Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[juched]

I don't think @juched has copied his script from his GitHub dev area

Try

e  = Exit Script

A:Option ==> firewall dev

Just merged to master.

Enjoy!

 

[Martineau]

Just merged to master.

Enjoy!

Thanks,

I can now push a v3.02 Hotfix to allow access to the feature from the 'Easy' menu mode.

unbound (pid 6165) is running... uptime: 0 Days, 00:00:15 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Mon Apr 13 09:54:04 DST 2020)

u = Push to Github PENDING for (Minor Hotfix) unbound_manager update >>>>  v3.02

1  = Update unbound files and configuration      
2  = Remove unbound/unbound_manager      
3  = Stop unbound      
4  = Show unbound statistics      
5  = Uninstall Ad and Tracker blocker (Ad Block)      
6  = Uninstall Graphical Statistics GUI Add-on TAB      
7  = Enable DNS Firewall      

?  = About Configuration      
v  = View ('/opt/var/lib/unbound/'unbound.conf)      

e  = Exit Script

E:Press desired Option key (no ENTER key reqd.) Option ==>

 

[L&LD]

@Martineau, I must say I've gotten a bit confused with the Easy and Advanced menus? I don't know why they both exist?

I don't know which one I'm on right now, but there is no option 7 available (and if I press '7', it says to enter a valid option.

Since the available commands don't show on the default menu now (can't type anything longer than a single character without it 'executing'), this is even more confusing, at least for me.

Could the first post be updated with the new features/commands? Thank you!

Otherwise, unbound works as it always has. Brilliantly!

 

[SomeWhereOverTheRainBow]

Agree. if you check out the dev branch you will see I have made this into a more fully-fledged script with install/uninstall and download commands. I plan to merge this into the master once I can review it with @Martineau. But with this format it follows the exact same pattern as unbound_stats.sh, so install/uninstall and it will keep up to date automatically and keep working after reboot.

nice cleanup

 

[SomeWhereOverTheRainBow]

You don't need a RPI.
That was easier than I thought, and it's fast as hell!
I just edited the WireGuard config, to point to 192.168.1.1 DNS (instead of 1.1.1.1).
Now, I'm using my router (which is running unbound) as DNS, and Cloudflare WARP on my Windows 10 PC.
And I benefit from Diversion adblocking again.
Keywords to find this again: How to use WireGuard and unbound. And read this.

well Warp is just another platform for you to use the information highway to cloudflare, but i am glad you figured out how to get your unbound shared through wireguard.

 

[JGrana]

I look forward to the update. BTW, for Hotfix do you append an "H"? Revision it 3.02.1?
Any indication that it is not the first 3.02?

Thanks

 

[Martineau]

@Martineau, I must say I've gotten a bit confused with the Easy and Advanced menus? I don't know why they both exist?

I don't know which one I'm on right now, but there is no option 7 available (and if I press '7', it says to enter a valid option.

Since the available commands don't show on the default menu now (can't type anything longer than a single character without it 'executing'), this is even more confusing, at least for me.

Could the first post be updated with the new features/commands? Thank you!

Otherwise, unbound works as it always has. Brilliantly!

From day one I acknowledged that skill levels vastly differ, but having two menu options seemed a good idea at the time, but a couple of users complained that the 'Advanced' menu was far too confusing, so too was the original 'Easy' menu …...go figure

'Easy' menu mode redesigned (from v1.xx) which is the default when invoked from amtm

1  = Update unbound files and configuration   
2  = Remove unbound/unbound_manager   
3  = Stop unbound   
4  = Show unbound statistics   
5  = Install Ad and Tracker blocker (Ad Block)   
6  = Uninstall Graphical Statistics GUI Add-on TAB   
7  = Disable DNS Firewall   

?  = About Configuration   
v  = View ('/opt/var/lib/unbound/'unbound.conf)   

e  = Exit Script

E:Press desired Option key (no ENTER key reqd.) Option ==>

and the command prompt is prefixed with 'E:' for Easy also note the prompt states only a single key press required.

'Advanced' menu mode with access to the the 'Advanced Tools' menu

i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound log entries (lo=Enable Logging)
z  = Remove unbound/unbound_manager                                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit)
3  = Advanced Tools                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                               oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)      s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user4.asp)

e  = Exit Script

A:Option ==>

and the command prompt is prefixed with 'A:' for ….. etc.

I am still deliberating whether to push the Hotfix to allow novice users access to the 'DNS firewall' feature - after all unbound v1.10.0 only became available on ASUS routers 3 days ago.

So whilst RPZ has been around for a while and used in DNS (e.g. BIND etc.) on other platforms, the rest of the world has probably 6 extra weeks to play with RPZ using unbound v1.10.0.

I naively assumed that advanced users would be able to tolerate teething issues, and be able to work-around issues as shown with the recent borked Entware unbound library fiasco yet some IT pros seem to struggle?

So no, at the moment there isn't an option '7' but 'Easy' option '1' has been around since the v1.xx days, even though recently you tried to point out that that option didn't exist as you haven't read the GitHub which I try to keep up to date - but the coding gets in the way.

Apologies if my script is too confusing for you, but fortunately that's why the forum exists.

Regards,

 

[juched]

From day one I acknowledged that skill levels vastly differ, but having two menu options seemed a good idea at the time, but a couple of users complained that the 'Advanced' menu was far too confusing, so too was the original 'Easy' menu …...go figure

'Easy' menu mode redesigned (from v1.xx) which is the default when invoked from amtm

1  = Update unbound files and configuration  
2  = Remove unbound/unbound_manager  
3  = Stop unbound  
4  = Show unbound statistics  
5  = Install Ad and Tracker blocker (Ad Block)  
6  = Uninstall Graphical Statistics GUI Add-on TAB  
7  = Disable DNS Firewall  

?  = About Configuration  
v  = View ('/opt/var/lib/unbound/'unbound.conf)  

e  = Exit Script

E:Press desired Option key (no ENTER key reqd.) Option ==>

and the command prompt is prefixed with 'E:' for Easy also note the prompt states only a single key press required.

'Advanced' menu mode with access to the the 'Advanced Tools' menu

i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound log entries (lo=Enable Logging)
z  = Remove unbound/unbound_manager                                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit)
3  = Advanced Tools                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                               oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)      s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user4.asp)

e  = Exit Script

A:Option ==>

and the command prompt is prefixed with 'A:' for ….. etc.

I am still deliberating whether to push the Hotfix to allow novice users access to the 'DNS firewall' feature - after all unbound v1.10.0 only became available on ASUS routers 3 days ago.

So whilst RPZ has been around for a while and used in DNS (e.g. BIND etc.) on other platforms, the rest of the world has probably 6 extra weeks to play with RPZ using unbound v1.10.0.

I naively assumed that advanced users would be able to tolerate teething issues, and be able to work-around issues as shown with the recent borked Entware unbound library fiasco yet some IT pros seem to struggle?

So no, at the moment there isn't an option '7' but 'Easy' option '1' has been around since the v1.xx days, even though recently you tried to point out that that option didn't exist as you haven't read the GitHub which I try to keep up to date - but the coding gets in the way.

Apologies if my script is too confusing for you, but fortunately that's why the forum exists.

Regards,

Thanks for sharing. It can be a hard balance to strike between getting new features and advanced items, and supporting the set it and forget it mode too. This is a good attempt to balance it.

In Easy mode, if you do a "1" to install updates, does it re-apply (and download the latest) scripts for Stats, adblock and scribe integration? Or will people need to re-run those tool each time? Just trying to set expectations for myself (and others).

I am considering making a conf.add file with the features I want always enabled, like use-syslog, log-replies, rpz config, etc. This way I do not need to worry about re-running those commands.

Also, in easy mode... not having to hit enter may be a bit too easy Do other scripts operation that way? I haven't see any, but I haven't used them all.

 

[SomeWhereOverTheRainBow]

My unbound went awol on reinstall

 

[SomeWhereOverTheRainBow]

Known Issues

Issue: Sev4 v2.06 Typo reported Thanks to @L&LD
Fixed: 7th Feb. 2020 Simply rerun v2.06 'i = Update unbound configuration' to retrieve 'unbound.conf' v1.03 Hotfix

Issue: 10th Apr. 2020. Upgrade from unbound v1.96.0 to v1.10.0 fails. (Entware borked)
Fixed: issue or if the one-line command doesn't work see instructions

opkg remove --force-depends libunbound

then 'i = Update unbound configuration'​

this fixed the issue

 

[L&LD]

@Martineau, I appreciate the reply. And I apologize for my easily-triggered and continued confusion.

For myself, 'easy' is seeing all available options (and even better, a description of each).

Can I suggest a switch between 'Easy' and 'Advanced' modes? And to make the selected mode stick, regardless of how unbound_manager is launched?

Right now, the GitHub shows that 'easy' and 'advanced' can be used to switch between the two modes if I'm understanding it correctly.

https://github.com/MartineauUK/Unbo...-the-commandline-the-default-is-advanced-mode

or you can quickly change modes at the option prompt

e = Exit Script

E:Option ==> [ easy | advanced ]

However, that is not possible when in Easy mode (because of the single character 'actionable' method it uses to execute menu commands).

For myself, Advanced mode is the simpler mode when you want more control over what happens. I would vote to kill Easy mode and possibly make your coding life easier too.

Please don't let this post frustrate you from a script-illiterate user. Just hoping I'm giving some useful feedback that may help not just myself, but others too.

And thank you for updating the first post. Fyi, there is a missing attachment though, '21263'.

 

[SomeWhereOverTheRainBow]

From day one I acknowledged that skill levels vastly differ, but having two menu options seemed a good idea at the time, but a couple of users complained that the 'Advanced' menu was far too confusing, so too was the original 'Easy' menu …...go figure

'Easy' menu mode redesigned (from v1.xx) which is the default when invoked from amtm

1  = Update unbound files and configuration
2  = Remove unbound/unbound_manager
3  = Stop unbound
4  = Show unbound statistics
5  = Install Ad and Tracker blocker (Ad Block)
6  = Uninstall Graphical Statistics GUI Add-on TAB
7  = Disable DNS Firewall

?  = About Configuration
v  = View ('/opt/var/lib/unbound/'unbound.conf)

e  = Exit Script

E:Press desired Option key (no ENTER key reqd.) Option ==>

and the command prompt is prefixed with 'E:' for Easy also note the prompt states only a single key press required.

'Advanced' menu mode with access to the the 'Advanced Tools' menu

i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound log entries (lo=Enable Logging)
z  = Remove unbound/unbound_manager                                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit)
3  = Advanced Tools                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                               oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)      s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user4.asp)

e  = Exit Script

A:Option ==>

and the command prompt is prefixed with 'A:' for ….. etc.

I am still deliberating whether to push the Hotfix to allow novice users access to the 'DNS firewall' feature - after all unbound v1.10.0 only became available on ASUS routers 3 days ago.

So whilst RPZ has been around for a while and used in DNS (e.g. BIND etc.) on other platforms, the rest of the world has probably 6 extra weeks to play with RPZ using unbound v1.10.0.

I naively assumed that advanced users would be able to tolerate teething issues, and be able to work-around issues as shown with the recent borked Entware unbound library fiasco yet some IT pros seem to struggle?

So no, at the moment there isn't an option '7' but 'Easy' option '1' has been around since the v1.xx days, even though recently you tried to point out that that option didn't exist as you haven't read the GitHub which I try to keep up to date - but the coding gets in the way.

Apologies if my script is too confusing for you, but fortunately that's why the forum exists.

Regards,

the one thing i can say i liked was the ability to edit the .conf without having to exit out of everything, go back to blank ssh terminal, then nano all the way to the .conf file, then re open the terminal again.

 

[juched]

@Martineau, I appreciate the reply. And I apologize for my easily-triggered and continued confusion.

For myself, 'easy' is seeing all available options (and even better, a description of each).

Can I suggest a switch between 'Easy' and 'Advanced' modes? And to make the selected mode stick, regardless of how unbound_manager is launched?

Right now, the GitHub shows that 'easy' and 'advanced' can be used to switch between the two modes if I'm understanding it correctly.

https://github.com/MartineauUK/Unbo...-the-commandline-the-default-is-advanced-mode



However, that is not possible when in Easy mode (because of the single character 'actionable' method it uses to execute menu commands).

For myself, Advanced mode is the simpler mode when you want more control over what happens. I would vote to kill Easy mode and possibly make your coding life easier too.

Please don't let this post frustrate you from a script-illiterate user. Just hoping I'm giving some useful feedback that may help not just myself, but others too.

And thank you for updating the first post. Fyi, there is a missing attachment though, '21263'.

Add this to your /jffs/configs/profile.add file:

alias uba='unbound_manager advanced'

Now you can type uba to get advanced menu.

 

[SomeWhereOverTheRainBow]

Add this to your /jffs/configs/profile.add file:

alias uba='unbound_manager advanced'

Now you can type uba to get advanced menu.

Don't tell people that!

Keep it Simple

 

[SomeWhereOverTheRainBow]

@juched
how are your test coming along with the dns firewall

 

[juched]

From day one I acknowledged that skill levels vastly differ, but having two menu options seemed a good idea at the time, but a couple of users complained that the 'Advanced' menu was far too confusing, so too was the original 'Easy' menu …...go figure

'Easy' menu mode redesigned (from v1.xx) which is the default when invoked from amtm

1  = Update unbound files and configuration
2  = Remove unbound/unbound_manager
3  = Stop unbound
4  = Show unbound statistics
5  = Install Ad and Tracker blocker (Ad Block)
6  = Uninstall Graphical Statistics GUI Add-on TAB
7  = Disable DNS Firewall

?  = About Configuration
v  = View ('/opt/var/lib/unbound/'unbound.conf)

e  = Exit Script

E:Press desired Option key (no ENTER key reqd.) Option ==>

and the command prompt is prefixed with 'E:' for Easy also note the prompt states only a single key press required.

'Advanced' menu mode with access to the the 'Advanced Tools' menu

i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound log entries (lo=Enable Logging)
z  = Remove unbound/unbound_manager                                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit)
3  = Advanced Tools                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                               oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)      s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user4.asp)

e  = Exit Script

A:Option ==>

and the command prompt is prefixed with 'A:' for ….. etc.

I am still deliberating whether to push the Hotfix to allow novice users access to the 'DNS firewall' feature - after all unbound v1.10.0 only became available on ASUS routers 3 days ago.

So whilst RPZ has been around for a while and used in DNS (e.g. BIND etc.) on other platforms, the rest of the world has probably 6 extra weeks to play with RPZ using unbound v1.10.0.

I naively assumed that advanced users would be able to tolerate teething issues, and be able to work-around issues as shown with the recent borked Entware unbound library fiasco yet some IT pros seem to struggle?

So no, at the moment there isn't an option '7' but 'Easy' option '1' has been around since the v1.xx days, even though recently you tried to point out that that option didn't exist as you haven't read the GitHub which I try to keep up to date - but the coding gets in the way.

Apologies if my script is too confusing for you, but fortunately that's why the forum exists.

Regards,

I've uploaded v3.02

Version=3.02
Github md5=b89b0ebbbc876a1e2bf743c21088fee7​

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' **Not required** if already using 'unbound.conf' v1.09

CHANGE: unbound v1.10.0 introduced RPZ aka DNS Firewall, and the 'rpz' command used in the Beta is now changed to 'firewall' to ENABLE/DISABLE to manage the feature.
        @juched's 'unbound_rpz.sh' script is now used to configure the DNS Firewall, together with a cron job
        (Retrieves the appropriate RPZ aka DNS Firewall configuration files every 15 minutes to ensure timely blocking of the most critical threats.)
        NOTE: **Available only in Advanced mode**

I moved to the latest 3.02 and set up my config again. I used the EASY menu to install with the latest CONF file 1.09. Things worked great. It remembered that GUI stats and ad block was enabled, and nothing broke. Then I switched to the advanced menu and I did "adblock" and it worked fine. Then I did "sgui extended" and it pulled from my dev branch with the extra stats and table, and it worked. It set port=0 on dnsmasq, but then failed to set the port on the unbound.conf.add. No problem, it wouldn't have been enough anyway as you do need the other lines. I think if you successfully write out the unbound.conf.add file the following lines, you will have that "dev" feature working.

/opt/share/unbound/configs/unbound.conf.add:

port: 53
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
log-replies: yes
log-local-actions: yes

Note: I only set log-replies: yes and log-local-actions: yes. No need to setup log-queries as I don't use that info, and it is just more IO and wear on the USB key, and takes up more space (as I do not flush those from the logs).

I used the "firewall" command and it seems to have downloaded and installed just fine. Will watch, but the file is correctly generated, and the corn job is there.

One other small item I see in the RPZ section. You have

url: "http://urlhaus.abuse.ch/downloads/rpz/"

from my debugging of unbound logs at a high verbosity a couple of nights ago, I see that this causes an HTTP 301 (permanently moved) code, which unbound fails on. It redirects to the HTTPS version, which currently doesn't work with unbound on that site due to the issue (https://github.com/NLnetLabs/unbound/issues/193). So, for now, even putting https in front doesn't help and just causes extra network traffic. I have tested, and for now, I would just leave URL: commented out, or remove it altogether. The file is downloaded via the RPZ script every 15 minutes and reloaded.


Finally, I saw this issue as well:
Calculated Cache Hit Percentage:
awk: cmd. line:1: Unexpected token
Adding new value to DB...
Error: near line 2: near ")": syntax error

This appears to be a non issue, just that no traffic has come through yet so it is a divide by zero. I will add in some code to skip that when I can.

 

[SomeWhereOverTheRainBow]

url: "http://urlhaus.abuse.ch/downloads/rpz/"

is this updated every 15 minutes remotely as well?

 

[juched]

is this updated every 15 minutes remotely as well?

That is the only one which is downloaded every 15.

 

[Centrifuge]

Don't tell people that!

Unless they give the secret handshake.

 

[SomeWhereOverTheRainBow]

Unless they give the secret handshake.

and know the correct password and/or knock!