Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Slawek P]

I've uploaded a revised version of v3.16b2 on GitHub dev.

It doesn't cater for all possible dnsmasq syntax, but hopefully it should now work for your use case? (famous last words )

Great. Does it also fix ?

forward-zone:
       name: "127.0.0.1#53535"
       forward-addr:
       forward-first: yes

I think this somehow contributed to the fact that I could not easily enable back dnsmasq...

I am quite happy that I have got 3.15 now stable, but I will test host conversion, just a bit later.

 

[Martineau]

Great. Does it also fix ?

forward-zone:
       name: "127.0.0.1#53535"
       forward-addr:
       forward-first: yes

I think this somehow contributed to the fact that I could not easily enable back dnsmasq…

Yes, hopefully - as it doesn't make any sense to convert it....

I am quite happy that I have got 3.15 now stable, but I will test host conversion, just a bit later.

I completely understand and I suggest you fully enjoy your now stable environment rather than test my shoddy coding.

Many thanks for your helpful feedback and patience!

 

[TCoreX]

Your unbound log shows successfully blocked domains.

However, there is at least one device on your LAN that is repeatedly hammering a couple of blocked domains...

e.g. 'secure-eu.imrworldwide.com'

e  = Exit Script [?]

A:Option ==> dig http://secure-eu.imrworldwide.com

; <<>> DiG 9.14.8 <<>> txt http://secure-eu.imrworldwide.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18824
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;http://secure-eu.imrworldwide.com. IN TXT
;; AUTHORITY SECTION:
imrworldwide.com. 3600 IN SOA dns1.p03.nsone.net. hostmaster.nsone.net. 1590087427 300 300 3600 3600
;; Query time: 55 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 22 13:38:56 UTC 2020
;; MSG SIZE  rcvd: 127

; <<>> DiG 9.14.8 <<>> http://secure-eu.imrworldwide.com @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10120
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;http://secure-eu.imrworldwide.com. IN A
;; AUTHORITY SECTION:
imrworldwide.com. 3600 IN SOA dns1.p03.nsone.net. hostmaster.nsone.net. 1590087427 300 300 3600 3600
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 22 13:38:56 UTC 2020
;; MSG SIZE  rcvd: 127

and will now not open in a browser.

It all depends on which URL you are getting ads.
NOTE: SNB Forums is exempted from Ad Blocking as a courtesy.

what I found out is that amazon fire TV wants to reach this address all the time

It is clear to me that the forum is excluded, but other sites sometimes display advertisements and not. But if you say he works, it's good. Ads appear on YouTube TV or does this block only count to the YouTube web browser? thank you

 

[Martineau]

what I found out is that amazon fire TV wants to reach this address all the time

It is clear to me that the forum is excluded, but other sites sometimes display advertisements and not. But if you say he works, it's good. Ads appear on YouTube TV or does this block only count to the YouTube web browser? thank you

Unfortunately there is not a "one-size-fits-all" solution to the problem of ensuring the 'Blacklist/Whitelist' combo is invariably perfect.

Advertisers are extremely adept in deploying ingenious methods to circumvent Ad Blocking, hence 'free' tools are inevitably always playing catch-up - so too are the paid for subscriptions - to a lesser degree as they can deploy smarter (that's why users handover their hard-earned cash isn't it? ) methods to detect the Ads.

 

[TCoreX]

Ok, I understand you Thank you

 

[heysoundude]

Yes, by default I configure unbound to always report SERVFAILs (blame @dave14305 ) so there is an issue with 'ctldl.windowsupdate.com' but not sure what it means

I downgraded to 3.15 master, changed to AAAA for IPv6 records, corrected still mistranslated pixelserv dns entries and have unbound with dnsmasq disabled for both LAN and server use. Happy days.

Will investigate some of how to have nicers stats over the weekend...
https://nlnetlabs.nl/documentation/unbound/howto-statistics/

Nicer stats - Here's how using unbound has affected my internet connection: I called the pic smooooth for a reason; speed variations have gotten narrower.

needless to say, I'm very much looking forward to an upcoming release from @RMerlin with Asus' improved QoS. (assuming that can smooth it out even more over what I have going on now...)

and to get back to the cache hit % discussion - I've got my unbound configured for 2 threads, one for each of the 2 processor cores in my AC86u. If the graphing in the unbound GUI can be equated with just how hard my router is working, It's one seriously capable machine

 

[Slawek P]

Nicer stats - Here's how using unbound has affected my internet connection: I called the pic smooooth for a reason; speed variations have gotten narrower.

I was not that lucky - have a look how unbound badly impacted my download speeds...

It is actually between modem and ISP, so can't blame unbound really.
My ISP (Zen) decide to penalise me for not accessing DNS and throttle my connection..
The truth is I have no idea, emailed their support, but no sensible response. Perhaps my fibre modem got spooked and reduced my connection speed, but it has been fine for years.
And apologies for diversion from the main forum topic.

 

[Slawek P]

Yes, hopefully - as it doesn't make any sense to convert it....

View attachment 23636


I completely understand and I suggest you fully enjoy your now stable environment rather than test my shoddy coding.

Many thanks for your helpful feedback and patience!

I will give it a over the weekend, to many evenings burned on my Asus router already.
We can't keep this beta version forever, can we?

 

[Slawek P]

Not sure why ASUS decide to have .local suffixes defined in hosts in first place.
I am tempted to remove from my unbound.conf as it is a bit inconstant.
But maybe it will have side effects as router.asus.com in Mesh etc.

This will behave consistently when executed from my router and Windows command line

ping -4 myrouter.mydomain
ping -6 myrouter.mydomain
ping -4 myrouter.local
ping -6 myrouter.local
ping -4 myrouter.
ping -6 myrouter.

But guess what happens if do instead

ping -4 myprinter.mydomain
ping -6 myprinter.mydomain
ping -4 myprinter.local
ping -6 myprinter.local
ping -4 myprinter.
ping -6 myprinter.

Well on my Windows workstation on the LAN all of them work perfectly.
So it must be bypassing my router's unbound - need to double check network traffic.
While on router, only the first cmd works because unbound_manager converting hosts.dnsmasq only created just myprinter.mydomain IPv4 entry. Pretty sure dnsmasq was able to cope with skipped domain and generate IPv6 response too (not sure what issues prevent DNS64 from unbound.conf - read threads, but no real evidence).

EDIT:
Tested the latter section on with dnsmasq enabled and the extra one that works on the router is
ping -4 myprinter. Not sure why with unbound takign care of DNS it does not.

PS. Why do not we have Merlin IPv6 thread (we have one for static IPv6)?

 

[heysoundude]

View attachment 23642
It is actually between modem and ISP, so can't blame unbound really.
<snip>
Perhaps my fibre modem got spooked and reduced my connection speed, but it has been fine for years.

Can I surmise that the package you pay for from your ISP is for speeds of 75-80/20?
Is it possible to bridge your “modem” so that it functions as a true gateway? The way I got (slightly above) my promised speeds was to do that - get all the stuff in the “modem” firmware out of the way so it just translated my network-speak to the bare bones of what the WAN needs.
For me, it was more a matter of how to deal with the ISP’s tech support person on the other end of the phone line to get them to do what I needed on their end so I could get what I wanted on my end of the line without making them feel inferior or undertrained.


Sent from my iPhone using Tapatalk

 

[heysoundude]

Why do not we have Merlin IPv6 thread?

Please go to www.he.net and register and dive into their IPv6 “Certification” training course. The 2hrs I spent there completing 2 levels have proven invaluable. It’s free! And gives you knowledge and tools to help you sort some of this out, with luck. (You May need level 3...)
EDIT: 2hrs levelling up and applying it to my network, to be clear.
Also, thanks for the likes, folks!

Sent from my iPhone using Tapatalk

 

[AntonK]

Hi,

I am not fluent in networking, as you can tell. Nevertheless, I've been using Unbound for a bit according to the setup instructions. If I enable IPV6 with the settings as you see attached, are they correct? The 2 ipv6 ip's are Quad9.

Thanks.

 

[Slawek P]

Yes, hopefully - as it doesn't make any sense to convert it....

View attachment 23636


I completely understand and I suggest you fully enjoy your now stable environment rather than test my shoddy coding.

Many thanks for your helpful feedback and patience!

Just tested latest beta and the good news is nothing fails when disabling dnsmasq and enabling it back - no more red errors reported by unbound or unbound-checkconf. Other observations below.

• Further plus side is the forward clause relating to unbound setup has disappeared.
• Wrt IPv6 records, they do are no longer auto-generated - I will keep my previous version with AAAA
• I noticed new behaviour in the conversion - some of my LAN clients now appear twice, I understand underlying reason, but not sure where unbound_manager picks that up. Basically all clients have lowercase naming on the static list on my router and in etc, but on device settings some have mixed case. And those started appearing twice in unbound.conf.localhosts - with lowercase and mixedcase.
• dnsmasq disable changes behaviour of ping -4 on the roturer cmd line to any client without my lan domain specified - with dnsmasq it works, once dnsmasq is off it does not

One more separate thing, which I personally find a bit annoying, is the lack of ability to easily disable Firefox DoH block. I can comment it out in unbound.conf #/opt/var/lib/unbound/adblock/firefox_DOH, but it still remains in dnsmasq.conf and therefore migrates to unbound.conf.localhosts

 

[Zastoff]

Came across this:
https://www.reddit.com/r/dnscrypt/comments/gncd29/nxnsattack/
Dont know what version of unbound the script installs

 

[Treadler]

Hi,

I am not fluent in networking, as you can tell. Nevertheless, I've been using Unbound for a bit according to the setup instructions. If I enable IPV6 with the settings as you see attached, are they correct? The 2 ipv6 ip's are Quad9.

View attachment 23650
Thanks.

My settings when trying Unbound were the same as yours.
Worked fine.

 

[Centrifuge]

Came across this:
https://www.reddit.com/r/dnscrypt/comments/gncd29/nxnsattack/
Dont know what version of unbound the script installs

Currently its at 1.10.0.

 

[tomsk]

One more separate thing, which I personally find a bit annoying, is the lack of ability to easily disable Firefox DoH block. I can comment it out in unbound.conf #/opt/var/lib/unbound/adblock/firefox_DOH, but it still remains in dnsmasq.conf and therefore migrates to unbound.conf.localhosts

If you turn off the "prevent client auto DoH" in the WAN internet connection tab in the GUI, then it wont appear in the dnsmasq.conf and therefore wont migrate.

 

[Slawek P]

If you turn off the "prevent client auto DoH" in the WAN internet connection tab in the GUI, then it wont appear in the dnsmasq.conf and therefore wont migrate.

Thanks, a flick from from Auto to No - did the trick.

 

[Slawek P]

Next puzzle...
So, I am running now unbound for DNS and now left dnsmasq for DHCP only. However, I setup YazFi, so it enforces the use of local DNS and that worked with dnsmasq enabled just fine.
But in the new setup it does not work anymore. Temporarily I switched the guest network to quad recursive DNS, but I need some extra magic lines for unbound.conf to make guest network work with unbound.
There's a bonus question too, what do with pixelserv redirection as its IP is in the main network.
I could of course enable guest network to see the main network (YazFi setting), but that's cheating and contradicts the point of guest network to an extent.

 

[tomsk]

Next puzzle...
So, I am running now unbound for DNS and now left dnsmasq for DHCP only. However, I setup YazFi, so it enforces the use of local DNS and that worked with dnsmasq enabled just fine.
But in the new setup it does not work anymore. Temporarily I switched the guest network to quad recursive DNS, but I need some extra magic lines for unbound.conf to make guest network work with unbound.

When you add a guest network dnsmasq.conf has the interface added to it

### Start of script-generated configuration for interface wl0.1 ###
interface=wl0.1
dhcp-range=wl0.1,10.10.11.2,10.10.11.254,255.255.255.0,43200s
dhcp-option=wl0.1,3,10.10.11.1
dhcp-option=wl0.1,6,10.10.10.1,1.1.1.1
### End of script-generated configuration for interface wl0.1 ###

so you need to make an additional interface statement for unbound. I guess you could grab the ip for conversion to unbound format with a grep from ifconfig?

wl0.1     Link encap:Ethernet  HWaddr AC:9E:17:7E:46:91
          inet addr:10.10.11.1  Bcast:10.10.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

interface: 10.10.11.1@53