Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


I tried to give unbound a shot, but for some reason it still uses my ISP DNS servers (dig confirmed). I get all checkmarks during install, which would indicate that it should work.

Statistics show zero in every column. No adblock or any other optional has been installed. No other scripts installed. I can't figure out what's wrong.

Router AC88U with 384.17
 
You could try
Code:
e  = Exit Script [?]

E:Option ==> debug
then exit from 'unbound_manager' and issue at the command prompt:
Code:
grep -E -m 1 -A 5 "^port:" /opt/var/lib/unbound/unbound.conf
and post the results.

NOTE: Usually a 'stop/start' of unbound should provide additional clues.
 


If you didn't choose to integrate TLS over DNS or Stubby then your IP address when doing the standard DNSleaktest at https://www.dnsleaktest.com/ should be your Public IP address from your provider since you are your own recursive-authoritative-caching DNS Server. It should NOT be your ISP DNS Server address. Do you have LAN DNS Filter set to ROUTER? Go to unbound_manager advanced, press ? and post your output.
 
Sure, that's what I got.

Code:
kasper@RT-AC88U-C440:/tmp/home/root# grep -E -m 1 -A 5 "^port:" /opt/var/lib/unbound/unbound.conf
port: 53535                                 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535                  # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
#interface: 127.0.0.1@53                    # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 

I didn't, and it doesn't show my public IP. Even dig shows my ISP DNS.
 

Stop/start unbound and post '?'. Also, as Martineau suggests, debug from within the unbound prompt.
When I issue the dig command it shows a comparison between ISP DNS, i.e. 220.233.0.4#53, and localhost 127.0.0.1#53.

Code:
A:Option ==> dig ir.com


; <<>> DiG 9.14.8 <<>> txt ir.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40208
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ir.com.                                IN      TXT

;; ANSWER SECTION:
ir.com.                 0       IN      TXT     "MS=ms41121745"
ir.com.                 0       IN      TXT     "ciscocidomainverification=c3787ad4d93c3d17f6db9441f1588e46672a74b079cc3f5510c56594cd2b8f3"
ir.com.                 0       IN      TXT     "xk1Z+QstYmjX3b1WKvnGMgJ0o7Umf8jSnCTCqmIdja4J524XpPhsJh4btdhEQyOPznrZCmGKpsGbxbNhT4hSrw=="
ir.com.                 0       IN      TXT     "v=spf1 ip4:207.250.237.29 ip4:206.128.94.77 ip4:216.85.144.82 ip4:61.88.162.198 ip4:65.122.22.86 include:spf.messagelabs.com include:mail.zendesk.com include:spf.protection.outlook.com include:_spf.salesforce.com ~all"
ir.com.                 0       IN      TXT     "logmein-verification-code=e95b3928-65f5-4308-88ba-52da2b018127"

;; Query time: 14 msec
;; SERVER: 220.233.0.4#53(220.233.0.4)
;; WHEN: Sun May 10 23:24:44 UTC 2020
;; MSG SIZE  rcvd: 569


; <<>> DiG 9.14.8 <<>> ir.com @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3276
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;ir.com.                                IN      A

;; ANSWER SECTION:
ir.com.                 1025    IN      A       64.68.200.48

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 10 23:24:44 UTC 2020
;; MSG SIZE  rcvd: 51
 

Code:
02:20:56 Checking 'unbound.conf' for syntax errors.....
02:20:56 Requesting unbound (S61unbound) restart.....
 Starting unbound...              done.
02:20:56 Checking status, please wait.....
02:20:58 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-05-11 02:20:41)
02:20:58 unbound OK
 
Okay, debug does show something; it just slams me straight to amtm though, so I can't copy the text fast enough. Here's a photo.
 

@juched

FYI,
Code:
 _____   _ _   _         _  
|  _  |_| | |_| |___ ___| |_
|     | . | . | | . |  _| '_|
|__|__|___|___|_|___|___|_,_|
(gen_adblock.sh): 28116 @juched - v1.0.6 - Thanks to @SomeWhereOverTheRainBow

Removing possible temporary files..
Downloading list(s) from block site(s) configured...
Attempting to Download 1 of 4 from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts.
######################################################################## 100.0%
Attempting to Download 4 of 4 from https://raw.githubusercontent.com/llacb47/mischosts/master/tiktok-hosts.
######################################################################## 100.0%
Attempting to Download 7 of 4 from https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list.
######################################################################## 100.0%
Attempting to Download 8 of 4 from https://blocklist.cyberthreatcoalition.org/vetted/domain.txt.
######################################################################## 100.0%
Downloading list(s) from allow site(s) configured...
should be
Code:
Removing possible temporary files..
Downloading list(s) from block site(s) configured...
Attempting to Download 1 of 4 from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts.
######################################################################## 100.0%
Attempting to Download 2 of 4 from https://raw.githubusercontent.com/llacb47/mischosts/master/tiktok-hosts.
######################################################################## 100.0%
Attempting to Download 3 of 4 from https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list.
######################################################################## 100.0%
Attempting to Download 4 of 4 from https://blocklist.cyberthreatcoalition.org/vetted/domain.txt.
######################################################################## 100.0%
'gen_adblock.sh' needs a minor tweak
Code:
    for url in $(echo $line); do
      [ "${url:0:1}" == "#" ] && continue # skip commented out lines - Thanks @Martineau
      echo "Attempting to Download $count of $(awk 'NF && !/^[:space:]*#/' $sites | wc -l) from $url."
      curl --progress-bar $url | grep -o '^[^#]*' | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $NF}' | grep -o '^[^\\]*' | grep -o '^[^\\$]*' | sort >> $list
      dos2unix $list
      count=$((count + 1))  
    done
 
dig on the router will use WAN DNS which might be your ISP. Where are you running dig?
I forgot the port in dig... too tired. Yes, this works and unbound stats confirm that. But clients still use the ISP DNS.
dig @127.0.0.1 -p 53535 google.fi
 
What about this?
Code:
grep "^server" /etc/dnsmasq.conf
 
I just had a look at my unbound.conf just now ... With dnsmasq enabled shouldn't the unbound interface on 127.0.0.1 for port 53 be commented out?
Code:
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53535                                 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535                  # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
interface: 127.0.0.1@53                    # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
Code:
servers-file=/tmp/resolv.dnsmasq
and in that file there are both of the ISP DNS servers.
So unbound manager hasn’t modified dnsmasq.conf yet.
Try
Code:
service restart_dnsmasq
If that doesn’t work, restart unbound.
 


Yes, it should be. Perhaps an introduced "feature" since the last hotfix.
Also noted that
Code:
# log-local-actions - yes
remains commented out during adblock installation when going back and forth enabling Dnsmasq and subsequently choosing Dnsmasq disable and Adblock install. I had to manually uncomment this.
 
I bet there's a sed issue that doesn't differentiate @53 from @53535 when uncommenting.
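The suspected sed ambiguity is easy to reproduce. The following is an added shell example, not unbound_manager's own code: it builds a constructed config with the two 'interface:' lines posted above, shows that an unanchored pattern for '@53' also matches '@53535', and toggles only the port-53 listener with an anchored pattern. File names and contents are constructed for the example.

```shell
# Added example, not unbound_manager's own code. It shows why a sed pattern
# that matches '@53' also matches '@53535', and an anchored pattern that
# toggles only the port-53 listener. Paths and file contents are constructed.

# Constructed sample mirroring the 'interface:' lines posted in this thread.
make_sample_conf() {
  cat > "$1" <<'EOF'
port: 53535
interface: 127.0.0.1@53535
#interface: 127.0.0.1@53
#access-control: 0.0.0.0/0 allow
EOF
}

# Unanchored match: '127.0.0.1@53' is a prefix of '127.0.0.1@53535', so this
# pattern hits both interface lines (commented or not). A sed built on it
# would edit the wrong listener.
count_unanchored_matches() {
  grep -c 'interface: 127\.0\.0\.1@53' "$1" || true
}

# Anchored: the port must be followed by whitespace (a trailing comment) or
# end of line, so '@53' and '@53535' are distinguished. 'sed -i' is avoided
# for portability; write to a temp file and move it back.
uncomment_port53() {
  sed -E 's/^#(interface: 127\.0\.0\.1@53)([[:space:]]|$)/\1\2/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

comment_port53() {
  sed -E 's/^(interface: 127\.0\.0\.1@53)([[:space:]]|$)/#\1\2/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of active (uncommented) 'interface:' lines for exactly the given port.
active_iface_count() {
  grep -c -E "^interface: 127\.0\.0\.1@$2([[:space:]]|\$)" "$1" || true
}
```

On a fresh sample, count_unanchored_matches reports 2 while only one listener is actually active; after uncomment_port53 both ports have exactly one active line, and comment_port53 puts the port-53 line back without touching the 53535 one.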
 
Code:
cat /jffs/scripts/dnsmasq.postconf
cat /jffs/addons/unbound/unbound.postconf

Code:
kasper@RT-AC88U-C440:/tmp# cat /jffs/scripts/dnsmasq.postconf
sh /jffs/addons/unbound/unbound.postconf "$1"           # unbound_manager

Code:
kasper@RT-AC88U-C440:/tmp# cat /jffs/addons/unbound/unbound.postconf
#!/bin/sh

CONFIG=$1
source /usr/sbin/helper.sh

######################################################################
#####            DO NOT EDIT THIS FILE MANUALLY                #######
#####             You are probably looking for                 #######
#####               your customising script                    #######
#####     '/opt/share/unbound/configs/unbound.postconf'        #######
######################################################################
logger -t "(dnsmasq.postconf)" "Updating $CONFIG for unbound....."                      # unbound_manager

ROUTER="$(nvram get lan_ipaddr_rt)"

if [ -n "$(pidof unbound)" ];then
   if [ -n "$(grep -E "^port: 53535" /opt/var/lib/unbound/unbound.conf)" ];then   # Forward dnsmasq DNS requests to unbound
        pc_delete "servers-file" $CONFIG
        # By design, if GUI DNSSEC ENABLED then attempt to modify 'cache-size=0' results in dnsmasq start-up fail loop
        #       dnsmasq[15203]: cannot reduce cache size from default when DNSSEC enabled
        #       dnsmasq[15203]: FAILED to start up
        if [ -n "$(grep "^dnssec" $CONFIG)" ];then
           pc_delete "dnssec" $CONFIG
           logger -t "(dnsmasq.postconf)" "**Warning: Removing 'dnssec' directive from 'dnsmasq' to allow DISABLE cache (set 'cache-size=0')"
        fi

        pc_replace "cache-size=1500" "cache-size=0" $CONFIG
        UNBOUNDLISTENADDR="127.0.0.1#53535"
        #UNBOUNDLISTENADDR="$(netstat -nlup | awk '/unbound/ { print $4 } ' | tr ':' '#')"   # unbound_manager
        pc_append "server=$UNBOUNDLISTENADDR" $CONFIG
        if [ "$(uname -o)" == "ASUSWRT-Merlin-LTS" ];then   # Requested by @dave14305
            pc_delete "resolv-file" $CONFIG
            pc_append "no-resolv" $CONFIG
        fi
    else
        logger -t "(dnsmasq.postconf)" "dnsmasq DNS bypassed. unbound will be the primary DNS for ALL LAN Clients."

        [ -z "$(grep -F "port=0" $CONFIG)" ] && pc_append "port=0" $CONFIG          # Disable dnsmasq DNS resolver function
        [ -z "$(grep -F "dhcp-option=lan,6,$ROUTER" $CONFIG)" ] && pc_append "dhcp-option=lan,6,$ROUTER" $CONFIG
        pc_delete "servers-file" $CONFIG
        pc_delete "no-negcache" $CONFIG
        pc_delete "domain-needed" $CONFIG
        pc_replace "cache-size=1500" "cache-size=0" $CONFIG
    fi
else
   sed -i '/port=0/d' $CONFIG
   pc_delete "dhcp-option=lan,6,$ROUTER" $CONFIG
fi
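The postconf above leaves dnsmasq.conf in one of three states: forwarding to unbound (server=127.0.0.1#53535, servers-file removed, cache-size=0), bypassed (port=0 plus a dhcp-option pointing clients at the router), or untouched (servers-file still pointing at the WAN/ISP resolvers, which is what the OP's grep showed). The following is an added shell example, not the postconf's or unbound_manager's code, that classifies a dnsmasq.conf into those states so the "clients still use the ISP DNS" symptom can be checked without guessing; the sample configs it writes are constructed.

```shell
# Added example, not unbound_manager's or the postconf script's own code.
# Given a dnsmasq.conf, report which state the postconf script above can
# leave it in: 'unbound' (forwarded to 127.0.0.1#53535), 'bypassed'
# (port=0, unbound answers LAN clients directly), 'isp' (servers-file still
# points dnsmasq at the WAN/ISP resolvers), or 'mixed' (both server= and
# servers-file present, so some queries can still reach the ISP).
dnsmasq_dns_mode() {
  conf="$1"
  if grep -q '^port=0' "$conf"; then
    echo bypassed
  elif grep -q '^server=127\.0\.0\.1#53535' "$conf"; then
    if grep -q '^servers-file=' "$conf"; then
      echo mixed
    else
      echo unbound
    fi
  elif grep -q '^servers-file=' "$conf"; then
    echo isp
  else
    echo unknown
  fi
}

# Secondary check: when forwarding to unbound, the postconf sets cache-size=0
# so repeated lookups are not answered from dnsmasq's own cache (which would
# keep unbound's statistics at zero). Prints yes/no.
dnsmasq_cache_disabled() {
  if grep -q '^cache-size=0' "$1"; then echo yes; else echo no; fi
}

# Constructed sample configs (not real router output) for each state.
write_sample_conf() {
  case "$1" in
    isp)      printf 'servers-file=/tmp/resolv.dnsmasq\ncache-size=1500\n' > "$2" ;;
    unbound)  printf 'server=127.0.0.1#53535\ncache-size=0\n' > "$2" ;;
    mixed)    printf 'server=127.0.0.1#53535\nservers-file=/tmp/resolv.dnsmasq\ncache-size=0\n' > "$2" ;;
    bypassed) printf 'port=0\ndhcp-option=lan,6,192.0.2.1\ncache-size=0\n' > "$2" ;;
  esac
}
```

On a router the real check is simply `dnsmasq_dns_mode /etc/dnsmasq.conf`; a result of 'isp' matches the OP's situation (postconf not yet applied), and 'mixed' explains a setup where unbound shows some traffic but clients still reach the ISP resolvers.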
 
