Unbound - Authoritative Recursive Caching DNS Server

[rgnldo]

@Jack Yaz if you're interested, this is a start

unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | grep total.num

 

[SuperDuke]

Once the installer is validated, does the user need to install the pre-reqs (like ntp server) before installation?

 

[Martineau]

@Martineau
https://raw.githubusercontent.com/rgnldo/Unbound-Asuswrt-Merlin/master/unbound.conf
https://raw.githubusercontent.com/rgnldo/Unbound-Asuswrt-Merlin/master/stubby.yml

I don't need to be made aware of these files.
The unbound installer script will always download these files that you host on your 'rgnldo' GitHub and any updates to the script itself from the 'martineau' GitHub.

 

[rgnldo]

Once the installer is validated, does the user need to install the pre-reqs (like ntp server) before installation?

This work our script will do for you if you wish.

 

[rgnldo]

For compatibility reasons, I'm testing these changes in ntp clock checking for entware services they need. I removed these arguments on...
/opt/etc/init.d/S*

#!/bin/sh

if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
       # Wait for NTP before starting
       logger -st "S61unbound" "Waiting for NTP to sync before starting..."
       ntptimer=0
       while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
               ntptimer=$((ntptimer+1))
               sleep 1
       done

       if [ "$ntptimer" -ge "300" ]; then
               logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
               echo ""
               exit 1
       fi
fi

I added this...
/opt/etc/init.d/00netwait

#!/bin/sh

# Copyright (C) 2013-2016 Jeremy Chadwick. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# Waits for ntpc/ntpdate to properly sync time before starting up any
# daemons past this point.  The way it works is by repeatedly calling
# /bin/date +%Y and seeing if the year returned is later than 1970.
# Most routers do not have battery-backed RTCs, so their clocks always
# start from the epoch (December 31st 1969).  A year later than 1970
# (i.e. 1971 or later) would indicate ntpc has finished.
#
# This is helpful for daemons which are time-sensitive, such as
# BIND/named, where a clock that is extremely skewed can cause errors
# like: checkhints: unable to get root NS rrset from cache: not found
#
# TODO: Implement stop/start/restart/reconfigure/check/kill argument
# support, per rc.unslung.  Right now this just runs blindly every
# time.  stop/reconfigure/check/kill should be no-ops, start/restart
# should actually do something.
#
NAME="netwait[$$]"
INTERVAL=7
MAXCOUNT=13

checkdate() {
  local year=$(/bin/date +%Y)
  if [ $year -gt 1970 ]
  then
    return 0
  fi
  return 1
}

# First thing we do is check the current date.  If the year is
# already compliant, then don't call logger or anything else; just
# exit cleanly immediately.

if checkdate; then
  exit 0
fi

# Otherwise use a loop to check things repeatedly and bail out if
# things look good -- or bail out at the very end with a nastygram
# indicating we're not responsible if daemons misbehave past this
# point.  :-)

i=1
while [ $i -le $MAXCOUNT ]
do
  logger -t $NAME "Waiting for ntpc (attempt ${i}/${MAXCOUNT})"
  sleep $INTERVAL

  if checkdate; then
    logger -t $NAME "Clock synced; good to go!"
    exit 0
  fi
  i=$((i+1))
done

logger -t $NAME "Clock remains unsynced; continuing anyway"
exit 1

Use the @Martineau script for WAN checking.
/jffs/scripts/init-start

sh /jffs/scripts/ChkWAN.sh &

 

[Martineau]

For compatibility reasons, disregard. Remove the DNS redirect option.

iptables -t nat -A PREROUTING -d "$(nvram get lan_ipaddr)" -p tcp --dport 53 -j REDIRECT --to-port 53535;iptables -t nat -A PREROUTING -d "$(nvram get lan_ipaddr)" -p udp --dport 53 -j REDIRECT --to-port 53535

and firewall-start

​

Run

unbound_installer

and it should detect a new v1.09 is available, so the 'u' option should appear

u  = Update (Major) unbound_installer v1.08 -> v1.09

then to update the 'opt/etc/init.d/S*' scripts from @rgnldo's GitHub select

1

​

 

[rgnldo]

@Martineau We're getting there, almost. Adds only the option to check if IPV6 is enabled on the router to fit the unbound.conf file. There are commented lines that should not be commented as to whether IPV6 and Stubby are enabled. I uploaded to Github the startup files of Entware.
Does the memory and CPU performance option work?

 

[rgnldo]

After successfully installing unbound. I relaunch the installer and return this.

sh unbound_installer.sh

unbound: [*] Lock File Detected (firewall) (pid=2236) - Exiting (cpid=16277)

cat /jffs/scripts/firewall-start
#!/bin/sh
sh /jffs/scripts/unbound_installer.sh firewall # unbound Firewall Addition

 

[Martineau]

After successfully installing unbound. I relaunch the installer and return this.

sh unbound_installer.sh

unbound: [*] Lock File Detected (firewall) (pid=2236) - Exiting (cpid=16277)

cat /jffs/scripts/firewall-start
#!/bin/sh
sh /jffs/scripts/unbound_installer.sh firewall # unbound Firewall Addition

Not experienced the Lock File issue....does it always happen during the reboot?

Option 2 should backout any updates to the files - although I noticed that 'dnsmasq.conf' has duplicates lines as the script never checked if the line already exists before inserting it.

I've already patched the v1.10 script, but I haven't pushed the patched version to GitHub pending your new functional requirements.

P.S To save typing, you can invoke the script (from anywhere) by simply using its alias

unbound_installer

 

[rgnldo]

unbound_installer

Nice!

 

[Martineau]

@Martineau We're getting there, almost. Adds only the option to check if IPV6 is enabled on the router to fit the unbound.conf file. There are commented lines that should not be commented as to whether IPV6 and Stubby are enabled. I uploaded to Github the startup files of Entware.
Does the memory and CPU performance option work?

No idea what you mean .

 

[rgnldo]

No idea what you mean .

This is in unbound.conf because the script understands that the router has IPV6 disabled.

#########################################
# integration IPV6
#
# do-ip6: yes
# interface: ::0
# iaccess-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

With IPV6 and Stubby enabled it will look like this:

#########################################
# integration IPV6
 do-ip6: yes
 interface: ::0
 iaccess-control: ::0/0 refuse
 access-control: ::1 allow
 private-address: fd00::/8
 private-address: fe80::/10
#########################################

#########################################
# Options for integration with TCP/TLS Stubby
 udp-upstream-without-downstream: yes
#########################################

 

[rgnldo]

unbound_installer - script v1.09

unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | grep total.num

total.num.queries=4242
total.num.queries_ip_ratelimited=0
total.num.cachehits=3433 -->> HIT, number of requests answered by cache.
total.num.cachemiss=809 -->> MISS, number of requests not available in cache
total.num.prefetch=39
total.num.zero_ttl=0
total.num.recursivereplies=809

 

[Hanston Dsouza]

how to get over this error
Connection refused for 127.0.0.1 port 953
using script

 

[Jack Yaz]

@Jack Yaz if you're interested, this is a start

unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | grep total.num

i'll take a look when 384.15 is available

 

[rgnldo]

how to get over this error
Connection refused for 127.0.0.1 port 953
using script

Try change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody
chown nobody /opt/var/lib/unbound

/opt/sbin/unbound-anchor -a /opt/var/lib/unbound/root.key


Enviado do meu iPhone usando Tapatalk

 

[rgnldo]

/opt/etc/init.d/rc.unslung check

/opt/etc/init.d/rc.unslung restart



Enviado do meu iPhone usando Tapatalk

 

[rgnldo]

Update post Unbound installer

 

[Delusion]

@rgnldo I have an issue when interface is set to 0.0.0.0 ( in unbound.conf) it is fine when interface is set to 127.0.0.1 . If I remember correctly, the error says that this (0.0.0.0) interface is in use or something like that.. I remember we used 127.0.0.1 in the past .

Can you change it back to 127.0.0.1?

 

[SomeWhereOverTheRainBow]

0.0.0.0 couldn't be in use unless you have something running on the same specified port. 0.0.0.0 just means it listens on all addresses are you running two instances of unbound? try restarting it.


I think this is why the preferred method rgnldo recommends ipv6, but it would make more since to bind it to a specific address if this is what is causing this issue.