Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[dave14305]

When you add a guest network dnsmasq.conf has the interface added to it

### Start of script-generated configuration for interface wl0.1 ###
interface=wl0.1
dhcp-range=wl0.1,10.10.11.2,10.10.11.254,255.255.255.0,43200s
dhcp-option=wl0.1,3,10.10.11.1
dhcp-option=wl0.1,6,10.10.10.1,1.1.1.1
### End of script-generated configuration for interface wl0.1 ###

so you need to make an additional interface statement for unbound. I guess you could grab the ip for conversion to unbound format with a grep from ifconfig?

wl0.1     Link encap:Ethernet  HWaddr AC:9E:17:7E:46:91
          inet addr:10.10.11.1  Bcast:10.10.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

interface: 10.10.11.1@53

And make sure an access-control: statement allows the CIDR of the guest network.

 

[Zastoff]

Currently its at 1.10.0.

Hopefully the unbound update with the fix will be available soon then (1.10.1.)

 

[Slawek P]

When you add a guest network dnsmasq.conf has the interface added to it

### Start of script-generated configuration for interface wl0.1 ###
interface=wl0.1
dhcp-range=wl0.1,10.10.11.2,10.10.11.254,255.255.255.0,43200s
dhcp-option=wl0.1,3,10.10.11.1
dhcp-option=wl0.1,6,10.10.10.1,1.1.1.1
### End of script-generated configuration for interface wl0.1 ###

so you need to make an additional interface statement for unbound. I guess you could grab the ip for conversion to unbound format with a grep from ifconfig?

wl0.1     Link encap:Ethernet  HWaddr AC:9E:17:7E:46:91
          inet addr:10.10.11.1  Bcast:10.10.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

interface: 10.10.11.1@53

Thanks, yes that easy indeed. No just a mapping to pixelserv..

 

[AntonK]

My settings when trying Unbound were the same as yours.
Worked fine.

Thank you!

 

[dave14305]

To further demonstrate my lack of a life, I was curious about the respip module and the urlhaus RPZ. Of the approximately 780 entries in it, only 134 of those are NOT in the pervasive StevenBlack hosts file. So it seems just another way to do ad-blocking, but using a more universal BIND-compatible format. Also interesting that abuse.ch provides the same list in hosts format at https://urlhaus.abuse.ch/api/

When there is overlap between ad-blocking local-zone and rpz, which takes priority? Use bepgroup.com.hk as an example.

Not trying to pee in anyone’s punch bowl, just wanting to further our collective understanding of unbound, starting with my own.

 

[Slawek P]

To further demonstrate my lack of a life, I was curious about the respip module and the urlhaus RPZ. Of the approximately 780 entries in it, only 134 of those are NOT in the pervasive StevenBlack hosts file. So it seems just another way to do ad-blocking, but using a more universal BIND-compatible format. Also interesting that abuse.ch provides the same list in hosts format at https://urlhaus.abuse.ch/api/

When there is overlap between ad-blocking local-zone and rpz, which takes priority? Use bepgroup.com.hk as an example.

Not trying to pee in anyone’s punch bowl, just wanting to further our collective understanding of unbound, starting with my own.

The second link does not work for me. I could see benefit of this DNS firewall and switched it off, but happy to find out

 

[Slawek P]

I noticed this coming from Apple watch after latest update. I noticed this question was posted twice in 2019 on other Merlin threads, but nobody answered. Any hints what tools to use to trouble shoot. It may well be apple after WatchOS upgrade
May 24 09:29:28 asus kernel: 00:01:02:03:04:05 not mesh client, can't update it's ip
May 24 09:29:28 asus kernel: 00:01:02:03:04:05 already exist in UDB, can't add it

 

[Slawek P]

Running unbound in dnsmasq disabled and I observed that occasionally it does not start after the router reboot. Subsequent unbound_manager restart gives it a kick.
I could not see anything obvious in the logs, perhaps sequence of events...
Reverted a few recent changes just in case.

 

[Martineau]

I've uploaded v3.16

Version=3.16
Github md5=4f8cfe846cd233adf7252e2cc693da40​

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' ** not required **

CHANGE:  Main focus is on using the 'dnsmasq disable' command aka dnsmasq bypass feature - namely the conversion of dnsmasq directives to unbound format.
         (For most this upgrade will be transparent if the feature is not ENABLED)
CHANGE:  Enhance diagnostics if unbound doesn't start say following a reboot.
CHANGE:  'Disable Firefox DoH' is no longer a user option/prompt during the install. Instead the setting is applied based on the firmware's 'DNS Privacy' GUI setting.
ADD:     'Advanced' menu 'DisableFirefoxDoH [yes | no]' command to manually complement the above change in the installation implementation @ Slawek P

 

[Amwjujo]

Is it just me or the script asks you twice if you want to disable Firefox DoH?
Also, not sure it was discussed before: The checks list keeps warning me to use local DNS as system resolver. I did changed that option in the router setting - rebooted the router as well - but keeps saying that. Any ideas?
Thank you.

Edit: After the minor update it doesn't ask anymore.
Still have the warning about Local DNS system resolver

 

[heysoundude]

FYI [mention]thelonelycoder [/mention]- amtm didn’t recognize that I updated unbound when I checked for other script updates; running the update routine again corrected the version number/update checker


Sent from my iPhone using Tapatalk

 

[tomsk]

I've uploaded v3.16

Version=3.16
Github md5=0db4216e1933569a68f2cd26c8079e09​

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' ** not required **

CHANGE:  Main focus is on using the 'dnsmasq disable' command aka dnsmasq bypass feature - namely the conversion of dnsmasq directives to unbound format.
         (For most this upgrade will be transparent if the feature is not ENABLED)
CHANGE:  Enhance diagnostics if unbound doesn't start say following a reboot.
CHANGE:  'Disable Firefox DoH' is no longer a user option/prompt during the install. Instead the setting is applied based on the firmware's 'DNS Privacy' GUI setting.
ADD:     'Advanced' menu 'DisableFirefoxDoH [yes | no]' command to manually complement the above change in the installation implementation @ Slawek P

I saw several commits on the dev branch so i know you have been working hard on this... everything seems to be working as planned.
Thinking back to @dave14305 comments about the access-control statements for the CIDR range, there is a set of statements built in covering the reserved ip ranges

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow         # v1.10 Martineau  Fix CIDR 16->12
access-control: 192.168.0.0/16 allow        # v1.10 @dave14305 Fix CIDR 24->16

but you also code in an overwrite of the routers lan range

access-control: 10.10.10.1/24 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed

so does this access-control statement override the wider allowed range in the earlier statement, and do i need access-control statements for the subnets added added by the guest wireless?

# Replicate dnsmasq 'interface=' directives

server:
interface: 10.10.11.1        # wl0.1
interface: 10.11.12.1        # wl1.1

On the Firefox DoH blocker... i can see the script commenting and uncommenting the include statement in the unbound.conf but the local-zone: "use-application-dns.net." always_nxdomain statement in the unbound.localhosts.conf seems unscathed.... so wont DoH always be disabled irrespective if it was enabled in the GUI?

 

[Martineau]

Is it just me or the script asks you twice if you want to disable Firefox DoH?
Also, not sure it was discussed before: The checks list keeps warning me to use local DNS as system resolver. I did changed that option in the router setting - rebooted the router as well - but keeps saying that. Any ideas?
Thank you.

Edit: After the minor update it doesn't ask anymore.
Still have the warning about Local DNS system resolver

Yes, the latest Hotfix should have fixed the duplicate prompt, but bizarrely I cannot explain why the function 'Option_Disable_Firefox_DoH()' could ever be called twice!!

Still have the warning about Local DNS system resolver

Sorry, I can't replicate this.

So without rebooting, does the alert still appear, or does the alert only reappear after a reboot?

 

[dave14305]

Yes, the latest Hotfix should have fixed the duplicate prompt, but bizarrely I cannot explain why the function 'Option_Disable_Firefox_DoH()' could ever be called twice!!

If the first call to Option_Disable_Firefox_DoH returned a non-zero return code, the || would cause it to run the second time perhaps? Using && and || can be unpredictable if the && statement might “fail”.

 

[rgnldo]

Option_Disable_Firefox_DoH

I am implementing the attempt to bypass the DNS which ignores this option.

When there is overlap between ad-blocking local-zone and rpz, which takes priority? Use bepgroup.com.hk as an example.

He had checked. However, this option is very efficient in Suricata, which avoids DNS bypass
I'm managing to block ads on youtube free account with the lists from mypdns.org using cname

 

[Martineau]

On the Firefox DoH blocker... i can see the script commenting and uncommenting the include statement in the unbound.conf but the local-zone: "use-application-dns.net." always_nxdomain statement in the unbound.localhosts.conf seems unscathed.... so wont DoH always be disabled irrespective if it was enabled in the GUI?

The rewrite is supposed to now honour the GUI setting, so during the initial unbound install, or using the bypass dnsmasq feature, 'unbound.conf' should always reflect the GUI DNS Privacy setting.

However there is nothing to prevent the user from then changing his mind and alter the GUI setting, but now the 'unbound.conf' contents relating to the Disable Firefox DoH GUI setting will now be incorrect.

Hence now there is the new 'Advanced' menu 'DisableFirefoxDoH [yes | no] command, ….this may encourage making the change always within 'unbound_manager'

Do i need access-control statements for the subnets added added by the guest wireless?

….Thinking back to @dave14305 comments about the access-control statements for the CIDR range, there is a set of statements built in covering the reserved ip ranges

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow         # v1.10 Martineau  Fix CIDR 16->12
access-control: 192.168.0.0/16 allow        # v1.10 @dave14305 Fix CIDR 24->16

No, in your case as you use the 10.xxx.xxx.xxx range then your Guest Wireless should already be covered by the static default access-control directives.

but you also code in an overwrite of the routers lan range

No I don't.

i.e. rather than enforce everyone to upgrade to unbound.conf' v1.10, I wanted to save everyone the hassle and quietly correct the default CIDR range typo for those expecting to use the standard access-control 192.168.xxx.xxx range.

 

[Martineau]

If the first call to Option_Disable_Firefox_DoH returned a non-zero return code, the || would cause it to run the second time perhaps? Using && and || can be unpredictable if the && statement might “fail”.

So are saying an intended binary 'if-then-else' statement using shorthand notation

e.g.

[ condition ] && echo "True" || echo "False"

could conceivably result in both echo commands being executed with two lines being printed

True
False

if the statement "echo True" fails ?

i.e. the only reliable method is for me to revert to the unambiguous longhand clause

if [ condition ];then
   echo "True"
else
   echo "False"
fi

 

[Slawek P]

So are saying an intended binary 'if-then-else' statement using shorthand notation

e.g.

[ condition ] && echo "True" || echo "False"

could conceivably result in both echo commands being executed with two lines being printed

True
False

if the statement "echo True" fails ?

i.e. the only reliable method is for me to revert to the unambiguous longhand clause

if [ condition ];then
   echo "True"
else
   echo "False"
fi

Schrödinger's cat

 

[Amwjujo]

Sorry, I can't replicate this.

So without rebooting, does the alert still appear, or does the alert only reappear after a reboot?[/QUOTE]
Yeah. I tick the option on the router and before and after reboot o have the same outcome... outbound says is not enabled. Tried already on all 3 routers that I have ...

 

[Slawek P]

I am implementing the attempt to bypass the DNS which ignores this option.

He had checked. However, this option is very efficient in Suricata, which avoids DNS bypass
I'm managing to block ads on youtube free account with the lists from mypdns.org using cname

Hi, I have seen that Suricata have been your next pet project. Would you care to share more details?