Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

There is? How?
I thought DoT was impossible?
You end up configuring Unbound as a forwarder instead of a recursor. You can do forwarding DoT to public DoT servers, but not recursive DoT to authoritative nameservers.
 
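The point made in the reply above (Unbound can forward over DoT but not recurse over it) has a second half a practitioner should check: `forward-tls-upstream: yes` on its own only encrypts the hop, it does not verify who answered. Unbound authenticates the upstream only when a `tls-cert-bundle` (or `tls-system-cert: yes`) is configured and each `forward-addr` carries an `#authname` after the `@853` port. The helper below is an added example written for this page, not code from unbound_manager or the original poster: it emits an authenticated forward-zone and lints a config for TLS forwards that are left unauthenticated. The Quad9 addresses, the `weak.example` zone and the CA bundle path are illustrative; the `IP#AUTHNAME` argument format is this script's own convention.

```shell
#!/bin/sh
# Added example, not unbound_manager code. Emits an authenticated DoT
# forward-zone for unbound and lints unbound.conf text for TLS forwards
# that encrypt but never verify the upstream.

# dot_forward_zone NAME IP#AUTHNAME...   ("IP#AUTHNAME" is only this script's
# argument format; unbound's own syntax is forward-addr: IP@853#authname).
dot_forward_zone() {
    zone=$1; shift
    for up in "$@"; do
        case $up in
            *#*) ;;
            *) echo "dot_forward_zone: '$up' lacks #authname, refusing to emit an unauthenticated upstream" >&2; return 1 ;;
        esac
    done
    printf 'forward-zone:\n    name: "%s"\n    forward-tls-upstream: yes\n' "$zone"
    for up in "$@"; do
        printf '    forward-addr: %s@853#%s\n' "${up%%#*}" "${up#*#}"
    done
}

# lint_dot_forwarding: unbound.conf text on stdin, one finding per forward-zone
# on stdout. A global 'tls-upstream: yes' in the server clause is not considered.
lint_dot_forwarding() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]*tls-cert-bundle:/            { bundle = 1 }
    /^[[:space:]]*tls-system-cert:[[:space:]]*yes/ { bundle = 1 }
    /^forward-zone:/ { n++; inzone = 1; next }
    /^[^[:space:]]/  { inzone = 0 }            # any other top-level clause ends the zone
    inzone && $1 == "name:" { nm = $2; gsub(/"/, "", nm); name[n] = nm }
    inzone && $1 == "forward-tls-upstream:" && $2 == "yes" { tls[n] = 1 }
    inzone && $1 == "forward-addr:" { if (index($2, "#") > 0) authed[n]++; else unauth[n]++ }
    END {
        for (i = 1; i <= n; i++) {
            if (!tls[i]) { printf "INFO %s: forwards in cleartext (no forward-tls-upstream)\n", name[i]; continue }
            if (unauth[i] > 0)
                printf "WEAK %s: %d forward-addr without #authname (TLS without server authentication)\n", name[i], unauth[i]
            if (authed[i] > 0 && !bundle)
                printf "WEAK %s: authname set but no tls-cert-bundle/tls-system-cert, chain cannot be validated\n", name[i]
            if (unauth[i] == 0 && bundle)
                printf "OK   %s: authenticated DoT\n", name[i]
        }
    }'
}

# Demo on a constructed config: one authenticated zone, one opportunistic one.
demo_cfg=$(
    printf 'server:\n    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"\n'
    dot_forward_zone . 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
    printf 'forward-zone:\n    name: "weak.example"\n    forward-tls-upstream: yes\n    forward-addr: 1.1.1.1@853\n'
)
printf '%s\n' "$demo_cfg" | lint_dot_forwarding
```

Run the lint against `/opt/var/lib/unbound/unbound.conf` after any `forward-zone:` edit; an upstream flagged WEAK will still "work", which is exactly why the missing authentication goes unnoticed.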
I've uploaded v3.15

Version=3.15
Github md5=9a52be66b295224028ce282f7defd9bf

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' ** not required **

Code:
FIX:     '8 -Install YouTube Video Ad blocker' generates error 'Ad Block' related message if the install is actually ABORTed/declined
ADD:     'dnsmasq disable' bypass dnsmasq now migrates '/etc/hosts' and both 'dnsmasq.conf' 'server=/' and 'address=/' directives
ADD:     'dnsmasq' revert to Primary LAN DNS now reinstates Diversion if available
CHANGE:  'Easy' menu mode now visually separates (by column) optional features and colour codes them to enhance at-a-glance status.
Code:
1  = Update unbound files and configuration                     5  = Uninstall Ad and Tracker blocker (Ad Block)
2  = Remove unbound/unbound_manager                             6  = Uninstall Graphical Statistics GUI Add-on TAB
3  = Stop unbound                                               7  = Enable    DNS Firewall
4  = Show unbound statistics                                    8  = Uninstall YouTube Ad blocker

?  = About Configuration               
v  = View ('/opt/var/lib/unbound/'unbound.conf)
 
e  = Exit Script [?]

E:Option ==>
3.15 runs OK for me but I don't see the address=/use-application-dns.net/ converted to unbound format local-zone: "use-application-dns.net" always_nxdomain in unbound.conf.localhosts..... should it be there or would it be taken care of by
#include: /opt/var/lib/unbound/adblock/firefox_DOH if it is enabled?
 
You end up configuring Unbound as a forwarder instead of a recursor. You can do forwarding DoT to public DoT servers, but not recursive DoT to authoritative nameservers.
Ah, ok.
I thought I can use unbound as recursor and DoT.... *sad*
 
Ah, ok.
I thought I can use unbound as recursor and DoT.... *sad*

In dave's example above, yes you do send it as it's forwarding and therefore no recursion.

It seems you are in that thread as well (now closed), so we can consolidate, but this was being discussed by dave and co also.

Sidenote from there, DoH coming to unbound: https://github.com/NLnetLabs/unbound/commit/8dae5d9f81a179bdbb5fdcc730df4e8875f85cd2

Also seems you located something in this post: https://www.snbforums.com/threads/u...-caching-dns-server.58967/page-71#post-580717 and that talks about listening on 853 for DoT. Has anyone investigated a configuration using Unbound for DoT, like https://dnsprivacy.org/wiki/display/DP/Using+Unbound+as+a+DNS+Privacy+server

Seems like a Let's Encrypt cert would also work (as per the link)...Depending on how your certificate is issued you may need to add the intermediate certificate to your certificate file for clients to be able to validate. For example, if you use Let's Encrypt to create your certificate you will need to add the intermediate certificate (found in the /etc/letsencrypt/certs/000<N>_chain.pem file) to the cert file.
 
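For the server-side direction raised in the post above (Unbound itself listening on 853 for DoT clients), the two things that bite in practice are exactly the ones the quoted text mentions: a certificate file holding only the leaf, so clients cannot build the chain, and a private key that is readable by more than the unbound user. The script below is an added example written for this page, not code from unbound_manager or the linked wiki: it emits the listener stanza and checks the PEM files before Unbound is restarted. The key/chain paths and LAN subnet are illustrative, and the demo files contain fake PEM markers only, not real certificates.

```shell
#!/bin/sh
# Added example, not unbound_manager code: emit a DoT (port 853) listener
# stanza for unbound and sanity-check the certificate and key files it uses.
# Paths are illustrative; point them at wherever your ACME client writes.

# dot_server_stanza LISTEN_ADDR LAN_CIDR KEY_PEM CHAIN_PEM
# Unbound serves TLS only on interfaces whose port equals tls-port, and its
# default access-control refuses non-localhost clients, so the LAN is allowed.
dot_server_stanza() {
    printf 'server:\n'
    printf '    interface: %s@853\n    tls-port: 853\n' "$1"
    printf '    tls-service-key: "%s"\n    tls-service-pem: "%s"\n' "$3" "$4"
    printf '    access-control: %s allow\n' "$2"
}

# Number of PEM certificate blocks in a file. A leaf without its intermediate
# counts 1; clients without that intermediate cached then fail validation.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# True when the group/other permission bits from 'ls -l' are all clear.
key_mode_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    case $mode in ------) return 0 ;; *) return 1 ;; esac
}

# check_dot_files KEY_PEM CHAIN_PEM: print findings, return 1 if any.
check_dot_files() {
    rc=0
    n=$(pem_cert_count "$2" 2>/dev/null) || n=${n:-0}
    if [ "$n" -lt 2 ]; then
        echo "WARN $2: $n certificate(s); append the intermediate so clients can validate"
        rc=1
    fi
    if ! key_mode_is_private "$1"; then
        echo "WARN $1: private key readable by group/other"
        rc=1
    fi
    return $rc
}

# Demo with constructed files (fake PEM markers, not real certificates).
demo_dot_server() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'leaf' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'leaf' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'intermediate' '-----END CERTIFICATE-----' > "$d/fullchain.pem"
    : > "$d/key.pem"; chmod 600 "$d/key.pem"
    dot_server_stanza 0.0.0.0 192.168.1.0/24 "$d/key.pem" "$d/fullchain.pem"
    check_dot_files "$d/key.pem" "$d/cert.pem" || echo "leaf-only cert file rejected as expected"
    check_dot_files "$d/key.pem" "$d/fullchain.pem" && echo "full chain and key mode OK"
    rm -rf "$d"
}
demo_dot_server
```

Run `check_dot_files` from whatever hook renews the certificate, before `unbound-control reload`; a renewed leaf written without its chain passes `unbound-checkconf` and only fails on the clients.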
3.15 runs OK for me but I don't see the address=/use-application-dns.net/ converted to unbound format local-zone: "use-application-dns.net" always_nxdomain in unbound.conf.localhosts..... should it be there or would it be taken care of by
#include: /opt/var/lib/unbound/adblock/firefox_DOH if it is enabled?
Yes, the script will delete duplicates, i.e. the Firefox DoH directive should be there (if Prevent client auto DoH=Auto/Yes in GUI)….if I didn't immediately delete it! :oops::rolleyes:

v3.15 Hotfix commit

Many thanks.
 
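The exchange above is about the v3.15 'dnsmasq disable' migration: dnsmasq `server=/` and `address=/` directives plus `/etc/hosts` entries have to become unbound stanzas, and a zone already provided by another include (here the Firefox DoH canary) must not be emitted twice, because Unbound refuses to start on a duplicate `local-zone`. The converter below is an added example written for this page to show that mapping, not unbound_manager's own migration code. The sample dnsmasq and hosts lines are constructed; the `server=/zone/` form with no target (dnsmasq's "never forward") and the `#` wildcard are deliberately left unmapped.

```shell
#!/bin/sh
# Added example, not unbound_manager code: translate dnsmasq 'server=/' and
# 'address=/' directives and /etc/hosts entries into unbound.conf stanzas,
# emitting each zone once (unbound rejects a repeated local-zone name).

dnsmasq_to_unbound() {        # dnsmasq.conf lines on stdin -> unbound stanzas on stdout
    awk '
    function claim(zone) {                     # first definition of a zone wins
        if (zone in seen) return 0
        seen[zone] = 1; return 1
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^(server|address)=\// {
        key = $0;  sub(/=.*/, "", key)         # "server" or "address"
        rest = $0; sub(/^[^=]*=\//, "", rest)  # "zone[/zone...]/target"
        n = split(rest, f, "/")
        target = f[n]
        for (i = 1; i < n; i++) {
            zone = f[i]
            if (zone == "" || zone == "#" || !claim(zone)) continue  # "#" wildcard has no 1:1 form
            if (key == "server") {
                if (target == "" || target == "#") continue         # never-forward / default upstream
                sub(/#/, "@", target)                               # dnsmasq ip#port -> unbound ip@port
                printf "forward-zone:\n    name: \"%s\"\n    forward-addr: %s\n", zone, target
            } else if (target == "") {
                printf "local-zone: \"%s\" always_nxdomain\n", zone  # e.g. Firefox DoH canary
            } else {
                rr = index(target, ":") ? "AAAA" : "A"
                printf "local-zone: \"%s\" redirect\nlocal-data: \"%s %s %s\"\n", zone, zone, rr, target
            }
        }
    }'
}

hosts_to_unbound() {          # /etc/hosts lines on stdin -> local-data stanzas on stdout
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    $1 == "127.0.0.1" || $1 == "::1" { next }  # unbound answers localhost itself
    {
        rr = index($1, ":") ? "AAAA" : "A"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break               # trailing comment
            if (($i, rr) in seen) continue
            seen[$i, rr] = 1
            printf "local-data: \"%s. %s %s\"\n", $i, rr, $1
        }
    }'
}

# Constructed samples, not a real dnsmasq.conf or /etc/hosts.
SAMPLE_DNSMASQ='# constructed
address=/use-application-dns.net/
server=/corp.example/10.0.0.1#5353
address=/ads.example/0.0.0.0
address=/ads.example/0.0.0.0
address=/v6ads.example/::'
SAMPLE_HOSTS='# constructed
127.0.0.1 localhost
192.168.1.10 nas.lan nas # file server'

printf '%s\n' "$SAMPLE_DNSMASQ" | dnsmasq_to_unbound
printf '%s\n' "$SAMPLE_HOSTS"   | hosts_to_unbound
```

Feed the real files through it (`dnsmasq_to_unbound < /etc/dnsmasq.conf`) and run `unbound-checkconf` on the result before including it; the awk `seen` array dedups within one run only, so a zone that another included file already defines still has to be removed by hand.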
Update: Looks like all this is coming from Diversion; still looking into this.

Update (2): So with Diversion disabled the problems go away and NTP will start & unbound_manager starts working.

Update (3): Yep, it's Diversion; no idea how to fix.

I'm back, still having NTP problems, but the problem today is unbound_manager starts working at the same time; it's not, very odd

Code:
Standard Statistics
 --------------------------------------------------------

 Number of DNS queries: 0
 Number of queries that were successfully answered using cache lookup (ie. cache hit): 0
 Number of queries that needed recursive lookup (ie. cache miss): 0
 Number of queries dropped because request list was full: 0
 Average number of requests in list for recursive processing: 0

 Extended Statistics
 --------------------------------------------------------

 RRset cache usage in bytes: 33048
 Message cache usage in bytes: 33048

 Cache hit success percent: 0
 
I sent you a PM on 8 Feb congratulating you on your promotion. I know it’s not like getting a telegram from the Queen. :)
Of course, and I appreciated your thoughtfulness. I was referring to the song allusion ("a nice Chesterfield or an ottoman") from the Barenaked Ladies' song "If I Had a $1,000,000".
 
Nice touch..... looks like it's been there a few versions of the script but I never noticed it before... I tried opting not to install adblock during dnsmasq disable, but then added it separately later... was just checking to see if the script warned or offered to disable Diversion for you.

Code:
    [✔] Ad and Tracker Blocking (No. of Adblock domains=82611,Blocked Hosts=0,Whitelist=19, - Warning Diversion is also ACTIVE)
 
I'm back, still having NTP problems, but the problem today is unbound_manager starts working at the same time; it's not, very odd

Code:
Standard Statistics
 --------------------------------------------------------

 Number of DNS queries: 0
 Number of queries that were successfully answered using cache lookup (ie. cache hit): 0
 Number of queries that needed recursive lookup (ie. cache miss): 0
 Number of queries dropped because request list was full: 0
 Average number of requests in list for recursive processing: 0

 Extended Statistics
 --------------------------------------------------------

 RRset cache usage in bytes: 33048
 Message cache usage in bytes: 33048

 Cache hit success percent: 0
Not sure of the reason you have posted in this thread?

Your edited post previously contained excerpts from the 'unbound.log' that clearly showed the 5 successful unbound start-up messages with correct timestamps.

Basically, during the boot process, 'S61unbound' simply waits on the NTPD spinlock semaphore, which evidently eventually allows unbound to initialise.

EDIT: Ah I see you have withdrawn your tenuous accusation!:)
 
Sorry: never heard of it.
I keep reading this over and over to see if I can detect sarcasm. o_O

Video below for those interested and to make it related to forum, play it on youtube and see if it blocks ads. ;)

 
I keep reading this over and over to see if I can detect sarcasm. o_O

Video below for those interested and to make it related to forum, play it on youtube and see if it blocks ads. ;)


(Someone had to do it. Glad it wasn’t me. )
Have had the pleasure of working with half of the Ladies. They’re good folk.

Now put down the Dijon ketchup and get back to coding?

 
I'm trying to test "VPN show debug" and I keep seeing the message below (***ERROR Invalid argument 'show' VPN must be numeric '1-5' or 'disable') , any ideas what might be happening:


A:Option ==> vpn 1 debug

Do you want to route unbound requests through VPN Client '1' tunnel?
Reply 'y' or press [Enter] to skip
y
unbound requests via VPN Client 1 (10.14.15.6) tunnel ENABLED
01:46:58 Checking 'unbound.conf' for syntax errors.....
01:46:58 Saving unbound cache to '/opt/share/unbound/configs/cache.txt'
01:46:59 Requesting unbound (S61unbound) restart.....
Shutting down unbound... done.
Starting unbound... done.
01:47:00 Checking status, please wait.....
01:47:02 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-05-20 01:46:59)
01:47:02 unbound OK

Next step:

A:Option ==> vpn show debug

Do you want to route unbound requests through VPN Client 'show' tunnel?
Reply 'y' or press [Enter] to skip
y
***ERROR Invalid argument 'show' VPN must be numeric '1-5' or 'disable'
01:44:11 Checking 'unbound.conf' for syntax errors.....
01:44:11 Saving unbound cache to '/opt/share/unbound/configs/cache.txt'
01:44:11 Requesting unbound (S61unbound) restart.....
Shutting down unbound... done.
Starting unbound... done.
01:44:12 Checking status, please wait.....
01:44:14 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-05-20 01:44:11)
01:44:15 unbound OK

Update: Oops, guess I had the code flipped, should be "vpn debug show", so is the following normal?

A:Option ==> debug
'unbound.conf'
port: 53535 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535 # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
#interface: 127.0.0.1@53 # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

'/etc/dnsmasq.conf'
n/a
netstat LISTEN Ports
tcp 0 0 0.0.0.0 3394 0.0.0.0:* LISTEN 1507/u2ec
tcp 0 0 0.0.0.0 3702 0.0.0.0:* LISTEN 15332/wsdd2
tcp 0 0 0.0.0.0 5473 0.0.0.0:* LISTEN 1507/u2ec
tcp 0 0 0.0.0.0 7788 0.0.0.0:* LISTEN 1227/cfg_server
tcp 0 0 0.0.0.0 18017 0.0.0.0:* LISTEN 1045/wanduck
tcp 0 0 0.0.0.0 34390 0.0.0.0:* LISTEN 12584/miniupnpd
tcp 0 0 127.0.0.1 53 0.0.0.0:* LISTEN 25232/dnsmasq
tcp 0 0 127.0.0.1 80 0.0.0.0:* LISTEN 1151/httpd
tcp 0 0 127.0.0.1 953 0.0.0.0:* LISTEN 20140/unbound
tcp 0 0 127.0.0.1 8443 0.0.0.0:* LISTEN 1150/httpds
tcp 0 0 127.0.0.1 8888 0.0.0.0:* LISTEN 1182/vis-dcon
tcp 0 0 127.0.0.1 47753 0.0.0.0:* LISTEN 12556/mcpd
tcp 0 0 127.0.0.1 53535 0.0.0.0:* LISTEN 20140/unbound
tcp 0 0 127.0.0.1 55000 0.0.0.0:* LISTEN 1116/ceventd
tcp 0 0 192.168.1.1 22 0.0.0.0:* LISTEN 1085/dropbear
tcp 0 0 192.168.1.1 53 0.0.0.0:* LISTEN 25232/dnsmasq
tcp 0 0 192.168.1.1 80 0.0.0.0:* LISTEN 1151/httpd
tcp 0 0 192.168.1.6 80 0.0.0.0:* LISTEN 4430/pixelserv-tls
tcp 0 0 192.168.1.1 139 0.0.0.0:* LISTEN 15349/smbd
tcp 0 0 192.168.1.6 443 0.0.0.0:* LISTEN 4430/pixelserv-tls
tcp 0 0 192.168.1.1 445 0.0.0.0:* LISTEN 15349/smbd
tcp 0 0 192.168.1.1 515 0.0.0.0:* LISTEN 1508/lpd
tcp 0 0 192.168.1.1 3838 0.0.0.0:* LISTEN 1508/lpd
tcp 0 0 192.168.1.1 8443 0.0.0.0:* LISTEN 1150/httpds
tcp 0 0 192.168.1.1 9100 0.0.0.0:* LISTEN 1508/lpd
tcp 0 0 192.168.1.1 49152 0.0.0.0:* LISTEN 1100/hostapd
tcp 0 0 192.168.1.1 49152 0.0.0.0:* LISTEN 1103/hostapd
Warning unbound is running so 'unbound -dv' may show sockets already in use by unbound

[1589955313] unbound[1295:0] notice: Start of unbound 1.10.0.
May 20 02:15:13 unbound[1295:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953
May 20 02:15:13 unbound[1295:0] error: cannot open control interface 127.0.0.1 953
May 20 02:15:13 unbound[1295:0] fatal error: could not open ports
 
I'm trying to test "VPN show debug" and I keep seeing the message below (***ERROR Invalid argument 'show' VPN must be numeric '1-5' or 'disable') , any ideas what might be happening:

Next step:

Update: Oops, guess I had the code flipped, should be "vpn debug show", so is the following normal?

yes totally normal
unbound requests via VPN Client 1 (10.14.15.6) tunnel ENABLED
 
I noticed there was some activity in the Diversion thread regarding use of the alternate blocklist and the methodology to do this was to start a 2nd dnsmasq instance..... I'm not sure how many people actually take advantage of this but wouldn't unbound need to be configured to listen to that too (and presumably modify its related .conf file?)
 
I noticed there was some activity in the Diversion thread regarding use of the alternate blocklist and the methodology to do this was to start a 2nd dnsmasq instance..... I'm not sure how many people actually take advantage of this but wouldn't unbound need to be configured to listen to that too (and presumably modify its related .conf file?)
Sounds like a good use of resources, but as I don't run Diversion you will need to submit a pull-request if you want to allow 'unbound_manager' to accommodate the scenario.
 
