Unbound - Authoritative Recursive Caching DNS Server

Code:
pc_delete "dnssec" "$CONFIG"
pc_delete "trust-anchor=" "$CONFIG"
Good organization. I do not see the need for these arguments. Neither DNSSEC nor DNS Rebind will be enabled in the GUI ...
 
I recommend using my adblock script with stubby and iptables redirection. It is wonderful.
 
Good organization. I do not see the need for these arguments. Neither DNSSEC nor DNS Rebind will be enabled in the GUI ...
They're enabled in my GUI in case Unbound will not be running (deliberately or accidentally). I basically remove any dnsmasq option that would interfere with Unbound responses.
I recommend using my adblock script with stubby and iptables redirection. It is wonderful.
I will study the memory usage compared to Diversion. I don't see the need (for me) for the iptables redirection since I could enable DNSFilter to force dnsmasq. If I were to disable dnsmasq DNS completely with port=0, then I would just move Unbound to port 53 and leave DNSFilter enabled.
There's no need either. Unbound-anchor does automatic updates.
I am being conservative since the documentation says to run it at system start in case it has been turned off for some time. Important for me since I switch setups often, as a geek hobby.
 
I'm back to running Unbound with Diversion and dnsmasq. Smooth as silk. Took a tcpdump (am I allowed to say that?) and saw all the recursive queries going out to the various servers.

I did update my dnsmasq.postconf to combine my grep strings for UNBOUNDLISTENADDR:
Code:
#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh

# Only hand DNS off to Unbound when it is actually running
if [ -n "$(pidof unbound)" ]; then
       # Unbound's listening UDP socket on 127.0.0.x, rewritten from addr:port to addr#port (dnsmasq server= syntax)
       UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
       if [ -n "$UNBOUNDLISTENADDR" ]; then
               # Drop dnsmasq's own upstreams and DNSSEC validation so they cannot override Unbound's answers
               pc_delete "servers-file" "$CONFIG"
               pc_delete "no-negcache" "$CONFIG"
               pc_delete "trust-anchor=" "$CONFIG"
               pc_delete "dnssec" "$CONFIG"
               pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
               # Forward everything to Unbound and pass its AD bit through unchanged
               pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
               pc_append "proxy-dnssec" "$CONFIG"
       fi
fi

And I added an unbound-anchor update to the S61unbound startup to ensure the updates are happening.
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
       # Wait for NTP before starting
       logger -st "S61unbound" "Waiting for NTP to sync before starting..."
       ntptimer=0
       while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
               ntptimer=$((ntptimer+1))
               sleep 1
       done

       if [ "$ntptimer" -ge "300" ]; then
               logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
               echo ""
               exit 1
       fi
fi

/opt/sbin/unbound-anchor -a /opt/var/lib/unbound/root.key

export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
PRECMD=""
POSTCMD="service restart_dnsmasq"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
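As an added example (not code from the thread or from helper.sh), the script below replays the dnsmasq.postconf edits above on a constructed dnsmasq.conf, using local stand-ins for pc_delete/pc_replace/pc_append, and then checks that the hand-off to Unbound is complete. The netstat output, the sample configuration and the trust-anchor digest are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: replay the dnsmasq.postconf edits on a
# constructed dnsmasq.conf and verify the hand-off to Unbound is complete.
# pc_* are local stand-ins for the helper.sh functions of the same name (assumed
# semantics: drop lines containing a string / substitute a string / append a line).
pc_delete()  { grep -v -- "$1" "$2" > "$2.tmp"; mv "$2.tmp" "$2"; }
pc_replace() { sed "s|$1|$2|g" "$3" > "$3.tmp" && mv "$3.tmp" "$3"; }
pc_append()  { echo "$1" >> "$2"; }

# Constructed 'netstat -nlup' output: dnsmasq on port 53, Unbound on 127.0.0.1:53535.
NETSTAT_SAMPLE='udp   0   0 0.0.0.0:53         0.0.0.0:*   1234/dnsmasq
udp   0   0 127.0.0.1:53535    0.0.0.0:*   5678/unbound'

# The thread's extraction pipeline: 127.0.0.1:53535 -> 127.0.0.1#53535 (dnsmasq server= syntax)
unbound_listen_addr() {
    printf '%s\n' "$NETSTAT_SAMPLE" | grep "^udp.* 127\.0\..*\/unbound$" |
        head -1 | awk '{ print $4 }' | tr ':' '#'
}

# Constructed dnsmasq.conf carrying the GUI options that would conflict with Unbound.
make_sample_conf() {
    printf '%s\n' 'pid-file=/var/run/dnsmasq.pid' 'no-negcache' 'cache-size=1500' \
        'servers-file=/tmp/resolv.dnsmasq' 'dnssec' \
        'trust-anchor=.,20326,8,2,PLACEHOLDER-DIGEST' 'stop-dns-rebind' > "$1"
}

apply_unbound_postconf() {   # $1 = dnsmasq.conf, $2 = addr#port
    pc_delete "servers-file" "$1"; pc_delete "no-negcache" "$1"
    # pc_delete "dnssec" drops every line containing the string, so proxy-dnssec is appended only afterwards
    pc_delete "trust-anchor=" "$1"; pc_delete "dnssec" "$1"
    pc_replace "cache-size=1500" "cache-size=0" "$1"
    pc_append "server=$2" "$1"; pc_append "proxy-dnssec" "$1"
}

# 0 only if dnsmasq forwards everything to Unbound and validates/caches nothing itself.
check_handoff() {   # $1 = dnsmasq.conf, $2 = addr#port
    if grep -qE '^(dnssec|trust-anchor=|servers-file|no-negcache)' "$1"; then return 1; fi
    grep -qx "server=$2" "$1" && grep -qx 'proxy-dnssec' "$1" && grep -qx 'cache-size=0' "$1"
}

run_demo() {   # returns 0 when the edited file passes check_handoff
    conf=$(mktemp); make_sample_conf "$conf"
    addr=$(unbound_listen_addr)
    apply_unbound_postconf "$conf" "$addr"
    check_handoff "$conf" "$addr"; rc=$?
    rm -f "$conf"; return "$rc"
}
```

Running check_handoff against the real /etc/dnsmasq.conf after a restart is a quick way to confirm the postconf actually took effect.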

Apologize for jumping in here, but I have been following the thread and do have unbound up and running per the first post.
I noticed you stated that you are running Unbound with Diversion and dnsmasq, however I do not see in your dnsmasq.postconf the following line. Would that not be required?
Code:
. /opt/share/diversion/file/post-conf.div # Added by Diversion
;)
 
I omitted it in case anyone copying it wasn't a Diversion user. Good eyes!
 
Code:
#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh

if [ -n "$(pidof unbound)" ]; then
       UNBOUNDLISTENADDR=$(netstat -nlup | grep "^udp.* 127\.0\..*\/unbound$" | head -1 | awk ' { print $4 } ' | tr ':' '#')
       if [ -n "$UNBOUNDLISTENADDR" ]; then
               pc_delete "servers-file" "$CONFIG"
               pc_delete "no-negcache" "$CONFIG"
               pc_delete "trust-anchor=" "$CONFIG"
               pc_delete "dnssec" "$CONFIG"
               pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
               pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
               pc_append "proxy-dnssec" "$CONFIG"
       fi
fi
. /opt/share/diversion/file/post-conf.div # Added by Diversion
 
I am running it on my setup. It took me a while to get used to the fact I was sending out plain text traffic though, as I was so used to using DoT for a long time. The recursion is nice though.
 
Optional. Unbound ad and tracker blocking function.
Download:
Code:
https://github.com/rgnldo/Unbound-Asuswrt-Merlin/raw/master/unbound_adblock.tar.bz2
Arrange the adblock folder in the jffs directory.
Set permissions on the file:
Code:
chmod +x /jffs/adblock/gen_adblock.sh

sh /jffs/adblock/gen_adblock.sh
Enter the include option in unbound.conf:
Code:
include: /jffs/adblock/adservers

File /adblock/permlist contains the allowed domains that the user adds.
File /adblock/blockhost contains the disallowed domains that the user adds.
File /adblock/adservers is the Unbound list generated by the script.
 
I am going to stick with Diversion and pixelserv-tls doing my network-level ad-blocking. I just feel that Diversion is so mature and bullet-proof that I don't want to start over with a home-grown script.
 
I like Diversion, but I wish the routers were not so limited; I feel like Diversion is held back by the limitations of the router. It is the only bad takeaway from using it. It is awesome to be able to have it all done locally on the router though. It is so convenient because you don't have to worry about a separate device losing power (or connection), i.e. an RPi.
 
I feel like Diversion is held back by the limitations of the router. It is the only bad takeaway from using it.
The problem is redirecting to Pixelserv-tls. IP redirect lock consumes a lot of memory. Dnsmasq suffers a lot from this.
There is the NoTrack project with the proposal based on a MariaDB database: https://gitlab.com/quidsup/notrack.
In my unbound adblock script I can arrange lock by NXDOMAIN. In this mode, memory consumption is reduced and the lock response is more efficient.
 
@rgnldo ... in the instruction list, when you say edit the unbound daemon, what file are you editing or creating? Apologies for the basic question.
 
If you want to be technical: I did a little testing and research, and you should be able to leave cache-size alone because you are appending the proxy-dnssec option. The conflict between the dnsmasq caching and Unbound caching is because DNSSEC responses stored within the dnsmasq cache become server fails with Unbound, since dnsmasq does not save the authentication data; but if you are using proxy-dnssec it becomes irrelevant and caching behaviour becomes normal.
 