Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
- Thread starter Martineau
- Start date
60% is about my maximum. What’s really interesting is looking at the 24 hour cache hit rate after, say, visiting several sites I’ve never visited before, and guessing what that brings the hit rate down to.
Martineau
Part of the Furniture
I pushed a v2.17 Hofix earlier (md5=e28cdca3082aee5bda4b51b411b64e79), to correct the 'unbound_manager reload config=' feature.
I have been using my hacked version of 'gen_adblock.sh' v1.04
Code:
Say(){
echo -e $$ $@ | logger -st "($(basename $0))"
}
#echo "Restarting Unbound DNS server...";SayT "Restarting Unbound DNS server..." # Martineau Hack
#/jffs/addons/unbound/unbound_manager.sh restart
Say "Reloading unbound config..." # Martineau Hack
if [ -n "$(pidof unbound)" ];then # Martineau Hack
/jffs/addons/unbound/unbound_manager.sh reload config=/opt/var/lib/unbound/unbound.conf
else
Say "Warning unbound NOT running"
fi
#echo "Adblock update complete!"
Say "Adblock update complete!" # Martineau Hack
Code:
sh /opt/var/lib/unbound/adblock/gen_adblock.sh
(gen_adblock.sh): 21981 Ad Block v1.0.4 update starting.....
Number of adblocked (ads/malware/tracker) and blacklisted domains: 51543
Last updated: Sat Mar 14 13:26:21 2020
Removing possible temporary files..
Attempting to Download https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
######################################################################## 100.0%
Downloading User Allow List...
Combining User Custom block host...
Filtering user requested domains from adblock list...
Filtering required domains from adblock list...
Removing unnecessary formatting from the domain list...
51543 domains compiled
Generating Unbound adlist.....
Removing temporary files...
(gen_adblock.sh): 21981 Reloading unbound config...
Reloading 'unbound.conf' <<== /opt/var/lib/unbound/unbound.conf status=ok
(gen_adblock.sh): 21981 Adblock update complete!
and in Syslog...just in case unbound isn't UP and as confirmation that the Ad Block cron job did actually run!
Mar 14 13:53:05 RT-AC68U (gen_adblock.sh): 23622 Ad Block v1.0.4 update starting.....
Mar 14 13:53:16 RT-AC68U (gen_adblock.sh): 23622 Reloading unbound config...
Mar 14 13:53:20 RT-AC68U (gen_adblock.sh): 23622 Adblock update complete!EDIT: Updated to v1.05 using command
Code:
e = Exit Script
A:Option ==> i 3
Code:
_____ _ _ _ _
| _ |_| | |_| |___ ___| |_
| | . | . | | . | _| '_|
|__|__|___|___|_|___|___|_,_|
@juched - v1.0.5 - Thanks to @SomeWhereOverTheRainBow
Removing possible temporary files..
Downloading list(s) from block site(s) configured...
Attempting to Download 1 of 4 from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts.
######################################################################## 100.0%
Attempting to Download 2 of 4 from #https://hosts-file.net/ad_servers.txt.
curl: (3) URL using bad/illegal format or missing URL
Attempting to Download 3 of 4 from #https://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext.
curl: (3) URL using bad/illegal format or missing URL
Downloading list(s) from allow site(s) configured...
Adding user requested hosts to list...
Removing user requested hosts from list...
Removing required hosts from list...
Removing unnecessary formatting from the domain list...
Generating Unbound adlist.....
Number of adblocked hosts: 51545
Removing temporary files...
Restarting Unbound DNS server...So I think this hack is very useful
Code:
for url in $(echo $line); do
[ "${url:0:1}" == "#" ] && continue # Martineau Hack
echo "Attempting to Download $url"
curl --progress-bar $url | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $NF}' | grep -v '^\\' | grep -v '\\$'| sort >> $list
dos2unix $list
done
Last edited:
juched
Very Senior Member
Great suggestions, I am incorporating and playing with reload.
Is there a change that can get the gen_adblock.sh output into the unbound logger, so they show up in the scribe bucket with unbound?
--- edit ---
I can confirm that the reload resets all the stats, extended stats, etc. This impacts the cache hit precentage as well as after reload the size of the in memory cache drops.
So, not sure this is really better than restart for saving performance.
Last edited:
Martineau
Part of the Furniture
Use 'logger' rather than 'echo'
Code:
logger -t "unbound" "this should be picked up by scribe"Yup, whilst there is nothing we can do to retain the stats, perhaps we should always read the docs for the unbound-control utility
I've pushed v2.17 Hotfix
Version=2.17
Github md5=e5e05e28d6428f3cf7ddf6da359a0e8b
Github md5=e5e05e28d6428f3cf7ddf6da359a0e8b
So Ad Block users should use
Code:
e = Exit Script
A:Option ==> i 3
D
Deleted member 62525
Guest
I am not sure if this is related to Unbound but here it goes. When trying to implement vpnclient failover, once I switch to any vpnclient other than #1 in the gui interface all my network clients loose access to the web. For testing purposes I do things manually at this point. The vpnclient1 and vpnclient2 are configured exactly the same including access policies. VPN DNS is set to disabled in both.
I use NordVPN and have vpnclient1 connect auto on boot. That always work and no issues. When I manually turn off vpnclient1
and turn on vpnclient2 I get the Nord IP in the gui so I know it has connected and routing tables have been set. At that point I can SSH to the router invoke unbound_manager and perform dig commands and they work fine. Problem is that browser access for clients is disabled and I am unable to go to any site.
If I switch back to vpnclient1 everything starts to work again. Nothing is showing in the log files. When I switched to vpnclient2 I tried restarting Unbound and that did not help. I don't know what else I can do to find the issue. I also tried to change VPN DNS setting to Relaxed and it did not make a difference. I tried to set WAN DNS to Automatic and remove DoT servers. That also did not make a difference.
Update.
I configured vpnclient1 and vpnclient2 with the same NordVPN server and configuration.
What is interesting is that only vpnclient1 works. If I switch to vpnclient2 browser connectivity stops. So in my view this is not a configuration issue or NordVPN server since they are the same.
I am on fw 384.15 and at this point I am wondering if I have hit the bug with the firmware.
Update.
Did a router reset, reconfigured manually all settings (no jffs). Configured 2 separate vpnclients.
Perform test manually switching between vpnclient1 and vpnclient2. Does NOT work.
Only vpnclient1 works. We know that this is a firmware issue. I will raise is as a bug.
I use NordVPN and have vpnclient1 connect auto on boot. That always work and no issues. When I manually turn off vpnclient1
and turn on vpnclient2 I get the Nord IP in the gui so I know it has connected and routing tables have been set. At that point I can SSH to the router invoke unbound_manager and perform dig commands and they work fine. Problem is that browser access for clients is disabled and I am unable to go to any site.
If I switch back to vpnclient1 everything starts to work again. Nothing is showing in the log files. When I switched to vpnclient2 I tried restarting Unbound and that did not help. I don't know what else I can do to find the issue. I also tried to change VPN DNS setting to Relaxed and it did not make a difference. I tried to set WAN DNS to Automatic and remove DoT servers. That also did not make a difference.
Update.
I configured vpnclient1 and vpnclient2 with the same NordVPN server and configuration.
What is interesting is that only vpnclient1 works. If I switch to vpnclient2 browser connectivity stops. So in my view this is not a configuration issue or NordVPN server since they are the same.
I am on fw 384.15 and at this point I am wondering if I have hit the bug with the firmware.
Update.
Did a router reset, reconfigured manually all settings (no jffs). Configured 2 separate vpnclients.
Perform test manually switching between vpnclient1 and vpnclient2. Does NOT work.
Only vpnclient1 works. We know that this is a firmware issue. I will raise is as a bug.
Attachments
Last edited by a moderator:
juched
Very Senior Member
Good catch on the docs [emoji12]
I am using logger but it shows up in message and not unbound section. That is the question. Perhaps a change to the syslog config file for unbound logs is needed to include it.
So, if you run “i 3” it only does the install for adblock and leave the rest as is?
Thx
Martineau
Part of the Furniture
It works for me...
Code:
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.000000 0.000001 13
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.000256 0.000512 1
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.002048 0.004096 1
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.004096 0.008192 9
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.008192 0.016384 20
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.016384 0.032768 20
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.032768 0.065536 32
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.065536 0.131072 28
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.131072 0.262144 13
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.262144 0.524288 13
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 0.524288 1.000000 9
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 1.000000 2.000000 2
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info: 2.000000 4.000000 2
Mar 14 14:26:28 RT-AC68U (unbound_manager.sh): 6867 Starting Script Execution (restart)
Mar 14 14:26:31 RT-AC68U S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar 14 14:26:41 RT-AC68U (unbound_manager): 7293 Starting Script Execution (menu)
Mar 14 14:28:15 RT-AC68U (unbound_manager.sh): 11269 Starting Script Execution (restart)
Mar 14 14:28:18 RT-AC68U S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar 14 14:28:49 RT-AC68U (unbound_manager): 11780 Starting Script Execution (menu)
Mar 14 14:29:05 RT-AC68U S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar 14 14:37:58 RT-AC68U (unbound_manager): 11780 Starting Script Execution (menu)
Mar 14 14:43:59 RT-AC68U (unbound_manager): 11780 Starting Script Execution (menu)
Mar 14 15:31:34 RT-AC68U unbound: this should be picked up by scribeIs the '/opt/etc/syslog-ng.d/unbound' file valid?
Yes, i.e. it is just a shortcut to eliminate the tedious confirmation prompts, but unlike say the later 'sgui' option, (which only retrieves the associated GUI files) it does (currently) trundle through and refresh all Entware files etc.
L&LD
Part of the Furniture
With the fast pace of updates for unbound_manager, I am doing 'u', 'i' and only accept 'y' for the CPU and memory tweaks option for each version released lately.
I am using sgui, of course, but after doing the above I also 'y' to the fastmenu option too. This resets the cache.
Am I needlessly enabling the fastmenu option each time?
Should the fastmenu option 'y' be part of a default install?
I am using sgui, of course, but after doing the above I also 'y' to the fastmenu option too. This resets the cache.
Am I needlessly enabling the fastmenu option each time?
Should the fastmenu option 'y' be part of a default install?
SuperDuke
Regular Contributor
FWIW, I had a very similar (if not identical problem) when I set ExpressVPN. In my case, I only set one client to access via VPN, but when I started/stopped as you did, that one client (this laptop) failed to connect. Nothing I did to tweak made any difference. Certainly weird....I never did figure out what the issue was.....how's that for an unhelpful post!
D
Deleted member 62525
Guest
FWIW, I had a very similar (if not identical problem) when I set ExpressVPN. In my case, I only set one client to access via VPN, but when I started/stopped as you did, that one client (this laptop) failed to connect. Nothing I did to tweak made any difference. Certainly weird....I never did figure out what the issue was.....how's that for an unhelpful post!
I will try to uninstall Unbound and repeat the scenario. I want to make sure it’s not related to Unbound.
bluzfanmr1
Senior Member
I reinstalled and got the following:
It doesn't seem to have broken anything but thought I'd post this to check.
Code:
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
error: SSL handshake failed
1075130368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
Shutting down unbound... done.
Starting unbound... done.
Please wait for up to 10 seconds for status.....unbound OK
Manual install unbound Customisation complete 1 minutes and 24 seconds elapsed - Please wait for up to 10 seconds for status.....
Installation of unbound completedIt doesn't seem to have broken anything but thought I'd post this to check.
Martineau
Part of the Furniture
Sorry, 'fastmenu' doesn't reset the cache when I try it?
It depends on how much time you spend using the 'unbound_manager' interface/menu commands, as after a while I personally find the slow menu redraw tedious.Should the fastmenu option 'y' be part of a default install?
Am I needlessly enabling the fastmenu option each time?
So for most, I suspect having LAN SSL ENABLED as the default is probably the best choice.
However, you can of course use the 'unbound.postconf' script to ensure 'fastmenu' is always enabled for you by default:
/opt/share/unbound/configs/unbound.postconf
Code:
#!/bin/sh
CONFIG=$1
POS="$(grep -Enw "[[:space:]]*server:" $CONFIG | cut -d':' -f1)"
MATCH="control-use-cert:";sed -i "$POS,$ {/#[[:space:]]*$MATCH/ s/#//1}" $CONFIG # Enable 'fastmenu'
logger -t "($(basename "$0"))" "$$ unbound-control FAST response ENABLED (LAN SSL validation removed)"L&LD
Part of the Furniture
@Martineau it seems like fastmenu does reset the cache at least for me. But I will pay closer attention next time to see which in-between step actually does that on the routers I update consistently.
Thank you for the additional options of having the unbound.postconf script available and I do agree LAN SSL Enabled should probably be the default too.
Thank you for the additional options of having the unbound.postconf script available and I do agree LAN SSL Enabled should probably be the default too.
juched
Very Senior Member
I had to change the syslog-ng config for unbound to be this:
Code:
filter f_unbound {
program("unbound") or
program("gen_adblock");
};Now my script outputs to the same log.
I am ready to push an update, but need a recommendation. Stay with "restart" or change to "reload"? reload is faster, but both reset caches.
Yes, aware of the shortcut, but if I want want to keep firefox_doh enabled, or CPU tweaks, do I need to remember to enter in more numbers like "i 3 5 6" or if I type "i 3" will it just install adblock and leave the other settings?
It is my guess that it would loose other settings from what I see. Would be great to have a command to re-install the same settings with the latest. Also, with the ability to add to the .conf file with post file etc, backing up and restoring the original isn't really that imporatant anymore I would guess.
Martineau
Part of the Furniture
bluzfanmr1
Senior Member
Apologies as I missed the posts with that error.
Unbound was already installed. I had been experimenting with the unbound.conf file and wanted to go back to the default.
My unsolicited opinion on this is that SSL certs are superfluous in this config because the unbound.conf is configured to only listen for remote control on 127.0.0.1. So if you can only reach it from the local router, there is no need to trust anyone with a cert (where all the keys are available in the unbound directory anyway). If you’re also listening on the LAN interface, then trust becomes an issue and certs are a good idea.
Centrifuge
Senior Member
Never used it. I notice that logorotate runs at the time in question.
Code:
12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache #root_servers#
0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#
*/10 * * * * /jffs/scripts/ntpmerlin generate #ntpMerlin#
59 * * * * /jffs/addons/unbound/unbound_stats.sh generate #Unbound_Stats.sh#
5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf >> /opt/tmp/logrotate.daily 2>&1 #logrotate#
*/2 * * * * /etc/openvpn/server1/vpns-watchdog1.sh #CheckVPNServer1#
*/2 * * * * /etc/openvpn/server2/vpns-watchdog2.sh #CheckVPNServer2#
0 * * * * /jffs/scripts/uiDivStats generate #uiDivStats#
*/5 * * * * /jffs/scripts/connmon generate #connmon#
25 4 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
25 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
40 */12 * * * sh /jffs/scripts/firewall debug genstats #Skynet_genstats#
00 2 * * Mon sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
20 5 * * * sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#
30 1 * * Mon sh /opt/share/diversion/file/stats.div #Diversion_WeeklyStats#It’s there in the second line.
Use:
Code:
cru d adblockSimilar threads
Similar threads
Similar threads
-
Unbound Force all DNS requests through Unbound using iptables?- Started by muffintastic
- Replies: 14
-
-
-
-
-
-
Is it possible to use nord dns with unbound or any way to add it?- Started by Jack-Sparr0w
- Replies: 9
-
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-