Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2

[L&LD]

The steps outlined are still relevant, ask additional questions if you must, but it's a start, even if the post is that old.

Don't enable the same/similar features on different scripts. You know better than that, right.

 

[unrealliving]

The steps outlined are still relevant, ask additional questions if you must, but it's a start, even if the post is that old.

Don't enable the same/similar features on different scripts. You know better than that, right.

The thing is that I do not know which script is better All I can understand that Unbound is like mini server itself. So if someone understands Unbound logic and configuration it might could work the same as Diversion+Skynet. Because if script features are same/similar why not to put everything in one place? And I mentioned about DNS leaks using Unbound so this is as a sign to configure it correctly.

 

[L&LD]

There is no one-size-fits-all here. This isn't Apple land.

We live in a wonderful world of choices and have the ability to determine for ourselves what works best for us.

Try one, test it yourself, if you find anything missing, try another. Rinse and repeat until you've got the magic combination that works for you.

Nobody is going to be able to do that for you. At least, not via a post or even a whole thread.

Jump in, get your feet wet, and discover how deep you like to go.

 

[pdc]

While I don't disagree with @L&LD, there is core functionality for each of the scripts:

Unbound: DNS server
Skynet: firewall
Diversion: ad blocker

Yes, there is overlap since at some level they all can block traffic based on different criteria, but you should start by deciding what functionality you want/need.

If your primary need is to block ads, then start with Diversion. If you have some ports open to the internet, then consider Skynet. And if you want to run your own DNS server, then consider Unbound.

 

[heysoundude]

is anyone working on an update to "our" unbound to bring it in-line with v1.14, if that's possible?
I popped over to the nlnetlabs website to look something up in the manpages, and I'm seeing things not found in our unbound.conf that might be helpful like so-reuseport (now that I think more people are using IPv6) and possibly outgoing-range
@Martineau ?

 

[dave14305]

is anyone working on an update to "our" unbound to bring it in-line with v1.14, if that's possible?

Entware will pickup OpenWrt’s bump to 1.15.0 next time they do a release. Available options sometimes depend on how Entware chooses to compile Unbound, and which architecture/kernel you’re running it on.

 

[SomeWhereOverTheRainBow]

Entware will pickup OpenWrt’s bump to 1.15.0 next time they do a release. Available options sometimes depend on how Entware chooses to compile Unbound, and which architecture/kernel you’re running it on.

Easiest thing I ever did was compile it myself. This gives the user the most power.

 

[rlw6534]

This is probably a noob question, but is it normal to get these errors when updating unbound? IPV6 is not enabled on my router (AX86U):

[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:12::d0d port 53
[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:2::c port 53
[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:503:c27::2:30 port 53
[1645651142] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:7fe::53 port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:a8::e port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:503:ba3e::2:30 port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:a8::e port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:7fd::1 port 53
[1645651143] libunbound[29314:0] error: udp connect failed: Cannot assign requested address for 2001:500:1::53 port 53

 

[rlw6534]

Is it enabled on your openvpn server site tunnels?

I'm not using openvpn. I have ntpmerlin, scmerlin and unbound installed, otherwise stock Merlin.

 

[rlw6534]

Looks to me like unbound is failing to connect to root servers over ipv6. As long as unbound is working, that shouldn't matter. Just make sure your unbound.conf has do-ipv6 set to no

do-ipv6 is set to no. I don't remember seeing these errors before, but maybe I overlooked it.

 

[Martineau]

do-ipv6 is set to no. I don't remember seeing these errors before, but maybe I overlooked it.

Autumn 2021, NL Labs decided to always assume IPv6 should be attempted when generating the 'root key' using their utility '/opt/sbin/unbound-anchor'

Since this was cosmetic, back in Nov 2021 I patched unbound_manager Beta v3.23bB

Update unbound_manager.sh · MartineauUK/Unbound-Asuswrt-Merlin@3d1e95b

FIX: Suppress IPv6 messages issued by unbound-anchor if IPv6 is not ENABLED.

github.com

You can try the Beta version by issuing:

e  = Exit Script [?]

A:Option ==> uf dev

 

[rlw6534]

Autumn 2021, NL Labs decided to always assume IPv6 should be attempted when generating the 'root key' using their utility '/opt/sbin/unbound-anchor'

Since this was cosmetic, back in Nov 2021 I patched unbound_manager Beta v3.23bB

Update unbound_manager.sh · MartineauUK/Unbound-Asuswrt-Merlin@3d1e95b

FIX: Suppress IPv6 messages issued by unbound-anchor if IPv6 is not ENABLED.

github.com

You can try the Beta version by issuing:

e  = Exit Script [?]

A:Option ==> uf dev

Thanks! That explains it. I thought maybe I had messed things up...

 

[Kingp1n]

Can you help with some very basic questions on this.

I have updated vpnclient5-route-up and vpnclient5-route-pre-down as noted above and created /jffs/addons/unbound/unbound_DNS_via_OVPN.sh and x3mrouting was already installed (previously used with setting VPN 5 from unbound_manager advanced).

How do I get this to run?

If I run

 /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 5 start

via ssh then I get

(unbound_DNS_via_OVPN.sh): 11079 Starting Script Execution 5 start
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
PING 9.9.9.9 (9.9.9.9): 56 data bytes
64 bytes from 9.9.9.9: seq=0 ttl=60 time=17.950 ms

--- 9.9.9.9 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 17.950/17.950/17.950 ms
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
PING 9.9.9.9 (9.9.9.9): 56 data bytes
64 bytes from 9.9.9.9: seq=0 ttl=60 time=653.335 ms

--- 9.9.9.9 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 653.335/653.335/653.335 ms
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
PING 9.9.9.9 (9.9.9.9): 56 data bytes

until I Cntrl-C and run

 /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 5 stop

which sets everything back

1. Does it matter if vpnclient5-route-up and vpnclient5-route-pre-down are in /jffs/scripts or in /jfffs/scripts/x3mrouting?
2. If I want the script to run automatically (at start-up) do I leave it in /jffs/addons/unbound/ or move it to /jffs/scripts or do something else?
3. How can I check to see if the requests are being sent to the VPN provider?

Anyone still running this script with unbound? I upgraded to the latest firmware and now that script wont run...maybe I'm doing something wrong?

ASUSWRT-Merlin GT-AX11000 386.5_0 Wed Mar  2 16:36:59 UTC 2022
admin@GT-AX11000-xxxx:/tmp/home/root# /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start
(unbound_DNS_via_OVPN.sh): 19828 Starting Script Execution 1 start
ping: bad address 'tun11'
ping: bad address 'tun11'
ping: bad address 'tun11'

 

[Rippo]

Anyone still running this script with unbound? I upgraded to the latest firmware and now that script wont run...maybe I'm doing something wrong?

ASUSWRT-Merlin GT-AX11000 386.5_0 Wed Mar  2 16:36:59 UTC 2022
admin@GT-AX11000-xxxx:/tmp/home/root# /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start
(unbound_DNS_via_OVPN.sh): 19828 Starting Script Execution 1 start
ping: bad address 'tun11'
ping: bad address 'tun11'
ping: bad address 'tun11'

I am running Martineau's unbound_DNS_via_OVPN script currently on ac86u running Merlin 386.5. It is working the same as with earlier versions of firmware for me.

 

[Martineau]

Anyone still running this script with unbound? I upgraded to the latest firmware and now that script wont run...maybe I'm doing something wrong?

ASUSWRT-Merlin GT-AX11000 386.5_0 Wed Mar  2 16:36:59 UTC 2022
admin@GT-AX11000-xxxx:/tmp/home/root# /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start
(unbound_DNS_via_OVPN.sh): 19828 Starting Script Execution 1 start
ping: bad address 'tun11'
ping: bad address 'tun11'
ping: bad address 'tun11'

Execute debugging to look for clues

sh -x /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start

or rename the old script (don't delete) then create a fresh script to see if there is possible corruption.

 

[Kingp1n]

I appreciate the information. I'll give another go and provide any feedback!!!

 

[chongnt]

Anyone still running this script with unbound? I upgraded to the latest firmware and now that script wont run...maybe I'm doing something wrong?

ASUSWRT-Merlin GT-AX11000 386.5_0 Wed Mar  2 16:36:59 UTC 2022
admin@GT-AX11000-xxxx:/tmp/home/root# /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 1 start
(unbound_DNS_via_OVPN.sh): 19828 Starting Script Execution 1 start
ping: bad address 'tun11'
ping: bad address 'tun11'
ping: bad address 'tun11'

I don’t have such issue. I used the version from Martineau and bind unbound to wireguard.

Getting bad address ‘tun11’ seems something is wrong in the ping command in the script.

admin@RT-AC86U-DBA8:/# ping tun11
ping: bad address 'tun11'
admin@RT-AC86U-DBA8:/# 
admin@RT-AC86U-DBA8:/# ping -qc1 -w1 -I tun11 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 56.266/56.266/56.266 ms
admin@RT-AC86U-DBA8:/#

 

[Skywise]

Did a search but nothing turned up - when enabling the adblocking on unbound, is there a way to allow a specific IP to bypass the blocklist? (EG, I've got a computer that needs access to some ad servers). I'm thinking it could be done with views but my attempts so far have all been futile.

 

[birdie]

Hi. I have configured unbound with adguardhome for its youtube ads blocking feature on AC68u. I have used tcp://127.0.0.1:53535 (unbound) inside adguardhome upstreams DNS servers:

As I understand, unbound uses the ISP DNS servers to perform DNS operations. Since my ISP DNS servers are notorious for instability, I want to use cloudflare & google dns-over-tls servers inside unbound as fall back servers, or act as parallel, in case my isp dns servers are not available. I don't care about the additional latency as I just want to block youtube ads.

What is the best way forward?

In following post, it has been suggested to use DoT option:

Unbound - How can I get DoT Cloudflare by Editing the .conf file?

How do I get this to work with Cloudflare DNS in the .conf file? This is my current setting without it installed:

www.snbforums.com

But I can't see this option in my unbound manager:

 

[Andrew-E]

Hi!
How to make sure that the cache (and statistics) are saved when the router is rebooted?
Thanks!