QuikSilver
Very Senior Member
Any conversation regarding "suricata" needs to be done in the appropriate forum. Don't need to clutter the unbound thread with another project.
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
- Thread starter Martineau
- Start date
joe scian
Very Senior Member
Hi Martineau
does whitelisting actually change adservers from this
Code:
local-zone: "goo.gl" always_nxdomain
Code:
#local-zone: "goo.gl" always_nxdomainBecause this is the only way that whitelisting actually works for me. I can add goo.gl to permlist and I can add goo.gl to allowhost
but neither work until I actually comment out
Code:
#local-zone: "goo.gl" always_nxdomain
Martineau
Part of the Furniture
I'll take a look, but I did reduce the cURL timeout/retry values in v3.16
EDIT: @tomsk Pushed v3.16 Hotfix.
Perhaps the v3.16 reduced 3 second timeout (Retry=1,Timeout=1) was too ambitious/optimistic for a busy GitHub etc., so reverted back to Retry=3,Timeout=3 which should be approx. 17 secconds!
Last edited:
joe scian
Very Senior Member
I understand how it works now :-
it removes the whole line in adservers - for example the whole line below is removed from adservers when it finds the host "goo.gl" in allowhost. The key to make it stick is to run adblock from either menu which executes the gen_adblock.sh script to confirm the changes in allowhost. No need to execute rl.
Code:
local-zone: "goo.gl" always_nxdomainSimarly blacklist operates by entering domain in blockhost eg goo.gl and a line is added to adservers similar to above. Once you execute adblock the blacklisted host sticks.
Last edited:
That video was something like ... DaaaClick the 'Full Screen icon' on the bottom Right corner before playing the video!
https://vimeo.com/422203527
For sure it was something wrong with me yesterday ... I was doing it the other way around
... Select "Yes" instead of "No" which was already selected ... and I did that for all 3 routers and then I proceed with Unbound update 
Thank you for pointing that out. All works as it should now.
Cheers.
heysoundude
Part of the Furniture
true, but it will go together with unbound like peas and carrots eventually, like diversion and SkyNet do now.
suricata doesn't seem to be as well formed for Merlin just yet from what I can tell...but there are alpha testers working with devs. Standby!
the great contest between the two of them should have some parameters defined now while we wait, wouldn't you agree?
heysoundude
Part of the Furniture
I haven't been through all 120+ pages of this thread to try and answer my own question, but I'm hoping someone will be kind enough to help me:
in the unbound stats, I'm seeing various calls to various ntp servers other than the one I've got running in Merlin in "today's DNS replies" - how do I track those clients/devices down to point them at a closer time source?
in the unbound stats, I'm seeing various calls to various ntp servers other than the one I've got running in Merlin in "today's DNS replies" - how do I track those clients/devices down to point them at a closer time source?
QuikSilver
Very Senior Member
I'm not seeing the correlation between unbound and Suritica but I may not know the details of those projects enough to make a educated opinion.
heysoundude
Part of the Furniture
Suricata (kinda) functions like a firewall, (ie SkyNet), as I understand it, but does it differently, and possibly more efficiently.
tomsk
Very Senior Member
I have a question about the dnsmasq interface | nointerface option..... it seems that the commands can be invoked with dnsmasq still in operation as the primary DNS (where they don't have any effect), however when the bypass operation occurs, the interfaces are copied anyway.
Im not sure of your main idea behind these settings.... but if the idea is to do the bypass with the option to have interfaces disabled, then it might be good idea to make the setting stick across the bypass, rather than having to apply it again later when unbound is primary ( which works fine). But if its a setting purely for unbound as primary DNS then perhaps disable the setting when dnsmasq is primary.
Im not sure of your main idea behind these settings.... but if the idea is to do the bypass with the option to have interfaces disabled, then it might be good idea to make the setting stick across the bypass, rather than having to apply it again later when unbound is primary ( which works fine). But if its a setting purely for unbound as primary DNS then perhaps disable the setting when dnsmasq is primary.
Last edited:
tomsk
Very Senior Member
If you make unbound primary DNS then the client IP address will show instead of dnsmasq address
heysoundude
Part of the Furniture
You mean my WAN IP should be the primary dns...where though?
And what about when my ISP reallocates? Can I use DDNS?
Sent from my iPhone using Tapatalk
tomsk
Very Senior Member
you switch unbound as your primary DNS by using the dnsmasq disable command in the unbound manager.
Then your client machines will make their DNS requests directly to unbound rather than going via dnsmasq.
you will see in your unbound log that each device request will now show its IP rather than every request coming from dnsmasq on 127.0.0.1. You don't need to change you WAN DNS settings
Last edited:
Martineau
Part of the Furniture
So concurring with @QuikSilver, as per this thread's unambiguous title, a script that manages the implementation of a DNS service has nothing to do with an IPS/IDS tool, so rather than posting here, Suricata queries/topics would surely benefit from being posted in say the like-minded Skynet firewall thread .........if the official Suricata thread isn't deemed appropriate - wouldn't you agree?
heysoundude
Part of the Furniture
heysoundude
Part of the Furniture
Ok- in unbound manager, option 3 is Advanced Tools. The only thing I can see is the dnsmasq disable. Is that what I’m looking for, and do I have to stop unbound, make this change, and then restart unbound? And then possibly reboot the router?
Sent from my iPhone using Tapatalk
Sent from my iPhone using Tapatalk
tomsk
Very Senior Member
yes thats the one you want.... unbound will restart on its own.... no need to reboot
Twiglets
Senior Member
Getting the same error message on the latest 3.16 version.I'll take a look, but I did reduce the cURL timeout/retry values in v3.16
EDIT: @tomsk Pushed v3.16 Hotfix.
Perhaps the v3.16 reduced 3 second timeout (Retry=1,Timeout=1) was too ambitious/optimistic for a busy GitHub etc., so reverted back to Retry=3,Timeout=3 which should be approx. 17 secconds!
This has just started to happen, possibly GitHub is the problem ???!!!
Code:
Version=3.16 (Change Log: https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/commits/master/unbound_manager.sh)
Local md5=4f8cfe846cd233adf7252e2cc693da40
Github md5=
/jffs/addons/unbound/unbound_manager.md5 md5=4f8cfe846cd233adf7252e2cc693da40
juched
Very Senior Member
Yes, you got it. If you use allowhosts or blockhosts in the share folder it ensure it is or isn’t in the adserver file.
Unsure what issue you are having?
Similar threads
DomainVPNRouting
Domain VPN Routing v3.2.3 ***Release***
Similar threads
Similar threads
-
How to get Unbound Manager to display logs in Scribe?- Started by Davidncali001
- Replies: 15
-
-
DNS works for clients but not router (in ssh terminal mode) using YazDHCP and Unbound.
- Started by CornfieldWin
- Replies: 12
-
Error with unbound and VPN all default settings set- Started by Jack-Sparr0w
- Replies: 14
-
Unbound CVE-2025-11411 domain hijacking security vulnerability affecting up to v1.24.0- Started by Gen10
- Replies: 1
-
-
-
Unbound Unbound Stats for Asuswrt-Merlin v1.4.4 [2025-Nov-03] Generate Stats for Unbound
- Started by Martinski
- Replies: 8
-
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!
Staff online
-
RMerlinAsuswrt-Merlin dev