SomeWhereOverTheRainBow
> Is this what the normal DNSSEC test looks like for unbound (unbound only)?
> Where can one run this test?

In unbound_manager under '3 = Advanced Tools' use the 'links' command to display useful clickable URLs:
e = Exit Script
A:Option ==> 3
<snip>
sd = Show dnsmasq Statistics/Cache Size s = Show unbound statistics (s=Summary Totals; sa=All; s+=Enable Extended Stats)
scribe = Enable scribe (syslog-ng) unbound logging ad = Analyse Diversion White/Black lists ([ file_name [type=adblock] ])
dumpcache = Manually use restorecache after REBOOT ca = Cache Size Optimisation ([ 'reset' ])
dig = {domain} Show dig info e.g. dig qnamemintest.internet.nl lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links
e = Exit Script
[Enter] Leave Advanced Tools Menu
A:Option ==> links
Click https://rootcanary.org/test.html to view Web DNSSEC Test Click https://www.quad9.net/faq/#outer-wrap to view QUAD9 FAQs/servers list etc.
Click https://1.1.1.1/help to view Cloudflare. Click https://cmdns.dev.dns-oarc.net/ to view Check My DNS.
Click https://root-servers.org/ to view Live Root Server status
Authoritative DNS servers will see recursive requests coming from your WAN IP. But that doesn’t mean the destination websites see your WAN IP if they are routed through a VPN client.
> So, does this mean that the Government here in Australia can't log the metadata of the request to the Authoritative DNS servers?

They could log it since it is not encrypted.
@Martineau I know the adblock scripts do not have an owner, and I do find they work well; a couple of small suggested tweaks:
Can the DNSWarden download link be replaced with this link:
https://raw.githubusercontent.com/dnswarden/blocklist/master/blacklist-formats/hostnames
The one used by the script is a static copy checked in Dec 2019. The link above is the regularly updated file, it seems. Looking closer, this new file is much larger... so it seems this may be a bad, bad idea. Not really sure the current small list is adding much; a couple of spot checks show it in Steven's list.
Can the frogeye first party trackers link be replaced with this link:
https://hostfiles.frogeye.fr/firstparty-trackers.txt
This one is not in the hosts file format, so the script can drop the extra processing commands. I see this file isn't currently downloaded, as the line is commented out.
For StevenBlack it would be great to find one already processed.
So, overall, I see now what was meant by the adblock needing work. I am interested to see how I can help, but I see @rgnldo hinted at some changes he is perhaps creating?
I'm loving the results with unbound. We recently moved from the suburbs of a major city to a city of about 90,000 people. Almost all the DNS providers are far away from here and the results are far slower than where I lived before. The dnsperftest tool is amazing. In addition to the router, I added to the test a couple of hacked Pogoplugs running Debian where I have installed Pi-hole and unbound, and they too have incredible response times.
Code:
bash ./dnstest.sh |sort -k 22 -n
              test1  test2  test3  test4  test5  test6  test7  test8  test9  test10  Average
PogoplugPro2  2 ms   2 ms   2 ms   2 ms   2 ms   2 ms   2 ms   2 ms   1 ms   2 ms    1.90
ASUSrouter    2 ms   2 ms   2 ms   3 ms   4 ms   2 ms   3 ms   4 ms   6 ms   2 ms    3.00
PogoplugPro1  3 ms   3 ms   2 ms   3 ms   4 ms   4 ms   2 ms   2 ms   7 ms   3 ms    3.30
74.82.42.42   18 ms  18 ms  17 ms  19 ms  18 ms  19 ms  18 ms  18 ms  18 ms  17 ms   18.00
1.0.0.1       18 ms  17 ms  17 ms  23 ms  19 ms  18 ms  18 ms  21 ms  18 ms  17 ms   18.60
comodo        36 ms  36 ms  38 ms  38 ms  38 ms  37 ms  38 ms  37 ms  36 ms  39 ms   37.30
quad9-2       41 ms  42 ms  45 ms  41 ms  42 ms  40 ms  41 ms  43 ms  43 ms  40 ms   41.80
level3        49 ms  49 ms  50 ms  49 ms  49 ms  50 ms  50 ms  49 ms  49 ms  50 ms   49.40
adguard       53 ms  52 ms  52 ms  52 ms  51 ms  52 ms  54 ms  54 ms  53 ms  51 ms   52.40
cleanbrowsng  52 ms  52 ms  54 ms  53 ms  52 ms  53 ms  53 ms  54 ms  53 ms  56 ms   53.20
neustar       54 ms  54 ms  54 ms  54 ms  54 ms  54 ms  54 ms  53 ms  53 ms  55 ms   53.90
norton        56 ms  56 ms  54 ms  59 ms  55 ms  60 ms  55 ms  56 ms  56 ms  56 ms   56.30
cloudflare    55 ms  56 ms  56 ms  82 ms  55 ms  55 ms  54 ms  56 ms  56 ms  56 ms   58.10
google        55 ms  55 ms  65 ms  53 ms  56 ms  87 ms  54 ms  54 ms  56 ms  56 ms   59.10
opendns       52 ms  52 ms  53 ms  52 ms  53 ms  101 ms 52 ms  62 ms  53 ms  69 ms   59.90
quad9         62 ms  70 ms  63 ms  63 ms  63 ms  63 ms  63 ms  67 ms  63 ms  79 ms   65.60
yandex        162 ms 162 ms 162 ms 162 ms 161 ms 162 ms 162 ms 181 ms 162 ms 160 ms  163.60
freenom       75 ms  82 ms  81 ms  74 ms  80 ms  73 ms  79 ms  77 ms  79 ms  5091 ms 579.10
NAMESERVERS=`cat /opt/var/lib/unbound/root.hints | grep ^ROOT-SERVERS.NET. | cut -d " " -f 2 | sed 's/\(.*\)/&#&/'`
/opt/bin/bash dnsperftest.sh
test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 test11 test12 test13 Average
Unbound_local_DNS 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1.00
cloudflare 47 ms 50 ms 50 ms 52 ms 52 ms 52 ms 51 ms 51 ms 51 ms 50 ms 50 ms 51 ms 51 ms 50.61
level3 149 ms 149 ms 159 ms 149 ms 151 ms 150 ms 152 ms 146 ms 149 ms 149 ms 149 ms 1000 ms 146 ms 215.23
google 51 ms 50 ms 50 ms 51 ms 51 ms 175 ms 51 ms 55 ms 52 ms 51 ms 50 ms 51 ms 53 ms 60.84
quad9 92 ms 94 ms 92 ms 94 ms 93 ms 93 ms 93 ms 95 ms 92 ms 93 ms 92 ms 94 ms 93 ms 93.07
freenom 1207 ms 1197 ms 1210 ms 211 ms 206 ms 198 ms 201 ms 211 ms 330 ms 210 ms 230 ms 197 ms 218 ms 448.15
opendns 50 ms 52 ms 50 ms 52 ms 52 ms 52 ms 52 ms 52 ms 53 ms 51 ms 168 ms 52 ms 52 ms 60.61
norton 139 ms 249 ms 141 ms 142 ms 141 ms 143 ms 142 ms 140 ms 140 ms 139 ms 140 ms 142 ms 289 ms 160.53
cleanbrowsing 89 ms 88 ms 89 ms 90 ms 114 ms 89 ms 92 ms 90 ms 92 ms 142 ms 91 ms 91 ms 85 ms 95.53
yandex 253 ms 244 ms 294 ms 245 ms 252 ms 243 ms 244 ms 242 ms 244 ms 244 ms 242 ms 245 ms 244 ms 248.92
adguard 159 ms 159 ms 159 ms 161 ms 160 ms 161 ms 160 ms 160 ms 160 ms 160 ms 159 ms 160 ms 183 ms 161.61
neustar 105 ms 117 ms 118 ms 111 ms 106 ms 109 ms 107 ms 107 ms 105 ms 110 ms 106 ms 110 ms 107 ms 109.07
comodo 171 ms 171 ms 173 ms 172 ms 172 ms 178 ms 173 ms 172 ms 1000 ms 172 ms 172 ms 171 ms 171 ms 236.00
> So, overall, I see now what was meant by the adblock needing work. I am interested to see how I can help, but I see @rgnldo hinted at some changes he is perhaps creating?

The delay in updating is due to the absence of collaborators and the guarantee of a list with false positive problems. Feel free to rewrite.
#!/bin/bash
# Build the unbound adblock zone file: merge several upstream lists plus the user
# blocklist, remove user-allowed domains, emit local-zone statements, restart unbound.
destinationIP="0.0.0.0"
tempoutlist="/opt/var/lib/unbound/adblock/adlist.tmp"
outlist='/opt/var/lib/unbound/adblock/tmp.host'
finalist='/opt/var/lib/unbound/adblock/tmp.finalhost'
permlist='/opt/var/lib/unbound/adblock/permlist'   # user-allowed domains, one per line
adlist='/opt/var/lib/unbound/adblock/adservers'    # output file included by unbound.conf

echo "Removing possible temporary files.."
[ -f "$tempoutlist" ] && rm -f "$tempoutlist"
[ -f "$outlist" ] && rm -f "$outlist"
[ -f "$finalist" ] && rm -f "$finalist"

echo "Downloading StevenBlack Adlist..."
# hosts format ("0.0.0.0 host"): drop comments, loopback/IPv6 and blank lines, keep the host field
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading Domains wildcard 1 Adlist..."
curl --progress-bar https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/hosts >> "$tempoutlist"
echo "Downloading Domains wildcard 2 Adlist..."
curl --progress-bar https://raw.githubusercontent.com/dnswarden/blocklist/master/blacklist-full.txt >> "$tempoutlist"
echo "Downloading Malware domains Adlist..."
curl --progress-bar https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list >> "$tempoutlist"
echo "Combining User Custom block host..."
cat /opt/var/lib/unbound/adblock/blockhost >> "$tempoutlist"

echo "Removing duplicate formatting from the domain list..."
# normalise whitespace, strip comments and any character not valid in a host name,
# dedupe, strip CR line endings and prefix every domain with the sinkhole address
cat "$tempoutlist" | sed -r -e 's/[[:space:]]+/\t/g' | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > "$outlist"
numberOfAdsBlocked=$(cat "$outlist" | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked domains compiled"

echo "Applying User Custom list of allowed domains..."
# note: fgrep -f matches substrings, so an allowlist entry also removes every line that merely contains it
fgrep -vf "$permlist" "$outlist" > "$finalist"

echo "Generating Unbound adlist....."
cat "$finalist" | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" always_nxdomain"}' > "$adlist"
numberOfAdsBlocked=$(cat "$adlist" | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Removing temporary files..."
[ -f "$tempoutlist" ] && rm -f "$tempoutlist"
[ -f "$outlist" ] && rm -f "$outlist"
[ -f "$finalist" ] && rm -f "$finalist"
#echo "Removing log's files..."
#[ -f /opt/var/lib/unbound/unbound.log ] && rm -f /opt/var/lib/unbound/unbound.log
echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restart
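The list-building step of the script above, written out as an added example that is neither rgnldo's script nor part of unbound_manager: it merges a hosts-format list and a bare-domain list (both constructed here so it runs offline), normalises case and CRLF endings, drops allowlisted names by whole-line match instead of fgrep's substring match, and writes unbound local-zone lines. The WORK directory and all file names are my own assumptions.

```shell
#!/bin/sh
# Added example: hosts-format + bare-domain lists -> unbound local-zone file,
# with an exact-match allowlist. Sample inputs are constructed, not real lists.
WORK="${TMPDIR:-/tmp}/adblock_example.$$"
mkdir -p "$WORK"

# constructed hosts-format list (StevenBlack style) with comments and loopback noise
cat > "$WORK/hosts.txt" <<'EOF'
# Title: sample hosts file
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com    # trailing comment
0.0.0.0 tracker.example.net
EOF

# constructed bare-domain list (dnswarden style), CRLF endings and mixed case
printf 'tracker.example.net\r\nmalware.example.org\r\nAds.Example.COM\r\n' > "$WORK/domains.txt"

# constructed allowlist: must remove only this exact name, not every line containing it
printf 'ads.example.com\n' > "$WORK/permlist"

# build_adlist HOSTS DOMAINS PERMLIST OUT  -> prints the number of blocked domains
#   1. strip CR, comments and trailing whitespace; take the last field, so both
#      "0.0.0.0 host" and bare "host" lines yield the host name
#   2. drop addresses/localhost, lower-case, dedupe
#   3. remove allowlisted names by whole-line fixed-string match (grep -x -F -f)
#   4. emit the same local-zone statement the script uses
build_adlist() {
  cat "$1" "$2" \
    | tr -d '\r' \
    | sed -e 's/#.*$//' -e 's/[[:space:]]*$//' \
    | awk 'NF { print tolower($NF) }' \
    | grep -Ev '^(0\.0\.0\.0|127\.0\.0\.1|::1|localhost)$' \
    | sort -u \
    | grep -vxFf "$3" \
    | sed 's/^.*$/local-zone: "&" always_nxdomain/' > "$4"
  wc -l < "$4" | tr -d ' '
}

# run it on the constructed inputs; result file: $WORK/adservers
count_blocked() {
  build_adlist "$WORK/hosts.txt" "$WORK/domains.txt" "$WORK/permlist" "$WORK/adservers"
}
count_blocked
```

The sample files are left under $WORK so the generated adservers file can be inspected after the run.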
harden-algo-downgrade: yes
harden-below-nxdomain: yes
harden-dnssec-stripped: yes
harden-large-queries: yes
harden-short-bufsize: yes
harden-glue: yes
do-not-query-localhost: no
qname-minimisation: yes
minimal-responses: yes
rrset-roundrobin: yes
do-daemonize: no
val-clean-additional: yes
ip-ratelimit: 100
ratelimit: 1000
> If I choose to enable Stubby it throws me an error which says "DNS Privacy is not enabled in the GUI", something like this. What do I need to enable? Firmware's DoT and fill in the DoT servers in the GUI?

Yes, it relies on the firmware DoT and not installing the Entware stubby unnecessarily. I’m not a fan of it because now your requests go through dnsmasq, unbound, stubby and then out to an external resolver. Lots of hops.
Thanks. What bothers me is, if I don't use stubby and do as recommended, when I check what my DNS server is on DNS leak test websites, it reveals my real WAN IP and my ISP. I use a VPN :\ that is bad, no?
> If anyone is interested in testing out my generated list (there is a conservative one for those who like the less-is-more approach and a regular list for those who want to block a decent amount of stuff.)

It seems a rather large jump in blocking entries from the conservative adservers list (51268) currently used by unbound_manager as the default...
Code:
curl --progress-bar https://raw.githubusercontent.com/dnswarden/blocklist/master/blacklist-full.txt > /mnt/RT-AC86U/dnswardenstatic.txt
time sed 's/^.*$/local-zone: "&" always_nxdomain/' /mnt/RT-AC86U/dnswardencurrent.txt > /mnt/RT-AC86U/adblock_adserversMAX1
real 0m 7.03s
user 0m 6.87s
sys 0m 0.13s
wc -l /mnt/RT-AC86U/adblock_adserversMAX1
1359162 /mnt/RT-AC86U/adblock_adserversMAX1
but if the static conservative adservers list is out-of-date then clearly it is probably useless.
So, have you tried using the huge dnswarden list? Any adverse effects, i.e. performance/memory usage etc.?
The Australian Government logs ALL metadata of all citizens and holds it for 2 years, and the group of people who have access to such information appears to be widening.
> They could log it since it is not encrypted.

At least qname minimization makes their work a little bit harder. You always have the option of sharing that data with a VPN provider instead, but either way, you will have to "trust" somebody, because (I think) DoT support for root servers is not coming in the near future (perhaps dprive will bring some change into this field?).