Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[tomsk]

Sounds like a good use of resources, but as I don't run Diversion you will need to submit a pull-request if you want to allow 'unbound_manager' to accommodate the scenario.

Yes understood..... I can count the number of times i have used the fast switch feature on one hand and have never used the alternate blocking list personally .... it just occurred to to me that users on the main blocking list would having recursive dns requests done for them by unbound but users on the alternate list would be using what ever upstream DNS was configured. The server directive in the alternate dnsmasq.conf points at /tmp/resolv.dnsmasq.conf

/opt/share/diversion/.conf/alternate-bf.conf has this content:

 START FILE, --- lines are not part of file
 ---------------------------------------------------
 ### DO NOT EDIT THIS FILE ###
 
 pid-file=/var/run/alternate_bf_dnsmasq.pid
 user=nobody
 bind-dynamic
 interface=br0
 no-dhcp-interface=pptp*
 listen-address=10.10.10.5
 localise-queries
 no-resolv
 dhcp-option=lan,3,10.10.10.1
 dhcp-authoritative
 servers-file=/tmp/resolv.dnsmasq
 
 # /jffs/configs/dnsmasq.conf.add directives #
 
 
 # start of Diversion directives #
 ptr-record=3.10.10.10.in-addr.arpa,10.10.10.3
 addn-hosts=/opt/share/diversion/list/blacklist
 addn-hosts=/opt/share/diversion/list/blockinglist_fs
 log-async
 log-queries
 log-facility=/opt/var/log/dnsmasq.log3
 # end of Diversion directives #
 ---------------------------------------------------
 END FILE

/tmp/resolv.dnsmasq shows

nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 127.0.1.1

Doing a pull request would draw on several skills i currently don't possess ( and some i'm very unlikely to ) ...but i'm never one to shy away... so ill have a go, learning along the way, but don't hold your breath

 

[heysoundude]

Uh, could someone tell me what to do here, please? I just checked for updates in amt and hit u and bazinga, something's not right or broken.
I'm not sure where to issue these commands - inside unbound, inside amtm, or ???

 

[martinr]

I keep reading this over and over to see if I can detect sarcasm.

Video below for those interested and to make it related to forum, play it on youtube and see if it blocks ads.

Thanks. The good news: no YT ads; the bad news: not my cup of tea, at all.

 

[tomsk]

Uh, could someone tell me what to do here, please? I just checked for updates in amt and hit u and bazinga, something's not right or broken.
I'm not sure where to issue these commands - inside unbound, inside amtm, or ???

View attachment 23610

the vx or rl commands you type at the unbound manager prompt ... the unbound -dv command you have to exit the menu and type at the command prompt.
The config file is probably ok ... somehow there doesn't seem to have been an adservers file created by the adblocking script.

you could try creating an empty folder and try again

touch /opt/var/lib/unbound/adblock/adservers

 

[heysoundude]

the vx or rl commands you type at the unbound manager prompt ... the unbound -dv command you have to exit the menu and type at the command prompt.
The config file is probably ok ... somehow there doesn't seem to have been an adservers file created by the adblocking script.

you could try creating an empty folder and try again

touch /opt/var/lib/unbound/adblock/adservers

Thank YOU! That worked.


Sent from my iPhone using Tapatalk

 

[Martineau]

I just checked for updates in amt and hit u and bazinga, something's not right or broken.

Updating the 'unbound_manager' script should not affect the contents of 'unbound.conf', i.e. no files are ever deleted.

I'm not sure where to issue these commands - inside unbound, inside amtm, or ???

So 'unbound.conf' cannot find the external Ad Block related file.

Several recovery options are available:

Temporary emergency hack...Create an empty missing file and stop/start unbound (EDIT: Thanks @tomsk)
or
use either of the 'unbound_manager' 'vx' or 'rl' commands

i.e.

rl reset

or
manually EDIT 'unbound.conf' and comment out the line that refers to the missing file.

vx

or
'e' exit unbound_manager, then issue the command

unbound_manager -h

unbound_manager recovery

However, the question remains, do you expect to use unbound+Ad Block?, if true, did you check Syslog to see if the daily update job failed when it attempted to refresh the file's contents and possibly deleted it in error?

NOTE: An empty Ad block isn't going to block many Ads is it?

If you do expect to use unbound Ad Blocking then I suggest you recreate the file using the script.

/opt/var/lib/unbound/adblock/gen_adblock.sh

 

[heysoundude]

Updating the 'unbound_manager' script should not affect the contents of 'unbound.conf', i.e. no files are ever deleted.

So 'unbound.conf' cannot find the external Ad Block related file.

Several recovery options are available:

Temporary emergency hack...Create an empty missing file and stop/start unbound (EDIT: Thanks @tomsk)
or
use either of the 'unbound_manager' 'vx' or 'rl' commands

i.e.

rl reset

or
manually EDIT 'unbound.conf' and comment out the line that refers to the missing file.

vx

or
'e' exit unbound_manager, then issue the command

unbound_manager -h

unbound_manager recovery

However, the question remains, do you expect to use unbound+Ad Block?, if true, did you check Syslog to see if the daily update job failed when it attempted to refresh the file's contents and possibly deleted it in error?

NOTE: An empty Ad block isn't going to block many Ads is it?

If you do expect to use unbound Ad Blocking then I suggest you recreate the file using the script.

/opt/var/lib/unbound/adblock/gen_adblock.sh

I see what's happening: in turning on logging from the update (Option 1), i also turn on unbound's blocking IN ADDITION TO LOGGING.
If I turn it off by pressing 5, do I still populate the GUI graphs? (mmm, pretty pictures...)

 

[Martineau]

I see what's happening: in turning on logging from the update (Option 1), i also turn on unbound's blocking IN ADDITION TO LOGGING.
If I turn it off by pressing 5, do I still populate the GUI graphs? (mmm, pretty pictures...)

Installing/Uninstalling simply uncomments/comments the directive in 'unbound.conf'

At no point does the script explicitly delete the file.

I can only assume that there are no messages in Syslog,

grep "Number of adblocked hosts" /tmp/syslog.log

/opt/var/lib/unbound/adblock/gen_adblock.sh

grep "Number of adblocked hosts" /tmp/syslog.log

 

[TCoreX]

Hello, I have the following problem with the entware server, how can I start it permanently? what am I doing wrong? unfortunately my ads are not blocked, despite successful installation Please help

 

[Slawek P]

@Slawek P

I've uploaded v3.15b beta to GitHub dev branch.

If you have time could you please test it to see if it correctly migrates your '/etc /hosts' to unbound format 'opt/share/unbound/configs/unbound.conf'.

e  = Exit Script [?]

A:Option ==> dnsmasq disable

    If you currently use or rely on dnsmasq features such as Diversion/x3mRouting etc., then re-consider.

    Do you still want to DISABLE dnsmasq?

    Reply 'y' or press [Enter]  to skip
y

13:31:16 Configuring unbound to be the primary DNS for ALL LAN Clients.....


13:31:16 Converting '/etc /hosts.dnsmasq' local hosts to 'unbound'.....
13:31:20 Converting '/etc /hosts' local hosts to 'unbound'.....

13:31:21 Converting dnsmasq 'address=/' and 'server=/' directives to 'unbound'.....

<snip>

Real work took me of off the SNB grid for a few days, need to catch up, so many new posts.

Unbound 3.15 appears now released, so I will give it a thorough test tomorrow to see if my hosts and hosts.dnsmasq migrate correctly, and shall report back. Let's see if it handles IPv6 entries and what is going to do with funny Asus names that according to different Merlin posts are very much needed. Presumably this also takes care of /jffs/configs/dnsmasq.conf.add - we shall see.... If not easy enough to fix manually.

Anyway, I had a little diversion from unbound blocking as my family prefers pixelserv to brutal cut off of advertisements unbound style. User experience (including look and page loading speed) very much depends on the browser - so I was quite happy with PC and Brave. But less so when using Chrome or latest Edge. iPhone / Samsung is another story...

So, just finished setting my Unbound without diversion using a separate pixelserv instance. Thanks to Martineau for magic awk command including dave14305 TTL suggestion! Have added a new pixelserv start-up script and cron entry. So tomorrow will try dnsmasq disable option.

 

[dave14305]

Hello, I have the following problem with the entware server, how can I start it permanently? what am I doing wrong? unfortunately my ads are not blocked, despite successful installation Please help

If you are referring to the Entware NTP server (your screenshots are small), I would not worry about it at all. It is an unnecessary prerequisite/warning for running Unbound in my experience.

 

[SomeWhereOverTheRainBow]

It could be months before OpenWRT/Entware makes it available. I decided to get "wild" (relative to my usual excitement level) and compiled unbound 1.10.1 from source on an idle Raspberry Pi. Super easy.

You could have just downloaded it from raspbian/bullseye debs if it is listed as available @dave14305 that is how I got version 1.10 on raspbian buster.

 

[dave14305]

You could have just downloaded it from raspbian/bullseye debs if it is listed as available @dave14305 that is how I got version 1.10 on raspbian buster.

I only saw 1.9.0 but I’m very new to Pi.

 

[SomeWhereOverTheRainBow]

Instructions if you want Raspbian bullseye version which is only 1.10.0-1

I only saw 1.9.0 but I’m very new to Pi.

root@raspberrypi:~# apt list unbound* -a
Listing... Done
unbound-anchor/unstable 1.10.1-1 armhf
unbound-anchor/testing,now 1.10.0-1 armhf [installed]
unbound-anchor/stable 1.9.0-2+deb10u1 armhf

unbound-host/unstable 1.10.1-1 armhf
unbound-host/testing,now 1.10.0-1 armhf [installed]
unbound-host/stable 1.9.0-2+deb10u1 armhf

unbound/unstable 1.10.1-1 armhf
unbound/testing,now 1.10.0-1 armhf [installed]
unbound/stable 1.9.0-2+deb10u1 armhf

Note you wont be able to see the list above until you add extensions below and run sudo apt update
OPTION 1

echo "deb http://raspbian.raspberrypi.org/raspbian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/bullseye.list
printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: unbound unbound-anchor unbound-host \nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/limit-bullseye
sudo apt update
sudo apt install unbound*/testing
or
sudo apt upgrade unbound*/testing

it is the 1.10.1 version is available with SID unstable. here is directions for it
OPTION2

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install unbound*/unstable
or
sudo apt upgrade unbound*/unstable

stop rasbpian from updating unbound after installing this way above

printf 'Package: unbound*\nPin: release *\nPin-Priority: -1\n' > /etc/apt/preferences.d/prevent-update
sudo apt update

root@raspberrypi:/etc/apt/preferences.d# sudo apt upgrade unbound*/unstable
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'unbound-host' for glob 'unbound*'
Note, selecting 'unbound' for glob 'unbound*'
Note, selecting 'unbound-anchor' for glob 'unbound*'
Selected version '1.10.1-1' (Debian:unstable [armhf]) for 'unbound'
Selected version '1.10.1-1' (Debian:unstable [armhf]) for 'unbound-anchor'
Selected version '1.10.1-1' (Debian:unstable [armhf]) for 'unbound-host'
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  bc
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
  bind9-host dnsutils libbind9-161 libdns-export1104 libdns1104 libirs161 libisc-export1100 libisc1100 libisccc161 libisccfg163 liblwres161 unbound
  unbound-anchor unbound-host
14 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Need to get 1,037 kB/5,611 kB of archives.
After this operation, 812 kB disk space will be freed.
Do you want to continue? [Y/n] Y
Get:1 http://deb.debian.org/debian unstable/main armhf unbound-anchor armhf 1.10.1-1 [157 kB]
Get:2 http://deb.debian.org/debian unstable/main armhf unbound armhf 1.10.1-1 [713 kB]
Get:3 http://deb.debian.org/debian unstable/main armhf unbound-host armhf 1.10.1-1 [167 kB]
Fetched 1,037 kB in 1s (741 kB/s)
Reading changelogs... Done

testing it out now...

root@raspberrypi:/etc/apt/preferences.d# unbound -V
Version 1.10.1

Configure line: --build=arm-linux-gnueabihf --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/arm-linux-gnueabihf --libexecdir=${prefix}/lib/arm-linux-gnueabihf --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib --disable-flto
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1d  10 Sep 2019
Linked modules: dns64 python subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Edited instructions for unstable, please adjust for proper parameters on blocking unstable.

 

[dave14305]

Instructions if you want Raspbian bullseye version which is only 1.10.0-1

root@raspberrypi:~# apt list unbound* -a
Listing... Done
unbound-anchor/unstable 1.10.1-1 armhf
unbound-anchor/testing,now 1.10.0-1 armhf [installed]
unbound-anchor/stable 1.9.0-2+deb10u1 armhf

unbound-host/unstable 1.10.1-1 armhf
unbound-host/testing,now 1.10.0-1 armhf [installed]
unbound-host/stable 1.9.0-2+deb10u1 armhf

unbound/unstable 1.10.1-1 armhf
unbound/testing,now 1.10.0-1 armhf [installed]
unbound/stable 1.9.0-2+deb10u1 armhf

Note you wont be able to see the list above until you add extensions below and run sudo apt update
OPTION 1

echo "deb http://raspbian.raspberrypi.org/raspbian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/bullseye.list
printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: unbound unbound-anchor unbound-host \nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/limit-bullseye
sudo apt update
sudo apt install unbound*/testing
or
sudo apt upgrade unbound*/testing

it is the 1.10.1 version is available with SID unstable. here is directions for it
OPTION2

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release n=unstable\nPin-Priority: -1\n\nPackage: unbound unbound-anchor unbound-host \nPin: release n=unstable\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install unbound*/unstable
or
sudo apt upgrade unbound*/unstable

stop rasbpian from updating unbound after installing this way above

printf 'Package: unbound*\nPin: release *\nPin-Priority: -1\n' > /etc/apt/preferences.d/prevent-update
sudo apt update

root@raspberrypi:/etc/apt/preferences.d# sudo apt upgrade unbound*/unstable
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'unbound-host' for glob 'unbound*'
Note, selecting 'unbound' for glob 'unbound*'
Note, selecting 'unbound-anchor' for glob 'unbound*'
Selected version '1.10.1-1' (Debian:unstable [armhf]) for 'unbound'
Selected version '1.10.1-1' (Debian:unstable [armhf]) for 'unbound-anchor'
Selected version '1.10.1-1' (Debian:unstable [armhf]) for 'unbound-host'
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  bc
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
  bind9-host dnsutils libbind9-161 libdns-export1104 libdns1104 libirs161 libisc-export1100 libisc1100 libisccc161 libisccfg163 liblwres161 unbound
  unbound-anchor unbound-host
14 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Need to get 1,037 kB/5,611 kB of archives.
After this operation, 812 kB disk space will be freed.
Do you want to continue? [Y/n] Y
Get:1 http://deb.debian.org/debian unstable/main armhf unbound-anchor armhf 1.10.1-1 [157 kB]
Get:2 http://deb.debian.org/debian unstable/main armhf unbound armhf 1.10.1-1 [713 kB]
Get:3 http://deb.debian.org/debian unstable/main armhf unbound-host armhf 1.10.1-1 [167 kB]
Fetched 1,037 kB in 1s (741 kB/s)
Reading changelogs... Done

testing it out now...

root@raspberrypi:/etc/apt/preferences.d# unbound -V
Version 1.10.1

Configure line: --build=arm-linux-gnueabihf --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/arm-linux-gnueabihf --libexecdir=${prefix}/lib/arm-linux-gnueabihf --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib --disable-flto
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1d  10 Sep 2019
Linked modules: dns64 python subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Edited instructions for unstable, please adjust for proper parameters on blocking unstable.

Somehow I found it easier (and more empowering) to download and compile the source. I can add any options/modules I want now.

 

[SomeWhereOverTheRainBow]

Somehow I found it easier (and more empowering) to download and compile the source. I can add any options/modules I want now.

the problem with compiling is it places the files in strange locations that don't really match proper paths, (unless you used appropriate paths in the configure)

 

[AntonK]

Can I assume that, because I'm seeing that irritating "itsolar" battery pack Ad every time I watch a YouTube video over the past 4 days now, that my YouTube blocking is not working?

 

[heysoundude]

Installing/Uninstalling simply uncomments/comments the directive in 'unbound.conf'

At no point does the script explicitly delete the file.

I can only assume that there are no messages in Syslog,

grep "Number of adblocked hosts" /tmp/syslog.log

/opt/var/lib/unbound/adblock/gen_adblock.sh

grep "Number of adblocked hosts" /tmp/syslog.log

The first grep returned no results.
the second command returned "-sh: /opt/var/lib/unbound/adblock/gen_adblock.sh: not found"
the next grep also returned no results.

I take this to mean that unbound isn't blocking anything, which is fine since Diversion is working as usual.

 

[Slawek P]

Real work took me of off the SNB grid for a few days, need to catch up, so many new posts.

Unbound 3.15 appears now released, so I will give it a thorough test tomorrow to see if my hosts and hosts.dnsmasq migrate correctly, and shall report back. Let's see if it handles IPv6 entries and what is going to do with funny Asus names that according to different Merlin posts are very much needed. Presumably this also takes care of /jffs/configs/dnsmasq.conf.add - we shall see.... If not easy enough to fix manually.

Anyway, I had a little diversion from unbound blocking as my family prefers pixelserv to brutal cut off of advertisements unbound style. User experience (including look and page loading speed) very much depends on the browser - so I was quite happy with PC and Brave. But less so when using Chrome or latest Edge. iPhone / Samsung is another story...

So, just finished setting my Unbound without diversion using a separate pixelserv instance. Thanks to Martineau for magic awk command including dave14305 TTL suggestion! Have added a new pixelserv start-up script and cron entry. So tomorrow will try dnsmasq disable option.

Yes auto-conversion after "dnsmasq disable" is really good , but could benefit from further additional tweaks in all three areas. Over the weekend, I will try to find this script and suggest/test something, need to read unbound documentation. Enabled dnsmasq back for time being. In my case

• Hosts IPv6 records converted from - now prevent unbound_manager from starting
• Strange asus names like www.asusnetwork.net and router.asus.com ended up with extra suffix for my local domain
• address=/pixelserv/pixelserv.<homedomain>/<ip> from dnsmasq.conf.add did not quite convert either

 

[Martineau]

Yes auto-conversion after "dnsmasq disable" is really good , but could benefit from further additional tweaks in all three areas. Over the weekend, I will try to find this script and suggest/test something, need to read unbound documentation. Enabled dnsmasq back for time being. In my case

• Hosts IPv6 records converted from - now prevent unbound_manager from starting
• Strange asus names like www.asusnetwork.net and router.asus.com ended up with extra suffix for my local domain
• address=/pixelserv/pixelserv.<homedomain>/<ip> from dnsmasq.conf.add did not quite convert either

address=/pixelserv/pixelserv.<homedomain>/<ip> from dnsmasq.conf.add did not quite convert either

I have not written a complete equivalent parser for either the 'address=/' or 'server=/' dnsmasq directives, so lazily only 'expect' simple tripartite clauses.

Hosts IPv6 records converted from - now prevent unbound_manager from starting

Actually you meant to say 'unbound' rather than 'unbound_manager' - huge difference

I don't use IPv6 but for the purposes of generating say the 'forward-addr:' pair, then it's a simple text substitution of the static third column...not sure what your specific IPv6 unbound error message is?

Strange asus names like www.asusnetwork.net and router.asus.com ended up with extra suffix for my local domain

Yes, sadly stupidity on my part...shouldn't blindly copy'n'paste existing code and not actually review the output.
P.S. Use of 'tab' delimiters rather than 'spaces' in '/etc /hosts' will also cause unexpected output.