SomeWhereOverTheRainBow
Part of the Furniture
Is this what the normal dnssec test looks like for unbound (unbound only)
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
- Thread starter Martineau
- Start date
New2This
Senior Member
Attachments
Martineau
Part of the Furniture
In unbound_manager under '3 = Advanced Tools' use the 'links' command to display useful clickable URLs:
e.g.
Code:
e = Exit Script
A:Option ==> 3
<snip>
sd = Show dnsmasq Statistics/Cache Size s = Show unbound statistics (s=Summary Totals; sa=All; s+=Enable Extended Stats)
scribe = Enable scribe (syslog-ng) unbound logging ad = Analyse Diversion White/Black lists ([ file_name [type=adblock] ])
dumpcache = Manually use restorecache after REBOOT ca = Cache Size Optimisation ([ 'reset' ])
dig = {domain} Show dig info e.g. dig qnamemintest.internet.nl lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links
e = Exit Script
[Enter] Leave Advanced Tools Menu
A:Option ==> links
Click https://rootcanary.org/test.html to view Web DNSSEC Test Click https://www.quad9.net/faq/#outer-wrap to view QUAD9 FAQs/servers list etc.
Click https://1.1.1.1/help to view Cloudflare. Click https://cmdns.dev.dns-oarc.net/ to view Check My DNS.
Click https://root-servers.org/ to view Live Root Server status
Skeptical.me
Very Senior Member
So, does this mean that the Government here in Australia can't log the metadata of the request to the Authoritative DNS servers? That's my main concern I have. I understand that the website can't see the DNS server I'm using.
The Australian Government logs ALL metadata of all citizens and holds it for 2 years, and the people who have access to such information appears to be widening.
They could log it since it is not encrypted.
bluzfanmr1
Senior Member
I'm loving the results with unbound. We recently moved from the burbs of a major city to a city of about 90,000 people. Almost all the dns providers are far away from here and the results are far slower than where I lived before. The dnsperftest tool is amazing. In addition to the router, I added to the test a couple of hacked Pogoplug's running Debian where I have installed Pi-hole and unbound and they too have incredible response times.
Code:
bash ./dnstest.sh |sort -k 22 -n
test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 Average
PogoplugPro2 2 ms 2 ms 2 ms 2 ms 2 ms 2 ms 2 ms 2 ms 1 ms 2 ms 1.90
ASUSrouter 2 ms 2 ms 2 ms 3 ms 4 ms 2 ms 3 ms 4 ms 6 ms 2 ms 3.00
PogoplugPro1 3 ms 3 ms 2 ms 3 ms 4 ms 4 ms 2 ms 2 ms 7 ms 3 ms 3.30
74.82.42.42 18 ms 18 ms 17 ms 19 ms 18 ms 19 ms 18 ms 18 ms 18 ms 17 ms 18.00
1.0.0.1 18 ms 17 ms 17 ms 23 ms 19 ms 18 ms 18 ms 21 ms 18 ms 17 ms 18.60
comodo 36 ms 36 ms 38 ms 38 ms 38 ms 37 ms 38 ms 37 ms 36 ms 39 ms 37.30
quad9-2 41 ms 42 ms 45 ms 41 ms 42 ms 40 ms 41 ms 43 ms 43 ms 40 ms 41.80
level3 49 ms 49 ms 50 ms 49 ms 49 ms 50 ms 50 ms 49 ms 49 ms 50 ms 49.40
adguard 53 ms 52 ms 52 ms 52 ms 51 ms 52 ms 54 ms 54 ms 53 ms 51 ms 52.40
cleanbrowsng 52 ms 52 ms 54 ms 53 ms 52 ms 53 ms 53 ms 54 ms 53 ms 56 ms 53.20
neustar 54 ms 54 ms 54 ms 54 ms 54 ms 54 ms 54 ms 53 ms 53 ms 55 ms 53.90
norton 56 ms 56 ms 54 ms 59 ms 55 ms 60 ms 55 ms 56 ms 56 ms 56 ms 56.30
cloudflare 55 ms 56 ms 56 ms 82 ms 55 ms 55 ms 54 ms 56 ms 56 ms 56 ms 58.10
google 55 ms 55 ms 65 ms 53 ms 56 ms 87 ms 54 ms 54 ms 56 ms 56 ms 59.10
opendns 52 ms 52 ms 53 ms 52 ms 53 ms 101 ms 52 ms 62 ms 53 ms 69 ms 59.90
quad9 62 ms 70 ms 63 ms 63 ms 63 ms 63 ms 63 ms 67 ms 63 ms 79 ms 65.60
yandex 162 ms 162 ms 162 ms 162 ms 161 ms 162 ms 162 ms 181 ms 162 ms 160 ms 163.60
freenom 75 ms 82 ms 81 ms 74 ms 80 ms 73 ms 79 ms 77 ms 79 ms 5091 ms 579.10Skeptical.me
Very Senior Member
Thanks for that, Dave.
Martineau
Part of the Furniture
@Martineau I know the adblock scripts do not have an owner, and I do find they work well, couple small suggested tweak:
Can the DNSWarden download link be replaced with this link:
https://raw.githubusercontent.com/dnswarden/blocklist/master/blacklist-formats/hostnames
The one used by the script is a static copy checked in Dec 2019. The link above is the regularly updated file it seems. Looking closer this new file is much larger.... so it seems this may be a bad bad ideaNot really sure the current small list is adding much, couple spot checks shows it in Steven's list.
Can the frogeye first party trackers link be replaced with this link:
https://hostfiles.frogeye.fr/firstparty-trackers.txt
This one is not in the hosts name format, so the script can drop the extra processing commands. I see this file isn't currently downloaded as the line is commented out.
The StevensBlack would be great to find one already processed.
So, overall, I see now what it meant by the adblock needing work. I am interested to see how I can help, but I see @rgnldo hinted to some changes he is perhaps creating?
It seems a rather large jump in blocking entries from the conservative adservers list (51268) currently used by unbound_manager as the default...
Code:
curl --progress-bar https://raw.githubusercontent.com/dnswarden/blocklist/master/blacklist-full.txt > /mnt/RT-AC86U/dnswardenstatic.txt
time sed 's/^.*$/local-zone: "&" always_nxdomain/' /mnt/RT-AC86U/dnswardencurrent.txt > /mnt/RT-AC86U/adblock_adserversMAX1
real 0m 7.03s
user 0m 6.87s
sys 0m 0.13s
wc -l /mnt/RT-AC86U/adblock_adserversMAX1
1359162 /mnt/RT-AC86U/adblock_adserversMAX1but if the static conservative adservers list is out-of-date then clearly it is probably useless.
So, have you tried using the huge dnswarden list? - any adverse effects i.e. performance/mem usage etc?
rgnldo
Very Senior Member
With root's server's query.
add:
Code:
NAMESERVERS=`cat /opt/var/lib/unbound/root.hints | grep ^ROOT-SERVERS.NET. | cut -d " " -f 2 | sed 's/\(.*\)/&#&/'`
Code:
/opt/bin/bash dnsperftest.sh
test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 test11 test12 test13 Average
Unbound_local_DNS 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms 1.00
cloudflare 47 ms 50 ms 50 ms 52 ms 52 ms 52 ms 51 ms 51 ms 51 ms 50 ms 50 ms 51 ms 51 ms 50.61
level3 149 ms 149 ms 159 ms 149 ms 151 ms 150 ms 152 ms 146 ms 149 ms 149 ms 149 ms 1000 ms 146 ms 215.23
google 51 ms 50 ms 50 ms 51 ms 51 ms 175 ms 51 ms 55 ms 52 ms 51 ms 50 ms 51 ms 53 ms 60.84
quad9 92 ms 94 ms 92 ms 94 ms 93 ms 93 ms 93 ms 95 ms 92 ms 93 ms 92 ms 94 ms 93 ms 93.07
freenom 1207 ms 1197 ms 1210 ms 211 ms 206 ms 198 ms 201 ms 211 ms 330 ms 210 ms 230 ms 197 ms 218 ms 448.15
opendns 50 ms 52 ms 50 ms 52 ms 52 ms 52 ms 52 ms 52 ms 53 ms 51 ms 168 ms 52 ms 52 ms 60.61
norton 139 ms 249 ms 141 ms 142 ms 141 ms 143 ms 142 ms 140 ms 140 ms 139 ms 140 ms 142 ms 289 ms 160.53
cleanbrowsing 89 ms 88 ms 89 ms 90 ms 114 ms 89 ms 92 ms 90 ms 92 ms 142 ms 91 ms 91 ms 85 ms 95.53
yandex 253 ms 244 ms 294 ms 245 ms 252 ms 243 ms 244 ms 242 ms 244 ms 244 ms 242 ms 245 ms 244 ms 248.92
adguard 159 ms 159 ms 159 ms 161 ms 160 ms 161 ms 160 ms 160 ms 160 ms 160 ms 159 ms 160 ms 183 ms 161.61
neustar 105 ms 117 ms 118 ms 111 ms 106 ms 109 ms 107 ms 107 ms 105 ms 110 ms 106 ms 110 ms 107 ms 109.07
comodo 171 ms 171 ms 173 ms 172 ms 172 ms 178 ms 173 ms 172 ms 1000 ms 172 ms 172 ms 171 ms 171 ms 236.00rgnldo
Very Senior Member
The delay in updating is due to the absence of collaborators and the guarantee of a list with false positive problems. Feel free to rewrite.
update gen_adblock.sh
Code:
#!/bin/bash
destinationIP="0.0.0.0"
tempoutlist="/opt/var/lib/unbound/adblock/adlist.tmp"
outlist='/opt/var/lib/unbound/adblock/tmp.host'
finalist='/opt/var/lib/unbound/adblock/tmp.finalhost'
permlist='/opt/var/lib/unbound/adblock/permlist'
adlist='/opt/var/lib/unbound/adblock/adservers'
echo "Removing possible temporary files.."
[ -f $tempoutlist ] && rm -f $tempoutlist
[ -f $outlist ] && rm -f $outlist
[ -f $finalist ] && rm -f $finalist
echo "Dowloading StevenBlack Adlist..."
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Dowloading Domains wildcard 1 Adlist..."
curl --progress-bar https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/hosts >> $tempoutlist
echo "Dowloading Domains wildcard 2 Adlist..."
curl --progress-bar https://raw.githubusercontent.com/dnswarden/blocklist/master/blacklist-full.txt >> $tempoutlist
echo "Dowloading Malware domains Adlist..."
curl --progress-bar https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list >> $tempoutlist
echo "Combining User Custom block host..."
cat /opt/var/lib/unbound/adblock/blockhost >> $tempoutlist
echo "Removing duplicate formatting from the domain list..."
cat $tempoutlist | sed -r -e 's/[[:space:]]+/\t/g' | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > $outlist
numberOfAdsBlocked=$(cat $outlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked domains compiled"
echo "Edit User Custon list of allowed domains..."
fgrep -vf $permlist $outlist > $finalist
echo "Generating Unbound adlist....."
cat $finalist | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" always_nxdomain"}' > $adlist
numberOfAdsBlocked=$(cat $adlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
echo "Removing temporary files..."
[ -f $tempoutlist ] && rm -f $tempoutlist
[ -f $outlist ] && rm -f $outlist
[ -f $finalist ] && rm -f $finalist
#echo "Removing log's files..."
#[ -f /opt/var/lib/unbound/unbound.log ] && rm -f /opt/var/lib/unbound/unbound.log
echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restartFor best efficiency, check your unbound.conf for these options
Code:
harden-algo-downgrade: yes
harden-below-nxdomain: yes
harden-dnssec-stripped: yes
harden-large-queries: yes
harden-short-bufsize: yes
harden-glue: yes
do-not-query-localhost: no
qname-minimisation: yes
minimal-responses: yes
rrset-roundrobin: yes
do-daemonize: no
val-clean-additional: yes
ip-ratelimit: 100
ratelimit: 1000
Last edited:
juched
Very Senior Member
I have not tried the huge list, and I do not recommend it. As I was creating my message I did further evaluation and saw how big it was and that is why I added the message to not change.
Am considering making the script read from a file with URL and format (host vs. domain list) and then the script just needs to go through the cfg txt file and do one line at a time.... I will see what I can do.
Yes, it relies on the firmware DoT and not installing the Entware stubby unnecessarily. I’m not a fan of it because now your requests go through dnsmasq, unbound, stubby and then out to an external resolver. Lots of hops.
Thanks. What bothers me is , if I don't use stubby and do as recommended , when I check what is my DNS server on DNS LEAK test websites, it reveals my real WAN IP and my ISP provider. I use VPN :\ it is bad no?
D
Deleted member 62525
Guest
I have my VPN DNS set to Disable. This way Unbound is only used as resolver and you will see only your WAN IP.
SomeWhereOverTheRainBow
Part of the Furniture
If any one is interested in testing out my generated list (there is a conservative for those who like less=more approach and a regular list for those who want to block a decent amount of stuff.)
https://github.com/jumpsmm7/MyGeneratedDomainsList
*Edit*
At some point I will include an IP-set list, but i am not there yet with adapting my compiling.
Last edited:
SomeWhereOverTheRainBow
Part of the Furniture
So one thing I am noticing with Unbound is I am able to properly reverse lookup my ipv4 lan, but I am unable to properly reverse lookup ipv6 lan. everything ipv6 lan comes back with NXdomain. Has anyone who is using IPV6 tested this out?
At least qname minimization makes their work a little bit harder. You always have the option of sharing that data with a VPN provider instead, but either way, you will have to "trust" somebody, because (I think) DoT support for root servers are not coming in the near future (perhaps dprive will bring some change into this field?).
Similar threads
Similar threads
Similar threads
-
Unbound Force all DNS requests through Unbound using iptables?- Started by muffintastic
- Replies: 14
-
-
-
-
-
-
Is it possible to use nord dns with unbound or any way to add it?- Started by Jack-Sparr0w
- Replies: 9
-
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-