> Now that I'm using Unbound, my previous choice of DNS servers (Quad9, Cloudflare), though still configured in the router GUI, are no longer the servers I'm reaching. Doing a "what's my DNS server" type test shows me as using my ISP's DNS servers now. Is that normal?
> Thanks.

Yes, that's the whole purpose of Unbound as a recursive resolver. It does the same work that Quad9 or Cloudflare would do with your queries. But the difference is that it isn't your ISP's DNS servers you're seeing; it should be your own WAN IP address (from your ISP) that shows up as the detected DNS server. Big but subtle difference.
> Yes, that's the whole purpose of Unbound as a recursive resolver. It does the same work that Quad9 or Cloudflare would do with your queries. But the difference is that it isn't your ISP's DNS servers you're seeing; it should be your own WAN IP address (from your ISP) that shows up as the detected DNS server. Big but subtle difference.

Yes! I see that now. Thanks for the explanation.
Baby steps etc. i.e. how widespread is the use of unbound as the Primary DNS for the LAN?
In the interim, I suggest you place your custom mods in 'unbound.conf.add', rather than 'unbound.conf.localhosts' as when switching between unbound/dnsmasq, 'unbound.conf.localhosts' will get flushed/rebuilt, but the contents of 'unbound.conf.add' will not be altered but will be added on every unbound startup.
P.S. You're welcome to provide examples (or write the code and submit a pull request!)
You can add a CNAME entry in local-data, however as Unbound isn't an Authoritative resolver it won't expand it. If a client makes a query for an A record they won't receive the CNAME in response.
This thread is for the discussion topic: unbound_manager script.
As per the GitHub Hints/Tips: Differences between the operational modes
'Easy' mode - you have limited Install options:
i.e. Advanced Options are not available
- Stubby Integration
- DoT installs
'Advanced' mode - you can fully customise the choice of options implemented.
'Advanced' mode
[attachment 22680: image]
'Easy' mode (This is the default when invoked from amtm)
[attachment 22679: image]
INSTALLATION
NOTE: If you wish to manually install unbound (or understand the necessary steps) see the instructions here
Pre-reqs:
- Asus Router running the RMerlin firmware (see AsusWRT-Merlin)
- Entware must be installed (Many popular 3rd Party scripts now require Entware e.g. amtm)
Recommended unbound compatible Router Settings pre-reqs:
[✔] Swapfile=262140 kB (min 256 MB)
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Enable local NTP server=YES
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO
If the router settings do not match the above, a hyperlink will be shown to assist
e.g.
[] ***ERROR WAN: Use local caching DNS server as system resolver=YES
see http://192.168.1.1/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
Manual installation of unbound - like most tasks - is easy once you know how, but for non-techies, why spend time frustratingly typing in cryptic directives/commands into the router when you could simply let someone else facilitate the task, who will remain accountable when it goes wrong!
The goal of unbound_manager is to seamlessly integrate unbound with the inherent dnsmasq but to ensure that unbound_manager can always be used to instantly remove unbound in seconds, i.e. a REBOOT (whilst recommended) isn't mandatory during the installation, nor for an uninstall.
Furthermore, the script provides useful features via simple menu options, that do not intimidate non-techies, but allows them to investigate (and for the adventurous) tweak the unbound configuration without any drama.
If you are running amtm >v3.1.2
[attachment 22673: image]
then use item '7', otherwise see the one-line command unbound_manager Manual Installation
The unbound_manager.sh script is hosted on GitHub, and you can follow the development history here.
@Slawek P

> I took a plunge and switched over to unbound ad-blocking and blacklisting. Option ad shows some diffs, but have not found yet the script to synchronise lists yet. Left pixelserv alone for time being. Not sure why its future is in doubt? Returning one pixel was always meant to be faster... But to be fair, do not miss it just yet
> I switched off dnsmasq from the menu as per below and have observed that aliases of my router that worked with dnsmasq will now work with unbound without dnsmasq. Presumably by choice, but worth checking... So I have as follows:
> These names are all fine
> myasus
> myasus.local
> RT-AX88U-6D88
> RT-AX88U-6D88.local
> These two do not work anymore, while all local hosts work ok with mydomain - in my view it is inconsistent, any reason?
> myasus.mydomain
> RT-AX88U-6D88.mydomain
> These three do not resolve anymore to my local router as they did before. One can wonder why ASUS put them in first place, perhaps there's some internal logic. Maybe Mesh will stop working (I am not using it) or something else from the closed code.
> router.asus.com
> www.asusnetwork.net
> www.asusrouter.com
> Views?
> Code:
> e = Exit Script [?]
> A:Option ==> dnsmasq disable
> If you currently use or rely on dnsmasq features such as Diversion/x3mRouting etc., then re-consider.
> Do you still want to DISABLE dnsmasq?
> Reply 'y' or press [Enter] to skip
> y
> 13:31:16 Configuring unbound to be the primary DNS for ALL LAN Clients.....
> 13:31:16 Converting '/etc/hosts.dnsmasq' local hosts to 'unbound'.....
> 13:31:20 Converting '/etc/hosts' local hosts to 'unbound'.....
> 13:31:21 Converting dnsmasq 'address=/' and 'server=/' directives to 'unbound'.....
> <snip>
> Saw your previous note. Got busy with work-work.

No problem - just wanted useful real-world feedback regarding the possible combinations of potentially complex dnsmasq directives that need to be parsed into their unbound equivalents.

> 1. I tried unbound.conf.add and it was not read. No biggy.

The feature should work... if the 'include:' directive appears in 'unbound.conf'?

> 3. Been testing with combinations of local-zone and local-data for the records migration thus far...

I've uploaded v3.15b beta to GitHub dev branch.
/opt/share/unbound/configs/unbound.conf.localhosts:67: error: unknown keyword 'yes'
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
tOmsK@RT-AC68U-4690:/tmp/home/root# unbound -dv
[1589807558] unbound[14561:0] notice: Start of unbound 1.10.0.
/opt/share/unbound/configs/unbound.conf.localhosts:67: error: unknown keyword 'yes'
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1589807558] unbound[14561:0] fatal error: Could not read config file: /opt/var/lib/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
# Replicate 'address=/ directives
local-zone: "use-application-dns.net A " static
# Replicate 'server=/ directives
forward-zone:
name: ""
forward-addr:
forward-first: yes
> Looking for some advice here...
> Which one is better suited to run on AX88U?
> TBH, I haven't been able to figure out the main difference between DNSCrypt & Unbound (and that is the core of my confusion).
> - DNSCrypt + Diversion
> - Unbound + Diversion
> - Unbound + Unbound-Adblocking
> - DNSCrypt (anonymised relays) + Diversion
> I guess once I can get that bit sorted, the next question of which ad-blocking may become easier to resolve.
> Any direct answers, links to forum posts or independent reading would be much appreciated.

IMO the AX88U has enough resources to run Unbound + Diversion; I would go for that. Diversion still offers you the most customization for ad-blocking and Unbound does an excellent job as a recursive DNS server. At least that's what I'm running successfully now for several months.
> With V 3.15B

Why not post what the syntax error actually is?
> Why not post what the syntax error actually is?

Because I'm not sure how to do that..... sorry if I'm not being helpful... I'll wind my neck in
> With V 3.15B

You will need to provide diagnostic output of your custom dnsmasq directives
e.g. the following two dnsmasq directives
Code:
awk '/^server/ || /^address/ {print $0}' /etc/hosts/dnsmasq.conf
server=/pool.ntp.org/1.1.1.1
address=/sitex.com/127.0.0.1
should be converted to unbound format
Code:
# Replicate 'address=/ directives
local-zone: "sitex.com A 127.0.0.1" static
# Replicate 'server=/ directives
forward-zone:
name: "pool.ntp.org"
forward-addr: 1.1.1.1
forward-first: yes
> You will need to provide diagnostic output of your custom dnsmasq directives
> e.g. the following two dnsmasq directives should be converted to unbound format

I don't have any server directives... but I do have a strange looking address in there
Code:
address=/use-application-dns.net/
> I don't have any server directives... but I do have a strange looking address in there
> Code:
> address=/use-application-dns.net/

OK thanks.
> OK thanks.

Ah ok ... sorry I'm not really helpful in that case... but better to trip over that one now I guess before your intended OP says .. "its all good" and later you get my scenario.
> Ah ok ... sorry I'm not really helpful in that case... but better to trip over that one now I guess before your intended OP says .. "its all good" and later you get my scenario.

v3.15b was intended for the OP with apparently multiple 'address=/' and 'server=/' directives, so I suspect v3.15b blindly assumes both are always present.
I've updated v3.15b, so hopefully it should no longer attempt to migrate non-existent 'server=/' directives, but I personally hadn't noticed
Code:
address=/use-application-dns.net/
so I suspect the unbound directive generated for the above is also garbage but non fatal, but not sure why it is there
Code:
local-zone: "use-application-dns.net" always_nxdomain
> I've updated v3.15b, so hopefully it should no longer attempt to migrate non-existent 'server=/' directives, but I personally hadn't noticed
> Code:
> address=/use-application-dns.net/
> so I suspect the unbound directive generated for the above is also garbage but non fatal, but not sure why it is there

You probably want to be mindful of "incomplete" but "valid" server or address directives that do not contain an IP after the domain name, which is used as a way to force an NXDOMAIN for a domain within dnsmasq, such as the Firefox DoH example in your post.
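Added example, not code from unbound_manager or from anyone in this thread, showing the dnsmasq-to-unbound directive translation the two posts above discuss, including the no-IP form that forces NXDOMAIN; it uses local-zone plus local-data rather than the single-line form the script printed. The function name dnsmasq_to_unbound and the mapping of a no-IP 'server=/domain/' to a static local-zone are my assumptions.

```shell
#!/bin/sh
# Added example, not unbound_manager's own code: translate dnsmasq 'address=/' and
# 'server=/' directives to unbound syntax. Handles the "incomplete but valid" form
# with no IP after the domain (the use-application-dns.net case above) and never
# emits an empty 'name: ""' forward-zone. Mapping 'server=/dom/' with no IP to a
# static local-zone is my assumption, based on dnsmasq's documented meaning of that
# form (never forwarded; answered from local data only, else NXDOMAIN).

# dnsmasq_to_unbound: reads dnsmasq directives on stdin, prints unbound config on stdout.
dnsmasq_to_unbound() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            address=/*|server=/*) ;;              # only these two directive types
            *) continue ;;                         # comments, blanks, anything else
        esac
        kind=${line%%=*}                           # 'address' or 'server'
        spec=${line#*=/}                           # '<dom>[/<dom>...]/<target>'
        target=${spec##*/}                         # text after the last '/'; may be empty
        doms=${spec%/*}                            # one or more '/'-separated domains
        [ "$doms" != "$spec" ] || continue         # no closing '/': malformed, skip
        case "$target" in                          # dnsmasq 'ip#port' -> unbound 'ip@port'
            *#*) target="${target%%#*}@${target#*#}" ;;
        esac
        old_ifs=$IFS; IFS=/; set -- $doms; IFS=$old_ifs
        for dom in "$@"; do
            [ -n "$dom" ] || continue              # never emit a zone with an empty name
            if [ -z "$target" ]; then
                # No IP given: dnsmasq forces NXDOMAIN (address=) or never forwards (server=)
                if [ "$kind" = address ]; then
                    printf 'local-zone: "%s" always_nxdomain\n' "$dom"
                else
                    printf 'local-zone: "%s" static\n' "$dom"
                fi
            elif [ "$kind" = address ]; then
                rr=A; case "$target" in *:*) rr=AAAA ;; esac      # IPv6 target -> AAAA
                printf 'local-zone: "%s" redirect\n' "$dom"       # whole subtree, like dnsmasq
                printf 'local-data: "%s %s %s"\n' "$dom" "$rr" "$target"
            else
                printf 'forward-zone:\n  name: "%s"\n  forward-addr: %s\n' "$dom" "$target"
            fi
        done
    done
}

# Constructed sample input mirroring the directives posted in this thread:
printf 'server=/pool.ntp.org/1.1.1.1\naddress=/sitex.com/127.0.0.1\naddress=/use-application-dns.net/\n' | dnsmasq_to_unbound
```

Pipe the output into a file under /opt/share/unbound/configs and run unbound-checkconf before restarting, which is the step that would have caught the empty forward-zone in the posts above.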
> It does, but it changes unbound from a recursive resolver to just another forwarder like stubby.

As you wish. Barenaked Lady it is, then.
EDIT: with this my 2,000th post, I am now part of the furniture. Please remember me as I was, not as a nice Chesterfield or an ottoman.