> echo "Download root.zone file..."
> curl -o /opt/var/lib/unbound/root.zone https://www.internic.net/domain/root.zone

I don't think you need this in your script, as unbound downloads it for you if the file doesn't exist.
> I don't think you need this in your script, as unbound downloads it for you if the file doesn't exist.

In general, I use the unbound_manager installer script. This script is experimental. It generates the personal unbound.conf file that I am currently using. It is to avoid the work of redoing everything from the beginning.
tls-cert-bundle: "/opt/etc/ssl/certs.pem" (or /rom/etc/ssl/cert.pem as appropriate)
I didn't find documentation about the SSL certificate? Is it working for you?
https://nlnetlabs.nl/documentation/unbound/unbound.conf/

Fair enough, but it's still not needed. Anyway, thought it was worth mentioning just in case auth-zone makes it into the default unbound.conf.
> DNS over TLS feature

Yes, with DNS forwarding over TLS it works. With this option set: forward-tls-upstream: yes
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 185.222.222.222@853
forward-addr: 185.184.222.222@853
forward-addr: 2a09::@853
forward-addr: 2a09::1@853
> I don't think you need this in your script, as unbound downloads it for you if the file doesn't exist.

That's right. Checked. Once the location is correct, unbound does the rest with the url setting. Keep collaborating. We all thank you!
#!/bin/sh
# Rebuild ads.conf only when the Diversion blockinglist is newer than it
if [ /opt/share/diversion/list/blockinglist -nt /opt/var/lib/unbound/ads.conf ]; then
    # blockinglist is in hosts format ("<ip> host1 host2 ..."): emit one local-data line per host
    awk '{for (i=2; i<=NF; i++) print "local-data: \""$i". 0 A 192.168.1.2\""}' /opt/share/diversion/list/blockinglist > /opt/var/lib/unbound/ads.conf
    # Reload only if unbound.conf actually includes ads.conf
    if grep -q "ads\.conf" /opt/var/lib/unbound/unbound.conf; then
        unbound-control reload
    fi
fi
> Yes, with DNS forwarding over TLS it works. With this option set: forward-tls-upstream: yes
> (quoted tls-cert-bundle / forward-zone configuration, as given above)

Maybe it's better to use DoT this way instead of running Stubby?
> DoT this way instead of running Stubby?

It is a matter of benefits. Stubby is complete with TCP/TLS and 443 support. I have no problems. Even the maintainer of Dnscrypt, jedisct1 aka Frank Denis, is following this same procedure. Soon we will have native TCP/TLS support without forwarding. I'm currently without stubby, implementing the auth-zone features.
> Hmmm....

@Martineau I had also written a personal script to convert the Diversion blockinglist to an Unbound conf file for Pixelserv ad-block. I came to realize that using local-zone requires too much memory and it works well enough to only use local-data. I read in the unbound-users maillist that each local-zone requires 8k of memory. Here was my script if anyone wants to compare memory utilization (the script posted above).

In the end, with Diversion Plus Hosts enabled with the Standard block list, the total memory required for Unbound to use the Pixelserv IP was prohibitive on my AC68U. So I stuck with Diversion.
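As an added example (not the poster's script above, and not part of unbound_manager), here is a more defensive version of the same conversion. It reads a Diversion-style hosts list, applies a whitelist, drops duplicates, and refuses any token that is not made of hostname characters, because a stray quote or space copied into ads.conf would break the unbound.conf parse on the next reload. The pixelserv address 192.168.1.2 is the one used in the thread; the sample lists are constructed for the example.

```shell
#!/bin/sh
# Added example, not the script from the thread: convert a Diversion-style
# hosts list ("<pixelserv-ip> host1 host2 ...") into unbound local-data
# lines, honouring a whitelist, dropping duplicates and rejecting any name
# that carries characters outside the hostname set (a stray quote or space
# written into ads.conf would break the unbound.conf parse on reload).

PIXELSERV_IP="192.168.1.2"      # pixelserv address used in the thread

# Constructed sample lists, not real Diversion output
SAMPLE_BLOCKLIST='# blockinglist (constructed sample)
192.168.1.2 ads.example.net tracker.example.org
192.168.1.2 ads.example.net
192.168.1.2 bad"name.example 0-07.example
192.168.1.2 good.example.com'
SAMPLE_WHITELIST='good.example.com'

# hosts_to_local_data BLOCKLIST WHITELIST
# Prints one local-data line per unique, valid, non-whitelisted host,
# in the order first seen.
hosts_to_local_data() {
    awk -v ip="$PIXELSERV_IP" '
        # first operand is the whitelist: one name per line, comments allowed
        FILENAME == ARGV[1] {
            if ($1 != "" && $1 !~ /^#/) wl[tolower($1)] = 1
            next
        }
        /^[[:space:]]*#/ || NF < 2 { next }     # comment, or no host on the line
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h !~ /^[a-z0-9._-]+$/) continue   # not a hostname: skip it
                if (h in wl || h in seen) continue    # whitelisted or already emitted
                seen[h] = 1
                printf "local-data: \"%s. 0 A %s\"\n", h, ip
            }
        }' "$2" "$1"
}

# count_local_data BLOCKLIST WHITELIST: number of lines the conversion yields
count_local_data() {
    hosts_to_local_data "$1" "$2" | wc -l | tr -d ' '
}

# Run against the constructed samples
blk=$(mktemp) && wl=$(mktemp)
printf '%s\n' "$SAMPLE_BLOCKLIST" > "$blk"
printf '%s\n' "$SAMPLE_WHITELIST" > "$wl"
hosts_to_local_data "$blk" "$wl"
echo "entries: $(count_local_data "$blk" "$wl")"
rm -f "$blk" "$wl"
```

On a router you would point the two arguments at /opt/share/diversion/list/blockinglist and the Diversion whitelist, redirect the output to ads.conf, and keep the existing "-nt" timestamp check and conditional unbound-control reload around it.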
e = Exit Script
Option ==> ?
Version=1.25
<snip>
Options:
[✔] unbound Logging
[✔] Ad and Tracker Blocking (No. of Adblock domains=100048,Blocked Hosts=832,Whitelist=21)
e = Exit Script
Option ==> ad
Analysed Diversion file: 'blockinglist' Type=pixelserv, (Adblock Domains=100048) would add 497 entries
Analysed Diversion file: 'blacklist' Type=pixelserv, (Adblock Domains=100048) would add 2 entries
Analysed Diversion file: 'whitelist' Type=URL, (Adblock URLs=21) would add 51 entries
So if you temporarily enable Ad Block, what results do you get from the script's menu (the Version=1.25 'Options' output above)? e.g. I don't use Diversion Plus Hosts (see the 'ad' analysis output above).

> Hmmm....

I'm not running the installer script on John's fork. But I had gone through a lot of gyrations seeing how I could replicate the Pixelserv benefits using unbound. My resulting ads.conf looks like this (head of file):
# head ads.conf
local-data: "diversion-adblocking-ip.address. 0 A 192.168.1.2"
local-data: "-sso.anbtr.com. 0 A 192.168.1.2"
local-data: "0-07.ru. 0 A 192.168.1.2"
local-data: "0-day.us. 0 A 192.168.1.2"
local-data: "0.01.2.13.3.sydneypropertyinvestors.com. 0 A 192.168.1.2"
local-data: "0.01.2.23.3.sydneypropertyinvestors.com. 0 A 192.168.1.2"
local-data: "0.nextyourcontent.com. 0 A 192.168.1.2"
local-data: "0.r.msn.com. 0 A 192.168.1.2"
local-data: "000.9.009.09.ekurbani.com. 0 A 192.168.1.2"
local-data: "000.9.019.09.ekurbani.com. 0 A 192.168.1.2"
> I'm not running the installer script on John's fork.

Well technically the script is now more of a manager rather than a one-off installer, but are you saying the script won't run on the LTS fork?

No matter, I was only curious to see the possible magnitude of the differences between the two lists (even with the additional 40K of 'first-party' Ad Block entries!)

P.S. I haven't seen any issue with unbound RAM usage, but I need to let the additional 40K entries settle.

> Well technically the script is now more of a manager rather than a one-off installer, but are you saying the script won't run on the LTS fork?

With John's fork, there are some dnsmasq.conf differences I added to dnsmasq.postconf (or unbound.postconf in your repo):
pc_delete "resolv-file" "$CONFIG"
pc_append "no-resolv" "$CONFIG"
pc_delete "addn-hosts=/opt/share/diversion/list/" "$CONFIG"
pc_delete "stop-dns-rebind" "$CONFIG"
> There is an unbound python module, which reads a python script with blocking guidelines.
> https://github.com/cbuijs/unbound-dns-firewall/blob/master/dns-firewall.py

I was also keen on this, but unfortunately the python module is not compiled into entware unbound. For fun I tried to compile it in for my AC68U, but got stuck on python dev requirements so gave up (and frankly the python script is rather likely too complex for my setup anyway!)
> python script

He had noticed. This is the reason for not organizing the script.

> opkg install coreutils-nproc

Yes.

> grep -c processor /proc/cpuinfo

There is no need.

> rrset=msg*2.

Calculated in bytes. reserved = 12582912 = 12m

availableMemory=$((1024 * $( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')))
if [ $availableMemory -le $((reserved * 2)) ]; then
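To make the cache-size arithmetic above concrete, here is an added example (not unbound_manager's code) that carries it through end to end: read MemAvailable from /proc/meminfo (falling back to MemTotal on kernels that lack it), keep the 12 MiB reserve from the post, and apply the low-memory guard where available memory is at most twice the reserve. The split it uses is an assumption stated in the code: rrset-cache-size is twice msg-cache-size, as the unbound optimisation guidance recommends, and key-cache-size is sized like msg-cache-size. The meminfo excerpt is constructed, and the unbound-control commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not code from the thread or from unbound_manager: derive
# msg/rrset/key cache sizes (in bytes) from MemAvailable, keeping the 12 MiB
# reserve quoted above and the low-memory guard (available <= 2 * reserved).
# The split is an assumption: rrset = 2 * msg, as the unbound optimise
# guidance recommends, with the key cache sized like the msg cache.

RESERVED=12582912   # 12 MiB, the reserve used in the thread

# Constructed /proc/meminfo excerpt (values in kB, as the kernel reports them)
SAMPLE_MEMINFO='MemTotal:         512000 kB
MemFree:           80000 kB
MemAvailable:     240000 kB'

# available_bytes: read meminfo text on stdin, print MemAvailable in bytes,
# falling back to MemTotal on kernels that do not report MemAvailable.
available_bytes() {
    awk '/^MemAvailable:/ { a = $2 } /^MemTotal:/ { t = $2 }
         END { if (a == "") a = t; printf "%d\n", a * 1024 }'
}

# cache_sizes AVAILABLE_BYTES: print "msg rrset key" sizes in bytes.
cache_sizes() {
    avail=$1
    if [ "$avail" -le $((RESERVED * 2)) ]; then
        # Too little headroom: keep unbound's compiled-in defaults (4 MiB each)
        echo "4194304 4194304 4194304"
        return 0
    fi
    budget=$((avail - RESERVED))
    msg=$((budget / 4))          # one share for msg, one for key, two for rrset
    rrset=$((msg * 2))
    key=$msg
    echo "$msg $rrset $key"
}

# set_option_commands AVAILABLE_BYTES: print the unbound-control commands that
# would apply the sizes (printed, not executed, so this runs anywhere).
set_option_commands() {
    set -- $(cache_sizes "$1")
    printf "unbound-control set_option 'msg-cache-size %s'\n" "$1"
    printf "unbound-control set_option 'rrset-cache-size %s'\n" "$2"
    printf "unbound-control set_option 'key-cache-size %s'\n" "$3"
}

sample_avail=$(printf '%s\n' "$SAMPLE_MEMINFO" | available_bytes)
echo "available: $sample_avail bytes"
set_option_commands "$sample_avail"
```

With the sample values this yields msg-cache-size 58294272, rrset-cache-size 116588544 and key-cache-size 58294272; on a real router replace the sample with `available_bytes < /proc/meminfo` and pipe the printed commands to sh once you are happy with the numbers.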
> I'm curious as to where you get the formula for rrset-cache-size & mem-cache-size? Unbound has an optimised setting for forked operation that suggests rrset=msg*2.

Sigh, he's been here before (post #255), so I included Entware's 'nproc', then he changed his mind.

Also FYI nproc is not installed by default (well, not in Merlin, perhaps in John's?) - you would need to
opkg install coreutils-nproc
or you could try
grep -c processor /proc/cpuinfo
ad = Analyse Diversion White/Black lists ([ file_name [type=adblock] ])
ca = Cache Size Optimisation ([ 'reset' ])
e = Exit Script
[Enter] leave Advanced Tools Menu
Option ==> ca
unbound-control set_option 'msg-cache-size 62307328' ok
unbound-control set_option 'key-cache-size 62307328' ok
unbound-control set_option 'rrset-cache-size 83076437' ok
Option ==> ?
Memory/Cache:
'key-cache-size:' 62307328 (59.42m)
'msg-cache-size:' 62307328 (59.42m)
'rrset-cache-size:' 83076437 (79.23m)
I understand your observation. The perception of those who organize from different sides is normal. I've used unbound since version 1.6.6. Many things have changed and will change again.
The concern is with the planning in the final installation, with the AMTM.
It is not what is desired, but it is very easy when planning alone. In a week, Skynet made several updates.
The 40k list is perfectly viable on my router, but on an AC68U router it is poor. You have to think as a whole.
I recognize your efforts, but you have shown disrespect towards me, including the leak of PM.
The unbound project is open source and available to everyone on the forum. The goal is just to share.
I give up.