Unbound - Authoritative Recursive Caching DNS Server

[dave14305]

I think option three will be my best option as her devices need access to our network printer.

The simplest approach might be to use DNSFilter as recommended on the Diversion FAQ: https://diversion.ch/faq-reader/how-to-exclude-a-client-from-ad-blocking.html

 

[Smokey613]

There are some safe suggestions:

• Create a vlan;
  
• Create a guest network;
• change add static DNS on devices.

Well, option three will not work due to IPv6 still assigns my router as the DNS server

The simplest approach might be to use DNSFilter as recommended on the Diversion FAQ: https://diversion.ch/faq-reader/how-to-exclude-a-client-from-ad-blocking.html

I had read that FAQ and my understanding that would allow any client to manually set their DNS to bypass my router on DNS lookups versus my current setting of “router” which forces queries through my router. Am I understanding this correctly? Also, how does IPv6 interact with this manual DNS setting?

 

[Smokey613]

The only reason I force DNS through my router is I discovered a couple of devices were hard coded to use 8.8.8.8 for DNS regardless of my DHCP settings.

 

[dave14305]

Well, option three will not work due to IPv6 still assigns my router as the DNS server


I had read that FAQ and my understanding that would allow any client to manually set their DNS to bypass my router on DNS lookups versus my current setting of “router” which forces queries through my router. Am I understanding this correctly? Also, how does IPv6 interact with this manual DNS setting?

You can leave Global mode = Router and just add her individual devices to send to your favorite DNS server. I’ve never really tested it with IPv6. We’ll leave that part to you.

 

[Smokey613]

You can leave Global mode = Router and just add her individual devices to send to your favorite DNS server. I’ve never really tested it with IPv6. We’ll leave that part to you.

I tested it on my iPhone and it did assign the 1.1.1.1 I was testing it with. Most of the time, the iPhone queried DNS via the router’s IPv6 address. Maybe I need to just turn off IPv6 on my network.

 

[Treadler]

Added blocking CNAME's support in unbound native adblock script. Fully functional. I still changed it in the installer script. Here is a brief explanation of the method:

NextDNS post
Apply Pi-Hole blocking to CNAMEs
Blocage des DMP avec Unbound
Address 1st-party tracker blocking

Is CNAME now included (by default) in the native Unbound Adblock?

 

[Smokey613]

My other option I guess is to manually assign the IP and DNS on her devices instead of trying to push it using the router.

Sorry I got off topic with this. I was just trying to test ADblock without impacting my wife’s devices while testing.

 

[dave14305]

I tested it on my iPhone and it did assign the 1.1.1.1 I was testing it with. Most of the time, the iPhone queried DNS via the router’s IPv6 address. Maybe I need to just turn off IPv6 on my network.

Try with Quad9 for her devices. It supports an IPv6 address behind the scenes in DNSFilter.

 

[Smokey613]

Try with Quad9 for her devices. It supports an IPv6 address behind the scenes in DNSFilter.

IPv6 is definitely the issue. If I use the router to push custom DNS and the router is set to Enable DNS-based Filtering ON and Global Filter Mode is set to Router, the device will always pick up the IPv6 address of the router for DNS lookups and Apple devices seem to prefer IPv6.

 

[dave14305]

IPv6 is definitely the issue. If I use the router to push custom DNS and the router is set to Enable DNS-based Filtering ON and Global Filter Mode is set to Router, the device will always pick up the IPv6 address of the router for DNS lookups and Apple devices seem to prefer IPv6.

It looks like a bug in DNSFilter after additional options were added to the DNS choices.

@RMerlin I think in order for Quad9 and Cleanbrowsing IPv6 options to work, the upper limit of this loop needs to increase from 13 to 17?
https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/dnsfilter.c#L259

 

[Smokey613]

It looks like a bug in DNSFilter after additional options were added to the DNS choices.

@RMerlin I think in order for Quad9 and Cleanbrowsing IPv6 options to work, the upper limit of this loop needs to increase from 13 to 17?
https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/dnsfilter.c#L259

Could Unbound be causing an issue in trying to implement this Custom DNS setup?

 

[dave14305]

Could Unbound be causing an issue in trying to implement this Custom DNS setup?

No, it’s just a different approach to DNSFilter with IPv6 than IPv4. If working properly, DNSFilter should tell dnsmasq dhcp to give your specified IPv6 client the Quad9 IPv6 IPs and refuse any DNS requests being sent to other servers.

It’s really now off-topic for Unbound, but still an interesting predicament.

 

[Smokey613]

Okay, last post on this subject. In my DNSFilter tab these are my settings. I actually did a forget network and reconnected and my iPhone no longer resolves DNS lookups. But I can ping out to the internet. Now back to your regularly scheduled topic.

 

[Safemode]

Good day everyone, I'm getting some errors on the about section of unbound. I only use logging from the intial setup. Is it my configuration or something went wrong somewhere.I'm also getting an error when trying to run the l command ( unbound logging '/opt/var/lib/unbound/' NOT ENABLED?)
A:Option ==> ?

Version=1.28
Local md5=3d48043274ddc51416f6a4b419e0c951
Github md5=3d48043274ddc51416f6a4b419e0c951
/jffs/scripts/unbound_manager.md5 md5=128 3d48043274ddc51416f6a4b419e0c951

Router Configuration recommended pre-reqs status:

[✔] Swapfile=262140 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Enable local NTP server=YES
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO

Options:

[✔] unbound Logging
[✔] Stubby Integration
/opt/bin/unbound_manager: line 2085: can't open /opt/var/lib/unbound/adblock/adservers: no such file
/opt/bin/unbound_manager: line 2085: can't open /opt/var/lib/unbound/adblock/blockhost: no such file
/opt/bin/unbound_manager: line 2085: can't open /opt/var/lib/unbound/adblock/permlist: no such file
[✔] Ad and Tracker Blocking (No. of Adblock domains=,Blocked Hosts=,Whitelist=, - Warning Diversion is also ACTIVE)
[✔] Firefox DNS-over-HTTPS (DoH) DISABLE/Blocker

 

[rgnldo]

I'm getting some errors

Notice this:
[✔] Ad and Tracker Blocking (No. of Adblock domains=,Blocked Hosts=,Whitelist=, - Warning Diversion is also ACTIVE)

Choose only one ad blocker. After choosing, uninstall unbound and reinstall again.

 

[Safemode]

Notice this:
[✔] Ad and Tracker Blocking (No. of Adblock domains=,Blocked Hosts=,Whitelist=, - Warning Diversion is also ACTIVE)

Choose only one ad blocker. After choosing, uninstall unbound and reinstall again.

i'm not using the unbound adblocker. I only select the first choice which is for logging the rest i skip. This is what i find weird.

 

[Safemode]

i'm not using the unbound adblocker. I only select the first choice which is for logging the rest i skip. This is what i find weird.

i just ran a quick update besides the errors i mentioned above i'm also seeing this error (
Customising 'dnsmasq.postconf' (aka '/jffs/addons/unbound/unbound.postconf')
/opt/bin/unbound_manager: line 2177: can't create /jffs/saddons/unbound/unbound.postconf: nonexistent directory
)

 

[SolluxCaptor]

i just ran a quick update besides the errors i mentioned above i'm also seeing this error (
Customising 'dnsmasq.postconf' (aka '/jffs/addons/unbound/unbound.postconf')
/opt/bin/unbound_manager: line 2177: can't create /jffs/saddons/unbound/unbound.postconf: nonexistent directory
)

Same exact issue as above FWIW. Appears to work regardless, but seeing many repeated messages during update (same messages as described above).

 

[rgnldo]

here's the error
(aka '/jffs/addons/unbound/unbound.postconf')
/opt/bin/unbound_manager: line 2177: can't create /jffs/saddons/unbound/unbound.postconf: nonexistent

will be fixed

 

[rgnldo]

These are some adjustments for updates in sight. If you have the backup of version 1.28.