rgnldo
Very Senior Member
Enjoy the benefits of TFO, since it is enabled in unbound/entware. https://dnsprivacy.org/wiki/display/DP/TCP+Fast+Open
Excellent. Also, I was curious, how can we see the parameters with which Entware packages were compiled? For example, how can I check if Unbound was compiled (this time) with Libevent support?
unbound -V
RT-AX88U-ACA0:/tmp/home/root# unbound -V
Version 1.9.6
Configure line: --target=aarch64-openwrt-linux --host=aarch64-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefit
Linked libs: pluggable-event internal (it uses select), OpenSSL 1.1.1d 10 Sep 2019
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
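The check described above, as an added example that is not part of the original thread: a small shell helper that summarises the event backend and TCP Fast Open support from `unbound -V` output, plus a decoder for the `tcp_fastopen` sysctl value. The function names and the sample text (constructed from the output quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample: lines taken from the `unbound -V` output quoted above.
SAMPLE_V='Version 1.9.6
Linked libs: pluggable-event internal (it uses select), OpenSSL 1.1.1d 10 Sep 2019
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available'

# Reads `unbound -V` text on stdin and prints one summary line:
#   backend=<event library> method=<polling method> tfo=<yes|no>
unbound_build_summary() {
    awk '
        /^Linked libs:/ {
            line = $0
            sub(/^Linked libs: */, "", line)
            # The polling method is the word inside "(it uses ...)";
            # whatever precedes it names the event library in use.
            if (match(line, /\(it uses [^)]*\)/)) {
                method  = substr(line, RSTART + 9, RLENGTH - 10)
                backend = substr(line, 1, RSTART - 1)
                sub(/ +$/, "", backend)
            }
        }
        /^TCP Fastopen feature available/ { tfo = "yes" }
        END {
            printf "backend=%s method=%s tfo=%s\n",
                (backend ? backend : "unknown"),
                (method ? method : "unknown"),
                (tfo ? tfo : "no")
        }
    '
}

# Decode the low two bits of /proc/sys/net/ipv4/tcp_fastopen:
# bit 1 enables TFO for outgoing connections, bit 2 for listening sockets.
tfo_mode() {
    case $(( $1 & 3 )) in
        0) echo "off" ;;
        1) echo "client" ;;
        2) echo "server" ;;
        3) echo "client+server" ;;
    esac
}

# On the router: unbound -V | unbound_build_summary
#                tfo_mode "$(cat /proc/sys/net/ipv4/tcp_fastopen)"
printf '%s\n' "$SAMPLE_V" | unbound_build_summary
```

A build whose summary shows `method=select` is using the internal select loop, which is what the quoted output reports for this Entware package.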
I've uploaded v2.03
unbound v1.9.6 now includes 'unbound-checkconf' which was apparently removed/omitted in unbound v1.9.3.
(Thanks @dave14305 for the heads-up)
I will take credit for the unbound_manager script, but credit where credit is due....
Awesome ... great job @Martineau ... now that the dust has settled - confusing Githubs cleared up - V2.03 with its 2.5+k lines of code fully documented ... I had the courage to take the plunge into the "unbound" world ... and am blown away by the performance improvement. Probably particularly relevant for those of us at the Southern tip of Africa ... far removed from the primary DNS servers you 1st Worlder's enjoy.
Running on my RT-AC86U with all add-ons per signature - and zero ill-effects.
# Enable TCP Fast Open
echo 3 > /proc/sys/net/ipv4/tcp_fastopen
@rgnldo, thank you for these tips.
Everyone,
I have the RT-AX88U (same as RT-AC86U with 2x more RAM and 4 cores) and did find the stuning script in /jffs/addons/unbound.
However, I am not sure where to insert the code to enable TCP Fast Open.
Similarly, I use IPv6 but am at a loss on how to implement the instructions linked to my router without messing up bad.
Is it possible to have these options available during install @Martineau?
Thanks to anyone who can make this easier or more accessible to non-scripters like myself.
Although they disagree, I use stuning and for my reality and router is another level and experience of use.
Is it possible to have these options available during install
# Enable TCP Fast Open
echo 3 > /proc/sys/net/ipv4/tcp_fastopen
Add to unbound.conf
I use IPv6
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
For me, everything is fine.
to unbound.conf and when I run unbound_manager it shows there are syntax errors in /opt/var/lib/unbound/unbound.conf.
@rgnldo:/tmp/home/root# unbound-checkconf -f /opt/var/lib/unbound/unbound.conf
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
server:
interface: 127.0.0.1@53535
access-control: 127.0.0.1/32 allow
access-control: 192.168.1.1/24 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# DNS64: synthesize an AAAA record when a name has only A records
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
# Memory cache and responsive performance
num-threads: 1
key-cache-size: 4m
msg-cache-size: 4m
rrset-cache-size: 8m
cache-max-ttl: 21600
cache-min-ttl: 5
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
ip-ratelimit: 100
neg-cache-size: 4M
edns-buffer-size: 1472
ratelimit: 1000
unwanted-reply-threshold: 10000
# Privacy & security
hide-version: yes
hide-identity: yes
harden-algo-downgrade: yes
harden-below-nxdomain: yes
harden-dnssec-stripped: yes
harden-large-queries: yes
harden-short-bufsize: yes
harden-glue: yes
do-not-query-localhost: no
qname-minimisation: yes
minimal-responses: yes
rrset-roundrobin: yes
do-daemonize: no
val-clean-additional: yes
# Self jail Unbound: run as user "nobody", chrooted to /opt/var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
# The pid file
pidfile: "/opt/var/run/unbound.pid"
# ROOT Server's
root-hints: "root.hints"
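# DNSSEC
# module-config is already set above to "dns64 validator iterator"; repeating it
# here as "validator iterator" would replace that value and drop dns64.
# module-config: "validator iterator"
auto-trust-anchor-file: "root.key"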
remote-control:
control-enable: yes
control-interface: 127.0.0.1
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: root.zone
Do not know. I only use Termius software on the MacBook. When I edit the nano or the VI. On the Mac, I use the Atom editor. But it's easy.
WinSCP?
For me, everything is fine.
As all warnings exist when installing even firmware's, you need to know what you are doing. But unbound_manager has the option to restore. It's quiet.
Code:
@rgnldo:/tmp/home/root# unbound-checkconf -f /opt/var/lib/unbound/unbound.conf
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
use this my unbound.conf
Code:
server:
interface: 127.0.0.1@53535
access-control: 127.0.0.1/32 allow
access-control: 192.168.1.1/24 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# perform a query against AAAA record exists
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
# Memory cache and responsive performance
num-threads: 1
key-cache-size: 4
msg-cache-size: 4
rrset-cache-size: 8
cache-max-ttl: 21600
cache-min-ttl: 5
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
ip-ratelimit: 100
neg-cache-size: 4M
edns-buffer-size: 1472
ratelimit: 1000
unwanted-reply-threshold: 10000
# Privacy & security
hide-version: yes
hide-identity: yes
harden-algo-downgrade: yes
harden-below-nxdomain: yes
harden-dnssec-stripped: yes
harden-large-queries: yes
harden-short-bufsize: yes
harden-glue: yes
do-not-query-localhost: no
qname-minimisation: yes
minimal-responses: yes
rrset-roundrobin: yes
do-daemonize: no
val-clean-additional: yes
# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
# The pid file
pidfile: "/opt/var/run/unbound.pid"
# ROOT Server's
root-hints: "root.hints"
# DNSSEC
module-config: "validator iterator"
auto-trust-anchor-file: "root.key"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: root.zone
It's oddly 4 bytes and 8 bytes of cache, since there is no k, m or g following.
Can you elaborate on these settings?
key-cache-size: 4
msg-cache-size: 4
rrset-cache-size: 8
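A lint for the unit-less cache sizes pointed out above, as an added example that is not part of the original thread. It also reports a repeated `module-config:` line, since the later value replaces the earlier one. The function name and the sample configuration (constructed from the settings quoted in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. lint_unbound_conf is a hypothetical name.

# Constructed sample built from settings quoted in the thread.
SAMPLE_CONF='server:
module-config: "dns64 validator iterator"
key-cache-size: 4
msg-cache-size: 4m
rrset-cache-size: 8   # no unit
neg-cache-size: 4M
module-config: "validator iterator"'

# Reads an unbound.conf on stdin and prints one finding per line.
lint_unbound_conf() {
    awk '
        { sub(/#.*/, "") }    # ignore comments before inspecting the line

        # A bare integer on a *-cache-size option is a byte count.
        $1 ~ /-cache-size:$/ && $2 ~ /^[0-9]+$/ {
            printf "line %d: %s %s has no k/m/g suffix, so it is read as bytes\n", NR, $1, $2
        }

        # Only one module-config value is kept, so flag every repeat.
        $1 == "module-config:" {
            if (seen)
                printf "line %d: module-config repeated (first at line %d); the later value replaces the earlier one\n", NR, seen
            else
                seen = NR
        }
    '
}

# On the router: lint_unbound_conf < /opt/var/lib/unbound/unbound.conf
printf '%s\n' "$SAMPLE_CONF" | lint_unbound_conf
```

Both findings describe configurations that parse cleanly, so this is a complement to `unbound-checkconf`, not a replacement for it.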