
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


Is this what the normal DNSSEC test looks like for unbound (unbound only)?

[attached screenshot: upload_2020-2-24_22-22-14.png]
 
Where can one run this test?
In unbound_manager under '3 = Advanced Tools' use the 'links' command to display useful clickable URLs:

e.g.
Code:
e  = Exit Script

A:Option ==> 3

<snip>

sd = Show dnsmasq Statistics/Cache Size                              s  = Show unbound statistics (s=Summary Totals; sa=All; s+=Enable Extended Stats)

scribe = Enable scribe (syslog-ng) unbound logging                   ad = Analyse Diversion White/Black lists ([ file_name [type=adblock] ])
dumpcache = Manually use restorecache after REBOOT                   ca = Cache Size Optimisation  ([ 'reset' ])

dig = {domain} Show dig info e.g. dig qnamemintest.internet.nl       lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                         dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links


e  = Exit Script

[Enter] Leave Advanced Tools Menu

A:Option ==> links

Click https://rootcanary.org/test.html to view Web DNSSEC Test        Click https://www.quad9.net/faq/#outer-wrap to view QUAD9 FAQs/servers list etc.
Click https://1.1.1.1/help to view Cloudflare.                        Click https://cmdns.dev.dns-oarc.net/ to view Check My DNS.
Click https://root-servers.org/ to view Live Root Server status
 
Authoritative DNS servers will see recursive requests coming from your WAN IP. But that doesn’t mean the destination websites see your WAN IP if they are routed through a VPN client.

So, does this mean that the Government here in Australia can't log the metadata of the request to the Authoritative DNS servers? That's my main concern I have. I understand that the website can't see the DNS server I'm using.

The Australian Government logs ALL metadata of all citizens and holds it for 2 years, and the people who have access to such information appears to be widening.
 
I'm loving the results with unbound. We recently moved from the burbs of a major city to a city of about 90,000 people. Almost all the DNS providers are far away from here and the results are far slower than where I lived before. The dnsperftest tool is amazing. In addition to the router, I added to the test a couple of hacked Pogoplugs running Debian where I have installed Pi-hole and unbound, and they too have incredible response times.

Code:
bash ./dnstest.sh |sort -k 22 -n
             test1   test2   test3   test4   test5   test6   test7   test8   test9   test10  Average
PogoplugPro2 2 ms    2 ms    2 ms    2 ms    2 ms    2 ms    2 ms    2 ms    1 ms    2 ms      1.90
ASUSrouter   2 ms    2 ms    2 ms    3 ms    4 ms    2 ms    3 ms    4 ms    6 ms    2 ms      3.00
PogoplugPro1 3 ms    3 ms    2 ms    3 ms    4 ms    4 ms    2 ms    2 ms    7 ms    3 ms      3.30
74.82.42.42  18 ms   18 ms   17 ms   19 ms   18 ms   19 ms   18 ms   18 ms   18 ms   17 ms     18.00
1.0.0.1      18 ms   17 ms   17 ms   23 ms   19 ms   18 ms   18 ms   21 ms   18 ms   17 ms     18.60
comodo       36 ms   36 ms   38 ms   38 ms   38 ms   37 ms   38 ms   37 ms   36 ms   39 ms     37.30
quad9-2      41 ms   42 ms   45 ms   41 ms   42 ms   40 ms   41 ms   43 ms   43 ms   40 ms     41.80
level3       49 ms   49 ms   50 ms   49 ms   49 ms   50 ms   50 ms   49 ms   49 ms   50 ms     49.40
adguard      53 ms   52 ms   52 ms   52 ms   51 ms   52 ms   54 ms   54 ms   53 ms   51 ms     52.40
cleanbrowsng 52 ms   52 ms   54 ms   53 ms   52 ms   53 ms   53 ms   54 ms   53 ms   56 ms     53.20
neustar      54 ms   54 ms   54 ms   54 ms   54 ms   54 ms   54 ms   53 ms   53 ms   55 ms     53.90
norton       56 ms   56 ms   54 ms   59 ms   55 ms   60 ms   55 ms   56 ms   56 ms   56 ms     56.30
cloudflare   55 ms   56 ms   56 ms   82 ms   55 ms   55 ms   54 ms   56 ms   56 ms   56 ms     58.10
google       55 ms   55 ms   65 ms   53 ms   56 ms   87 ms   54 ms   54 ms   56 ms   56 ms     59.10
opendns      52 ms   52 ms   53 ms   52 ms   53 ms   101 ms  52 ms   62 ms   53 ms   69 ms     59.90
quad9        62 ms   70 ms   63 ms   63 ms   63 ms   63 ms   63 ms   67 ms   63 ms   79 ms     65.60
yandex       162 ms  162 ms  162 ms  162 ms  161 ms  162 ms  162 ms  181 ms  162 ms  160 ms    163.60
freenom      75 ms   82 ms   81 ms   74 ms   80 ms   73 ms   79 ms   77 ms   79 ms   5091 ms   579.10
 
@Martineau I know the adblock scripts do not have an owner, and I do find they work well; a couple of small suggested tweaks:

Can the DNSWarden download link be replaced with this link:
https://raw.githubusercontent.com/dnswarden/blocklist/master/blacklist-formats/hostnames

The one used by the script is a static copy checked in Dec 2019. The link above is the regularly updated file, it seems. Looking closer, this new file is much larger.... so it seems this may be a bad bad idea :) Not really sure the current small list is adding much; a couple of spot checks show it in Steven's list.

Can the frogeye first party trackers link be replaced with this link:
https://hostfiles.frogeye.fr/firstparty-trackers.txt

This one is not in the hosts name format, so the script can drop the extra processing commands. I see this file isn't currently downloaded as the line is commented out.

The StevensBlack would be great to find one already processed.


So, overall, I see now what was meant by the adblock needing work. I am interested to see how I can help, but I see @rgnldo hinted at some changes he is perhaps creating?

It seems a rather large jump in blocking entries from the conservative adservers list (51268) currently used by unbound_manager as the default...
Code:
curl --progress-bar https://raw.githubusercontent.com/dnswarden/blocklist/master/blacklist-full.txt > /mnt/RT-AC86U/dnswardenstatic.txt
 
time sed 's/^.*$/local-zone: "&" always_nxdomain/' /mnt/RT-AC86U/dnswardencurrent.txt > /mnt/RT-AC86U/adblock_adserversMAX1
 
  real 0m 7.03s
  user 0m 6.87s
  sys 0m 0.13s
 
  wc -l /mnt/RT-AC86U/adblock_adserversMAX1
 
        1359162 /mnt/RT-AC86U/adblock_adserversMAX1

but if the static conservative adservers list is out-of-date then clearly it is probably useless.

So, have you tried using the huge dnswarden list? - any adverse effects i.e. performance/mem usage etc?
 

With root servers' query.
add:
Code:
NAMESERVERS=`cat /opt/var/lib/unbound/root.hints | grep ^ROOT-SERVERS.NET. | cut -d " " -f 2 | sed 's/\(.*\)/&#&/'`

Code:
/opt/bin/bash dnsperftest.sh
                 test1   test2   test3   test4   test5   test6   test7   test8   test9   test10  test11  test12  test13  Average
Unbound_local_DNS 1 ms    1 ms    1 ms    1 ms    1 ms    1 ms    1 ms    1 ms    1 ms    1 ms    1 ms    1 ms    1 ms      1.00
cloudflare        47 ms   50 ms   50 ms   52 ms   52 ms   52 ms   51 ms   51 ms   51 ms   50 ms   50 ms   51 ms   51 ms     50.61
level3            149 ms  149 ms  159 ms  149 ms  151 ms  150 ms  152 ms  146 ms  149 ms  149 ms  149 ms  1000 ms 146 ms    215.23
google            51 ms   50 ms   50 ms   51 ms   51 ms   175 ms  51 ms   55 ms   52 ms   51 ms   50 ms   51 ms   53 ms     60.84
quad9             92 ms   94 ms   92 ms   94 ms   93 ms   93 ms   93 ms   95 ms   92 ms   93 ms   92 ms   94 ms   93 ms     93.07
freenom           1207 ms 1197 ms 1210 ms 211 ms  206 ms  198 ms  201 ms  211 ms  330 ms  210 ms  230 ms  197 ms  218 ms    448.15
opendns           50 ms   52 ms   50 ms   52 ms   52 ms   52 ms   52 ms   52 ms   53 ms   51 ms   168 ms  52 ms   52 ms     60.61
norton            139 ms  249 ms  141 ms  142 ms  141 ms  143 ms  142 ms  140 ms  140 ms  139 ms  140 ms  142 ms  289 ms    160.53
cleanbrowsing     89 ms   88 ms   89 ms   90 ms   114 ms  89 ms   92 ms   90 ms   92 ms   142 ms  91 ms   91 ms   85 ms     95.53
yandex            253 ms  244 ms  294 ms  245 ms  252 ms  243 ms  244 ms  242 ms  244 ms  244 ms  242 ms  245 ms  244 ms    248.92
adguard           159 ms  159 ms  159 ms  161 ms  160 ms  161 ms  160 ms  160 ms  160 ms  160 ms  159 ms  160 ms  183 ms    161.61
neustar           105 ms  117 ms  118 ms  111 ms  106 ms  109 ms  107 ms  107 ms  105 ms  110 ms  106 ms  110 ms  107 ms    109.07
comodo            171 ms  171 ms  173 ms  172 ms  172 ms  178 ms  173 ms  172 ms  1000 ms 172 ms  172 ms  171 ms  171 ms    236.00
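
The one-liner above builds the NAMESERVERS entries by cutting root.hints on single spaces, which depends on how the file happens to be aligned. As an added example (not dnsperftest's or unbound_manager's own code), the function below reads the A records (and optionally the AAAA records) from a root.hints file with awk, which tolerates any whitespace, and prints them in the "ip#label" shape that dnsperftest.sh's NAMESERVERS list uses. The root.hints excerpt it ships with is a constructed sample in the InterNIC layout, and the function name is my own.

```sh
#!/bin/sh
# Added example, not part of dnsperftest.sh or unbound_manager: emit "ip#label"
# entries for dnsperftest's NAMESERVERS list from a root.hints file.

# Print "ip#label" for every A record in root.hints; with $2 = yes also AAAA.
root_hints_to_nameservers() {   # $1 = root.hints file, $2 = include IPv6 (yes/no)
    awk -v v6="$2" '
        /^[ \t]*;/ || NF < 4 { next }                 # skip comments and short lines
        $3 == "A" || (v6 == "yes" && $3 == "AAAA") {  # NS lines never match here
            label = tolower($1); sub(/\.$/, "", label) # A.ROOT-SERVERS.NET. -> a.root-servers.net
            print $4 "#" label
        }
    ' "$1"
}

# Constructed excerpt in the InterNIC root.hints layout (not the complete file).
write_sample_hints() {   # $1 = output file
    cat > "$1" <<'EOF'
;       This file holds the information on root name servers (constructed sample)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
EOF
}

# "sh thisfile.sh demo" prints the entries for the sample; on a router the real
# file would be passed instead, e.g. root_hints_to_nameservers /opt/var/lib/unbound/root.hints no
if [ "$1" = "demo" ]; then
    f=$(mktemp)
    write_sample_hints "$f"
    root_hints_to_nameservers "$f" yes
    rm -f "$f"
fi
```

The output lines are meant to be appended to the NAMESERVERS variable in dnsperftest.sh. Keep in mind what the numbers then mean: a root server answers a test query with a referral, not a final answer, so its row measures round-trip time to the root, while the 1 ms "Unbound_local_DNS" row mostly measures cache hits on the router.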
 
So, overall, I see now what was meant by the adblock needing work. I am interested to see how I can help, but I see @rgnldo hinted at some changes he is perhaps creating?
The delay in updating is due to the absence of collaborators and the guarantee of a list with false positive problems. Feel free to rewrite.
update gen_adblock.sh
Code:
#!/bin/bash
# gen_adblock.sh - build the unbound "always_nxdomain" adblock list from several sources
destinationIP="0.0.0.0"
tempoutlist="/opt/var/lib/unbound/adblock/adlist.tmp"
outlist='/opt/var/lib/unbound/adblock/tmp.host'
finalist='/opt/var/lib/unbound/adblock/tmp.finalhost'
permlist='/opt/var/lib/unbound/adblock/permlist'     # user list of allowed domains
adlist='/opt/var/lib/unbound/adblock/adservers'      # generated list read by unbound

echo "Removing possible temporary files.."
[ -f $tempoutlist ] && rm -f $tempoutlist
[ -f $outlist ] && rm -f $outlist
[ -f $finalist ] && rm -f $finalist

# hosts-format source: drop comments, the ::1 and "0.0.0.0 0.0.0.0" lines, keep only the name field
echo "Downloading StevenBlack Adlist..."
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
# plain domain-list sources: one name per line, appended as-is
echo "Downloading Domains wildcard 1 Adlist..."
curl --progress-bar https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/hosts >> $tempoutlist
echo "Downloading Domains wildcard 2 Adlist..."
curl --progress-bar https://raw.githubusercontent.com/dnswarden/blocklist/master/blacklist-full.txt >> $tempoutlist
echo "Downloading Malware domains Adlist..."
curl --progress-bar https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list >> $tempoutlist

echo "Combining User Custom block host..."
cat /opt/var/lib/unbound/adblock/blockhost >> $tempoutlist

# normalise whitespace, strip trailing comments and stray characters, remove duplicates,
# then prefix every name with the sinkhole IP so all lines share the hosts format
echo "Removing duplicate formatting from the domain list..."
cat $tempoutlist | sed -r -e 's/[[:space:]]+/\t/g' | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > $outlist
numberOfAdsBlocked=$(cat $outlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked domains compiled"

# drop every line that contains an allowed domain (fixed-string substring match)
echo "Edit User Custom list of allowed domains..."
fgrep -vf $permlist $outlist  > $finalist

# turn each "0.0.0.0 name" line into an unbound local-zone statement
echo "Generating Unbound adlist....."
cat $finalist | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" always_nxdomain"}' > $adlist
numberOfAdsBlocked=$(cat $adlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Removing temporary files..."
[ -f $tempoutlist ] && rm -f $tempoutlist
[ -f $outlist ] && rm -f $outlist
[ -f $finalist ] && rm -f $finalist

#echo "Removing log's files..."
#[ -f /opt/var/lib/unbound/unbound.log ] && rm -f /opt/var/lib/unbound/unbound.log
echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restart

For best efficiency, check your unbound.conf for these options
Code:
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    harden-glue: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    minimal-responses: yes
    rrset-roundrobin: yes
    do-daemonize: no
    val-clean-additional: yes
    ip-ratelimit: 100
    ratelimit: 1000
I have a new script, but for now for my own use, since I know where to fix it.
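
The list of hardening options above is easy to check by eye once, but drifts after edits. As an added example (not an unbound_manager feature or rgnldo's code), the script below compares the yes/no options from that list against a unbound.conf and reports any that are unset or set differently; it treats the last occurrence of an option as the effective one. The conf it ships with is a constructed sample that deliberately has one weak setting and one option missing. The numeric and deployment-specific options from the list (ip-ratelimit, ratelimit, do-not-query-localhost, do-daemonize) are left out on purpose, since their right value depends on the setup.

```sh
#!/bin/sh
# Added example, not part of unbound_manager: audit a unbound.conf for the
# hardening options recommended in the thread. Function names are my own.

# Expected "option value" pairs (the yes/no items from the list above).
EXPECTED='harden-algo-downgrade yes
harden-below-nxdomain yes
harden-dnssec-stripped yes
harden-large-queries yes
harden-short-bufsize yes
harden-glue yes
qname-minimisation yes
minimal-responses yes
rrset-roundrobin yes
val-clean-additional yes'

# Print the value of one "server:" option from the conf file; empty if unset.
conf_value() {   # $1 = conf file, $2 = option name (without the colon)
    awk -v key="$2:" '
        { sub(/#.*$/, "") }            # drop comments
        $1 == key { val = $2 }         # last occurrence is taken as effective
        END { print val }
    ' "$1"
}

# Print one line per expected option that is unset or has a different value.
audit_conf() {   # $1 = conf file
    while read -r opt want; do
        got=$(conf_value "$1" "$opt")
        [ "$got" = "$want" ] || printf '%s: %s (expected %s)\n' "$opt" "${got:-unset}" "$want"
    done <<EOF
$EXPECTED
EOF
}

# Constructed sample conf: qname-minimisation weakened, val-clean-additional missing.
write_sample_conf() {   # $1 = output file
    cat > "$1" <<'EOF'
server:
    verbosity: 1
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    harden-glue: yes
    qname-minimisation: no   # weak: every upstream sees the full query name
    minimal-responses: yes
    rrset-roundrobin: yes
    # val-clean-additional is not set at all
EOF
}

# "sh thisfile.sh demo" audits the sample; on a router pass the real file,
# e.g. audit_conf /opt/var/lib/unbound/unbound.conf
if [ "$1" = "demo" ]; then
    f=$(mktemp)
    write_sample_conf "$f"
    audit_conf "$f"
    rm -f "$f"
fi
```

On a live router the same question can be put to unbound itself with unbound-checkconf -o &lt;option&gt; (for example unbound-checkconf -o qname-minimisation), which reports the value unbound actually parses, including defaults; the script above only reads the file, so an option that is unset and defaults to yes is still flagged, which is the conservative behaviour for a checklist.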
 
So, have you tried using the huge dnswarden list? - any adverse effects i.e. performance/mem usage etc?

I have not tried the huge list, and I do not recommend it. As I was creating my message I did further evaluation and saw how big it was and that is why I added the message to not change.

Am considering making the script read from a file with URL and format (host vs. domain list) and then the script just needs to go through the cfg txt file and do one line at a time.... I will see what I can do.
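
The table-driven approach described above, where each source is listed with its format (hosts file versus plain domain list) and the script handles one line at a time, can be sketched as follows. This is an added example, not unbound_manager's or gen_adblock.sh's code: normalisation is done once per format, the sources are merged and de-duplicated, an allow-list of exact names is removed, and the result is written as unbound local-zone lines. The inputs here are constructed local files instead of curl downloads, and the function and file names are my own.

```sh
#!/bin/sh
# Added example, not code from unbound_manager or gen_adblock.sh: build an
# unbound "always_nxdomain" list from a "source format" table with an allow-list.

# Print the bare domain names found in one source file.
#   hosts  : "0.0.0.0 name [name ...]" (or 127.0.0.1); other sinkhole IPs are ignored
#   domain : exactly one name per line
normalize_list() {   # $1 = format, $2 = file
    awk -v fmt="$1" '
        function emit(d) {
            d = tolower(d)
            if (d == "" || d == "0.0.0.0" || d == "localhost" || d == "localhost.localdomain" \
                || d == "local" || d == "broadcasthost") return
            if (d ~ /^[a-z0-9._-]+$/) print d      # keep only plausible host names
        }
        { sub(/\r$/, ""); sub(/#.*$/, "") }          # strip CR and comments
        NF == 0 { next }
        fmt == "hosts" && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) emit($i)      # IP first, then one or more names
        }
        fmt == "domain" && NF == 1 { emit($1) }     # a line with spaces is not a domain
    ' "$2"
}

# Merge every source in the table ("file format" per line), remove allow-listed
# names (exact match), write local-zone lines to $3 and print how many were written.
build_blocklist() {   # $1 = source table, $2 = allow-list file, $3 = output file
    tmp=$(mktemp)
    while read -r src fmt; do
        if [ -n "$src" ]; then
            normalize_list "$fmt" "$src" >> "$tmp"
        fi
    done < "$1"
    sort -u "$tmp" | grep -vxF -f "$2" \
        | awk '{ printf "local-zone: \"%s\" always_nxdomain\n", $1 }' > "$3"
    rm -f "$tmp"
    wc -l < "$3" | tr -d ' '
}

# Constructed sample inputs (not real block lists), written into directory $1.
make_sample_data() {
    printf '# hosts-format source\n0.0.0.0 0.0.0.0\n0.0.0.0 ads.example.test\n0.0.0.0 Tracker.Example.Test # inline comment\n::1 localhost ip6-localhost\n' > "$1/hosts"
    printf 'cdn.example.test\r\nads.example.test\nbad name.test\n' > "$1/domains"
    printf 'cdn.example.test\n' > "$1/allow"
    printf '%s hosts\n%s domain\n' "$1/hosts" "$1/domains" > "$1/sources.cfg"
}

# "sh thisfile.sh demo" builds the list for the sample data and prints it.
if [ "$1" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_data "$d"
    echo "$(build_blocklist "$d/sources.cfg" "$d/allow" "$d/adservers") zones written:"
    cat "$d/adservers"
    rm -rf "$d"
fi
```

Two design points differ from the script earlier in the thread: the allow-list is matched as whole names (grep -x) rather than as substrings, so allowing "example.test" does not silently un-block "example.testing.com", and a domain-list line containing whitespace is rejected instead of having its first word blocked. For the sample, the duplicate ads.example.test is collapsed, cdn.example.test is removed by the allow-list, and two zones remain.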
 
If I choose to enable Stubby it throws me an error which says "DNS Privacy is not enabled in the GUI" something like this. What do I need to enable? Firmware's DoT and fill the DoT servers in GUI?
 
Yes, it relies on the firmware DoT and not installing the Entware stubby unnecessarily. I’m not a fan of it because now your requests go through dnsmasq, unbound, stubby and then out to an external resolver. Lots of hops.
 

Thanks. What bothers me is, if I don't use stubby and do as recommended, when I check what my DNS server is on DNS leak test websites, it reveals my real WAN IP and my ISP provider. I use VPN :\ it is bad, no?
 

I have my VPN DNS set to Disable. This way Unbound is only used as resolver and you will see only your WAN IP.
 
If anyone is interested in testing out my generated list (there is a conservative one for those who like the less-is-more approach and a regular list for those who want to block a decent amount of stuff):

https://github.com/jumpsmm7/MyGeneratedDomainsList


*Edit*
At some point I will include an IP-set list, but I am not there yet with adapting my compiling.
 
So one thing I am noticing with Unbound is I am able to properly reverse lookup my IPv4 LAN, but I am unable to properly reverse lookup my IPv6 LAN. Everything on the IPv6 LAN comes back with NXDOMAIN. Has anyone who is using IPv6 tested this out?
 
The Australian Government logs ALL metadata of all citizens and holds it for 2 years, and the people who have access to such information appears to be widening.
They could log it since it is not encrypted.
At least qname minimisation makes their work a little bit harder. You always have the option of sharing that data with a VPN provider instead, but either way, you will have to "trust" somebody, because (I think) DoT support for root servers is not coming in the near future (perhaps dprive will bring some change into this field?).
 
