Unbound - Authoritative Recursive Caching DNS Server

I was running Unbound and it worked great, but I have uninstalled it for now until all this settles down and it is included into AMTM.
 
I've been working on stripping unbound.conf to what I feel are the minimum options I need to run Unbound on my own router. I've reverted to the default values for many parameters, and if it was default, I removed it from my conf file. I also removed the unbound-control certs since I will only run unbound-control from the router via localhost, so no need for cert authentication from another device.

I've yet to see my cache sizes grow anywhere near the default values for the activity level on my home network, so I'm happy. Still very happy with Diversion doing the ad-blocking.
Code:
server:
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
pidfile: "/opt/var/lib/unbound/unbound.pid"
logfile: "/opt/var/lib/unbound/unbound.log"
log-time-ascii: yes
log-servfail: yes
extended-statistics: yes

do-ip6: no
interface: 127.0.0.1@5053
private-address: 127.0.0.0/8
private-address: 192.168.1.0/24

prefetch: yes
prefetch-key: yes
minimal-responses: yes
edns-buffer-size: 1472
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes

remote-control:
control-enable: yes
control-use-cert: no
 
This is the config file on my pfSense appliance. Most are default values.

Code:
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 512
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 4096
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: no
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: yes
prefetch-key: yes
use-caps-for-id: no
serve-expired: yes
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"

# Interface IP(s) to bind to
interface: 192.168.4.1
interface: 127.0.0.1
interface: ::1

# Outgoing interfaces to be used

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10


# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf

# OpenVPN client entries
include: /var/unbound/openvpn.*.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf


# Unbound custom options
log-queries: yes
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
server:include: /var/unbound/pfb_dnsbl.*conf


###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf
 
Unbound runs great, would love to see it added to amtm. The setup is great, no issues running it on my test setup. Despite the pitter patter of disagreements between clashing personalities and opinions, you guys have done something beyond awesome.
Nothing good comes if everyone agrees with one another. :) Healthy conflict and debate lead to progress.
 
For the average user, when installing unbound, I'm assuming the installation sets it up in default settings, correct? From there folks can strip/edit the file as they wish? I'm not tech (nor script) savvy so the simplest setup is ideal for me. A simple set and forget haha
 
@Martineau I've just installed the v1.27 and don't have any issues. Thank you!

Just curious what changes over v1.26 were made? (Sorry, GitHub is another language from a different planet to me).
 
The main change is the ability to manually backup the current 'unbound.config' (Option 'vb = Backup Configuration')
This allows you to use 'i = Update Configuration' and a silent backup of the current 'unbound.conf' is now automatically taken prior to retrieving/installing the GitHub version, but once the update is complete, you will now be prompted to immediately restore the pre-update 'unbound.conf' allowing you to review the downloaded file at your leisure.

The script also now reports both unbound memory/cache stats together with detailed system memory/cache/swap.

Mostly internal changes to accommodate the v2 'unbound.conf' layout allowing indented lines etc. and other tweaks.
 
What secret hidden menu option do you have that you don't want the general users to know.... Whoops meant to PM you....:confused::eek::eek::eek:
 
Did anyone with the AC86U router get these memory values with these services enabled?

Code:
Router Model; RT-AC86U
Skynet Version; v7.0.8 (19/01/2020) (c3973d7c8aeb17e2af0d10e91e13926f)
iptables v1.4.15 - (ppp0 @ 10.0.30.1)
ipset v6.32, protocol version: 6
IP Address;
FW Version; 384.15_alpha1-g4fecf771de (Jan 1 2020) (4.1.27)
Install Dir; /tmp/mnt/ENTWARE/skynet (176.7G / 440.1G Space Available)
SWAP File; /tmp/mnt/ENTWARE/myswap.swp (2.0G)

90879 IPs (+0) -- 1588 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked!

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Malware Blacklist
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu
Code:
rgnldo@rgnldo:/tmp/home/root# /opt/etc/init.d/rc.unslung check
 Checking haveged...              alive.
 Checking unbound...              alive.
 Checking suricata...              alive.
 
no but i got similar settings on a 68U
 
What secret hidden menu option do you have that you don't want the general users to know.... Whoops meant to PM you....:confused::eek::eek::eek:
Well they aren't secret if you know where to look!:D
I've added the 'missing' menu option descriptors to v1.28 (not published yet) and they will appear under option '3 = Advanced Tools' when running in 'easy' mode.
 
For the average user, when installing unbound, I'm assuming the installation sets it up in default settings, correct? From there folks can strip/edit the file as they wish? I'm not tech (nor script) savvy so the simplest setup is ideal for me. A simple set and forget haha
Yes, hopefully, unbound_manager will always endeavour to install a basic 'unbound.conf' that will contain 'safe' IPv4 defaults, and will contain sections that the script can simply uncomment as a block if necessary

e.g. auto configure IPv6 support if enabled on the router.
Code:
    #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    # IPV6 integration
    do-ip6: no
    #do-ip6: yes                   #@From:
    #interface: ::0
    #access-control: ::0/0 refuse
    #access-control: ::1 allow
    #private-address: fd00::/8
    #private-address: fe80::/10    #@@To:
    #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Furthermore, if others wish to host/share their custom 'unbound.conf' via their Github account, then unbound_manager can download these to '/opt/share/unbound/configs/' to allow users to simply issue
Code:
rl config_file
to try them.

I would however impose one restriction (asked for but currently ignored) which is that the first line of the file MUST be a Version header (with an optional second line description) in the form
Code:
# ooooooooo zzzzzzzzz.conf Version=v.vv (Date Loaded
# Description:
where
ooooooo is the Owner Name
zzzzzzzzz is the name of the config
v.vv is the version number of the config

e.g. post #772 would be hosted on @dave14305's Github with the additional two comment lines say
Code:
# Dave14305 Dave14305_v1Base.conf Version=1.00 (Date Loaded
# Description: Minimal config retaining Diversion rather than Ad Block
P.S. Weirdly I need to explicitly add 'control port: 953' to get it to load correctly.o_O

So if users wish to test/tweak the unbound options, they can either simply enter them dynamically using the unbound_manager 'oq/ox' commands (which don't update the config file so any damage can instantly be undone by issuing command 'rl' or even 'rs'), or they can of course create their own custom test config files in '/opt/share/unbound/configs' if there are a lot of directives that need to be tested.
 
Congratulations, @thelonelycoder. The inclusion of AMTM on AsusWRT-Merlin firmware honors all work focused on improving and securing. My estimates.
Commit b0ba410
Thank you, this is a good day for developers, users and - me :). I plan to add support for Unbound with a regular update to amtm soon.
 
It is as I mentioned earlier, in consideration for you and other FW Merlin users, feel free. It will be a pleasure to cooperate with you.
 
P.S. Weirdly I need to explicitly add 'control port: 953' to get it to load correctly.o_O
The default port becomes 8953, so if you change it while unbound is running, unbound-control won’t work. Need to kill unbound, or change the parameters with unbound already stopped.
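As an added example (not unbound_manager's or unbound's own code), the following POSIX sh lint applies the two points raised above to a shared config file: it checks that the first line matches the required Version header ("# owner name.conf Version=v.vv (Date Loaded") and reports the port unbound-control will talk to, falling back to unbound's built-in default of 8953 when no control-port directive is present. The two sample config files are constructed for the example; directive names are unbound's own.

```shell
#!/bin/sh
# Added example: lint a shared unbound.conf before dropping it into
# /opt/share/unbound/configs/. Not unbound_manager code; sample files below
# are constructed for this demonstration.

# Print "owner name version" when the first line of the file is a valid
# header of the form "# <Owner> <name>.conf Version=<v.vv> (Date Loaded",
# otherwise return 1.
parse_conf_header() {
    f="$1"
    first=""
    IFS= read -r first < "$f" || [ -n "$first" ] || return 1
    set -f                      # no globbing while the header is word-split
    set -- $first
    set +f
    [ "$1" = "#" ] || return 1
    case "$3" in *.conf) ;; *) return 1 ;; esac
    case "$4" in Version=*) ;; *) return 1 ;; esac
    version="${4#Version=}"
    case "$version" in
        ""|*[!0-9.]*) return 1 ;;   # version must be digits and dots only
    esac
    printf '%s %s %s\n' "$2" "${3%.conf}" "$version"
}

# Print the port unbound-control must use for this config: the first
# control-port value found, or unbound's default 8953 when none is set.
effective_control_port() {
    port="$(sed -n 's/^[[:space:]]*control-port:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)"
    printf '%s\n' "${port:-8953}"
}

# Return 0 when remote control is switched on in the config.
control_enabled() {
    grep -q '^[[:space:]]*control-enable:[[:space:]]*yes' "$1"
}

# Human-readable summary; exit status 1 when the header rule is violated.
lint_conf() {
    f="$1"
    rc=0
    if hdr="$(parse_conf_header "$f")"; then
        echo "OK   $f: header = $hdr"
    else
        echo "FAIL $f: first line is not '# <Owner> <name>.conf Version=<v.vv> (Date Loaded'"
        rc=1
    fi
    if control_enabled "$f"; then
        echo "     remote-control enabled; unbound-control must use port $(effective_control_port "$f")"
    fi
    return "$rc"
}

# Constructed sample configs (not files from the thread).
DEMO_DIR="$(mktemp -d)"
GOOD_CONF="$DEMO_DIR/Dave14305_v1Base.conf"
cat > "$GOOD_CONF" <<'EOF'
# Dave14305 Dave14305_v1Base.conf Version=1.00 (Date Loaded
# Description: Minimal config retaining Diversion rather than Ad Block
server:
username: "nobody"
do-ip6: no
remote-control:
control-enable: yes
control-use-cert: no
EOF

BAD_CONF="$DEMO_DIR/noheader.conf"
cat > "$BAD_CONF" <<'EOF'
server:
do-ip6: no
remote-control:
control-enable: yes
control-port: 953
EOF

# Stand-alone demo: one file passes the header rule, one fails.
for c in "$GOOD_CONF" "$BAD_CONF"; do
    lint_conf "$c" || true
done
```

The header check deliberately splits on whitespace rather than matching a fixed regex, so the trailing "(Date Loaded" part, which the script fills in later, does not affect the result; the control-port lookup shows why the earlier P.S. needed an explicit port: with no directive, unbound-control expects 8953, not 953.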
 
Yes, I had already figured out that sometimes 'rs' is mandatory after 'rl', i.e. when using the 'scribe' command, etc., so not sure if I should always issue a disruptive restart of unbound.
 