From diversion -> b (blocking list) -> 1 (change composition custom) -> 2 (customize hosts list) -> 1 (Add hosts list) -> paste new hosts link link here -> e (exit) -> 1 (yes to update list now).
It will take some time to update the lists.
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2
- Thread starter JaimeZX
- Start date
It will take some time to update the lists.
Do you have this in cronjob?
I just realized I only have these now related to unbound. Other cronjob are loaded properly. I am not sure why this seems the only one missing.
Code:
1 0 * * * /opt/bin/find /opt/var/lib/unbound/unbound.log -size +10M -exec rm -f {} \; #unboundLOG#I just realized I only have these now related to unbound. Other cronjob are loaded properly. I am not sure why this seems the only one missing.
Code:
12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache #root_servers#
*/15 * * * * /jffs/addons/unbound/unbound_rpz.sh download #Unbound_RPZ.sh#
59 * * * * /jffs/addons/unbound/unbound_stats.sh generate #Unbound_Stats.sh#
57 * * * * /jffs/addons/unbound/unbound_log.sh #Unbound_Log.sh#
Martineau
Part of the Furniture
If Adblock is ENABLED, there are several Advanced menu commands to edit the various AdBlock files...
e.g.
Code:
i = Update unbound and configuration ('/opt/var/lib/unbound/') l = Show unbound log entries (lo=Enable FULL Logging [log_level])
z = Remove unbound/unbound_manager v = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x = Stop unbound vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration [filename]
rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
? = About Configuration oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size s = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user1.asp)
adblock = Install Ad Block [uninstall | update | track]
DisableFirefoxDoH = Disable Firefox DoH [yes | no] youtube = Install YouTube Ad Block [uninstall | update]
Stubby = Enable Stubby Integration DoT = Enable DNS-over-TLS
firewall = Enable DNS Firewall [disable | ?]
bind = BIND unbound to WAN [debug | disable | debug show] vpn = BIND unbound to VPN {vpnid [debug]} | [disable | debug show] e.g. vpn 1
scribe = Enable scribe (syslog-ng) unbound logging ad = Analyse Diversion White/Block lists ([ file_name [type=adblock] ])
dnsmasq = Disable dnsmasq [disable | interfaces | nointerfaces] ea = Edit Ad Block Allowlist (eb=Blocklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT) ca = Cache Size Optimisation [ min | calc ]
views = [? | uninstall] | {view_name [? | remove]} | {view_name [[type] domain_name[...] | IP_address[...]] [del]} ]
safesearch = Enable Safe Search [disable | status | ? ] e.g. redirect google.com to forcesafesearch.google.com
localhost = Add { domain_name {IP_address | del} }
dig = {domain} [time] Show dig info e.g. dig asciiart.com lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links
[Enter] Leave Advanced Tools Menu
e = Exit Script [?] ecbto apply custom edits to the Blocklist ('/opt/share/unbound/configs/blocksites') file to append additional resource lists to the default StevenBlack hosts file, such as:
Code:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
#
# User added Custom entries
# =========================
#
#
#TikTok
#
https://raw.githubusercontent.com/llacb47/mischosts/master/tiktok-hosts
#
#
https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
https://blocklist.cyberthreatcoalition.org/vetted/domain.txt
#
#Zones_in_unbound_format
#
https://gitlab.com/my-privacy-dns/rpz-dns-firewall-tools/unbound/-/raw/master/nxdomain/adaway/mobileadtrackers.zone
https://gitlab.com/my-privacy-dns/rpz-dns-firewall-tools/unbound/-/raw/master/nxdomain/mypdns/mypdns.adware.zone
https://gitlab.com/my-privacy-dns/rpz-dns-firewall-tools/unbound/-/raw/master/nxdomain/mypdns/mypdns.typosquatting.zone
Last edited:
How do you find Unbound's ad block compares to Diversion? Does it have the ability to share whitelists with Skynet too? Or does it not need Skynet as Unbound also has it's own built in firewall too?
Last edited:
Martineau
Part of the Furniture
I don't use either skynet or diversion, but as per the Q&A, both diversion (and skynet) can successfully coexist with an
unbound_manager 
Unbound - unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
This thread is for the discussion topic : unbound_manager script. As per the GitHub Hints/Tips: Differences between the operational modes Easy mode Advanced Mode 'Easy' mode - you have limited Install options: i.e. Advanced Options Stubby Integration DoT installs are not available...
www.snbforums.com
Do you have to manage these firewall lists yourself too in that case, or does it just work? I'm considering using Unbound's solution instead if it has the same functionality and it will probably lower ram usage too.I don't use either skynet or diversion, but as per the Q&A, both diversion (and skynet) can successfully coexist with anunbound_manager
Adblock/DNS Firewall configuration, but their respective esoteric block/allow lists cannot be directly shared.Unbound - unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
This thread is for the discussion topic : unbound_manager script. As per the GitHub Hints/Tips: Differences between the operational modes Easy mode Advanced Mode 'Easy' mode - you have limited Install options: i.e. Advanced Options Stubby Integration DoT installs are not available...
Martineau
Part of the Furniture
The
unbound block/allow rules are refreshed at least daily by cron schedulesi.e. for the DNSN Firewall (RPZ) and Adblock lists respectively.
Code:
*/15 * * * * /jffs/addons/unbound/unbound_rpz.sh download #Unbound_RPZ.sh#
0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#NOTE: The contents of the external lists provided by the hosting repository could be stale (or contain false positives) depending on the management/scheduled publication of the files, so whilst set-and-forget should 'just work', it is prudent to manually periodically review the rules to ensure that they meet your current expectations/needs.
miniterror
Regular Contributor
Not sure if i understand this unbound correctly but i just broke my internet with playing and this tool.
Luckily i can easy set it up again so no biggie there.
As for the problem, from my understanding i can have the Unbound addblocker active.
With winscp i edited the file for blacklist URL's, these contain 17 URL's now and combine a numer of 1.7.xx.xxx domains.
The update proccess looked ok and all downloaded and seemed to be converted.
It took a long time though and the router interface and internet traffic was a bit of a hit and miss.
Using top i could see the load hovering 5 and 6 wich obviously is way to much for the CPU to handle.
Cant unbound handle such a 'big' list?
Memory was filled and approx 800mb of swap used, keep in mind, there was no other script installed at this time as i factory resetted the device before i started the unbound route.
Edit: redone everything and now it seesm to be working.
Weird thing though, i now have free memory on the RAM itself and SWAP used.
With the same list in Diversion i did not have this.
Is it expected to have SWAP used now with Unbound?
Luckily i can easy set it up again so no biggie there.
As for the problem, from my understanding i can have the Unbound addblocker active.
With winscp i edited the file for blacklist URL's, these contain 17 URL's now and combine a numer of 1.7.xx.xxx domains.
The update proccess looked ok and all downloaded and seemed to be converted.
It took a long time though and the router interface and internet traffic was a bit of a hit and miss.
Using top i could see the load hovering 5 and 6 wich obviously is way to much for the CPU to handle.
Cant unbound handle such a 'big' list?
Memory was filled and approx 800mb of swap used, keep in mind, there was no other script installed at this time as i factory resetted the device before i started the unbound route.
Edit: redone everything and now it seesm to be working.
Weird thing though, i now have free memory on the RAM itself and SWAP used.
With the same list in Diversion i did not have this.
Is it expected to have SWAP used now with Unbound?
Last edited:
Martineau
Part of the Furniture
I will eventually formally release it as v3.23, given I will soon run out of my self-imposed single character Beta version release numbers
i.e. currently on 'bB' with only 'bC-bF' remaining to be used.
Hopefully forum members brave enough (if any?) to have used unbound_manager command
uf dev to install v3.23bB would have immediately reported any issues, but currently v3.23b* has been stable for many months on my friends/families routers.
Last edited:
I must have missed what is included in this update. Just did it anyway. Hope I get it right.
Code:
E:Option ==> uf dev
unbound_manager.sh downloaded successfully Github 'dev/development' branch
unbound Manager UPDATE Complete! 6b4a500c071bcbb3f4a6e9596a178d43
Checking haveged... alive.
Shutting down haveged... done.
+======================================================================+
| Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
| |
| Version 3.23bB by Martineau |
| |
+======================================================================+Martineau
Part of the Furniture
All Beta v3.23* commits can be reviewed using
unbound_manager command ?, then clicking (if your SSH Clients allows URL Hotspots) on the Change Log: URLe.g.
Code:
+======================================================================+
| Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
| |
| Version 3.23bB by Martineau |
| |
+======================================================================+
unbound (pid 1704) is running... uptime: 9 days 12:02:21 version: 1.13.2 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Sun Sep 5 22:12:49 DST 2021)
i = Update unbound and configuration ('/opt/var/lib/unbound/') l = Show unbound log entries (lo=Enable FULL Logging [log_level])
z = Remove unbound/unbound_manager v = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3 = Advanced Tools rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
? = About Configuration oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
rs = Restart (or Start) unbound (use 'rs nocache' to flush cache) s = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user1.asp)
e = Exit Script [?]
A:Option ==> ?
Version=3.23bB (Change Log: https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/commits/dev/unbound_manager.sh)
Local md5=c7a29f5806410ca53da61910981ea6a3
Github md5=6b4a500c071bcbb3f4a6e9596a178d43
/jffs/addons/unbound/unbound_manager.md5 md5=c7a29f5806410ca53da61910981ea6a3
Router Configuration recommended pre-reqs status:
[✔] Swapfile=1048572 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✖] Warning WAN: Use local caching DNS server as system resolver=YES see http://10.88.8.1:80/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
[✔] Entware NTP server 'S77chronyd' is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO
<snip>P.S. Not all commits have an accompanying description, e.g. trivial typo/column alignment corrections etc., but bug fixes and esoteric new features for Advanced Users should be documented.
immi803
Senior Member
@Martineau
I messed up my already optimized unbound.conf set by you
Can you please share conf file so i can replace and make my mess fixed
It would be great help
Thank you
I messed up my already optimized unbound.conf set by you
Can you please share conf file so i can replace and make my mess fixed
It would be great help
Thank you
Martineau
Part of the Furniture
If you have taken backups prior to testing custom config tweaks
e.g.
Code:
A:Option ==> vb
Active 'unbound.conf' backed up to '/opt/share/unbound/configs/20211007-071538_unbound.conf'rl commandAlternatively, you can quickly reset 'unbound.conf' to the installation defaults using
Code:
e = Exit Script [?]
A:Option ==> i config
Retrieving Custom unbound configuration
unbound.conf downloaded successfully
07:07:24 Checking 'unbound.conf' etc. for valid Syntax.....
07:07:25 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=745/343 rrset.cache=2561/1761
07:07:25 Requesting unbound (S61unbound) restart.....
Shutting down unbound... done.
Starting unbound... done.
07:07:29 Checking status, please wait.....
07:07:33 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2021-10-07 07:07:25) msg.cache=14/343 rrset.cache=125/1761
07:07:33 unbound OK
unbound (pid 12140) is running... uptime: 0 Days, 00:00:07 version: 1.13.2 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Thu Oct 7 07:07:29 DST 2021)NOTE: If you used
unbound_manager's addon files to customise unbound , then you will need to rename those files otherwise they will still be reapplied and may still propagate a bad configuration.
Last edited:
Is this because of unbound @Martineau ? That's my WAN IP appearing in top 10 blocked devices outbound in Skynet Gui
Martineau
Part of the Furniture
Sorry no idea as I don't use it
Apologies if this has been answered somewhere, search did not turn up any results that would help resolve.
I would like to have all Unbound traffic going through the VPN (VPN2 to VPN5, doesn't matter). I've tried a script from another thread, while that worked well for VPN1, my attempts to modify it to work with other VPN clients did not provide a reliable solution.
1.) I have enabled bind unbound through VPN5.
- The tunnel is active.
2.) In /jffs/scripts/vpnclient5-down, I have added
/jffs/addons/unbound/unbound_manager.sh vpn=disable
3.) In /jffs/scripts/vpnclient5-up, I have added
/jffs/addons/unbound/unbound_manager.sh vpn=5
4.) In /jffs/scripts/post-mount, I have added
logger "Checking unbound VPN bind....."
[ -n "$(which unbound_manager)" ] && { sh /jffs/addons/unbound/unbound_manager.sh vpn=disable; logger "unbound VPN routing DISABLED"; }
But I'm still seeing my ISP IP address in DNS leak test. Do I need to do anything else? Do I need to setup something through x3mrouting?
A setp by step walkthrough would be greatly appreciated.
BTW, when I run ip rule, I do not see (I think this may have something to do with it)
9991: from all fwmark 0x3000/0x3000 lookup ovpnc5
Thanks for the help.
Martineau
Part of the Furniture
Whilst I do not wish to offend @Swinson, in light of his current ongoing forum absence since June 2021, I have created a generic version of his original script that should allow you to designate any VPN client without the need to edit/hack the script.
You can download/test it from
Unbound-Asuswrt-Merlin/unbound_DNS_via_OVPN.sh at dev · MartineauUK/Unbound-Asuswrt-Merlin
Install and manage unbound (Recursive DNS) on Asus routers - MartineauUK/Unbound-Asuswrt-Merlin
github.com
Clearly your previous statement [the script] 'did not provide a reliable solution' needs to be made clearer... i.e. are you absolutely sure that the DNS Leak test is always 100% accurate?
IMHO,
x3mrouting shouldn't be necessary just for your DNS routing requirement? - see belowIf not using
x3mrouting then you need to implement the RPDB fwmark rules manually...see '/jffs/scripts/nat-start'
Policy based Port routing (manual method) · RMerl/asuswrt-merlin.ng Wiki · GitHub
to ensure that the RPDB fwmark rules are always available should the firewall be rebuilt whilst the VPN Client is UP.
(
x3mrouting dynamically adds/deletes the RPDB fwmark rules only when the VPN Client is actually started/stopped!)EDIT:
If you decide to test my generic '/jffs/addons/unbound/unbound_DNS_via_OVPN.sh' script then you should ensure ALL of the 'vpnclientX-route-*' event scripts contain the appropriate call
e.g. VPN Client 5
'/jffs/scripts/vpnclient5-route-up'
Code:
VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; } # Allow manual debugging from commandline
if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &
fi'/jffs/scripts/vpnclient5-route-pre-down'
Code:
VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; } # Allow manual debugging from commandline
if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop
fi
Last edited:
Thanks @Martineau, this is very nice and complete. I am using @Swinson script to bind unbound to wireguard. Will definitely use your enhanced version for it.Whilst I do not wish to offend @Swinson, in light of his current ongoing forum absence since June 2021, I have created a generic version of his original script that should allow you to designate any VPN client without the need to edit/hack the script.
You can download/test it from
Unbound-Asuswrt-Merlin/unbound_DNS_via_OVPN.sh at dev · MartineauUK/Unbound-Asuswrt-Merlin
Install and manage unbound (Recursive DNS) on Asus routers - MartineauUK/Unbound-Asuswrt-Merlin
Clearly your previous statement [the script] 'did not provide a reliable solution' needs to be made clearer... i.e. are you absolutely sure that the DNS Leak test is always 100% accurate?
IMHO,x3mroutingshouldn't be necessary just for your DNS routing requirement? - see below
If not usingx3mroutingthen you need to implement the RPDB fwmark rules manually...
see '/jffs/scripts/nat-start'
Policy based Port routing (manual method) · RMerl/asuswrt-merlin.ng Wiki · GitHub
to ensure that the RPDB fwmark rules are always available should the firewall be rebuilt whilst the VPN Client is UP.
(x3mroutingdynamically adds/deletes the RPDB fwmark rules only when the VPN Client is actually started/stopped!)
EDIT:
If you decide to test my generic '/jffs/addons/unbound/unbound_DNS_via_OVPN.sh' script then you should ensure ALL of the 'vpnclientX-route-*' event scripts contain the appropriate call
e.g. VPN Client 5
'/jffs/scripts/vpnclient5-route-up'
andCode:VPN_ID=${dev:4:1} [ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; } # Allow manual debugging from commandline if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then Say "Unbound DNS requests via VPN Client $VPN_ID requested....." /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start & fi
'/jffs/scripts/vpnclient5-route-pre-down'
Code:VPN_ID=${dev:4:1} [ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; } # Allow manual debugging from commandline if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then Say "Unbound DNS requests via VPN Client $VPN_ID terminating....." /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop fi
For line 39, I noticed it will take anything that contains number 1-5. Say 16 is valid. I edit a bit and seems now it will only take 1-5.
Code:
[ -z $(echo "$VPN_ID" | grep -E "[1-5]") ] --> ! [ "$VPN_ID" -ge 1 ] || ! [ "$VPN_ID" -le 5 ]Similar threads
Similar threads
Similar threads
-
Unbound Force all DNS requests through Unbound using iptables?- Started by muffintastic
- Replies: 14
-
-
-
-
-
-
Is it possible to use nord dns with unbound or any way to add it?- Started by Jack-Sparr0w
- Replies: 9
-
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-