Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2


JaimeZX

Senior Member
ORIGINAL THREAD: https://www.snbforums.com/threads/u...tility-for-unbound-recursive-dns-server.61669

I apologize for being so bold as to create a second "general" thread but it seems perhaps more logical than a million tiny ones.
-----------------------------------------------------------------------

Sorry for a possibly basic question. Didn't see it addressed in the first few pages of the original thread, which I can't reply to because it's annoyingly more than six months old, and anyway the keywords are too common to make a thread search useful.

Just installed unbound and I look forward to seeing how it works on my (very basic) network. I suppose it subjectively feels faster, but I didn't do any before-and-after timing.

ANYWAY.

On install it suggested I needed to disable DNS Rebind Protection, and ditto for DNSSEC. Why is this?

Additionally, I got the warning that Skynet Country Blocks may reduce performance and block websites. Isn't that... the point? (At least the last bit.) Is there something I'm missing? I assume this is because Authoritative servers for .CN are presumably located inside China and therefore I'm not going to be able to resolve any .CN domains... (FWIW - Ban: cn ir kp ru tw ua )
 
On install it suggested I needed to disable DNS Rebind Protection, and ditto for DNSSEC. Why is this?
Unbound is doing DNSSEC validation, so it’s not necessary for dnsmasq to also do DNSSEC validation. But it would be good for dnsmasq to have proxy-dnssec to let the validation flag carry back to the client. I can’t think of a reason to disable Rebind protection unless Unbound is doing ad-blocking with a private IP, but I think it just uses nxdomain today.
Additionally, I got the warning that Skynet Country Blocks may reduce performance and block websites. Isn't that... the point? (At least the last bit.) Is there something I'm missing? I assume this is because Authoritative servers for .CN are presumably located inside China and therefore I'm not going to be able to resolve any .CN domains... (FWIW - Ban: cn ir kp ru tw ua )
It doesn’t have to be country-specific domains (e.g. .cn) that end up with authoritative name servers in a banned IP range. You will have to judge if the blocking prevents you from resolving domains for sites you don’t intend to be blocked.
 
That's interesting. I should do some digging on the interaction between dnsmasq and Unbound.

@Martineau - can you weigh in on why the installer suggests disabling Rebind Protection?
 
A DNS resolver usually communicates on UDP port 53, and little has evolved in terms of security. DNS resolvers also depend on the end user's settings to make them suitable and secure.
A good DNS resolver should include recursion, DNSSEC, DoT with multiple forwarding servers, level 1 logs (only operational, without navigation logs), and no DNS ad blocking while DNSSEC is enabled; it is not recommended to tamper with DNS that way.

You can choose to adopt unbound only as a cache and validator, in conjunction with FW Merlin's dnsmasq.
 
@Martineau - can you weigh in on why the installer suggests disabling Rebind Protection?
The original thread
contains posts discussing the pros and cons of the GUI setting and my records indicate that it was formally added to the installation pre-req recommendations prompt back in Jan. 9 2020 with release unbound_manager v1.18 on request by the SME:

NOTE: unbound_manager honours the GUI settings as set by the user, to ensure that if unbound fails to start (or is manually suspended) that dnsmasq executes as configured/expected.
 
The original thread

contains posts discussing the pros and cons of the GUI setting and my records indicate that it was formally added to the installation pre-req recommendations prompt back in Jan. 9 2020 with release unbound_manager v1.18 on request by the SME:


NOTE: unbound_manager honours the GUI settings as set by the user, to ensure that if unbound fails to start (or is manually suspended) that dnsmasq executes as configured/expected.
That's true, and I searched through the original thread before asking the question. The problem is if I search for "rebind" there are two pages of results, the vast majority of which are either lists of the options/recommendations, or a reminder that DNS Rebind should be disabled. It's certainly possible I overlooked one. (Just searched the thread a second time before this post.)
I was unable to find a post that explains why it should be disabled. I am happy to accept that Unbound works better with it disabled, but understanding the "why" is more intellectually satisfying. :)
 
I am running 386.1 Alpha's on my AX88U (Alpha 2) and AX58u's (Alpha3). I have AiMesh enabled.

I noticed a new route in my AX88U routing table - 239.0.0.0
This is a Multicast group address range - I suspect AiMesh is using it.

If so, should we add 239.0.0.0 to the private-address section of unbound.conf?
 
I was unable to find a post that explains why it should be disabled. I am happy to accept that Unbound works better with it disabled, but understanding the "why" is more intellectually satisfying.
Dnsmasq and Unbound both have DNS Rebind functionality. If you want this function in dnsmasq instead, edit the unbound.conf file and comment out the lines related to DNS Rebind.
 
Aaah - so Unbound has the Rebind protection, hence disabling it for DNSMasq in the GUI. Okay, that makes sense. :)
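The rebind protection discussed above, plus the earlier question about adding 239.0.0.0 to the private-address section, as an added Python model (not code from unbound or unbound_manager): it applies unbound's documented private-address / private-domain rule to constructed sample answers and shows what adding 239.0.0.0/8 would change. The baseline range list, names and addresses below are assumptions for illustration.

```python
"""Model of unbound's DNS-rebind protection (private-address / private-domain
in unbound.conf) run over constructed sample answers.

Rule unbound documents: an A/AAAA answer whose address lies inside a
private-address range is removed, unless the owner name is under a
configured private-domain. Everything here is illustrative, not unbound code."""
import ipaddress

# Assumed baseline private-address list (RFC 1918, link-local, loopback, ULA).
DEFAULT_PRIVATE_ADDRESS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "fd00::/8", "fe80::/10",
]

# Constructed answers (owner name, address). 'router.asus.com' stands in for a
# name the router legitimately answers with a LAN address; the 239.x entry
# stands in for the AiMesh multicast range asked about in this thread.
SAMPLE_ANSWERS = [
    ("www.example.com.", "93.184.216.34"),       # public name, public address
    ("evil.example.net.", "192.168.1.1"),        # public name, LAN address
    ("router.asus.com.", "192.168.1.1"),         # local name, LAN address
    ("ipv6.example.net.", "fd12:3456::1"),       # public name, ULA address
    ("mesh.example.net.", "239.255.255.250"),    # public name, multicast
]


def _under_domain(name, domain):
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def rebind_filter(answers, private_address=DEFAULT_PRIVATE_ADDRESS,
                  private_domain=()):
    """Return (kept, dropped): answers that survive the filter and those removed."""
    nets = [ipaddress.ip_network(n) for n in private_address]
    kept, dropped = [], []
    for name, addr in answers:
        ip = ipaddress.ip_address(addr)
        # 'in' is False across IP versions, so v4 and v6 ranges never collide.
        in_private = any(ip in net for net in nets)
        exempt = any(_under_domain(name, d) for d in private_domain)
        (dropped if in_private and not exempt else kept).append((name, addr))
    return kept, dropped


if __name__ == "__main__":
    for label, ranges in (("default", DEFAULT_PRIVATE_ADDRESS),
                          ("default + 239.0.0.0/8", DEFAULT_PRIVATE_ADDRESS + ["239.0.0.0/8"])):
        _, dropped = rebind_filter(SAMPLE_ANSWERS, ranges, private_domain=("asus.com",))
        print(label, "drops:", dropped)
```

Running it shows the router's own LAN answer survives only because of the private-domain exemption, which is the reason a second, conflicting rebind filter in dnsmasq is unnecessary once unbound is applying this one.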
 
just for information:
I've changed ntpmerlin to chrony and since then manager shows
[✖] Warning Entware NTP Server 'S77ntpd' installed but not running?
during start
 
Hey guys... so when I first installed unbound it worked fine, but these days it seems like every time I SSH into the router, then 7, I get

Warning unbound not running!! - Config last loaded info: # Version=v1.11 Martineau update (Date Loaded by unbound_manager Sat Dec 19 11:43:10 GMT 2020)


So then if I E:Option ===> debug

One thing that jumps out is:
Dec 19 02:45:56 unbound[12951:0] debug: increased limit(open files) from 1024 to 1684
Dec 19 02:45:56 unbound[12951:0] debug: creating udp4 socket 127.0.0.1 53535
Dec 19 02:45:56 unbound[12951:0] debug: creating tcp4 socket 127.0.0.1 53535
Dec 19 02:45:56 unbound[12951:0] error: Setting TCP Fast Open as server failed: Protocol not available
Dec 19 02:45:56 unbound[12951:0] debug: creating tcp4 socket 127.0.0.1 953
Dec 19 02:45:56 unbound[12951:0] error: Setting TCP Fast Open as server failed: Protocol not available


You think that's the source of my woes? What to do?

Related question - when unbound WAS working, it seemed like my cache hit % was around 95%; but when I connect to the router at my in-laws and check their stats, it's consistently at like, 73%. Any thoughts there?

Thanks much.
 
Hey guys... so when I first installed unbound it worked fine, but these days it seems like every time I SSH into the router, then 7, I get

Warning unbound not running!! - Config last loaded info: # Version=v1.11 Martineau update (Date Loaded by unbound_manager Sat Dec 19 11:43:10 GMT 2020)

So then if I E:Option ===> debug

One thing that jumps out is:
Dec 19 02:45:56 unbound[12951:0] debug: increased limit(open files) from 1024 to 1684
Dec 19 02:45:56 unbound[12951:0] debug: creating udp4 socket 127.0.0.1 53535
Dec 19 02:45:56 unbound[12951:0] debug: creating tcp4 socket 127.0.0.1 53535
Dec 19 02:45:56 unbound[12951:0] error: Setting TCP Fast Open as server failed: Protocol not available
Dec 19 02:45:56 unbound[12951:0] debug: creating tcp4 socket 127.0.0.1 953
Dec 19 02:45:56 unbound[12951:0] error: Setting TCP Fast Open as server failed: Protocol not available


You think that's the source of my woes? What to do?
Have you tried reinstalling?
 
Does anyone else have an issue with printers when Unbound is running?

I've been running Unbound on my RT-AC68U and noticed nothing on my network can print to my Brother HL-3170CDW printer. As soon as I removed Unbound everything could print to it again.

On my linux systems I get "No suitable destination host found by cups-browsed" as an error. Oddly, I can add the printer and it sets up fine but once I try to print it can't be seen. I've seen some references to CUPS and DNS-SD printing but I'm not sure if that is looking in the right direction...

Any suggestions?
 
Have you tried reinstalling?
Well, I have now. But usually I try to troubleshoot before reinstalling software. :)

Currently "up" for 45 seconds. We'll see how it goes.
 
Does Unbound have the same performance as Diversion in terms of online gaming? Should I rather uninstall Diversion for performance and use Unbound's ad and tracker blocker, because I already use its DNS service?

Or just install Diversion for low latency and uninstall the ad and tracker blocker in Unbound?
 
Does Unbound have the same performance as Diversion in terms of online gaming? Should I rather uninstall Diversion for performance and use Unbound's ad and tracker blocker, because I already use its DNS service?

Or just install Diversion for low latency and uninstall the ad and tracker blocker in Unbound?
DNS solutions will have practically zero impact on gaming performance, unless your game happens to do a DNS lookup every time you fire a bullet :D
 
Yeah, but maybe blocking ads with Diversion doesn't help gaming performance either?

I just wanted to know if it's good to use the ad-blocking service in Unbound or to use Diversion. Do they both do the same job, equally well?
 
