Unbound - Authoritative Recursive Caching DNS Server

Interesting, when I allow 2 threads - I get two different responses 1 from each thread of Unbound. It takes three tries to hit cache, dig result's DNS IP shows the router both times. I see two Unbound process IDs when running top command. The behavior immediately reverts when changing back to 1 thread. Reboot did not help when threads set to 2. Reverted with other recommended changes intact for now
I can confirm: with more than one thread the caching quality decreased. It looks like the different threads use different cache space ...
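An added check, not code from the thread, for the behaviour described above: it parses `unbound-control stats_noreset` output (the `threadN.num.queries` and `threadN.num.cachehits` counters) and flags a thread whose cache-hit ratio lags far behind its siblings. On a build without libpthread the extra workers are forked processes whose caches are not shared, which matches the two PIDs seen in top. The sample counters are constructed and the 25-point threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): compare per-thread cache hit ratios in
# `unbound-control stats_noreset` output, using the threadN.num.queries and
# threadN.num.cachehits counters. One thread (or, on a build without
# libpthread, one forked worker) with a much lower ratio than the others is
# the symptom described above.
# usage: unbound-control stats_noreset | thread_hit_ratios
thread_hit_ratios() {
    awk -F'[.=]' '
        $1 ~ /^thread[0-9]+$/ && $3 == "queries"   { q[$1] = $4 }
        $1 ~ /^thread[0-9]+$/ && $3 == "cachehits" { h[$1] = $4 }
        END {
            min = 2; max = -1
            for (t in q) {
                r = (q[t] > 0) ? h[t] / q[t] : 0
                printf "%s hits=%d queries=%d ratio=%.2f\n", t, h[t], q[t], r
                if (r < min) min = r
                if (r > max) max = r
            }
            # More than 25 points between best and worst thread is suspicious
            # (assumed threshold, tune to taste).
            printf "imbalance=%s\n", ((max - min) > 0.25 ? "yes" : "no")
        }'
}

# Constructed sample (not real router output): thread1 rarely hits the cache.
sample_stats='thread0.num.queries=120
thread0.num.cachehits=80
thread0.num.cachemiss=40
thread1.num.queries=100
thread1.num.cachehits=10
thread1.num.cachemiss=90
total.num.queries=220
total.num.cachehits=90'
printf '%s\n' "$sample_stats" | thread_hit_ratios
```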
 
I don't think it's really needed on a home device. From the unbound github page...
The transmission-bt package is compiled with libevent. Earlier versions of unbound were supported. But there is consensus that it is an unnecessary alternative because of the various models of ARM or MIPS routers.
 
The default setting has been thoroughly tested. It's trustable. Thread "1" makes it disabled.
 
I am trying to compile version 1.9.5 without the libevent option, for better compatibility on many routers. I only run into problems organizing the dependent libraries in recent Entware.
 
Another helpful set of logging commands I've made for easy switching of logging on/off, or switching Unbound on/off (these go in /jffs/configs/profile.add):
Code:
# Turn query/reply logging on at runtime and follow the log file
unboundlog() {
        unbound-control verbosity 2
        unbound-control set_option log-queries: yes
        unbound-control set_option log-replies: yes
        tail -50 -F /opt/var/lib/unbound/unbound.log
}

# Turn query/reply logging back off (verbosity 1 = operational messages only)
unboundnolog() {
        unbound-control verbosity 1
        unbound-control set_option log-queries: no
        unbound-control set_option log-replies: no
}

# Stop Unbound (and haveged), hand DNS back to dnsmasq, and keep both
# init scripts disabled across reboots
unbounddisable() {
        /opt/etc/init.d/S61unbound stop
        service restart_dnsmasq
        /opt/etc/init.d/S02haveged stop
        sed -i "s/^ENABLED=yes/ENABLED=no/" /opt/etc/init.d/S61unbound
        sed -i "s/^ENABLED=yes/ENABLED=no/" /opt/etc/init.d/S02haveged
}

# Re-enable both init scripts and start haveged before Unbound
unboundenable() {
        sed -i "s/^ENABLED=no/ENABLED=yes/" /opt/etc/init.d/S02haveged
        sed -i "s/^ENABLED=no/ENABLED=yes/" /opt/etc/init.d/S61unbound
        /opt/etc/init.d/S02haveged start
        /opt/etc/init.d/S61unbound start
}
Another useful unbound.conf configuration setting for log reading:
Code:
log-time-ascii: yes
Great contribution. We need a report pattern. We are trying to organize a report with Zabbix.
 
The next Unbound release on Entware, 1.9.6, comes with libevent support as a new package, unbound-daemon-heavy. Waiting.
"contains the Unbound daemon including 'libevent' and 'libpthread' to better handle large networks with heavy query loads."
Code:
PKG_NAME:=unbound
PKG_VERSION:=1.9.6
PKG_RELEASE:=1
Code:
define Package/unbound-daemon-heavy/description
  This package contains the Unbound daemon including 'libevent' and
  'libpthread' to better handle large networks with heavy query loads.
endef
 
It looks like Entware team doesn’t build that package even though it’s available from the Openwrt feed. I had previously looked into why unbound-checkconf has also disappeared in the last Unbound update a few months ago.

https://github.com/Entware/Entware/blob/master/configs/armv7-2.6.config#L5537
 
Approved. Logs go to FW GUI General Log. I agree with the implementation. You have to check if @Martineau agrees.
 
Thank you, this works very well.
Compare unbound's native adblock with the NextDNS implementation. There is a big difference in latency. Unbound offers NXDOMAIN answers with more privacy.
 
cache-min-ttl: 0
Users of DNS-based load balancing or DDoS-prevention may require short TTLs: TTLs may be as short as five minutes, although 15 minutes may provide sufficient agility for many operators. Shorter TTLs here help with agility; they are an exception to our first recommendation of longer TTLs.
cache-min-ttl: 900 => 15 minutes
 
Ad and tracker blocking options are available in Unbound. The block alone is not enough; the answer returned for the block matters too. The native adblock script installer uses the static option.

refuse

Send an error message reply, with rcode REFUSED. If there is
a match from local data, the query is answered.

static
If there is a match from local data, the query is answered.
Otherwise, the query is answered with nodata or nxdomain.
For a negative answer a SOA is included in the answer if
present as local-data for the zone apex domain.

always_nxdomain
Like static, but ignores local data and returns nxdomain for
the query.
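Example added here, not the adblock installer's own code: a shell function (hypothetical name `gen_local_zones`) that turns a plain domain list into `local-zone:` lines using one of the three types above, keeping only syntactically valid hostnames so that a downloaded list cannot smuggle other directives into unbound.conf. The sample list is constructed.

```shell
#!/bin/sh
# Added example (not the adblock installer's own code): turn a plain domain
# list into unbound local-zone lines, with the zone type chosen from the
# three described above (refuse / static / always_nxdomain).
# Each list line must be a syntactically valid hostname; anything else
# (blank lines, comments, quotes, spaces) is dropped, so an untrusted
# downloaded list cannot inject arbitrary unbound.conf directives.
# usage: gen_local_zones TYPE < domains.txt
gen_local_zones() {
    ztype="$1"
    case "$ztype" in
        refuse|static|always_nxdomain) ;;
        *) echo "unsupported local-zone type: $ztype" >&2; return 1 ;;
    esac
    # Strip CR and comments, trim whitespace, lower-case, keep valid hostnames.
    tr -d '\r' \
        | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z' \
        | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' \
        | sort -u \
        | while read -r d; do
            printf 'local-zone: "%s." %s\n' "$d" "$ztype"
        done
}

# Constructed sample list (not a real blocklist): two good entries, one
# duplicate, one comment, and two malformed lines that must be rejected.
sample_list='ads.example.com
# a comment line
Tracker.EXAMPLE.net   
bad domain.com
evil"; local-data: "x A 192.0.2.5
ads.example.com'
printf '%s\n' "$sample_list" | gen_local_zones always_nxdomain
```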
 
It might get noisy in syslog if someone forgets to disable logging. I always have the logfile path enabled in my unbound.conf. It would be nice to separate log messages from query logs as someone has already suggested on Github.

N.B. My unbounddisable function assumes that the dnsmasq.postconf is checking to verify unbound is running before making the modifications. This allows it to safely revert to GUI DNS settings by restarting dnsmasq after Unbound is stopped. With the current script, those checks are not yet implemented in the Check_dnsmasq_postconf function (present but commented out).
 
Unbound Installer v1.16 available.

Addresses the following as proposed by @dave14305

My current position is that to keep the Unbound cache fresh, you don't want dnsmasq caching in front of it, so I delete the dnssec options to allow zero cache.
Since there is no one else to trust in between dnsmasq and unbound, I am fine to proxy-dnssec the Unbound responses.

OK, so the dnsmasq error I experienced/reported
Code:
dnsmasq[15203]: cannot reduce cache size from default when DNSSEC enabled" >> /jffs/scripts/unbound.postconf
dnsmasq[15203]: FAILED to start up"
is actually by design as described in the dnsmasq man page.



So v1.16 now removes the dnsmasq 'dnssec' directive to allow disabling dnsmasq caching (cache-size=0)

v1.16 now uncomments the 'if' clause in 'unbound.postconf'; however, I could not get unbound to work when it attempts to use the dynamically retrieved $UNBOUNDLISTENADDR rather than the static "127.0.0.1#53535"
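An added example, not the installer's own unbound.postconf: it rewrites a dnsmasq config so dnsmasq forwards to Unbound only when Unbound is actually running, removing the dnsmasq 'dnssec' directive so cache-size=0 is accepted and adding proxy-dnssec, as discussed above; when Unbound is down the file is left untouched so the GUI DNS settings survive a dnsmasq restart. Assumed defaults (hypothetical): Unbound listens on the static 127.0.0.1#53535, and `unbound-control status` answers whether it is running.

```shell
#!/bin/sh
# Added example (not the installer's own unbound.postconf): rewrite a dnsmasq
# config so dnsmasq forwards to Unbound only when Unbound is actually running,
# and otherwise leave the GUI-generated DNS settings untouched.
# Assumptions (hypothetical defaults, change to suit): Unbound listens on
# 127.0.0.1#53535 and "is it running" is answered by `unbound-control status`.
# usage: apply_unbound_postconf /path/to/dnsmasq.conf [LISTEN] [CHECK_FUNC]
unbound_running() { unbound-control status >/dev/null 2>&1; }

apply_unbound_postconf() {
    conf="$1"; listen="${2:-127.0.0.1#53535}"; check="${3:-unbound_running}"
    if ! "$check"; then
        echo "unbound is not running; leaving $conf unchanged" >&2
        return 0
    fi
    # Drop the directives we own, then append the Unbound-facing versions:
    #  - 'dnssec' must go: dnsmasq refuses cache-size=0 while DNSSEC is on
    #  - cache-size=0 so dnsmasq does not cache in front of Unbound
    #  - proxy-dnssec passes Unbound's validation result (AD bit) through
    #  - a single server= line pointing at Unbound replaces the GUI upstreams
    sed -e '/^dnssec$/d' -e '/^cache-size=/d' -e '/^proxy-dnssec$/d' \
        -e '/^server=/d' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    printf 'proxy-dnssec\ncache-size=0\nserver=%s\n' "$listen" >> "$conf"
}

# Demo on a constructed config (not a real router file) with a stub check.
demo_conf=$(mktemp)
printf 'no-resolv\nserver=192.0.2.1\ndnssec\ncache-size=1500\n' > "$demo_conf"
always_up() { return 0; }
apply_unbound_postconf "$demo_conf" 127.0.0.1#53535 always_up
cat "$demo_conf"
rm -f "$demo_conf"
```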

I am reluctant to mess with external files, and would prefer to keep the features within the unbound installer script.

v1.16 now incorporates your suggestion and allows (human-friendly timestamped) unbound logging to be dynamically ENABLED/DISABLED see menu below.

Since the logging is dynamic (using unbound-control), being lazy I do not modify the ACTIVE 'unbound.conf' but instead have added the ability to dynamically Query/Set any of the unbound options from the menu.
This does mean that the 'v' option to view the ACTIVE 'unbound.conf' may not reflect the current state of the unbound options.

However, this does mean that if an unbound option is incorrectly set, using the 'rl' option should back-out the damage together with the 'rs' command.
Code:
unbound (pid 8516) is running... uptime: 0 Days, 01:50:26 version: 1.9.3

1  = Update ('/opt/var/lib/unbound/') unbound Configuration     l  = Show unbound LIVE log entries (lx=Disable Logging)
2  = Remove Existing unbound Installation                       v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit) 
                                                                rl = Reload unbound Configuration (Doesn't interrupt/halt unbound)
                                                                oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
rs = Restart (or Start) unbound                                 s  = Display unbound statistics (s=Summary Totals; sa=All)
e  = Exit Script
 
@Martineau I need to add a new list with CNAME adblock support, but the package comes zipped in the script.
 