Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Using unbound, what should be the outcome for
Code:
cat /etc/resolv.conf
?
It should reflect your WAN DNS servers as long as you have left this setting as No:
Tools / Other Settings page “Wan: Use local caching DNS server as system resolver (default: No)”

If you have set that to Yes, it should show 127.0.0.1.

Unbound Manager prevents dnsmasq from forwarding to your WAN DNS servers automatically via dnsmasq.postconf. And if Unbound ever fails to start, it will fall back to the WAN DNS settings to ensure the internet still works.
 
It should reflect your WAN DNS servers as long as you have left this setting as No:
Tools / Other Settings page “Wan: Use local caching DNS server as system resolver (default: No)”

If you have set that to Yes, it should show 127.0.0.1.

Apologies, but I'm getting extremely confused the more I read! My “Wan: Use local caching DNS server as system resolver” is set to "No" per the install guide, so why is Martineau surprised that my "cat /etc/resolv.conf" came back with the DNS servers from my WAN settings? Isn't this the expected result since I have "use local caching" set to No? And why do my dig results issued within unbound_manager (not issued from a connected client) show the DNS server from my WAN settings?

And when I test using "https://www.dnsleaktest.com/", I do see my local external IP, so can I assume my Unbound is working correctly then even with the "dig" showing the DNS from my WAN?
 
Apologies, but I'm getting extremely confused the more I read! My “Wan: Use local caching DNS server as system resolver” is set to "No" per the install guide, so why is Martineau surprised that my "cat /etc/resolv.conf" came back with the DNS servers from my WAN settings? Isn't this the expected result since I have "use local caching" set to No? And why do my dig results issued within unbound_manager (not issued from a connected client) show the DNS server from my WAN settings?

And when I test using "https://www.dnsleaktest.com/", I do see my local external IP, so can I assume my Unbound is working correctly then even with the "dig" showing the DNS from my WAN?
You are fine as you are.
 
So, is my Unbound working correctly then? Just want to make sure I have not messed anything up! I have an AC68 with standard config. I have not configured anything for DoT - see attached WAN settings. And my DNSFilter is set to Router.




This is strange as I'm in US and nothing in my system connects to Telstra. Time to investigate! Thanks!



When Wan: Use local caching DNS server as system resolver is set to No (the default), the first dig command goes via the ISP DNS server, the second via Unbound.

Code:
joescian@RT-AC5300-0680:/tmp/home/root# cat /etc/resolv.conf
nameserver 220.233.0.3
nameserver 220.233.0.4

Code:
; <<>> DiG 9.14.8 <<>> txt q-ring.msedge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3827
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;q-ring.msedge.net.             IN      TXT

;; ANSWER SECTION:
q-ring.msedge.net.      59      IN      CNAME   q-ring.q-9999.q-msedge.net.
q-ring.q-9999.q-msedge.net. 52  IN      CNAME   q-9999.q-msedge.net.

;; AUTHORITY SECTION:
q-msedge.net.           53      IN      SOA     ns1.q-msedge.net. msnhst.microsoft.com. 2018012401 1800 900 2419200 240

;; Query time: 458 msec
;; SERVER: 220.233.0.3#53(220.233.0.3)
;; WHEN: Sun May 17 00:20:10 UTC 2020
;; MSG SIZE  rcvd: 157


; <<>> DiG 9.14.8 <<>> q-ring.msedge.net @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25927
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;q-ring.msedge.net.             IN      A

;; ANSWER SECTION:
q-ring.msedge.net.      30      IN      CNAME   q-ring.q-9999.q-msedge.net.
q-ring.q-9999.q-msedge.net. 30  IN      CNAME   q-9999.q-msedge.net.
q-9999.q-msedge.net.    30      IN      A       13.107.49.254

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 17 00:20:10 UTC 2020
;; MSG SIZE  rcvd: 113

When Wan: Use local caching DNS server as system resolver (default: YES), both dig commands go out via Unbound.

Code:
joescian@RT-AC5300-0680:/tmp/home/root# cat /etc/resolv.conf
nameserver 127.0.0.1

Code:
; <<>> DiG 9.14.8 <<>> txt q-ring.msedge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62029
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;q-ring.msedge.net.             IN      TXT

;; ANSWER SECTION:
q-ring.msedge.net.      933     IN      CNAME   q-ring.q-9999.q-msedge.net.
q-ring.q-9999.q-msedge.net. 933 IN      CNAME   q-9999.q-msedge.net.

;; AUTHORITY SECTION:
q-msedge.net.           30      IN      SOA     ns1.q-msedge.net. msnhst.microsoft.com. 2018012401 1800 900 2419200 240

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 17 00:24:38 UTC 2020
;; MSG SIZE  rcvd: 157


; <<>> DiG 9.14.8 <<>> q-ring.msedge.net @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34980
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;q-ring.msedge.net.             IN      A

;; ANSWER SECTION:
q-ring.msedge.net.      933     IN      CNAME   q-ring.q-9999.q-msedge.net.
q-ring.q-9999.q-msedge.net. 933 IN      CNAME   q-9999.q-msedge.net.
q-9999.q-msedge.net.    933     IN      A       13.107.49.254

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 17 00:24:38 UTC 2020
;; MSG SIZE  rcvd: 113

I never did quite understand why there would need to be a warning about Wan: Use local caching DNS server as system resolver (default: YES) when installing Unbound.
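The two dig runs above differ only in the ";; SERVER:" line, and /etc/resolv.conf differs only in its nameserver entries. As an added example (not part of the thread or of unbound_manager), the script below reads saved dig output and a resolv.conf style file and reports whether each path is the local unbound instance or an upstream server. All sample data is constructed here; the 203.0.113.x addresses are documentation addresses standing in for real WAN DNS servers.

```shell
#!/bin/sh
# Added example: classify which resolver answered a dig run, and what
# /etc/resolv.conf says the system resolver is. Sample data is constructed.

SAMPLE_DIR=$(mktemp -d)

# resolv.conf as seen with "Use local caching DNS server as system resolver" = No
cat > "$SAMPLE_DIR/resolv_wan.conf" <<'EOF'
nameserver 203.0.113.53
nameserver 203.0.113.54
EOF

# resolv.conf as seen with the same setting = Yes
cat > "$SAMPLE_DIR/resolv_local.conf" <<'EOF'
nameserver 127.0.0.1
EOF

# Trimmed dig output, upstream path (only the lines the parser needs)
cat > "$SAMPLE_DIR/dig_wan.txt" <<'EOF'
;; Query time: 458 msec
;; SERVER: 203.0.113.53#53(203.0.113.53)
;; WHEN: Sun May 17 00:20:10 UTC 2020
EOF

# Trimmed dig output, local unbound path
cat > "$SAMPLE_DIR/dig_local.txt" <<'EOF'
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 17 00:20:10 UTC 2020
EOF

# Print the address of the server that answered, taken from dig's SERVER line.
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' "$1"
}

# "local" for loopback (unbound on the router), "upstream" for any other
# address, "unknown" when no address was found in the input.
classify_server() {
    case "$1" in
        "") echo unknown ;;
        127.0.0.1|::1) echo local ;;
        *) echo upstream ;;
    esac
}

# Which path a saved dig run took.
dig_path() {
    classify_server "$(dig_server "$1")"
}

# Summarise the nameserver entries of a resolv.conf style file:
# local (all loopback), upstream (none loopback), mixed, or none.
resolv_conf_mode() {
    n_local=0; n_other=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
        if [ "$(classify_server "$ns")" = local ]; then
            n_local=$((n_local + 1))
        else
            n_other=$((n_other + 1))
        fi
    done
    if [ "$n_local" -gt 0 ] && [ "$n_other" -eq 0 ]; then echo local
    elif [ "$n_other" -gt 0 ] && [ "$n_local" -eq 0 ]; then echo upstream
    elif [ "$n_local" -eq 0 ]; then echo none
    else echo mixed
    fi
}

# Walk-through mirroring the thread: setting = No ("wan") and = Yes ("local").
for variant in wan local; do
    echo "resolv.conf ($variant): $(resolv_conf_mode "$SAMPLE_DIR/resolv_$variant.conf")"
    echo "dig answered by ($variant): $(dig_server "$SAMPLE_DIR/dig_$variant.txt") -> $(dig_path "$SAMPLE_DIR/dig_$variant.txt")"
done
```

On a router you would point the functions at the real /etc/resolv.conf and at `dig ... > /tmp/dig.txt` captures; a "mixed" result from resolv_conf_mode is the case worth a second look, since some queries would then bypass unbound.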
 
Is it possible to use unbound for recursive lookups and have them routed to WAN or VPN 1, VPN 2 etc. as required?
In a DNS leak test that would give the WAN IP of the router or the endpoint of either tunnel, correct?
 
Is it possible to use unbound for recursive lookups and have them routed to WAN or VPN 1, VPN 2 etc. as required?
In a DNS leak test that would give the WAN IP of the router or the endpoint of either tunnel, correct?

Yes - unbound_manager advanced
3 - advanced tools

bind or vpn 1 , vpn 2
 
Yes - unbound_manager advanced
3 - advanced tools

bind or vpn 1 , vpn 2
Yes, but won't that bind exclusively to the WAN or whichever VPN client you select? Maybe a use case example might help: let's say you have two VPN tunnels up, one to the UK because you want to watch iPlayer on your iPad and one to the US because you want to watch US Netflix on a laptop, but you don't want to use the VPN provider's DNS on either tunnel, and any other devices you want to go through the LAN but you want to use unbound to do the lookup too. Doable?
 
try it and see
 
try it and see
It's a hypothetical for me... where I live the ISP is pretty effective at blocking OpenVPN so I can't test it.
Just thinking about the possibilities.
 
This is a great setup - I want one of those!!!

Great work on Unbound Manager package everybody - forced me to widen my DNS knowledge, but it is totally worth it.

Took me ages last night to read at least 100 forum pages yesterday, but that did not make me wiser on some topics.
I am still not clear where to start with a switchover from Diversion to Unbound ad-block. My list of question marks is long.
Some short hints would be greatly appreciated.
1/ Not clear in what order I should do the ad-block switch over - activate in Unbound first and then install; will this force me to switch off Diversion?
2/ Does Unbound update blacklist automatically? Or shares the list with Diversion and relies on its updates running?
3/ Not exactly sure how to keep Pixelserv with Unbound. I have seen changes to pixelserv startup script, just not sure how it will be started when I disable Diversion.. Do I need a manual change?
4/ Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED) - Assuming this would be a nice very last unbound_manager step following the ad-block migration (but not earlier). But then I am not clear what to do with dnsmasq.conf.add - will it still be in use including lines with address=xyz or just DHCP part

Have a lovely Sunday.

unbound doesn't loop here, no idea about Diversion as I don't use it.
Code:
    Version=3.14
    Local                                       md5=bdb9d03f2cffeba2d9d893f84a55dda9
    Github                                      md5=88e48deea3afb4ef38f3d4399dacae1d
    /jffs/addons/unbound/unbound_manager.md5    md5=88e48deea3afb4ef38f3d4399dacae1d

    Router Configuration recommended pre-reqs status:

    [✔] Swapfile=1048572 kB
    [✔] DNS Filter=ON
    [✔] DNS Filter=ROUTER
    [✖] Warning WAN: Use local caching DNS server as system resolver=YES          see http://10.88.8.1:80/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
    [✔] Entware NTP server is running
    [✔] Enable DNS Rebind protection=NO
    [✔] Enable DNSSEC support=NO

    Options: Auto Reply='y' for User Selectable Options ('1 4') unbound Logging,Performance Tweaks

    [✔] unbound Logging
    [✔] unbound CPU/Memory Performance tweaks
    [✔] Router Graphical GUI statistics TAB installed
    [✔] unbound-control FAST response ENABLED
    [✔] DNS Firewall ENABLED
    [✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)
    [✔] YouTube Ad Blocking (Forcing to use YT IP 74.125.166.169, No. of YouTube Video Ad domains=14)
 
I've uploaded v3.14

Version=3.14
Github md5=37a1160eaaecb2276ae64d6c3977484a

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' ** not required **

Code:
FIX:    Ad Block:  Allow comments and blank lines between entries in custom '/opt/share/unbound/configs/blockhost'
FIX:    If bypass dnsmasq in use, if '2/z Uninstall unbound' is used, explicitly remove 'port=0' from dnsmasq configuration.
FIX:    '2/z - Uninstall' command will now remove YouTube Video Ad blocking cron job from services-start
CHANGE: Allow 'Easy' menu mode users to use 'uf dev'
CHANGE: YouTube install logic for 'Easy' menu option (no longer shown as available if unbound not installed, and no longer requires Ad Block as a pre-req) - Thanks @Huey11
        Option 8 is now a 'toggle' option and will display 'Install/Uninstall' as appropriate.
Code:
1  = Begin unbound Installation Process 
2  = Remove unbound/unbound_manager 
3  = n/a Start unbound 
4  = n/a Show unbound statistics 
5  = n/a Install Ad and Tracker blocker (Ad Block) 
6  = n/a Install Graphical Statistics GUI Add-on TAB 
7  = n/a Enable DNS Firewall 
8  = n/a Install YouTube Ad blocker 

?  = About Configuration
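The first FIX in 3.14 concerns the custom '/opt/share/unbound/configs/blockhost' list tolerating comments and blank lines. As an added example (this is not gen_adblock.sh or any other unbound_manager code), the script below shows the shape of that parsing step and one check worth having in front of it: an entry that is not a plain hostname is dropped and reported rather than written into the config, because a malformed line is one way to end up with an unbound that refuses to start (and, per the thread, a router that falls back to WAN DNS). The 'local-zone ... always_nxdomain' output form is this example's own choice; the generator's real output format is not shown in the thread. The sample list is constructed.

```shell
#!/bin/sh
# Added example: normalise a custom block list that may contain comments
# and blank lines into unbound local-zone lines, rejecting malformed entries.
# Sample data below is constructed; this is not unbound_manager's script.

SAMPLE_DIR=$(mktemp -d)

# Constructed blockhost sample: a comment, blank lines, an inline comment,
# mixed case, a duplicate, and two malformed entries (a URL and a line with
# a space).
cat > "$SAMPLE_DIR/blockhost" <<'EOF'
# custom entries for this household

ads.example.net
Tracker.Example.ORG    # inline comment
http://bad.example.com/path
two words.example.com

telemetry.example.com
ADS.example.net
EOF

# A hostname: dot-separated labels of letters, digits and hyphens, with at
# least one dot. [.] instead of \. so the pattern survives awk -v unchanged.
HOST_RE='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?([.][A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'

# Strip comments ("#" to end of line) and surrounding whitespace.
strip_comments() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# Well-formed entries only, lower-cased and de-duplicated.
blockhost_entries() {
    strip_comments "$1" |
    awk -v re="$HOST_RE" 'NF == 1 && $1 ~ re { print tolower($1) }' |
    sort -u
}

# Non-blank lines that were not accepted, for the operator to fix.
blockhost_rejects() {
    strip_comments "$1" |
    awk -v re="$HOST_RE" 'NF && !(NF == 1 && $1 ~ re) { print }'
}

# Number of accepted entries (awk rather than wc, whose output may be padded).
blockhost_count() {
    blockhost_entries "$1" | awk 'END { print NR }'
}

# Emit one unbound directive per accepted host. The always_nxdomain action
# is this example's choice of blocking response.
blockhost_to_localzones() {
    blockhost_entries "$1" |
    awk '{ printf "local-zone: \"%s\" always_nxdomain\n", $1 }'
}

echo "accepted: $(blockhost_count "$SAMPLE_DIR/blockhost") entries"
blockhost_to_localzones "$SAMPLE_DIR/blockhost"
echo "rejected lines:"
blockhost_rejects "$SAMPLE_DIR/blockhost"
```

Running the generated lines through `unbound-checkconf` before reloading is the natural next step on a real router, and the reject list tells you which lines of blockhost to clean up when that check fails.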
 
Yes, but won't that bind exclusively to the WAN or whichever VPN client you select? Maybe a use case example might help: let's say you have two VPN tunnels up, one to the UK because you want to watch iPlayer on your iPad and one to the US because you want to watch US Netflix on a laptop, but you don't want to use the VPN provider's DNS on either tunnel, and any other devices you want to go through the LAN but you want to use unbound to do the lookup too. Doable?
:confused:
Are you asking can unbound be the Primary DNS server for ALL clients? i.e. both LAN and VPN.
 
:confused:
Are you asking can unbound be the Primary DNS server for ALL clients? i.e. both LAN and VPN.
No, I'm not particularly asking about unbound being the primary DNS. I'm asking if it will assume the IP of whatever tunnel endpoint you are using, i.e. your WAN IP is A.B.C.D, your VPN1 is E.F.G.H and VPN3 is I.J.K.L.
Can you perform recursive queries for clients connected to VPN1 and the DNS will show as E.F.G.H, and for clients connected to VPN2 it will show as I.J.K.L, but clients routed through WAN would show as A.B.C.D?
Is it as simple as changing the ovpn setting in each VPN client to use the local DNS?

I'm thinking about circumventing geoblocking but without having to resort to using the VPN provider's own DNS.
 
1/ Not clear in what order I should do the ad-block switch over - activate in Unbound first and then install; will this force me to switch off Diversion?
see Q&A - 3rd entry - essentially you can run Ad Block and Diversion concurrently to allow you to migrate but keep an eye on the memory usage.
2/ Does Unbound update blacklist automatically? Or shares the list with Diversion and relies on its updates running?
Yes, there is a daily Ad Block refresh cron job
Code:
cru l | grep adblock

0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#
NOTE: You will need to define which custom lists you wish to use in '/opt/share/unbound/configs/blocksites', the default is Steven Black's list.
3/ Not exactly sure how to keep Pixelserv with Unbound. I have seen changes to pixelserv startup script, just not sure how it will be started when I disable Diversion.. Do I need a manual change?
Currently (although Pixelserv's future seems in doubt), you can manually use pixelserv with unbound - not sure if @Twiglets can confirm.
4/ Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED) - Assuming this would be a nice very last unbound_manager step following the ad-block migration (but not earlier).
But then I am not clear what to do with dnsmasq.conf.add -

will it still be in use including lines with address=xyz or just DHCP part
Yes, in 'bypass dnsmasq' mode, dnsmasq will be relegated to only DHCP duties.

Currently 'unbound_manager' only migrates the dnsmasq localhosts to unbound format.

The question of fully migrating dnsmasq to unbound should be possible (bar one option that requires the necessary module to be compiled in unbound) was previously raised here and I did request feedback to try and capture a comprehensive list of directives that should be migrated to unbound, but didn't get any reply.
 
I took the plunge and switched over to unbound ad-blocking and blacklisting. Option ad shows some diffs, but I have not found the script to synchronise lists yet. Left pixelserv alone for the time being. Not sure why its future is in doubt? Returning one pixel was always meant to be faster... But to be fair, I do not miss it just yet.

Yes, in 'bypass dnsmasq' mode, dnsmasq will be relegated to only DHCP duties.

Currently 'unbound_manager' only migrates the dnsmasq localhosts to unbound format.

I switched off dnsmasq from the menu as per below and have observed that aliases of my router that worked with dnsmasq will now work with unbound without dnsmasq. Presumably by choice, but worth checking... So I have as follows:

These names are all fine
myasus
myasus.local
RT-AX88U-6D88
RT-AX88U-6D88.local

These two do not work anymore, while all local hosts work ok with mydomain - in my view it is inconsistent, any reason?
myasus.mydomain
RT-AX88U-6D88.mydomain

These three do not resolve anymore to my local router as they did before. One can wonder why ASUS put them in first place, perhaps there's some internal logic. Maybe Mesh will stop working (I am not using it) or something else from the closed code.
router.asus.com
www.asusnetwork.net
www.asusrouter.com

Views?
 
These two do not work anymore, while all local hosts work ok with mydomain - in my view it is inconsistent, any reason?
myasus.mydomain
RT-AX88U-6D88.mydomain

These three do not resolve anymore to my local router as they did before. One can wonder why ASUS put them in first place, perhaps there's some internal logic. Maybe Mesh will stop working (I am not using it) or something else from the closed code.
router.asus.com
www.asusnetwork.net
www.asusrouter.com
Going to add the first two to /opt/share/unbound/configs/unbound.conf.localhosts, but it will probably get overridden if I flick the dnsmasq switch in unbound_manager back and forth. The last three I will research; probably only Merlin knows.
I am going to change the Wan: Use local caching DNS server as system resolver (default: No) WebUI flag and observe it for a week.
 
I took the plunge and switched over to unbound ad-blocking and blacklisting. Option ad shows some diffs, but I have not found the script to synchronise lists yet. Left pixelserv alone for the time being. Not sure why its future is in doubt? Returning one pixel was always meant to be faster... But to be fair, I do not miss it just yet.



I switched off dnsmasq from the menu as per below and have observed that aliases of my router that worked with dnsmasq will now work with unbound without dnsmasq. Presumably by choice, but worth checking... So I have as follows:

These names are all fine
myasus
myasus.local
RT-AX88U-6D88
RT-AX88U-6D88.local

These two do not work anymore, while all local hosts work ok with mydomain - in my view it is inconsistent, any reason?
myasus.mydomain
RT-AX88U-6D88.mydomain

These three do not resolve anymore to my local router as they did before. One can wonder why ASUS put them in first place, perhaps there's some internal logic. Maybe Mesh will stop working (I am not using it) or something else from the closed code.
router.asus.com
www.asusnetwork.net
www.asusrouter.com

Views?

It depends where the five entities are defined.

myasus.mydomain
RT-AX88U-6D88.mydomain
router.asus.com
www.asusnetwork.net

www.asusrouter.com

If they are in '/etc/hosts' then they have been missed by the migration to bypass dnsmasq. :rolleyes:
 
