Unbound - Authoritative Recursive Caching DNS Server

[Kingp1n]

I am getting better good adblock results with these options. Has anyone tested?
POST

I wld like to test but I'm not sure how by looking at your post.

 

[rgnldo]

have got to be a reason why 0.0.0.0 just won't work.

Take a look at OpenVPN, dnsfilter, AiProtect, as they are configured.

 

[Delusion]

Take a look at OpenVPN, dnsfilter, AiProtect, as they are configured.

dnsfilter : Router
And I do use OpenVPN maybe it causes issues ? If so, can you add a simple check in the script which changes interface to 127.0.0.1 if OpenVPN client is running?

Is there any difference between using 127.0.0.1 or 0.0.0.0 ?

 

[rgnldo]

Is there any difference between using 127.0.0.1 or 0.0.0.0 ?

It is the support we need. @Xentrk @Martineau could you help us?

check_openvpn_event() {
        SERVER="$1"
        COUNTER="0"
        for OPENVPN_CLIENT in 1 2 3 4 5; do
            if [ "$(nvram get vpn_client${OPENVPN_CLIENT}_state)" -eq "2" ]; then
                COUNTER=$((COUNTER + 1))
            fi
        done

        if [ "$COUNTER" -gt "0" ]; then
        # need /jffs/configs/resolv.dnsmasq override
            echo "server=${SERVER}" > /jffs/configs/resolv.dnsmasq
            if [ "$COUNTER" -gt "1" ]; then
                  WORD="Clients"
            elif [ "$COUNTER" -eq "1" ]; then
                  WORD="Client"
            fi

            # require override file if OpenVPN Clients are used
            echo "$COUNTER active OpenVPN $WORD found"
            if [ -s "/jffs/scripts/openvpn-event" ]; then  # file exists
                if ! grep -q "cp /jffs/configs/resolv.dnsmasq /tmp/resolv.dnsmasq" "/jffs/scripts/openvpn-event"; then
                    echo "cp /jffs/configs/resolv.dnsmasq /tmp/resolv.dnsmasq" >> /jffs/scripts/openvpn-event
                    printf 'Updated %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
                else
                    printf 'Required entry already exists in %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
                    printf 'Skipping update of %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
                fi
            else
                echo "#!/bin/sh" > /jffs/scripts/openvpn-event
                echo "cp /jffs/configs/resolv.dnsmasq /tmp/resolv.dnsmasq" >> /jffs/scripts/openvpn-event
                chmod 755 /jffs/scripts/openvpn-event
                printf 'Created %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
            fi
        else
            printf 'No active OpenVPN Clients found. Skipping creation of %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
            echo "If you decide to run an OpenVPN Client in the future, rerun the installer script"
            echo "to update /jffs/scripts/openvpn-event"
        fi
}

 

[rgnldo]

It is the support we need. @Xentrk @Martineau could you help us?

check_openvpn_event() {
        SERVER="$1"
        COUNTER="0"
        for OPENVPN_CLIENT in 1 2 3 4 5; do
            if [ "$(nvram get vpn_client${OPENVPN_CLIENT}_state)" -eq "2" ]; then
                COUNTER=$((COUNTER + 1))
            fi
        done

        if [ "$COUNTER" -gt "0" ]; then
        # need /jffs/configs/resolv.dnsmasq override
            echo "server=${SERVER}" > /jffs/configs/resolv.dnsmasq
            if [ "$COUNTER" -gt "1" ]; then
                  WORD="Clients"
            elif [ "$COUNTER" -eq "1" ]; then
                  WORD="Client"
            fi

            # require override file if OpenVPN Clients are used
            echo "$COUNTER active OpenVPN $WORD found"
            if [ -s "/jffs/scripts/openvpn-event" ]; then  # file exists
                if ! grep -q "cp /jffs/configs/resolv.dnsmasq /tmp/resolv.dnsmasq" "/jffs/scripts/openvpn-event"; then
                    echo "cp /jffs/configs/resolv.dnsmasq /tmp/resolv.dnsmasq" >> /jffs/scripts/openvpn-event
                    printf 'Updated %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
                else
                    printf 'Required entry already exists in %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
                    printf 'Skipping update of %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
                fi
            else
                echo "#!/bin/sh" > /jffs/scripts/openvpn-event
                echo "cp /jffs/configs/resolv.dnsmasq /tmp/resolv.dnsmasq" >> /jffs/scripts/openvpn-event
                chmod 755 /jffs/scripts/openvpn-event
                printf 'Created %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
            fi
        else
            printf 'No active OpenVPN Clients found. Skipping creation of %b/jffs/scripts/openvpn-event%b\n' "$COLOR_GREEN" "$COLOR_WHITE"
            echo "If you decide to run an OpenVPN Client in the future, rerun the installer script"
            echo "to update /jffs/scripts/openvpn-event"
        fi
}

@Xentrk @Martineau pardon. disregard.

And I do use OpenVPN maybe it causes issues ? If so, can you add a simple check in the script which changes interface to 127.0.0.1 if OpenVPN client is running?

VPN work fine with unbound.
status VPN

Unbound.conf

dnsmasq.conf

Check services and reboot = OK!

 

[Martineau]

Having to manually edit every time (or execute a script) to change "interface: 0.0.0.0" to "interface: 127.0.0.1" is getting on my nerves.

How does it work for everyone but me? there have got to be a reason why 0.0.0.0 just won't work.

Until the SMEs figure-out your issue, rather than having to run a script is to create a permanent custom .conf

e.g.
'/opt/share/unbound/configs/Delusion.conf'

FN="/opt/share/unbound/configs/Delusion.conf";echo -e "# Delusion Delusion.conf Version=1.01 (Date Loaded xxxxxxxxxx" >  $FN; cat /opt/share/unbound/configs/user.conf >> $FN; sed -i 's/^interface:.*0\.0\.0\.0/interface: 127\.0\.0\.1/' $FN;unset $FN

which you can quickly reload

e  = Exit Script

Option ==> rl Delusion

 

[dave14305]

Is there any difference between using 127.0.0.1 or 0.0.0.0 ?

Using 0.0.0.0 enables Unbound to listen for incoming queries on any IPv4 address your router has, including the WAN IP. However, your firewall won't expose this to the Internet and unbound will be configured to refuse queries from public IPs, so it's not a grave concern, but it's overkill.

Generally, unbound only needs to listen on localhost (127.0.0.1) if you only intend for it to receive requests from dnsmasq. If you want the LAN clients to query unbound directly, you would need to add the LAN IP as a second interface (e.g. interface: 192.168.1.1). But since the default unbound port with this installer is 53535, no LAN client is going to resolve using that port with default tools in the OS. And we already know dnsmasq is occupying 192.168.1.1:53.

I would imagine your problem with 0.0.0.0 could be in the unlikely event that some other service is using port 53535 on either tcp or udp, since unbound binds to both protocols. You could stop unbound and check with "netstat -nap | grep 53535".

Try starting unbound interactively as a test to look for errors binding ports:

unbound -vvdc /opt/var/lib/unbound/unbound.conf

Spoiler: Example debug output

# unbound -vvvdc /opt/var/lib/unbound/unbound.conf
[1579095542] unbound[5756:0] notice: Start of unbound 1.9.3.
Jan 15 08:39:02 unbound[5756:0] debug: creating udp4 socket 0.0.0.0 53535
Jan 15 08:39:02 unbound[5756:0] debug: creating tcp4 socket 0.0.0.0 53535
Jan 15 08:39:02 unbound[5756:0] error: Setting TCP Fast Open as server failed: Protocol not available
Jan 15 08:39:02 unbound[5756:0] debug: creating tcp4 socket 127.0.0.1 953
Jan 15 08:39:02 unbound[5756:0] error: Setting TCP Fast Open as server failed: Protocol not available
Jan 15 08:39:02 unbound[5756:0] debug: setup SSL certificates
Jan 15 08:39:02 unbound[5756:0] debug: chdir to /opt/var/lib/unbound
Jan 15 08:39:02 unbound[5756:0] debug: chroot to /opt/var/lib/unbound
Jan 15 08:39:02 unbound[5756:0] debug: drop user privileges, run as nobody
Jan 15 08:39:02 unbound[5756:0] debug: switching log to /opt/var/lib/unbound/unbound.log

 

[Martineau]

With the next release of amtm, it is expected to include the installation/manager script.

However it would be prudent for the script to be renamed to avoid unnecessary confusion.

If you have 'unbound_installer.sh' installed please run the three commands:

rm unbound_installer.sh

rm /opt/bin/unbound_installer

curl --retry 3 "https://raw.githubusercontent.com/MartineauUK/Unbound-Asuswrt-Merlin/master/unbound_manager.sh" -o "/jffs/scripts/unbound_manager.sh" && chmod 755 "/jffs/scripts/unbound_manager.sh" && /jffs/scripts/unbound_manager.sh

and you will now use the new script name

unbound_manager

Abject apologies for any inconvenience caused.

 

[Smokey613]

With the next release of amtm, it is expected to include the installation/manager script.

However it would be prudent for the script to be renamed to avoid unnecessary confusion.

If you have 'unbound_installer.sh' installed please run the three commands:

rm unbound_installer.sh

rm /opt/bin/unbound_installer

curl --retry 3 "https://raw.githubusercontent.com/MartineauUK/Unbound-Asuswrt-Merlin/master/unbound_manager.sh" -o "/jffs/scripts/unbound_manager.sh" && chmod 755 "/jffs/scripts/unbound_manager.sh" && /jffs/scripts/unbound_manager.sh

Abject apologies for any inconvenience caused.

Do we need to do this now, ahead of the amtm update?

 

[Martineau]

Do we need to do this now, ahead of the amtm update?

Yes please, as it will also install v1.23

 

[Smokey613]

Yes please, as it will also install v1.23

Done.... back up and running.
Thanks!!

 

[Kingp1n]

Yes please, as it will also install v1.23

I will reinstall unbound. Anyone here using unbound with diversion without issues. I read its recommended not use diversion but I've black/whitelisted so many sites I wouldn't want to start all over.

 

[dave14305]

I will reinstall unbound. Anyone here using unbound with diversion without issues. I read its recommended not use diversion but I've black/whitelisted so many sites I wouldn't want to start all over.

I do and it’s fine.

 

[Martineau]

Was trying to find a way to check for inteNIC update. As we do not know or the exact day of the update, better organize the schedule as daily schedule.

Hmm, so as the SME, are you just guessing at best practice or did you actually pose your concern to the developers given they are ultimately responsible for shipping a product that is fit for purpose? i.e. unbound should always contain a valid current internal 'root.hints' list.

i.e. one Wiki States

Seems overkill to check every 15 days as is the case now ...but everyday????

 

[SomeWhereOverTheRainBow]

Hmm, so as the SME, are you just guessing at best practice or did you actually pose your concern to the developers given they are ultimately responsible for shipping a product that is fit for purpose? i.e. unbound should always contain a valid current internal 'root.hints' list.

i.e. one Wiki States

View attachment 20878

Seems overkill to check every 15 days as is the case now ...but everyday????

Some one has to keep those ever changing root hints in check. This guarantees unbound will always know what's up and where the fun is at.

 

[rgnldo]

Hmm, so as the SME, are you just guessing at best practice or did you actually pose your concern to the developers given they are ultimately responsible for shipping a product that is fit for purpose? i.e. unbound should always contain a valid current internal 'root.hints' list.

i.e. one Wiki States

View attachment 20878

Seems overkill to check every 15 days as is the case now ...but everyday????

I do not understand this question. There are so many things I care about unbound that I have to do the information myself. I've always known that root.key updates automatically. But root.hints was unaware of more information. Everything happens very fast. If you found information, great, let's add it. It makes all the work easier. What I find is that there are many contributions without the least effectiveness and debugging. If you find any solution, great, bring it and you're done.



Tapatalk

 

[SuperDuke]

Not quite what I asked about.

I read this article earlier and figured the TLS names were important to explicitly configure:
https://www.ctrl.blog/entry/unbound-tls-forwarding.html

Hi all....following this all with interest and trying to make sense of some things. From the above link, it appears that DoT encryption can me made to play nice with Unbound, but I don't think this has been applied to the current install....although I have no (and I mean no) basis on which to make this claim....can someone confirm? And also, if Unbound is currently querying without encryption, how is the privacy maintained?

 

[DocUmibozu]

Hi all....following this all with interest and trying to make sense of some things. From the above link, it appears that DoT encryption can me made to play nice with Unbound, but I don't think this has been applied to the current install....although I have no (and I mean no) basis on which to make this claim....can someone confirm? And also, if Unbound is currently querying without encryption, how is the privacy maintained?

I'm also interested...

 

[dave14305]

if Unbound is currently querying without encryption, how is the privacy maintained?

It’s privacy in the sense that you are not sharing all your DNS queries with a middleman (e.g. ISP, Google, Cloudflare, etc.). You are sending each domain request to its authoritative nameserver. No single entity is building a dossier of your DNS activity.

There’s no secrecy (i.e. encryption) in that configuration, but privacy has many facets.

 

[SuperDuke]

It’s privacy in the sense that you are not sharing all your DNS queries with a middleman (e.g. ISP, Google, Cloudflare, etc.). You are sending each domain request to its authoritative nameserver. No single entity is building a dossier of your DNS activity.

There’s no secrecy (i.e. encryption) in that configuration, but privacy has many facets.

Thanks as always @dave14305. That makes very good sense. With that though, I presume then that the only value of DoT in this case would be that the nameserver itself accept the TLS handshake and reciprocate in kind for DoT to be allowed. In looking at the link from the previous message, DoT can be made to play nice with unbound, I'm just not sure why we wouldn't to implement it if it can be made to do so......thoughts??