Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[krgck]

I tried to give a shot for unbound, but some reason it still uses my isp dns servers (dig confirmed) I get all checkmarks during install, that would indicate that it should work.

Statistics show zero on every collumn. No adblock or any other optional has been installed. No other scripts installed. I can't fiqure whats wrong.

Router AC88U with 384.17

 

[Martineau]

I tried to give a shot for unbound, but some reason it still uses my isp dns servers (dig confirmed) I get all checkmarks during install, that would indicate that it should work.

Statistics show zero on every collumn. No adblock or any other optional has been installed. No other scripts installed. I can't fiqure whats wrong.

Router AC88U with 384.17

You could try

e  = Exit Script [?]

E:Option ==> debug

then exit from 'unbound_manager' and issue at the command prompt:

grep -E -m 1 -A 5 "^port:" /opt/var/lib/unbound/unbound.conf

and post the results.

NOTE: Usually a 'stop/start' of unbound should provide additional clues.

 

[joe scian]

I tried to give a shot for unbound, but some reason it still uses my isp dns servers (dig confirmed) I get all checkmarks during install, that would indicate that it should work.

Statistics show zero on every collumn. No adblock or any other optional has been installed. No other scripts installed. I can't fiqure whats wrong.

Router AC88U with 384.17

If you didnt choose to integrate TLS over DNS or Stubby then your IP address when doing the standard DNSleaktest at https://www.dnsleaktest.com/ should be your Public IP address from your provider since you are your own recursive-authoritative-caching DNS Server. It should NOT be your ISP DNS Server address. Do you have LAN DNS Filter set to ROUTER. Go to unbound_manager advanced - press ? and post your output.

 

[krgck]

Sure, thats what i got.

kasper@RT-AC88U-C440:/tmp/home/root# grep -E -m 1 -A 5 "^port:" /opt/var/lib/unbound/unbound.conf
port: 53535                                 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535                  # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
#interface: 127.0.0.1@53                    # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

 

[krgck]

If you didnt choose to integrate TLS over DNS or Stubby then your IP address when doing the standard DNSleaktest at https://www.dnsleaktest.com/ should be your Public IP address from your provider since you are your own recursive-authoritative-caching DNS Server It should NOT be your ISP DNS Server address. Do you have LAN DNS Filter set to ROUTER. Go to unbound_manager advanced - press ? and post your output.

I didn't and it doesn't show my public ip. Even dig does show my ISP dns.

 

[joe scian]

I didn't and it doesn't show my public ip. Even dig does show my ISP dns.

stop start unbound and post ? also as Martineau suggests - debug from within unbound prompt.
When I issue DIG command it shows comparison between ISP DNS - ie 220.233.0.4#53 and localhost 127.0.0.1#53

A:Option ==> dig ir.com


; <<>> DiG 9.14.8 <<>> txt ir.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40208
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ir.com.                                IN      TXT

;; ANSWER SECTION:
ir.com.                 0       IN      TXT     "MS=ms41121745"
ir.com.                 0       IN      TXT     "ciscocidomainverification=c3787ad4d93c3d17f6db9441f1588e46672a74b079cc3f5510c56594cd2b8f3"
ir.com.                 0       IN      TXT     "xk1Z+QstYmjX3b1WKvnGMgJ0o7Umf8jSnCTCqmIdja4J524XpPhsJh4btdhEQyOPznrZCmGKpsGbxbNhT4hSrw=="
ir.com.                 0       IN      TXT     "v=spf1 ip4:207.250.237.29 ip4:206.128.94.77 ip4:216.85.144.82 ip4:61.88.162.198 ip4:65.122.22.86 include:spf.messagelabs.com include:mail.zendesk.com include:spf.protection.outlook.com include:_spf.salesforce.com ~all"
ir.com.                 0       IN      TXT     "logmein-verification-code=e95b3928-65f5-4308-88ba-52da2b018127"

;; Query time: 14 msec
;; SERVER: 220.233.0.4#53(220.233.0.4)
;; WHEN: Sun May 10 23:24:44 UTC 2020
;; MSG SIZE  rcvd: 569


; <<>> DiG 9.14.8 <<>> ir.com @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3276
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;ir.com.                                IN      A

;; ANSWER SECTION:
ir.com.                 1025    IN      A       64.68.200.48

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 10 23:24:44 UTC 2020
;; MSG SIZE  rcvd: 51

 

[krgck]

stop start unbound and post ? also as Martineau suggests - debug from within unbound prompt

02:20:56 Checking 'unbound.conf' for syntax errors.....
02:20:56 Requesting unbound (S61unbound) restart.....
 Starting unbound...              done.
02:20:56 Checking status, please wait.....
02:20:58 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-05-11 02:20:41)
02:20:58 unbound OK

 

[dave14305]

I didn't and it doesn't show my public ip. Even dig does show my ISP dns.

dig on the router will use WAN DNS which might be your ISP. Where are you running dig?

 

[krgck]

okay, debug does show something, it just slams me straight to amtm tho so can't copy text as fast - heres photo.

 

[Martineau]

@juched

FYI,,,

 _____   _ _   _         _  
|  _  |_| | |_| |___ ___| |_
|     | . | . | | . |  _| '_|
|__|__|___|___|_|___|___|_,_|
(gen_adblock.sh): 28116 @juched - v1.0.6 - Thanks to @SomeWhereOverTheRainBow

Removing possible temporary files..
Downloading list(s) from block site(s) configured...
Attempting to Download 1 of 4 from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts.
######################################################################## 100.0%
Attempting to Download 4 of 4 from https://raw.githubusercontent.com/llacb47/mischosts/master/tiktok-hosts.
######################################################################## 100.0%
Attempting to Download 7 of 4 from https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list.
######################################################################## 100.0%
Attempting to Download 8 of 4 from https://blocklist.cyberthreatcoalition.org/vetted/domain.txt.
######################################################################## 100.0%
Downloading list(s) from allow site(s) configured...

should be

Removing possible temporary files..
Downloading list(s) from block site(s) configured...
Attempting to Download 1 of 4 from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts.
######################################################################## 100.0%
Attempting to Download 2 of 4 from https://raw.githubusercontent.com/llacb47/mischosts/master/tiktok-hosts.
######################################################################## 100.0%
Attempting to Download 3 of 4 from https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list.
######################################################################## 100.0%
Attempting to Download 4 of 4 from https://blocklist.cyberthreatcoalition.org/vetted/domain.txt.
######################################################################## 100.0%

'gen_adblock.sh' needs a minor tweak

    for url in $(echo $line); do
      [ "${url:0:1}" == "#" ] && continue # skip commented out lines - Thanks @Martineau
      echo "Attempting to Download $count of $(awk 'NF && !/^[:space:]*#/' $sites | wc -l) from $url."
      curl --progress-bar $url | grep -o '^[^#]*' | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $NF}' | grep -o '^[^\\]*' | grep -o '^[^\\$]*' | sort >> $list
      dos2unix $list
      count=$((count + 1))  
    done

 

[krgck]

dig on the router will use WAN DNS which might be your ISP. Where are you running dig?

I forgot port from dig.. too tired. yes this works and unbound stats confirm that. But still clients use ISP dns.
dig @127.0.0.1 -p 53535 google.fi

 

[dave14305]

I forgot port from dig.. too tired. yes this works and unbound stats confirm that. But still clients use ISP dns.
dig @127.0.0.1 -p 53535 google.fi

What about this?

grep "^server" /etc/dnsmasq.conf

 

[krgck]

What about this?

grep "^server" /etc/dnsmasq.conf

servers-file=/tmp/resolv.dnsmasq
and in that file there is both of isp dns servers.

 

[tomsk]

I just had a look at my unbound.conf just now ... With dnsmasq enabled shouldn't the unbound interface on 127.0.0.1 for port 53 be commented out?

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53535                                 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535                  # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
interface: 127.0.0.1@53                    # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

 

[dave14305]

servers-file=/tmp/resolv.dnsmasq
and in that file there is both of isp dns servers.

So unbound manager hasn’t modified dnsmasq.conf yet.
Try

service restart_dnsmasq

If that doesn’t work, restart unbound.

 

[joe scian]

I just had a look at my unbound.conf just now ... With dnsmasq enabled shouldn't the unbound interface on 127.0.0.1 for port 53 be commented out?

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53535                                 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535                  # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
interface: 127.0.0.1@53                    # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

yes it should be perhaps an introduced "feature" since last hotfix.
Also noted that

# log-local-actions - yes

remains commented out during adblock installation when going back and forth enabling Dnsmasq and subsequently choosing Dnsmasq disable and Adblock install. Had to manually uncomment this.

 

[dave14305]

I just had a look at my unbound.conf just now ... With dnsmasq enabled shouldn't the unbound interface on 127.0.0.1 for port 53 be commented out?

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53535                                 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535                  # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
interface: 127.0.0.1@53                    # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I bet there’s a sed issue that doesn't differentiate @53 from @53535 when uncommenting,

 

[krgck]

So unbound manager hasn’t modified dnsmasq.conf yet.
Try

service restart_dnsmasq

If that doesn’t work, restart unbound.

Both restarted, even router restarted. No difference

 

[dave14305]

Both restarted, even router restarted. No difference

cat /jffs/scripts/dnsmasq.postconf
cat /jffs/addons/unbound/unbound.postconf

 

[krgck]

cat /jffs/scripts/dnsmasq.postconf
cat /jffs/addons/unbound/unbound.postconf

kasper@RT-AC88U-C440:/tmp# cat /jffs/scripts/dnsmasq.postconf
sh /jffs/addons/unbound/unbound.postconf "$1"           # unbound_manager

kasper@RT-AC88U-C440:/tmp# cat /jffs/addons/unbound/unbound.postconf
#!/bin/sh

CONFIG=$1
source /usr/sbin/helper.sh

######################################################################
#####            DO NOT EDIT THIS FILE MANUALLY                #######
#####             You are probably looking for                 #######
#####               your customising script                    #######
#####     '/opt/share/unbound/configs/unbound.postconf'        #######
######################################################################
logger -t "(dnsmasq.postconf)" "Updating $CONFIG for unbound....."                      # unbound_manager

ROUTER="$(nvram get lan_ipaddr_rt)"

if [ -n "$(pidof unbound)" ];then
   if [ -n "$(grep -E "^port: 53535" /opt/var/lib/unbound/unbound.conf)" ];then   # Forward dnsmasq DNS requests to unbound
        pc_delete "servers-file" $CONFIG
        # By design, if GUI DNSSEC ENABLED then attempt to modify 'cache-size=0' results in dnsmasq start-up fail loop
        #       dnsmasq[15203]: cannot reduce cache size from default when DNSSEC enabled
        #       dnsmasq[15203]: FAILED to start up
        if [ -n "$(grep "^dnssec" $CONFIG)" ];then
           pc_delete "dnssec" $CONFIG
           logger -t "(dnsmasq.postconf)" "**Warning: Removing 'dnssec' directive from 'dnsmasq' to allow DISABLE cache (set 'cache-size=0')"
        fi

        pc_replace "cache-size=1500" "cache-size=0" $CONFIG
        UNBOUNDLISTENADDR="127.0.0.1#53535"
        #UNBOUNDLISTENADDR="$(netstat -nlup | awk '/unbound/ { print $4 } ' | tr ':' '#')"   # unbound_manager
        pc_append "server=$UNBOUNDLISTENADDR" $CONFIG
        if [ "$(uname -o)" == "ASUSWRT-Merlin-LTS" ];then   # Requested by @dave14305
            pc_delete "resolv-file" $CONFIG
            pc_append "no-resolv" $CONFIG
        fi
    else
        logger -t "(dnsmasq.postconf)" "dnsmasq DNS bypassed. unbound will be the primary DNS for ALL LAN Clients."

        [ -z "$(grep -F "port=0" $CONFIG)" ] && pc_append "port=0" $CONFIG          # Disable dnsmasq DNS resolver function
        [ -z "$(grep -F "dhcp-option=lan,6,$ROUTER" $CONFIG)" ] && pc_append "dhcp-option=lan,6,$ROUTER" $CONFIG
        pc_delete "servers-file" $CONFIG
        pc_delete "no-negcache" $CONFIG
        pc_delete "domain-needed" $CONFIG
        pc_replace "cache-size=1500" "cache-size=0" $CONFIG
    fi
else
   sed -i '/port=0/d' $CONFIG
   pc_delete "dhcp-option=lan,6,$ROUTER" $CONFIG
fi