Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2

The steps outlined are still relevant, ask additional questions if you must, but it's a start, even if the post is that old.

Don't enable the same/similar features on different scripts. You know better than that, right. ;)
 
The thing is that I do not know which script is better :) All I can understand is that Unbound is like a mini server itself. So if someone understands Unbound logic and configuration, it might work the same as Diversion+Skynet. Because if script features are the same/similar, why not put everything in one place? And I mentioned DNS leaks using Unbound, so this is a sign to configure it correctly.
 
There is no one-size-fits-all here. This isn't Apple land.

We live in a wonderful world of choices and have the ability to determine for ourselves what works best for us.

Try one, test it yourself, if you find anything missing, try another. Rinse and repeat until you've got the magic combination that works for you.

Nobody is going to be able to do that for you. At least, not via a post or even a whole thread.

Jump in, get your feet wet, and discover how deep you like to go. :)
 
While I don't disagree with @L&LD, there is core functionality for each of the scripts:

Unbound: DNS server
Skynet: firewall
Diversion: ad blocker

Yes, there is overlap since at some level they all can block traffic based on different criteria, but you should start by deciding what functionality you want/need.

If your primary need is to block ads, then start with Diversion. If you have some ports open to the internet, then consider Skynet. And if you want to run your own DNS server, then consider Unbound.
 
Is anyone working on an update to "our" unbound to bring it in-line with v1.14, if that's possible?
I popped over to the nlnetlabs website to look something up in the manpages, and I'm seeing things not found in our unbound.conf that might be helpful, like so-reuseport (now that I think more people are using IPv6) and possibly outgoing-range.
@Martineau ?
 
Entware will pick up OpenWrt’s bump to 1.15.0 next time they do a release. Available options sometimes depend on how Entware chooses to compile Unbound, and which architecture/kernel you’re running it on.
 
Easiest thing I ever did was compile it myself. This gives the user the most power.
 
This is probably a noob question, but is it normal to get these errors when updating unbound? IPV6 is not enabled on my router (AX86U):

[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:12::d0d port 53
[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:2::c port 53
[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:503:c27::2:30 port 53
[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:7fe::53 port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:a8::e port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:503:ba3e::2:30 port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:a8::e port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:7fd::1 port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:1::53 port 53
 
do-ipv6 is set to no. I don't remember seeing these errors before, but maybe I overlooked it.
Autumn 2021, NL Labs decided to always assume IPv6 should be attempted when generating the 'root key' using their utility '/opt/sbin/unbound-anchor'

Since this was cosmetic, back in Nov 2021 I patched unbound_manager Beta v3.23bB

You can try the Beta version by issuing:

Code:
e  = Exit Script [?]

A:Option ==> uf dev
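
A triage sketch for the errors discussed above, added here as an example and not part of the original posts or of unbound_manager: it counts `udp connect failed` lines by address family, so IPv6-only failures with `do-ipv6: no` (the cosmetic case described above) can be told apart from failures that need a look. The function names and the IPv4 sample line are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of unbound_manager: count libunbound
# "udp connect failed" lines by address family and give a verdict.

# Three lines copied from the thread (IPv6 root servers).
SAMPLE_V6='[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:12::d0d port 53
[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:2::c port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:7fd::1 port 53'

# Constructed line (192.0.2.53 is a documentation address), added to show
# what a failure that is NOT explained by IPv6 looks like.
SAMPLE_MIXED="$SAMPLE_V6
[1645651144] libunbound[29314:0] error: udp connect failed: Network is unreachable for 192.0.2.53 port 53"

# Reads a log on stdin, prints "ipv6=<n> ipv4=<n> other=<n>".
classify_failures() {
    awk '
        /udp connect failed:/ {
            n = split($0, parts, " for ")      # address follows the last " for "
            split(parts[n], tail, " ")
            addr = tail[1]
            if (addr ~ /:/) v6++
            else if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) v4++
            else other++
        }
        END { printf "ipv6=%d ipv4=%d other=%d\n", v6, v4, other }
    '
}

# $1 = the do-ipv6 value from unbound.conf ("yes" or "no"); log on stdin.
triage() {
    case "$(classify_failures)" in
        "ipv6=0 ipv4=0 other=0") echo "clean" ;;
        ipv6=*" ipv4=0 other=0")
            # Only IPv6 targets failed: expected when IPv6 is off, a real
            # connectivity problem when IPv6 is supposed to work.
            if [ "$1" = "no" ]; then echo "ipv6-only"; else echo "investigate"; fi ;;
        *) echo "investigate" ;;
    esac
}

printf '%s\n' "$SAMPLE_V6"    | triage no    # ipv6-only
printf '%s\n' "$SAMPLE_MIXED" | triage no    # investigate
```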
 
Thanks! That explains it. I thought maybe I had messed things up... ;)
 
Can you help with some very basic questions on this.

I have updated vpnclient5-route-up and vpnclient5-route-pre-down as noted above and created /jffs/addons/unbound/unbound_DNS_via_OVPN.sh and x3mrouting was already installed (previously used with setting VPN 5 from unbound_manager advanced).

How do I get this to run?

If I run
Code:
 /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 5 start
via ssh then I get
Code:
(unbound_DNS_via_OVPN.sh): 11079 Starting Script Execution 5 start
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
PING 9.9.9.9 (9.9.9.9): 56 data bytes
64 bytes from 9.9.9.9: seq=0 ttl=60 time=17.950 ms

--- 9.9.9.9 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 17.950/17.950/17.950 ms
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
PING 9.9.9.9 (9.9.9.9): 56 data bytes
64 bytes from 9.9.9.9: seq=0 ttl=60 time=653.335 ms

--- 9.9.9.9 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 653.335/653.335/653.335 ms
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
PING 9.9.9.9 (9.9.9.9): 56 data bytes
until I Ctrl-C and run
Code:
 /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 5 stop
which sets everything back.

1. Does it matter if vpnclient5-route-up and vpnclient5-route-pre-down are in /jffs/scripts or in /jffs/scripts/x3mrouting?
2. If I want the script to run automatically (at start-up) do I leave it in /jffs/addons/unbound/ or move it to /jffs/scripts or do something else?
3. How can I check to see if the requests are being sent to the VPN provider?
Anyone still running this script with unbound? I upgraded to the latest firmware and now that script won't run... maybe I'm doing something wrong?
Code:
ASUSWRT-Merlin GT-AX11000 386.5_0 Wed Mar  2 16:36:59 UTC 2022
admin@GT-AX11000-xxxx:/tmp/home/root# /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start
(unbound_DNS_via_OVPN.sh): 19828 Starting Script Execution 1 start
ping: bad address 'tun11'
ping: bad address 'tun11'
ping: bad address 'tun11'
 
I am running Martineau's unbound_DNS_via_OVPN script currently on ac86u running Merlin 386.5. It is working the same as with earlier versions of firmware for me.
 
Execute debugging to look for clues
Code:
sh -x /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start
or rename the old script (don't delete) then create a fresh script to see if there is possible corruption.
 
I appreciate the information. I'll give another go and provide any feedback!!!
 
I don’t have such an issue. I used the version from Martineau and bind unbound to wireguard.

Getting bad address ‘tun11’ seems like something is wrong in the ping command in the script.
Code:
admin@RT-AC86U-DBA8:/# ping tun11
ping: bad address 'tun11'
admin@RT-AC86U-DBA8:/# 
admin@RT-AC86U-DBA8:/# ping -qc1 -w1 -I tun11 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 56.266/56.266/56.266 ms
admin@RT-AC86U-DBA8:/#
 
Did a search but nothing turned up - when enabling the adblocking on unbound, is there a way to allow a specific IP to bypass the blocklist? (EG, I've got a computer that needs access to some ad servers). I'm thinking it could be done with views but my attempts so far have all been futile.
 
Hi. I have configured unbound with adguardhome for its youtube ads blocking feature on AC68u. I have used tcp://127.0.0.1:53535 (unbound) inside adguardhome upstreams DNS servers:


As I understand, unbound uses the ISP DNS servers to perform DNS operations. Since my ISP DNS servers are notorious for instability, I want to use cloudflare & google dns-over-tls servers inside unbound as fall back servers, or act as parallel, in case my isp dns servers are not available. I don't care about the additional latency as I just want to block youtube ads.

What is the best way forward?

In the following post, it has been suggested to use the DoT option:


But I can't see this option in my unbound manager:

 
