
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


Only took 100 days for anyone to notice that. If I had a $1,000,000...

You definitely won’t have a problem finding monkeys around here, then. But do you really want to fess up publicly to wanting one?


Sent from my iPhone using Tapatalk
 
On a side note, has anyone tested/quantified the actual negative performance impact of "log-queries:yes" and "log-replies:yes"?

I use the "scribe" integration from the unbound_manager script which uncomments both lines, however the NLnet unbound manual has an ominous warning for both: "Note that it takes time to print these lines which makes the server (significantly) slower." I've tried both commenting/uncommenting these two lines out of my unbound.conf but didn't really notice any difference in speed/responsiveness either way...

I'm happy to help test and report back the results, but I'd need some guidance from this group on the best way to do a true "apples to apples" test between the two configurations.

Edit #1: I'm especially curious now that verbosity defaults to 0 instead of 1
Edit #2: The Unbound UI tab has a section that requires "log-replies:yes" as well, which was the initial impetus for this question
 
I've updated v3.15b, so hopefully it should no longer attempt to migrate non-existent 'server=/' directives, but I personally hadn't noticed
Code:
address=/use-application-dns.net/
so I suspect the unbound directive currently generated for the above is also garbage but non fatal,

EDIT: see Mozilla Canary Domain
I suspect it should be converted to
Code:
local-zone: "use-application-dns.net" always_nxdomain

Yup that's to disable DoH on Firefox. Merlin gave us that tip early out to ensure browsers respect our DNS servers :)
So, might be good to check if unbound has DoH bypass enabled and if the record exists already....
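
The conversion discussed in the two posts above, sketched as an added example (not part of the original posts and not unbound_manager's own code). It goes beyond the single canary-domain case: mapping `address=/` entries that carry an IP to `redirect` zones and `server=/` entries to `forward-zone` clauses is an assumption of this example, and the function names and sample domains are constructed.

```shell
#!/bin/sh
# Added example (not unbound_manager's code). Reads dnsmasq lines on stdin and
# prints unbound.conf directives. $1 = existing unbound.conf (optional); zones
# already quoted there are skipped. Assumes targets are plain IPv4/IPv6 addresses.

sample_dnsmasq_lines() {            # constructed sample input
    printf '%s\n' 'address=/use-application-dns.net/' 'server=/' \
        'address=/a.example/b.example/192.0.2.1' 'server=/lan.example/192.0.2.53'
}

dnsmasq_to_unbound() {
    conf="${1:-/dev/null}"
    while IFS= read -r line; do
        case "$line" in
            address=/*|server=/*) ;;
            *) continue ;;                       # not a directive we migrate
        esac
        kind=${line%%=*}                         # 'address' or 'server'
        body=${line#*=/}                         # dom1/dom2/.../target
        case "$body" in */*) ;; *) continue ;; esac   # malformed, or bare 'server=/'
        target=${body##*/}                       # text after the last '/'
        domains=${body%/*}                       # dom1/dom2/...
        case "$target" in *"#"*) continue ;; esac     # '#' forms are out of scope here
        old_ifs=$IFS; IFS=/
        for dom in $domains; do
            IFS=$old_ifs
            [ -n "$dom" ] || continue
            # Record already present in unbound.conf? Then do not emit it twice.
            if grep -qF -- "\"$dom\"" "$conf" 2>/dev/null; then continue; fi
            if [ "$kind" = address ]; then
                case "$target" in
                    "")  printf 'local-zone: "%s" always_nxdomain\n' "$dom" ;;
                    *:*) printf 'local-zone: "%s" redirect\nlocal-data: "%s AAAA %s"\n' \
                             "$dom" "$dom" "$target" ;;
                    *)   printf 'local-zone: "%s" redirect\nlocal-data: "%s A %s"\n' \
                             "$dom" "$dom" "$target" ;;
                esac
            elif [ -n "$target" ]; then          # 'server=/dom/' has no upstream to forward to
                printf 'forward-zone:\n    name: "%s"\n    forward-addr: %s\n' "$dom" "$target"
            fi
        done
        IFS=$old_ifs
    done
}
```

The `local-zone`/`local-data` lines belong inside the `server:` clause of unbound.conf, while each `forward-zone:` is a clause of its own.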
 
You should leave a real DNS server in WAN DNS. Unbound_manager will take care of pointing dns to unbound behind the scenes. I’m afraid your router won’t boot properly with your current WAN DNS settings.

Do these count?
authoritativeNS.png

I suppose I should include the page that starts one down that rabbit hole: dns.he.net
I figure since I'm using their DDNS...
 
Count for what? That seems to be instructing you how to point your custom domain name to a new authoritative nameserver. Not related to defining a WAN DNS server for the router to use.

Like Magic 8 Ball often says, "Concentrate and ask again." ;)
 
Yup that's to disable DoH on Firefox. Merlin gave us that tip early out to ensure browsers respect our DNS servers :)
So, might be good to check if unbound has DoH bypass enabled and if the record exists already....
My surprise is because I don't use Firefox, nor do I reside in the USA.
 
Is there a way to create/add to an Ad Block whitelist via the AMTM-Unbound menu?
 
Is there a way to create/add to an Ad Block whitelist via the AMTM-Unbound menu?
Perhaps my question is, how do I switch to Advanced Mode after installing Unbound via AMTM under the default Easy Mode?
 
Perhaps my question is, how do I switch to Advanced Mode after installing Unbound via AMTM under the default Easy Mode?

See the links on the very first post (Easy and Advanced).


Sent from my iPhone using Tapatalk
 
On a side note, has anyone tested/quantified the actual negative performance impact of "log-queries:yes" and "log-replies:yes"?

I use the "scribe" integration from the unbound_manager script which uncomments both lines, however the NLnet unbound manual has an ominous warning for both: "Note that it takes time to print these lines which makes the server (significantly) slower." I've tried both commenting/uncommenting these two lines out of my unbound.conf but didn't really notice any difference in speed/responsiveness either way...

I'm happy to help test and report back the results, but I'd need some guidance from this group on the best way to do a true "apples to apples" test between the two configurations.

Edit #1: I'm especially curious now that verbosity defaults to 0 instead of 1
Edit #2: The Unbound UI tab has a section that requires "log-replies:yes" as well, which was the initial impetus for this question

Set your unbound.conf to below - adblock graphing only requires log-replies set to yes. If you have log-queries set to yes as well, then unbound.log grows very quickly and will slow your Router Web-GUI response times if you have scribe enabled

"log-queries:no"
"log-replies:yes"
"log-local-actions: yes"
 
I've uploaded v3.15

Version=3.15
Github md5=c7b58580c6cf85a3b070f248abadeea0

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' ** not required **

Code:
FIX:     '8 -Install YouTube Video Ad blocker' generates error 'Ad Block' related message if the install is actually ABORTed/declined
ADD::    'dnsmasq disable' bypass dnsmasq now migrates '/etc /hosts' and both 'dnsmasq.conf' 'server=/' and 'address=/' directives
ADD:     'dnsmasq' revert to Primary LAN DNS now reinstates Diversion if available
CHANGE:  'Easy' menu mode now visually separates (by column) optional features and colour codes them to enhance at-a-glance status.
Code:
1  = Update unbound files and configuration                     5  = Uninstall Ad and Tracker blocker (Ad Block)
2  = Remove unbound/unbound_manager                             6  = Uninstall Graphical Statistics GUI Add-on TAB
3  = Stop unbound                                               7  = Enable    DNS Firewall
4  = Show unbound statistics                                    8  = Uninstall YouTube Ad blocker

?  = About Configuration               
v  = View ('/opt/var/lib/unbound/'unbound.conf)
 
e  = Exit Script [?]

E:Option ==>
 
Unbound 1.10.1. was released.
Source: https://github.com/NLnetLabs/unbound/releases/tag/release-1.10.1

Changelog:
Code:
This release fixes CVE-2020-12662 and CVE-2020-12663.

Bug Fixes:
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
  query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
  used to make Unbound unresponsive.
 
Unbound 1.10.1. was released.
Source: https://github.com/NLnetLabs/unbound/releases/tag/release-1.10.1

Changelog:
Code:
This release fixes CVE-2020-12662 and CVE-2020-12663.

Bug Fixes:
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
  query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
  used to make Unbound unresponsive.
It could be months before OpenWRT/Entware makes it available. I decided to get "wild" (relative to my usual excitement level) and compiled unbound 1.10.1 from source on an idle Raspberry Pi. Super easy.
 
