Unbound - Authoritative Recursive Caching DNS Server

[L&LD]

I have been trying to find the example '/logrotate.d/unbound' file when 'scribe' logging has been enabled. I can't.

I did find /opt/etc/logrotate.d, but no unbound file.

Any hints to find it?

 

[Martineau]

There shouldn't be any options before the server: line.

EDIT: I think the sed is finding the comment at the top of the file and inserting the use-syslog.

sed -i '/log\-time\-ascii:/ause\-syslog: yes' ${CONFIG_DIR}unbound.conf

That will teach me to apply version control!

 

[Martineau]

@Martineau thank you for the new defaults.

On my RT-AX88U everything went smoothly until I went to 3, scribe.

Then the unbound.conf failed with 1 error: syntax error.

The part I see that changed was 'use-syslog: yes'.

Here is the complete unbound.conf.

# rgnldo User Install Custom Version vx.xx (Date Loaded by unbound_manager Wed Feb  5 13:35:49 MST 2020)
# rgnldo Version=v1.01 Martineau update (Date Loaded
# v1.01 Martineau - Added  'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:'
use-syslog: yes
log-local-actions: yes
#                   Change 'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
server:
# port to answer queries from
port: 53535

#########################################
# integration LOG's
#
# verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
# log-queries: yes
# log-replies: yes
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
use-syslog: yes
log-local-actions: yes
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

do-ip4: yes
#do-ip6: no
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
#interface: 0.0.0.0
interface: 127.0.0.1@53535                      # v1.01 as per @dave14305 minimal config

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/24 allow

# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16

#########################################
# integration IPV6
#
 do-ip6: yes
 module-config: "dns64 validator iterator"      # v1.01 perform a query against AAAA record exists
 dns64-prefix: 64:FF9B::/96                     # v1.01
 interface: ::0
 access-control: ::0/0 refuse
 access-control: ::1 allow
 private-address: fd00::/8
 private-address: fe80::/10
#########################################

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"     # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2

# tiny memory cache
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 21600
cache-min-ttl: 5
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 100
edns-buffer-size: 1472                           # v1.01 as per @dave14305 minimal config

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
#module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
#include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

#########################################
#forward-zone:
#   name: "."
#   forward-addr: 127.0.0.1@5453
#   forward-addr: 0::1@5453 # integration IPV6
#########################################

# v1.01 Added the following
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone

Whoops, I was trying to retire the use of the raw 'sed' method, but I forgot to amend the 'unbound.conf' on GitHub

Could you please update and retrieve 'unbound.conf' v1.02

e  = Exit Script

A:Option ==> i

then retry 'scribe' again.

EDIT: GitHub retrieval of the modified 'unbound.conf' baulks at the v1.02 comments?

# rgnldo Github Version=v1.01 Martineau update (Date Loaded
# v1.02 Martineau - Added  '#use-syslog:' '#log-local-actions:' placeholders
# v1.01 Martineau - Added  'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:'
#                   Change 'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
server:
# port to answer queries from
port: 53535

#########################################
# integration LOG's
#
# verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
# log-queries: yes
# log-replies: yes
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
#use-syslog: yes                            # v1.02 Let scribe/syslog-ng handle the log as it gets erased daily if Ad Block enabled :-(
#log-local-actions: yes                     # v1.02
log-servfail: yes                           # v1.01 as per @dave14305 minimal config

I will look at it tomorrow.

 

[L&LD]

@Martineau I can't seem to update to unbound.conf v1.02. Still shows v1.01 here.

Edit, I just saw you edited your post.

No worries, have a good rest. Tomorrow is another day.

 

[Treadler]

I've uploaded v2.04

New: Create example '/logrotate.d/unbound' file if 'scribe' logging has been enabled.
Fix: When a file contains only two bytes '0d0a' such as the Ad Block /adblock/blockhosts file the script incorretly reported a line count of 1.

I have now reluctantly decided to host the 'unbound.conf' on my Github.

'unbound.conf' v1.01 now includes by default

logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-servfail: yes                           # v1.01 as per @dave14305 minimal config

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # v1.01 as per @dave14305 minimal config

edns-buffer-size: 1472                      # v1.01 as per @dave14305 minimal config

# v1.01 Added the following
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone

NOTE: File 'root.zone' has always been downloaded during the installation and there is a daily cron job to ensure it is current.

New: TCP Fast Open. If you install the performance 'stuning.sh' option, if you have a HND router then the following is added to 'stuning.sh'

start() {

 # Enable TCP Fast Open on HND routers - unbound_manager
 echo 3 > /proc/sys/net/ipv4/tcp_fastopen

I don't think the above needs to be restricted to HND routers, but initially it is prudent pending confirmation that it is fully compatible with non-HND routers.

Change: For IPv6 users the following is added (I don't have the ability to test IPv6):

    #module-config: "validator iterator"
    module-config: "dns64 validator iterator"  # v1.01 perform a query against AAAA record exists
    dns64-prefix: 64:FF9B::/96

Please immediately report any anomalies with the changes in 'unbound.conf' v1.01.

IPv6 appears happy here.
Operations proceeding without any apparent hiccups!

 

[Skeptical.me]

Possibly the addresses you have setup in unbound conf for access control and private address don't match the addresses of your vpn.

ahh, that makes sense.

So would that mean I'd have to change the addresses in the Unbound conf every time I use a different VPN service/server?

 

[dave14305]

ahh, that makes sense.

So would that mean I'd have to change the addresses in the Unbound conf every time I use a different VPN service/server?

Normally, Unbound is only going to receive requests from dnsmasq from/to the loopback interface 127.0.0.1. So I’m not sure that’s the answer. I don’t know much about VPN clients though, so there’s that.

 

[Skeptical.me]

Normally, Unbound is only going to receive requests from dnsmasq from/to the loopback interface 127.0.0.1. So I’m not sure that’s the answer. I don’t know much about VPN clients though, so there’s that.

I'm thinking Unbound may not be for me. Thanks for the reply

 

[L&LD]

@Martineau a couple of more issues I'd like to report for you.

RT-AX88U with IPv6 Native Stateless enabled.

1) Connecting to another OpenVPN Server first attempts to use IPv6 and takes up to a minute to actually connect. This wasn't happening before with v2.03.

2) Trying to reconfigure Unbound by using the 'i' command doesn't undo the stuning even if just hitting Enter on that option.

Let me know if you need me to try anything to help with a fix/workaround for the above issues.

 

[dave14305]

New: TCP Fast Open. If you install the performance 'stuning.sh' option, if you have a HND router then the following is added to 'stuning.sh'

start() {

# Enable TCP Fast Open on HND routers - unbound_manager
echo 3 > /proc/sys/net/ipv4/tcp_fastopen

I don't think the above needs to be restricted to HND routers, but initially it is prudent pending confirmation that it is fully compatible with non-HND routers.

TFO requires a 3.1 Linux kernel, so it would exclude the non-HND routers. Whether it does any harm or not is unclear if set. The path does not exist under /proc on the AC68U.

 

[joe scian]

TFO requires a 3.1 Linux kernel, so it would exclude the non-HND routers. Whether it does any harm or not is unclear if set. The path does not exist under /proc on the AC68U.

I have it set on my AC-5300 - no ill effects even if its not being used.

 

[joe scian]

@Martineau a couple of more issues I'd like to report for you.

RT-AX88U with IPv6 Native Stateless enabled.

1) Connecting to another OpenVPN Server first attempts to use IPv6 and takes up to a minute to actually connect. This wasn't happening before with v2.03.

2) Trying to reconfigure Unbound by using the 'i' command doesn't undo the stuning even if just hitting Enter on that option.

Let me know if you need me to try anything to help with a fix/workaround for the above issues.

BTW regarding unbound.log using scribe - my opt/var/log/unbound.log is only 6K and only unbound starting messages are in there and subsequently being displayed within uiscribe resulting in very fast gui experience when viewing unbound logs.

Feb  3 18:59:58 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  4 21:46:34 RT-AC5300-0680 (unbound_manager.sh): 23836 Starting Script Execution (menu)
Feb  4 21:47:28 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  5 21:19:43 RT-AC5300-0680 (unbound_manager): 18728 Starting Script Execution (menu)
Feb  5 21:20:16 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  5 21:36:11 RT-AC5300-0680 (unbound_manager): 23396 Starting Script Execution (menu)
Feb  5 21:36:16 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 04:33:28 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 09:38:26 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 09:47:34 RT-AC5300-0680 (unbound_manager): 30765 Starting Script Execution (menu)
Feb  6 09:47:48 RT-AC5300-0680 (unbound_manager): 30765 Starting Script Execution (menu)
Feb  6 09:49:50 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 10:04:44 RT-AC5300-0680 (unbound_manager): 16062 Starting Script Execution (menu)
Feb  6 10:04:56 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 10:09:53 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 10:09:55 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 10:32:26 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 10:35:45 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 10:38:44 RT-AC5300-0680 (unbound_manager): 9838 Starting Script Execution (menu)
Feb  6 10:38:52 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 18:03:48 RT-AC5300-0680 (unbound_manager): 13734 Starting Script Execution (menu)
Feb  6 18:04:14 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Feb  6 18:04:23 RT-AC5300-0680 (unbound_manager): 14089 Starting Script Execution (menu)
Feb  6 18:04:40 RT-AC5300-0680 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound

However opt/var/lib/unbound/unbound.log is about 13Mbyte with a days logs and includes all query and resolving entries. My unbound.conf section relating to logs is as per below

# integration LOG's
#
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-queries: yes
log-replies: yes
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

Which then in my case seeems that the filter below is not capturing all the "program - unbound" . But I think I like it that way since there is no performance hit and subsequent GUI lockup

# log all unbound logs to /opt/var/log/unbound.log and stop processing unbound logs

destination d_unbound {
    file("/opt/var/log/unbound.log");
};

filter f_unbound {
    program("unbound");
};

log {
    source(src);
    filter(f_unbound);
    destination(d_unbound);
    flags(final);
};
#eof

 

[Martineau]

BTW regarding unbound.log using scribe - my opt/var/log/unbound.log is only 6K and only unbound starting messages are in there and subsequently being displayed within uiscribe resulting in very fast gui experience when viewing unbound logs. However opt/var/lib/unbound/unbound.log is about 13Mbyte with a days logs and includes all query and resolving entries. My unbound.conf section relating to logs is as per below

# integration LOG's
#
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-queries: yes
log-replies: yes
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

Clearly if Ad Block is enabled then there will be a lot of unbound messages to show the blocked domains.

Would you mind reducing the verbosity?

e.g.

e  = Exit Script

A:Option ==> ox verbosity 1

unbound-control -c /opt/var/lib/unbound/unbound.conf set_option 'verbosity 1' ok

to try and gauge the effect, i.e. does this significantly reduce the log size (your 13M) for a days usage, or perhaps I shouldn't enable

log-local-actions: yes

 

[joe scian]

Clearly if Ad Block is enabled then there will be a lot of unbound messages to show the blocked domains.

Would you mind reducing the verbosity?

e.g.

e  = Exit Script

A:Option ==> ox verbosity 1

unbound-control -c /opt/var/lib/unbound/unbound.conf set_option 'verbosity 1' ok

to try and gauge the effect, i.e. does this significantly reduce the log size (your 13M) for a days usage, or perhaps I shouldn't enable

log-local-actions: yes

actually Martineau I dont have Ad Block enabled - I commented that out in conf file.

#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################

BTW setting ox verbosity 1 didnt change the verbosity level in unbound.conf so I have done it manually

 

[Smokey613]

I've uploaded v2.04

New: TCP Fast Open. If you install the performance 'stuning.sh' option, if you have a HND router then the following is added to 'stuning.sh'

start() {

 # Enable TCP Fast Open on HND routers - unbound_manager
 echo 3 > /proc/sys/net/ipv4/tcp_fastopen

I don't think the above needs to be restricted to HND routers, but initially it is prudent pending confirmation that it is fully compatible with non-HND routers.

Where is this stuning.sh file located ?

 

[Martineau]

Where is this stuning.sh file located ?

'/jffs/addons/unbound/

 

[Martineau]

actually Martineau I dont have Ad Block enabled - I commented that out in conf file.

#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################

BTW setting ox verbosity 1 didnt change the verbosity level in unbound.conf so I have done it manually

By design the 'ox' command is real-time/dynamic, so you may test various settings and can simply use commands 'rs' or 'rl' to quickly recover if things go wrong.

NOTE: Apparently not all unbound options can be set using 'ox' (aka 'unbound-control')

 

[Smokey613]

'/jffs/addons/unbound/

I was just about to reply I had found it. It has been awhile since I used linux and I had forgotten about the find command. I used to run Debian and got used to the locate command so it took me a bit to remember find.

 

[Martineau]

I was just about to reply I had found it. It has been awhile since I used linux and I had forgotten about the find command. I used to run Debian and got used to the locate command so it took me a bit to remember find.

I was told to place 'unbound_manager.sh' and all its auxiliary files in '/jffs/addons/unbound/' rather than continue to 'spam' '/jffs/scripts/' by continuing to save scripts there.

 

[Smokey613]

I have decided to give Unbound another try and so far it is working great. My config is minimal. No ADblock, or FF DoH. Logging set to 1 and I am using the TCP Fast Open.

Thanks to all the contributors on this project!