Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Martineau]

Potential conflict with Diversion email functions if you’ve installed Unbound.

Diversion - the Router Ad-Blocker

Great detective work, but Entware is what it is with its package control.

I will try and push a Hotfix later to remove the two unbound related packages (as per your recommendation) during the unbound Install/Update if this will un-break diversion.

opkg remove unbound-control-setup      # v2.09 - @dave14305
opkg remove openssl-util               # v2.09 - @dave14305

 

[Martineau]

But now, I cannot uninstall Unbound either. Opt Z, then Y and it says Uninstall cancelled. No difference after a reboot either

'z' is lowercase, but you must reply 'Y' UPPERCASE to the confirmation prompt

A:Option ==> z

IMPORTANT: It is recommended to REBOOT in order to complete the removal of unbound

             You will be asked to confirm BEFORE proceeding with the REBOOT

Press Y to REMOVE unbound or press [Enter] to CANCEL

Option ==> Y

Any other response will cancel the uninstall.

 

[dave14305]

(as per your recommendation)

I only want the credit if it works!

 

[Martineau]

I only want the credit if it works!

Too late...starting this thread/maintaing posts #1 and #4 wasn't my idea so I want revenge!

 

[Martineau]

I notice that <Enable local NTP server> keeps reverting back to NO,

any problems with that?

For unbound apparently not, except unbound_manager will nag you!
P.S. Is there any other script that is enforcing 'Enable local NTP server=NO'?

However, if there are LAN devices that need to retrieve the time and you don't want them to use the WAN, then yes it will be a problem unless there is another LAN NTP Server ACTIVE.

And, if I reboot does the unbound cache get cleared, if so anyway to preserve it through reboots?

If you reboot then the router and its tasks/RAM are flushed, I don't believe it is possible for unbound to restore its cache/stats from empty RAM.

 

[skeal]

Just an observation; unbound works better and snappier without any Skynet Country blocks. It (unbound) must be trying to communicate with those dns servers as my log was filling with outbound blocks to these otherwise innocuous IPs.

 

[Mutzli]

Just an observation; unbound works better and snappier without any Skynet Country blocks. It (unbound) must be trying to communicate with those dns servers as my log was filling with outbound blocks to these otherwise innocuous IPs.

Definitely a problem not just performance wise. After yesterdays issues with some website blocks I removed the country blocks from Skynet and Hulu seems to be working again as well. @Martineau Maybe add a warning about country blocks to the unbound install instructions that it can cause issues with authoritative DNS servers.

 

[Martineau]

Definitely a problem not just performance wise. After yesterdays issues with some website blocks I removed the country blocks from Skynet and Hulu seems to be work again as well. @Martineau Maybe add a warning about country blocks to the unbound install instructions that it can cause issues with authoritative DNS servers.

Sure if that is what the community consensus is.

P.S. Any idea how to reliably detect 'country blocks' are configured so I can generate the warning?

 

[Mutzli]

OK - any idea how to reliably detect 'country blocks' are configured so I can generate the warning?

Best if you can connect with @Adamm about that.

 

[dave14305]

Sure if that is what the community consensus is.

P.S. Any idea how to reliably detect 'country blocks' are configured so I can generate the warning?

I think you would want something like this:

if [ -f /jffs/scripts/firewall ]; then
    skynetloc="$(grep -ow "skynetloc=.* # Skynet" /jffs/scripts/firewall-start 2>/dev/null | grep -vE "^#" | awk '{print $1}' | cut -c 11-)"
    skynetcfg="${skynetloc}/skynet.cfg"
    if [ -f "$skynetcfg" ]; then
        . "$skynetcfg"
        [ -n "$countrylist" ] && echo "Banned countries in Skynet could conflict with Unbound recursive queries"
    fi
fi

 

[vesalius]

Yes, because when Unbound is off, you're using a WAN DNS server that isn't residing in a banned country. It's the authoritative DNS server that's banned, not the website.

Ignorant on this topic, but don’t the authoritative name have static IP’s? @Adamm If so, can’t we add all of them to the skynet whitelist? Can’t think of a reason that would be unsafe?

 

[dave14305]

Ignorant on this topic, but don’t the authoritative name have static IP’s? @Adamm If so, can’t we add all of them to the skynet whitelist? Can’t think of a reason that would be unsafe?

It's not unsafe, but I think it's impractical to determine the authoritative nameserver for every domain on the internet. We're not talking about root DNS servers, but the servers underneath the root level and lower.

 

[Adamm]

Just an observation; unbound works better and snappier without any Skynet Country blocks. It (unbound) must be trying to communicate with those dns servers as my log was filling with outbound blocks to these otherwise innocuous IPs.

Definitely a problem not just performance wise. After yesterdays issues with some website blocks I removed the country blocks from Skynet and Hulu seems to be working again as well. @Martineau Maybe add a warning about country blocks to the unbound install instructions that it can cause issues with authoritative DNS servers.

Ignorant on this topic, but don’t the authoritative name have static IP’s? @Adamm If so, can’t we add all of them to the skynet whitelist? Can’t think of a reason that would be unsafe?

It's not unsafe, but I think it's impractical to determine the authoritative nameserver for every domain on the internet. We're not talking about root DNS servers, but the servers underneath the root level and lower.

Can someone clarify if its the root DNS servers being blocked or something else? I added support for automatic whitelisting of those but dave seems to think otherwise?

 

[skeal]

Can someone clarify if its the root DNS servers being blocked or something else? I added support for automatic whitelisting of those but dave seems to think otherwise?

It very well could be the root servers as the location of these servers is largely speculated upon. If a root server was in a banned country, I would say uh oh.

 

[Adamm]

It very well could be the root servers as the location of these servers is largely speculated upon. If a root server was in a banned country, I would say uh oh.

If you post a snippet of those logs we can find out definitively what was being blocked.

 

[Martineau]

It very well could be the root servers as the location of these servers is largely speculated upon. If a root server was in a banned country, I would say uh oh.

New in v2.09 a couple of new URLs in the 'links' menu output

e.g.
Root DNS status

 

[dave14305]

If you post a snippet of those logs we can find out definitively what was being blocked.

The only specific nameserver IP I've seen reported is 185.203.18.38, which is not a root server.

 

[dave14305]

It's a questionable suggestion, but maybe if Skynet detects Unbound installed it adds a rule to the OUTPUT chain to allow port 53? Not my favorite idea, nor my best one.

 

[skeal]

It's a questionable suggestion, but maybe if Skynet detects Unbound installed it adds a rule to the OUTPUT chain to allow port 53? Not my favorite idea, nor my best one.

I recall the outbound blocks were all port 53 in my case.

 

[skeal]

It happens when you have countries blocked and restart unbound.