Unbound - Authoritative Recursive Caching DNS Server

The script is in the final stages. Ideally, there are more collaborators with shell script knowledge and connectivity at FW Merlin to give an opinion. I want to contribute, but my knowledge is focused on infrastructure and connectivity. I think it contributes enough to the RMerlin project.
 
new script also doesn't fix adblock
run unbound_installer.
Choose option 1. Update the installation. Edit /opt/var/lib/unbound/unbound.conf and uncomment the adblock path. Run /opt/etc/init.d/rc.unslung restart. Let's fix the script.
 
The adblock feature has worked since v1.07, as your original 'unbound.conf' appeared to use the convention
Code:
# include:......adblock/adservers
where there is a single space between the '#' and the 'include:' directive, however your new 'unbound.conf' now omits the space char
Code:
#include:...….adblock/adservers
and now no version of the script can match '# '

I have patched the script ready for v.1.11 (not yet pushed to GitHub) to accept either style, but in the meantime you should fix 'unbound.conf' hosted on your GitHub to reinstate the space char.
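
One way to accept both comment styles described in the post above, as an added example that is not the installer's actual patch. The function names and the sample include path are constructed for illustration; only the `adblock/adservers` suffix comes from the thread.

```shell
#!/bin/sh
# Added example (not the installer's code). Sample config lines are constructed.

# Apply a sed expression to a file in place without relying on 'sed -i'.
apply_sed() { sed "$1" "$2" > "$2.tmp" && cat "$2.tmp" > "$2" && rm -f "$2.tmp"; }

# True when an uncommented adblock include is present.
adblock_enabled() {
    grep -Eq '^[[:space:]]*include:.*adblock/adservers' "$1"
}

# Strict form: only matches '# include:' with exactly one space after '#'.
enable_adblock_strict() {
    apply_sed 's|^# \(include:.*adblock/adservers\)|\1|' "$1"
    adblock_enabled "$1"
}

# Tolerant form: optional indentation, '#', then any number of blanks
# (including none). Prose comments that merely mention 'include:' do not match.
enable_adblock() {
    apply_sed 's|^\([[:space:]]*\)#[[:space:]]*\(include:.*adblock/adservers\)|\1\2|' "$1"
    adblock_enabled "$1"
}

# Constructed sample: $2 is the comment prefix to use ('# ' or '#').
write_sample() {
    printf 'server:\n    verbosity: 1\n%sinclude: "/tmp/example/adblock/adservers"\n' "$2" > "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    for prefix in '# ' '#'; do
        write_sample "$dir/a.conf" "$prefix"; write_sample "$dir/b.conf" "$prefix"
        enable_adblock_strict "$dir/a.conf" && s=enabled || s=missed
        enable_adblock "$dir/b.conf" && t=enabled || t=missed
        printf 'prefix [%s]: strict=%s tolerant=%s\n' "$prefix" "$s" "$t"
    done
    rm -rf "$dir"
}
demo
```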
 
This thread and script went in a different direction than I anticipated or feel I could contribute to. I use unbound only as an upstream resolver for dnsmasq, relying on Diversion for adblocking and using no DoT whatsoever.

I want the hook between dnsmasq and Unbound to be failsafe, meaning if unbound isn't running, dnsmasq reverts to the normal WAN DNS servers. I do this through the dnsmasq.postconf script I've posted before in this thread. I also created a cron job to check unbound every 5 minutes and if it isn't running, restart dnsmasq so that the WAN DNS servers will take over, to minimize chances of a DNS-related outage in my home.

I don't understand where some of these requirements are coming from to use Entware Stubby, or use another adblock solution, or to try to force all requests to Unbound. To integrate with the firmware, it needs to have clean edges and integration points IMHO.

To gain widespread adoption, this script should do one thing very well: install Unbound as a recursive, validating resolver. All the extras might distract from other users understanding what it is doing and wanting to install it.

@Martineau will be canonized once his work here is done, or he walks away, whichever comes first. ;)
 
I understand your concern. But I assure you, it works the way it should. And query requests are being made by unbound normally. I understand that comments like yours strengthen the post. I really appreciate it.

Code:
dig DNSKEY cyberciti.biz +short
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==

Code:
dig txt qnamemintest.internet.nl

; <<>> DiG 9.10.6 <<>> txt qnamemintest.internet.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13054
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qnamemintest.internet.nl.    IN    TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 3579    IN    CNAME    a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3581 IN    TXT    "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; Query time: 5 msec
;; SERVER: 10.0.30.1#53(10.0.30.1)
;; WHEN: Fri Dec 27 14:51:33 -03 2019
;; MSG SIZE  rcvd: 157

Code:
dig github.com

; <<>> DiG 9.10.6 <<>> github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44523
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;github.com.            IN    A

;; ANSWER SECTION:
github.com.        44    IN    A    192.30.253.112

;; Query time: 4 msec
;; SERVER: 10.0.30.1#53(10.0.30.1)
;; WHEN: Fri Dec 27 14:51:25 -03 2019
;; MSG SIZE  rcvd: 55
 
@Martineau The dnsmasq.postconf file is generated in incorrect formatting and without write permission.
Code:
#!/bin/sh
CONFIG=$1
pc_delete "servers-file" $CONFIG                        # unbound_installer
pc_delete "no-negcache" $CONFIG                 # unbound_installer
pc_delete "domain-needed" $CONFIG                       # unbound_installer
pc_delete "bogus-priv" $CONFIG                  # unbound_installer
pc_replace "cache-size=1500" "cache-size=0" $CONFIG                     # unbound_installer
source /usr/sbin/helper.sh
Must be in this format
Code:
#!/bin/sh
source /usr/sbin/helper.sh
CONFIG=$1
pc_delete "servers-file" $CONFIG                        # unbound_installer
pc_delete "no-negcache" $CONFIG                 # unbound_installer
pc_delete "domain-needed" $CONFIG                       # unbound_installer
pc_delete "bogus-priv" $CONFIG                  # unbound_installer
pc_replace "cache-size=1500" "cache-size=0" $CONFIG                     # unbound_installer
 
Maybe it’s time to do like Diversion and just add a single line to dnsmasq.postconf that invokes a specific script created by the installer to contain all the dnsmasq changes, instead of guessing what might or might not already be present.
Code:
. /jffs/scripts/unbound.postconf "$1"
 
@dave14305 Coexistence with dnsmasq-oriented solutions is perfectly possible. Diversion, No-Track, Pi-Hole (great software) coexist perfectly with the coupling. I speak daily in the forums of these projects. But specifically targeted solutions for unbound are preferable. Forums like PFsense and OPNsense greatly strengthen this reasoning.
 
Of course it is possible. My suggestion is that if you want to minimize the problems integrating with existing dnsmasq.postconf files, then consider calling the unbound specific script from dnsmasq.postconf as a one-liner and ensure that line comes after any other modifications to /etc/dnsmasq.conf.

I will wait to discuss with St. @Martineau.
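
The one-line hook suggested in the two posts above, as an added example that is not the installer's code. `ensure_hook`, `write_unbound_postconf`, `HOOK_TAG` and `HELPER` are hypothetical names; the file names and the `pc_delete`/`pc_replace` lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not the installer's code. Function and variable names are
# hypothetical; paths and pc_* lines follow the thread.
HOOK_TAG='# unbound_installer'
HELPER=${HELPER:-/usr/sbin/helper.sh}   # firmware helper providing pc_delete/pc_replace

# Write the dedicated script holding every dnsmasq change for unbound.
# The helper is sourced first so the pc_* functions exist before they are called.
write_unbound_postconf() {
    cat > "$1" <<EOF
#!/bin/sh
. $HELPER
CONFIG=\$1
pc_delete "servers-file" "\$CONFIG"
pc_delete "no-negcache" "\$CONFIG"
pc_delete "domain-needed" "\$CONFIG"
pc_delete "bogus-priv" "\$CONFIG"
pc_replace "cache-size=1500" "cache-size=0" "\$CONFIG"
EOF
}

# ensure_hook POSTCONF HOOKSCRIPT: leave exactly one hook line, as the last line.
ensure_hook() {
    postconf=$1
    line=". $2 \"\$1\" $HOOK_TAG"
    # Create the file with a shebang if the user has none yet.
    [ -f "$postconf" ] || printf '#!/bin/sh\n' > "$postconf"
    # Drop every line carrying the installer tag (an earlier hook, or the old
    # inline pc_* entries), then append the hook so it runs after other edits.
    { grep -vF "$HOOK_TAG" "$postconf" || true; printf '%s\n' "$line"; } > "$postconf.tmp"
    cat "$postconf.tmp" > "$postconf" && rm -f "$postconf.tmp"
    chmod +x "$postconf"
}

# Demo in a scratch directory (constructed file contents).
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "user edit"\n' > "$d/dnsmasq.postconf"
    write_unbound_postconf "$d/unbound.postconf"
    ensure_hook "$d/dnsmasq.postconf" "$d/unbound.postconf"
    cat "$d/dnsmasq.postconf"; rm -rf "$d"
}
demo
```

Running `ensure_hook` again after another script has appended to `dnsmasq.postconf` moves the hook back to the end instead of duplicating it.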
 
Of course I agree with you. This is a great solution for dnsmasq-integrated software compatibility such as Diversion.
 
Trying to configure Munin here for Unbound

munin-unbound-graphs.png
 
@Martineau script generated without write permission and with incorrect adblock cron argument.
/jffs/scripts/services-start
Code:
cru a adblock "0 5 * * *" /opt/var/lib/unbound/adblock/gen_adblock.sh                   # unbound
Manually fixed
chmod +x /jffs/scripts/services-start
Code:
cru a adblock "0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh"                    # unbound
 
I tried this
Changed Cru to new code but adblock still doesn't work
 
Unbound Installer v1.11 uploaded

1. Fix Adblock ENABLE (i.e. uncomment '# include:' ) in 'unbound.conf' even if '#include:' format is used by @rgnldo
2. Fix 'services-start' Adblock 'cron' job syntax
3. Fix (Hack??? i.e. issue existing command TWICE!!! o_O) 'chmod +x' to 'services-start'/'dnsmasq.postconf' if they are created
4. Fix 'dnsmasq.postconf' order of statements if it is created
5. Download files '/opt/etc/init.d/S61unbound' and '/opt/etc/init.d/S02haveged' from @rgnldo GitHub
6. Add menu option 'v = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit)'
 