Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Milan]

i am getting >90 % in one hour ...

 

[Ubimo]

I think something is wrong with my unbound/unbound_manager installation.
I can't overcome 1-2% cache hit success.
I think something stays behind on my router when I remove unbound_manager.
I reinstalled unbound_manager four times, the result is always the same.
This wasn't happening three weeks ago.
I'm considering a nuclear reset.

Edit:
"rs nocache" isn't working. unbound_manager says invalid option.

Edit2:
I resinstalled unbound_manager one more time and reloaded one website 8 times.
Statistics say, 8 queries, 8 cache misses, 0% cache hit. See screenshot: https://imgur.com/a/0cgX4qL
Something is foul, but I can't figure it out... Please help.

 

[Milan]

are u using unbound as a primary DNS on LAN ?

 

[Ubimo]

Yes, DNS Filter (global filter mode = Router) is on.
Why does "rs nocache" not work in unbound manager?

 

[tomsk]

Yes, DNS Filter (global filter mode = Router) is on.
Why does "rs nocache" not work in unbound manager?

you're not including the quotes i hope?

 

[Martineau]

Why does "rs nocache" not work in unbound manager?

Because it is not a valid command in 'Easy' menu mode.

 

[Ubimo]

Yes, of course without the quotes. :-D
How can I enter advanced menu mode?
Edit:
I figured out how to start unbound manager in advanced mode.
rs nocache did work.
Testing....

Edit2:
I reloaded a website 12 times.
12 cache misses, 0% cache hits.
https://imgur.com/QxwBMII
:-(

Log:

Jun 08 19:38:48 unbound[5482:0] notice: init module 2: iterator
Jun 08 19:38:48 unbound[5482:0] info: start of service (unbound 1.10.0).
Jun 08 19:38:49 unbound[5482:0] info: generate keytag query _ta-4f66. NULL IN
Jun 08 19:38:55 unbound_manager: '--':  =================================================================================== Auto-Stopped Post-Install
Jun 08 19:41:05 unbound[5482:0] info: service stopped (unbound 1.10.0).
Jun 08 19:41:08 unbound[7995:0] info: start of service (unbound 1.10.0).
Jun 08 19:53:48 unbound[7995:0] error: SERVFAIL <193.42.244.104.in-addr.arpa. PTR IN>: all servers for this domain failed, at zone 42.244.104.in-addr.arpa.
Jun 08 20:09:50 unbound[7995:0] info: service stopped (unbound 1.10.0).
Jun 08 20:09:54 unbound[23517:0] info: start of service (unbound 1.10.0).
Jun 08 20:13:45 unbound_manager: 'lo':  =================================================================================== Started Loglevel=1

 

[Martineau]

Yes, of course without the quotes. :-D
How can I enter advanced menu mode?
Edit:
I figured out how to start unbound manager in advanced mode.
rs nocache did work.
Testing....

Edit2:
I reloaded a website 12 times.
12 cache misses, 0% cache hits.
https://imgur.com/QxwBMII
:-(

You will need to post 'unbound.conf' ......preferably as a text file.

 

[Ubimo]

Here is my unbound.cfg.
Edit:
Wrong file

 

[tomsk]

Here is my unbound.cfg.

your unbound.conf file is at /opt/var/lib/unbound/unbound.conf

 

[Ubimo]

Ah, thanks, so here is the file.

Edit:
And here is a part of the log.
I see, there is one error.

Spoiler

Jun 08 19:38:48 unbound[5482:0] notice: init module 0: respip
Jun 08 19:38:48 unbound[5482:0] notice: init module 1: validator
Jun 08 19:38:48 unbound[5482:0] notice: init module 2: iterator
Jun 08 19:38:48 unbound[5482:0] info: start of service (unbound 1.10.0).
Jun 08 19:38:49 unbound[5482:0] info: generate keytag query _ta-4f66. NULL IN
Jun 08 19:38:55 unbound_manager: '--': =================================================================================== Auto-Stopped Post-Install
Jun 08 19:41:05 unbound[5482:0] info: service stopped (unbound 1.10.0).
Jun 08 19:41:08 unbound[7995:0] info: start of service (unbound 1.10.0).
Jun 08 19:53:48 unbound[7995:0] error: SERVFAIL <193.42.244.104.in-addr.arpa. PTR IN>: all servers for this domain failed, at zone 42.244.104.in-addr.arpa.
Jun 08 20:09:50 unbound[7995:0] info: service stopped (unbound 1.10.0).
Jun 08 20:09:54 unbound[23517:0] info: start of service (unbound 1.10.0).
Jun 08 20:13:45 unbound_manager: 'lo': =================================================================================== Started Loglevel=1
Jun 08 20:15:44 unbound[23517:0] info: service stopped (unbound 1.10.0).
Jun 08 20:15:44 unbound[23517:0] info: server stats for thread 0: 19 queries, 0 answers from cache, 19 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Jun 08 20:15:44 unbound[23517:0] info: server stats for thread 0: requestlist max 3 avg 1.42105 exceeded 0 jostled 0
Jun 08 20:15:44 unbound[23517:0] info: average recursion processing time 0.134187 sec
Jun 08 20:15:44 unbound[23517:0] info: histogram of recursion processing times
Jun 08 20:15:44 unbound[23517:0] info: [25%]=0.0550034 median[50%]=0.086016 [75%]=0.124928
Jun 08 20:15:44 unbound[23517:0] info: lower(secs) upper(secs) recursions
Jun 08 20:15:44 unbound[23517:0] info: 0.032768 0.065536 7
Jun 08 20:15:44 unbound[23517:0] info: 0.065536 0.131072 8
Jun 08 20:15:44 unbound[23517:0] info: 0.131072 0.262144 1
Jun 08 20:15:44 unbound[23517:0] info: 0.262144 0.524288 2
Jun 08 20:15:44 unbound[23517:0] info: 0.524288 1.000000 1
Jun 08 20:15:47 unbound[29210:0] notice: init module 0: respip
Jun 08 20:15:47 unbound[29210:0] notice: init module 1: validator
Jun 08 20:15:47 unbound[29210:0] notice: init module 2: iterator
Jun 08 20:15:48 unbound[29210:0] info: start of service (unbound 1.10.0).
Jun 08 20:15:55 unbound_manager: '++': =================================================================================== Started User-Install
Jun 08 20:16:51 unbound[29210:0] query: 127.0.0.1 de.ioam.de. A IN
Jun 08 20:16:51 unbound[29210:0] query: 127.0.0.1 www.google-analytics.com. A IN
Jun 08 20:16:51 unbound[29210:0] query: 127.0.0.1 ib.adnxs.com. A IN
Jun 08 20:16:51 unbound[29210:0] query: 127.0.0.1 de.ioam.de. A IN
Jun 08 20:16:51 unbound[29210:0] query: 127.0.0.1 www.google-analytics.com. A IN
Jun 08 20:16:51 unbound[29210:0] info: generate keytag query _ta-4f66. NULL IN
Jun 08 20:16:52 unbound[29210:0] query: 127.0.0.1 ib.adnxs.com. A IN
Jun 08 20:16:54 unbound[29210:0] query: 127.0.0.1 65.103.215.91.in-addr.arpa. PTR IN
Jun 08 20:16:54 unbound[29210:0] query: 127.0.0.1 14.221.33.185.in-addr.arpa. PTR IN
Jun 08 20:16:54 unbound[29210:0] query: 127.0.0.1 14.221.33.185.in-addr.arpa. PTR IN
Jun 08 20:16:54 unbound[29210:0] query: 127.0.0.1 65.103.215.91.in-addr.arpa. PTR IN
Jun 08 20:17:00 unbound[29210:0] query: 127.0.0.1 www.ebay.at. A IN
Jun 08 20:17:00 unbound[29210:0] query: 127.0.0.1 rover.ebay.at. A IN
Jun 08 20:17:00 unbound[29210:0] query: 127.0.0.1 www.ebay.at. A IN

 

[Slawek P]

The only non-standard stuff I have are IPv6 interfaces

interface: ::1
interface: 2a02:dead:beef::1

I can comment it out before next reboot and see what happens. Do you think there could be some issue with S80pixelserv-tls overtaking S61unbound and locking it out from br0 configuration?

So commenting out these interfaces did not help. I do not think unbound is the issue here. It is more
S61unbound not executed at all or hanging during restart. Strangely this is the only daemon that logs nothing. I have added extra checkpoint logging, but can't reboot this evening (family!)
Reboot took time at 1am and there's no sign of S61unbound in either unbound.log or System Messages
Finally adblock generation service restart wakes it up after 5...

un  7 01:00:01 asus unbound: [2966:0] info: service stopped (unbound 1.10.0).
Jun  7 01:57:00 asus (unbound_log.sh): 3119 Processed 0 reply_domains...
Jun  7 02:57:01 asus (unbound_log.sh): 30920 Processed 0 reply_domains...
Jun  7 03:57:00 asus (unbound_log.sh): 26470 Processed 0 reply_domains...
Jun  7 04:57:00 asus (unbound_log.sh): 22111 Processed 0 reply_domains...
Jun  7 05:00:00 asus (gen_adblock.sh): 28193 @juched - v1.0.8 - Thanks to @SomeWhereOverTheRainBow
Jun  7 05:00:04 asus (gen_adblock.sh): 28193 Number of adblocked hosts: 57132
Jun  7 05:00:04 asus (gen_adblock.sh): 28193 Warning unbound NOT running!
Jun  7 05:15:00 asus (unbound-pixel.sh): 1803 Converting nxdomain to Pixelserv format.
Jun  7 05:15:01 asus (unbound-pixel.sh): 1803 Unbound adblocker adservers file has been updated.
Jun  7 05:15:01 asus (unbound_manager): 1957 Starting Script Execution (restart)
Jun  7 05:15:03 asus S61unbound: restart Unbound DNS server (bypass dnsmasq) /opt/etc/init.d/S61unbound

 

[Martineau]

So commenting out these interfaces did not help. I do not think unbound is the issue here. It is more
S61unbound not executed at all or hanging during restart. Strangely this is the only daemon that logs nothing. I have added extra checkpoint logging, but can't reboot this evening (family!)
Reboot took time at 1am and there's no sign of S61unbound in either unbound.log or System Messages
Finally adblock generation service restart wakes it up after 5...

un  7 01:00:01 asus unbound: [2966:0] info: service stopped (unbound 1.10.0).
Jun  7 01:57:00 asus (unbound_log.sh): 3119 Processed 0 reply_domains...
Jun  7 02:57:01 asus (unbound_log.sh): 30920 Processed 0 reply_domains...
Jun  7 03:57:00 asus (unbound_log.sh): 26470 Processed 0 reply_domains...
Jun  7 04:57:00 asus (unbound_log.sh): 22111 Processed 0 reply_domains...
Jun  7 05:00:00 asus (gen_adblock.sh): 28193 @juched - v1.0.8 - Thanks to @SomeWhereOverTheRainBow
Jun  7 05:00:04 asus (gen_adblock.sh): 28193 Number of adblocked hosts: 57132
Jun  7 05:00:04 asus (gen_adblock.sh): 28193 Warning unbound NOT running!
Jun  7 05:15:00 asus (unbound-pixel.sh): 1803 Converting nxdomain to Pixelserv format.
Jun  7 05:15:01 asus (unbound-pixel.sh): 1803 Unbound adblocker adservers file has been updated.
Jun  7 05:15:01 asus (unbound_manager): 1957 Starting Script Execution (restart)
Jun  7 05:15:03 asus S61unbound: restart Unbound DNS server (bypass dnsmasq) /opt/etc/init.d/S61unbound

Adding the following to 'unbound.conf'

server:
ip-freebind:   yes

should eliminate any 'interface:' induced failures.

If you say there are no S61unbound messages in Syslog, have you checked post-mount?

 

[Martineau]

are u using unbound as a primary DNS on LAN ?

@Ubimo If

Yes, DNS Filter (global filter mode = Router) is on.

is supposed to be your answer to the question posed by @Milan, then you have not understood the query as clearly you are not using unbound as the Primary (i.e. only) DNS for the LAN clients.

i.e. Your LAN clients are actually still (by default) using dnsmasq as their Primary DNS, and dnsmasq is forwarding its DNS requests upstream to unbound.

 

[Slawek P]

Adding the following to 'unbound.conf'

server:
ip-freebind:   yes

should eliminate any 'interface:' induced failures.

If you say there are no S61unbound messages in Syslog, have you checked post-mount?

Post mount is healthy to me

#!/bin/sh
swapon /tmp/mnt/lexar/myswap.swp # Swap file created by amtm
. /jffs/addons/diversion/mount-entware.div # Added by Diversion
cru a logrotate "5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf >> /opt/tmp/logrotate.daily 2>&1" # added by scribe
. /jffs/addons/unbound/unbound_stats.sh startup # Unbound_Stats.sh

Just added more logging to rc.unslung and S61unbound to see what is really going on.
Will check tomorrow morning.
BTW - what calls /jffs/scripts/init-start at start up - I can't see /jffs/addons/unbound/stuning loggging its presence.

EDIT: added also ip-freebind just in case

 

[martinr]

Thanks, will try.
What's "rs nocache"?

https://www.snbforums.com/threads/r...ecursive-dns-server.61669/page-26#post-551363

 

[Ubimo]

May I ask how to set unbound as my primary (only) DNS?
I thought DNS filter on, forces all clients to use my router as DNS? And as I just have installed unbound manager, I thought unbound now takes care of DNS? (instead of dnsmasq)?
What else is there to do?

 

[tomsk]

May I ask how to set unbound as my primary (only) DNS?
I thought DNS filter on, forces all clients to use my router as DNS? And as I just have installed unbound manager, I thought unbound now takes care of DNS? (instead of dnsmasq)?
What else is there to do?

When you use unbound manager to install unbound on your router, it will initially configure dnsmasq to forward its dns queries to unbound instead of an upstream DNS such as your ISP. So dnsmasq is still the primary dns ( i.e dnsmasq is listening to and replying to queries from your clients) although it will not answer any queries from its own cache as this is disabled. Unbound will now send the dns queries directly to the root servers or answer from its own cache.
To run unbound as the primary dns you need to use the "dnsmasq disable" command and this will reconfigure dnsmasq dns to be disabled and unbound will directly listen and reply to your clients.

 

[Milan]

When you use unbound manager to install unbound on your router, it will initially configure dnsmasq to forward its dns queries to unbound instead of an upstream DNS such as your ISP. So dnsmasq is still the primary dns ( i.e dnsmasq is listening to and replying to queries from your clients) although it will not answer any queries from its own cache as this is disabled. Unbound will now send the dns queries directly to the root servers or answer from its own cache.
To run unbound as the primary dns you need to use the "dnsmasq disable" command and this will reconfigure dnsmasq dns to be disabled and unbound will directly listen and reply to your clients.

@Ubimo: before disabling dnsmasq please dont forget to set domain name LAN->LAN IP configuration ...

 

[SomeWhereOverTheRainBow]

Due to 'unbound_manager' development, I'm always restarting unbound, but ...WTF!!! I get 91% in <20 hours...why?

e  = Exit Script [?]

A:Option ==> s

total.num.queries=48996             total.num.expired=9226              total.requestlist.exceeded=0            total.tcpusage=0
total.num.queries_ip_ratelimited=0  total.num.recursivereplies=4183     total.requestlist.current.all=0         msg.cache.count=3546
total.num.cachehits=44813           total.requestlist.avg=0.623203      total.requestlist.current.user=0        rrset.cache.count=8911
total.num.cachemiss=4183            total.requestlist.max=24            total.recursion.time.avg=0.106537       infra.cache.count=3717
total.num.prefetch=13901            total.requestlist.overwritten=0     total.recursion.time.median=0.0430505   key.cache.count=469

Summary: Cache Hits success=91.00%

unbound (pid 9268) is running... uptime: 0 Days, 19:49:01 version: 1.10.0 # rgnldo Github Version=v1.10 Martineau update (Date Loaded by unbound_manager Sun Jun 7 19:05:33 DST 2020)
CODE]

That is due to all your responses being cached properly and being used properly(hopefully). the question is, do you have any stale cache getting used?

total.num.expired=9226