Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2

[Zim]

Whilst I do not wish to offend @Swinson, in light of his current ongoing forum absence since June 2021, I have created a generic version of his original script that should allow you to designate any VPN client without the need to edit/hack the script.

You can download/test it from

Unbound-Asuswrt-Merlin/unbound_DNS_via_OVPN.sh at dev · MartineauUK/Unbound-Asuswrt-Merlin

Install and manage unbound (Recursive DNS) on Asus routers - MartineauUK/Unbound-Asuswrt-Merlin

github.com

Clearly your previous statement [the script] 'did not provide a reliable solution' needs to be made clearer... i.e. are you absolutely sure that the DNS Leak test is always 100% accurate?

IMHO, x3mrouting shouldn't be necessary just for your DNS routing requirement? - see below

If not using x3mrouting then you need to implement the RPDB fwmark rules manually...
see '/jffs/scripts/nat-start'
Policy based Port routing (manual method) · RMerl/asuswrt-merlin.ng Wiki · GitHub
to ensure that the RPDB fwmark rules are always available should the firewall be rebuilt whilst the VPN Client is UP.
(x3mrouting dynamically adds/deletes the RPDB fwmark rules only when the VPN Client is actually started/stopped!)

EDIT:
If you decide to test my generic '/jffs/addons/unbound/unbound_DNS_via_OVPN.sh' script then you should ensure ALL of the 'vpnclientX-route-*' event scripts contain the appropriate call

e.g. VPN Client 5

'/jffs/scripts/vpnclient5-route-up'

VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &
fi

and

'/jffs/scripts/vpnclient5-route-pre-down'

VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop
fi

This is amazing @Martineau. Thanks for taking the time to write this. Greatly appreciated!!!

I see a few people have successfully tried this with x3mrouting installed. I'm trying this without x3mrouting. Here is what I have done.


1.) Copy+pasted and added your script unbound_DNS_via_OVPN.sh in /jffs/addons/unbound/

2.) In the script above, changed this: VPN_ID=$1 to VPN_ID=4 (want DNS queries tunneled through VPN4)

3.) Under /jffs/scripts/ modified the following files:

• for init-start added:

  • modprobe xt_comment

• for nat-start added:

  • #!/bin/sh
    sleep 10 # During the boot process nat-start may run multiple times so this is required
    
    # Ensure duplicate rules are not created
    for VPN_ID in 0 1 2 3 4 5
    do
    ip rule del prio 999$VPN_ID 2>/dev/null
    done
    
    # Create the RPDB rules
    ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
    ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark

• for vpnclient4-route-up added:

  • #!/bin/sh
    logger -t $(basename $0) "OpenVPN Client 4 coming up ..."
    
    ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark
    
    VPN_ID=${dev:4:1}
    [ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; } # Allow manual debugging from commandline
    if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &
    fi

• for vpnclient4-route-pre-down added:

  • #!/bin/sh
    logger -t $(basename $0) "OpenVPN Client 4 going down ..."
    
    ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
    
    VPN_ID=${dev:4:1}
    [ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; } # Allow manual debugging from commandline
    
    if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop
    fi

After doing all this, I reboot the router. When I run ip rule, I can see entries for 0x8000/0x8000 and 0x7000/0x7000, but for some reason, the DNS queries are going through VPN1. Oddly, when I go through a few reboot cycles, sometimes the DNS queries are going through VPN1/VPN3/VPN4.

Questions:

1.) Are the steps listed above, correct?​

​

2.) Why are the DNS queries not consistently going through VPN4? Anything I need to add/remove to get this to work?​

​

3.) With this setup, what happens if theVPN4 goes down, does the DNS query go to the next available tunnel, or does it now leak my IP?​

​

4.) The script doesn't appear to run by itself on reboot. Or if it is, the VPN tunnel is not up by that time and need to delay the start of the script.​

​

a.) For this script to startup at reboot, do I need to add this code to services-start​

/jffs/addons/unbound/unbound_DNS_via_OVPN.sh 4 start

​

b.) For adding more delay for the script to run at startup, in unbound_DNS_via_OVPN.sh, should I change:​

[ -z "$3" ] && MAX_WAIT=150 || MAX_WAIT=$3

to​

[ -z "$3" ] && MAX_WAIT=300 || MAX_WAIT=$3

to have a 5 minute delay?​

​

5.) Lastly, is it possible to have all devices connected to a VPN have that VPN's IP address for DNS? For example:​

• Devices A/B/C are connected to VPN1; their DNS IP should be that of VPN1
• Devices D/E/F are connected to VPN2; their DNS IP should be that of VPN2
• Devices G/H/I are connected to VPN3; their DNS IP should be that of VPN3
• ...and so on.

Once I get everything sorted, I'll update this post and hope it will serve as a step-by-step guide for future/present visitors (until someone can create an installer).

Appreciate the help, @Martineau and all!

 

[chongnt]

This is amazing @Martineau. Thanks for taking the time to write this. Greatly appreciated!!!

I see a few people have successfully tried this with x3mrouting installed. I'm trying this without x3mrouting. Here is what I have done.


1.) Copy+pasted and added your script unbound_DNS_via_OVPN.sh in /jffs/addons/unbound/

2.) In the script above, changed this: VPN_ID=$1 to VPN_ID=4 (want DNS queries tunneled through VPN4)

3.) Under /jffs/scripts/ modified the following files:

• for init-start added:

  • modprobe xt_comment

• for nat-startadded:

  • #!/bin/sh
    sleep 10 # During the boot process nat-start may run multiple times so this is required
    
    # Ensure duplicate rules are not created
    for VPN_ID in 0 1 2 3 4 5
    do
    ip rule del prio 999$VPN_ID 2>/dev/null
    done
    
    # Create the RPDB rules
    ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
    ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark

• for vpnclient4-route-up added:

  • #!/bin/sh
    logger -t $(basename $0) "OpenVPN Client 4 coming up ..."
    
    ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark
    
    VPN_ID=${dev:4:1}
    [ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; } # Allow manual debugging from commandline
    if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &
    fi

• for vpnclient4-route-pre-downadded:

  • #!/bin/sh
    logger -t $(basename $0) "OpenVPN Client 4 going down ..."
    
    ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
    
    VPN_ID=${dev:4:1}
    [ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; } # Allow manual debugging from commandline
    
    if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop
    fi

After doing all this, I reboot the router. When I run ip rule, I can see entries for 0x8000/0x8000 and 0x7000/0x7000, but for some reason, the DNS queries are going through VPN1. Oddly, when I go through a few reboot cycles, sometimes the DNS queries are going through VPN1/VPN3/VPN4.

Questions:

1.) Are the steps listed above, correct?​

​

2.) Why are the DNS queries not consistently going through VPN4? Anything I need to add/remove to get this to work?​

​

3.) With this setup, what happens if theVPN4 goes down, does the DNS query go to the next available tunnel, or does it now leak my IP?​

​

4.) The script doesn't appear to run by itself on reboot. Or if it is, the VPN tunnel is not up by that time and need to delay the start of the script.​

​

a.) For this script to startup at reboot, do I need to add this code to services-start​

/jffs/addons/unbound/unbound_DNS_via_OVPN.sh 4 start

​

b.) For adding more delay for the script to run at startup, in unbound_DNS_via_OVPN.sh, should I change:​

[ -z "$3" ] && MAX_WAIT=150 || MAX_WAIT=$3

to​

[ -z "$3" ] && MAX_WAIT=300 || MAX_WAIT=$3

to have a 5 minute delay?​

​

5.) Lastly, is it possible to have all devices connected to a VPN have that VPN's IP address for DNS? For example:​

• Devices A/B/C are connected to VPN1; their DNS IP should be that of VPN1
• Devices D/E/F are connected to VPN2; their DNS IP should be that of VPN2
• Devices G/H/I are connected to VPN3; their DNS IP should be that of VPN3
• ...and so on.

Once I get everything sorted, I'll update this post and hope it will serve as a step-by-step guide for future/present visitors (until someone can create an installer).

Appreciate the help, @Martineau and all!

Martineau’s script is written in such a way that we don’t need to edit it. We just need to put it in the specific vpnclient-route-up that we want DNS to go through. Don’t put it in every vpnclient-route-up script.

So basically step 2 is not required. You already have it in your step 3 vpnclient4-route-up script.

By right it should only go through vpn client 4 unless you put his script in other vpnclient-route-up script. To verify you can run iptables -nvL OUTPUT -t mangle --line.

With this setup, when vpn client 4 goes down, DNS resolution will go back to WAN.

Since you have already put it in vpnclient4-route-up, it will only run when vpn client 4 comes up. If you have configure vpn client 4 to automatic start at boot that should cover it. There is no need to put it explicitly in services start.

For your last question, it seems not possible with unbound. How about set accept DNS configuration in VPN Client GUI to exclusive?

Edit: I think it is possible to route DNS to other vpn client when vpn client 4 goes down. Say your priority is via vpn client 4, you want to have vpn client 3, 2 and 1 as backup before last resort back to WAN. Something like this in vpnclient4-route-down script probably can do it. By the way, I have been using x3mRouting for some time, not sure if these state files are created by x3mRouting or by Merlin though.

if [ -f /tmp/vpnclient3_state ] && [ "$(cat /tmp/vpnclient3_state)" = "vpnclient3-route-up" ];then
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 3 start &
elif [ -f /tmp/vpnclient2_state ] && [ "$(cat /tmp/vpnclient2_state)" = "vpnclient2-route-up" ];then
   /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 2 start &
elif [ -f /tmp/vpnclient1_state ] && [ "$(cat /tmp/vpnclient1_state)" = "vpnclient1-route-up" ];then
   /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start &
fi

You may also look into another script by Martineau and see if it fit your requirement.

GitHub - MartineauUK/VPN-Failover: ASUS Router Monitor VPN Client connection status/throughput performance and switch or restart VPN Client

ASUS Router Monitor VPN Client connection status/throughput performance and switch or restart VPN Client - MartineauUK/VPN-Failover

github.com

 

[gjf]

Does anybody expect issues in resolving monster.com by Unbound?
In my case all DNS requests are timed out. Have to connect via VPN to open the website.
Weird because Google/Cloudflare DNS are also timed out for this host.

Monster has restriction on IPs?

 

[Kingp1n]

Does anybody expect issues in resolving monster.com by Unbound?
In my case all DNS requests are timed out. Have to connect via VPN to open the website.
Weird because Google/Cloudflare DNS are also timed out for this host.

Monster has restriction on IPs?

No issues here. Do you diversion or Skynet? That could be another possibility.

 

[iTyPsIDg]

e.g. VPN Client 5

'/jffs/scripts/vpnclient5-route-up'

VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &
fi

and

'/jffs/scripts/vpnclient5-route-pre-down'

VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop
fi

What is the purpose of "Say?" I'm getting

./vpnclient1-route-up: line 7: Say: not found

when I run the scripts.

 

[Martineau]

What is the purpose of "Say?" I'm getting

./vpnclient1-route-up: line 7: Say: not found

when I run the scripts.

Apologies, Say is an alias/shortcut function that replaces 'logger -s'

 

[iTyPsIDg]

Apologies, Say is an alias/shortcut function that replaces 'logger -s'

That helps, thank you.

Just in case anyone else has this problem, my openvpn-event file disappeared from /jffs/scripts/x3mRouting after I did an update. You may have to reinstall it if that happens because the file seems necessary to make these scripts run EDIT:***automatically***.

 

[Kingp1n]

Whilst I do not wish to offend @Swinson, in light of his current ongoing forum absence since June 2021, I have created a generic version of his original script that should allow you to designate any VPN client without the need to edit/hack the script.

You can download/test it from

Unbound-Asuswrt-Merlin/unbound_DNS_via_OVPN.sh at dev · MartineauUK/Unbound-Asuswrt-Merlin

Install and manage unbound (Recursive DNS) on Asus routers - MartineauUK/Unbound-Asuswrt-Merlin

github.com

Clearly your previous statement [the script] 'did not provide a reliable solution' needs to be made clearer... i.e. are you absolutely sure that the DNS Leak test is always 100% accurate?

Anyone here still using the modified swinson script?

I have an issue which use to happen with the original script as well but I can't identify what's causing my issue.

It seems to randomly switch to the ISP DNS every now and then, it will stay on the VPN IP for a couple of days solid then it'll automatically switch to the ISP DNS within an hour after manually restarting the script. It seems the syslogs doesnt show much info.

Once I manually run the command below it starts working again:

/jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start

Has anyone else had this issue?

I have double checked everything and I do have the following rules below:

recently added this rule under "services-start" to see if it may help:

sleep 30 && sh /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start

"services-start"

#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

"init-start"

#!/bin/sh
sh /jffs/addons/unbound/stuning start            # unbound_manager
modprobe xt_comment

I have both the vpnclient1 up and down rules:
"vpnclient1-route-up"

#!/bin/sh
logger -t $(basename $0) "OpenVPN Client 1 coming up ..."

VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &

fi

"vpnclient1-route-pre-down":

#!/bin/sh
logger -t $(basename $0) "OpenVPN Client 1 going down ..."

VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop

fi

 

[iTyPsIDg]

Anyone here still using the modified swinson script?

I have an issue which use to happen with the original script as well but I can't identify what's causing my issue.

It seems to randomly switch to the ISP DNS every now and then, it will stay on the VPN IP for a couple of days solid then it'll automatically switch to the ISP DNS within an hour after manually restarting the script. It seems the syslogs doesnt show much info.

Once I manually run the command below it starts working again:

/jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start

Has anyone else had this issue?

I have double checked everything and I do have the following rules below:

recently added this rule under "services-start" to see if it may help:

sleep 30 && sh /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start

"services-start"

#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

"init-start"

#!/bin/sh
sh /jffs/addons/unbound/stuning start            # unbound_manager
modprobe xt_comment

I have both the vpnclient1 up and down rules:
"vpnclient1-route-up"

#!/bin/sh
logger -t $(basename $0) "OpenVPN Client 1 coming up ..."

VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &

fi

"vpnclient1-route-pre-down":

#!/bin/sh
logger -t $(basename $0) "OpenVPN Client 1 going down ..."

VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop

fi

I'm using the modified script. I hadn't checked previously, but my DNS is leaking right now.

 

[iTyPsIDg]

I'm using the modified script. I hadn't checked previously, but my DNS is leaking right now.

My issue could be related to my unique situation though. I also haven't been able to ping from the router for the past 11 hours. That coincides with a reboot of the DSL router earlier today when my Internet went out. I did not reboot the Asus router.

I leave Rome in a few days, then I won't use the router again until I get to Uruguay. Here's hoping that I don't have to double-NAT because of a DSL modem router in the mix.

 

[chongnt]

Anyone here still using the modified swinson script?

I have an issue which use to happen with the original script as well but I can't identify what's causing my issue.

It seems to randomly switch to the ISP DNS every now and then, it will stay on the VPN IP for a couple of days solid then it'll automatically switch to the ISP DNS within an hour after manually restarting the script. It seems the syslogs doesnt show much info.

Once I manually run the command below it starts working again:

/jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start

Has anyone else had this issue?

I have double checked everything and I do have the following rules below:

recently added this rule under "services-start" to see if it may help:

sleep 30 && sh /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start

"services-start"

#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

"init-start"

#!/bin/sh
sh /jffs/addons/unbound/stuning start            # unbound_manager
modprobe xt_comment

I have both the vpnclient1 up and down rules:
"vpnclient1-route-up"

#!/bin/sh
logger -t $(basename $0) "OpenVPN Client 1 coming up ..."

VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &

fi

"vpnclient1-route-pre-down":

#!/bin/sh
logger -t $(basename $0) "OpenVPN Client 1 going down ..."

VPN_ID=${dev:4:1}iptables -nvL POSTROUTING -t nat --line
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop

fi

I have been using the modified script and have no issue. The only change I make is instead of route to openvpn client, I route it to wireguard vpn client. Otherwise everything is the same.

A few commands are useful to check. One is if the vpn client state is up by using ping, for example tun11 is for vpn client 1 ping -c1 -w1 -I tun11 1.1.1.1. Next is to check if the iptables has been created by this script after vpn client is up iptables -nvL POSTROUTING -t nat --line. Last is to do a dig to check if DNS resolution is indeed going through the vpn client dig @127.0.0.1 google.com. You can check back the second command to make sure the pkts counter for rule mark with openvpn client increases whenever we run the dig command. For the case of vpn client 1, we check the pkts count for the row with rule mark with 0x1000.

Edit: One more ip rule to make sure the fwmark is in place. For example, we should have something like this for vpn client 1: [9995: from all fwmark 0x1000/0x1000 lookup ovpnc1.[/CODE]

 

[iTyPsIDg]

My issue could be related to my unique situation though. I also haven't been able to ping from the router for the past 11 hours. That coincides with a reboot of the DSL router earlier today when my Internet went out. I did not reboot the Asus router.

I leave Rome in a few days, then I won't use the router again until I get to Uruguay. Here's hoping that I don't have to double-NAT because of a DSL modem router in the mix.

I rebooted the Asus router and I started getting pings again. It also fixed my DNS leak. The DSL router keeps changing my "WAN IP" often. Unfortunately, this Airbnb host changed the default password to their router, so I can't log in and give myself a reserved IP with DMZ access. I seem to run into issues when the IP changes.

 

[Ubimo]

I see this error, when I install unbound_manager:

https://imgur.com/a/gzNPMxg

Edit:
Trying to re-install, I get this error:

https://imgur.com/a/JQqozlb

 

[Martineau]

I see this error, when I install unbound_manager:

https://imgur.com/a/gzNPMxg

Edit:
Trying to re-install, I get this error:

https://imgur.com/a/JQqozlb

Presumably unbound still works?

I see this error, when I install unbound_manager:

https://imgur.com/a/gzNPMxg

Edit:
Trying to re-install, I get this error:

https://imgur.com/a/JQqozlb

i.e. neither message negatively impacts the unbound installation process.

getopts utility is not part of the firmware and has been like this since unbound v1.11?

One of the recent unbound-anchor updates now verbosely enforces the IPv6 resolution attempt, even if IPv6 is not ENABLED.
I have uploaded unbound_manager v3.23bB to the Github dev branch which executes unbound-anchor in IPv4 ONLY mode if appropriate.

 

[Khadanja]

Is there a way to test if DNS firewall is working? It is enabled and if I pick a url form the list I can browse to it for e.g. http://zaitia.com/ which appears in the rpz.urlhaus.abuse.ch.zone file. Also another example is aayom.biz aayom.co.in, these redirect to https://aayom.com/

 

[Martineau]

Is there a way to test if DNS firewall is working? It is enabled and if I pick a url form the list I can browse to it for e.g. http://zaitia.com/ which appears in the rpz.urlhaus.abuse.ch.zone file. Also another example is aayom.biz aayom.co.in, these redirect to https://aayom.com/

The dig request should show 'NXDOMAIN'

e  = Exit Script [?]

A:Option ==> dig zaitia.com


; <<>> DiG 9.17.13 <<>> txt zaitia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25358
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;zaitia.com.            IN    TXT

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Nov 21 10:45:36 UTC 2021
;; MSG SIZE  rcvd: 39


; <<>> DiG 9.17.13 <<>> zaitia.com @127.0.0.1 -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25465
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;zaitia.com.            IN    A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; WHEN: Sun Nov 21 10:45:37 UTC 2021
;; MSG SIZE  rcvd: 39

If you have @juched's GUI stats enabled then you should see it in the graph?

and the unbound log (if ENABLED) will show the blocking DNS RPZ zone 'rpz.urlhaus.abuse.ch'

e  = Exit Script [?]

A:Option ==> l

/opt/var/lib/unbound/unbound.log        Press CTRL-C to stop


Nov 21 10:45:36 unbound[12977:0] info: RPZ applied [rpz.urlhaus.abuse.ch] zaitia.com. nxdomain 127.0.0.1@28484 zaitia.com. TXT IN
Nov 21 10:45:37 unbound[12977:0] info: RPZ applied [rpz.urlhaus.abuse.ch] zaitia.com. nxdomain 127.0.0.1@57487 zaitia.com. A IN

 

[Khadanja]

The dig request should show 'NXDOMAIN'

e  = Exit Script [?]

A:Option ==> dig zaitia.com


; <<>> DiG 9.17.13 <<>> txt zaitia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25358
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;zaitia.com.            IN    TXT

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Nov 21 10:45:36 UTC 2021
;; MSG SIZE  rcvd: 39


; <<>> DiG 9.17.13 <<>> zaitia.com @127.0.0.1 -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25465
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;zaitia.com.            IN    A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; WHEN: Sun Nov 21 10:45:37 UTC 2021
;; MSG SIZE  rcvd: 39

If you have @juched's GUI stats enabled then you should see it in the graph?

and the unbound log (if ENABLED) will show the blocking DNS RPZ zone 'rpz.urlhaus.abuse.ch'

e  = Exit Script [?]

A:Option ==> l

/opt/var/lib/unbound/unbound.log        Press CTRL-C to stop


Nov 21 10:45:36 unbound[12977:0] info: RPZ applied [rpz.urlhaus.abuse.ch] zaitia.com. nxdomain 127.0.0.1@28484 zaitia.com. TXT IN
Nov 21 10:45:37 unbound[12977:0] info: RPZ applied [rpz.urlhaus.abuse.ch] zaitia.com. nxdomain 127.0.0.1@57487 zaitia.com. A IN

View attachment 37446

I get the red screen but I thought that was because of Google Safe Browsing, not DNS firewall. Logs don't show blocked, maybe domain is in another list I'm using?

Nov 22 09:02:24 RT-AC68U-20E0 unbound: [1410:0] query: 192.168.1.8 zaitia.com. A IN
Nov 22 09:02:24 RT-AC68U-20E0 unbound: [1410:0] info: zaitia.com. always_nxdomain 192.168.1.8@55448 zaitia.com. A IN
Nov 22 09:02:24 RT-AC68U-20E0 unbound: [1410:0] reply: 192.168.1.8 zaitia.com. A IN NXDOMAIN 0.000000 1 28
Also, what about aayom.biz aayom.co.in, how come these redirect to https://aayom.com/ & don't get blocked?
even the test url doesn't show up as blocked in logs
Nov 22 09:08:22 RT-AC68U-20E0 unbound: [1410:0] query: 192.168.1.8 testentry.rpz.urlhaus.abuse.ch. A IN
Nov 22 09:08:22 RT-AC68U-20E0 unbound: [1410:0] reply: 192.168.1.8 testentry.rpz.urlhaus.abuse.ch. A IN NXDOMAIN 0.000000 0 111

Another one which is in the file but I can browse to it & this is what dig shows -
dig alatieq.com
; <<>> DiG 9.16.1-Ubuntu <<>> alatieq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4629
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;alatieq.com. IN A
;; ANSWER SECTION:
alatieq.com. 0 IN A 192.185.78.170
;; Query time: 0 msec
;; SERVER: 172.25.176.1#53(172.25.176.1)
;; WHEN: Mon Nov 22 09:13:35 NZDT 2021
;; MSG SIZE rcvd: 56

 

[Khadanja]

Noticed the firewall code is all hashed out in unbound.conf so enabled firewall again(logs below), checked unbond.conf again after enabling, still hashed.

A:Option ==> firewall
Do you want to enable DNS Firewall?
        Reply 'y' or press [Enter]  to skip
y
        unbound_rpz.sh downloaded successfully
Custom '/opt/share/unbound/configs/rpzsites' already exists - 'rpzsites' download skipped
Creating new unbound.conf.firewall file.
(unbound_rpz.sh): 31380 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
######################################################################## 100.0%
Adding zone rpz.urlhaus.abuse.ch to unbound.conf.firewall.
Installed.
Adding 'include: "/opt/share/unbound/configs/unbound.conf.firewall" to '/opt/var/lib/unbound/unbound.conf'
        unbound DNS Firewall ENABLED
09:29:19 Checking 'unbound.conf' etc. for valid Syntax.....
        Non-Fatal:  unbound-checkconf[31438:0] warning: duplicate local-zone www.google.com.?A?216.239.38.120. unbound-checkconf[31438:0] warning: duplicate local-zone www.google.com.au.?A?216.239.38.120. unbound-checkconf[31438:0] warning: duplicate local-zone www.google.co.nz.?A?216.239.38.120. - no errors in /opt/var/lib/unbound/unbound.conf
09:29:33 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=21323/1081 rrset.cache=31340/4689
09:29:33 Requesting unbound (S61unbound) restart.....
Done.
 Shutting down unbound...              failed.
 Starting unbound...              already running.

 

[Martineau]

Noticed the firewall code is all hashed out in unbound.conf so enabled firewall again(logs below), checked unbond.conf again after enabling, still hashed.

A:Option ==> firewall
Do you want to enable DNS Firewall?
        Reply 'y' or press [Enter]  to skip
y
        unbound_rpz.sh downloaded successfully
Custom '/opt/share/unbound/configs/rpzsites' already exists - 'rpzsites' download skipped
Creating new unbound.conf.firewall file.
(unbound_rpz.sh): 31380 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
######################################################################## 100.0%
Adding zone rpz.urlhaus.abuse.ch to unbound.conf.firewall.
Installed.
Adding 'include: "/opt/share/unbound/configs/unbound.conf.firewall" to '/opt/var/lib/unbound/unbound.conf'
        unbound DNS Firewall ENABLED
09:29:19 Checking 'unbound.conf' etc. for valid Syntax.....
        Non-Fatal:  unbound-checkconf[31438:0] warning: duplicate local-zone www.google.com.?A?216.239.38.120. unbound-checkconf[31438:0] warning: duplicate local-zone www.google.com.au.?A?216.239.38.120. unbound-checkconf[31438:0] warning: duplicate local-zone www.google.co.nz.?A?216.239.38.120. - no errors in /opt/var/lib/unbound/unbound.conf
09:29:33 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=21323/1081 rrset.cache=31340/4689
09:29:33 Requesting unbound (S61unbound) restart.....
Done.
Shutting down unbound...              failed.
Starting unbound...              already running.

Have you checked the RPZ zone configuration file referred to in the 'include' message rather than 'unbound.conf'?

 

[Khadanja]

Have you checked the RPZ zone configuration file referred to in the 'include' message rather than 'unbound.conf'? What do you get for dig alatieq.com?

Here are the contents of that file -

rpz:
name: rpz.urlhaus.abuse.ch
#url: "https://urlhaus.abuse.ch/downloads/rpz/"
zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone
rpz-log: yes
rpz-log-name: "rpz.urlhaus.abuse.ch"
rpz-action-override: nxdomain