What's new

Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

As I understand, unbound is asking the root-servers for names. (and then caching it)
Can I configure unbound in a way, that it is asking 1.1.1.1 and/or 1.0.0.1 with DoT instead?
 
Last edited:
@Martineau, what do you think? Would a reload suffice? I think so, but would that cause a problem if I changed to use "unbound-control reload" during the install?

From my quick testing, a reload still causes a hit percentage to drop, and the cache file to drop in size. So, until we can confirm it is best to stay with restart.
I pushed a v2.17 Hofix earlier (md5=e28cdca3082aee5bda4b51b411b64e79), to correct the 'unbound_manager reload config=' feature.

I have been using my hacked version of 'gen_adblock.sh' v1.04
Code:
Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}

#echo "Restarting Unbound DNS server...";SayT "Restarting Unbound DNS server..."   # Martineau Hack

#/jffs/addons/unbound/unbound_manager.sh restart
Say "Reloading unbound config..."              # Martineau Hack
if [ -n "$(pidof unbound)" ];then                                                  # Martineau Hack
   /jffs/addons/unbound/unbound_manager.sh reload config=/opt/var/lib/unbound/unbound.conf
else
   Say "Warning unbound NOT running"
fi
#echo "Adblock update complete!"
Say "Adblock update complete!"                 # Martineau Hack

Code:
sh /opt/var/lib/unbound/adblock/gen_adblock.sh

(gen_adblock.sh): 21981 Ad Block v1.0.4 update starting.....

 Number of adblocked (ads/malware/tracker) and blacklisted domains: 51543
 Last updated: Sat Mar 14 13:26:21 2020
Removing possible temporary files..
Attempting to Download https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
######################################################################## 100.0%
Downloading User Allow List...
Combining User Custom block host...
Filtering user requested domains from adblock list...
Filtering required domains from adblock list...
Removing unnecessary formatting from the domain list...
51543 domains compiled
Generating Unbound adlist.....
Removing temporary files...
(gen_adblock.sh): 21981 Reloading unbound config...


Reloading 'unbound.conf' <<== /opt/var/lib/unbound/unbound.conf status=ok

(gen_adblock.sh): 21981 Adblock update complete!

and in Syslog...just in case unbound isn't UP and as confirmation that the Ad Block cron job did actually run!

Mar 14 13:53:05 RT-AC68U (gen_adblock.sh): 23622 Ad Block v1.0.4 update starting.....
Mar 14 13:53:16 RT-AC68U (gen_adblock.sh): 23622 Reloading unbound config...
Mar 14 13:53:20 RT-AC68U (gen_adblock.sh): 23622 Adblock update complete!
I hadn't noticed the drop in cache size, but if this is the case then I'll Hotfix 'unbound_manager' to save/restore the cache either side of the reload.

EDIT: Updated to v1.05 using command
Code:
e  = Exit Script

A:Option ==> i 3

Code:
 _____   _ _   _         _  
|  _  |_| | |_| |___ ___| |_
|     | . | . | | . |  _| '_|
|__|__|___|___|_|___|___|_,_|
 @juched - v1.0.5 - Thanks to @SomeWhereOverTheRainBow

Removing possible temporary files..
Downloading list(s) from block site(s) configured...
Attempting to Download 1 of 4 from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts.
######################################################################## 100.0%
Attempting to Download 2 of 4 from #https://hosts-file.net/ad_servers.txt.
curl: (3) URL using bad/illegal format or missing URL
Attempting to Download 3 of 4 from #https://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext.
curl: (3) URL using bad/illegal format or missing URL
Downloading list(s) from allow site(s) configured...
Adding user requested hosts to list...
Removing user requested hosts from list...
Removing required hosts from list...
Removing unnecessary formatting from the domain list...
Generating Unbound adlist.....
Number of adblocked hosts: 51545
Removing temporary files...
Restarting Unbound DNS server...

So I think this hack is very useful ;)
Code:
          for url in $(echo $line); do
              [ "${url:0:1}" == "#" ] && continue       # Martineau Hack
              echo "Attempting to Download $url"
              curl --progress-bar $url | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $NF}' | grep -v '^\\' | grep -v '\\$'| sort >> $list
              dos2unix $list
          done
 
Last edited:
I pushed a v2.17 Hofix earlier (md5=e28cdca3082aee5bda4b51b411b64e79), to correct the 'unbound_manager reload config=' feature.

I have been using my hacked version of 'gen_adblock.sh' v1.04

Great suggestions, I am incorporating and playing with reload.

Is there a change that can get the gen_adblock.sh output into the unbound logger, so they show up in the scribe bucket with unbound?

--- edit ---

I can confirm that the reload resets all the stats, extended stats, etc. This impacts the cache hit precentage as well as after reload the size of the in memory cache drops.

So, not sure this is really better than restart for saving performance.
 
Last edited:
Is there a change that can get the gen_adblock.sh output into the unbound logger, so they show up in the scribe bucket with unbound?

Use 'logger' rather than 'echo'
Code:
logger -t "unbound" "this should be picked up by scribe"
I can confirm that the reload resets all the stats, extended stats, etc. This impacts the cache hit precentage as well as after reload the size of the in memory cache drops.

Yup, whilst there is nothing we can do to retain the stats, perhaps we should always read the docs for the unbound-control utility

upload_2020-3-14_14-49-27.png


I've pushed v2.17 Hotfix

Version=2.17
Github md5=e5e05e28d6428f3cf7ddf6da359a0e8b​

So Ad Block users should use
Code:
e  = Exit Script

A:Option ==> i 3
 
I am not sure if this is related to Unbound but here it goes. When trying to implement vpnclient failover, once I switch to any vpnclient other than #1 in the gui interface all my network clients loose access to the web. For testing purposes I do things manually at this point. The vpnclient1 and vpnclient2 are configured exactly the same including access policies. VPN DNS is set to disabled in both.

I use NordVPN and have vpnclient1 connect auto on boot. That always work and no issues. When I manually turn off vpnclient1
and turn on vpnclient2 I get the Nord IP in the gui so I know it has connected and routing tables have been set. At that point I can SSH to the router invoke unbound_manager and perform dig commands and they work fine. Problem is that browser access for clients is disabled and I am unable to go to any site.

If I switch back to vpnclient1 everything starts to work again. Nothing is showing in the log files. When I switched to vpnclient2 I tried restarting Unbound and that did not help. I don't know what else I can do to find the issue. I also tried to change VPN DNS setting to Relaxed and it did not make a difference. I tried to set WAN DNS to Automatic and remove DoT servers. That also did not make a difference.

Update.
I configured vpnclient1 and vpnclient2 with the same NordVPN server and configuration.
What is interesting is that only vpnclient1 works. If I switch to vpnclient2 browser connectivity stops. So in my view this is not a configuration issue or NordVPN server since they are the same.

I am on fw 384.15 and at this point I am wondering if I have hit the bug with the firmware.

Update.

Did a router reset, reconfigured manually all settings (no jffs). Configured 2 separate vpnclients.
Perform test manually switching between vpnclient1 and vpnclient2. Does NOT work.
Only vpnclient1 works. We know that this is a firmware issue. I will raise is as a bug.
 

Attachments

  • Screen Shot 2020-03-14 at 8.54.33 AM.jpg
    Screen Shot 2020-03-14 at 8.54.33 AM.jpg
    23.1 KB · Views: 134
  • Screen Shot 2020-03-14 at 9.24.25 AM.jpg
    Screen Shot 2020-03-14 at 9.24.25 AM.jpg
    45.2 KB · Views: 135
Last edited by a moderator:
Use 'logger' rather than 'echo'
Code:
logger -t "unbound" "this should be picked up by scribe"


Yup, whilst there is nothing we can do to retain the stats, perhaps we should always read the docs for the unbound-control utility

View attachment 21914

I've pushed v2.17 Hotfix

Version=2.17
Github md5=e5e05e28d6428f3cf7ddf6da359a0e8b​

So Ad Block users should use
Code:
e  = Exit Script

A:Option ==> i 3

Good catch on the docs [emoji12]

I am using logger but it shows up in message and not unbound section. That is the question. Perhaps a change to the syslog config file for unbound logs is needed to include it.

So, if you run “i 3” it only does the install for adblock and leave the rest as is?

Thx
 
Good catch on the docs [emoji12]

I am using logger but it shows up in message and not unbound section. That is the question. Perhaps a change to the syslog config file for unbound logs is needed to include it.

It works for me...
Code:
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.000000    0.000001 13
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.000256    0.000512 1
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.002048    0.004096 1
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.004096    0.008192 9
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.008192    0.016384 20
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.016384    0.032768 20
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.032768    0.065536 32
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.065536    0.131072 28
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.131072    0.262144 13
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.262144    0.524288 13
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    0.524288    1.000000 9
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    1.000000    2.000000 2
Mar 14 14:11:52 RT-AC68U unbound: [18530:0] info:    2.000000    4.000000 2
Mar 14 14:26:28 RT-AC68U (unbound_manager.sh): 6867 Starting Script Execution (restart)
Mar 14 14:26:31 RT-AC68U S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar 14 14:26:41 RT-AC68U (unbound_manager): 7293 Starting Script Execution (menu)
Mar 14 14:28:15 RT-AC68U (unbound_manager.sh): 11269 Starting Script Execution (restart)
Mar 14 14:28:18 RT-AC68U S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar 14 14:28:49 RT-AC68U (unbound_manager): 11780 Starting Script Execution (menu)
Mar 14 14:29:05 RT-AC68U S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar 14 14:37:58 RT-AC68U (unbound_manager): 11780 Starting Script Execution (menu)
Mar 14 14:43:59 RT-AC68U (unbound_manager): 11780 Starting Script Execution (menu)
Mar 14 15:31:34 RT-AC68U unbound: this should be picked up by scribe

Is the '/opt/etc/syslog-ng.d/unbound' file valid?
So, if you run “i 3” it only does the install for adblock and leave the rest as is?
Yes, i.e. it is just a shortcut to eliminate the tedious confirmation prompts, but unlike say the later 'sgui' option, (which only retrieves the associated GUI files) it does (currently) trundle through and refresh all Entware files etc.
 
With the fast pace of updates for unbound_manager, I am doing 'u', 'i' and only accept 'y' for the CPU and memory tweaks option for each version released lately.

I am using sgui, of course, but after doing the above I also 'y' to the fastmenu option too. This resets the cache.

Am I needlessly enabling the fastmenu option each time? :)

Should the fastmenu option 'y' be part of a default install? :)
 
I am not sure if this is related to Unbound but here it goes. When trying to implement vpnclient failover, once I switch to any vpnclient other than #1 in the gui interface all my network clients loose access to the web. For testing purposes I do things manually at this point. The vpnclient1 and vpnclient2 are configured exactly the same including access policies. VPN DNS is set to disabled in both.

I use NordVPN and have vpnclient1 connect auto on boot. That always work and no issues. When I manually turn off vpnclient1
and turn on vpnclient2 I get the Nord IP in the gui so I know it has connected and routing tables have been set. At that point I can SSH to the router invoke unbound_manager and perform dig commands and they work fine. Problem is that browser access for clients is disabled and I am unable to go to any site.

If I switch back to vpnclient1 everything starts to work again. Nothing is showing in the log files. When I switched to vpnclient2 I tried restarting Unbound and that did not help. I don't know what else I can do to find the issue. I also tried to change VPN DNS setting to Relaxed and it did not make a difference. I tried to set WAN DNS to Automatic and remove DoT servers. That also did not make a difference.

Update.
I configured vpnclient1 and vpnclient2 with the same NordVPN server and configuration.
What is interesting is that only vpnclient1 works. If I switch to vpnclient2 browser connectivity stops. So in my view this is not a configuration issue or NordVPN server since they are the same.

I am on fw 384.15 and at this point I am wondering if I have hit the bug with the firmware.

FWIW, I had a very similar (if not identical problem) when I set ExpressVPN. In my case, I only set one client to access via VPN, but when I started/stopped as you did, that one client (this laptop) failed to connect. Nothing I did to tweak made any difference. Certainly weird....I never did figure out what the issue was.....how's that for an unhelpful post! :p
 
FWIW, I had a very similar (if not identical problem) when I set ExpressVPN. In my case, I only set one client to access via VPN, but when I started/stopped as you did, that one client (this laptop) failed to connect. Nothing I did to tweak made any difference. Certainly weird....I never did figure out what the issue was.....how's that for an unhelpful post! :p

I will try to uninstall Unbound and repeat the scenario. I want to make sure it’s not related to Unbound.
 
I reinstalled and got the following:

Code:
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

error: SSL handshake failed
1075130368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
 Shutting down unbound...              done.
 Starting unbound...              done.

Please wait for up to 10 seconds for status.....unbound OK

Manual install unbound Customisation complete 1 minutes and 24 seconds elapsed - Please wait for up to 10 seconds for status.....


    Installation of unbound completed

It doesn't seem to have broken anything but thought I'd post this to check.
 
With the fast pace of updates for unbound_manager, I am doing 'u', 'i' and only accept 'y' for the CPU and memory tweaks option for each version released lately.

I am using sgui, of course, but after doing the above I also 'y' to the fastmenu option too.

This resets the cache.
Sorry, 'fastmenu' doesn't reset the cache when I try it? :confused:
Should the fastmenu option 'y' be part of a default install? :)
Am I needlessly enabling the fastmenu option each time? :)
It depends on how much time you spend using the 'unbound_manager' interface/menu commands, as after a while I personally find the slow menu redraw tedious.

So for most, I suspect having LAN SSL ENABLED as the default is probably the best choice.

However, you can of course use the 'unbound.postconf' script to ensure 'fastmenu' is always enabled for you by default:

/opt/share/unbound/configs/unbound.postconf
Code:
#!/bin/sh

CONFIG=$1

POS="$(grep -Enw "[[:space:]]*server:" $CONFIG | cut -d':' -f1)"

MATCH="control-use-cert:";sed -i "$POS,$ {/#[[:space:]]*$MATCH/ s/#//1}" $CONFIG     # Enable 'fastmenu'

logger -t "($(basename "$0"))" "$$ unbound-control FAST response ENABLED (LAN SSL validation removed)"
 
@Martineau it seems like fastmenu does reset the cache at least for me. But I will pay closer attention next time to see which in-between step actually does that on the routers I update consistently.

Thank you for the additional options of having the unbound.postconf script available and I do agree LAN SSL Enabled should probably be the default too. :)
 
It works for me...
Is the '/opt/etc/syslog-ng.d/unbound' file valid?

I had to change the syslog-ng config for unbound to be this:
Code:
filter f_unbound {                                                                                                                                                             
    program("unbound") or                                                                                                                                                     
    program("gen_adblock");                                                                                                                                                   
};

Now my script outputs to the same log.

I am ready to push an update, but need a recommendation. Stay with "restart" or change to "reload"? reload is faster, but both reset caches.

Yes, i.e. it is just a shortcut to eliminate the tedious confirmation prompts, but unlike say the later 'sgui' option, (which only retrieves the associated GUI files) it does (currently) trundle through and refresh all Entware files etc.

Yes, aware of the shortcut, but if I want want to keep firefox_doh enabled, or CPU tweaks, do I need to remember to enter in more numbers like "i 3 5 6" or if I type "i 3" will it just install adblock and leave the other settings?

It is my guess that it would loose other settings from what I see. Would be great to have a command to re-install the same settings with the latest. Also, with the ability to add to the .conf file with post file etc, backing up and restoring the original isn't really that imporatant anymore I would guess.
 
I reinstalled and got the following:

Code:
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

error: SSL handshake failed
1075130368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
 Shutting down unbound...              done.
 Starting unbound...              done.

Please wait for up to 10 seconds for status.....unbound OK

Manual install unbound Customisation complete 1 minutes and 24 seconds elapsed - Please wait for up to 10 seconds for status.....


    Installation of unbound completed

It doesn't seem to have broken anything but thought I'd post this to check.
see this

P.S. Was this a first install?, or was unbound already installed?
 
see this

P.S. Was this a first install?, or was unbound already installed?

Apologies as I missed the posts with that error.

Unbound was already installed. I had been experimenting with the unbound.conf file and wanted to go back to the default.
 
So for most, I suspect having LAN SSL ENABLED as the default is probably the best choice.
My unsolicited opinion on this is that SSL certs are superfluous in this config because the unbound.conf is configured to only listen for remote control on 127.0.0.1. So if you can only reach it from the local router, there is no need to trust anyone with a cert (where all the keys are available in the unbound directory anyway). If you’re also listening on the LAN interface, then trust becomes an issue and certs are a good idea.
 
Maybe the cron job is still there?
Never used it. I notice that logorotate runs at the time in question.
Code:
12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache #root_servers#
 0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#
 */10 * * * * /jffs/scripts/ntpmerlin generate #ntpMerlin#
 59 * * * * /jffs/addons/unbound/unbound_stats.sh generate #Unbound_Stats.sh#
 5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf >> /opt/tmp/logrotate.daily 2>&1 #logrotate#
 */2 * * * * /etc/openvpn/server1/vpns-watchdog1.sh #CheckVPNServer1#
 */2 * * * * /etc/openvpn/server2/vpns-watchdog2.sh #CheckVPNServer2#
 0 * * * * /jffs/scripts/uiDivStats generate #uiDivStats#
 */5 * * * * /jffs/scripts/connmon generate #connmon#
 25 4 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
 25 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
 0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
 40 */12 * * * sh /jffs/scripts/firewall debug genstats #Skynet_genstats#
 00 2 * * Mon sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
 20 5 * * * sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
 20 17 * * * diversion count_ads count #Diversion_CountAds#
 30 1 * * Mon sh /opt/share/diversion/file/stats.div #Diversion_WeeklyStats#
 
Never used it. I notice that logorotate runs at the time in question.
Code:
12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache #root_servers#
 0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#
 */10 * * * * /jffs/scripts/ntpmerlin generate #ntpMerlin#
 59 * * * * /jffs/addons/unbound/unbound_stats.sh generate #Unbound_Stats.sh#
 5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf >> /opt/tmp/logrotate.daily 2>&1 #logrotate#
 */2 * * * * /etc/openvpn/server1/vpns-watchdog1.sh #CheckVPNServer1#
 */2 * * * * /etc/openvpn/server2/vpns-watchdog2.sh #CheckVPNServer2#
 0 * * * * /jffs/scripts/uiDivStats generate #uiDivStats#
 */5 * * * * /jffs/scripts/connmon generate #connmon#
 25 4 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
 25 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
 0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
 40 */12 * * * sh /jffs/scripts/firewall debug genstats #Skynet_genstats#
 00 2 * * Mon sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
 20 5 * * * sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
 20 17 * * * diversion count_ads count #Diversion_CountAds#
 30 1 * * Mon sh /opt/share/diversion/file/stats.div #Diversion_WeeklyStats#
It’s there in the second line. :confused: Use:
Code:
cru d adblock
And remove it from /jffs/scripts/services-start
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top