Unbound - Authoritative Recursive Caching DNS Server

Hello all....I'm now quite intrigued and think that the installer is at a sufficiently dumbed down level for a guy like me! :)

With that, what flavour of the .conf file are people defaulting to? If anything, that is really the only thing stopping me from plunging for a trial run.

Also, on @Martineaus github, why is DNSSEC and Rebind required to be OFF?

Thanks as always....
 
Ok...so dumb question...what's the difference between doing the manual install on pg. 1 and using the script version from the link provided above? Can the link provided be posted on pg. 1 as well, or does this go back to the "long story"? Reason I'm asking is because I started to re-install unbound using the instructions from pg. 1 but then got stuck on one of the steps, so I continued installing from the 2.03 script, which helped a lot for me. Then I was getting similar errors to what L&LD was getting, i.e. syntax errors, so I've removed unbound again.

Can page 1 have instructions on how to manually uninstall unbound as well?
 
Can you elaborate on these settings?

key-cache-size: 4
msg-cache-size: 4
rrset-cache-size: 8
Sorry, my unbound.conf is generated by a script. is by mega. adjusted
 
I believe the long story may have something to do with the differences of opinion shown over the last number of pages on this thread.....but I may be wrong and don't want to speak for @dave14305
 
Also, on @Martineaus github, why is DNSSEC and Rebind required to be OFF?
DNSSEC needs to be disabled so that dnsmasq cache can be turned off. This allows Unbound to keep its own cache very fresh.

DNS Rebind really only needs to be disabled if you're going to use Unbound ad-blocking, which personally I don't recommend. dnsmasq with rebind protection would reject any responses from Unbound like 192.168.1.2 or 127.0.0.1.
With that, what flavour of the .conf file are people defaulting to?
I'll continue to promote a minimalist unbound.conf that uses most defaults where appropriate for a small router like my AC68U.
Code:
server:
username: "nobody"
chroot: "/opt/var/lib/unbound"
directory: "/opt/var/lib/unbound"
pidfile: "unbound.pid"
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
root-hints: "root.hints"
auto-trust-anchor-file: "root.key"

logfile: "unbound.log"
log-time-ascii: yes
log-servfail: yes
extended-statistics: yes

interface: 127.0.0.1@53535
do-ip6: no

private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16

prefetch: yes
prefetch-key: yes
minimal-responses: yes
edns-buffer-size: 1472
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes

remote-control:
control-enable: yes
control-use-cert: no
Edit: fixed duplicate statements.
 
Common sense prevails. Posting started with manual installation. There was an invitation and it was accepted. @Martineau commitment continues. The post is for everyone interested. As I said, I will not be able to contribute, I have other commitments. This project is very promising.
 
So in the minimal conf file Dave, what is the default unbound cache amount set? Is it caching at all?
 
unbound Manager/Installer script for ASUS Router running RMerlin firmware.

Script-installer as an easy option for installing Unbound written and maintained by @Martineau. All credits reserved.

For more details and installation:
https://github.com/MartineauUK/Unbound-Asuswrt-Merlin


For a complete newb to Unbound, out of the instructions you have after installation, what should I run/edit to use Unbound effectively?
 
Okay, I had to nuke the unbound.conf file I was using prior to this post (never did figure out why it was throwing the syntax errors when I tried the suggestions from @rgnldo in the few posts after the above link).

v2.03 Unbound Install Report February 4, 2020 (@Martineau Installer):

ISP: 1Gbps/1Gbps up/down Fibre via ONT connection using IPv6 Native Stateless

v384.15 Beta 1 RT-AX88U RMerlin (dirty install)

DNSFilter Global Filter Mode = Router
Connect to DNS Servers Automatically: No
DNS1: 1.1.1.1
DNS2: 1.0.0.1
Forward local domain queries to upstream DNS: No
Enable DNS Rebind Protection: No
Enable DNSSEC support: No
Prevent client auto DoH: Yes
DoT:
DNS over TLS Profile: Strict
DoT Servers: CloudFlare

v3.1.0 FW amtm
v2.7 Disk Check (amtm)
Entware fully up-to-date

Code:
 List of installed Entware packages (59)
 ca-bundle - 20190110-2                  libopenssl-conf - 1.1.1d-2
 ca-certificates - 20190110-2            libpcre - 8.43-2
 column - 2.34-2                         libpopt - 1.16-2
 diffutils - 3.7-2                       libpthread - 2.27-9
 entware-opt - 227000-3                  librt - 2.27-9
 entware-release - 1.0-2                 libsmartcols - 2.34-2
 entware-upgrade - 1.0-1                 libssp - 8.3.0-9
 findutils - 4.7.0-1                     libstdcpp - 8.3.0-9
 getdns - 1.5.2-2                        libunbound - 1.9.6-1
 glib2 - 2.58.3-4                        libuuid - 2.34-2
 grep - 3.3-1                            libyaml - 0.2.2-1
 haveged - 1.9.8-2                       locales - 2.27-8
 htop - 2.2.0-2                          logrotate - 3.15.0-2
 libattr - 2.4.48-2                      ntp-utils - 4.2.8p13-4
 libc - 2.27-9                           ntpd - 4.2.8p13-4
 libcap - 2.27-3                         openssl-util - 1.1.1d-2
 libcurl - 7.67.0-2                      opkg - 2019-06-14-dcbc142e-2
 libdbi - 0.9.0-4                        pixelserv-tls - 2.3.1-1
 libevent2-core - 2.1.11-2               stubby - 0.2.6-2
 libevent2-pthreads - 2.1.11-2           syslog-ng - 3.25.1-1
 libexpat - 2.2.9-1                      terminfo - 6.1-5
 libffi - 3.2.1-3                        unbound-anchor - 1.9.6-1
 libgcc - 8.3.0-9                        unbound-checkconf - 1.9.6-1
 libhavege - 1.9.8-2                     unbound-control - 1.9.6-1
 libiconv-full - 1.11.1-4                unbound-control-setup - 1.9.6-1
 libintl-full - 0.19.8.1-2               unbound-daemon - 1.9.6-1
 libjson-c - 0.13.1-1                    zlib - 1.2.11-3
 libncurses - 6.1-5                      zoneinfo-asia - 2019c-1
 libncursesw - 6.1-5                     zoneinfo-europe - 2019c-1
 libopenssl - 1.1.1d-2
 Entware Apps installed in /opt/bin/ (25)
 ash                     grep                    persist-tool
 channelhog              htop                    pixelserv-tls
 cmp                     islebe                  sdiff
 column                  locale.new              sh
 diff                    localedef.new           unbound_manager
 diff3                   loggen                  update-patterndb
 diversion               netstat                 xargs
 dqtool                  openssl
 find                    pdbtool
 Non-Entware Scripts installed in /opt/bin/ (9)
 YazFi                   firewall (Skynet)       scribe
 connmon                 ntpmerlin               uiDivStats
 diversion               scmerlin                uiScribe
 Entware Apps installed in /opt/sbin/ (19)
 getdns_query            ntpq                    unbound
 haveged                 ntptime                 unbound-anchor
 ifconfig                route                   unbound-checkconf
 logread                 stubby                  unbound-control
 logrotate               syslog-ng               unbound-control-setup
 ntpd                    syslog-ng-ctl
 ntpdc                   syslog-ng-debun
 Press Enter to return to menu

2GB swap file on 256GB Supersonic Rage Elite USB Flash Drive using USB 3.0 Port in USB 3 mode
(NOTE: USB 3.0 Port using USB 2.0 Mode recommended unless proved stable (for 2.4GHz band) otherwise).

v4.1.8 Diversion Standard
v7.0.9 Skynet
v3.3.0 YazFi
v2.4.1 scribe
v2.2.0 connmon
v2.2.2 ntpMerlin
v1.0.5 scMerlin
v1.3.0 uiDivStats
v1.2.0 uiScribe

Note that I also have the ChannelHog script installed from @Adamm too. ;)

Using WinSCP and unbound_manager many times using 'rl' I tried loading the copied unbound.conf from @rgnldo from a few posts back. No luck. :(

Fast Forward to success:

Using unbound_manager from @Martineau v2.03 and 'i', I created a new unbound.conf file with no errors.

I used the stuning option 'y' and the other options were simply 'Enter' which equals 'no' here.

I then ran the following command at the PuTTY prompt:
Code:
curl -o /opt/var/lib/unbound/root.zone https://www.internic.net/domain/root.zone
and
Code:
echo 3 > /proc/sys/net/ipv4/tcp_fastopen

(Note, the second command above isn't needed if you will reboot the router immediately, but is good to test with while the router is still running).

I then added the following to the end of the init-start file in /jffs/scripts/ using WinSCP:
Code:
# Enable TCP Fast Open
echo 3 > /proc/sys/net/ipv4/tcp_fastopen

I then added the following to unbound.conf in /opt/var/lib/unbound/ using WinSCP:

Code:
# perform a query against AAAA record exists
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:FF9B::/96
and
Code:
auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: root.zone

At this point, I was able to have an error-free unbound.conf file!

I have been using this configuration for the last 2 1/2 hours with great results. Fast, fast, fast. :)

I will now reboot my RT-AX88U and report back after waiting for about 15 minutes and checking that everything continues to be stable and error-free afterward. :)

Please see my post 1047 below! :)

Edit: I have changed this post to NOT enabling logging as a default. :)

I had mistakenly thought it was needed to provide stats, similar to how Skynet by @Adamm does. @dave14305 corrected me though and I want to make sure nobody follows my mistake!
 
@L&LD... I noticed rgnldo's unbound.conf script has more additional lines compared to the default. Did you try those additional lines or keep it default?
 
@Kingp1n please see my edited post above (give it a minute or two). I have added my unbound.conf file that I'm using right now. :)
 
Regarding the earlier syntax error, you must ensure that new parameters go under the correct section of the conf file. module-config and dns64-prefix must appear under the server: section before another section starts (e.g. remote-control, auth-zone, etc.).
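As an added example (not from this thread, and not part of unbound_manager or Unbound itself), here is a small Python checker for the two syntax problems discussed above: a server-only option such as module-config or dns64-prefix pasted after another clause, and a single-valued statement repeated inside server: (the duplicates dave14305 removed from his minimal conf). The server-only option list is an assumption limited to the options used in this thread.

```python
import re
from collections import Counter

# Assumption: only the options this thread uses are listed as server-only.
SERVER_ONLY = {"module-config", "dns64-prefix", "private-address",
               "interface", "edns-buffer-size", "username", "chroot"}
MULTI_VALUED = {"private-address", "interface"}   # may legitimately repeat
CLAUSE_RE = re.compile(r"^([a-z-]+):\s*$")        # "server:", "auth-zone:"
OPTION_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")  # "do-ip6: no"


def parse_unbound_conf(text):
    """Return (clause, option, value) triples; indentation is ignored, as in Unbound."""
    entries, clause = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if m := CLAUSE_RE.match(line):        # a bare keyword starts a new clause
            clause = m.group(1)
        elif m := OPTION_RE.match(line):
            entries.append((clause, m.group(1), m.group(2).strip().strip('"')))
    return entries


def lint(text):
    """Flag server-only options under another clause and repeated single-valued options."""
    problems, seen = [], Counter()
    for clause, opt, _ in parse_unbound_conf(text):
        if opt in SERVER_ONLY and clause != "server":
            problems.append(f"{opt} is under {clause}: but belongs under server:")
        if opt not in MULTI_VALUED:
            seen[(clause, opt)] += 1
    problems += [f"{opt} repeated {n} times under {clause}:"
                 for (clause, opt), n in seen.items() if n > 1]
    return problems


# Constructed sample reproducing the thread's mistake: dns64 lines pasted
# after remote-control:, plus a duplicated edns-buffer-size under server:.
BROKEN_CONF = """\
server:
    private-address: 127.0.0.0/8
    private-address: 192.168.0.0/16
    edns-buffer-size: 1472
    edns-buffer-size: 1472
remote-control:
    control-enable: yes
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:FF9B::/96
"""
```

Run `lint(BROKEN_CONF)` to see the three findings; the real unbound-checkconf remains the authority, this just points at the clause where the paste went wrong.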
 