Unbound - Authoritative Recursive Caching DNS Server

[rgnldo]

I took the plunge and installed Unbound. Seems to be working. I did notice this error message in my log after rebooting the router that indicated a parsing error for cron. Any ideas?

Reported here

 

[Martineau]

I took the plunge and installed Unbound. Seems to be working. I did notice this error message in my log after rebooting the router that indicated a parsing error for cron. Any ideas?

Uninstall unbound, then upgrade to v1.21 and select install

 

[PeterV]

Since @rgnldo's unbound.conf on Github allows all interfaces to listen, you have to limit the netstat output to the 127.0.0.1 lines. Plus my method assumes that S61unbound has a "service restart_dnsmasq" POSTCMD included. Which it doesn't anymore on Github. That way dnsmasq is only modified after unbound is successfully started.

Additionally, please take in account, if you use the UDP filter (-u switch), in some cases, due to UDP/netstat specifics, you will see the other "listening" ip+port combination.
When process via UPD after sending the request is waiting for the answer on request, it will be shown as a "listening" socket ....
To explain (in notation with # as port separator , like it used for the environment variable):

• unbound send DNS request to the external DNS server
  • Connection from OUTGOING_IP#RANDOM_PORT to EXT_DNS#53
  • will not be shown by your UNBOUNDLISTENADDR="$(netstat -nlup | awk '/unbound/ { print $4 } ' | tr ':' '#')" # unbound_installer
• unbound is waiting for the answer form remote DNS
  • the answer will not be provided by previously established connection, it will be separate connection from external DNS to the unboud, so
  • unbound will start listen on OUTGOING_IP#RANDOM_PORT
  • and you can catch this IP+Port pair via "$(netstat -nlup | awk '/unbound/ { print $4 } ' | tr ':' '#')"

So, in case of configuring the unbound to work via both protocols (i.e. TCP and UDP), it make sense to use switch -t in "$(netstat -nltp | awk '/unbound/ { print $4 } ' | tr ':' '#')", to get only "real" listen IP+Ports ...

 

[rgnldo]

"$(netstat -nltp | awk '/unbound/ { print $4 } ' | tr ':' '#')"

Return /etc/dnsmasq with line

server=127.0.0.1#953
0.0.0.0#53535
###53535

 

[Smokey613]

Uninstall unbound, then upgrade to v1.21 and select install

I really need to wait until after my first cup of coffee to do this stuff. Unfortunately, I tend to do router changes early in the morning to prevent interrupting my wife’s internet. Maybe I need to setup a different router for her only?

 

[PeterV]

Return /etc/dnsmasq with line

server=127.0.0.1#953
0.0.0.0#53535
###53535

Yes, it's another point, why it required additional
grep -v '0.0.0.0', i.e.
$(netstat -nltp | grep -v '0.0.0.0' | awk '/unbound/ { print $4 } ' | tr ':' '#')

edit: wrong switch was proposed, it have be small one, instead capital in my initial version ...

 

[rgnldo]

$(netstat -nltp | grep -V '0.0.0.0' | awk '/unbound/ { print $4 } ' | tr ':' '#')

server=

 

[rgnldo]

Maybe I need to setup a different router for her only?

No. This error in cron does not interfere with the connection. Just schedule an update of root's server's. But it's quiet.

 

[Smokey613]

What is the difference if using Stubby or not? Right now I selected not to integrate with Stubby?

 

[Smokey613]

Also, for now I am not using the ad blocking services nor am I running Diversion.

 

[PeterV]

server=

any error with direct run of the command ?
please run
netstat -nltp | grep -v '0.0.0.0' | awk '/unbound/ { print $4 } ' | tr ':' '#'
not from the script ... but from command prompt directly ?

Excuse me - use -v switch instead of -V

 

[rgnldo]

What is the difference if using Stubby or not?

It's optional. Adds a TCP/TLS proxy dns layer

 

[rgnldo]

any error with direct run of the command ?
please run
netstat -nltp | grep -V '0.0.0.0' | awk '/unbound/ { print $4 } ' | tr ':' '#'
not from the script ... but from command prompt directly ?

netstat -nltp | grep -V '0.0.0.0' | awk '/unbound/ { print $4 } ' | tr ':' '#'
netstat: showing only processes with your user ID

 

[PeterV]

netstat -nltp | grep -V '0.0.0.0' | awk '/unbound/ { print $4 } ' | tr ':' '#'
netstat: showing only processes with your user ID

Excuse me -
small one -v instead capital one -V in grep ...
i.e.
netstat -nltp | grep -v '0.0.0.0' | awk '/unbound/ { print $4 } ' | tr ':' '#'

 

[Smokey613]

It's optional. Adds a TCP/TLS proxy dns layer

How much does this impact performance if any?

 

[dave14305]

Additionally, please take in account, if you use the UDP filter (-u switch), in some cases, due to UDP/netstat specifics, you will see the other "listening" ip+port combination.
When process via UPD after sending the request is waiting for the answer on request, it will be shown as a "listening" socket ....
To explain (in notation with # as port separator , like it used for the environment variable):

• unbound send DNS request to the external DNS server
  • Connection from OUTGOING_IP#RANDOM_PORT to EXT_DNS#53
  • will not be shown by your UNBOUNDLISTENADDR="$(netstat -nlup | awk '/unbound/ { print $4 } ' | tr ':' '#')" # unbound_installer
• unbound is waiting for the answer form remote DNS
  • the answer will not be provided by previously established connection, it will be separate connection from external DNS to the unboud, so
  • unbound will start listen on OUTGOING_IP#RANDOM_PORT
  • and you can catch this IP+Port pair via "$(netstat -nlup | awk '/unbound/ { print $4 } ' | tr ':' '#')"

So, in case of configuring the unbound to work via both protocols (i.e. TCP and UDP), it make sense to use switch -t in "$(netstat -nltp | awk '/unbound/ { print $4 } ' | tr ':' '#')", to get only "real" listen IP+Ports ...

My own personal dnsmasq.conf contains a different command than adopted by the script. dnsmasq is only going to forward to a udp upstream port (I think), so I don't see the need to include tcp ports.

UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')

 

[SolluxCaptor]

How much does this impact performance if any?

It depends, for me I was seeing over 300ms for initial lookups (before caching) with Stubby using Cloudflare DoH. But once cached, you will get 1ms DNS response as normal for Unbound.

For reference, without Stubby I see about 30ms (normally) to 268ms (with 268 being from another country) lookups without it. Running it this way (no Stubby) will have Unbound find the DNS queries itself rather than rely on someone like Cloudflare, Quad9, etc. That part is all up to personal preference!

As without Stubby, your lookups are in plaintext - but, they cannot be modified mid-stream either due to DNSSEC from root DNS servers being used in Unbound. It all comes down to who do you trust more? ISP, DNS proivder, or your private Unbound instance? Personally, to me, it doesn't matter because my ISP can see my outgoing IPs once DNS is used regardless of encryption. But again, all up to user preference! And Stubby is especially helpful if you live in a more..surveillance friendly country.

TL;DR: Stubby adds a layer of encryption, and also removes Unbound's use as a fully recursive DNS server (it instead becomes a cache / forwarder only to Stubby), which for me, increased DNS query latency about 10 fold (~300ms average). Upside is, your ISP (or snoopers) won't see Unbound going out and getting DNS answers itself. My take is, my ISP will see those IPs anyway once I get the encrypted query back..so it's up to you!

No stubby = faster performance, secure as long as you are comfortable with your ISP seeing Unbound traffic (but it is not possible to manipulate due to DNSSEC @ root). Or if you believe your ISP will track you either way through Deep Packet Inspection (DPI).

Stubby = more secure if you trust the DNS provider, no one can see your lookups, but your ISP will still see all of your (IP) internet traffic, and likely still be able to profile you (via DPI and the IPs you visit). If you don't want that, put your whole network on a VPN

 

[rgnldo]

Excuse me -
small one -v instead capital one -V in grep ...
i.e.
netstat -nltp | grep -v '0.0.0.0' | awk '/unbound/ { print $4 } ' | tr ':' '#'

My own personal dnsmasq.conf contains a different command than adopted by the script. dnsmasq is only going to forward to a udp upstream port (I think), so I don't see the need to include tcp ports.

The script uses the PID condition. This is enough for unbound operation and configuration. There is no need for demand for TCP or UDP. Both will be served.

if [ -n "$(pidof unbound)" ];then

 

[rgnldo]

I am getting better good adblock results with these options. Has anyone tested?
POST

 

[Delusion]

Having to manually edit every time (or execute a script) to change "interface: 0.0.0.0" to "interface: 127.0.0.1" is getting on my nerves. How does it work for everyone but me? there have got to be a reason why 0.0.0.0 just won't work.
I am not running diversion . Only skynet