I haven't tried the uninstall / reinstall so, no problem, neither am I looking for one
. I then prefer to stick to commenting out that 1 line when and if necessary...Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
- Thread starter Martineau
- Start date
. I then prefer to stick to commenting out that 1 line when and if necessary...
Martineau
Part of the Furniture
You mean like the beta version in GitHub dev?
Unlike for managing 'tags:', unbound-control makes several 'views:' related commands available:
Code:
unbound-control --help
<snip>
view_list_local_zones view list local-zones in view
view_list_local_data view list local-data RRs in view
view_local_zone view name type add local-zone in view
view_local_zone_remove view name remove local-zone in view
view_local_data view RR... add local-data in view
view_local_datas view add list of local-data to view
one entry per line read from stdin
view_local_data_remove view name remove local-data in view
view_local_datas_remove view remove list of local-data from view
one entry per line read from stdin
tomsk
Very Senior Member
Nicely done sir.... as always ahead of the game, although trying to add an IP address to a view threw an arithmetic error for me until i remembered i had to add the CIDR notation....maybe adding a test for "dumbass" entries would be useful down the road. Advanced user in my case only means advanced in years.....You mean like the beta version in GitHub dev?
Unlike for managing 'tags:', unbound-control makes several 'views:' related commands available:
although one to actually list the names of ALL the configured 'views:' seems to be missing?Code:unbound-control --help <snip> view_list_local_zones view list local-zones in view view_list_local_data view list local-data RRs in view view_local_zone view name type add local-zone in view view_local_zone_remove view name remove local-zone in view view_local_data view RR... add local-data in view view_local_datas view add list of local-data to view one entry per line read from stdin view_local_data_remove view name remove local-data in view view_local_datas_remove view remove list of local-data from view one entry per line read from stdin
Martineau
Part of the Furniture
I've now added auto-CIDR to the latest beta, so if a single LAN device 192.168.1.55 is to be added to 'view:' "NoYouTube"
e.g. if you "forget" to add the CIDR suffix for the single IP Address
Code:
views NoYouTube 192.168.1.55
auto-converted to
views NoYouTube 192.168.1.55/32
Last edited:
Martineau
Part of the Furniture
unbound normally listens on ALL interfaces, so if you only have one outgoing interface available i.e. WAN, then the 'bind' command is irrelevant.What is the meaning of BIND WAN options? disable / debug / debug show?
Do not quite understand
However, for those that have one or more VPN Client tunnels, then they may wish to bind unbound's outbound requests to the Root DNS to a specific VPN Client tunnel, or they may wish to force unbound to use the fastest interface which is usually the WAN.
The optional 'debug/show' options are simply provided to prove if the bind has been applied to the desired outbound interface.
That begs the question why 2 commands? Wouldn't it be simpler to have one bind command with WAN, VPN 1-5 as parameters?
And on a related topic: would it be acceptable and possible to group the advanced menu items by topics? i.e the DNS related commands as DisableFirefoxDoH, DOT, stubby, dnsmasq on one side of the isle? Then adblock, youtube, ew commands grouped together etc. The same layout as the creator intended with a scent of grouping; that's all...
D
Deleted member 62525
Guest
My understanding about Split DNS is that when you have a resource on your internal network and you want to be able to configure DNS to respond to DNS queries giving different answers (IP) based on where the original DNS request is coming from. So, for example you have an internal server called host1. The Spilt DNS configuration would allow you return host1 IP of 192.168.22.1 to internal clients but for external clients DNS would return IP 34.50.22.1
I don't think that Unbound (out of the box) supports such thing. I have seen some python modules that would allow you to do that but nothing I could find in Unbound documentation that this is build into the product.
Slawek P
Senior Member
I thought it is related to BIND VPN, but then why seperate option. Yes grouping makes sense. +1
On my screen bind show debug does nothing, but so is sd. I still have some issues at startup (suspecting unbound), but will investigate over the weekend.
tomsk
Very Senior Member
Code:
A:Option ==> views NoYouTube 10.10.11.25
grep: /opt/share/unbound/configs/unbound.conf.views: No such file or directory
sed: /opt/share/unbound/configs/unbound.conf.views: No such file or directory
View: 'NoYouTube' added 10.10.11.25/32Anyone notice memory creep with the recent changes? My free memory on my AC-5300 has never been below ~100MB and after a few days of uptime it was down to ~50MB free for the first time. *top* command confirmed that unbound was the culprit. Not requesting a change--just curious to see if anyone else is experiencing the same thing.
RT-AC5300 (armv7l) FW-384.17
Other scripts: Skynet, scribe, uiScribe, connmon, ntpMerlin
Output of '?':
I also ran the 'scribe' command and then commented out "log-queries" from my .conf file. Otherwise it's the default conf file
RT-AC5300 (armv7l) FW-384.17
Other scripts: Skynet, scribe, uiScribe, connmon, ntpMerlin
Output of '?':
Version=3.16 (Change Log: https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/commits/master/unbound_manager.sh)
Local md5=5dce81880f662a81b709567f38371d75
Github md5=5dce81880f662a81b709567f38371d75
/jffs/addons/unbound/unbound_manager.md5 md5=5dce81880f662a81b709567f38371d75
Router Configuration recommended pre-reqs status:
[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Entware NTP server is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO
Options: Auto Reply='y' for User Selectable Options ('3 4') Ad Block,Performance Tweaks
[✔] Ad and Tracker Blocking (No. of Adblock domains=56887,Blocked Hosts=0,Whitelist=19)
[✔] unbound CPU/Memory Performance tweaks
[✔] Router Graphical GUI statistics TAB installed
[✔] unbound-control FAST response ENABLED
[✔] DNS Firewall ENABLED
[✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)
[✔] YouTube Ad Blocking (Forcing to use YT IP 173.194.191.169, No. of YouTube Video Ad domains=111)
Local md5=5dce81880f662a81b709567f38371d75
Github md5=5dce81880f662a81b709567f38371d75
/jffs/addons/unbound/unbound_manager.md5 md5=5dce81880f662a81b709567f38371d75
Router Configuration recommended pre-reqs status:
[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Entware NTP server is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO
Options: Auto Reply='y' for User Selectable Options ('3 4') Ad Block,Performance Tweaks
[✔] Ad and Tracker Blocking (No. of Adblock domains=56887,Blocked Hosts=0,Whitelist=19)
[✔] unbound CPU/Memory Performance tweaks
[✔] Router Graphical GUI statistics TAB installed
[✔] unbound-control FAST response ENABLED
[✔] DNS Firewall ENABLED
[✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)
[✔] YouTube Ad Blocking (Forcing to use YT IP 173.194.191.169, No. of YouTube Video Ad domains=111)
I also ran the 'scribe' command and then commented out "log-queries" from my .conf file. Otherwise it's the default conf file
Martineau
Part of the Furniture
Can you issue
Code:
head -n4 /jffs/addons/unbound/unbound_manager.shHowever I suspect you have misinterpreted the command syntax...
Code:
e = Exit Script [?]
A:Option ==> views
Options syntax: [ { uninstall | viewname { '?' | 'uninstall' } ] | {viewname url [ ip_address] } | {viewname ip_address ['del']} ]I suggest you start again
Code:
e = Exit Script [?]
A:Option ==> views uninstall
Code:
views NoYouTube www.youtube.com 10.10.11.25
Code:
views NoYouTube 10.10.11.xxx
Code:
views NoYouTube ?
Code:
viewsv
or
viewsxtomsk
Very Senior Member
Can you issue
The script should check if the file exists before checking for existing duplicate 'view:' name....Code:head -n4 /jffs/addons/unbound/unbound_manager.sh
However I suspect you have misinterpreted the command syntax...
So you have not supplied the blocked domain/URL to be associated with the 'view'Code:e = Exit Script [?] A:Option ==> views Options syntax: [ { uninstall | viewname { '?' | 'uninstall' } ] | {viewname url [ ip_address] } | {viewname ip_address ['del']} ]
I suggest you start again
thenCode:e = Exit Script [?] A:Option ==> views uninstall
To add another client to the view then use the following syntaxCode:views NoYouTube www.youtube.com 10.10.11.25
Check the 'view:' blocking ruleCode:views NoYouTube 10.10.11.xxx
or view/edit the file usingCode:views NoYouTube ?
Code:viewsv or viewsx
Code:
#!/bin/sh
# shellcheck disable=SC2086,SC2068,SC1087,SC2039,SC2155,SC2124,SC2027,SC2046
VERSION="3.17b"
#============================================================================================ © 2019-2020 Martineau v3.17b8
Code:
# View: NoYouTube Clients
access-control-view: 10.10.11.25/32 "NoYouTube"
access-control-view: 10.10.11.1/32 "NoYouTube"
view:
name: "NoYouTube"
view-first: yes
local-zone: "www.youtube.com." refuse
# EndView: NoYouTubeSeems to be working now.... i think its the missing domain issue as you said ... the view i created previously was in a file called unbound.conf.addViews which i assume is redundant now? The new views file is unbound.conf.views
There was no unbound.conf custom server directive last time so in put my own ( which i can remove now)
Code:
include: "/opt/share/unbound/configs/unbound.conf.addViews"
Code:
include: "/opt/share/unbound/configs/unbound.conf.views"
Last edited:
Martineau
Part of the Furniture
Yes 'unbound.conf.addViews' is obsolete.
I try to make the syntax 'logical' but also flexible without forcing the user to explicitly prefix the parameters e.g. domain/url value i.e. 'url=www.you.tube.com'
I haven't used the unbound-control commands to bulk load the IP Adresses etc., but the main question is does it work ?
e.g. Excerpt from my log as LAN client device 10.88.8.114 subsequently attempted to access 'www.youtube.com' along with two other LAN client devices
Code:
May 27 16:44:11 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52185 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52185 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@65060 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@65060 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52043 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52043 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@53064 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@53064 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@53644 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@53644 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@56079 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@56079 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@58237 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@58237 www.youtube.com. A IN
May 27 16:44:42 unbound[2185:0] query: 10.88.8.92 www.youtube.com. A IN
May 27 16:44:42 unbound[2185:0] reply: 10.88.8.92 www.youtube.com. A IN NOERROR 0.062516 0 291
May 27 16:44:42 unbound[2185:0] query: 10.88.8.111 www.youtube.com. A IN
May 27 16:44:52 unbound[2185:0] reply: 10.88.8.111 www.youtube.com. A IN NOERROR 0.000000 1 291Martineau
Part of the Furniture
So if the last octet of the IP Address is 0 you want the script to always assume/append subnet mask CIDR notation '/24' ?
tomsk
Very Senior Member
No i didn't mean that..... I was just thinking that if the last octet is zero thats a reserved address so the intention was most likely to include the whole subnet. I guess there is no way to help in that regard because theres no way to infer the CIDR from the rest of the address.
I can see the CIDR of the subnet if i use ip route ... would that be a good place to grab it?
Code:
tOmsK@RT-AC68U-4690:/tmp/home/root# ip route
192.168.0.1 dev eth0 proto kernel scope link
10.11.12.0/24 dev wl1.1 proto kernel scope link src 10.11.12.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.164
10.10.10.0/24 dev br0 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wl0.1 proto kernel scope link src 10.10.11.1
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth0
Last edited:
Martineau
Part of the Furniture
Sorry I may be dense, but although adding the '/32' suffix to a single IP Address is effectively redundant in most cases (but I did add this auto-CIDR for your convenience as it made sense), the last octet when specifying the '/24' suffix is invariably almost always '0' - as evidenced in your output above.
Not quite sure why you can't explicitly specify the subnet mask in CIDR notation i.e. you may actually wish to use only the first 7 (technically 8) IP Addresses
e.g.
Code:
10.10.11.0/29Anyway all of this discussion is moot unless you can confirm that the unbound 'NoYouTube' 'view:' does allow you to alter the DNS response based on the source IP address - in this block access to YouTube for any LAN device defined to the 'NoYouTube' 'view:'
Last edited:
tomsk
Very Senior Member
Seems to work
Code:
# View: NoYouTube Clients
access-control-view: 10.11.12.0/24 "NoYouTube"
view:
name: "NoYouTube"
view-first: yes
local-zone: "youtube.com." refuse
# EndView: NoYouTube
Code:
May 28 14:27:58 RT-AC68U-4690 unbound: [9527:0] query: 10.11.12.168 m.youtube.com. A IN
May 28 14:27:58 RT-AC68U-4690 unbound: [9527:0] info: youtube.com. refuse 10.11.12.168@59565 m.youtube.com. A IN
May 28 14:27:58 RT-AC68U-4690 unbound: [9527:0] reply: 10.11.12.168 m.youtube.com. A IN REFUSED 0.000000 1 31
May 28 14:28:14 RT-AC68U-4690 unbound: [9527:0] query: 10.11.12.196 m.youtube.com. A IN
May 28 14:28:14 RT-AC68U-4690 unbound: [9527:0] info: youtube.com. refuse 10.11.12.196@62508 m.youtube.com. A IN
May 28 14:28:14 RT-AC68U-4690 unbound: [9527:0] reply: 10.11.12.196 m.youtube.com. A IN REFUSED 0.000000 1 31Martineau
Part of the Furniture
Brilliant!
-thanks for the feedback.....although seemingly no one in your home is allowed to access YouTube if they are on that subnet? - seems a bit harshSimilar threads
Similar threads
Similar threads
-
Unbound Force all DNS requests through Unbound using iptables?- Started by muffintastic
- Replies: 14
-
-
-
-
-
-
Is it possible to use nord dns with unbound or any way to add it?- Started by Jack-Sparr0w
- Replies: 9
-
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-