Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[zaxcom]

Click on the Transport circle and it will show that it tested IPv6 lookups.

yes, it all looks good. thanks for the link.

 

[bluzfanmr1]

There is a link in Post #1 to the Github unbound_manager 'Read me', and if you scroll down you can see two methods providing instructions on how to switch between 'Easy' and 'Advanced' menu mode

View attachment 27053

I've never been able to switch to advanced mode using this method. When I type easy I get this:

e  = Exit Script [?]

E:Option ==> easy

Easy Menu mode ENABLED

When I type advanced I get this every time:

e  = Exit Script [?]

E:Option ==> advanced

    Invalid Option "advanced" Please enter a valid option

Am I doing this wrong? I can successfully get to advanced mode via "unbound_manager advanced" from a command line.

 

[Slawek P]

Unbound.conf changes that I made locally - review please?

#########################################
# integration IPV6
#
#do-ip6: no
 do-ip6: yes
 interface: 2a00:2222:6666:8888::1
 access-control: 2a00:2222:6666:8888::/48 allow

 access-control: ::/0 refuse

 access-control: ::1/128 allow
 access-control: fc00::/7 allow
 access-control: fe80::/10 allow

 private-address: ::1/128
 private-address: fc00::/7
 private-address: fe80::/10
#########################################
remote-control:
control-interface: 127.0.0.1
control-interface: ::1

Many calls to ipv6 unbound interface looking at

num.query.ipv6=226

 

[archiel]

If you wish to force all unbound requests via a VPN Client, then you should be using the appropriate openvpn-event triggers

e.g.

'/jffs/scripts/vpnclientX-up'

unbound_manager.sh vpn=X

'/jffs/scripts/vpnclientX-down'

unbound_manager.sh vpn=disable

to modify 'unbound.conf'

Also, as a failsafe during the boot process i.e. before the VPN Client(s) are connected, it is recommended that you also modify

'/jffs/scripts/post-mount'

logger "Checking unbound VPN bind....."
[ -n "$(which unbound_manager)" ] && { sh /jffs/addons/unbound/unbound_manager.sh vpn=disable; logger "unbound VPN routing DISABLED"; } # unbound_manager

Doh! My bad.
I was trying to stop DNS traffic going through the VPN, so I could test IPv6 lookups, but had completely forgotten that I am using x3mRouting (option 3)
with these files in /jffs/scripts/x3mRouting
vpnclient5-route-pre-down (0755)

    #!/bin/sh
    /jffs/addons/unbound/unbound_manager.sh vpn=disable

vpnclient5-up (0755)

     #!/bin/sh
/jffs/addons/unbound/unbound_manager.sh vpn=5 delay=9 &

 

[archiel]

If dnsmasq is still enabled, all queries forwarded from dnsmasq to Unbound will be over the IPv4 loopback interface, so there would be no incoming IPv6 queries from Unbound’s point of view.

Okay my brain hurts but...

I had set it so that all DNS requests (A & AAAA) would be made via a VPN (to obscure the traffic)
As OpenVPN on rMerlin does not support IPv6, I had thought that this would limit DNS requests to using IPv4
But from the above, Unbound will only be requesting over IPv4 anyway (if dnsmasq is enabled - which it is on my router)
As such there is no difference, apart from obscurity (better) and latency (worse) in routing requests via VPN - is this right?

 

[zaxcom]

Okay my brain hurts but...

I had set it so that all DNS requests (A & AAAA) would be made via a VPN (to obscure the traffic)
As OpenVPN on rMerlin does not support IPv6, I had thought that this would limit DNS requests to using IPv4
But from the above, Unbound will only be requesting over IPv4 anyway (if dnsmasq is enabled - which it is on my router)
As such there is no difference, apart from obscurity (better) and latency (worse) in routing requests via VPN - is this right?

To piggyback on your question... I am weighing a question in my mind too. Unbound feels faster to me (could be an illusion) than letting my router connect directly to Cloudflare (or any other DNS), but Cloudflare uses DoT which prevents my snoopy ISP from seeing my requests. As far as I understand, Unbound is not encrypted to the Root servers, so my requests that don't get answered by the local cache are fair game to my ISP.

 

[dave14305]

Okay my brain hurts but...

I had set it so that all DNS requests (A & AAAA) would be made via a VPN (to obscure the traffic)
As OpenVPN on rMerlin does not support IPv6, I had thought that this would limit DNS requests to using IPv4
But from the above, Unbound will only be requesting over IPv4 anyway (if dnsmasq is enabled - which it is on my router)
As such there is no difference, apart from obscurity (better) and latency (worse) in routing requests via VPN - is this right?

My comment is about queries coming into Unbound from the LAN, not queries going outbound to the Internet (or VPN). The stat counter num.query.ipv6 is for queries Unbound receives, not for queries it sends. To ensure Unbound sends no outbound IPv6 queries, make sure do-ip6 is set to no.

As far as I understand, Unbound is not encrypted to the Root servers, so my requests that don't get answered by the local cache are fair game to my ISP.

True.

 

[archiel]

My comment is about queries coming into Unbound from the LAN, not queries going outbound to the Internet (or VPN). The stat counter num.query.ipv6 is for queries Unbound receives, not for queries it sends. To ensure Unbound sends no outbound IPv6 queries, make sure do-ip6 is set to no.

True.

No quite what I was I was trying to understand.

What am am interested in is whether Unbound will try to make AAAA queries via IPv6 - I can already see that will do them via IPv4, and in theory it can make them via IPv6, but if it is receiving all its DNS requests from dnsmasq and this is via IPv4, will it only use IPv4 itself to do the lookups? Is there a stat counter which looks at which service is used for outbound queries?

 

[dave14305]

No quite what I was I was trying to understand.

What am am interested in is whether Unbound will try to make AAAA queries via IPv6 - I can already see that will do them via IPv4, and in theory it can make them via IPv6, but if it is receiving all its DNS requests from dnsmasq and this is via IPv4, will it only use IPv4 itself to do the lookups? Is there a stat counter which looks at which service is used for outbound queries?

The query type (A vs AAAA) doesn't influence which transport (IPv4 or IPv6) Unbound will use. If it's allowed to use IPv6 (do-ip6: yes), then it may or may not be used. If you want to favor IPv4 or IPv6, look into the prefer-ip4 or prefer-ip6 parameters in the Unbound docs. https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

There isn't a stat I'm aware of for counting outbound queries. You can read through the available stats at the bottom of the unbound-control help page: https://www.nlnetlabs.nl/documentation/unbound/unbound-control/

 

[archiel]

The query type (A vs AAAA) doesn't influence which transport (IPv4 or IPv6) Unbound will use. If it's allowed to use IPv6 (do-ip6: yes), then it may or may not be used. If you want to favor IPv4 or IPv6, look into the prefer-ip4 or prefer-ip6 parameters in the Unbound docs. https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

There isn't a stat I'm aware of for counting outbound queries. You can read through the available stats at the bottom of the unbound-control help page: https://www.nlnetlabs.nl/documentation/unbound/unbound-control/

I think I will have a look (over the weekend if I have time) at the traffic on port 53 with either wireshark on a PC or tcpdump on the router to see what happens in practice (with and without the prefer-ip6 parameter)
----------------------------------------------------------------------------

 

[archiel]

I think I will have a look (over the weekend if I have time) at the traffic on port 53 with either wireshark on a PC or tcpdump on the router to see what happens in practice (with and without the prefer-ip6 parameter)
----------------------------------------------------------------------------

Update
Ran tcpdump on the router looking for ipv4 and ipv6 traffic

tcpdump -vv port 53 and ip6 -i eth0 -w "/mnt/Router/IPv6_Traffic"
tcpdump -vv port 53 and not ip6 -i eth0 -w "/mnt/Router/IPv4_Traffic"

And the loaded these into Wireshark on a WIn10 PC [Could not use PC directly as it cannot see traffic on the WAN side of the router]
As @dave14305 noted I could see A and AAAA queries and responses on both IPv4 and IPV6.

I then re-enabled routing via VPN 5 and found (as expected) that there was no more IPv6 activity.

What I do not understand is why on tcpdump I still see all the port 53 activity on eth0 and all I see on tun15 is

16:59:28.647404 IP 10.8.3.23.54948 > 103.86.96.100.domain: 2+ A? dns.msftncsi.com. (34)
16:59:28.658204 IP 103.86.96.100.domain > 10.8.3.23.54948: 2 1/13/0 A 131.107.255.255 (261)
16:59:43.668948 IP 10.8.3.23.59764 > 103.86.96.100.domain: 2+ A? dns.msftncsi.com. (34)
16:59:43.679482 IP 103.86.96.100.domain > 10.8.3.23.59764: 2 1/13/0 A 131.107.255.255 (261)
...

repeated over and over.

 

[dave14305]

Update
Ran tcpdump on the router looking for ipv4 and ipv6 traffic

tcpdump -vv port 53 and ip6 -i eth0 -w "/mnt/Router/IPv6_Traffic"
tcpdump -vv port 53 and not ip6 -i eth0 -w "/mnt/Router/IPv4_Traffic"

And the loaded these into Wireshark on a WIn10 PC [Could not use PC directly as it cannot see traffic on the WAN side of the router]
As @dave14305 noted I could see A and AAAA queries and responses on both IPv4 and IPV6.

I then re-enabled routing via VPN 5 and found (as expected) that there was no more IPv6 activity.

What I do not understand is why on tcpdump I still see all the port 53 activity on eth0 and all I see on tun15 is

16:59:28.647404 IP 10.8.3.23.54948 > 103.86.96.100.domain: 2+ A? dns.msftncsi.com. (34)
16:59:28.658204 IP 103.86.96.100.domain > 10.8.3.23.54948: 2 1/13/0 A 131.107.255.255 (261)
16:59:43.668948 IP 10.8.3.23.59764 > 103.86.96.100.domain: 2+ A? dns.msftncsi.com. (34)
16:59:43.679482 IP 103.86.96.100.domain > 10.8.3.23.59764: 2 1/13/0 A 131.107.255.255 (261)
...

repeated over and over.

What is the status of the do-ip6 setting in unbound.conf right now?

 

[Milan]

After long time of using unbound manager :

Is ad command adding something from diversion lists to unbound AdBlock ?

 

[Martineau]

After long time of using unbound manager :

Is ad command adding something from diversion lists to unbound AdBlock ?

The ad command (originally hidden internal development aid) does not alter the AdBlock configuration, but simply analyses and creates three AdBlock compatible files ('/opt/tmp/unbound-*')

e.g. in my current AdBlock (183002 domains) configuration, I have the ubiquitous 'Steven Black' list, together with 6 other custom lists (such as TikTok specific)

e  = Exit Script [?]

A:Option ==> ad

Analyzing, please be patient.....may take 30 seconds

Analysed Diversion file: 'blockinglist'     Type=pixelserv, (Adblock Domains=183002) would add 520 entries
Analysed Diversion file: 'blacklist'        Type=pixelserv, (Adblock Domains=183002) would add 2 entries
Analysed Diversion file: 'whitelist'        Type=URL, (Adblock URLs=19) would add 70 entries

In the example above, there are currently 19 AdBlock allowed URLs, and if required, there are approx 70 additional allowed URLs that could be manually included/migrated from Diversion.

 

[archiel]

What is the status of the do-ip6 setting in unbound.conf right now?

 do-ip6: yes
 edns-buffer-size: 1232                           # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manage> interface: ::0
 access-control: ::0/0 refuse
 access-control: ::1 allow
 private-address: fd00::/8
 private-address: fe80::/10

 

[dave14305]

do-ip6: yes
edns-buffer-size: 1232                           # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manage> interface: ::0
access-control: ::0/0 refuse
access-control: ::1 allow
private-address: fd00::/8
private-address: fe80::/10

Since you’re still allowing IPv6, do you think it’s still sending out over WAN on IPv6 instead of ipv4 over VPN 5? If you set do-ip6 to no, or set prefer-ip4 to yes, does the traffic move to VPN 5?

 

[archiel]

Since you’re still allowing IPv6, do you think it’s still sending out over WAN on IPv6 instead of ipv4 over VPN 5? If you set do-ip6 to no, or set prefer-ip4 to yes, does the traffic move to VPN 5?

Something is happening as a result of routing over VPN,

• No external IPv6 lookups are happening; tcpdump port 53 and ip6 -i eth0 shows no traffic
• Internal IPv6 requests are happening expected; tcpdump port 53 and ip6 -i br0 shows expected traffic between Router / Devices
• Using https://ipv6-test.com/ DNS6 +IP6 = unreachable; it is reachable if unbound is not routed through the VPN
• using https://test-ipv6.com/ Test if your ISP's DNS server uses IPv6 = bad; ok if unbound is not routed through the VPN

All of which is what I would expect as the VPN tunnel does not support IPv6.

However disabling IPv6 in unbound.conf (do-ip6: no) makes no difference to the tcpdump outputs

running tcpdump port 53 -i tun15 just generates the traffic shown above and tcpdump port 53 -i eth0 show the expected DNS traffic
e.g.

12:12:36.210102 IP resolver2.opendns.com.domain > 5e00a2af.bb.sky.com.39910: 17322 1/0/0 PTR f.gtld-servers.net. (75)
12:12:36.210396 IP 5e00a2af.bb.sky.com.43668 > resolver2.opendns.com.domain: 45697+ PTR? 30.94.12.192.in-addr.arpa. (43)
12:12:36.215658 IP ns2-205.azure-dns.net.domain > 5e00a2af.bb.sky.com.10801: 57892*- 1/0/1 CNAME odc-commonafd-emea-meta-geo.onedrive.akadns.net. (100)
12:12:36.215944 IP 5e00a2af.bb.sky.com.41704 > a193-108-88-128.deploy.static.akamaitechnologies.com.domain: 4594% [1au] A? onedrive.akadns.net. (48)
12:12:36.216437 IP resolver2.opendns.com.domain > 5e00a2af.bb.sky.com.43668: 45697 1/0/0 PTR e.gtld-servers.net. (75)
12:12:36.216714 IP 5e00a2af.bb.sky.com.35961 > resolver2.opendns.com.domain: 24058+ PTR? 220.220.67.208.in-addr.arpa. (45)
12:12:36.221485 IP a193-108-88-128.deploy.static.akamaitechnologies.com.domain > 5e00a2af.bb.sky.com.41704: 4594*- 0/1/1 (114)
12:12:36.221521 IP ns4-205.azure-dns.info.domain > 5e00a2af.bb.sky.com.23224: 32496*- 1/0/1 CNAME odc-commonafd-emea-meta-geo.onedrive.akadns.net. (100)
12:12:36.221691 IP 5e00a2af.bb.sky.com.41752 > a95-101-36-128.deploy.static.akamaitechnologies.com.domain: 8455% [1au] A? odc-commonafd-emea-meta-geo.onedrive.akadns.net. (76)
12:12:36.221906 IP 5e00a2af.bb.sky.com.64713 > a23-61-199-131.deploy.static.akamaitechnologies.com.domain: 3671% [1au] A? odc-commonafd-emea-meta-geo.onedrive.akadns.net. (76)
12:12:36.222597 IP resolver2.opendns.com.domain > 5e00a2af.bb.sky.com.35961: 24058 1/0/0 PTR resolver2.opendns.com. (80)
12:12:36.222895 IP 5e00a2af.bb.sky.com.54497 > resolver2.opendns.com.domain: 34002+ PTR? 205.48.4.64.in-addr.arpa. (42)
1

In case it is relevant; the VPN is connected to NordVPN
Accept DNS Configuration: Exclusive
Policy Rules: Strict
In addition to Unbound the tunnel is used by a Ubuntu VM and by a AC87U connected to Lan4 and running in router mode.

Description	Source IP	Destination IP	Iface
UVM	10.xx.xx.150		VPN
AC87U	10.xx.xx.169		VPN

It is is almost as if setting unbound through the tunnel

outgoing-interface: 10.8.3.23        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

is just sending the IPv6 traffic though the interface.

 

[Milan]

The ad command (originally hidden internal development aid) does not alter the AdBlock configuration, but simply analyses and creates three AdBlock compatible files ('/opt/tmp/unbound-*')

e.g. in my current AdBlock (183002 domains) configuration, I have the ubiquitous 'Steven Black' list, together with 6 other custom lists (such as TikTok specific)

e  = Exit Script [?]

A:Option ==> ad

Analyzing, please be patient.....may take 30 seconds

Analysed Diversion file: 'blockinglist'     Type=pixelserv, (Adblock Domains=183002) would add 520 entries
Analysed Diversion file: 'blacklist'        Type=pixelserv, (Adblock Domains=183002) would add 2 entries
Analysed Diversion file: 'whitelist'        Type=URL, (Adblock URLs=19) would add 70 entries

In the example above, there are currently 19 AdBlock allowed URLs, and if required, there are approx 70 additional allowed URLs that could be manually included/migrated from Diversion.

Hm, manually. So no way to add them automatically from diversion lists ?

Analysed Diversion file: 'blockinglist'  Type=pixelserv, (Adblock Domains=57167) would add 917597 entries
Analysed Diversion file: 'blacklist'     Type=pixelserv, (Adblock Domains=57167) would add 1 entries
Analysed Diversion file: 'whitelist'     Type=URL, (Adblock URLs=19) would add 0 entries

 

[Martineau]

Hm, manually. So no way to add them automatically from diversion lists ?

Analysed Diversion file: 'blockinglist'  Type=pixelserv, (Adblock Domains=57167) would add 917597 entries
Analysed Diversion file: 'blacklist'     Type=pixelserv, (Adblock Domains=57167) would add 1 entries
Analysed Diversion file: 'whitelist'     Type=URL, (Adblock URLs=19) would add 0 entries

Can't remember if a forum member confirmed that changing unbound_manager.sh lines 4949 and 4950 actually correctly merged the lists.

i.e. change the $ACTION variable to 'Merge' then running unbound_manager command

adblock refresh

I don't know which Diversion pre-defined list you are using, but you could simply add the appropriate Diversion source links to '/opt/share/unbound/blocklists'

NOTE: A very large number of AdBlock definitions ( >500,000 ?) may cause issues as previously posted by others.

 

[heysoundude]

am I mistaken that my ISP can see what my DNS inquiries are when unbound goes looking to auth servers in the case of cache miss?
If not, I think I'd very much like to re-integrate DoT (having used stubby before unbound) as a privacy protection on my network.
Is there anyone here knowledgeable about DNS-over-TLS integration at the Auth servers unbound looks to?
is it possible to set those servers that do support DoT as "preferred" in unbound? Not cloudflare or Google/Alphabet, the Auth servers
also - if I'm setting myself up for potential network issues, I'd like to know about those as well. or whatever I'm missing or not taking into account or understanding...especially if there are other better ways to accomplish what I hope to.