Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Deleted member 62525]

What are your normal (non-DoT) WAN DNS Settings? You should not need DoT enabled for the router to resolve names.

What does this look like on your router? Fields must be filled in if No.
View attachment 21576

See below

 

[Deleted member 62525]

Whatever. Leave the WAN like everything automatic and standard. Install the Unbound script and be happy. It's carnival in Brazil.

Lol

 

[dave14305]

Exactly as yours. I have a fresh install Skynet, Unbound and Scribe.

If I specify NTP as pool.ntp.org when Unbound boots with S61unbound script it waits for NTP. I see message in the unbound log waiting for NTP.

If all my setting s in WAN tab are empty/disabled it will not work. I am thinking it is happening because pool.ntp.org cannot resolve since there is not DNS specified. I had to enable DoT and have DoT DNS server entries. Then it would work.

Once I switch NTP from pool.ntp.org to IP address on Administration/System tab and disabled all WAN settings as in attached image everything is working.

Then yes, you would expect a lot of problems if your WAN DNS is not set to Automatic and you erase the 2 fields. Populate those fields or change it back to Automatic. Unbound manager will take care of “disconnecting” dnsmasq from these values once Unbound is up and running.

You must have gone through nvram to erase those since the GUI won’t allow it.

 

[Deleted member 62525]

Then yes, you would expect a lot of problems if your WAN DNS is not set to Automatic and you erase the 2 fields. Populate those fields or change it back to Automatic. Unbound manager will take care of “disconnecting” dnsmasq from these values once Unbound is up and running.

You must have gone through nvram to erase those since the GUI won’t allow it.

You are correct. Lol. I did nvram dns_probe resets long time ago. My experiments and your help gave me a good insite how Unbound works. Very much appreciated. Got everything figured out and working. Thanks again.

 

[juched]

If using unbound for ad-block (instead of diversion), then how does one add whitelist or blacklist items? Do we need to use diversion to add them?

Thank you.

--- edit ---

I found the permlist and blocklist here:
/opt/var/lib/unbound/adblock/


Do we just edit that file manually? Seems simple.

--- edit 2 ----

And then run gen_adblock.sh to update.
This does cause the entire download to happen again, but it seems pretty quick.

 

[Lurkmaster]

If using unbound for ad-block (instead of diversion), then how does one add whitelist or blacklist items? Do we need to use diversion to add them?

Thank you.

--- edit ---

I found the permlist and blocklist here:
/opt/var/lib/unbound/adblock/


Do we just edit that file manually? Seems simple.

--- edit 2 ----

And then run gen_adblock.sh to update.
This does cause the entire download to happen again, but it seems pretty quick.

@juched You may have done this already. If not make sure you add the include line for the blockhost file in unbound.conf prior to running gen_adblock.sh so the contents of blockhost get included in the generated adservers file. I also ran 'rl' in unbound_manager after adding that include line. You could also just wait for the cron to kick off gen_adblock.sh too.

#########################################
# Adblock blacklist
include: /opt/var/lib/unbound/adblock/adservers
include: /opt/var/lib/unbound/adblock/firefox_DOH
include: /opt/var/lib/unbound/adblock/blockhost
#########################################

 

[Treadler]

If using the native Unbound Adblock, can I/how can I, change the default blocking list?

To this for example,

• https://hosts.oisd.nl/

 

[dave14305]

If not make sure you add the include line for the blockhost file in unbound.conf prior to running gen_adblock.sh so the contents of blockhost get included in the generated adservers file.

That’s not necessary or desirable based on how the Adblock script works. What are you putting in your blockhost file? local-zone: syntax or hostnames?

 

[dave14305]

If using the native Unbound Adblock, can I/how can I, change the default blocking list?

To this for example,

• https://hosts.oisd.nl/

You would need to modify the Adblock script to replace the curl commands with one for the oisd.nl file. But it’s 20x larger and would require 20x the memory.

https://github.com/jackyaz/Unbound-Asuswrt-Merlin/blob/master/adblock/gen_adblock.sh#L14

 

[juched]

@juched You may have done this already. If not make sure you add the include line for the blockhost file in unbound.conf prior to running gen_adblock.sh so the contents of blockhost get included in the generated adservers file. I also ran 'rl' in unbound_manager after adding that include line. You could also just wait for the cron to kick off gen_adblock.sh too.

#########################################
# Adblock blacklist
include: /opt/var/lib/unbound/adblock/adservers
include: /opt/var/lib/unbound/adblock/firefox_DOH
include: /opt/var/lib/unbound/adblock/blockhost
#########################################

You don’t need to do that since the gen_adblock.sh merges it into Adblock and then removes any whitelist items.

 

[Lurkmaster]

That’s not necessary or desirable based on how the Adblock script works. What are you putting in your blockhost file? local-zone: syntax or hostnames?

@dave14305 - I'm using local-zone: syntax to add something I want blocked without editing the adservers file that gets regenerated daily. This method works, as shown below, but if it isn't how it should be done then how can we add something similar to how one adds to Diversion's wildcard blacklist? It would be great to know the accepted procedure. Just because I got this to work doesn't mean it's right. I'd love to know the right way. Thanks!

I have some IoT devices that spew requests I don't want. By adding the include for this file in unbound.conf it brings in the lines in the blockhost file when the adservers file gets gen'd. I'm all ears for a better way

My blockhost file:

local-zone: "us.ntp.org.cn" refuse
local-zone: "www.amazon.cn" refuse

Excerpt from my unbound.log:

Feb 23 21:22:56 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:22:56 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31
Feb 23 21:22:56 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:22:56 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31
Feb 23 21:23:07 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:23:07 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31
Feb 23 21:23:07 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:23:07 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31
Feb 23 21:23:07 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:23:07 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31

 

[kernol]

@Martineau - can I ask you to take a look at this thread - and the one immediately above it?
https://www.snbforums.com/threads/amtm-the-asuswrt-merlin-terminal-menu.42415/page-93#post-554761

Since updating unbound to ver 2.12 - and subsequently updating amtm to 3.1.4 FW - I have issues running "u" in amtm menu - "update errors" on most of the menu items. As soon as I stop unbound [option "x"] - the "u" update query runs fine. Bring unbound back up - and they fail.

And yes - I have full cleared the unbound cache [rs nocache] twice and confirmed with s+ option.
Still comes up with errors - immediately and 10 minutes after unbound back up again.

 

[dave14305]

I'm all ears for a better way

Diversion.

 

[dave14305]

@Martineau - can I ask you to take a look at this thread - and the one immediately above it?
https://www.snbforums.com/threads/amtm-the-asuswrt-merlin-terminal-menu.42415/page-93#post-554761

Since updating unbound to ver 2.12 - and subsequently updating amtm to 3.1.4 FW - I have issues running "u" in amtm menu - "update errors" on most of the menu items. As soon as I stop unbound [option "x"] - the "u" update query runs fine. Bring unbound back up - and they fail.

And yes - I have full cleared the unbound cache [rs nocache] twice and confirmed with s+ option.
Still comes up with errors - immediately and 10 minutes after unbound back up again.

What are your WAN DNS settings and Tools / Other Settings page “Wan: Use local caching DNS server as system resolver (default: No)”? Unbound should not even come into play for amtm unless you’ve changed this setting. So it doesn’t make sense yet to blame unbound without clarifying your normal WAN DNS settings.

 

[rgnldo]

If using unbound for ad-block (instead of diversion), then how does one add whitelist or blacklist items? Do we need to use diversion to add them?

Thank you.

--- edit ---

I found the permlist and blocklist here:
/opt/var/lib/unbound/adblock/


Do we just edit that file manually? Seems simple.

--- edit 2 ----

And then run gen_adblock.sh to update.
This does cause the entire download to happen again, but it seems pretty quick.

Add the domain to be allowed in the permlist file. Add the domain to be blocked in the blockhost file. Restart the unbound. Adblock hosts are enough to block ads. The always_nxdomain method tries to block as many domains and subdomains as possible. I recommend using only the unbound adblock and Skynet to get the best out of Unbound. It's efficient. I'm almost done with my new ad tracker script and with a lot more functions.

 

[kernol]

What are your WAN DNS settings and Tools / Other Settings page “Wan: Use local caching DNS server as system resolver (default: No)”? Unbound should not even come into play for amtm unless you’ve changed this setting. So it doesn’t make sense yet to blame unbound without clarifying your normal WAN DNS settings.

Hi @dave14305 - thanks for your response. My WAN settings unchanged - before and after updates described above.

I have however tried changed to Quad9 for both settings [Router and DoT] - but no improvement.

Please note - was NOT seeking to "blame" any one or any script - was just seeking help on a peculiar issue not experienced before.

I am now beginning to wonder if it may be a timing issue within latest amtm - so going back there for help.

 

[Kingp1n]

Hi @dave14305 - thanks for your response. My WAN settings unchanged - before and after updates described above.
View attachment 21587

I have however tried changed to Quad9 for both settings [Router and DoT] - but no improvement.

Please note - was NOT seeking to "blame" any one or any script - was just seeking help on a peculiar issue not experienced before.

I am now beginning to wonder if it may be a timing issue within latest amtm - so going back there for help.

DNS privacy protocol should be set to "None".

 

[dave14305]

Hi @dave14305 - thanks for your response. My WAN settings unchanged - before and after updates described above.
View attachment 21587

I have however tried changed to Quad9 for both settings [Router and DoT] - but no improvement.

Please note - was NOT seeking to "blame" any one or any script - was just seeking help on a peculiar issue not experienced before.

I am now beginning to wonder if it may be a timing issue within latest amtm - so going back there for help.

I love a good mystery. I’m guessing your /etc/resolv.conf contains 1.1.1.1, 1.0.0.1 and 127.0.1.1. If you run

nslookup diversion.ch
nslookup fwupdate.asuswrt-merlin.net
nslookup raw.githubusercontent.com

Do they all work? Share the output please.

 

[Martineau]

@Martineau - can I ask you to take a look at this thread - and the one immediately above it?
https://www.snbforums.com/threads/amtm-the-asuswrt-merlin-terminal-menu.42415/page-93#post-554761

Since updating unbound to ver 2.12 - and subsequently updating amtm to 3.1.4 FW - I have issues running "u" in amtm menu - "update errors" on most of the menu items. As soon as I stop unbound [option "x"] - the "u" update query runs fine. Bring unbound back up - and they fail.

And yes - I have full cleared the unbound cache [rs nocache] twice and confirmed with s+ option.
Still comes up with errors - immediately and 10 minutes after unbound back up again.

Whilst I take full responsibility for any bugs/misunderstamdings introduced by my manky unbound_manager script, given the title of this thread, I suggest that you post your query in the official unbound support thread together with the requested supporting documentation.

However, despite you being the third person to have experienced difficulty with unbound, I notice that there is never any useful feedback/assistance from the resident SME for issues similar to yours.

So, although I have included the unbound 'lookup' feature in the unbound_manager menu, I think you may need to manually delve into the external 'dig' and 'tcpdump' utilities to investigate why unbound seemingly fails, but dnsmasq doesn't.

i.e. you should be able to provide tangible data metrics as a comparison when the utilities are used when unbound fails vs. dnsmasq success for the appropriate domains(s) 'diversion.ch' etc.
P.S. I think I saw a post where unbound vs bind resulted in a similar situation and 'dig +trace' / 'tcpdump port 53' on the WAN interface proved useful.
(NOTE: I think in this instance, the underlying issue was something to do with the remote load-balancing servers' response?)

EDIT: Forget the above @dave14305 has taken an interest!

 

[kernol]

Whilst I take full responsibility for any bugs/misunderstamdings introduced by my manky unbound_manager script, given the title of this thread, I suggest that you post your query in the official unbound support thread together with the requested supporting documentation.

View attachment 21590

However, despite you being the third person to have experienced difficulty with unbound, I notice that there is never any useful feedback/assistance from the resident SME for issues similar to yours.

So, although I have included the unbound 'lookup' feature in the unbound_manager menu, I think you may need to manually delve into the external 'dig' and 'tcpdump' utilities to investigate why unbound seemingly fails fails, but dnsmasq doesn't.

i.e. you should be able to provide tangible data metrics as a comparison when the utilities are used when unbound fails vs. dnsmasq success for the appropriate domains(s) 'diversion.ch' etc.
P.S. I think I saw a post where unbound vs bind resulted in a similar situation and 'dig +trace' / 'tcpdump port 53' on the WAN interface proved useful.
(NOTE: I think in this instance, the underlying issue was something to do with the remote load-balancing servers' response?)

EDIT: Forget the above @dave14305 has taken an interest!

Thanks @Martineau - if I had the slightest clue what you were suggesting - "dig" "tcdump" etc I would most certainly oblige - but I am not a coder by any stretch of anyone's imagination. I sit back, appreciate and FULLY enjoy the marvels that you coders weave for us non-coders.

Occasionally I hit a hiccup which I can't fathom - and then request help from the Guru's ... understanding that I may well have screwed something up along that way which experienced eyes will likely spot long before I possibly could. VERY occasionally my post may identify a bug in the code - which is usually corrected at warp speed [a fact in a volunteer community that never ceases to amaze me].

No worries - I have not done a FULL reset for sometime - so travelling the trusted @L&LD full factory reset route.
That routine 9 times out of 10 will cure aberrations such as the one recently suffered.