Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Additional question about the pre-reqs - how does Unbound handle DNS re-binding? For example, how do I ensure Plex resolution is OK, but block any other DNS rebind attempts?

EDIT: Answering my own question, the below in unbound.conf does rebind protection:
Code:
# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
To allow a rebind, I appear to need to use:
Code:
private-domain: plex.direct
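To make the interaction between 'private-address' and 'private-domain' concrete, here is an added Python example (not code from the thread or from unbound_manager) that reads those two directives out of an unbound.conf fragment and models unbound's rebind filter: an answer whose address falls inside a 'private-address' range is dropped unless the queried name is at or below a 'private-domain'. The config text and the queries are constructed for the example, and the filter is a simplified model of unbound's behaviour, not its actual source.

```python
import ipaddress

# Constructed unbound.conf fragment using the directives shown in the post above.
UNBOUND_CONF = """\
server:
    # RFC1918 private IP address - Protects against DNS Rebinding
    private-address: 127.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    # Plex hands out names under plex.direct that resolve to LAN addresses
    private-domain: plex.direct
"""


def parse_rebind_config(conf):
    """Return (private networks, private domains) from an unbound.conf text."""
    nets, domains = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "private-address":
            # A bare address (no prefix) is treated as a single host (/32 or /128)
            nets.append(ipaddress.ip_network(value, strict=False))
        elif key == "private-domain":
            domains.append(value.rstrip(".").lower())
    return nets, domains


def in_private_domain(qname, domains):
    """True if qname is one of the private domains or a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def answer_allowed(qname, address, nets, domains):
    """Simplified model of unbound's rebind check for one A/AAAA answer.

    Public addresses always pass. A private address passes only when the
    queried name lives under a private-domain; otherwise the record would be
    stripped from the reply (the client sees no usable answer).
    """
    ip = ipaddress.ip_address(address)
    if not any(ip in net for net in nets):
        return True
    return in_private_domain(qname, domains)


if __name__ == "__main__":
    nets, domains = parse_rebind_config(UNBOUND_CONF)
    # Constructed queries: a Plex-style name and a lookalike outside plex.direct
    for name, addr in [("1-2-3-4.abcdef.plex.direct", "192.168.1.20"),
                       ("notplex.direct", "192.168.1.20"),
                       ("www.example", "93.184.216.34")]:
        print(f"{name:32} -> {addr:16} {'allowed' if answer_allowed(name, addr, nets, domains) else 'BLOCKED'}")
```

Note that the match is by label boundary, so 'notplex.direct' is not covered by 'private-domain: plex.direct'; to whitelist another service you add its own 'private-domain:' line rather than widening the address ranges.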
 
@Martineau, 1st page is missing a donation link haha.
Is it normal that after updating the firmware or rebooting the router you have to reconfigure the unbound installation to get it working again?
As reported above, after rebooting the router my clients had no internet access. Running i = Update unbound Installation fixed the problem.
After a reboot, it seemed I had to restart unbound again by using 'rs'. I'll try to do test again later to see if it was small hiccup.
 
You should leave a real DNS server in WAN DNS. Unbound_manager will take care of pointing dns to unbound behind the scenes. I’m afraid your router won’t boot properly with your current WAN DNS settings.

Thank you that makes sense! I changed the DNS server to Quad9's address.
 
Is there a servers-file= line in your dnsmasq.conf.add?
address and server, though the server line is for Firefox (server=/use-application-dns.net/)
 
I have gotten myself confused. Do I need to disable DoT in the WAN section and add a DNS Server when using unbound?
 
I have gotten myself confused. Do I need to disable DoT in the WAN section and add a DNS Server when using unbound?
You should disable DoT only because it won't be used once Unbound is running (save your RAM). The WAN DNS server is for the router itself to resolve names, and for dnsmasq to work properly BEFORE Unbound is up and running, since Entware starts after dnsmasq is already started.
 
You should disable DoT only because it won't be used once Unbound is running (save your RAM). The WAN DNS server is for the router itself to resolve names, and for dnsmasq to work properly BEFORE Unbound is up and running, since Entware starts after dnsmasq is already started.

Thank you for the clarification.
 
Is anyone else getting non-validation errors in the non-verbose log? Doesn't appear to be a big deal...just wondering....

Feb 09 11:23:44 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. AAAA IN>: signature crypto failed from 134.91.78.139 and 134.91.78.141
Feb 09 11:23:45 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. A IN>: signature crypto failed from 134.91.78.141
 
Is anyone else getting non-validation errors in the non-verbose log? Doesn't appear to be a big deal...just wondering....

Feb 09 11:23:44 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. AAAA IN>: signature crypto failed from 134.91.78.139 and 134.91.78.141
Feb 09 11:23:45 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. A IN>: signature crypto failed from 134.91.78.141
Yes, I think it's by design of the DNSSEC test on https://www.verteiltesysteme.net/. It's supposed to fail and it must be sending an invalid crypto signature to test the strength of your DNS resolver.
 
Is anyone else getting non-validation errors in the non-verbose log?
Technically, as you are using 'verbosity: 2' (hence the 'info' prefix), you are in first-level verbose mode, which is intended to be used for actively investigating unbound issues.

Given the side effect is that the log file grows at an alarming rate, unbound_manager now defaults to 'verbosity: 1'.

Correction: By design, 'log-servfail: yes' will helpfully inject these specific 'info:' error messages even when 'verbosity: 1' is ACTIVE.

As has been stated many times referring to Syslog, there are many esoteric messages issued by tasks that appear alarming unless you are privy to their true intention/meaning. ;)
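Since the 'validation failure' lines discussed above look alarming but are expected for a deliberate DNSSEC test zone, here is an added Python example (not from the thread or from unbound_manager) that parses unbound log lines in the format quoted above and separates failures for known test zones from failures that deserve a look. The sample log text is constructed for the example (the first two lines follow the quoted entries; the 'example.invalid' line is invented to show an unexpected failure), and the allow-list of test zones is an assumption to extend with whatever you test against.

```python
import re
from collections import Counter

# Constructed sample log: two entries in the format quoted in the thread, one
# startup line that should be ignored, and one invented non-test failure.
SAMPLE_LOG = """\
Feb 09 11:23:44 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. AAAA IN>: signature crypto failed from 134.91.78.139 and 134.91.78.141
Feb 09 11:23:45 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. A IN>: signature crypto failed from 134.91.78.141
Feb 09 11:30:02 unbound[1049:0] info: start of service (unbound 1.9.6).
Feb 09 11:31:10 unbound[1049:0] info: validation failure <example.invalid. A IN>: no signatures from 192.0.2.53
"""

# Matches the 'validation failure' message shape shown above (syslog timestamp,
# unbound[pid:thread], level, <qname qtype qclass>, reason, upstream servers).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) unbound\[(?P<pid>\d+):(?P<tid>\d+)\] "
    r"(?P<level>\w+): validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<servers>.+)$"
)

# Zones that are *supposed* to fail validation; a failure here proves the
# validator is doing its job. (Assumed allow-list; extend as needed.)
EXPECTED_FAIL_ZONES = ("sigfail.verteiltesysteme.net",)


def is_expected_failure(qname):
    """True if qname is, or is under, a known deliberate DNSSEC test zone."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in EXPECTED_FAIL_ZONES)


def parse_validation_failures(text):
    """Return one dict per 'validation failure' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # unbound lists several upstreams as 'a and b' (or comma separated)
        ev["servers"] = re.split(r",\s*|\s+and\s+", ev["servers"].strip())
        ev["expected"] = is_expected_failure(ev["qname"])
        events.append(ev)
    return events


def summarize(events):
    """Count failures per qname, split into expected (test zones) and unexpected."""
    return {
        "expected": dict(Counter(e["qname"] for e in events if e["expected"])),
        "unexpected": dict(Counter(e["qname"] for e in events if not e["expected"])),
    }


if __name__ == "__main__":
    report = summarize(parse_validation_failures(SAMPLE_LOG))
    print("expected (test zones):", report["expected"])
    print("worth a look:         ", report["unexpected"])
```

Run against /opt/var/lib/unbound/unbound.log (or wherever 'lo' pointed logging), an empty "unexpected" bucket is the quick confirmation that the only SERVFAILs being logged are the deliberate ones.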
 
Technically, as you are using 'verbosity: 2' (hence the 'info' prefix), you are in first-level verbose mode, which is intended to be used for actively investigating unbound issues.
I also got this message with verbosity 1 when running that DNSSEC check. It's actually the first time I've seen a message besides startup in my log.

Also I should mention that I was sloppy when posting my "minimal config" because it included log-servfail which I had been testing to see what sites were actually going to fail DNSSEC validation, but it's by no means part of a minimal configuration. Bad on me. I still use it, but may not be for everyone if they tend to freak out over log messages.
 
@Martineau and @dave14305

Thank you sirs.....I wasn't particularly concerned as everything is functioning....if anything, it was a check to see if unbound is doing what it's supposed to be and if anyone else had similar entries....thanks as always for the clarity....always a learning opportunity
 
I also got this message with verbosity 1 when running that DNSSEC check. It's actually the first time I've seen a message besides startup in my log.

Also I should mention that I was sloppy when posting my "minimal config" because it included log-servfail which I had been testing to see what sites were actually going to fail DNSSEC validation, but it's by no means part of a minimal configuration. Bad on me. I still use it, but may not be for everyone if they tend to freak out over log messages.
Don't beat yourself up about it....you're not the first to state 'it works for me', then suddenly backtrack because (as in the classic case of 'verbosity: 1' now silently identified in ALL configs as the recommended conservative choice ;) )

So, IMHO it is a valid justification for continued use in the base config, i.e. it succinctly gives everyone a to-the-point heads-up that there may be an issue that warrants further investigation - without spamming the log with dross 'info' messages.
 
Can those of us running ntpmerlin be accounted for, please?

This nvram setting will always be no, so that ntpd from entware does not conflict with the built-in ntpd
I was looking to see if anyone else was having this issue. Having to keep changing it to keep up with the unbound updates was annoying so I removed ntpmerlin temporarily. Would like to add it back though if possible.
 
Don't beat yourself up about it....you're not the first to state 'it works for me', then suddenly backtrack because (as in the classic case of 'verbosity: 1' now silently identified in ALL configs as the recommended conservative choice ;) )

So, IMHO it is a valid justification for continued use in the base config, i.e. it succinctly gives everyone a to-the-point heads-up that there may be an issue that warrants further investigation - without spamming the log with dross 'info' messages.

It works for me.....
 
Is it normal that after updating the firmware or rebooting the router you have to reconfigure the unbound installation to get it working again?
As reported above, after rebooting the router my clients had no internet access. Running i = Update unbound Installation fixed the problem.
There is nothing in Syslog?

If it happens again, before reinstalling using 'i', does 'rs' fix the issue?

Perhaps you should set up logging 'lo', then 'vx' and set 'verbosity: 4' :eek:

Then reboot.

This may help track down your issue.

NOTE: I do experience a weird error (documented in the code) but since I never REBOOT between the numerous uninstall/reinstall cycles, when the script encounters the error, if I wait a few seconds, usually the error goes away, or I have to bite the bullet and REBOOT.

P.S. Don't forget to reset 'verbosity: 1' ;)
 
Thank you that makes sense! I changed the DNS server to Quad9's address.

Did you mean CloudFlare's DNS servers (put in both 1.1.1.1 and 1.0.0.1)? :)
 
I was looking to see if anyone else was having this issue. Having to keep changing it to keep up with the unbound updates was annoying so I removed ntpmerlin temporarily. Would like to add it back though if possible.

I did too temporarily and missed the information/control/graphs too much!

After noticing that the 'i' option specifically said that the above warnings may be ignored, I just ignore it now!

And @Jack Yaz's ntpMerlin is back, baby! :)
 