Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
- Thread starter Martineau
- Start date
Martineau
Part of the Furniture
@Kingp1n @JemTheWire
Yes, clearly my new code addition for checking if the Entware NTP Server version is installed is broken - but as I don't use it I'm not surprised.
Thanks for the feedback.
HardCat
Regular Contributor
First time install. All went well however I did get the following:
and using the built-in ntpd
Kudos @Martineau, I have been following this for a while and am pleased at how well it works. -Thank You once again..
Code:
Router Configuration recommended pre-reqs status:
[✔] Swapfile=1048572 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
/jffs/addons/unbound/unbound_manager.sh: line 2403: /opt/etc/init.d/S77ntpd: not found
[✔] Entware NTP server is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO
Code:
hardcat@RT-AX88U:/tmp/home/root# which ntpd
/usr/sbin/ntpdKudos @Martineau, I have been following this for a while and am pleased at how well it works. -Thank You once again..
bluepoint
Very Senior Member
Is the cpu/memory tweak reversible if one decide that he doesn't need it? It seems to be forced now with the upgrade not like before where you are asked. And another question please, how do I start from scratch, it seems uninstall unbound/unbound_manager doesn't work right now.I've uploaded v2.07
Fix: Analyse diversion 'ad' command for diversion lists...it failed if Ad Block isn't ENABLED! - doh!
Add: Allow variable name filter to be specifed on 's'/'sa' commands
e.g. ensure 's+' Enhanced Statistics is ENABLED; then 's thread' will cause 'thread*' variable stats to be also displayed.Change: The URLs displayed (to assist in setting the pre-reqs) will now honour HTTP/HTTPS and HTTP/HTTPS Custom Port @kfahoo
Change: amtm starts unbound_manger by default in 'easy' mode, if you prefer 'advanced' mode then issue 'adv' (or 'advanced') and unbound_manager (amtm) will 'remember' your preferred mode. @L&LD / @kernol
Change: The NTP Server pre-req will now accept either the native RMerlin NTP Server or the Entware NTP Server, but at least one must be ACTIVE.
Change: Easy mode still retains the two Install/Update options (1 & 2), but I have now decided the original SME brain-dead design should be changed, so option 2 will now only install logging and the simple Performance tweak, as they are now proven to work without fuss or drama.
Change: I have made the option Stubby-Integration refer to @dave14305's excellent synopsis of the need for Stubby-Integration.
i.e. a clickable link allows the user to read it and should
View attachment 21318
(Not sure if this redundant option should eventually be removed?)
At one point in time, many arguments ago, there used to be a check in S61unbound to verify NTP was synced (waiting 5 mins). Then a different time check and delay was moved to a separate S00netwait startup script. But I don't see that script being downloaded by the unbound_manager code, so it's more likely that Unbound could start before the clock is synced.
I've sent a pull request to @Jack Yaz to add an NTP check to S61unbound, which would wait for up to 60 seconds for NTP to sync before starting Unbound.
https://github.com/jackyaz/Unbound-Asuswrt-Merlin/pull/1
I've sent a pull request to @Jack Yaz to add an NTP check to S61unbound, which would wait for up to 60 seconds for NTP to sync before starting Unbound.
https://github.com/jackyaz/Unbound-Asuswrt-Merlin/pull/1
JemTheWire
Senior Member
Yep, sorted. Thanks.
Local ntpd: Yes.
Local ntpd: Yes.
Martineau
Part of the Furniture
Sorry, been busy hacking the v2.07 release but yes, unbound started 4 lines before the NTP sync'd message in Syslog, so it doesn't always happen.
Yes I do recall the rejection "conversations" that the time check/spin-loop was appropriate.
I think @SomeWhereOverTheRainBow also proposed some similar code for the 'dnsmasq.postconf' script?
Last edited:
Martineau
Part of the Furniture
Many thanks.
Treadler
Very Senior Member
My opinion is that Stubby integration is not recommended and not required for Unbound as a recursive resolver (its main purpose). If you want DoT, stick with dnsmasq and Stubby in the firmware. That's just my opinion, and your needs may be different than mine.
+1
If one has the amtm disk check script enabled, the internal NTP sync happens well before entware starts up. With my 86U, NTP starts 11 seconds into the boot, the time is synced 13 seconds into the boot, the disk check starts and finishes 2 second later, syslog-ng starts, and unbound starts 4 seconds after that.
I’ve got my prototype of a script to generate unbound.conf based on custom values stored in the new Addon API config file if they exist, like Martineau has done with the easy/advanced menu mode sticky setting.
Now I need to persuade @Martineau to create a menu driven configuration system, or @Jack Yaz to create a UI to populate these settings via the API. Or both.
Derived from OpenWRT UCI here (I prepended unbound_ for the custom API namespace): https://github.com/openwrt/packages/tree/master/net/unbound/files#complete-list-of-uci-options
Code:
UB_D_CONTROL=$(am_settings_get unbound_control); [ -z "$UB_D_CONTROL" ] && UB_D_CONTROL=1
UB_B_DNSSEC=$(am_settings_get unbound_validator); [ -z "$UB_B_DNSSEC" ] && UB_B_DNSSEC=1
UB_N_THREADS=$(am_settings_get unbound_num_threads); [ -z "$UB_N_THREADS" ] && UB_N_THREADS=1
UB_D_VERBOSE=$(am_settings_get unbound_verbosity); [ -z "$UB_D_VERBOSE" ] && UB_D_VERBOSE=1
UB_B_EXT_STATS=$(am_settings_get unbound_extended_stats); [ -z "$UB_B_EXT_STATS" ] && UB_B_EXT_STATS=1
UB_D_PROTOCOL=$(am_settings_get unbound_protocol); [ -z "$UB_D_PROTOCOL" ] && UB_D_PROTOCOL=ip4_only
UB_N_EDNS_SIZE=$(am_settings_get unbound_edns_size); [ -z "$UB_N_EDNS_SIZE" ] && UB_N_EDNS_SIZE=1280
UB_N_RX_PORT=$(am_settings_get unbound_listen_port); [ -z "$UB_N_RX_PORT" ] && UB_N_RX_PORT=53535
UB_D_RESOURCE=$(am_settings_get unbound_resource); [ -z "$UB_D_RESOURCE" ] && UB_D_RESOURCE=default
UB_B_DNS64=$(am_settings_get unbound_dns64); [ -z "$UB_B_DNS64" ] && UB_B_DNS64=0
UB_IP_DNS64=$(am_settings_get unbound_dns64_prefix); [ -z "$UB_IP_DNS64" ] && UB_IP_DNS64=64:ff9b::/96
UB_D_RECURSION=$(am_settings_get unbound_recursion); [ -z "$UB_D_RECURSION" ] && UB_D_RECURSION=passive
UB_B_QUERY_MIN=$(am_settings_get unbound_query_minimize); [ -z "$UB_B_QUERY_MIN" ] && UB_B_QUERY_MIN=1
UB_B_QRY_MINST=$(am_settings_get unbound_query_min_strict); [ -z "$UB_B_QRY_MINST" ] && UB_B_QRY_MINST=0
UB_B_HIDE_BIND=$(am_settings_get unbound_hide_binddata); [ -z "$UB_B_HIDE_BIND" ] && UB_B_HIDE_BIND=1
UB_TTL_MIN=$(am_settings_get unbound_ttl_min); [ -z "$UB_TTL_MIN" ] && UB_TTL_MIN=120
UB_D_PRIV_BLCK=$(am_settings_get unbound_rebind_protection); [ -z "$UB_D_PRIV_BLCK" ] && UB_D_PRIV_BLCK=1
UB_B_LOCL_BLCK=$(am_settings_get unbound_rebind_localhost); [ -z "$UB_B_LOCL_BLCK" ] && UB_B_LOCL_BLCK=1
UB_B_LOCL_SERV=$(am_settings_get unbound_localservice); [ -z "$UB_B_LOCL_SERV" ] && UB_B_LOCL_SERV=1
UB_LIST_INSECURE=$(am_settings_get unbound_domain_insecure)
UB_B_NTP_BOOT=$(am_settings_get unbound_validator_ntp); [ -z "$UB_B_NTP_BOOT" ] && UB_B_NTP_BOOT=1
kernol
Very Senior Member
I’ve got my prototype of a script to generate unbound.conf based on custom values stored in the new Addon API config file if they exist, like Martineau has done with the easy/advanced menu mode sticky setting.
Now I need to persuade @Martineau to create a menu driven configuration system, or @Jack Yaz to create a UI to populate these settings via the API. Or both.
Derived from OpenWRT UCI here (I prepended unbound_ for the custom API namespace): https://github.com/openwrt/packages/tree/master/net/unbound/files#complete-list-of-uci-options
Code:UB_D_CONTROL=$(am_settings_get unbound_control); [ -z "$UB_D_CONTROL" ] && UB_D_CONTROL=1 UB_B_DNSSEC=$(am_settings_get unbound_validator); [ -z "$UB_B_DNSSEC" ] && UB_B_DNSSEC=1 UB_N_THREADS=$(am_settings_get unbound_num_threads); [ -z "$UB_N_THREADS" ] && UB_N_THREADS=1 UB_D_VERBOSE=$(am_settings_get unbound_verbosity); [ -z "$UB_D_VERBOSE" ] && UB_D_VERBOSE=1 UB_B_EXT_STATS=$(am_settings_get unbound_extended_stats); [ -z "$UB_B_EXT_STATS" ] && UB_B_EXT_STATS=1 UB_D_PROTOCOL=$(am_settings_get unbound_protocol); [ -z "$UB_D_PROTOCOL" ] && UB_D_PROTOCOL=ip4_only UB_N_EDNS_SIZE=$(am_settings_get unbound_edns_size); [ -z "$UB_N_EDNS_SIZE" ] && UB_N_EDNS_SIZE=1280 UB_N_RX_PORT=$(am_settings_get unbound_listen_port); [ -z "$UB_N_RX_PORT" ] && UB_N_RX_PORT=53535 UB_D_RESOURCE=$(am_settings_get unbound_resource); [ -z "$UB_D_RESOURCE" ] && UB_D_RESOURCE=default UB_B_DNS64=$(am_settings_get unbound_dns64); [ -z "$UB_B_DNS64" ] && UB_B_DNS64=0 UB_IP_DNS64=$(am_settings_get unbound_dns64_prefix); [ -z "$UB_IP_DNS64" ] && UB_IP_DNS64=64:ff9b::/96 UB_D_RECURSION=$(am_settings_get unbound_recursion); [ -z "$UB_D_RECURSION" ] && UB_D_RECURSION=passive UB_B_QUERY_MIN=$(am_settings_get unbound_query_minimize); [ -z "$UB_B_QUERY_MIN" ] && UB_B_QUERY_MIN=1 UB_B_QRY_MINST=$(am_settings_get unbound_query_min_strict); [ -z "$UB_B_QRY_MINST" ] && UB_B_QRY_MINST=0 UB_B_HIDE_BIND=$(am_settings_get unbound_hide_binddata); [ -z "$UB_B_HIDE_BIND" ] && UB_B_HIDE_BIND=1 UB_TTL_MIN=$(am_settings_get unbound_ttl_min); [ -z "$UB_TTL_MIN" ] && UB_TTL_MIN=120 UB_D_PRIV_BLCK=$(am_settings_get unbound_rebind_protection); [ -z "$UB_D_PRIV_BLCK" ] && UB_D_PRIV_BLCK=1 UB_B_LOCL_BLCK=$(am_settings_get unbound_rebind_localhost); [ -z "$UB_B_LOCL_BLCK" ] && UB_B_LOCL_BLCK=1 UB_B_LOCL_SERV=$(am_settings_get unbound_localservice); [ -z "$UB_B_LOCL_SERV" ] && UB_B_LOCL_SERV=1 UB_LIST_INSECURE=$(am_settings_get unbound_domain_insecure) UB_B_NTP_BOOT=$(am_settings_get unbound_validator_ntp); [ -z "$UB_B_NTP_BOOT" ] && UB_B_NTP_BOOT=1
+1 ...
especially if the script can recognise the router model it is being installed on and use optimal performance settings for that router by default.
kernol
Very Senior Member
@Martineau - personal thanks for v2.07 update - I'm sure that many others will find this useful if they can figure out how to find it .
I have just one remaining "issue" - which may or may not be something you can assist with?
Sadly - down South here in RSA - we have acute power generation problems ... so frequently suffer "load shedding" where electricity supply is terminated by designated geographic areas for 2 hours usually twice in a 24 hour period.
@thelonelycoder many moons ago rectified an issue with Diversion in response to a similar request.
The issue is the webUI "Eject USB Disk" function which - prior to install of unbound - was working fine with a complete and correct umount.
Diversion added some lines to unmount script in /jffs/scripts to fix the Eject function back then.
Does something similar need to be added to unmount script for unbound to let go of the USB?
When the power goes off - my APC UPS kicks in - but can't last the full 2 hours - so issues commands to gracefully shutdown powered devices.
In the case of the RT-AC86U - it simply sends an unmount command so my USB does not get corrupted when power supply terminates.
.I have just one remaining "issue" - which may or may not be something you can assist with?
Sadly - down South here in RSA - we have acute power generation problems ... so frequently suffer "load shedding" where electricity supply is terminated by designated geographic areas for 2 hours usually twice in a 24 hour period.
@thelonelycoder many moons ago rectified an issue with Diversion in response to a similar request.
The issue is the webUI "Eject USB Disk" function which - prior to install of unbound - was working fine with a complete and correct umount.
Diversion added some lines to unmount script in /jffs/scripts to fix the Eject function back then.
Does something similar need to be added to unmount script for unbound to let go of the USB?
When the power goes off - my APC UPS kicks in - but can't last the full 2 hours - so issues commands to gracefully shutdown powered devices.
In the case of the RT-AC86U - it simply sends an unmount command so my USB does not get corrupted when power supply terminates.
SomeWhereOverTheRainBow
Part of the Furniture
Time... Who needs time.... Stay tuned... I will give you my newEST improved suggestions later....
SomeWhereOverTheRainBow
Part of the Furniture
Code:
start_monitor () {
trap "" 1
while [ `nvram get ntp_ready` -eq 0 ]; do sleep 1; done
local NW_STATE
local RES_STATE
while true; do
ping 1.1.1.1 -c1 -W2 >/dev/null 2>&1
NW_STATE=$?
nslookup google.com >/dev/null 2>&1
RES_STATE=$?
if [ -f /opt/etc/init.d/S61unbound ]; then
if [ -z "`pidof unbound`" ]; then
logger "Warning: unbound is dead"
/opt/etc/init.d/S61unbound start
elif [ $NW_STATE -eq 0 ] && [ $RES_STATE -ne 0 ]; then
logger "Warning: unbound is not responding"
/opt/etc/init.d/S61unbound start
fi
fi
sleep 10
done
}A monitor triggered by an init-start script, technically it can be called once unbound starts as well.
Last edited:
Xentrk
Part of the Furniture
I awoke early this morning to upgrade a remote site to 384.15. I was not able to connect to the router's OpenVPN server when using unbound. I saw a message that OpenVPN was unable to resolve the hostname. Once I uninstalled unbound, I was able to make the connection. I'll do some more testing as I believe I was successful the day before connecting to two sites when I had unbound installed over an OpenVPN connection.
I still can't connect to my providers OpenVPN server in LA. Unable to resolve the hostname. So far, that is the only location I have an issue with.
I still can't connect to my providers OpenVPN server in LA. Unable to resolve the hostname. So far, that is the only location I have an issue with.
Martineau
Part of the Furniture
Many thanks, clearly this has fixed the incorrect unbound 'uptime' reported after the REBOOT.
Martineau
Part of the Furniture
In 'easy' mode (the default when invoked from amtm), you are never prompted - see post #157, so to remove undesired options that are no longer deemed appropriate you have to uninstall unbound, and reinstall unbound with the desired options (or none).
???Command
Code:
z = Remove Existing unbound/unbound_manager InstallationThe only minor uninstall issue (I'm aware of) - fixed in the (as yet unrelased) v2.08 release is the annoying dependency error that was introduced with the inclusion of 'unbound-checkconf' reinstated as an available package in the recent unbound v1.9.6 release
Code:
Existing unbound package found. Removing unbound
Removing package unbound-control-setup from root...
Removing package unbound-control from root...
Removing package unbound-anchor from root...
Removing package unbound-checkconf from root...
Collected errors:
* print_dependents_warning: Package unbound-daemon is depended upon by packages:
* print_dependents_warning: unbound-checkconf
* print_dependents_warning: These might cease to work if package unbound-daemon is removed.
* print_dependents_warning: Force removal of this package with --force-depends.
* print_dependents_warning: Force removal of this package and its dependents
* print_dependents_warning: with --force-removal-of-dependent-packages.
***Error occurred when removing unboundSimilar threads
Similar threads
Similar threads
-
Unbound Force all DNS requests through Unbound using iptables?- Started by muffintastic
- Replies: 14
-
-
-
-
-
-
Is it possible to use nord dns with unbound or any way to add it?- Started by Jack-Sparr0w
- Replies: 9
-
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-