Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[bluepoint]

I don't think you understood me, specifically? With the option set to 'Yes' and with unbound 'stopped/paused', do you still have internet then?

I think the answer will be 'no'.

Yes, because when unbound stopped or paused the failover is to go back to dnsmasq for DNS. I saw this scenario discussed before which I cannot locate now. Anyway, @Martineau should be able to answer if I'm wrong.
One thing I'm sure internet still works when I uninstall unbound so in this instance dnsmasq took over.

 

[L&LD]

Yes, because when unbound stopped or paused the failover is to go back to dnsmasq for DNS. I saw this scenario discussed before which I cannot locate now. Anyway, @Martineau should be able to answer if I'm wrong.

So what I'm understanding is that you didn't actually test this then, in your set up?

I do remember that 'failover to dnsmasq' discussion too, but it is an easy test for you to be sure. Many changes and upgrades since then.

 

[bluepoint]

So what I'm understanding is that you didn't actually test this then, in your set up?

What test do you want? I've set it to no/yes and there's no problem for both. Remember I'm using the builtin firmware NTP.

I do remember that 'failover to dnsmasq' discussion too, but it is an easy test for you to be sure. Many changes and upgrades since then.

True, many changes and upgrade but it's not like I wasn't here. Why don't you test it then tell us the problem?

 

[L&LD]

@bluepoint, you're missing the point.

Re-read the above posts if you want. Everything is there.

 

[bluepoint]

There's plenty of post above so why don't you just link it specifically so I understand what you're trying to tell me? Are you having problem with that WAN options and why? Tell us.

 

[Martineau]

Yes, because when unbound stopped or paused the failover is to go back to dnsmasq for DNS. I saw this scenario discussed before which I cannot locate now. Anyway, @Martineau should be able to answer if I'm wrong.
One thing I'm sure internet still works when I uninstall unbound so in this instance dnsmasq took over.

If you uninstall unbound using unbound_manager:

z  = Remove unbound/unbound_manager Installation

then dnsmasq resumes its normal duties to allow Internet access.

If you stop unbound using unbound_manager:

x  = Stop unbound

then dnsmasq resumes its normal duties to allow Internet access.
(NOTE: It wasn't always like this... changed in v2.09 as a 'sensible' decision as the user may not want the hassle of reinstalling unbound etc. so could simply use unbound_manager command 'rs' to start unbound at a later date - but in the interim obviously may need to browse SNB Forums etc.)

However, if you use

sh /opt/etc/init.d/S61unbound stop

then Internet access is BROKEN until you either issue

sh /opt/etc/init.d/S61unbound start

or

service restart_dnsmasq

assuming of course that neither configuration has been incorrectly modified.

 

[bluepoint]

So what I'm understanding is that you didn't actually test this then, in your set up?

I'm posting this after stopping unbound.

As you can see dnsmasq was restarted after unbound stopped. Is this the test you want? Now you owe me my unbound cache.

 

[Martineau]

Now you owe me my unbound cache.

Erm.. 'x' command in v2.11 should auto save the cache for auto restore with the 'rs' command

 

[L&LD]

I'm posting this after stopping unbound.
View attachment 21512
As you can see dnsmasq was restarted after unbound stopped. Is this the test you want? Now you owe me my unbound cache.

See @Martineau's post above yours.

See if you have internet access then.

BTW, no issues on my end. 'No' is the correct option I'm using.

 

[bluepoint]

Erm.. 'x' command in v2.11 should auto save the cache for auto restore with the 'rs' command

View attachment 21513

That's my understanding that's why the smile, although the stats were erased.

 

[Martineau]

That's my understanding that's why the smile, although the stats were erased.

Phew! - thought I'd screwed up (again)

 

[Treadler]

I will try to go back to the history of how "WAN: Use local caching DNS server as system resolver" come about.
Sometime before the introduction of DOT, this option's defaults to "yes" but was changed to "no" when many are having problem syncing their time with the NTP servers. Close accuracy time is very important for stubby, skynet, diversion and even now with unbound. Although, this is happening "not" all were affected by the NTP bug even up to now. This is the reason you'll see some including me choose to set the WAN option to leave it to "yes". You might ask why? Simply because NTP works even if I choose the option and when diagnosing routing problems the router uses the same resolver as the clients.

Lately, since 384.15, as of my observation my rt-ax88u starts the WAN connection very early in the boot process that makes NTP syncs very reliably before all entware addons starts. I'm sure RMerlin tweaked the WAN section for the bahaviour to act like this. Setting up my WAN DHCP query frequency to "aggressive mode" might have help to acquire WAN IP quicker at boot time but I doubt since I had that before firmware .15.

Re NTP, quite a while back I put IP addresses in as my primary & secondary NTP servers (Cloudflare time).
For me, that made a huge reduction in boot time errors, both with “Use Local Caching DNS Server” set to “yes”, or “no”.
My theory, DNS resolution no longer required for NTP to do its work?

 

[Xentrk]

The only issue is unbound can't resolve the IP address of one of my VPN provider's server on the left coast. An nslookup, drill or dig command DO NOT yield the IP address associated with the VPN server. I can't connect to the VPN server using the GUI. All other VPN server domain names work. I was looking at the drill command usage and was only able to resolve the VPN server when adding the -T directive to the drill command.

drill -T www.example.com
    Do a trace (-T) from the rootservers down to www.example.com.

I've experimented with some of the suggested firmware settings (enabling, disabling) and no change in behavior. So I wonder if it is an unbound configuration issue. I reviewed them and can't find one that may help. Any ideas?

 

[dave14305]

The only issue is unbound can't resolve the IP address of one of my VPN provider's server on the left coast. An nslookup, drill or dig command DO NOT yield the IP address associated with the VPN server. I can't connect to the VPN server using the GUI. All other VPN server domain names work. I was looking at the drill command usage and was only able to resolve the VPN server when adding the -T directive to the drill command.

drill -T www.example.com
    Do a trace (-T) from the rootservers down to www.example.com.

I've experimented with some of the suggested firmware settings (enabling, disabling) and no change in behavior. So I wonder if it is an unbound configuration issue. I reviewed them and can't find one that may help. Any ideas?

What's the DNS name?

 

[Deleted member 62525]

Re NTP, quite a while back I put IP addresses in as my primary & secondary NTP servers (Cloudflare time).
For me, that made a huge reduction in boot time errors, both with “Use Local Caching DNS Server” set to “yes”, or “no”.
My theory, DNS resolution no longer required for NTP to do its work?

I would keep NTP server untouched and do this in your unbound.conf and add.

Code:

domain-insecure: "north-america.pool.ntp.org"

 

[Deleted member 62525]

My objective is to run Unbound as an authorative DNS server and dnsmasq providing local lookup. All clients DNS queries must go to Unbound for processing. I don't have Diversion installed. After installing Unbound I have noticed that my dnsmasq.postconf is blank so I wonder how is my dnsmasq reconfigured during Unbound installation process.

Some forum posts I have see examples of Unbound dnsmasq.postconf as below

#!/bin/sh
# Commented out here in case others do not use Diversion
#. /opt/share/diversion/file/post-conf.div # Added by Diversion

CONFIG=$1
. /usr/sbin/helper.sh

if [ -n "$(pidof unbound)" ]; then
UNBOUNDLISTENADDR=$(netstat -nlup | grep unbound$ | grep "^udp " | grep " 127\.0" | head -1 | awk ' { print $4 } ' | tr ':' '#')
if [ -n "$UNBOUNDLISTENADDR" ]; then
pc_delete "servers-file" "$CONFIG"
pc_delete "no-negcache" "$CONFIG"
pc_delete "trust-anchor=" "$CONFIG"
pc_delete "dnssec" "$CONFIG"
pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
pc_append "proxy-dnssec" "$CONFIG"
fi
fi

 

[dave14305]

My objective is to run Unbound as an authorative DNS server and dnsmasq providing local lookup. All clients DNS queries must go to Unbound for processing. I don't have Diversion installed. After installing Unbound I have noticed that my dnsmasq.postconf is blank so I wonder how is my dnsmasq reconfigured during Unbound installation process.

Some forum posts I have see examples of Unbound dnsmasq.postconf as below

#!/bin/sh
# Commented out here in case others do not use Diversion
#. /opt/share/diversion/file/post-conf.div # Added by Diversion

CONFIG=$1
. /usr/sbin/helper.sh

if [ -n "$(pidof unbound)" ]; then
UNBOUNDLISTENADDR=$(netstat -nlup | grep unbound$ | grep "^udp " | grep " 127\.0" | head -1 | awk ' { print $4 } ' | tr ':' '#')
if [ -n "$UNBOUNDLISTENADDR" ]; then
pc_delete "servers-file" "$CONFIG"
pc_delete "no-negcache" "$CONFIG"
pc_delete "trust-anchor=" "$CONFIG"
pc_delete "dnssec" "$CONFIG"
pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
pc_append "proxy-dnssec" "$CONFIG"
fi
fi

There should be a line in dnsmasq.postconf referring to unbound.postconf. The lines similar to what you post above should be in unbound.postconf.

 

[bluepoint]

Re NTP, quite a while back I put IP addresses in as my primary & secondary NTP servers (Cloudflare time).
For me, that made a huge reduction in boot time errors, both with “Use Local Caching DNS Server” set to “yes”, or “no”.
My theory, DNS resolution no longer required for NTP to do its work?

Yes, since the IP is already known it will not rely for a resolution. Early days or even now, hardcoding IP is not recommended as domain names changes ip frequently but lately not much. Just be conscious that if you hardcoded the IP that someday it will not work.

 

[Deleted member 62525]

There should be a line in dnsmasq.postconf referring to unbound.postconf. The lines similar to what you post above should be in unbound.postconf.

Unfortunately standard most recent version of Unbound does not create any of that. I believe that cause of that some of us have issues.
I just did a brand new install and still nothing. How do I fix it? Any suggestions would be appreciated.

 

[dave14305]

Unfortunately standard most recent version of Unbound does not create any of that. I believe that cause of that some of us have issues.
I just did a brand new install and still nothing. How do I fix it? Any suggestions would be appreciated.

Unbound or unbound_manager.sh? Only the unbound_manager.sh script in post #1 will create this.