Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[QuikSilver]

I did, followed instructions, installed & started. But can't see the suricata.log unfortunatelly to verify it is healthy...

Any conversation regarding "suricata" needs to be done in the appropriate forum. Don't need to clutter the unbound thread with another project.

 

[joe scian]

Have you tried whitelisting 'goo.gl'?

e.g. I had to......using 'unbound_manager' for Ad block

e  = Exit Script [?]

A:Option ==> ew

Hi Martineau

does whitelisting actually change adservers from this

local-zone: "goo.gl" always_nxdomain

to this?

#local-zone: "goo.gl" always_nxdomain

Because this is the only way that whitelisting actually works for me. I can add goo.gl to permlist and I can add goo.gl to allowhost
but neither work until I actually comment out

#local-zone: "goo.gl" always_nxdomain

in adservers and then issue rl

 

[Martineau]

Hi Martineau

does whitelisting actually change adservers from this

local-zone: "goo.gl" always_nxdomain

to this?

#local-zone: "goo.gl" always_nxdomain

Because this is the only way that whitelisting actually works for me. I can add goo.gl to permlist and I can add goo.gl to allowhost
but neither work until I actually comment out

#local-zone: "goo.gl" always_nxdomain

in adservers and then issue rl

@juched provides the 'gen_adblock.sh' script that manages the entries in 'adblock/adservers'

 

[Martineau]

I am getting a weird thing going on when i enable dnsmasq as the primary dns.... i get a warning every time

    ***ERROR Unable to verify Github version...check DNS/Internet access!

but i don't see this error after making unbound primary...
i did add a couple of guest networks to test the interfaces conversion...could that be making dnsmasq a bit slow to come up?...timing issue?

I'll take a look, but I did reduce the cURL timeout/retry values in v3.16

EDIT: @tomsk Pushed v3.16 Hotfix.

Perhaps the v3.16 reduced 3 second timeout (Retry=1,Timeout=1) was too ambitious/optimistic for a busy GitHub etc., so reverted back to Retry=3,Timeout=3 which should be approx. 17 secconds!

 

[joe scian]

@juched provides the 'gen_adblock.sh' script that manages the entries in 'adblock/adservers'

I understand how it works now :-
it removes the whole line in adservers - for example the whole line below is removed from adservers when it finds the host "goo.gl" in allowhost. The key to make it stick is to run adblock from either menu which executes the gen_adblock.sh script to confirm the changes in allowhost. No need to execute rl.

local-zone: "goo.gl" always_nxdomain

Simarly blacklist operates by entering domain in blockhost eg goo.gl and a line is added to adservers similar to above. Once you execute adblock the blacklisted host sticks.

 

[Amwjujo]

Click the 'Full Screen icon' on the bottom Right corner before playing the video!
https://vimeo.com/422203527

That video was something like ... Daaa
For sure it was something wrong with me yesterday ... I was doing it the other way around ... Select "Yes" instead of "No" which was already selected ... and I did that for all 3 routers and then I proceed with Unbound update
Thank you for pointing that out. All works as it should now.
Cheers.

 

[heysoundude]

Any conversation regarding "suricata" needs to be done in the appropriate forum. Don't need to clutter the unbound thread with another project.

true, but it will go together with unbound like peas and carrots eventually, like diversion and SkyNet do now.
suricata doesn't seem to be as well formed for Merlin just yet from what I can tell...but there are alpha testers working with devs. Standby!
the great contest between the two of them should have some parameters defined now while we wait, wouldn't you agree?

 

[heysoundude]

I haven't been through all 120+ pages of this thread to try and answer my own question, but I'm hoping someone will be kind enough to help me:
in the unbound stats, I'm seeing various calls to various ntp servers other than the one I've got running in Merlin in "today's DNS replies" - how do I track those clients/devices down to point them at a closer time source?

 

[QuikSilver]

true, but it will go together with unbound like peas and carrots eventually, like diversion and SkyNet do now.
suricata doesn't seem to be as well formed for Merlin just yet from what I can tell...but there are alpha testers working with devs. Standby!
the great contest between the two of them should have some parameters defined now while we wait, wouldn't you agree?

I'm not seeing the correlation between unbound and Suritica but I may not know the details of those projects enough to make a educated opinion.

 

[heysoundude]

I'm not seeing the correlation between unbound and Suritica but I may not know the details of those projects enough to make a educated opinion.

Suricata (kinda) functions like a firewall, (ie SkyNet), as I understand it, but does it differently, and possibly more efficiently.

 

[tomsk]

I have a question about the dnsmasq interface | nointerface option..... it seems that the commands can be invoked with dnsmasq still in operation as the primary DNS (where they don't have any effect), however when the bypass operation occurs, the interfaces are copied anyway.
Im not sure of your main idea behind these settings.... but if the idea is to do the bypass with the option to have interfaces disabled, then it might be good idea to make the setting stick across the bypass, rather than having to apply it again later when unbound is primary ( which works fine). But if its a setting purely for unbound as primary DNS then perhaps disable the setting when dnsmasq is primary.

 

[tomsk]

I haven't been through all 120+ pages of this thread to try and answer my own question, but I'm hoping someone will be kind enough to help me:
in the unbound stats, I'm seeing various calls to various ntp servers other than the one I've got running in Merlin in "today's DNS replies" - how do I track those clients/devices down to point them at a closer time source?

If you make unbound primary DNS then the client IP address will show instead of dnsmasq address

 

[heysoundude]

If you make unbound primary DNS then the client IP address will show instead of dnsmasq address

You mean my WAN IP should be the primary dns...where though?
And what about when my ISP reallocates? Can I use DDNS?


Sent from my iPhone using Tapatalk

 

[tomsk]

You mean my WAN IP should be the primary dns...where though?
And what about when my ISP reallocates? Can I use DDNS?


Sent from my iPhone using Tapatalk

you switch unbound as your primary DNS by using the dnsmasq disable command in the unbound manager.
Then your client machines will make their DNS requests directly to unbound rather than going via dnsmasq.
you will see in your unbound log that each device request will now show its IP rather than every request coming from dnsmasq on 127.0.0.1. You don't need to change you WAN DNS settings

 

[Martineau]

Suricata (kinda) functions like a firewall, (ie SkyNet), as I understand it, but does it differently, and possibly more efficiently.

So concurring with @QuikSilver, as per this thread's unambiguous title, a script that manages the implementation of a DNS service has nothing to do with an IPS/IDS tool, so rather than posting here, Suricata queries/topics would surely benefit from being posted in say the like-minded Skynet firewall thread .........if the official Suricata thread isn't deemed appropriate - wouldn't you agree?
​

 

[heysoundude]

you switch unbound as your primary DNS by using the dns disable command in the unbound manager.

Thank you! I’ll get on that when I get back home


Sent from my iPhone using Tapatalk

 

[heysoundude]

Ok- in unbound manager, option 3 is Advanced Tools. The only thing I can see is the dnsmasq disable. Is that what I’m looking for, and do I have to stop unbound, make this change, and then restart unbound? And then possibly reboot the router?


Sent from my iPhone using Tapatalk

 

[tomsk]

Ok- in unbound manager, option 3 is Advanced Tools. The only thing I can see is the dnsmasq disable. Is that what I’m looking for, and do I have to stop unbound, make this change, and then restart unbound? And then possibly reboot the router?


Sent from my iPhone using Tapatalk

yes thats the one you want.... unbound will restart on its own.... no need to reboot

 

[Twiglets]

I'll take a look, but I did reduce the cURL timeout/retry values in v3.16

EDIT: @tomsk Pushed v3.16 Hotfix.

Perhaps the v3.16 reduced 3 second timeout (Retry=1,Timeout=1) was too ambitious/optimistic for a busy GitHub etc., so reverted back to Retry=3,Timeout=3 which should be approx. 17 secconds!

Getting the same error message on the latest 3.16 version.

This has just started to happen, possibly GitHub is the problem ???!!!

 Version=3.16  (Change Log: https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/commits/master/unbound_manager.sh)
 Local                                    md5=4f8cfe846cd233adf7252e2cc693da40
 Github                                   md5=
 /jffs/addons/unbound/unbound_manager.md5 md5=4f8cfe846cd233adf7252e2cc693da40

 

[juched]

I understand how it works now :-
it removes the whole line in adservers - for example the whole line below is removed from adservers when it finds the host "goo.gl" in allowhost. The key to make it stick is to run adblock from either menu which executes the gen_adblock.sh script to confirm the changes in allowhost. No need to execute rl.

local-zone: "goo.gl" always_nxdomain

Simarly blacklist operates by entering domain in blockhost eg goo.gl and a line is added to adservers similar to above. Once you execute adblock the blacklisted host sticks.

Yes, you got it. If you use allowhosts or blockhosts in the share folder it ensure it is or isn’t in the adserver file.

Unsure what issue you are having?