Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

The install and uninstall is very light. I don’t see the harm in uninstalling and reinstalling. Have you had any issues?
I haven't tried the uninstall / reinstall so, no problem, neither am I looking for one :). I then prefer to stick to commenting out that 1 line when and if necessary...
 
Views would work something like this for the same scenario?
Code:
# Client 10.88.8.111 is blocked from accessing YouTube, but all other LAN clients' DNS requests for YouTube are allowed as normal.

# Create the view clause to reject requests to www.youtube.com with rcode REFUSED

view:
    name: "NoYouTube"
    local-zone: "www.youtube.com" refuse
 
# Associate the client(s) with the view clause (NoYouTube)

access-control-view: 10.88.8.111/32 "NoYouTube"

# Alternatively redirect the blocked YouTube client to a custom polite internal block page

view:
    name: "NoYouTube"
    local-zone: "www.youtube.com" redirect
    local-data: "www.youtube.com IN A 10.88.8.xxx"
You mean like the beta version in GitHub dev? ;)

Unlike for managing 'tags:', unbound-control makes several 'views:' related commands available:
Code:
unbound-control --help

<snip>

view_list_local_zones        view             list local-zones in view
view_list_local_data         view             list local-data RRs in view
view_local_zone              view name type   add local-zone in view
view_local_zone_remove       view name        remove local-zone in view
view_local_data              view RR...       add local-data in view
view_local_datas             view             add list of local-data to view
                                              one entry per line read from stdin
view_local_data_remove       view name        remove local-data in view
view_local_datas_remove      view             remove list of local-data from view
                                              one entry per line read from stdin
although one to actually list the names of ALL the configured 'views:' seems to be missing? o_O
 
Nicely done sir.... as always ahead of the game, although trying to add an IP address to a view threw an arithmetic error for me until I remembered I had to add the CIDR notation....maybe adding a test for "dumbass" entries would be useful down the road. Advanced user in my case only means advanced in years.....
 
What is the meaning of BIND WAN options? disable / debug / debug show?
Do not quite understand:confused:
 
I've now added auto-CIDR to the latest beta, so if a single LAN device 192.168.1.55 is to be added to 'view:' "NoYouTube"

e.g. if you "forget" to add the CIDR suffix for the single IP Address
Code:
views NoYouTube 192.168.1.55

auto-converted to

views NoYouTube 192.168.1.55/32
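An added example, not code from unbound_manager.sh, of the kind of input check asked for above: a POSIX sh function that validates an IPv4 client argument, appends /32 when no CIDR suffix is given, keeps an explicit prefix such as /24 or /29, and emits a 'view:' fragment in the layout shown later in this thread. The function names and the reject-on-malformed-input behaviour are my own assumptions.

```shell
#!/bin/sh
# Added example (not from unbound_manager.sh): validate the client argument of
# a 'views' command and normalise it to CIDR, the way auto-CIDR appends /32.
# Assumption: IPv4 only; a bare address gets /32, an explicit /N (0-32) is kept.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}                 # leading octet
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        [ "$rest" = "$octet" ] && break   # no more dots
        rest=${rest#*.}
    done
    [ "$count" -eq 4 ]
}

# Print $1 in CIDR form, appending /32 when no prefix was supplied.
# Returns 1 (prints nothing) for a malformed address or prefix.
normalize_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32    # no '/' present
    is_ipv4 "$addr" || return 1
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    echo "$addr/$prefix"
}

# Emit an unbound view fragment: one access-control-view per client,
# then the view clause refusing the domain.
# Usage: emit_view VIEWNAME DOMAIN CLIENT...
emit_view() {
    name=$1; domain=$2; shift 2
    echo "# View: $name Clients"
    for client in "$@"; do
        cidr=$(normalize_cidr "$client") || { echo "invalid client: $client" >&2; return 1; }
        echo "access-control-view: $cidr \"$name\""
    done
    printf 'view:\n    name: "%s"\n    view-first: yes\n    local-zone: "%s." refuse\n' "$name" "${domain%.}"
    echo "# EndView: $name"
}
```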
 
unbound normally listens on ALL interfaces, so if you only have one outgoing interface available i.e. WAN, then the 'bind' command is irrelevant.

However, for those that have one or more VPN Client tunnels, then they may wish to bind unbound's outbound requests to the Root DNS to a specific VPN Client tunnel, or they may wish to force unbound to use the fastest interface which is usually the WAN.

The optional 'debug/show' options are simply provided to prove if the bind has been applied to the desired outbound interface.
 
That begs the question why 2 commands? Wouldn't it be simpler to have one bind command with WAN, VPN 1-5 as parameters?
And on a related topic: would it be acceptable and possible to group the advanced menu items by topics? i.e. the DNS related commands as DisableFirefoxDoH, DOT, stubby, dnsmasq on one side of the aisle? Then adblock, youtube, ew commands grouped together etc. The same layout as the creator intended with a scent of grouping; that's all...
 

My understanding about Split DNS is that when you have a resource on your internal network and you want to be able to configure DNS to respond to DNS queries giving different answers (IP) based on where the original DNS request is coming from. So, for example you have an internal server called host1. The Split DNS configuration would allow you to return host1 IP of 192.168.22.1 to internal clients but for external clients DNS would return IP 34.50.22.1

I don't think that Unbound (out of the box) supports such a thing. I have seen some python modules that would allow you to do that but nothing I could find in Unbound documentation that this is built into the product.
 
I thought it is related to BIND VPN, but then why separate option. Yes grouping makes sense. +1
On my screen bind show debug does nothing, but so is sd. I still have some issues at startup (suspecting unbound), but will investigate over the weekend.
 
Code:
A:Option ==> views NoYouTube 10.10.11.25
grep: /opt/share/unbound/configs/unbound.conf.views: No such file or directory
sed: /opt/share/unbound/configs/unbound.conf.views: No such file or directory

    View: 'NoYouTube' added 10.10.11.25/32
 
Anyone notice memory creep with the recent changes? My free memory on my AC-5300 has never been below ~100MB and after a few days of uptime it was down to ~50MB free for the first time. *top* command confirmed that unbound was the culprit. Not requesting a change--just curious to see if anyone else is experiencing the same thing.

RT-AC5300 (armv7l) FW-384.17
Other scripts: Skynet, scribe, uiScribe, connmon, ntpMerlin

Output of '?':
Version=3.16 (Change Log: https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/commits/master/unbound_manager.sh)
Local md5=5dce81880f662a81b709567f38371d75
Github md5=5dce81880f662a81b709567f38371d75
/jffs/addons/unbound/unbound_manager.md5 md5=5dce81880f662a81b709567f38371d75

Router Configuration recommended pre-reqs status:

[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Entware NTP server is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO

Options: Auto Reply='y' for User Selectable Options ('3 4') Ad Block,Performance Tweaks

[✔] Ad and Tracker Blocking (No. of Adblock domains=56887,Blocked Hosts=0,Whitelist=19)
[✔] unbound CPU/Memory Performance tweaks
[✔] Router Graphical GUI statistics TAB installed
[✔] unbound-control FAST response ENABLED
[✔] DNS Firewall ENABLED
[✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)
[✔] YouTube Ad Blocking (Forcing to use YT IP 173.194.191.169, No. of YouTube Video Ad domains=111)

I also ran the 'scribe' command and then commented out "log-queries" from my .conf file. Otherwise it's the default conf file
 
Can you issue
Code:
head -n4 /jffs/addons/unbound/unbound_manager.sh
The script should check if the file exists before checking for existing duplicate 'view:' name....:confused:
However I suspect you have misinterpreted the command syntax...
Code:
e  = Exit Script [?]

A:Option ==> views

     Options syntax: [ { uninstall | viewname { '?' | 'uninstall' } ] | {viewname url [ ip_address] } | {viewname ip_address ['del']} ]
So you have not supplied the blocked domain/URL to be associated with the 'view'

I suggest you start again
Code:
e  = Exit Script [?]

A:Option ==> views uninstall
then
Code:
views NoYouTube www.youtube.com 10.10.11.25
To add another client to the view then use the following syntax
Code:
views NoYouTube 10.10.11.xxx
Check the 'view:' blocking rule
Code:
views NoYouTube  ?
or view/edit the file using
Code:
viewsv

or

viewsx
 
Code:
#!/bin/sh
# shellcheck disable=SC2086,SC2068,SC1087,SC2039,SC2155,SC2124,SC2027,SC2046
VERSION="3.17b"
#============================================================================================ © 2019-2020 Martineau v3.17b8

Code:
# View: NoYouTube Clients
access-control-view: 10.10.11.25/32 "NoYouTube"
access-control-view: 10.10.11.1/32 "NoYouTube"
view:
    name: "NoYouTube"
    view-first: yes
    local-zone: "www.youtube.com." refuse
# EndView: NoYouTube

Seems to be working now.... I think it's the missing domain issue as you said ... the view I created previously was in a file called unbound.conf.addViews which I assume is redundant now? The new views file is unbound.conf.views

There was no unbound.conf custom server directive last time so I put my own (which I can remove now)
Code:
include: "/opt/share/unbound/configs/unbound.conf.addViews"
but see its auto created now
Code:
include: "/opt/share/unbound/configs/unbound.conf.views"
 

the view i created previously was in a file called unbound.conf.addViews which i assume is redundant now? The new views file is unbound.conf.views
Yes 'unbound.conf.addViews' is obsolete.
Seems to be working now.... I think it's the missing domain issue as you said …
I try to make the syntax 'logical' but also flexible without forcing the user to explicitly prefix the parameters e.g. domain/url value i.e. 'url=www.you.tube.com'

I haven't used the unbound-control commands to bulk load the IP Addresses etc., but the main question is does it work? ;)

e.g. Excerpt from my log as LAN client device 10.88.8.114 subsequently attempted to access 'www.youtube.com' along with two other LAN client devices
Code:
May 27 16:44:11 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52185 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52185 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@65060 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@65060 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52043 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52043 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@53064 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@53064 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@53644 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@53644 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@56079 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@56079 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@58237 www.youtube.com. A IN
May 27 16:44:41 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@58237 www.youtube.com. A IN
May 27 16:44:42 unbound[2185:0] query: 10.88.8.92 www.youtube.com. A IN
May 27 16:44:42 unbound[2185:0] reply: 10.88.8.92 www.youtube.com. A IN NOERROR 0.062516 0 291
May 27 16:44:42 unbound[2185:0] query: 10.88.8.111 www.youtube.com. A IN
May 27 16:44:52 unbound[2185:0] reply: 10.88.8.111 www.youtube.com. A IN NOERROR 0.000000 1 291
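An added example, not part of unbound_manager.sh, for checking what the log excerpt above shows (the view's client gets refuse, the other clients get NOERROR): an awk-based sh function that tallies refused and answered queries for a domain per LAN client. The log lines embedded below are constructed test data modelled on the excerpt's format, and the function name is my own.

```shell
#!/bin/sh
# Added example, not part of unbound_manager.sh: tally, per LAN client, how many
# queries for a domain unbound refused (view 'local-zone ... refuse') versus
# answered NOERROR, from log lines in the format of the excerpt above.
# Assumptions: log-queries/log-replies are enabled; the lines below are
# constructed test data modelled on that excerpt, not a captured log.

SAMPLE_LOG=$(cat <<'EOF'
May 27 16:44:11 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:11 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52185 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] query: 10.88.8.114 www.youtube.com. A IN
May 27 16:44:40 unbound[2185:0] info: www.youtube.com. refuse 10.88.8.114@52043 www.youtube.com. A IN
May 27 16:44:42 unbound[2185:0] query: 10.88.8.92 www.youtube.com. A IN
May 27 16:44:42 unbound[2185:0] reply: 10.88.8.92 www.youtube.com. A IN NOERROR 0.062516 0 291
May 27 16:44:52 unbound[2185:0] reply: 10.88.8.111 www.youtube.com. A IN NOERROR 0.000000 1 291
EOF
)

# Usage: summarize_view_log DOMAIN < logfile
# Prints one line per client: "<client> <refused> <answered>", sorted.
# The 'info:'/'reply:' token is located by scanning, so the syslog prefix
# (with or without a hostname, as in the two excerpts in this thread) does not matter.
summarize_view_log() {
    awk -v dom="${1%.}." '
        # true if qname q is the domain itself or a name beneath it
        function under(q) {
            return q == dom || substr(q, length(q) - length(dom)) == "." dom
        }
        {
            for (i = 1; i <= NF; i++)
                if ($i == "info:" || $i == "reply:") break
            if (i > NF) next
            # info:  <zone> refuse <client>@<port> <qname> <type> <class>
            # reply: <client> <qname> <type> <class> <rcode> <time> <cache> <bytes>
            if ($i == "info:" && $(i+2) == "refuse" && under($(i+4))) {
                split($(i+3), c, "@")
                refused[c[1]]++
            } else if ($i == "reply:" && under($(i+2)) && $(i+5) == "NOERROR") {
                answered[$(i+1)]++
            }
        }
        END {
            for (ip in refused)  seen[ip] = 1
            for (ip in answered) seen[ip] = 1
            for (ip in seen)
                printf "%s %d %d\n", ip, refused[ip] + 0, answered[ip] + 0
        }' | LC_ALL=C sort
}

# Run on the constructed sample: 10.88.8.114 is refused twice,
# the other two clients are answered once each.
printf '%s\n' "$SAMPLE_LOG" | summarize_view_log www.youtube.com
```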
 

Adding 10.10.11.0 to include the whole subnet without adding the /24 CIDR notation auto generates 10.10.11.0/32

Could the script cater for the whole subnet scenario?
 
:confused: So if the last octet of the IP Address is 0 you want the script to always assume/append subnet mask CIDR notation '/24' ?

 
No I didn't mean that..... I was just thinking that if the last octet is zero that's a reserved address so the intention was most likely to include the whole subnet. I guess there is no way to help in that regard because there's no way to infer the CIDR from the rest of the address.

I can see the CIDR of the subnet if I use ip route ... would that be a good place to grab it?
Code:
tOmsK@RT-AC68U-4690:/tmp/home/root# ip route
192.168.0.1 dev eth0  proto kernel  scope link
10.11.12.0/24 dev wl1.1  proto kernel  scope link  src 10.11.12.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.164
10.10.10.0/24 dev br0  proto kernel  scope link  src 10.10.10.1
10.10.11.0/24 dev wl0.1  proto kernel  scope link  src 10.10.11.1
127.0.0.0/8 dev lo  scope link
default via 192.168.0.1 dev eth0
 
Sorry I may be dense, but although adding the '/32' suffix to a single IP Address is effectively redundant in most cases (but I did add this auto-CIDR for your convenience as it made sense), the last octet when specifying the '/24' suffix is invariably almost always '0' - as evidenced in your output above.

Not quite sure why you can't explicitly specify the subnet mask in CIDR notation i.e. you may actually wish to use only the first 7 (technically 8) IP Addresses

e.g.
Code:
10.10.11.0/29
in which the script would get it wrong.

Anyway all of this discussion is moot unless you can confirm that the unbound 'NoYouTube' 'view:' does allow you to alter the DNS response based on the source IP address - in this block access to YouTube for any LAN device defined to the 'NoYouTube' 'view:'
 

Seems to work
Code:
# View: NoYouTube Clients
access-control-view: 10.11.12.0/24 "NoYouTube"
view:
    name: "NoYouTube"
    view-first: yes
    local-zone: "youtube.com." refuse
# EndView: NoYouTube

Code:
May 28 14:27:58 RT-AC68U-4690 unbound: [9527:0] query: 10.11.12.168 m.youtube.com. A IN
May 28 14:27:58 RT-AC68U-4690 unbound: [9527:0] info: youtube.com. refuse 10.11.12.168@59565 m.youtube.com. A IN
May 28 14:27:58 RT-AC68U-4690 unbound: [9527:0] reply: 10.11.12.168 m.youtube.com. A IN REFUSED 0.000000 1 31
May 28 14:28:14 RT-AC68U-4690 unbound: [9527:0] query: 10.11.12.196 m.youtube.com. A IN
May 28 14:28:14 RT-AC68U-4690 unbound: [9527:0] info: youtube.com. refuse 10.11.12.196@62508 m.youtube.com. A IN
May 28 14:28:14 RT-AC68U-4690 unbound: [9527:0] reply: 10.11.12.196 m.youtube.com. A IN REFUSED 0.000000 1 31
 
Brilliant! :) -thanks for the feedback.....although seemingly no one in your home is allowed to access YouTube if they are on that subnet? - seems a bit harsh:p
 