Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


Exactly as yours. I have a fresh install Skynet, Unbound and Scribe.

If I specify NTP as pool.ntp.org, then when Unbound boots with the S61unbound script it waits for NTP. I see the message in the unbound log: waiting for NTP.

If all my settings in the WAN tab are empty/disabled it will not work. I am thinking it is happening because pool.ntp.org cannot resolve since there is no DNS specified. I had to enable DoT and have DoT DNS server entries. Then it would work.

Once I switch NTP from pool.ntp.org to an IP address on the Administration/System tab and disable all WAN settings as in the attached image, everything is working.
Then yes, you would expect a lot of problems if your WAN DNS is not set to Automatic and you erase the 2 fields. Populate those fields or change it back to Automatic. Unbound manager will take care of “disconnecting” dnsmasq from these values once Unbound is up and running.

You must have gone through nvram to erase those since the GUI won’t allow it.
 

You are correct. Lol. I did nvram dns_probe resets a long time ago. My experiments and your help gave me a good insight into how Unbound works. Very much appreciated. Got everything figured out and working. Thanks again.
 
If using unbound for ad-block (instead of diversion), then how does one add whitelist or blacklist items? Do we need to use diversion to add them?

Thank you.

--- edit ---

I found the permlist and blocklist here:
/opt/var/lib/unbound/adblock/


Do we just edit that file manually? Seems simple.

--- edit 2 ----

And then run gen_adblock.sh to update.
This does cause the entire download to happen again, but it seems pretty quick.
 


@juched You may have done this already. If not make sure you add the include line for the blockhost file in unbound.conf prior to running gen_adblock.sh so the contents of blockhost get included in the generated adservers file. I also ran 'rl' in unbound_manager after adding that include line. You could also just wait for the cron to kick off gen_adblock.sh too.

Code:
#########################################
# Adblock blacklist
include: /opt/var/lib/unbound/adblock/adservers
include: /opt/var/lib/unbound/adblock/firefox_DOH
include: /opt/var/lib/unbound/adblock/blockhost
#########################################
 
If not make sure you add the include line for the blockhost file in unbound.conf prior to running gen_adblock.sh so the contents of blockhost get included in the generated adservers file.
That’s not necessary or desirable based on how the Adblock script works. What are you putting in your blockhost file? local-zone: syntax or hostnames?
 

You don’t need to do that since the gen_adblock.sh merges it into Adblock and then removes any whitelist items.
 

@dave14305 - I'm using local-zone: syntax to add something I want blocked without editing the adservers file that gets regenerated daily. This method works, as shown below, but if it isn't how it should be done then how can we add something similar to how one adds to Diversion's wildcard blacklist? It would be great to know the accepted procedure. Just because I got this to work doesn't mean it's right. I'd love to know the right way. Thanks!

I have some IoT devices that spew requests I don't want. By adding the include for this file in unbound.conf it brings in the lines in the blockhost file when the adservers file gets gen'd. I'm all ears for a better way :)

My blockhost file:
Code:
local-zone: "us.ntp.org.cn" refuse
local-zone: "www.amazon.cn" refuse

Excerpt from my unbound.log:
Code:
Feb 23 21:22:56 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:22:56 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31
Feb 23 21:22:56 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:22:56 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31
Feb 23 21:23:07 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:23:07 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31
Feb 23 21:23:07 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:23:07 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31
Feb 23 21:23:07 unbound[11015:0] query: 127.0.0.1 us.ntp.org.cn. A IN
Feb 23 21:23:07 unbound[11015:0] reply: 127.0.0.1 us.ntp.org.cn. A IN REFUSED 0.000000 1 31
 
@Martineau - can I ask you to take a look at this thread - and the one immediately above it?
https://www.snbforums.com/threads/amtm-the-asuswrt-merlin-terminal-menu.42415/page-93#post-554761

Since updating unbound to ver 2.12 - and subsequently updating amtm to 3.1.4 FW - I have issues running "u" in amtm menu - "update errors" on most of the menu items. As soon as I stop unbound [option "x"] - the "u" update query runs fine. Bring unbound back up - and they fail.

And yes - I have full cleared the unbound cache [rs nocache] twice and confirmed with s+ option.
Still comes up with errors - immediately and 10 minutes after unbound back up again.
 
What are your WAN DNS settings and Tools / Other Settings page “Wan: Use local caching DNS server as system resolver (default: No)”? Unbound should not even come into play for amtm unless you’ve changed this setting. So it doesn’t make sense yet to blame unbound without clarifying your normal WAN DNS settings.
 
Add the domain to be allowed in the permlist file. Add the domain to be blocked in the blockhost file. Restart unbound. Adblock hosts are enough to block ads. The always_nxdomain method tries to block as many domains and subdomains as possible. I recommend using only the unbound adblock and Skynet to get the best out of Unbound. It's efficient. I'm almost done with my new ad tracker script, with a lot more functions. :)
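As an added example (not unbound_manager's gen_adblock.sh, whose internals this thread does not show), here is a POSIX sh script that does the merge the two replies above describe: the downloaded ad feed plus blockhost, minus anything on the permlist, written out as unbound local-zone lines. The directory and file names mirror the ones named in the thread, the hosts-file feed format and the always_nxdomain default are assumptions, and blockhost may hold either bare hostnames or full local-zone: lines like the ones posted earlier for us.ntp.org.cn.

```shell
#!/bin/sh
# Added example, not unbound_manager's gen_adblock.sh: merge a hosts-style ad
# feed with a blockhost file, drop permlisted domains, and emit unbound
# local-zone directives. Paths and file names are assumptions mirroring the
# adblock directory named in the thread (/opt/var/lib/unbound/adblock).
LC_ALL=C; export LC_ALL

# hosts_to_domains: read hosts-format lines ("0.0.0.0 host") or bare hostnames
# on stdin and print one lowercase domain per line, skipping comments, blank
# lines, localhost entries and addresses that have no hostname after them.
hosts_to_domains() {
  awk '
    { sub(/#.*/, "") }                                      # strip comments
    NF == 0 { next }                                        # nothing left
    { d = ($1 ~ /^[0-9.:]+$/ && NF >= 2) ? $2 : $1 }        # "IP host" or "host"
    d ~ /^[0-9.:]+$/ { next }                               # bare address
    d == "localhost" || d == "localhost.localdomain" { next }
    { print tolower(d) }'
}

# blockhost_to_domains: accept either bare hostnames or full
# local-zone: "host" type   lines (the syntax used earlier in the thread)
# and print just the domain, so either form can be merged into the feed.
blockhost_to_domains() {
  awk '
    { sub(/#.*/, "") }
    NF == 0 { next }
    $1 == "local-zone:" { d = $2; gsub(/"/, "", d); sub(/\.$/, "", d); print tolower(d); next }
    { print tolower($1) }'
}

# build_adblock_conf FEED BLOCKHOST PERMLIST [ZONE_TYPE]
# Prints the merged, deduplicated block list as unbound local-zone lines.
# ZONE_TYPE defaults to always_nxdomain (the type mentioned in the thread);
# any type written in blockhost is replaced so the generated file is uniform.
# The permlist match is exact: allowing example.com does not unblock
# ads.example.com.
build_adblock_conf() {
  feed=$1; blockhost=$2; permlist=$3; ztype=${4:-always_nxdomain}
  perm=$(mktemp) || return 1
  hosts_to_domains < "$permlist" | sort -u > "$perm"
  { hosts_to_domains < "$feed"; blockhost_to_domains < "$blockhost"; } \
    | sort -u \
    | awk -v permfile="$perm" -v ztype="$ztype" '
        FILENAME == permfile { allow[$0] = 1; next }      # first file: permlist
        !($0 in allow) { printf "local-zone: \"%s\" %s\n", $0, ztype }
      ' "$perm" -
  rc=$?
  rm -f "$perm"
  return $rc
}

# Stand-alone demo on constructed sample lists written to temporary files.
demo_adblock() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' '# constructed feed' '0.0.0.0 ads.example.net' \
    '0.0.0.0 Tracker.Example.org  # cdn-hosted' '127.0.0.1 localhost' \
    '0.0.0.0 cdn.example.com' > "$dir/adservers.hosts"
  printf '%s\n' 'local-zone: "us.ntp.org.cn" refuse' 'www.amazon.cn' > "$dir/blockhost"
  printf '%s\n' 'cdn.example.com' > "$dir/permlist"
  build_adblock_conf "$dir/adservers.hosts" "$dir/blockhost" "$dir/permlist"
  rm -rf "$dir"
}
demo_adblock
```

Include only the generated file in unbound.conf: adding blockhost as a second include defines the same domains twice, which trips unbound's duplicate local-zone check, and a refuse in blockhost is replaced by the uniform type given as the fourth argument. Run the script from cron, or whenever the lists change, and reload unbound afterwards; unbound-checkconf on the result before the reload catches a malformed line before it takes the resolver down.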
 

Hi @dave14305 - thanks for your response. My WAN settings unchanged - before and after updates described above.


I have however tried changing to Quad9 for both settings [Router and DoT] - but no improvement.

Please note - was NOT seeking to "blame" any one or any script - was just seeking help on a peculiar issue not experienced before.

I am now beginning to wonder if it may be a timing issue within latest amtm - so going back there for help.
 

DNS privacy protocol should be set to "None".
 
I love a good mystery. I’m guessing your /etc/resolv.conf contains 1.1.1.1, 1.0.0.1 and 127.0.1.1. If you run
Code:
nslookup diversion.ch
nslookup fwupdate.asuswrt-merlin.net
nslookup raw.githubusercontent.com
Do they all work? Share the output please.
 

Whilst I take full responsibility for any bugs/misunderstandings introduced by my manky unbound_manager script, given the title of this thread, I suggest that you post your query in the official unbound support thread together with the requested supporting documentation.



However, despite you being the third person to have experienced difficulty with unbound, I notice that there is never any useful feedback/assistance from the resident SME for issues similar to yours.

So, although I have included the unbound 'lookup' feature in the unbound_manager menu, I think you may need to manually delve into the external 'dig' and 'tcpdump' utilities to investigate why unbound seemingly fails, but dnsmasq doesn't. :confused:

i.e. you should be able to provide tangible data metrics as a comparison when the utilities are used when unbound fails vs. dnsmasq success for the appropriate domain(s) 'diversion.ch' etc.
P.S. I think I saw a post where unbound vs bind resulted in a similar situation and 'dig +trace' / 'tcpdump port 53' on the WAN interface proved useful.
(NOTE: I think in this instance, the underlying issue was something to do with the remote load-balancing servers' response?)

EDIT: Forget the above @dave14305 has taken an interest! :D
 
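As an added example (not part of unbound_manager, amtm or anything dave14305 or Martineau posted), the checks suggested in the two replies above can be put into one POSIX sh script: it lists the nameservers in /etc/resolv.conf, then resolves the three domains through the system resolver, through dnsmasq on 127.0.0.1 port 53 and straight through unbound, and flags the domains where only unbound fails. The unbound port 53535 is an assumption (set UNBOUND_PORT to whatever your unbound.conf says), dig is assumed to come from Entware's bind-dig package, and the script only sends queries when started with the argument run, so it can be sourced safely.

```shell
#!/bin/sh
# Added diagnostic, not part of unbound_manager or amtm: resolve the hosts the
# amtm update check needs (the three domains named in the thread) through each
# candidate resolver and show where the answers diverge. Assumptions: unbound
# listens on 127.0.0.1 port 53535, dnsmasq on 127.0.0.1 port 53, dig is
# installed from Entware (opkg install bind-dig).
UNBOUND_ADDR=${UNBOUND_ADDR:-127.0.0.1}; UNBOUND_PORT=${UNBOUND_PORT:-53535}
DNSMASQ_ADDR=${DNSMASQ_ADDR:-127.0.0.1}; DNSMASQ_PORT=${DNSMASQ_PORT:-53}
DOMAINS="diversion.ch fwupdate.asuswrt-merlin.net raw.githubusercontent.com"

# resolv_nameservers FILE: print the nameserver addresses from a resolv.conf,
# one per line, ignoring comments. 127.0.1.1 in that list means the firmware
# option "Use local caching DNS server as system resolver" is in effect.
resolv_nameservers() {
  awk '{ sub(/#.*/, "") } $1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# a_records [dig options] DOMAIN: sorted IPv4 answers, space separated, or
# NOANSWER when the query times out, fails (SERVFAIL/REFUSED) or is empty.
a_records() {
  ans=$(dig "$@" +short +time=2 +tries=1 2>/dev/null \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort | tr '\n' ' ')
  if [ -n "$ans" ]; then printf '%s\n' "${ans% }"; else printf 'NOANSWER\n'; fi
}
resolve_system() { a_records "$1" A; }                  # via /etc/resolv.conf
resolve_via()    { a_records @"$1" -p "$2" "$3" A; }   # via a specific server

# verdict SYSTEM DNSMASQ UNBOUND: classify one domain's answers.
#   all-fail              nothing resolves it (upstream or WAN problem)
#   unbound-only-failure  dnsmasq or the system resolver answers, unbound does not
#   match                 unbound agrees with dnsmasq or the system resolver
#   differs               all answer but unbound's set differs (re-run: CDNs rotate)
verdict() {
  sys=$1; dm=$2; ub=$3
  if [ "$ub" = NOANSWER ] && [ "$dm" = NOANSWER ] && [ "$sys" = NOANSWER ]; then
    echo all-fail
  elif [ "$ub" = NOANSWER ]; then
    echo unbound-only-failure
  elif [ "$ub" = "$dm" ] || [ "$ub" = "$sys" ]; then
    echo match
  else
    echo differs
  fi
}

# compare_resolvers DOMAIN...: one row per domain with each resolver's answer.
compare_resolvers() {
  printf '%-30s %-24s %-24s %-24s %s\n' DOMAIN SYSTEM DNSMASQ UNBOUND VERDICT
  for dom in "$@"; do
    sys=$(resolve_system "$dom")
    dm=$(resolve_via "$DNSMASQ_ADDR" "$DNSMASQ_PORT" "$dom")
    ub=$(resolve_via "$UNBOUND_ADDR" "$UNBOUND_PORT" "$dom")
    printf '%-30s %-24s %-24s %-24s %s\n' "$dom" "$sys" "$dm" "$ub" \
      "$(verdict "$sys" "$dm" "$ub")"
  done
}

# Only talk to the network when explicitly asked: sh dnscheck.sh run
if [ "${1:-}" = run ]; then
  if command -v dig >/dev/null 2>&1; then
    echo "system resolver(s): $(resolv_nameservers /etc/resolv.conf | tr '\n' ' ')"
    compare_resolvers $DOMAINS
  else
    echo "dig not found; install it with: opkg install bind-dig" >&2
    exit 1
  fi
fi
```

A row reading unbound-only-failure is the case to chase: repeat that one domain with dig +trace against unbound's port while tcpdump watches port 53 on the WAN interface, as suggested above, to see which upstream stops answering. A differs verdict on raw.githubusercontent.com alone is usually just the CDN handing out different address sets.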

Thanks @Martineau - if I had the slightest clue what you were suggesting - "dig", "tcpdump" etc. - I would most certainly oblige - but I am not a coder by any stretch of anyone's imagination. I sit back, appreciate and FULLY enjoy the marvels that you coders weave for us non-coders.

Occasionally I hit a hiccup which I can't fathom - and then request help from the Gurus ... understanding that I may well have screwed something up along the way which experienced eyes will likely spot long before I possibly could. VERY occasionally my post may identify a bug in the code - which is usually corrected at warp speed [a fact in a volunteer community that never ceases to amaze me].

No worries - I have not done a FULL reset for sometime - so travelling the trusted @L&LD full factory reset route.
That routine 9 times out of 10 will cure aberrations such as the one recently suffered.
 