Unbound - Authoritative Recursive Caching DNS Server
- Thread starter rgnldo
- Start date
- Status
Thanks...so page 1 allows for manual installation only correct?
It's a long story...
SuperDuke
Regular Contributor
Hello all....I'm now quite intrigued and think that the installer is at a sufficiently dumbed down level for a guy like me!
With that, what flavour of the .conf file are people defaulting to? If anything, that is really the only thing stopping me from plunging for a trial run.
Also, on @Martineaus github, why is DNSSEC and Rebind required to be OFF?
Thanks as always....
With that, what flavour of the .conf file are people defaulting to? If anything, that is really the only thing stopping me from plunging for a trial run.
Also, on @Martineaus github, why is DNSSEC and Rebind required to be OFF?
Thanks as always....
Ok...so dumb question...what's the difference from the doing the manual install on pg. 1 and/or using the script version from link provided above? Can the link provided be posted on pg. 1 as well or this goes back to the "long story"? Reason I'm asking is because I started to re-install unbound using the instructions from pg. 1 but then got stuck on one of the steps so I continued installing from the 2.03 script which helped a lot for me. Then I was getting similar errors that L&LD was getting i.e. syntax errors so I've removed unbound again.
Can page 1 have instructions on how to manually uninstall unbound as well?
Can page 1 have instructions on how to manually uninstall unbound as well?
rgnldo
Very Senior Member
Sorry, my unbound.conf is generated by a script. is by mega. adjusted
SuperDuke
Regular Contributor
I believe the long story may have something to do with the differences of opinion shown over the last number of pages on this thread.....but I may be wrong and don't want to speak for @dave14305
DNSSEC needs to be disabled so that dnsmasq cache can be turned off. This allows Unbound to keep its own cache very fresh.
DNS Rebind really only needs to be disabled if you're going to to use Unbound ad-blocking, which personally I don't recommend. dnsmasq with rebind protection would reject any responses from Unbound like 192.168.1.2 or 127.0.0.1.
I'll continue to promote a minimalist unbound.conf that uses most defaults where appropriate for a small router like my AC68U.
Code:
server:
username: "nobody"
chroot: "/opt/var/lib/unbound"
directory: "/opt/var/lib/unbound"
pidfile: "unbound.pid"
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
root-hints: "root.hints"
auto-trust-anchor-file: "root.key"
logfile: "unbound.log"
log-time-ascii: yes
log-servfail: yes
extended-statistics: yes
interface: 127.0.0.1@53535
do-ip6: no
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
prefetch: yes
prefetch-key: yes
minimal-responses: yes
edns-buffer-size: 1472
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes
remote-control:
control-enable: yes
control-use-cert: no
Last edited:
Being wrong never stopped me from posting.
SuperDuke
Regular Contributor
Being wrong never stopped me from posting.
Heck, I'm just keeping my head down on this one....haha
rgnldo
Very Senior Member
Common sense prevails. Posting started with manual installation. There was an invitation and it was accepted. @Martineau commitment continues. The post is for everyone interested. As I said, I will not be able to contribute, I have other commitments. This project is very promising.
Last edited:
SuperDuke
Regular Contributor
So in the minimal conf file Dave, what is the default unbound cache amount set? Is it caching at all?
Yes, each cache (key, msg, rrset) defaults to 4 MB. I've never seen it reach those limits in my small network.
I read through all the defaults at https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
Skeptical.me
Very Senior Member
unbound Manager/Installer script for ASUS Router running RMerlin firmware.
Script-installer as an easy option for installing Unbound written and maintained by @Martineau. All credits reserved.
For more details and installation:
https://github.com/MartineauUK/Unbound-Asuswrt-Merlin
For a complete newb to Unbound, out of the instructions you have after installation, what should I run/edit to use Unbound effectively?
Treadler
Very Senior Member
What I did:
Log = no
Integrate Stubby = no
Adblocker = no
Disable Firefox DoH = y
Customise cpu = y
L&LD
Part of the Furniture
Okay, I had to nuke the unbound.conf file I was using prior to this post (never did figure out why it was throwing the syntax errors when I tried the suggestions from @rgnldo in the few posts after the above link).
v2.03 Unbound Install Report February 4, 2020 (@Martineau Installer):
2GB swap file on 256GB Supersonic Rage Elite USB Flash Drive using USB 3.0 Port in USB 3 mode
(NOTE: USB 3.0 Port using USB 2.0 Mode recommended unless proved stable (for 2.4GHz band) otherwise).
Note that I also have the ChannelHog script installed from @Adamm too.
Using WinSCP and unbound_manager many times using 'rl' I tried loading the copied unbound.conf from @rgnldo from a few posts back. No luck.
Fast Forward to success:
Using unbound_manager from @Martineau v2.03 and 'i', I created a new unbound.conf file with no errors.
I used the stuning option 'y' and the other options were simply 'Enter' which equals 'no' here.
I then ran the following command at the PuTTY prompt:
and
(Note, the second command above isn't needed if you will reboot the router immediately, but is good to test with while the router is still running).
I then added the following to the end of the init-start file in /jffs/scripts/ using WinSCP:
I then added the following to unbound.conf in /opt/var/lib/unbound/ using WinSCP:
and
At this point, I was able to have an error-free unbound.conf file!
I have been using this configuration for the last 2 1/2 hours with great results. Fast, fast, fast.
I will now reboot my RT-AX88U and report back after waiting for about 15 minutes and checking that everything continues to be stable and error-free afterward.
Please see my post 1047 below!
Edit: I have changed this post to NOT enabling logging as a default.
I had mistakenly thought it was needed to provide stats, similar to how Skynet by @Adamm does. @dave14305 corrected me though and I want to make sure nobody follows my mistake!
v2.03 Unbound Install Report February 4, 2020 (@Martineau Installer):
ISP: 1Gbps/1Gbps up/down Fibre via ONT connection using IPv6 Native Stateless
v384.15 Beta 1 RT-AX88U RMerlin (dirty install)
DNSFilter Global Filter Mode = Router
Connect to DNS Servers Automatically: No
DNS1: 1.1.1.1
DNS2: 1.0.0.1
Forward local domain queries to upstream DNS: No
Enable DNS Rebind Protection: No
Enable DNSSEC support: No
Prevent client auto DoH: Yes
DoT:
DNS over TLS Profile: Strict
DoT Servers: CloudFlare
v3.1.0 FW amtm
v2.7 Disk Check (amtm)
Entware fully up-to-date
DNSFilter Global Filter Mode = Router
Connect to DNS Servers Automatically: No
DNS1: 1.1.1.1
DNS2: 1.0.0.1
Forward local domain queries to upstream DNS: No
Enable DNS Rebind Protection: No
Enable DNSSEC support: No
Prevent client auto DoH: Yes
DoT:
DNS over TLS Profile: Strict
DoT Servers: CloudFlare
v3.1.0 FW amtm
v2.7 Disk Check (amtm)
Entware fully up-to-date
Code:
List of installed Entware packages (59)
ca-bundle - 20190110-2 libopenssl-conf - 1.1.1d-2
ca-certificates - 20190110-2 libpcre - 8.43-2
column - 2.34-2 libpopt - 1.16-2
diffutils - 3.7-2 libpthread - 2.27-9
entware-opt - 227000-3 librt - 2.27-9
entware-release - 1.0-2 libsmartcols - 2.34-2
entware-upgrade - 1.0-1 libssp - 8.3.0-9
findutils - 4.7.0-1 libstdcpp - 8.3.0-9
getdns - 1.5.2-2 libunbound - 1.9.6-1
glib2 - 2.58.3-4 libuuid - 2.34-2
grep - 3.3-1 libyaml - 0.2.2-1
haveged - 1.9.8-2 locales - 2.27-8
htop - 2.2.0-2 logrotate - 3.15.0-2
libattr - 2.4.48-2 ntp-utils - 4.2.8p13-4
libc - 2.27-9 ntpd - 4.2.8p13-4
libcap - 2.27-3 openssl-util - 1.1.1d-2
libcurl - 7.67.0-2 opkg - 2019-06-14-dcbc142e-2
libdbi - 0.9.0-4 pixelserv-tls - 2.3.1-1
libevent2-core - 2.1.11-2 stubby - 0.2.6-2
libevent2-pthreads - 2.1.11-2 syslog-ng - 3.25.1-1
libexpat - 2.2.9-1 terminfo - 6.1-5
libffi - 3.2.1-3 unbound-anchor - 1.9.6-1
libgcc - 8.3.0-9 unbound-checkconf - 1.9.6-1
libhavege - 1.9.8-2 unbound-control - 1.9.6-1
libiconv-full - 1.11.1-4 unbound-control-setup - 1.9.6-1
libintl-full - 0.19.8.1-2 unbound-daemon - 1.9.6-1
libjson-c - 0.13.1-1 zlib - 1.2.11-3
libncurses - 6.1-5 zoneinfo-asia - 2019c-1
libncursesw - 6.1-5 zoneinfo-europe - 2019c-1
libopenssl - 1.1.1d-2
Entware Apps installed in /opt/bin/ (25)
ash grep persist-tool
channelhog htop pixelserv-tls
cmp islebe sdiff
column locale.new sh
diff localedef.new unbound_manager
diff3 loggen update-patterndb
diversion netstat xargs
dqtool openssl
find pdbtool
Non-Entware Scripts installed in /opt/bin/ (9)
YazFi firewall (Skynet) scribe
connmon ntpmerlin uiDivStats
diversion scmerlin uiScribe
Entware Apps installed in /opt/sbin/ (19)
getdns_query ntpq unbound
haveged ntptime unbound-anchor
ifconfig route unbound-checkconf
logread stubby unbound-control
logrotate syslog-ng unbound-control-setup
ntpd syslog-ng-ctl
ntpdc syslog-ng-debun
Press Enter to return to menu2GB swap file on 256GB Supersonic Rage Elite USB Flash Drive using USB 3.0 Port in USB 3 mode
(NOTE: USB 3.0 Port using USB 2.0 Mode recommended unless proved stable (for 2.4GHz band) otherwise).
v4.1.8 Diversion Standard
v7.0.9 Skynet
v3.3.0 YazFi
v2.4.1 scribe
v2.2.0 connmon
v2.2.2 ntpMerlin
v1.0.5 scMerlin
v1.3.0 uiDivStats
v1.2.0 uiScribe
v7.0.9 Skynet
v3.3.0 YazFi
v2.4.1 scribe
v2.2.0 connmon
v2.2.2 ntpMerlin
v1.0.5 scMerlin
v1.3.0 uiDivStats
v1.2.0 uiScribe
Note that I also have the ChannelHog script installed from @Adamm too.
Using WinSCP and unbound_manager many times using 'rl' I tried loading the copied unbound.conf from @rgnldo from a few posts back. No luck.
Fast Forward to success:
Using unbound_manager from @Martineau v2.03 and 'i', I created a new unbound.conf file with no errors.
I used the stuning option 'y' and the other options were simply 'Enter' which equals 'no' here.
I then ran the following command at the PuTTY prompt:
Code:
curl -o /opt/var/lib/unbound/root.zone https://www.internic.net/domain/root.zone
Code:
echo 3 > /proc/sys/net/ipv4/tcp_fastopen(Note, the second command above isn't needed if you will reboot the router immediately, but is good to test with while the router is still running).
I then added the following to the end of the init-start file in /jffs/scripts/ using WinSCP:
Code:
# Enable TCP Fast Open
echo 3 > /proc/sys/net/ipv4/tcp_fastopenI then added the following to unbound.conf in /opt/var/lib/unbound/ using WinSCP:
Code:
# perform a query against AAAA record exists
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
Code:
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: root.zoneAt this point, I was able to have an error-free unbound.conf file!
I have been using this configuration for the last 2 1/2 hours with great results. Fast, fast, fast.
I will now reboot my RT-AX88U and report back after waiting for about 15 minutes and checking that everything continues to be stable and error-free afterward.
Please see my post 1047 below!
Edit: I have changed this post to NOT enabling logging as a default.
I had mistakenly thought it was needed to provide stats, similar to how Skynet by @Adamm does. @dave14305 corrected me though and I want to make sure nobody follows my mistake!
Last edited:
Regarding the earlier syntax error, you must ensure that new parameters go under the correct section of the conf file. module-config and dns64-prefix must appear under the server: section before another section starts (e.g. remote-control, auth-zone, etc.).@Kingp1n please see my edited post above (give it a minute or two). I have added my unbound.conf file that I'm using right now.
Do you have screenshots?
- Status
Similar threads
Similar threads
-
Can't connect to DYNDNS when Unbound is enabled !
- Started by ComputerSteve
- Replies: 10
-
-
Unbound + Wireguard: is this combination possible at all?
- Started by louisschneider
- Replies: 6
Latest threads
-
-
Gt-axe16000 good upgrade from AX-86U?
- Started by Mamba24
- Replies: 1
-
Please add Asuswrt-merlin to GT-BE98 (Non-pro) version
- Started by kaotic2499
- Replies: 5
-
Corrupted router specific partition on AX88U
- Started by nomad_surfer
- Replies: 1
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!