr: "185.82.22.133"  # ns2.new-nations.te
stub-zone:
    name: "ti"
    stub-addr: "127.0.0.1@552"
    stub-addr: "5.45.96.220"    # ns1.new-nations.ti
    stub-addr: "185.82.22.133"  # ns2.new-nations.ti
stub-zone:
    name: "uu"
    stub-addr: "127.0.0.1@552"
    stub-addr: "5.45.96.220"    # ns1.new-nations.uu
    stub-addr: "185.82.22.133"  # ns2.new-nations.uu

 

[Kingp1n]

[Will not go to script] in tests, stub-zone and auth-zone with interNIC and dns.opennic.glue. A security layer with root.zone.
https://www.nlnetlabs.nl/downloads/presentations/unbound_privacy_apricot2019.pdf

# auth-zone
include: /opt/var/lib/unbound/auth.zone

auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: /run/root.zone

# stub-zone
include: /opt/var/lib/unbound/stub.zone

stub-zone:
    name: "dns.opennic.glue"
    stub-addr: "127.0.0.1@552"   #  Authorative Slave DNS server
stub-zone:
    name: "bbs"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "bit"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "chan"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "cyb"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "dyn"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "free"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "fur"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "geek"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "gopher"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "indy"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "libre"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "neo"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "null"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "o"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "opennic.glue"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "oss"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "oz"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "parody"
    stub-addr: "127.0.0.1@552"
stub-zone:
    name: "pirate"
    stub-addr: "127.0.0.1@552"
# OpenNIC Peers:
stub-zone:
    name: "baza"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "coin"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "emc"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "lib"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "ku"
    stub-addr: "127.0.0.1@552"
    stub-addr: "5.45.96.220"    # ns1.new-nations.ku
    stub-addr: "185.82.22.133"  # ns2.new-nations.ku
stub-zone:
    name: "te"
    stub-addr: "127.0.0.1@552"
    stub-addr: "5.45.96.220"    # ns1.new-nations.te
    stub-addr: "185.82.22.133"  # ns2.new-nations.te
stub-zone:
    name: "ti"
    stub-addr: "127.0.0.1@552"
    stub-addr: "5.45.96.220"    # ns1.new-nations.ti
    stub-addr: "185.82.22.133"  # ns2.new-nations.ti
stub-zone:
    name: "uu"
    stub-addr: "127.0.0.1@552"
    stub-addr: "5.45.96.220"    # ns1.new-nations.uu
    stub-addr: "185.82.22.133"  # ns2.new-nations.uu

Is there reason why it wouldnt be added to the script?

 

[rgnldo]

Is there reason why it wouldnt be added to the script?

The user should organize on their own. The focus now is to try to add the script in AMTM and fixed's. We have enough for unbound. I'm waiting for monitoring with Zabbix, but it won't go to the script either.

 

[Jumpstarter]

Disable Diversion only.

Will you be adding root user ipset rules for both ipv4 and ipv6 so we can safely disable skynet?

 

[rgnldo]

Will you be adding root user ipset rules for both ipv4 and ipv6 so we can safely disable skynet?

Recommended.

 

[Smokey613]

I took the plunge and installed Unbound. Seems to be working. I did notice this error message in my log after rebooting the router that indicated a parsing error for cron. Any ideas?