Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

I did not want to post this question as a separate thread, but here it goes. How would one make Unbound DNS a primary DNS? What I mean by that is when Unbound is down one would lose access to the internet, sort of like a kill switch in VPN. I understand that this would be possible when Unbound DNS replaces DNSMASQ DNS.
But, can something be done or configured when using Unbound with dnsmasq?
This is already taken care of in the script .... If unbound exits, the primary DNS will failsafe back to dnsmasq
 

Yes, but this is the opposite to what I am asking. When Unbound exits I would want to have all DNS queries to fail.
 
What if you left both WAN DNS Server options blank? But would there be unintended consequences?

You need DNS during boot time so NTP can start and then Unbound. Makes me wonder if somehow DNSFilter can be configured to use Unbound IP and Port, but I don't know if this is possible.
 
Anything is possible with a bit of nifty scripting, but I can't understand why you would want to hobble the router like that?..... I get the point of a VPN kill switch because you don't want to leak your IP, but are you so worried about your DNS queries being temporarily routed to your ISP/Cloudflare/Google/etc. rather than to the root servers until you can reinstate unbound, that you would rather have no DNS resolution at all for your clients?
The only downside I can see is that you would temporarily lose any "split horizon" that you had created with views, and RR/domain manipulation you might have done through local-data/zone entries.
Unbound as a primary DNS has been rock solid for me, only failing when I did something stupid to it myself, but I love having the reassurance of the fallback to dnsmasq in the event anything goes awry.
 

I too am completely mystified :confused: , and have absolutely no idea if the OP is trying to impress by playing devil's advocate with a hypothetical "what-if?", but quite clearly (without resorting to 'nifty scripting') the default behaviour for DNS resolution is to FAIL if unbound isn't UP in either scenario:

i.e unbound is the only Primary DNS or unbound is the Primary upstream DNS for dnsmasq (unbound+dnsmasq)

surely the OP could grasp this very simple concept? :rolleyes:

However, giving the OP the benefit of the doubt, it actually depends on the interpretation of the OP's ambiguous phrase "When Unbound exits"

Perhaps the OP is referring to this post where I confess that I explicitly endeavour to ensure 'unbound_manager' doesn't disable all LAN DNS resolution when using the '3'/'x' stop manual command in standard unbound+dnsmasq configurations?
 
I have never had unbound fail on me as a running process, only when I do something stupid, so agreed the what-ifs are unlikely in the normal run of things. I can't even make unbound deliberately die with the reload command now that the maestro has patched it
Code:
A:Option ==> rl

Reloading 'unbound.conf' status=17:20:33 Saving unbound cache to '/opt/share/unbound/configs/cache.txt'
ok
[1591536034] unbound-control[30174:0] error: connect: Connection refused for 127.0.0.1 port 953
    ***ERROR unbound NOT running! - option unavailable
17:20:34 Checking 'unbound.conf' for syntax errors.....
17:20:34 Requesting unbound (S61unbound) restart.....
 Starting unbound...              done.
17:20:36 Checking status, please wait.....
17:20:38 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-06-07 17:20:34)
17:20:40 unbound OK
Typical failsafe experience for me lately is experimenting with the views by directly editing the unbound.conf.view file and restarting unbound via "rs" to take effect (and before that, it was messing directly with the unbound.conf file).
Unbound will fail to restart with a bad config, and due to the service dnsmasq_restart issued because of "rs" the unbound.postconf will be re-read, and because unbound is not running will enable dnsmasq to revert to DNS duties.... I really like this behaviour.. at least there is still DNS resolution until I can undo my follies.
Fortunately for me, with @Martineau's additional zone types handling, I can do most editing from the unbound_manager views commands now, where happily unbound-checkconf catches my screw ups and the restart is rejected.
Looking at this post, seeing as S61unbound now has the POSTCMD="service restart_dnsmasq" entry, wouldn't dnsmasq be returned to DNS duty even when
Code:
sh /opt/etc/init.d/S61unbound stop
was issued now?
 
I don't like the idea of restarting two services. I use it like this for some time.

on /jffs/scripts/post-mount
Code:
if [ -n "$(pidof unbound)" ];then
   service restart_dnsmasq
fi

For unbound without dnsmasq, set

on /jffs/scripts/dnsmasq.postconf
Code:
sleep 2s
echo nameserver 127.0.0.1 > /etc/resolv.conf
 
S61unbound executes
Code:
. /opt/etc/init.d/rc.func
to physically apply the desired action to the task.

So for the 'stop' action, 'rc.func' doesn't execute the 'start()' function containing the $POSTCMD command....
Code:
start() {

    [ "$CRITICAL" != "yes" -a "$CALLER" = "cron" ] && return 7
        [ "$ENABLED" != "yes" ] && return 8
    echo -e -n "$ansi_white Starting $DESC... $ansi_std"
    if [ -n "`pidof $PROC`" ]; then
        echo -e "            $ansi_yellow already running. $ansi_std"
        return 0
    fi
    $PRECMD > /dev/null 2>&1
    $PREARGS $PROC $ARGS > /dev/null 2>&1 &
    #echo $PREARGS $PROC $ARGS
    COUNTER=0
    LIMIT=10
    while [ -z "`pidof $PROC`" -a "$COUNTER" -le "$LIMIT" ]; do
        sleep 1;
        COUNTER=`expr $COUNTER + 1`
    done
    $POSTCMD > /dev/null 2>&1

<snip>
 
Got it, thanks... so for restart you're also invoking the POSTCMD because you are actually issuing a stop then start function?
Code:
for PROC in $PROCS; do
    case $ACTION in
        start)
            start
            ;;
        stop | kill )
            check && stop
            ;;
        restart)
            check > /dev/null && stop
            start
            ;;
Sorry to drag the thread a bit off topic with entware stuff.. but good to know
 
Chill out guys and don't jump to conclusions so easily. Simply asking a question is not a sin and patronizing someone for that is just not professional. If someone decides that they want to use or explore the option to have Unbound as the primary DNS without ability to fall down to other DNS servers it is the choice the person may want for a reason.
 
So? Explain that reason then.
 
Simple, really. Unbound DNS is on premise DNS resolver. One may want to have/force to use only on premise DNS without falling back to off premise DNS like Google or others. It is easy to configure this scenario/requirement just by removing DNS entries in WAN section and configuring router NTP to use IP address for ntp server - I use both Cloudflare NTP IP addresses. That may not be the best practice for NTP server configuration (since IP addresses may change) when using ntp pool but with Cloudflare and others releasing NTP servers one may use these as an alternative and use IP addresses directly for NTP service.

Configuring NTP IP and removing WAN DNS servers will guarantee that your local on premise Unbound DNS is truly the primary and only DNS server that your local LAN will be using.
When you configure this, you have to be aware that if Unbound crashes or stops working for whatever reason all DNS queries will fail. This is the simplest option to set it up. In my setup I am still using dnsmasq as dhcp and forwarding dns queries from dnsmasq to Unbound. Unbound DNS has been very stable for me without any issues so I am not afraid to use it as the only local resolver. For my purpose, what I wanted is to have only on premise DNS that will not fall back to outside/off premise DNS.

Although we are mostly home users, you would not have a business that runs Unbound on-premise DNS to fall back to off-premise DNS - would you? Anyway, I hope people would find this interesting and as another option if they choose to do so and have on-premise DNS only. I don't see this as a bad thing and I always appreciate and value others' opinions.
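
One way to check the on-premise-only setup described in the post above, as an added example that is not part of the thread or of unbound_manager: the hypothetical function `audit_dns_failclosed` reads a dnsmasq config and a resolv.conf and reports every upstream that would let queries leave the router if unbound is down. It assumes "on-premise" means a loopback address and inspects only `server=`, `no-resolv` and `nameserver` lines; the sample files and the port `53535` are constructed.

```shell
#!/bin/sh
# Added example: audit DNS config for off-box fallback resolvers.
# audit_dns_failclosed <dnsmasq.conf> <resolv.conf>
# Prints one finding per line; returns 0 when fail-closed, 1 otherwise.
audit_dns_failclosed() {
    awk '
        function loopback(a) { return a ~ /^127\./ || a == "::1" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # whole-line comments, blanks
        FILENAME == ARGV[1] {                    # first file: dnsmasq config
            if ($0 ~ /^no-resolv[ \t]*$/) noresolv = 1
            if ($0 ~ /^server=/) {
                a = $0
                sub(/^server=/, "", a)
                sub(/^\/.*\//, "", a)            # drop a /domain/ selector
                sub(/[#@].*$/, "", a)            # drop port and interface suffix
                if (a != "" && !loopback(a)) {
                    print "dnsmasq upstream off-box: " a; bad = 1
                }
            }
            next
        }
        $1 == "nameserver" && !loopback($2) {    # second file: resolv.conf
            print "resolv.conf nameserver off-box: " $2; bad = 1
        }
        END {
            if (!noresolv) {
                print "dnsmasq lacks no-resolv: resolv file servers are also used"
                bad = 1
            }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample configs (not taken from a real router).
tmp=$(mktemp -d)
printf '%s\n' 'no-resolv' 'server=127.0.0.1#53535' 'server=/lan/' > "$tmp/closed.conf"
printf '%s\n' '# leftover WAN DNS' 'server=127.0.0.1#53535' 'server=1.1.1.1' > "$tmp/open.conf"
printf '%s\n' 'nameserver 127.0.0.1' > "$tmp/resolv.local"
printf '%s\n' 'nameserver 127.0.0.1' 'nameserver 8.8.8.8' > "$tmp/resolv.wan"

audit_dns_failclosed "$tmp/closed.conf" "$tmp/resolv.local" && echo "closed.conf: fail-closed"
audit_dns_failclosed "$tmp/open.conf" "$tmp/resolv.wan" || echo "open.conf: can fall back off-box"
```

The non-zero return makes the check usable from a cron job or a post-restart hook to alert when a firmware update or GUI change re-adds a WAN resolver.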
 
For adblock unbound:

Code:
2mdn.net
adocean.pl
criteo.com
gemius.pl
npttech.com
onet.hit.gemius.pl
pro.hit.gemius.pl
 
Both solutions, dnsmasq and unbound have stability. For unbound it has some advantages for being modular, scalable, adding functions. Promises the next version of unbound. TCP TLS, DNS-over-HTTPS.
 
1% cache hit success:
https://imgur.com/Zp4eAEE

After one week without unbound, I gave it a try, again.
But, what's wrong with it? Only 1% cache hit success.
I opened my browser with 42 tabs twice. 1% is the result. Why?
 
Try to do 'rs nocache'. It helped in my case - I had 69 % cache hit, after doing this I have 95
 
Start unbound_manager, then type 'rs nocache'. This will restart unbound
 
Due to 'unbound_manager' development, I'm always restarting unbound, but ...WTF!!! I get 91% in <20 hours...why? :rolleyes:

Code:
e  = Exit Script [?]

A:Option ==> s

total.num.queries=48996             total.num.expired=9226              total.requestlist.exceeded=0            total.tcpusage=0
total.num.queries_ip_ratelimited=0  total.num.recursivereplies=4183     total.requestlist.current.all=0         msg.cache.count=3546
total.num.cachehits=44813           total.requestlist.avg=0.623203      total.requestlist.current.user=0        rrset.cache.count=8911
total.num.cachemiss=4183            total.requestlist.max=24            total.recursion.time.avg=0.106537       infra.cache.count=3717
total.num.prefetch=13901            total.requestlist.overwritten=0     total.recursion.time.median=0.0430505   key.cache.count=469

Summary: Cache Hits success=91.00%

unbound (pid 9268) is running... uptime: 0 Days, 19:49:01 version: 1.10.0 # rgnldo Github Version=v1.10 Martineau update (Date Loaded by unbound_manager Sun Jun 7 19:05:33 DST 2020)