Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[juched]

Some progress...

Seems the issues I am having with rpz.spamhaus.org may be due to the performance of the master server:

debug: auth zone drop.rpz.spamhaus.org. soa probe sent to 34.194.195.25

debug: auth zone drop.rpz.spamhaus.org. soa probe timeout

And the issues with rpz.urlhaus.abuse.ch is an tls cert validation issue:

error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Seems I am not the only one on the first one:
https://github.com/NLnetLabs/unbound/issues/193


--- edit ---

the probe needs to get a quick response its seems.

/** timeout for probe packets for SOA */
78#define AUTH_PROBE_TIMEOUT 100 /* msec */
79/** when to stop with SOA probes (when exponential timeouts exceed this) */
80#define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */

 

[figorr]

I have just installed unbound manager and I don’t know exactly which is the right setup.

I have turned to on the DNS FILTER. By default the Asus shows 8.8.8.8 for DNS1, DNS2 & DNS3. But I changed them to 1.1.1.1

I don’t know if these are correct or should I use other ones.

Thank you and sorry if this question had been solved before. I didn’t see it.

 

[dave14305]

I have just installed unbound manager and I don’t know exactly which is the right setup.

I have turned to on the DNS FILTER. By default the Asus shows 8.8.8.8 for DNS1, DNS2 & DNS3. But I changed them to 1.1.1.1

I don’t know if these are correct or should I use other ones.

Thank you and sorry if this question had been solved before. I didn’t see it.

Those 3 Custom choices relate to the drop down menu choices labeled Custom. You aren’t using them since you chose Router. Many people are confused by their purpose. You don’t need to change those for Unbound. Be certain no DNS is defined on the LAN DHCP server page. That could circumvent your desire to use Unbound.

 

[figorr]

Thank you @dave14305

I have just checked the LAN DHCP server and both DNS were in blank.

 

[juched]

Made a quick script until the SSL issue with unbound is figured out.

1. Download script
https://github.com/juched78/Unbound-Asuswrt-Merlin/blob/develop/unbound_rpz.sh
place in /jffs/addons/unbound/unbound_rpz.sh

2. Download rpzsites data file
https://github.com/juched78/Unbound-Asuswrt-Merlin/blob/develop/rpzsites
place it in /opt/share/unbound/configs

3. Run script once
chmod +x /jffs/addons/unbound/unbound-rpz.sh
/jffs/addons/unbound/unbound-rpz.sh

It will keep running every 15 minutes, updating with the latest RPZ and applying it without restarting unbound.

 

[Martineau]

I've uploaded v3.00 and unbound.conf v1.08

Version=3.00
Github md5=9394fa3ae2af0c1773332b162c04c0a5​

EDIT: If upgrading from v2.18 please follow instruction post #3

Use of the 'i = Update unbound Installation' **REQUIRED/RECOMMENDED**


Essentially I have revamped the original 'Easy' menu mode

Only the options that are considered appropriate for novice users are presented during the initial install.
Each option now has a recommended install description 'Recommended=YES/NO' to help remove confusion.

The 'Easy' mode menu is now dynamic, this means items are still context sensitive even more so than in the v2.18 release.

i.e. you can't 'stop' unbound if it is already DOWN so the option menu '3' will show 'start'.
Similarly, you can't install/access a feature unless unbound is UP i.e. '4 = Show statistics'
will be marked 'n/a' and 'greyed-out' if unbound is DOWN.

Although the 'Easy' menu has been renamed, the previous v2.18 options may still be used
i.e. '4' or 's' will display the statistics.

All bets are off regarding features/bugs - i.e. in the process of squashing some legacy v2.18 ones (Thanks @Toazd), I've no doubt introduced new ones.

NEW: Highlights include taking advantage of the new unbound v1.10.0 released 11th April
Optional - Implement unbound's RPZ "Firewall" feature as mentioned by @juched
Optional - (Experimental) pass DNS requests thru' VPN
Check 'unbound.conf' for duplicate directives that may result in an unexpected ambiguous configuration. (Does not validate 'include: unbound.conf.add')​

 

[Ubimo]

Thank you, the unbound menu now looks a lot simpler (for new users).
It's easier to understand what does what.

Edit:
How can we prevent that unbound is losing its cache after every (major) update? Or restart?

 

[Centrifuge]

Thank you, the unbound menu now looks a lot simpler (for new users).
It's easier to understand what is what.

Edit:
How can we prevent that unbound is losing its cache after every (major) update? Or restart?

Start here.

 

[L&LD]

I seem to have run into an issue.

Updated unbound from 2.18 to 3.00 and now it can't start at all. It even jumps out of the menu (and goes back to the prompt or to amtm) when trying from either amtm or from the prompt and shows the following error.

Not sure what to do next to fix this?

I'm sure I need to uninstall unbound_manager and start over, but I can't get to that step through normal means right now.

Edit: @Martineau (help!)

I have managed to uninstall unbound_manager by deleting the unbound.conf file.

When I use amtm to install unbound_manager again, it goes to the same problem as above.

I checked using WinSCP that the /opt/var/lib/unbound directory was removed successfully after the uninstall, is there anywhere else that I should check or manually delete any remaining unbound_manager files too?

 

[juched]

I seem to have run into an issue.

Updated unbound from 2.18 to 3.00 and now it can't start at all. It even jumps out of the menu (and goes back to the prompt or to amtm) when trying from either amtm or from the prompt and shows the following error.

View attachment 22559

Not sure what to do next to fix this?

I'm sure I need to uninstall unbound_manager and start over, but I can't get to that step through normal means right now.

Edit: @Martineau (help!)

I have managed to uninstall unbound_manager by deleting the unbound.conf file.

When I use amtm to install unbound_manager again, it goes to the same problem as above.

I checked using WinSCP that the /opt/var/lib/unbound directory was removed successfully after the uninstall, is there anywhere else that I should check or manually delete any remaining unbound_manager files too?

/jffs/addons/unbound
/opt/var/lib/unbound
/opt/share/unbound

It doesn’t like two interfaces defined. Seems one needs to be removed. How many interface lines do you see in your /opt/var/lib/unbound/unbound.conf file?

Do you have a .conf.add file?

 

[juched]

I've uploaded v3.00 and unbound.conf v1.08

Version=3.00
Github md5=9394fa3ae2af0c1773332b162c04c0a5​

Use of the 'i = Update unbound Installation' **REQUIRED/RECOMMENDED**


Essentially I have revamped the original 'Easy' menu mode

Only the options that are considered appropriate for novice users are presented during the initial install.
Each option now has a recommended install description 'Recommended=YES/NO' to help remove confusion.

The 'Easy' mode menu is now dynamic, this means items are still context sensitive even more so than in the v2.18 release.

i.e. you can't 'stop' unbound if it is already DOWN so the option menu '3' will show 'start'.
Similarly, you can't install/access a feature unless unbound is UP i.e. '4 = Show statistics'
will be marked 'n/a' and 'greyed-out' if unbound is DOWN.

Although the 'Easy' menu has been renamed, the previous v2.18 options may still be used
i.e. '4' or 's' will display the statistics.

All bets are off regarding features/bugs - i.e. in the process of squashing some legacy v2.18 ones (Thanks @Toazd), I've no doubt introduced new ones.

NEW: Highlights include taking advantage of the new unbound v1.10.0 released 11th April
Optional - Implement unbound's RPZ "Firewall" feature as mentioned by @juched
Optional - (Experimental) pass DNS requests thru' VPN
Check 'unbound.conf' for duplicate directives that may result in an unexpected ambiguous configuration. (Does not validate 'include: unbound.conf.add')​

Cool, look forward to trying it soon.

About the DNS Firewall using RPZ, that file is updated every 5 minutes, but I see it is more like every 10. They only host sites actively hosting malware and discovered in the last 48 hours. Doing an update once a a day is not a great idea for something moving that fast. I am using 15 minutes for my cron job script.

Also, you need to call unbound-control reload_auth_zone <name> to have it reload the file. I recommend doing that as well.

Once unbound fixes the https bug then unbound should keep it up to date itself and this cron isn’t needed.

I have also signed up for free access to the spamhaus DROP feed and let’s see if that can work. I think they block IPs that hit to often unless they have an account.

I am doing this all via the .conf.add. It can create duplicates of tags in the new version and not fail right?

 

[Martineau]

I seem to have run into an issue.

Updated unbound from 2.18 to 3.00 and now it can't start at all. It even jumps out of the menu (and goes back to the prompt or to amtm) when trying from either amtm or from the prompt and shows the following error.

View attachment 22559

Not sure what to do next to fix this?

I'm sure I need to uninstall unbound_manager and start over, but I can't get to that step through normal means right now.

Edit: @Martineau (help!)

I have managed to uninstall unbound_manager by deleting the unbound.conf file.

When I use amtm to install unbound_manager again, it goes to the same problem as above.

I checked using WinSCP that the /opt/var/lib/unbound directory was removed successfully after the uninstall, is there anywhere else that I should check or manually delete any remaining unbound_manager files too?

I have just pushed a Hotfix.
I have made a typo 'interfaces:' should be 'interface:' when detecting duplicates.

 

[L&LD]

@Martineau thank you! All good again.

 

[Martineau]

I am doing this all via the .conf.add. It can create duplicates of tags in the new version and not fail right?

I knew I would probably face problems trying to detect duplicates.

v3.00 should already allow duplicate 'rpx.*' statements but the Hotfix should now allow duplicate 'tags:'

 

[Martineau]

@Martineau thank you! All good again.

Do you have IPv6?

Since I only have IPv4, there has only ever been one 'interface:' statement in my 'unbound.conf'

 

[Deleted member 62525]

I've uploaded v3.00 and unbound.conf v1.08

Version=3.00
Github md5=9394fa3ae2af0c1773332b162c04c0a5​

Use of the 'i = Update unbound Installation' **REQUIRED/RECOMMENDED**


Essentially I have revamped the original 'Easy' menu mode

Only the options that are considered appropriate for novice users are presented during the initial install.
Each option now has a recommended install description 'Recommended=YES/NO' to help remove confusion.

The 'Easy' mode menu is now dynamic, this means items are still context sensitive even more so than in the v2.18 release.

i.e. you can't 'stop' unbound if it is already DOWN so the option menu '3' will show 'start'.
Similarly, you can't install/access a feature unless unbound is UP i.e. '4 = Show statistics'
will be marked 'n/a' and 'greyed-out' if unbound is DOWN.

Although the 'Easy' menu has been renamed, the previous v2.18 options may still be used
i.e. '4' or 's' will display the statistics.

All bets are off regarding features/bugs - i.e. in the process of squashing some legacy v2.18 ones (Thanks @Toazd), I've no doubt introduced new ones.

NEW: Highlights include taking advantage of the new unbound v1.10.0 released 11th April
Optional - Implement unbound's RPZ "Firewall" feature as mentioned by @juched
Optional - (Experimental) pass DNS requests thru' VPN
Check 'unbound.conf' for duplicate directives that may result in an unexpected ambiguous configuration. (Does not validate 'include: unbound.conf.add')​

Easter Egg - Thank you. The new menu looks very nice and easy to use.

 

[L&LD]

Do you have IPv6?

Since I only have IPv4, there has only ever been one 'interface:' statement in my 'unbound.conf'

Yes, I do have IPv6.

 

[L&LD]

unbound went AWOL.

This is on an RT-AC86U with no IPv6.

 

[Martineau]

About the DNS Firewall using RPZ, that file is updated every 5 minutes, but I see it is more like every 10. They only host sites actively hosting malware and discovered in the last 48 hours. Doing an update once a a day is not a great idea for something moving that fast. I am using 15 minutes for my cron job script.

Also, you need to call unbound-control reload_auth_zone <name> to have it reload the file. I recommend doing that as well.

Once unbound fixes the https bug then unbound should keep it up to date itself and this cron isn’t needed.

I have also signed up for free access to the spamhaus DROP feed and let’s see if that can work. I think they block IPs that hit to often unless they have an account.

Yes as noted in the release notes I added Experimental RPZ 'Firewall' so curious tinkerers had something new to play with over Easter - hence I purposely held back v3.00.

P.S. The RPZ 'tags:' feature would only be useful if you have disabled dnsmasq (port=0) on the LAN, so unbound see the actual IP address of the device rather than from the router?, and as you stated, not sure how much of an impact/effect this will have on the Ad Block option.

 

[SomeWhereOverTheRainBow]

unbound went AWOL.

View attachment 22561

This is on an RT-AC86U with no IPv6.