Unbound - Authoritative Recursive Caching DNS Server

[L&LD]

@Martineau thank you. I removed that temp fix.

Would you have any thoughts on why I need this option on 'Yes' and also if it will come back to haunt me if I leave it this way?

I am also using the Auth-zone (root zone, AXFR speedup) option too.

https://www.snbforums.com/threads/u...-caching-dns-server.58967/page-36#post-542322

However, I do use the Wan: Use local caching DNS server as system resolver (default: No) set to Yes. Otherwise, amtm and unbound (and any other script I try) seems to be slow as molasses.

 

[dave14305]

Would you have any thoughts on why I need this option on 'Yes' and also if it will come back to haunt me if I leave it this way?

It would depend on what you are using for WAN DNS servers. If those are slow or one is not responding, it could make things look slow.

 

[Treadler]

Unbound+native Adblock, v2.01 working great!
Many thanks Martineau.

 

[L&LD]

@dave14305 thank you. Right now I have Connect to DNS servers Automatically set to Yes.

I'm also not using DoT right now.

If I do enable DoT, do I need to change the 'Wan: Use local caching DNS server as system resolver (default: No)' back to the default 'No'? Or not?

Particularly with Auth-zone configured too?

 

[Smokey613]

Updated to 2.01, everything seems to be working !!

 

[joe scian]

Martineau
found another small issue with 2.01 and previous version 1.97 - when entering x to stop unbound

Invalid Option "x" Please enter a valid option

 

[dave14305]

Right now I have Connect to DNS servers Automatically set to Yes.

You should test them at the router command line to see if either seems slow or times out.

for i in $(nvram get wan_dns); do time nslookup raw.githubusercontent.com $i; done

If I do enable DoT, do I need to change the 'Wan: Use local caching DNS server as system resolver (default: No)' back to the default 'No'? Or not?

I would have it set to No in almost every situation. You just need reliable WAN DNS servers. When you have the router requiring dnsmasq, unbound AND Stubby to be available so it can resolve its own lookups (e.g. for NTP, script updates, etc.), you’re eventually asking for trouble.

All these DNS extras (e.g. unbound, NextDNS) are at a disadvantage because the firmware is not designed around them. There is no watchdog to ensure they stay running, for example. So keep the router healthy by not requiring it to use its own DNS service to startup its DNS service.

 

[L&LD]

@dave14305 thank you so much.

Would you have any idea why the scripts run like molasses when it is set to 'No'?

 

[Treadler]

@dave14305 thank you so much.

Would you have any idea why the scripts run like molasses when it is set to 'No'?

FWIW, I don’t have the issue.
(I don’t have stubby integrated, & I’m using the Unbound ad blocker.)

Speed wise I see no difference between yes/no.

 

[dave14305]

@dave14305 thank you so much.

Would you have any idea why the scripts run like molasses when it is set to 'No'?

My guess is one of your WAN DNS servers times out when a script tries to resolve a name. Did you run the command to test them and time them?

 

[joe scian]

@Smokey


FWIW, I don’t have the issue.
(I don’t have stubby integrated, & I’m using the Unbound ad blocker.)

Speed wise I see no difference between yes/no.

no issue here either - using Diversion and no integration to Stubby

 

[L&LD]

My guess is one of your WAN DNS servers times out when a script tries to resolve a name. Did you run the command to test them and time them?

Sorry, I haven't had time yet to do that. I will be home later (much...).

 

[Martineau]

Martineau
found another small issue with 2.01 and previous version 1.97 - when entering x to stop unbound

Invalid Option "x" Please enter a valid option

Whoops.

You can type 'stop' as this was always a hidden menu option, I decided that 'x' would look better in the menu, and forgot to add 'x' as an alias for 'stop'

I'll push a hotfix in due course, pending any other bugs/issues coming to light with v2.01

NOTE: Simply stopping unbound will more than likely impact Internet access, and as documented on GitHub or using the script's help function

unbound_manager   -h

(i.e. having stopped unbound), exiting unbound_manager and attempting to rerun unbound_manager will seemingly fail to initialise/display the menu options, so the stop option should be used with caution.

 

[rgnldo]

Added support adblock whitelist for x3mRouting using the IPSET Shell Scripts Method. Excellent solution with IPSET. Available on AMTM.

 

[Martineau]

Added support adblock whitelist for x3mRouting using the IPSET Shell Scripts Method. Excellent solution with IPSET. Available on AMTM.

As asked/requested before, as per post post #784 it is good practice to include a 'Version Header' particularly when updating 'unbound.conf' on your GitHub so users can see what features have been added/removed.

Fix it.

 

[Martineau]

Update post release:
Post link

Please remove the copied installation details.

Instead provide a link to my GitHub page, so out of date information is not held in post#1

 

[L&LD]

You should test them at the router command line to see if either seems slow or times out.

for i in $(nvram get wan_dns); do time nslookup raw.githubusercontent.com $i; done

I would have it set to No in almost every situation. You just need reliable WAN DNS servers. When you have the router requiring dnsmasq, unbound AND Stubby to be available so it can resolve its own lookups (e.g. for NTP, script updates, etc.), you’re eventually asking for trouble.

All these DNS extras (e.g. unbound, NextDNS) are at a disadvantage because the firmware is not designed around them. There is no watchdog to ensure they stay running, for example. So keep the router healthy by not requiring it to use its own DNS service to startup its DNS service.

Finally had a chance to track down why scripts were so slow when 'Wan: Use local caching DNS server as system resolver (default: No) was set to 'No' (default).

When 'Connect to DNS Servers Automatically' was set to 'Yes' on the WAN page, the nslookup command above was giving a time of over 5 seconds!

When I set to connect to DNS servers to 'No' and used Cloudflare servers (1.1.1.1 and 1.0.0.1), the times went to 0.01 seconds.

Now, I have the local WAN caching set to 'No' and everything is fast.

Thank you @dave14305 for giving me the tools to track this down.

 

[rgnldo]

Please remove the copied installation details.

Instead provide a link to my GitHub page, so out of date information is not held in post#1

done

 

[Xentrk]

I installed the utility last night. I first ran the "?" option and made the config changes recommended before running the install option. I then ran the install option "i". One of my OpenVPN Clients was not able to connect due to a DNS error that it was unable to resolve the domain name of the VPN server. The other three OpenVPN Clients were able to connect. All but one of the OpenVPN Clients have Accept DNS Configuration set to Disabled. The other one is set to Exclusive.

In my attempt to debug, I noticed that all of my DNS settings on the WAN page were unchanged. I have "Connect to DNS Server automatically" set to No and specify the Cloudflare servers so the router has DNS during the boot process until DoT can kick in. DoT is enabled using Cloudflare. It was getting late so I backed out the changes and plan to try again over the weekend.

What are the recommended DNS settings on the WAN page if one wants to use Unbound?

 

[rgnldo]

What are the recommended DNS settings on the WAN page if one wants to use Unbound?

I performed all possible scenarios with VPN or Streaming services. Fortunately, the FW Merlin team organized DNS/WAN resolution as "NO" to allow compatibility between the different services. By the way it is organized, unbound or FW Merlin does not interfere with connectivity.