Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

@juched:

thanks for the tip! I renamed the /opt/etc/unbound/unbound.conf and reinstalled it with option "1". Now there is only one symlink left ... see screenshot ...

Attachment: unbound_conf.jpg
Juched

"from my debugging of unbound logs at a high verbosity a couple of nights ago, I see that this causes an HTTP 301 (permanently moved) code, which unbound fails on. It redirects to the HTTPS version, which currently doesn't work with unbound on that site due to the issue (https://github.com/NLnetLabs/unbound/issues/193). So, for now, even putting https in front doesn't help and just causes extra network traffic. I have tested, and for now, I would just leave URL: commented out, or remove it altogether. The file is downloaded via the RPZ script every 15 minutes and reloaded."


If you comment out url: "http://urlhaus.abuse.ch/downloads/rpz/" the following errors are obtained

Code:
[1586862044] unbound-checkconf[30159:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586862044] unbound-checkconf[30159:0] fatal error: Could not setup authority zones
***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
Ya, I saw that too, but it is complaining about the file name. I tested that RPZ was working (using the test site testentry.rpz.urlhaus.abuse.ch) and the log shows RPZ applied.

I think it is an output error for check conf.
Try changing 'unbound.conf'

i.e.
Code:
zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone             # v1.09 Match @juched's 'rpzsites'
I pushed Beta 3.03 for testing by the brave.

EDIT: One issue with the 'DNS Firewall' is reported here, together with a workaround

i.e. 'Advanced' mode
Code:
e  = Exit Script

A:Option ==> uf dev
Still having issues with setting up the DNS firewall.
First, I uninstalled my previous Unbound/Unbound_Manager installation

I then used amtm to install Unbound_manager. After the initial installation I did not yet want to install unbound. I quit amtm and then ran unbound_manager advanced. I did an uf dev to install 3.03 Beta.

Ran unbound_manager (now 3.03 Beta) and did the Unbound install.
After unbound installed and ran fine, I then selected 7 - Enable DNS Firewall.

Here is the output:

unbound_rpz.sh downloaded successfully

Created startup hook in services-start.
Created cron job.
/jffs/addons/unbound/unbound_rpz.sh: line 150: can't open /opt/share/unbound/configs/rpzsites: no such file
Installed.

unbound DNS Firewall ENABLED

[1586871887] unbound-checkconf[12216:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586871887] unbound-checkconf[12216:0] fatal error: Could not setup authority zones

***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

Here is the relevant section of unbound.conf:
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# v1.08 Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26)
# Uses @juched's script so until NLLabs fix the 'url:' download issue - assume the zonefile will be downloaded externally
# and an external cron job will update the DNS Firewall every 00:15 minutes
#
rpz:#RPZ # v1.08 DNS Firewall
name: rpz.urlhaus.abuse.ch
#url: "http://urlhaus.abuse.ch/downloads/rpz/"
zonefile: "rpz.urlhaus.abuse.ch.zone" # v1.09 Match @juched's 'rpzsites'
rpz-log: yes
rpz-log-name: "rpz.urlhaus.abuse.ch"
rpz-action-override: nxdomain
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Any advice?

see this post

I was hoping not to have to force a new version 1.10 of 'unbound.conf' for 'unbound_manager' v3.03 because then the user must always ensure that they accept the new default configuration, and will need to manually reapply the firewall.
To be honest I don't think use of the 'i' command is that much of an imposition, given the availability of 'dnsmasq.conf.add' / 'dnsmasq.postconf' to auto-apply any custom tweaks.

To see what I mean, and to have the problem fix itself:
Code:
e  = Exit Script

A:Option ==> i dev
Your unbound.conf should have this

rpz:#RPZ # v1.08 DNS Firewall
name: rpz.urlhaus.abuse.ch
url: "http://urlhaus.abuse.ch/downloads/rpz/"
zonefile: "rpz.urlhaus.abuse.ch.zone" # v1.09 Match @juched's 'rpzsites'
rpz-log: yes
rpz-log-name: "rpz.urlhaus.abuse.ch"
rpz-action-override: nxdomain

Also, confirm that rpz.urlhaus.abuse.ch.zone file exists in the same location as unbound.conf. Further make sure you have rpzsites file in /opt/share/unbound/configs location.
see this error report by @joe scian

So with the 'url:' statement you get 'hidden' errors; without it, you then need to use a full path for the 'zonefile:', as it appears that even if the file physically exists, unbound throws a hissy fit with just the implied relative path.
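The relative-versus-absolute 'zonefile:' finding above is easy to pre-check before restarting unbound. The following is an added example, not unbound_manager's own 'vx' validation and not unbound-checkconf: a POSIX-sh function that extracts every 'zonefile:' value from an unbound.conf (stripping quotes and trailing comments), flags relative paths, which the thread found unbound-checkconf rejects even when the file exists, and flags absolute paths that are missing. The sample config, the zone file it points at and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not unbound_manager code): pre-flight check of 'zonefile:' paths.
# Prints one "STATUS path" line per zonefile: OK, RELATIVE or MISSING.

# Constructed sample: three rpz: stanzas, one relative path, one present, one missing.
SAMPLE_CONF="${TMPDIR:-/tmp}/unbound_demo.conf"
SAMPLE_ZONE="${TMPDIR:-/tmp}/rpz.demo.zone"
: > "$SAMPLE_ZONE"                      # create an (empty) zone file so one path exists
cat > "$SAMPLE_CONF" <<EOF
rpz:
    name: rpz.urlhaus.abuse.ch
    #url: "http://urlhaus.abuse.ch/downloads/rpz/"
    zonefile: "rpz.urlhaus.abuse.ch.zone"   # relative: rejected by unbound-checkconf per the thread
    rpz-log: yes
rpz:
    name: rpz.demo
    zonefile: $SAMPLE_ZONE
rpz:
    name: rpz.gone
    zonefile: "/nonexistent/rpz.gone.zone"  # absolute but not present on disk
EOF

# check_zonefiles CONF: classify every zonefile: value in CONF.
check_zonefiles() {
    conf=$1
    # awk: isolate the value after 'zonefile:', drop a trailing '# comment', drop quotes.
    awk '/^[ \t]*zonefile:/ {
            v = $0
            sub(/^[ \t]*zonefile:[ \t]*/, "", v)
            sub(/[ \t]*#.*$/, "", v)
            gsub(/"/, "", v)
            print v
        }' "$conf" |
    while read -r path; do
        case "$path" in
            /*) if [ -f "$path" ]; then echo "OK $path"; else echo "MISSING $path"; fi ;;
            *)  echo "RELATIVE $path" ;;
        esac
    done
}

# zonefiles_ok CONF: exit 0 only when every zonefile is absolute and present,
# i.e. safe to hand to unbound-checkconf / a restart.
zonefiles_ok() {
    check_zonefiles "$1" | grep -qv '^OK ' && return 1
    return 0
}

check_zonefiles "$SAMPLE_CONF"
zonefiles_ok "$SAMPLE_CONF" && echo "all zonefiles usable" || echo "fix the paths above before restarting unbound"
```

Run it with the real file (`check_zonefiles /opt/var/lib/unbound/unbound.conf`) before a restart; a RELATIVE line is exactly the case that produced the "cannot open zonefile ... No such file or directory" error in this thread.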
is it possible to show DNS firewall stats in GUI ?
Please have a little patience, I'm sure they will appear when the scripting is ready.

i.e. the implementation of the 'DNS Firewall' isn't fully fool-proof (yet) and hasn't even been made installable to the masses, but whilst the feasibility study proves it works, I'm not sure how well it scales in the real world.

So out of interest, how many 'DNS Firewall' events are you experiencing, that need to be charted statistically in the GUI?
i am curious if in my network i will see some activity. no hurry, keep your time ...

Well, in the couple of days that I have had the DNS Firewall ENABLED I don't believe I have had any real-world DNS Firewall blocked events.

but wait, would you believe it! I do have one..... :cool:

Recommended Scribe logging (use '/opt/var/lib/unbound/unbound.log' if using the unbound log)
Code:
grep RPZ /opt/var/log/unbound.log

Apr 14 18:08:19 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] testentry.rpz.urlhaus.abuse.ch. nxdomain 127.0.0.1@33916 testentry.rpz.urlhaus.abuse.ch. A IN
To create the data for the histogram:
Summarise the observed interval count, first by hourly total and then (after the separator '---') sub-total by minute
Code:
awk '/RPZ/ {print $1" "$2" "$3}' /opt/var/log/unbound.log  | awk -F: '{h[$1]++;m[$1":"$2]++;}END{for(x in h)print x,h[x]; print "---"; for(x in m)print x,m[x]}'

Apr 14 18 1
---
Apr 14 18:08 1
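The awk one-liner above only counts events per hour and minute. As an added example (not from the thread or from unbound_manager), here is the same summary generalised a little: it locates the fields by the "applied" token rather than by fixed column, so it works on both the Scribe format shown above ("RT-AC68U unbound: [pid] info: RPZ applied ...") and the plain unbound.log format ("unbound[pid] info: RPZ applied ..."), and it adds the two views a defender usually wants next, the most-blocked names and the clients that triggered them. The log lines are constructed to match the thread's format; the file path and function names are assumptions.

```shell
#!/bin/sh
# Added example (not unbound_manager code): summarise "RPZ applied" events from an
# unbound or Scribe log. Per-hour and per-minute counts, top blocked names, top clients.

# Constructed sample log in the same layout as the thread's Scribe line.
SAMPLE_LOG="${TMPDIR:-/tmp}/rpz_demo.log"
cat > "$SAMPLE_LOG" <<'EOF'
Apr 14 18:08:19 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] testentry.rpz.urlhaus.abuse.ch. nxdomain 127.0.0.1@33916 testentry.rpz.urlhaus.abuse.ch. A IN
Apr 14 18:09:02 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] bad.example. nxdomain 192.168.1.20@51000 bad.example. A IN
Apr 14 18:09:45 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] bad.example. nxdomain 192.168.1.20@51001 bad.example. AAAA IN
Apr 14 19:15:10 RT-AC68U unbound: [13142:0] info: RPZ applied [rpz.urlhaus.abuse.ch] other.example. nxdomain 192.168.1.30@40000 other.example. A IN
Apr 14 19:15:11 RT-AC68U unbound: [13142:0] query: 192.168.1.30 clean.example. A IN
EOF

# rpz_by_hour LOG: "Mon DD HH count", sorted (the thread's hourly total).
rpz_by_hour() {
    awk '/RPZ applied/ { split($3, t, ":"); c[$1" "$2" "t[1]]++ }
         END { for (k in c) print k, c[k] }' "$1" | sort
}

# rpz_by_minute LOG: "Mon DD HH:MM count", sorted (the thread's per-minute sub-total).
rpz_by_minute() {
    awk '/RPZ applied/ { split($3, t, ":"); c[$1" "$2" "t[1]":"t[2]]++ }
         END { for (k in c) print k, c[k] }' "$1" | sort
}

# rpz_top_names LOG: "count qname", most blocked first. The qname is the second
# token after "applied" (the first is the [zone] bracket), whatever the log prefix.
rpz_top_names() {
    awk '/RPZ applied/ { for (i = 1; i <= NF; i++) if ($i == "applied") { c[$(i+2)]++; break } }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# rpz_top_clients LOG: "count client-ip", the client is the fourth token after
# "applied" in the form ip@port; the port is dropped.
rpz_top_clients() {
    awk '/RPZ applied/ { for (i = 1; i <= NF; i++) if ($i == "applied") { split($(i+4), a, "@"); c[a[1]]++; break } }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

echo "== per hour ==";   rpz_by_hour "$SAMPLE_LOG"
echo "---";              rpz_by_minute "$SAMPLE_LOG"
echo "== names ==";      rpz_top_names "$SAMPLE_LOG"
echo "== clients ==";    rpz_top_clients "$SAMPLE_LOG"
```

Point the functions at /opt/var/log/unbound.log (Scribe) or /opt/var/lib/unbound/unbound.log (unbound's own log) as in the post above; a client that appears repeatedly against many different names is the one worth looking at first.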
Hi @Martineau. I ended up bailing on using the supplied script to create/update the zone file.
I did use the script to make a simplified cron script:

Code:
#!/bin/sh
# Fetch the current urlhaus RPZ zone straight into unbound's working directory
curl -o /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone  "https://urlhaus.abuse.ch/downloads/rpz/"
# The download uses CRLF line endings; normalise them before unbound reads the file
dos2unix /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone
# Ask the running unbound to re-read the zone (zone name must match 'name:' in unbound.conf)
unbound-control auth_zone_reload rpz.urlhaus.abuse.ch

Seems to be working fine. I attempted to access a few places in the zone file. This showed in the unbound.log:

Apr 14 15:55:40 unbound[31043:0] query: 127.0.0.1 49parallel.ca. A IN
Apr 14 15:55:40 unbound[31043:0] info: RPZ applied [rpz.urlhaus.abuse.ch] 49parallel.ca. nxdomain 127.0.0.1@7255 49parallel.ca. A IN
Apr 14 15:55:40 unbound[31043:0] reply: 127.0.0.1 49parallel.ca. A IN NXDOMAIN 0.000000 1 31
Apr 14 15:55:40 unbound[31043:0] query: 127.0.0.1 www.49parallel.ca. A IN
Apr 14 15:55:40 unbound[31043:0] reply: 127.0.0.1 www.49parallel.ca. A IN NOERROR 0.185061 0 65
I'm sure @juched will comment, but there should be a scheduled every-15-min cron job; you can also execute the script manually

e.g.
Code:
./unbound_rpz.sh download

Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
######################################################################## 100.0%
Reload unbound for zone named rpz.urlhaus.abuse.ch
ok
so not sure why you say the script doesn't work?
Thanks, I did put the short script into cron - every 15 mins.

As far as @juched script, It would never install correctly - first complained it could not find the file rpzsites
I then created an rpzsites file and put the https line pointing to rpz.urlhaus.abuse.ch into it (so curl would work).
It then complained it could not create a directory.

I looked over the script and simply dumbed it down with constants. Just to see if I could get the RPZ zone working with unbound.

BTW, maybe a question for @juched: looking at the function download_reload, it seems to be called with 2 arguments.
How does it derive $3 on this line?
$UNBOUNCTRLCMD auth_zone_reload "$3"

If it helps, this is on an AX88u running 384.16.
It's reading it from the file at the end of the loop.

Correct, once you enter the loop, $1/$2/$3 are changed to the arguments of that current line.

I can confirm, even though the check conf call shows that error, the file is loaded and run by unbound. If you open the rpz zone file and pick a newly entered entry (i.e. search for today's date), you can try it in a browser and it will generate an RPZ event.

Good to know that a full path will stop the error, that is a good fix.
Indeed.

Might I suggest that, to provide feedback that the script is working, you replace the 'echo' statements with 'logger' statements where appropriate?

e.g.
Code:
download_reload() {
  sitesfile=$1          # file with one "url zonefile zonename" entry per line
  reload=$2             # pass "reload" to have unbound re-read each zone after download
  count=1
  while read -r line
  do
    set -- $line        # $1=url $2=zonefile $3=zonename for the current line
    case "$1" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    logger -st unbound $$ "Attempting to Download $count of $(awk 'NF && !/^[[:space:]]*#/' $sitesfile | wc -l) from $1."
    curl --progress-bar $1 > $2
    dos2unix $2
    if [ "$reload" = "reload" ] && [ ! -z "$(pidof unbound)" ]; then
      logger -st unbound $$ "Reload unbound for zone named $3"
      $UNBOUNCTRLCMD auth_zone_reload "$3"    # UNBOUNCTRLCMD is set elsewhere in unbound_rpz.sh
    fi
    count=$((count + 1))
  done < "$sitesfile"
}
resulting in confirmation download messages in the log
Code:
Apr 14 23:33:24 RT-AC68U unbound: 15925 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
Apr 14 23:33:24 RT-AC68U unbound: 15925 Reload unbound for zone named rpz.urlhaus.abuse.ch
It's late here so I will delay releasing v3.03 until tomorrow to see if there is anything you wish to investigate further with @JGrana etc.
I concur with @Martineau's statement, as the echo is only useful if outputting to a file or viewing it in the ssh terminal from a dry-run/manual-run.
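Two points from the posts above deserve a worked example: the question of where `$3` comes from (answered: `set -- $line` re-points `$1/$2/$3` at the columns of the current rpzsites line) and the suggestion to report through `logger`. The block below is an added example, not the unbound_rpz.sh script and not unbound_manager's code. It keeps the thread's loop shape and variable names (`UNBOUNCTRLCMD`, `download_reload sitesfile reload`) but adds what a production updater needs: blank/comment lines are skipped, the download goes to a temporary file and the live zonefile is only replaced when the fetch succeeded and produced a non-empty file (a failed curl writing an empty zone would silently switch the DNS Firewall off), CRLF is stripped with `tr` instead of `dos2unix`, and every step is logged. The `fetch_zone` and `log` helpers, the `--max-time` value and the sample rpzsites content are assumptions.

```shell
#!/bin/sh
# Added example (not unbound_rpz.sh): hardened rpzsites loop with atomic zonefile
# replacement and syslog reporting. rpzsites line format: url zonefile zonename

UNBOUNCTRLCMD="${UNBOUNCTRLCMD:-unbound-control}"   # same variable name as the thread's script

# log MSG...: syslog via logger (tagged 'unbound', pid first, as in the thread);
# falls back to stderr where logger is unavailable.
log() { logger -st unbound $$ "$*" 2>/dev/null || echo "unbound: $$ $*" >&2; }

# fetch_zone URL FILE: assumed helper; -f makes HTTP errors (e.g. a 301/404) fail
# instead of saving an error page as the zone.
fetch_zone() {
    curl -fsS --max-time 60 -o "$2" "$1"
}

# count_sites FILE: number of entries that will actually be processed.
count_sites() {
    awk 'NF && !/^[ \t]*#/' "$1" | wc -l | tr -d ' '
}

# update_zone URL ZONEFILE ZONENAME: download to a temp file, verify, then swap in.
# Returns 0 only when the live zonefile was replaced.
update_zone() {
    url=$1; zonefile=$2; zonename=$3
    tmp="$zonefile.tmp.$$"
    if ! fetch_zone "$url" "$tmp" || [ ! -s "$tmp" ]; then
        log "Download of $zonename from $url failed; keeping existing $zonefile"
        rm -f "$tmp"
        return 1
    fi
    tr -d '\r' < "$tmp" > "$tmp.lf" && mv "$tmp.lf" "$zonefile"   # dos2unix equivalent, then atomic rename
    rm -f "$tmp"
    return 0
}

# download_reload SITESFILE [reload]: the thread's loop, hardened.
download_reload() {
    sitesfile=$1
    reload=$2
    total=$(count_sites "$sitesfile")
    count=1
    while read -r line; do
        set -- $line                              # $1=url $2=zonefile $3=zonename (this is where $3 comes from)
        case "$1" in ''|'#'*) continue ;; esac    # blank line or comment: nothing to fetch
        log "Attempting to Download $count of $total from $1."
        if update_zone "$1" "$2" "$3" && [ "$reload" = "reload" ] && [ -n "$(pidof unbound 2>/dev/null)" ]; then
            log "Reload unbound for zone named $3"
            $UNBOUNCTRLCMD auth_zone_reload "$3"
        fi
        count=$((count + 1))
    done < "$sitesfile"
}

# usage (from cron every 15 minutes, as in the thread):
#   download_reload /opt/share/unbound/configs/rpzsites reload
```

Because the reload only happens after a verified replacement, a transient outage of the feed leaves the previous zone in force and leaves a "failed; keeping existing" line in the log, which is the signal to watch for rather than an empty zone.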