Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Martineau]

'/etc/dnsmasq.conf' does not contain a hostname

So until you started using unbound, you have never been able to refer to '192.168.1.112' by name until now?

 

[Martineau]

I could use some help with facebook being blocked. I don't use unbound adblock or the firewall feature. I followed dnsmasq but nothing was being blocked:
The browser returns the server stopped responding error...
So I turned off Diversion, didn't make a difference, so I turned off unbound and I could access facebook again.

unbound+dnsmasq is a stable combination, and if you are not using Ad Block, then I don't see how unbound is seemingly blocking Facebook.

You would need to use 'dig', or enable unbound logging with the following 'unbound.conf' directive enabled:

e  = Exit Script [?]

A:Option ==> ox log-servfail yes

unbound-control set_option 'log-servfail yes' ok

and similarly increase the logging level 'verbosity: X' to debug/verify if/why unbound is failing to resolve the Facebook domains.

 

[glehel]

So until you started using unbound, you have never been able to refer to '192.168.1.112' by name until now?

I haven't tested.
the router etc/hosts.dnsmasq stores the hostname and ip address

 

[Martineau]

I haven't tested.
the router etc/hosts.dnsmasq stores the hostname and ip address

Ah OK, many thanks

P.S. Which router/firmware are you using?

 

[glehel]

Ah OK, many thanks

P.S. Which router/firmware are you using?

AC86U merlin 384.17

 

[juched]

A query for @juched here ..... just doing some reading about local-zone and local data, the documentation says that a local zone contains local data

local-zone: <zone> <type>
              Configure  a  local zone. The type determines the answer to give
              if there is no  match  from  local-data.  The  types  are  deny,
              refuse,  static, transparent, redirect, nodefault, typetranspar-
              ent, inform, inform_deny,  inform_redirect,  always_transparent,
              always_refuse, always_nxdomain, noview, and are explained below.
              After that the default settings are listed. Use  local-data:  to
              enter  data  into  the  local  zone. Answers for local zones are
              authoritative DNS answers. By default the zones are class IN.
local-data: "<resource record string>"
            Configure  local data, which is served in reply to queries for it.
            The query has to match exactly unless you configure the local-zone
            as  redirect.  If  not matched exactly, the local-zone type deter-
            mines further processing. If local-data is configured that is  not
            a  subdomain  of a local-zone, a transparent local-zone is config-
            ured.  For record types such as TXT,  use  single  quotes,  as  in
            local-data: 'example. TXT "text"'.

Would it be better to use a redirect zone for YT ads like the example below, or is it sufficient to just use local data as you have an exact match?

## DnsSpoof of unwanted or restricted sites
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 10.0.0.111"

local-zone: "facebook.com" redirect
local-data: "facebook.com A 10.0.0.111"

Im assuming you can get away with just creating a local zone for the adblocking because there will be no matching local data and the nxdomain will be provided as default zone behaviour.

always_nxdomain
                 Like static, but ignores local data and returns nxdomain  for
                 the query.

local-zone: "000owamail0.000webhostapp.com" always_nxdomain
local-zone: "000tristanprod.free.fr" always_nxdomain
local-zone: "005.free-counter.co.uk" always_nxdomain
local-zone: "006.free-counter.co.uk" always_nxdomain
local-zone: "006.freecounters.co.uk" always_nxdomain
local-zone: "007.free-counter.co.uk" always_nxdomain
local-zone: "007angels.com" always_nxdomain
local-zone: "008.free-counter.co.uk" always_nxdomain
local-zone: "008.free-counters.co.uk" always_nxdomain
local-zone: "00author.com" always_nxdomain
local-zone: "00go.com" always_nxdomain
local-zone: "00it.com" always_nxdomain

For adblocking we need to use a zone as that allows always_nxdomain.

For yt adblocking we want to respond with an answer to an IP, so we need to feed data. We could make a local zone which is transparent which lets unbound answer for specific items we put there.

Redirect would handle sub domains which we do not want, but likely there are no subdomains for this weird setup. Transparent zones are created automatically we I just went with that.

 

[Martineau]

glehel@AC86U-VPN:/tmp/home/root# nslookup Zara-Moto-G.SAFENET-AC86U.
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name: Zara-Moto-G.SAFENET-AC86U.
Address 1: 192.168.1.112 Zara-Moto-G

working! I added manual domain line in unbound.conf.localhosts all ip!

Thanks for your assistance.

I've upload Hotfix

Version=3.11
Github md5=a52ec854a6e06e3e8f2383065f6fc236​

'dnsmasq disable' - now correctly identifies IP/Hostname pair when converting dnsmasq localhosts to unbound format

 

[Centrifuge]

unbound+dnsmasq is a stable combination, and if you are not using Ad Block, then I don't see how unbound is seemingly blocking Facebook.

You would need to use 'dig', or enable unbound logging with the following 'unbound.conf' directive enabled:

e  = Exit Script [?]

A:Option ==> ox log-servfail yes

unbound-control set_option 'log-servfail yes' ok

and similarly increase the logging level 'verbosity: X' to debug/verify if/why unbound is failing to resolve the Facebook domains.

Thanks for the suggestions, everything with dig and debug logging level looked clean as far as I can tell, which is not far. I suspected the browser but it occurred on safari and firefox for iphone, firefox desktop.

Spoiler

log level 3 abreviated

May 10 02:08:20 unbound[29542:0] query: 127.0.0.1 www.facebook.com. A IN
May 10 02:08:20 unbound[29542:0] info: respip operate: query www.facebook.com. A IN
May 10 02:08:20 unbound[29542:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
May 10 02:08:20 unbound[29542:0] info: validator operate: query www.facebook.com. A IN
May 10 02:08:20 unbound[29542:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
May 10 02:08:20 unbound[29542:0] info: resolving www.facebook.com. A IN
May 10 02:08:20 unbound[29542:0] info: resolving (init part 2): www.facebook.com. A IN
May 10 02:08:20 unbound[29542:0] info: resolving (init part 3): www.facebook.com. A IN
May 10 02:08:20 unbound[29542:0] info: processQueryTargets: www.facebook.com. A IN
May 10 02:08:20 unbound[29542:0] debug: removing 1 labels
May 10 02:08:20 unbound[29542:0] info: sending query: facebook.com. A IN
May 10 02:08:20 unbound[29542:0] debug: sending to target: <com.> 192.12.94.30#53
May 10 02:08:20 unbound[29542:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
May 10 02:08:20 unbound[29542:0] info: iterator operate: query com. DNSKEY IN
May 10 02:08:20 unbound[29542:0] info: resolving com. DNSKEY IN
May 10 02:08:20 unbound[29542:0] info: finishing processing for com. DNSKEY IN
May 10 02:08:20 unbound[29542:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_moddone
May 10 02:08:20 unbound[29542:0] info: validator operate: query com. DNSKEY IN
May 10 02:08:20 unbound[29542:0] info: respip operate: query com. DNSKEY IN
May 10 02:08:20 unbound[29542:0] debug: cache memory msg=386638 rrset=1794494 infra=7568 val=35426

May 10 02:08:21 unbound[29542:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
May 10 02:08:21 unbound[29542:0] info: validator operate: query www.facebook.com. AAAA IN
May 10 02:08:21 unbound[29542:0] info: respip operate: query www.facebook.com. AAAA IN
May 10 02:08:21 unbound[29542:0] reply: 127.0.0.1 www.facebook.com. AAAA IN NOERROR 0.428477 0 91

May 10 02:08:57 unbound[29542:0] query: 127.0.0.1 chat-pa.clients6.google.com. A IN
May 10 02:08:57 unbound[29542:0] reply: 127.0.0.1 chat-pa.clients6.google.com. A IN NOERROR 0.000000 1 61
May 10 02:08:57 unbound[29542:0] query: 127.0.0.1 www.archlinux.org. AAAA IN

edit: ended up whitelisting an IP in Skynet, doh.

 

[glehel]

Thanks for your assistance.

I've upload Hotfix

Version=3.11
Github md5=a52ec854a6e06e3e8f2383065f6fc236​

'dnsmasq disable' - now correctly identifies IP/Hostname pair when converting dnsmasq localhosts to unbound format

100% working! No error! Thank You!

 

[Amwjujo]

Hi guys,
Is the YT block supposed to block the adds from the beginning of the video(the ones that you need to click skip add) or just the ones that shows up on the screen during the video? I installed this earlier today but but the ads where you need to click skip ads still shows up and only the overlay ones that shows on the screen are not there - I can still see the frame of the add and the the"x" to close it.
In the log file I can see this:
May 10 17:50:01 RT-AC86U-8F60 (gen_ytadblock.sh): 31673 Number of yt adblocked domains: 46
Is this normal and I need to wait and access youtube more often (not really a youtube user, but kids are and it will be great to remove all those s..ts that are being put into their heads) or is just not working properly at my end?
Thank you for all the great work that you are doing.
Cheers.

 

[tomsk]

Checking the ytadblock file i notice there was a "redirector" domain got in the list... not sure if that's detrimental

EDIT: I think yes... i'm getting video errors ..... maybe some "AwK Fu" required

r6.sn-4wg7ln7e.googlevideo.com. IN A 74.125.167.119
r6.sn-4wg7ln7l.googlevideo.com. IN A 74.125.167.119
redirector.googlevideo.com. IN A 74.125.167.119

 

[dave14305]

Checking the ytadblock file i notice there was a "redirector" domain got in the list... not sure if that's detrimental

EDIT: I think yes... i'm getting video errors ..... maybe some "AwK Fu" required

r6.sn-4wg7ln7e.googlevideo.com. IN A 74.125.167.119
r6.sn-4wg7ln7l.googlevideo.com. IN A 74.125.167.119
redirector.googlevideo.com. IN A 74.125.167.119

Seems @juched omitted the expected dash in the hostname grep.

 

[tomsk]

Seems @juched omitted the expected dash in the hostname grep.

Ah .. grep fu then

 

[Martineau]

Ah .. grep fu then

I think we can forgive this typo, given he was first to get the feature on Asus routers.

You can manually remove the entry and restart unbound, to see if the errors go away.

 

[tomsk]

I think we can forgive this typo, given he was first to get the feature on Asus routers.

You can manually remove the entry and restart unbound, to see if the errors go away.

Yes i removed it and the errors went away.... i wonder if i was the only one affected by this. I clocked up about 50 domains before that got stored. I didn't start unbound, will the fact the local zones are being reloaded every 5 mins take care of that?

 

[Martineau]

Yes i removed it and the errors went away.... i wonder if i was the only one affected by this. I clocked up about 50 domains before that got stored. I didn't start unbound, will the fact the local zones are being reloaded every 5 mins take care of that?

Yes, but if you're impatient to resume your YouTube viewing , plus, can you rely on my script to have created the cron correctly?

 

[tomsk]

Yes, but if you're impatient to resume your YouTube viewing , plus, can you rely on my script to have created the cron correctly?

Who can wait for the next instalment of Peppa Pig? ... I see the cron saga was finally laid to rest the with a killer hotfix ....its great to see folks out in the community happy to pour through the code to to look for tiny errors like that.

 

[martinr]

....its great to see folks out in the community happy to pour through the code to to look for tiny errors like that.

Maybe it’s just more interesting than watching Peppa Pig?

 

[rafagomes]

First I would like to thank the amazing job everyone is doing. Thanks to you all and Martineau script unbound is running perfectly for a week now and even better today when I installed youtube ad blocker.

So much so I would like to use unbound as my private dns on my android devides, but I am not sure on how to proceed.
I wonder if there is a way for unbound to listen to the port 853 on WAN, and using the ssl certificates I got with Let's encrypt?

 

[Twiglets]

First I would like to thank the amazing job everyone is doing. Thanks to you all and Martineau script unbound is running perfectly for a week now and even better today when I installed youtube ad blocker.

So much so I would like to use unbound as my private dns on my android devides, but I am not sure on how to proceed.
I wonder if there is a way for unbound to listen to the port 853 on WAN, and using the ssl certificates I got with Let's encrypt?

On Android you can use 'dnspipe' by Frostnerd.com.
This allows you to use a dns address of your own choice.
[It works by setting up an internal dummy vpn which allows a 'New' dns address to be used.]

I have used it on Android for years and I have not found it to contain any 'Funnies' also no Ads etc.
If your devices are 'rooted' there are other ways such as 'DNS Switcher' that runs under 'Magisk'.