Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[dave14305]

As you wish. Barenaked Lady it is, then.

Only took 100 days for anyone to notice that. If I had a $1,000,000...

 

[heysoundude]

Only took 100 days for anyone to notice that. If I had a $1,000,000...

You definitely won’t have a problem finding monkeys around here, then. But do you really want to fess up publicly to wanting one?


Sent from my iPhone using Tapatalk

 

[Seij]

On a side note, has anyone tested/quantified the actual negative performance impact of "log-queries:yes" and "log-replies:yes"?

I use the "scribe" integration from the unbound_manager script which uncomments both lines, however the NLnet unbound manual has an ominous warning for both: "Note that it takes time to print these lines which makes the server (significantly) slower." I've tried both commenting/uncommenting these two lines out of my unbound.conf but didn't really notice any difference in speed/responsiveness either way...

I'm happy to help test and report back the results, but I'd need some guidance from this group on the best way to do a true "apples to apples" test between the two configurations.

Edit #1: I'm especially curious now that verbosity defaults to 0 instead of 1
Edit #2: The Unbound UI tab has a section that requires "log-replies:yes" as well, which was the initial impetus for this question

 

[ttgapers]

I've updated v3.15b, so hopefully it should no longer attempt to migrate non-existent 'server=/' directives, but I personally hadn't noticed

address=/use-application-dns.net/

so I suspect the unbound directive currently generated for the above is also garbage but non fatal,

EDIT: see Mozilla Canary Domain
I suspect it should be converted to

local-zone: "use-application-dns.net" always_nxdomain

Yup that's to disable DoH on Firefox. Merlin gave us that tip early out to ensure browsers respect our DNS servers
So, might be good to check if unbound has DoH bypass enabled and if the record exists already....

 

[heysoundude]

You should leave a real DNS server in WAN DNS. Unbound_manager will take care of pointing dns to unbound behind the scenes. I’m afraid your router won’t boot properly with your current WAN DNS settings.

Do these count?


I suppose I should include the page that starts one down that rabbit hole: dns.he.net
I figure since I'm using their DDNS...

 

[dave14305]

Do these count?
View attachment 23571

Count for what? That seems to be instructing you how to point your custom domain name to a new authoritative nameserver. Not related to defining a WAN DNS server for the router to use.

Like Magic 8 Ball often says, "Concentrate and ask again."

 

[heysoundude]

we were typing at the same time: I did ask again, sort of...

 

[Martineau]

Yup that's to disable DoH on Firefox. Merlin gave us that tip early out to ensure browsers respect our DNS servers
So, might be good to check if unbound has DoH bypass enabled and if the record exists already....

My surprise is because I don't use Firefox, nor do I reside in the USA.

 

[AntonK]

Is there a way to create/add to a Ad Block whitelist via the AMTM-Unbound menu?

 

[AntonK]

Is there a way to create/add to a Ad Block whitelist via the AMTM-Unbound menu?

Perhaps my question is, how do I switch to Advanced Mode after installing Unbound via AMTM under the default Easy Mode?

 

[Marin]

Perhaps my question is, how do I switch to Advanced Mode after installing Unbound via AMTM under the default Easy Mode?

See the links on the very first post (Easy and Advanced).


Sent from my iPhone using Tapatalk

 

[Marin]

See the links on the very first post (Easy and Advanced).


Sent from my iPhone using Tapatalk

https://github.com/MartineauUK/Unbo...-the-commandline-the-default-is-advanced-mode


Sent from my iPhone using Tapatalk

 

[AntonK]

https://github.com/MartineauUK/Unbo...-the-commandline-the-default-is-advanced-mode


Sent from my iPhone using Tapatalk

Thanks. Not exactly end-user ready, but that's really not the criticism (or bitching) it may seem. I appreciate the many scripts that coders are writing to compliment RMerlin's firmware, and am using many of them.

 

[joe scian]

On a side note, has anyone tested/quantified the actual negative performance impact of "log-queries:yes" and "log-replies:yes"?

I use the "scribe" integration from the unbound_manager script which uncomments both lines, however the NLnet unbound manual has an ominous warning for both: "Note that it takes time to print these lines which makes the server (significantly) slower." I've tried both commenting/uncommenting these two lines out of my unbound.conf but didn't really notice any difference in speed/responsiveness either way...

I'm happy to help test and report back the results, but I'd need some guidance from this group on the best way to do a true "apples to apples" test between the two configurations.

Edit #1: I'm especially curious now that verbosity defaults to 0 instead of 1
Edit #2: The Unbound UI tab has a section that requires "log-replies:yes" as well, which was the initial impetus for this question

set your unbound.conf to below - adblock graphing only requires log-replies set to yes. If you have log queries set to yes as well then unbound.log grows very quickly and will slow your Router Web-GUI response times if you have scribe enabled

"log-queries:no"
"log-replies:yes"
"log-local-actions: yes"

 

[Martineau]

I've uploaded v3.15

Version=3.15
Github md5=c7b58580c6cf85a3b070f248abadeea0
​

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' ** not required **

FIX:     '8 -Install YouTube Video Ad blocker' generates error 'Ad Block' related message if the install is actually ABORTed/declined
ADD::    'dnsmasq disable' bypass dnsmasq now migrates '/etc /hosts' and both 'dnsmasq.conf' 'server=/' and 'address=/' directives
ADD:     'dnsmasq' revert to Primary LAN DNS now reinstates Diversion if available
CHANGE:  'Easy' menu mode now visually separates (by column) optional features and colour codes them to enhance at-a-glance status.

1  = Update unbound files and configuration                     5  = Uninstall Ad and Tracker blocker (Ad Block)
2  = Remove unbound/unbound_manager                             6  = Uninstall Graphical Statistics GUI Add-on TAB
3  = Stop unbound                                               7  = Enable    DNS Firewall
4  = Show unbound statistics                                    8  = Uninstall YouTube Ad blocker

?  = About Configuration               
v  = View ('/opt/var/lib/unbound/'unbound.conf)
 
e  = Exit Script [?]

E:Option ==>

 

[Ubimo]

Unbound 1.10.1. was released.
Source: https://github.com/NLnetLabs/unbound/releases/tag/release-1.10.1

Changelog:

his release fixes CVE-2020-12662 and CVE-2020-12663.

Bug Fixes:
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
  query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
  used to make Unbound unresponsive.

 

[Ubimo]

Can we configure unbound, so it does DoT? (ISP cannot intercept DNS queries?)
Source: https://openwrt.org/docs/guide-user/services/dns/dot_unbound

 

[dave14305]

Unbound 1.10.1. was released.
Source: https://github.com/NLnetLabs/unbound/releases/tag/release-1.10.1

Changelog:

his release fixes CVE-2020-12662 and CVE-2020-12663.

Bug Fixes:
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
  query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
  used to make Unbound unresponsive.

It could be months before OpenWRT/Entware makes it available. I decided to get "wild" (relative to my usual excitement level) and compiled unbound 1.10.1 from source on an idle Raspberry Pi. Super easy.

 

[dave14305]

Can we configure unbound, so it does DoT? (ISP cannot intercept DNS queries?)
Source: https://openwrt.org/docs/guide-user/services/dns/dot_unbound

There's an advanced menu option for that.

 

[Ubimo]

There's an advanced menu option for that.

There is? How?
I thought DoT was impossible?

Edit:
Here it says
3 = Advanced Tools
but 3 stopps unbound....