Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

I did, followed instructions, installed & started. But can't see the suricata.log unfortunately to verify it is healthy...
Any conversation regarding "suricata" needs to be done in the appropriate forum. Don't need to clutter the unbound thread with another project.
 
Have you tried whitelisting 'goo.gl'?

e.g. I had to......using 'unbound_manager' for Ad block
Code:
e  = Exit Script [?]

A:Option ==> ew

Hi Martineau

does whitelisting actually change adservers from this
Code:
local-zone: "goo.gl" always_nxdomain
to this?
Code:
#local-zone: "goo.gl" always_nxdomain

Because this is the only way that whitelisting actually works for me. I can add goo.gl to permlist and I can add goo.gl to allowhost
but neither work until I actually comment out
Code:
#local-zone: "goo.gl" always_nxdomain
in adservers and then issue rl
 
Hi Martineau

does whitelisting actually change adservers from this
Code:
local-zone: "goo.gl" always_nxdomain
to this?
Code:
#local-zone: "goo.gl" always_nxdomain

Because this is the only way that whitelisting actually works for me. I can add goo.gl to permlist and I can add goo.gl to allowhost
but neither work until I actually comment out
Code:
#local-zone: "goo.gl" always_nxdomain
in adservers and then issue rl
@juched provides the 'gen_adblock.sh' script that manages the entries in 'adblock/adservers'
 
I am getting a weird thing going on when i enable dnsmasq as the primary dns.... i get a warning every time
Code:
    ***ERROR Unable to verify Github version...check DNS/Internet access!
but i don't see this error after making unbound primary...
i did add a couple of guest networks to test the interfaces conversion...could that be making dnsmasq a bit slow to come up?...timing issue?
I'll take a look, but I did reduce the cURL timeout/retry values in v3.16 :rolleyes:

EDIT: @tomsk Pushed v3.16 Hotfix.

Perhaps the v3.16 reduced 3 second timeout (Retry=1,Timeout=1) was too ambitious/optimistic for a busy GitHub etc., so reverted back to Retry=3,Timeout=3 which should be approx. 17 seconds!
 
@juched provides the 'gen_adblock.sh' script that manages the entries in 'adblock/adservers'

I understand how it works now :-
it removes the whole line in adservers - for example the whole line below is removed from adservers when it finds the host "goo.gl" in allowhost. The key to make it stick is to run adblock from either menu which executes the gen_adblock.sh script to confirm the changes in allowhost. No need to execute rl.

Code:
local-zone: "goo.gl" always_nxdomain

Similarly blacklist operates by entering domain in blockhost e.g. goo.gl and a line is added to adservers similar to above. Once you execute adblock the blacklisted host sticks.
 
Click the 'Full Screen icon' on the bottom Right corner before playing the video! ;)
https://vimeo.com/422203527
That video was something like ... Daaa :rolleyes:
For sure it was something wrong with me yesterday ... I was doing it the other way around :D ... Select "Yes" instead of "No" which was already selected ... and I did that for all 3 routers and then I proceed with Unbound update :)
Thank you for pointing that out. All works as it should now.
Cheers.
 
Any conversation regarding "suricata" needs to be done in the appropriate forum. Don't need to clutter the unbound thread with another project.

true, but it will go together with unbound like peas and carrots eventually, like diversion and SkyNet do now.
suricata doesn't seem to be as well formed for Merlin just yet from what I can tell...but there are alpha testers working with devs. Standby!
the great contest between the two of them should have some parameters defined now while we wait, wouldn't you agree?
 
I haven't been through all 120+ pages of this thread to try and answer my own question, but I'm hoping someone will be kind enough to help me:
in the unbound stats, I'm seeing various calls to various ntp servers other than the one I've got running in Merlin in "today's DNS replies" - how do I track those clients/devices down to point them at a closer time source?
 
true, but it will go together with unbound like peas and carrots eventually, like diversion and SkyNet do now.
suricata doesn't seem to be as well formed for Merlin just yet from what I can tell...but there are alpha testers working with devs. Standby!
the great contest between the two of them should have some parameters defined now while we wait, wouldn't you agree?
I'm not seeing the correlation between unbound and Suricata but I may not know the details of those projects enough to make an educated opinion.
 
I have a question about the dnsmasq interface | nointerface option..... it seems that the commands can be invoked with dnsmasq still in operation as the primary DNS (where they don't have any effect), however when the bypass operation occurs, the interfaces are copied anyway.
I'm not sure of your main idea behind these settings.... but if the idea is to do the bypass with the option to have interfaces disabled, then it might be a good idea to make the setting stick across the bypass, rather than having to apply it again later when unbound is primary (which works fine). But if it's a setting purely for unbound as primary DNS then perhaps disable the setting when dnsmasq is primary.
 
I haven't been through all 120+ pages of this thread to try and answer my own question, but I'm hoping someone will be kind enough to help me:
in the unbound stats, I'm seeing various calls to various ntp servers other than the one I've got running in Merlin in "today's DNS replies" - how do I track those clients/devices down to point them at a closer time source?
If you make unbound primary DNS then the client IP address will show instead of dnsmasq address
 
If you make unbound primary DNS then the client IP address will show instead of dnsmasq address

You mean my WAN IP should be the primary dns...where though?
And what about when my ISP reallocates? Can I use DDNS?


Sent from my iPhone using Tapatalk
 
You mean my WAN IP should be the primary dns...where though?
And what about when my ISP reallocates? Can I use DDNS?


Sent from my iPhone using Tapatalk
you switch unbound as your primary DNS by using the dnsmasq disable command in the unbound manager.
Then your client machines will make their DNS requests directly to unbound rather than going via dnsmasq.
you will see in your unbound log that each device request will now show its IP rather than every request coming from dnsmasq on 127.0.0.1. You don't need to change your WAN DNS settings
 
Suricata (kinda) functions like a firewall, (ie SkyNet), as I understand it, but does it differently, and possibly more efficiently.
So concurring with @QuikSilver, as per this thread's unambiguous title, a script that manages the implementation of a DNS service has nothing to do with an IPS/IDS tool, so rather than posting here, Suricata queries/topics would surely benefit from being posted in say the like-minded Skynet firewall thread .........if the official Suricata thread isn't deemed appropriate - wouldn't you agree?
 
Ok- in unbound manager, option 3 is Advanced Tools. The only thing I can see is the dnsmasq disable. Is that what I’m looking for, and do I have to stop unbound, make this change, and then restart unbound? And then possibly reboot the router?


Sent from my iPhone using Tapatalk
 
Ok- in unbound manager, option 3 is Advanced Tools. The only thing I can see is the dnsmasq disable. Is that what I’m looking for, and do I have to stop unbound, make this change, and then restart unbound? And then possibly reboot the router?


Sent from my iPhone using Tapatalk
yes, that's the one you want.... unbound will restart on its own.... no need to reboot
 
I'll take a look, but I did reduce the cURL timeout/retry values in v3.16 :rolleyes:

EDIT: @tomsk Pushed v3.16 Hotfix.

Perhaps the v3.16 reduced 3 second timeout (Retry=1,Timeout=1) was too ambitious/optimistic for a busy GitHub etc., so reverted back to Retry=3,Timeout=3 which should be approx. 17 seconds!
Getting the same error message on the latest 3.16 version.

This has just started to happen, possibly GitHub is the problem ???!!!

Code:
 Version=3.16  (Change Log: https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/commits/master/unbound_manager.sh)
 Local                                    md5=4f8cfe846cd233adf7252e2cc693da40
 Github                                   md5=
 /jffs/addons/unbound/unbound_manager.md5 md5=4f8cfe846cd233adf7252e2cc693da40
 
I understand how it works now :-
it removes the whole line in adservers - for example the whole line below is removed from adservers when it finds the host "goo.gl" in allowhost. The key to make it stick is to run adblock from either menu which executes the gen_adblock.sh script to confirm the changes in allowhost. No need to execute rl.

Code:
local-zone: "goo.gl" always_nxdomain

Similarly blacklist operates by entering domain in blockhost e.g. goo.gl and a line is added to adservers similar to above. Once you execute adblock the blacklisted host sticks.

Yes, you got it. If you use allowhosts or blockhosts in the share folder it ensures it is or isn't in the adserver file.

Unsure what issue you are having?
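Added example (not code from unbound_manager or from @juched's gen_adblock.sh) that models the allowhost/blockhost behaviour described in the two posts above: a host in allowhost has its whole local-zone line dropped from adservers, a host in blockhost gets a local-zone line appended unless one is already there. The file contents are constructed, and "allowhost wins when a host is in both lists" is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example, not part of unbound_manager or gen_adblock.sh.
# Rebuilds an 'adservers' zone list from allowhost/blockhost lists.
# Assumption: a host present in both lists is treated as allowed.

# Constructed sample contents (the real files live in the unbound adblock directory).
ADSERVERS='local-zone: "ads.example.net" always_nxdomain
local-zone: "goo.gl" always_nxdomain
local-zone: "tracker.example.org" always_nxdomain'
ALLOWHOST='goo.gl'
BLOCKHOST='goo.gl
badsite.example.com'

# apply_lists ADSERVERS_TEXT ALLOWHOST_TEXT BLOCKHOST_TEXT -> rebuilt list on stdout
apply_lists() {
    printf '%s\n' "$1" | awk -v allow="$2" -v block="$3" '
    BEGIN {
        na = split(allow, a, "\n"); for (i = 1; i <= na; i++) if (a[i] != "") allowed[a[i]] = 1
        nb = split(block, b, "\n")
    }
    # Only lines of the form local-zone: "<host>" always_nxdomain are zone entries.
    /^local-zone: "[^"]+" always_nxdomain$/ {
        host = $2; gsub(/"/, "", host)
        if (host in allowed) next        # allowhost: drop the whole line
        present[host] = 1
    }
    { print }                            # keep every other line verbatim
    END {
        for (i = 1; i <= nb; i++) {
            h = b[i]
            if (h == "" || (h in allowed) || (h in present)) continue
            present[h] = 1               # no duplicate lines within blockhost
            printf "local-zone: \"%s\" always_nxdomain\n", h
        }
    }'
}

# is_blocked HOST ADSERVERS_TEXT -> exit 0 if the list answers NXDOMAIN for HOST
is_blocked() {
    printf '%s\n' "$2" | grep -qxF "local-zone: \"$1\" always_nxdomain"
}

# Stand-alone run: print the rebuilt adservers contents.
apply_lists "$ADSERVERS" "$ALLOWHOST" "$BLOCKHOST"
```

After rebuilding, unbound still has to reload the file (the thread's adblock menu option handles that), which is why editing allowhost alone does not change answers until then.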
 