Unbound - Authoritative Recursive Caching DNS Server

[Kingp1n]

You have 2 module-config statements in the file. Remove the original one if you're going to keep the dns64 option.

I noticed the new script also has 2 module-config managers. I should manually remove the original correct if using the dns64 option correct?

Update: I believe I don't have to remove since it's currently showing with # sign i.e.
#module-config: "validator iterator"

 

[dave14305]

I noticed the new script also has 2 module-config managers. I should manually remove the original correct if using the dns64 option correct?

Yes, only keep the most inclusive statement for the modules you want to use. I still don't understand what dns64 really does, so I'm not using it myself. Nor do I understand what the purpose of respip module is if not using RPZ (Response Policy Zones) on a home router.

Like investment products, if you don't understand it, it's probably not for you.

 

[Kingp1n]

I'm trying the latest unbound again...I've noticed once installed, I'm having issues with Nest app opening? Any recommendations anyone can provide? It basically just loads and never opens. It's only happening with the app. If I go thru the browser it opens up with no issues.

My router is RT-AC86U running latest Merlin FW (not the beta).

 

[kernol]

Just a thought - unless you are a serious coder - stick with the options available under @Martineau provided script for installing and modifying unbound !!!
There are several "ad hoc" additions and suggestions made in this thread which may well cause more problems than they are worth if you are not a serious self coder.
@Martineau has provided more than enough optionality under unbound_ manager than you could shake a stick at [try option 3 for e.g.] - so unless you understand this unbound stuff REALLY well - don't mess with manual changes to unbound.conf etc .

I got messed up with following some of the suggestions outside @Martineau script - and when I crashed out and did an uninstall - I got custom bits left behind which would NOT have happened had I stuck to the install scripts provided.

 

[dave14305]

I'm trying the latest unbound again...I've noticed once installed, I'm having issues with Nest app opening? Any recommendations anyone can provide? It basically just loads and never opens. It's only happening with the app. If I go thru the browser it opens up with no issues.

My router is RT-AC86U running latest Merlin FW (not the beta).

This would be a good time to temporarily enable Unbound logging in the menu and see what happens when you open the app. If you run Diversion, follow the diversion log as well in case dnsmasq doesn't like something about an answer returned from Unbound.

 

[Martineau]

I noticed the new script also has 2 module-config managers. I should manually remove the original correct if using the dns64 option correct?

Update: I believe I don't have to remove since it's currently showing with # sign i.e.
#module-config: "validator iterator"

Correct...so the script is working!

Yes, I could delete or even edit the existing 'module-config:' directive to include 'dns64', but I decided to comment out the existing statement to be able to easily backout the change if necessary.

 

[Martineau]

I've uploaded 'unbound_manager' v2.05 and 'unbound.conf' v1.02 (no idea what's happening with amtm )

Fix: 'scribe' command (broken in v2.04 update due to missing entries in 'unbound.conf 'v1.01)
Change: 'lo' command to address the issue of the extreme logging >135MB!!!!

A quick update about the 'lo' logging.

For most users, they simply need to be able to prove if unbound is ACTIVE, so during the initial unbound install, if you choose no logging, the unbound log file will now always be created and will only contain three lines:

e.g.

e  = Exit Script

A:Option ==> l

/opt/var/lib/unbound/unbound.log  Press CTRL-C to stop

Feb 04 10:39:38 unbound[25015:0] notice: init module 0: validator
Feb 04 10:39:38 unbound[25015:0] notice: init module 1: iterator
Feb 04 10:39:38 unbound[25015:0] info: start of service (unbound 1.9.6).

If you then enable logging 'lo'

e  = Exit Script

A:Option ==> lo

unbound logging ENABLED

you should then now only see 2 lines per domain - prefix tagged 'query' and 'reply'

e  = Exit Script

A:Option ==> l

/opt/var/log/unbound.log (syslog-ng)  Press CTRL-C to stop

Feb  6 11:14:17 RT-AC86U-6160 unbound: [18488:0] query: 127.0.0.1 www.bing.com. A IN
Feb  6 11:14:17 RT-AC86U-6160 unbound: [18488:0] reply: 127.0.0.1 www.bing.com. A IN NOERROR 0.000000 1 151
Feb  6 11:14:17 RT-AC86U-6160 unbound: [18488:0] query: 127.0.0.1 assets.msn.com. A IN
Feb  6 11:14:17 RT-AC86U-6160 unbound: [18488:0] reply: 127.0.0.1 assets.msn.com. A IN NOERROR 0.000000 1 138
Feb  6 11:14:17 RT-AC86U-6160 unbound: [18488:0] query: 127.0.0.1 img-s-msn-com.akamaized.net. A IN
Feb  6 11:14:17 RT-AC86U-6160 unbound: [18488:0] reply: 127.0.0.1 img-s-msn-com.akamaized.net. A IN NOERROR 0.000000 1 110
Feb  6 11:14:17 RT-AC86U-6160 unbound: [18488:0] query: 127.0.0.1 static-spartan-neu-s-msn-com.akamaized.net. A IN
Feb  6 11:14:17 RT-AC86U-6160 unbound: [18488:0] reply: 127.0.0.1 static-spartan-neu-s-msn-com.akamaized.net. A IN NOERROR 0.000000 1 122
Feb  6 11:14:56 RT-AC86U-6160 unbound: [18488:0] query: 127.0.0.1 myip.opendns.com. A IN
Feb  6 11:14:56 RT-AC86U-6160 unbound: [18488:0] reply: 127.0.0.1 myip.opendns.com. A IN NXDOMAIN 0.000000 1 80

If you install Ad Block, then there are additional verbose messages for the blocked domains, hence the Ad Block update script will delete '/opt/var/lib/unbound/unbound.log' every 24hrs.

However, currently there is no such process for unbound itself, so to prevent '/opt/var/lib/unbound/unbound.log' filling the disk, I recommend use of 'scribe' to manage the unbound logging.

NOTE: If you need to diagnose a query/reply pair, then by all means use

ox verbosity 2

or for TLS details

ox verbosity 4

 

[Martineau]

I have been trying to find the example '/logrotate.d/unbound' file when 'scribe' logging has been enabled. I can't.

I did find /opt/etc/logrotate.d, but no unbound file.

Any hints to find it?

Err .....they should be there?

 

[Martineau]

@Martineau a couple of more issues I'd like to report for you.

RT-AX88U with IPv6 Native Stateless enabled.

1) Connecting to another OpenVPN Server first attempts to use IPv6 and takes up to a minute to actually connect. This wasn't happening before with v2.03.

I have no way of testing IPv6, so not sure how to explain it.

I suggest you try 'unbound_manager' v2.05 with the updated 'unbound.conf' v1.02.
Clearly there is the IPv6 'dns64' tweak so it may be that a directive in 'unbound.conf' is the culprit?

2) Trying to reconfigure Unbound by using the 'i' command doesn't undo the stuning even if just hitting Enter on that option.

By design, 'i = Update' does just that, so (as explained on GitHub) you can add options, i.e. the 'i' doesn't remove existing options.

To be honest, I don't even bother to REBOOT (between the hundred or so re-installs I've had to do) so using

A:Option ==> z

IMPORTANT: It is recommended to REBOOT in order to complete the removal of unbound
             You will be asked to confirm BEFORE proceeding with the REBOOT

Press Y to REMOVE unbound or press [Enter] to CANCEL

Option ==> Y

then skipping the reboot, then (until unbound is added to amtm ) whilst it is tedious to manually retrieve the cURL installation command, it isn't too painful if you use the (advanced) shortcuts to reinstall unbound

e.g. only install unbound logging

e  = Exit Script

A:Option ==> i 1

then later you can opt for the tuning tweak

e  = Exit Script[/COLOR][/FONT][/LEFT]
[FONT=Georgia][COLOR=rgb(20, 20, 20)]
[LEFT]
A:Option ==> i 4

​

etc.

NOTE: As documented on Github, you can also specify

i none

or

i all

to save time by replying (or not) manually to the option prompts.​

 

[L&LD]

@Martineau I have installed v2.05 of the script but unbound still not there. I also ran '3', 'scribe' too in unbound_manager.

Here is a screen snip of WinSCP.

 

[QuikSilver]

@Martineau Anyone else seeing/getting this with you click Y to continue to update anyway it cancels it??

 

[Martineau]

@Martineau I have installed v2.05 of the script but unbound still not there. I also ran '3', 'scribe' too in unbound_manager.

Here is a screen snip of WinSCP.

View attachment 21207

I'm sure you did, but I've been caught out a million times...did you click 'refresh' (Ctrl+R)?

 

[Martineau]

@Martineau Anyone else seeing/getting this with you click Y to continue to update anyway it cancels it?? View attachment 21209

Did you press uppercase 'Y' ? bit hard to read on my screen

 

[QuikSilver]

Also I assume the fact that I use @Jack Yaz 's ntpMerlin thats why I get the message regarding enable local ntp server

 

[QuikSilver]

Did you press uppercase 'Y' ? bit hard to read on my screen

That might be it....I just pressed "y" not thinking it had to be a "Y".

 

[L&LD]

I have no way of testing IPv6, so not sure how to explain it.

I suggest you try 'unbound_manager' v2.05 with the updated 'unbound.conf' v1.02.
Clearly there is the IPv6 'dns64' tweak so it may be that a directive in 'unbound.conf' is the culprit?


By design, 'i = Update' does just that, so (as explained on GitHub) you can add options, i.e. the 'i' doesn't remove existing options.

To be honest, I don't even bother to REBOOT (between the hundred or so installs I've had to do) so using

A:Option ==> z

IMPORTANT: It is recommended to REBOOT in order to complete the removal of unbound
             You will be asked to confirm BEFORE proceeding with the REBOOT

Press Y to REMOVE unbound or press [Enter] to CANCEL

Option ==> Y

then skipping the reboot, then (until unbound is added to amtm ) whilst it is tedious to manually retrieve the cURL installation command, it isn't too painful if you use the (advanced) shortcuts to reinstall unbound

e.g. only install unbound logging

e  = Exit Script

A:Option ==> i 1

then later you can opt for the tuning tweak

e  = Exit Script[/COLOR][/FONT][/LEFT]
[FONT=Georgia][COLOR=rgb(20, 20, 20)]
[LEFT]
A:Option ==> i 4

​

etc.

NOTE: As documented on Github, you can also specify

i none

or

i all

to save time by replying (or not) manually to the option prompts.​

Thank you for your insights! I thought 'i' started fresh, but it adds. Gotcha!

The issue with the slow connecting OpenVPN client is that it tries to resolve first with '64:FF9B::/96', then it receives a

[UNDEF] Inactivity timeout (--ping-restart), restarting
soft,ping-restart] received, process restarting

command and starts connecting again with the IPv4 address which then successfully connects.

I will have time later to uninstall and reinstall Unbound as you note above without the stuning tweaks to test if it goes back to normal.



Edit: Just checked the router GUI and the Unbound log is showing in System Log! Still can't find that file in the indicated directory though. Does it automatically get moved to where it should be?

 

[L&LD]

I'm sure you did, but I've been caught out a million times...did you click 'refresh' (Ctrl+R)?

View attachment 21208

I thought I had, but just did it again, still nothing different.

 

[rgnldo]

Warning: exclusively follow the installer script, which guides the initial post.


I am improving the blocking sequence by CNAME, in adblock / unbound.
One correction, each validator with its option, evoking each module.


dns64
This option has been widely discussed in the IPV6 unbound forums. For me, it works perfectly.

 

[Martineau]

I thought I had, but just did it again, still nothing different.

OK, I manually deleted the 'unbound' file from both '/opt/etc/syslog-ng.d/' and '/opt/etc/logrotate.d/'

then uninstalled unbound, then reinstalled as follows:

e  = Exit Script

A:Option ==> i 1

e  = Exit Script

A:Option ==> scribe

and the two files appeared with identical current (UK) timestamps

e.g.

ls -lah /opt/etc/syslog-ng.d/unbound /opt/etc/logrotate.d/unbound
-rw-------    1 admin    root         139 Feb  6 17:37 /opt/etc/logrotate.d/unbound
-rw-------    1 admin    root         298 Feb  6 17:37 /opt/etc/syslog-ng.d/unbound

 

[L&LD]

OK, I manually deleted the 'unbound' file in both 'opt/etc/syslog-ng.d' and '/opt/etc/logrotate.d'

then uninstalled unbound, then reinstalled as follows:

e  = Exit Script

A:Option ==> e

and the two files appeared with the current (UK) timestamp

e.g.

ls -lah /opt/etc/syslog-ng.d/unbound /opt/etc/logrotate.d/unbound
-rw-------    1 admin    root         139 Feb  6 17:37 /opt/etc/logrotate.d/unbound
-rw-------    1 admin    root         298 Feb  6 17:37 /opt/etc/syslog-ng.d/unbound

The file is in /opt/etc/syslog-ng.d/unbound!

I will try what you did above (later tonight) and see if it puts it in both places too. Thank you.