Unbound - Authoritative Recursive Caching DNS Server

[rafagomes]

access-control: would still need to be 0.0.0.0/0 allow unless you can identify the range of possible WAN IPs when your Android phone is on cellular networking.

https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts#ddns-start
This explains the /jffs/scripts/ddns-start script you would need to create. But it would take some fancy sed commands to replace the WAN IP in unbound.conf with $1 in the ddns-start script. Quite possible, but takes some work to do reliably. Martineau is very good at swapping values in the unbound.conf script.

Does the DoT connection work yet from the WAN? Once it does, you could enable logging to see the source IPs from the Internet to determine if they fall within a more specific IP range.

Skynet will block bad IPs regardless of port, so no special configuration required.

I could not test yet. I will test and put the feedback here tomorrow morning.

Do I have to put these firewall changes in some file to make it persistent?

 

[dave14305]

Do I have to put these firewall changes in some file to make it persistent?

They should be added to /jffs/scripts/firewall-start. You can remove the 853/udp rule.

 

[rafagomes]

They should be added to /jffs/scripts/firewall-start. You can remove the 853/udp rule.

Thanks @dave14305 and @rgnldo I now able to use my unbound with dns firewall, adblock and (still not sure how well works) youtube adblocking on all my devices at all times.
I am taking as side project to create a PR to martineau script, I just need to figure it out the logic for: 1) Finding if DDNS is enable, find the DDNS FQDN and if it has a Let's Encrypt certificate.

There is only on thing I wasn't able to figure it out: when I enable Private DNS, when I am on my LAN, I no longer can access my media server using its local domain. Would you have any idea on how to "fix" that?

 

[rgnldo]

Finding if DDNS is enable, find the DDNS FQDN and if it has a Let's Encrypt certificate.

DDNS has no relation to a resolver. It should work without you connecting a firewall. Unbound TLS alone does not have root server support. It will have to match port 53. I was able to organize Unbound TLS.

youtube adblocking on all my devices at all times

tried it, but I use Youtube premium and it was a problem

I enable Private DNS, when I am on my LAN, I no longer can access my media server using its local domain. Would you have any idea on how to "fix" that?

try to identify in unbound

 

[dave14305]

DDNS has no relation to a resolver. It should work without you connecting a firewall. Unbound TLS alone does not have root server support. It will have to match port 53. I was able to organize Unbound TLS.

He is making an Internet-facing DoT server with Unbound.

 

[kernol]

I really enjoy Unbound - but in its "pure" form as an authoritative recursive caching DNS server.

Trouble is ... the official [Release] thread has grown like Topsy along with the unbound_manager code that goes with it [now over 4,500 lines] - the majority of which seems to have to do with "add-ons" [Advert blocking / firewalls / YouTube / etc.]. Hardly a day goes by without some update or other being posted - but no change log ... so if you miss the post you have no idea what's fixed/changed. I'm sure it works well for those perpetually updating the adblocking and other extra features.

This thread used to have in the very first post - the steps required to install and get Unbound up and running.
Is it possible to reinstate those - so that others like me can simply have use of Unbound as a DNS and continue to enjoy Diversion and Skynet as our advert blockers/firewalls etc? I have no intention of leaving either of those two well established, stable and utterly reliable script providers.

Wishful thinking? Or could we return to Unbound Roots [pun intended] .

 

[rgnldo]

Wishful thinking? Or could we return to Unbound Roots [pun intended]

I have observed the development of the unbound_manager script, the project remains fully competent. I recommend the unbound_manager script. To be honest, I believe that there are two topics that are more difficult than helpful. I recommend that you use the unbound_manager script in the standard installation. After completion, manually configure what you want.

As I use the gen_unbound.sh personal script on demand, I use the dynamic and clean unbound installation.

In summary, I believe that two topics with the same theme are unnecessary. So I added the unbound_manager link script. I hope to end this thread.

 

[Centrifuge]

Is it possible to reinstate those - so that others like me can simply have use of Unbound as a DNS and continue to enjoy Diversion and Skynet as our advert blockers/firewalls etc?

At this point you could just stop updating the unbound_manager script, make your own mods to .conf and benefit form the residual stats, restart and cache management in place from it.

 

[joe scian]

I really enjoy Unbound - but in its "pure" form as an authoritative recursive caching DNS server.

Trouble is ... the official [Release] thread has grown like Topsy along with the unbound_manager code that goes with it [now over 4,500 lines] - the majority of which seems to have to do with "add-ons" [Advert blocking / firewalls / YouTube / etc.]. Hardly a day goes by without some update or other being posted - but no change log ... so if you miss the post you have no idea what's fixed/changed. I'm sure it works well for those perpetually updating the adblocking and other extra features.

This thread used to have in the very first post - the steps required to install and get Unbound up and running.
Is it possible to reinstate those - so that others like me can simply have use of Unbound as a DNS and continue to enjoy Diversion and Skynet as our advert blockers/firewalls etc? I have no intention of leaving either of those two well established, stable and utterly reliable script providers.

Wishful thinking? Or could we return to Unbound Roots [pun intended] .

I really enjoy Unbound - but in its "pure" form as an authoritative recursive caching DNS server.

Trouble is ... the official [Release] thread has grown like Topsy along with the unbound_manager code that goes with it [now over 4,500 lines] - the majority of which seems to have to do with "add-ons" [Advert blocking / firewalls / YouTube / etc.]. Hardly a day goes by without some update or other being posted - but no change log ... so if you miss the post you have no idea what's fixed/changed. I'm sure it works well for those perpetually updating the adblocking and other extra features.

This thread used to have in the very first post - the steps required to install and get Unbound up and running.
Is it possible to reinstate those - so that others like me can simply have use of Unbound as a DNS and continue to enjoy Diversion and Skynet as our advert blockers/firewalls etc? I have no intention of leaving either of those two well established, stable and utterly reliable script providers.

Wishful thinking? Or could we return to Unbound Roots [pun intended] .

Well choose to install it as a recursive caching DNS server and dont install Adblock - keep your Diversion and Skynet. You can do that by simply installing it via AMTM and choosing not to install Adblock. Dont install DNS firewall - dont install Youtube. What is it exactly that you have trouble with ? A simple menu structure with options that AMTM and Martineau provides? Your bleating isnt helpful to anyone.

 

[kernol]

I have observed the development of the unbound_manager script, the project remains fully competent. I recommend the unbound_manager script. To be honest, I believe that there are two topics that are more difficult than helpful. I recommend that you use the unbound_manager script in the standard installation. After completion, manually configure what you want.

As I use the gen_unbound.sh personal script on demand, I use the dynamic and clean unbound installation.

In summary, I believe that two topics with the same theme are unnecessary. So I added the unbound_manager link script. I hope to end this thread.

BIG thanks to you for bringing Unbound to our Routers - really appreciate that - and for your generosity in stepping aside for another to run with the project. {Double Thumbs Up}. .

In my book it is just a pity that the Unbound [Release] thread didn't spawn a separate thread to deal with all the add-ons - which mainly feature partial Diversion and Skynet replacements.

 

[kernol]

Well choose to install it as a recursive caching DNS server and dont install Adblock - keep your Diversion and Skynet. You can do that by simply installing it via AMTM and choosing not to install Adblock. Dont install DNS firewall - dont install Youtube. What is it exactly that you have trouble with ? A simple menu structure with options that AMTM and Martineau provides? Your bleating isnt helpful to anyone.

Thanks Joe - precisely what I have done up to now ... and not a "bleating" session - simply an honest appeal for an Unbound install script which simply provides the DNS services - with a separate thread for all the other features which some [possibly even a minority] may want to bolt on to Unbound.

 

[SomeWhereOverTheRainBow]

Thanks Joe - precisely what I have done up to now ... and not a "bleating" session - simply an honest appeal for an Unbound install script which simply provides the DNS services - with a separate thread for all the other features which some [possibly even a minority] may want to bolt on to Unbound.

why do you need a script? you seem knowledgeable enough to type a couple lines in ssh and copy and paste a few places. the addons are just that, they are addons. they don't become active until you the user decide to use them. what is all the excitement about? @Martineau @juched @Jack Yaz are nice enough to take the time to accommodate users with feature options. Most are hidden until the user feels the need to ask how to use them. if you don't want an over complicated for you type of setup then stick with the easy menu. As for a separate thread, that is up to the developers of unbound manager.

 

[Smokey613]

I will admit to having the same opinion as kernol initially when they started adding all these “extras” to Unbound. But they finally got the new manager install cleaned up and now it is easier to install just the options you want so I am back on Unbound and very happy with it. Big thanks to all contributors to this project!

 

[SomeWhereOverTheRainBow]

I will admit to having the same opinion as kernol initially when they started adding all these “extras” to Unbound. But they finally got the new manager install cleaned up and now it is easier to install just the options you want so I am back on Unbound and very happy with it. Big thanks to all contributors to this project!

Good to hear, I tested out how easy the easy menu was to use and I had to say @Martineau nailed it.

 

[rgnldo]

Personally, I have a customized installation, with my own script, since I need to add interesting features for me.
But I reinforce the importance of the unbound_manager script. Its development is honest and competent. I recommend. Even if I was wrongly misunderstood, I recommend it.
For this reason, I hope that unbound issues will be focused on the unbound_manager thread

 

[kernol]

why do you need a script? you seem knowledgeable enough to type a couple lines in ssh and copy and paste a few places. the addons are just that, they are addons. they don't become active until you the user decide to use them. what is all the excitement about? @Martineau @juched @Jack Yaz are nice enough to take the time to accommodate users with feature options. Most are hidden until the user feels the need to ask how to use them. if you don't want an over complicated for you type of setup then stick with the easy menu. As for a separate thread, that is up to the developers of unbound manager.

Thanks for your response ... perhaps you missed my affirmation of the other Unbound thread in my first post ...?

... "I'm sure it works well for those perpetually updating the adblocking and other extra features."

No "excitement" on my part - just a simple request. Barring a major update to Unbound itself [as happened recently] - it strikes me that Unbound can be a "set and forget" experience for most of us wanting to use it.

I am aware that there are a number of Unbound users who are coders themselves and don't use the unbound_manager script. Perhaps there are many non-coders like me who would enjoy the significant benefits of Unbound purely as their DNS ... in a "set and forget" manner.

Perhaps it will make its way into the firmware one day - that would be awesome. .

 

[SomeWhereOverTheRainBow]

Thanks for your response ... perhaps you missed my affirmation of the other Unbound thread in my first post ...?


No "excitement" on my part - just a simple request. Barring a major update to Unbound itself [as happened recently] - it strikes me that Unbound can be a "set and forget" experience for most of us wanting to use it.

I am aware that there are a number of Unbound users who are coders themselves and don't use the unbound_manager script. Perhaps there are many non-coders like me who would enjoy the significant benefits of Unbound purely as their DNS ... in a "set and forget" manner.

Perhaps it will make its way into the firmware one day - that would be awesome. .

No I get your post above, I just wonder why the topic keeps getting rehashed every "monday". The reason why I ask is because the devs of the installer have taken the time to accommodate an easy menu for the users who don't want the flashy adblock or the DNSfirewall. The users who want a set it and forget it. It is easy to set it , why haven't the users forgot it yet?

 

[thiggins]

@rgnldo has requested this thread be closed so that all unbound related discussion is in one place. Please continue unbound discussion here.