
Unbound - Authoritative Recursive Caching DNS Server

Instead of relying on a Google DNS, Cloudflare, Quad9 or NextDNS, Unbound will let you perform the same DNS functions as those public resolvers. Unbound will deal directly with the authoritative name server (i.e. domain owner) instead of relying on a third-party to do that. You cut out that middle-man. If you only want to use Unbound as another forwarder, it won't really offer much benefit over the built-in dnsmasq.

When Unbound gets a DNS request from a client, it will not use a single upstream server like you may be used to. Say it gets a request to look up www.snbforums.com. First it will query the root DNS servers to see what server is the owner of the .com top-level domain. Once it knows that server identity, it will query that one to see which DNS nameserver owns snbforums.com within the .com domain. Once it gets that response, it will query the snbforums.com DNS server to get the IP for www within snbforums.com.

It does all that directly between you and those servers, without sharing your DNS query data with a third-party DNS resolver like the ones I mentioned earlier.

I agree that this explanation should be added to the first post of this thread. It would also be nice if there were an explanation of how to configure this relative to the built-in Merlin firmware DNSSEC and DoT setting. I guess "Unbound_manager" is meant to provide that.
 
I agree that this explanation should be added to the first post of this thread. It would also be nice if there were an explanation of how to configure this relative to the built-in Merlin firmware DNSSEC and DoT setting. I guess "Unbound_manager" is meant to provide that.

I think you may have missed the point of @dave14305's post. If you run Unbound, there is no point in configuring DoT, DNSSEC or NextDNS since in two out of those three, you're your own DNS resolver.....and as far as DNSSEC goes, Unbound is configured to handle that on its own......
 
How come when I install Unbound, the address https://www.asrock.com/ doesn't work?
Both pre-install and after-uninstall makes the site work again.
This will depend on how you set up Unbound and other services. I have used Unbound for some time now and I can access https://www.asrock.com/

Code:
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62097
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;asrock.com. IN A

;; ANSWER SECTION:
asrock.com. 14400 IN A 206.225.80.203

;; Query time: 636 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1)
;; WHEN: Mon Feb 10 23:24:40 BRT 2020
;; MSG SIZE rcvd: 55

rgnldo@rgnldo-lan:/tmp/home/root# dig asrock.com @127.0.0.1 -p 53535

; <<>> DiG 9.14.8 <<>> asrock.com @127.0.0.1 -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64293
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;asrock.com. IN A

;; ANSWER SECTION:
asrock.com. 14398 IN A 206.225.80.203

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1)
;; WHEN: Mon Feb 10 23:24:42 BRT 2020
;; MSG SIZE rcvd: 55
 
What's next :cool:

Code:
rgnldo@rgnldo-lan:/tmp/home/root# sh /jffs/scripts/gen_unbound.sh
Removing unbound.conf files..
Removing log's files...
Memory management...
Configuring REDIS support...
Restarting services...
 Starting ntpdate...              done.
 Shutting down unbound...              done.
 Starting unbound...              done.
 Shutting down haveged...              done.
 Shutting down suricata...              done.
 Starting suricata...              done.
 Shutting down clamav...              done.
 Starting clamav...              done.
 Checking haveged...              alive.
 Checking unbound...              alive.
 Checking ntpdate...              alive.
 Checking suricata...              alive.
 Checking clamav...              alive.
 unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
 
I think you may have missed the point of @dave14305's post. If you run Unbound, there is no point in configuring DoT, DNSSEC or NextDNS since in two out of those three, you're your own DNS resolver.....and as far as DNSSEC goes, Unbound is configured to handle that on its own......

Thanks. Now that I understand that I'm still unsure what Unbound gets me over DoT+DNSSEC using Quad9, especially when considering the additional effort and complexity of installed software on the router to get Unbound running.
 
@maxbraketorque the complexity has fallen to zero. :)

What I like about Unbound, besides the fact that I am the DNS authority, is the performance benefits it offers. Within each website after the initial connection, it is like I am turning pages in a book, i.e. real-time.

Security is not likely when online; may as well make it as quick and painless as possible. :)

Besides, being your own DNS authority is a type of security in itself.

Have a spare USB drive and want to see this for yourself?

Prepare the router:
  • enable JFFS custom scripts and configs.
  • enable SSH, LAN Only.
  • enable the built-in NTP server, if you haven't already.
  • set the DNSFilter to Router for the Global Filter Mode.
  • disable DoT, if enabled.
  • use Manual DNS WAN servers (e.g. 1.1.1.1 and 1.0.0.1).

Install Unbound and dependencies:
  • SSH into the router with PuTTY or your terminal of choice.
  • type amtm and hit Enter.
  • type 'uu' to make sure you are on the latest amtm version.
  • insert the USB drive and type 'fd', Enter.
  • format the USB drive to Ext4 with journaling enabled.
  • after the reboot, create a swap file with the 'sw' command.
  • install the disk checker with 'dc'.
  • install Entware with 'ep'.
  • install Unbound with '7'.
Reboot the router and let it settle a few minutes before judging the changes made.

Use your network normally and see if this is an enhancement you need. :)

Reverse the steps above if it isn't. :)
 
Yeah, that indeed is easy. However, I think I'll wait to see what rgnldo is hinting at in Post 1188. Looks like installation complexity might be dropping to negative numbers. :)
 
@maxbraketorque, @rgnldo is adding complexity* in a simple way. :)

*Suricata, ClamAV and I think ntpdate too. ;)

You will still need to do what I outlined in either case. :)
 
Suricata, ClamAV

I don't know about Suricata and ClamAV on router hardware... I don't currently use ClamAV, but had it running together with Suricata at one point, and the result at 300Mbps was a few GB of RAM used and about 50% load on an Intel i5 CPU. Lower priced Netgate devices can't do it, for example.
 
Maybe this is the 'lite' version? :)

See post 1188...
 
How come when I install Unbound, the address https://www.asrock.com/ doesn't work?
Both pre-install and after-uninstall makes the site work again.

It might have something to do with the fact that when I installed Unbound earlier, I didn't have Diversion ad-blocking enabled.
Now when I reinstalled and had Diversion ad-blocking enabled, everything seems to work just fine!
 
Must be a very light version. Depending on what it is checking for, that thing can kill server hardware. ClamAV is actually heavier than a normally set up Suricata, in my experience. And there is not much control over it.

Disregard for the purposes of this post. It is not the focus. Some time ago I organized Suricata and ClamAV: Suricata for routers via Entware. It all depends on the configuration and the rules.
Code:
10/2/2020 -- 15:05:57 - <Notice> - This is Suricata version 4.1.4 RELEASE
10/2/2020 -- 15:05:57 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2024192 and 1 o>
10/2/2020 -- 15:05:57 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2025195 and 1 other si>
10/2/2020 -- 15:05:57 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017557 and 1 othe>
10/2/2020 -- 15:05:57 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017772 and 1 o>
10/2/2020 -- 15:05:57 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017790 and 0 other si>
10/2/2020 -- 15:05:58 - <Notice> - AFL mode starting
10/2/2020 -- 15:05:58 - <Notice> - AFL mode starting
10/2/2020 -- 15:05:58 - <Notice> - all 2 packet processing threads, 0 management threads initialized, engine started.
 
*Suricata, ClamAV and I think ntpdate too.
They appeared there because I launched the restart of all services. Disregard for the purposes of this post...
 
If you want my opinion about forwarding queries via unbound, my answer: there are countless advantages to using unbound only as a forwarder. Dnsmasq is a DNS/DHCP server. It is possible to configure DNSMASQ for only the DHCP function, pointing to unbound as a DNS server, as is done on an exclusive DHCP server. Even if you don't use the recursive root server's function, you will still have DNSSEC, QNAME MINIMIZATION and other custom privacy functions that the user can add.
Thankfully, unbound is modular.
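The two ways of running Unbound discussed in this thread, full recursion and forwarding, side by side, as an added example configuration. This is not the file unbound_manager or gen_unbound.sh generates and not anything rgnldo posted; the loopback port 53535 is the one visible in the dig output earlier in the thread, while the file paths, the Quad9 forward addresses and the CA bundle location are assumptions for the example:

```conf
# unbound.conf (added example; not the generated /opt/var/lib/unbound/unbound.conf)
server:
    interface: 127.0.0.1@53535            # port seen in the dig output above (assumed)
    access-control: 127.0.0.0/8 allow
    do-ip6: no
    # DNSSEC validation and QNAME minimisation apply in BOTH modes below
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"    # assumed path
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Only the forwarder variant needs a CA bundle to verify the DoT upstream;
    # uncomment together with the forward-zone (assumed Entware path)
    #tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"

# Full recursive resolver: stop here.  With no forward-zone, Unbound walks
# root -> TLD -> authoritative server itself, as described at the top of the thread.

# Forwarder variant: uncomment to send every query over DoT to Quad9 instead.
# Validation still happens locally, but the upstream now receives each full qname.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 9.9.9.9@853#dns.quad9.net
#    forward-addr: 149.112.112.112@853#dns.quad9.net

# /jffs/configs/dnsmasq.conf.add (assumed path): dnsmasq keeps DHCP and the
# local LAN names, and hands every other query to Unbound on the loopback port.
no-resolv
server=127.0.0.1#53535
```

Check the result with `unbound-checkconf` before restarting, as the gen_unbound.sh output earlier in the thread does; a missing trust anchor or CA bundle shows up there rather than as silent SERVFAILs later.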
 
Even if you don't use the recursive root server's function, you will still have DNSSEC, QNAME MINIMIZATION and
This got me thinking about QName minimization. I’m not certain qname minimization is active in forward mode, but even if it is, it can’t provide much benefit because you still end up forwarding the entire qname to the forward server eventually, so you’ve still lost your privacy benefit by relying on a forwarder.
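An added example, not code from the thread or from Unbound itself, that makes the point in the two posts above concrete: it simulates the referral walk a full resolver performs for www.snbforums.com (the lookup dave14305 described at the start of the thread) with and without QNAME minimisation, and then a forwarder-mode lookup, recording which server received which query name. The root, TLD and authoritative servers, the delegation chain and the address 203.0.113.10 are all constructed in memory for the example:

```python
"""Added example (not code from the thread or from Unbound): an in-memory
simulation of the referral walk a full resolver performs, with and without
QNAME minimisation, versus handing the query to a forwarder.  Every server,
name and address below is constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """Stand-in authoritative server: its zone, a few A records, the child
    zones it delegates, and a log of every query name it received."""
    zone: str
    records: dict
    delegations: dict               # child zone -> key of the server for it
    seen: list = field(default_factory=list)

    def query(self, qname):
        self.seen.append(qname)
        if qname in self.records:
            return "ANSWER", self.records[qname]
        for child, target in self.delegations.items():
            if qname == child or qname.endswith("." + child):
                return "REFERRAL", target       # "ask that server instead"
        return "NODATA", None                   # name is ours, no record for it


def build_servers():
    # Constructed delegation chain: root -> com -> snbforums.com
    return {
        "root": AuthServer(".", {}, {"com": "tld-com"}),
        "tld-com": AuthServer("com", {}, {"snbforums.com": "ns-snbforums"}),
        "ns-snbforums": AuthServer("snbforums.com",
                                   {"www.snbforums.com": "203.0.113.10"}, {}),
    }


def minimal_names(qname):
    """One more label per step, as in RFC 7816:
    'www.snbforums.com' -> ['com', 'snbforums.com', 'www.snbforums.com']"""
    labels = qname.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def iterate(qname, servers, minimise):
    """Resolve qname starting at the root.  Returns (address or None, trace)
    where trace lists (server key, name sent) in order."""
    names = minimal_names(qname) if minimise else [qname]
    key, idx, trace = "root", 0, []
    for _ in range(32):                         # loop guard for broken chains
        sent = names[idx]
        trace.append((key, sent))
        status, data = servers[key].query(sent)
        if status == "ANSWER" and sent == qname:
            return data, trace
        if status == "REFERRAL":
            key = data                          # follow the delegation
        elif sent == qname:
            return None, trace                  # full name asked, no record
        if minimise and idx < len(names) - 1:
            idx += 1                            # reveal one more label
    raise RuntimeError("referral loop")


def via_forwarder(qname, servers, forwarder_log):
    """Forward mode: the forwarder gets the full name before it does anything
    else; whether *it* minimises afterwards does not change what it learned."""
    forwarder_log.append(qname)
    return iterate(qname, servers, minimise=True)[0]


def observed(qname, minimise):
    """Run one lookup on fresh servers and report who saw which names."""
    servers = build_servers()
    addr, _ = iterate(qname, servers, minimise)
    return addr, {k: s.seen for k, s in servers.items()}


if __name__ == "__main__":
    for mode in (False, True):
        addr, seen = observed("www.snbforums.com", minimise=mode)
        print(f"qname-minimisation={mode}: {addr}")
        for server, names in seen.items():
            print(f"  {server:<13} saw {names}")
    log = []
    via_forwarder("www.snbforums.com", build_servers(), log)
    print(f"forwarder saw {log}")
```

With minimisation on, the root only ever sees `com` and the .com server only `snbforums.com`; with it off, all three receive the full name. In forwarder mode the full name reaches the forwarder on the very first message, which is the privacy point made in the post above: minimisation only helps the party that is doing the walking.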
 