What's new

Unbound - Authoritative Recursive Caching DNS Server

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Code:
RT-AX88U-ACA0:/tmp/home/root# unbound -V
Version 1.9.6

Configure line: --target=aarch64-openwrt-linux --host=aarch64-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefit
Linked libs: pluggable-event internal (it uses select), OpenSSL 1.1.1d  10 Sep 2019
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
 
I've uploaded v2.03

unbound v1.9.6 now includes 'unbound-checkconf' which was apparently removed/omitted in unbound v1.9.3.
(Thanks @dave14305 for the heads-up) .....[/CODE]

Awesome ... great job @Martineau ... now that the dust has settled - confusing Githubs cleared up - V2.03 with its 2.5+k lines of code fully documented ... I had the courage to take the plunge into the "unbound" world ... and am blown away by the performance improvement. Probably particularly relevant for those of us at the Southern tip of Africa ... far removed from the primary DNS servers you 1st Worlder's enjoy.

Running on my RT-AC86U with all add-ons per signature - and zero ill-effects.:D
 
Awesome ... great job @Martineau ... now that the dust has settled - confusing Githubs cleared up - V2.03 with its 2.5+k lines of code fully documented ... I had the courage to take the plunge into the "unbound" world ... and am blown away by the performance improvement. Probably particularly relevant for those of us at the Southern tip of Africa ... far removed from the primary DNS servers you 1st Worlder's enjoy.

Running on my RT-AC86U with all add-ons per signature - and zero ill-effects.:D
I will take credit for the unbound_manager script, but credit where credit is due....

@rgnldo was the passionate driving force for the adoption of unbound to replace dnsmasq on ASUS routers, so hopefully the script allows non-techies to give unbound a completely risk-free trial, and can decide for themselves if they too are impressed by the performance gains.
 
Unfortunately, I can't help much because there are routers with different configurations and kernels. I can only confirm from my AC86U. Anyone who has experience in the ASUS environment, with other routers, can help other models.

I organized the final unbound.conf (initial post) after much consultation and adapted to the corrections of version 1.9.6 of unbound. It is not having memory and a long cache, but efficiency and security. This is a never-ending debate, but the consensus is for less memory and cache lifetime. Even in dnsmasq, I prefer, cache-size=512. Well, I will not enter this debate.

For those who have the AC86U (I don't know of other models) going forward, due to the kernel, you can benefit from TCP Fast Open (https://dnsprivacy.org/wiki/display/DP/TCP+Fast+Open) by adding this line to the stuning script.
Code:
 # Enable TCP Fast Open
 echo  3 > /proc/sys/net/ipv4/tcp_fastopen
Another feature enabled in unbound is the DNS64 validator (initial post) . For those who enable IPV6, it is useful. You can check this out here: https://ecdysis.viagenie.ca/instructions.html
Consider it useful or disregard it.

The installer script will be useful and I hope it will continue to help others with less knowledge.
My contributions will be in this profile. There are other commitments that prevent me from helping with more emphasis.
 
Last edited:
@rgnldo, thank you for these tips. :)

Everyone,

I have the RT-AX88U (same as RT-AC86U with 2x more RAM and 4 cores) and did find the stuning script in /jffs/addons/unbound.

However, I am not sure where to insert the code to enable TCP Fast Open. :oops:

Similarly, I use IPv6 but am at a loss on how to implement the instructions linked to my router without messing up bad. :oops:

Is it possible to have these options available during install @Martineau?

Thanks to anyone who can make this easier or more accessible to non-scripters like myself. :)
 
@rgnldo, thank you for these tips. :)

Everyone,

I have the RT-AX88U (same as RT-AC86U with 2x more RAM and 4 cores) and did find the stuning script in /jffs/addons/unbound.

However, I am not sure where to insert the code to enable TCP Fast Open. :oops:

Similarly, I use IPv6 but am at a loss on how to implement the instructions linked to my router without messing up bad. :oops:

Is it possible to have these options available during install @Martineau?

Thanks to anyone who can make this easier or more accessible to non-scripters like myself. :)

+1

I too would like the option to easily try these modifications.

If they have a tangible benefit, great, if not, the ability to ‘untry’ them would be great as well! :p
 
@rgnldo, thank you for these tips. :)

Everyone,

I have the RT-AX88U (same as RT-AC86U with 2x more RAM and 4 cores) and did find the stuning script in /jffs/addons/unbound.

However, I am not sure where to insert the code to enable TCP Fast Open. :oops:

Similarly, I use IPv6 but am at a loss on how to implement the instructions linked to my router without messing up bad. :oops:

Is it possible to have these options available during install @Martineau?

Thanks to anyone who can make this easier or more accessible to non-scripters like myself. :)

@L&LD, great question. I use WinSCP and I was going to manually update the scripts per the instructions on pg. 1 but I have a feeling I might screw something up haha!
 
@Kingp1n, I have WinSCP running and ready for any command(s) anyone offers. :)

I don't think I might screw up. I know! lol :D
 
Is it possible to have these options available during install
Although they disagree, I use stuning and for my reality and router is another level and experience of use.

I believe that to help the maintainer of the script-installer, any addition or removal must be related to technical feasibility studies. Organization is everything. In a while the script-installer will be more mature and clean.

You can add this option at:
nano /jffs/scripts/init-start
Code:
 # Enable TCP Fast Open
 echo  3 > /proc/sys/net/ipv4/tcp_fastopen
To apply soon, just launch
echo 3 > /proc/sys/net/ipv4/tcp_fastopen

I use IPv6
Add to unbound.conf
Code:
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
Continue with auth-zone
Use the unbound.conf proposed at the beginning of the post and return me here to report.

It is stable and excellent for me. Using Adblock/Unbound.
 
@rgnldo I am using Auth-zone successfully already.

I added the
Code:
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
to the end of the unbound.conf file and when I run unbound_manager it shows there are syntax errors in /opt/var/lib/unbound/unbound.conf. It suggests to use 'vx' correct the file but I don't know what I need to correct.

For now, I just entered the
Code:
echo  3 > /proc/sys/net/ipv4/tcp_fastopen
into the command prompt and received no error or confirmation. Is this enough to test with? :)
 
to unbound.conf and when I run unbound_manager it shows there are syntax errors in /opt/var/lib/unbound/unbound.conf.
For me, everything is fine.
Code:
@rgnldo:/tmp/home/root# unbound-checkconf -f /opt/var/lib/unbound/unbound.conf
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
As all warnings exist when installing even firmware's, you need to know what you are doing. But unbound_manager has the option to restore. It's quiet.
use this my unbound.conf
Code:
server:
    interface: 127.0.0.1@53535
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.1.1/24 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow

    # RFC1918 private IP address - Protects against DNS Rebinding
    private-address: 10.0.0.0/8
    private-address: ::ffff:a00:0/104
    private-address: 172.16.0.0/12
    private-address: ::ffff:ac10:0/108
    private-address: 169.254.0.0/16
    private-address: ::ffff:a9fe:0/112
    private-address: 192.168.0.0/16
    private-address: ::ffff:c0a8:0/112
    private-address: fd00::/8
    private-address: fe80::/10
 
    # perform a query against AAAA record exists
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:FF9B::/96
 
    # Memory cache and responsive performance
    num-threads: 1
    key-cache-size: 4m
    msg-cache-size: 4m
    rrset-cache-size: 8m
    cache-max-ttl: 21600
    cache-min-ttl: 5
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 3600
    ip-ratelimit: 100
    neg-cache-size: 4M
    edns-buffer-size: 1472
    ratelimit: 1000
    unwanted-reply-threshold: 10000

    # Privacy & security
    hide-version: yes
    hide-identity: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    harden-glue: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    minimal-responses: yes
    rrset-roundrobin: yes
    do-daemonize: no
    val-clean-additional: yes

    # Self jail Unbound with user "unbound" to /var/lib/unbound
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"

    # The pid file
    pidfile: "/opt/var/run/unbound.pid"

    # ROOT Server's
    root-hints: "root.hints"

    # DNSSEC
    module-config: "validator iterator"
    auto-trust-anchor-file: "root.key"

    remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
 
    auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: root.zone
 
Last edited:
@rgnldo thanks, I will give your unbound.conf file a try. Any restrictions on how I name and save it using WinSCP?
 
Do not know. I only use Termius software on the MacBook. When I edit the nano or the VI. On the Mac, I use the Atom editor. But it's easy.
 
For me, everything is fine.
Code:
@rgnldo:/tmp/home/root# unbound-checkconf -f /opt/var/lib/unbound/unbound.conf
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
As all warnings exist when installing even firmware's, you need to know what you are doing. But unbound_manager has the option to restore. It's quiet.
use this my unbound.conf
Code:
server:
    interface: 127.0.0.1@53535
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.1.1/24 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow

    # RFC1918 private IP address - Protects against DNS Rebinding
    private-address: 10.0.0.0/8
    private-address: ::ffff:a00:0/104
    private-address: 172.16.0.0/12
    private-address: ::ffff:ac10:0/108
    private-address: 169.254.0.0/16
    private-address: ::ffff:a9fe:0/112
    private-address: 192.168.0.0/16
    private-address: ::ffff:c0a8:0/112
    private-address: fd00::/8
    private-address: fe80::/10
 
    # perform a query against AAAA record exists
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:FF9B::/96
 
    # Memory cache and responsive performance
    num-threads: 1
    key-cache-size: 4
    msg-cache-size: 4
    rrset-cache-size: 8
    cache-max-ttl: 21600
    cache-min-ttl: 5
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 3600
    ip-ratelimit: 100
    neg-cache-size: 4M
    edns-buffer-size: 1472
    ratelimit: 1000
    unwanted-reply-threshold: 10000

    # Privacy & security
    hide-version: yes
    hide-identity: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    harden-glue: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    minimal-responses: yes
    rrset-roundrobin: yes
    do-daemonize: no
    val-clean-additional: yes

    # Self jail Unbound with user "unbound" to /var/lib/unbound
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"

    # The pid file
    pidfile: "/opt/var/run/unbound.pid"

    # ROOT Server's
    root-hints: "root.hints"

    # DNSSEC
    module-config: "validator iterator"
    auto-trust-anchor-file: "root.key"

    remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
 
    auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: root.zone

Can you elaborate on these settings?

key-cache-size: 4
msg-cache-size: 4
rrset-cache-size: 8
 
Have to say, Unbound working just fine here, as it came out of the box!:D

Always open to suggestion/tinkering though......
 
How do I find script 2.03 for unbound installation?
 
Status
Not open for further replies.

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top