Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


I had to manually create the rpzsites file. Then this:
Code:
Apr 15 09:15:00 RT-AC86U (unbound_rpz.sh): 27765 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
Apr 15 09:15:01 RT-AC86U (unbound_rpz.sh): 27765 Reload unbound for zone named rpz.urlhaus.abuse.ch
Apr 15 09:15:01 RT-AC86U (unbound_rpz.sh): 27765 Attempting to Download 2 of 1 from .
Apr 15 09:15:01 RT-AC86U (unbound_rpz.sh): 27765 Reload unbound for zone named
Something about the read loop?
Prior to the hotfix.

You must have an empty line at the end of the file. Can you check?
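The trailing-newline requirement is the classic shell read-loop pitfall: `read` returns non-zero on a final line that is not newline-terminated, so a plain `while read` loop finishes before handling it. The following is an added illustration, not code from unbound_rpz.sh, using a constructed one-line 'rpzsites' file:

```shell
#!/bin/sh
# Added example (not unbound_rpz.sh): walk an 'rpzsites'-style list of
# download URLs, one per line, in a way that gives the same result whether
# or not the file ends with a newline.

# Naive loop: the last unterminated line is never processed.
count_naive() {
    n=0
    while IFS= read -r url; do
        case "$url" in ''|'#'*) continue ;; esac   # skip blanks and comments
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Robust loop: '|| [ -n "$url" ]' keeps going for that final line.
rpz_sites() {
    while IFS= read -r url || [ -n "$url" ]; do
        case "$url" in ''|'#'*) continue ;; esac
        printf '%s\n' "$url"
    done < "$1"
}

count_robust() {
    rpz_sites "$1" | wc -l | tr -d ' '
}

# Constructed sample: the same single URL, with and without a trailing newline.
demo() {
    with_nl=$(mktemp); printf 'https://urlhaus.abuse.ch/downloads/rpz/\n' > "$with_nl"
    no_nl=$(mktemp);   printf 'https://urlhaus.abuse.ch/downloads/rpz/'   > "$no_nl"
    echo "naive:  $(count_naive "$with_nl") vs $(count_naive "$no_nl")"
    echo "robust: $(count_robust "$with_nl") vs $(count_robust "$no_nl")"
    rm -f "$with_nl" "$no_nl"
}
demo
```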
 
My one line (awk-based) Histogram statistics reporter method is even better! ;)

I am thinking a table for the sites blocked (and count) over the last 30 days. I think for malware you may want more than just a chart, but to know the site as well.

OR

Would it be better to have a line graph with #1 of blocked events each day over the past 30 days? Just a graph?
 
> You must have an empty line at the end of the file. Can you check?
Yes, that was it.

And with the hotfix no errors now.
 
> I am thinking a table for the sites blocked (and count) over the last 30 days. I think for malware you may want more than just a chart, but to know the site as well.
>
> OR
>
> Would it be better to have a line graph with #1 of blocked events each day over the past 30 days? Just a graph?
Well it depends! ;)

I defer to your better GUI HTML skills, but since we have barely touched the possibilities of the DNS Firewall, i.e. currently 'NXDOMAIN' i.e. block only, I'm thinking how much time/motivation would you have to devote in order to accommodate the other possibilities such as the 'walled-garden' GUI landing page etc.

P.S. Hopefully you will find my 'unbound.conf.firewall' tweak useful?.....which may mean you could expand your 'unbound_rpz.sh' script?....after all I have promoted your contribution in the menus '7?' or 'firewall ?' :D
 
I'm sure many are wanting to understand if/why we need a DNS Firewall? - particularly since I recently referred to a 'walled-garden' in the context of DNS Firewall aka RPZ.

DNS Response Policy Zones (RPZ) was invented at ISC and first implemented in BIND, but it is an open and vendor-neutral standard for the interchange of DNS firewall configuration information.

Taken from the ISC's documentation.


Technical Details

The rules in a Response Policy Zone consist of triggers or filters that identify what responses to modify, and policy actions to apply to these responses. Each rule can use one of five policy triggers and specify one of eight policy actions.

Response Policy Triggers
  • by the query name. [QNAME]
  • by an address which would be present in a truthful response. [RPZ-IP]
  • by the name or address of an authoritative name server responsible for publishing the original response. [RPZ-NSDNAME and RPZ-NSIP]
  • by the IP address of the DNS client. [RPZ-CLIENT-IP]
Response Policy Actions
  • to synthesize a “domain does not exist” response. [NXDOMAIN]
  • to synthesize a “name exists but there are no records of the requested type” response. [NODATA]
  • to redirect the user via a CNAME to a walled garden. [CNAME example.org]
  • to replace the response with specified data. [Local Data]
  • to require the client to re-submit the query via TCP. [CNAME rpz-tcp-only]
  • to exempt the response from further policy processing. [DISABLED, CNAME rpz-passthru]
  • to drop the query, without any response to the client. [CNAME rpz-drop]
The most common use of a DNS firewall is to poison a domain name, IP address, name server name, or name server IP address.

Poisoning is usually done by forcing a synthetic “domain does not exist” response. This means if you know a list of known “phishing” domains you could make these names unreachable by your customers or end users just by adding some firewall policy into your recursive DNS server, with a trigger for each known “phishing” domain, and an action in every case forcing a synthetic “domain does not exist” response.

Or you could use a data replacement action such as answering for these known “phishing” domains with the name of a local web server that can display a warning page.

Such a web server would be called a “walled garden.”

** Bold and Italics etc. added by me.
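The triggers and actions listed above are encoded in the owner name and CNAME target of each RPZ record. As an added example, not part of unbound_manager or unbound_rpz.sh, this awk-based function reports the trigger and action of every rule in a zone file such as the downloaded rpz.urlhaus.abuse.ch.zone, which is useful for reviewing a feed before loading it (with or without 'rpz-action-override'):

```shell
#!/bin/sh
# Added example: classify RPZ rules by trigger and policy action.
# rpz_classify ZONEFILE -> one line per rule: "<trigger> <action> <owner>"
# Owner names are assumed relative to the zone origin (as in downloaded feeds).
rpz_classify() {
    awk '
    # skip blank lines, ";" comments and $TTL/$ORIGIN directives
    /^[[:space:]]*(;|$)/ || /^\$/ { next }
    {
        # locate the record type; optional TTL and class fields may precede it
        type = ""; rdata = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^(CNAME|A|AAAA|TXT|SOA|NS)$/) { type = $i; rdata = $(i + 1); break }
        }
        # apex SOA/NS records carry no policy
        if (type == "" || type == "SOA" || type == "NS") next

        owner = $1
        # trigger: encoded as a suffix of the owner name (e.g. 32.4.3.2.1.rpz-ip
        # is prefix length followed by the reversed address 1.2.3.4/32)
        trig = "QNAME"
        if (owner ~ /\.rpz-ip$/)             trig = "RPZ-IP"
        else if (owner ~ /\.rpz-nsdname$/)   trig = "RPZ-NSDNAME"
        else if (owner ~ /\.rpz-nsip$/)      trig = "RPZ-NSIP"
        else if (owner ~ /\.rpz-client-ip$/) trig = "RPZ-CLIENT-IP"

        # action: encoded in the CNAME target; any other record is Local Data
        act = "LOCAL-DATA"
        if (type == "CNAME") {
            if (rdata == ".")                   act = "NXDOMAIN"
            else if (rdata == "*.")             act = "NODATA"
            else if (rdata == "rpz-passthru.")  act = "PASSTHRU"
            else if (rdata == "rpz-drop.")      act = "DROP"
            else if (rdata == "rpz-tcp-only.")  act = "TCP-ONLY"
            else                                act = "CNAME " rdata   # walled garden
        }
        print trig, act, owner
    }' "$1"
}
```

On the router this would be run as `rpz_classify /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone`; piping the output through `sort | uniq -c` gives a quick count per trigger/action pair.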
 
Whoops :oops: Hotfix v3.03 Github md5=cef422d41ee5a36c4472694b34164dc4

'unbound_manager' didn't download 'rpzsites' file due to new functionality that I hadn't actually fully implemented in the script but had only gone-live in my head :rolleyes:

Abject apologies @JGrana for the inconvenience caused.
No worries, glad I could help.
You guys are doing a great job making a fairly complex feature easy :)
 
> Well it depends! ;)
>
> I defer to your better GUI HTML skills, but since we have barely touched the possibilities of the DNS Firewall, i.e. currently 'NXDOMAIN' i.e. block only, I'm thinking how much time/motivation would you have to devote in order to accommodate the other possibilities such as the 'walled-garden' GUI landing page etc.
>
> P.S. Hopefully you will find my 'unbound.conf.firewall' tweak useful?.....which may mean you could expand your 'unbound_rpz.sh' script?....after all I have promoted your contribution in the menus '7?' or 'firewall ?' :D

I am not sure what you mean by unbound.conf.firewall? I don't see any file checked in like that? I am open to making tweaks for sure.
 
While enabling the firewall in advanced mode I get:

Do you want to enable DNS Firewall?

Reply 'y' or press [Enter] to skip
y
unbound_rpz.sh downloaded successfully
rpzsites downloaded successfully

Created startup hook in services-start.
Created cron job.
(unbound_rpz.sh): 30012 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
######################################################################## 100.0%
Installed.

unbound DNS Firewall ENABLED

[1586963535] unbound-checkconf[30099:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586963535] unbound-checkconf[30099:0] fatal error: Could not setup authority zones

***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

Router Configuration recommended pre-reqs status:

[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Entware NTP server is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO

Options: Auto Reply='y' for User Selectable Options ('4') Performance Tweaks

[✔] unbound CPU/Memory Performance tweaks
[✔] Router Graphical GUI statistics TAB installed
[✔] unbound-control FAST response ENABLED
[✔] DNS Firewall ENABLED



[1586963535] unbound-checkconf[30511:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586963535] unbound-checkconf[30511:0] fatal error: Could not setup authority zones

***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

or 'e' exit; then issue debug command

unbound -dv


This is with a fresh installation of 3.03.
 
> While enabling the firewall in advanced mode I get:
>
> [1586963535] unbound-checkconf[30099:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
> [1586963535] unbound-checkconf[30099:0] fatal error: Could not setup authority zones
>
> ***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
Whoops :oops:, I haven't merged the GitHub dev branch 'unbound.conf' v1.09 with the master branch....

Please update 'unbound.conf'
Code:
e  = Exit Script [?]

E:Option ==> i
 
> Whoops :oops:, I haven't merged the GitHub dev branch 'unbound.conf' v1.09 with the master branch....
>
> Please update 'unbound.conf'
> Code:
> e  = Exit Script [?]
>
> E:Option ==> i
that did it! no errors reported during firewall enable
thanks!
 
question: if i enable the firefox dot option, does unbound still work as recursive server, or does that change?
 
> question: if i enable the firefox dot option, does unbound still work as recursive server, or does that change?
No, if you ENABLE that option, unbound will still be the recursive DNS
 
> I am not sure what you mean by unbound.conf.firewall? I don't see any file checked in like that? I am open to making tweaks for sure.
It's in my script! :cool:
 
Martineau,
I just updated 'unbound_manager' to v3.03.
When 'unbound_manager' was run I saw that v3.04 was available.
I selected the 'i' option to install and after install it failed with errors similar to
Juched
Code:
[1586862044] unbound-checkconf[30159:0] error: cannot open zonefile rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.: No such file or directory
[1586862044] unbound-checkconf[30159:0] fatal error: Could not setup authority zones
***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

I corrected the unbound.conf as per your post
[https://www.snbforums.com/threads/r...ecursive-dns-server.61669/page-70#post-570829]:

Code:
zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone             # v1.09 Match @juched's 'rpzsites'

Now all runs but it states it is v3.03 and does not detect a newer version 3.04 as it originally did !!!

I am confused, did I imagine v3.04 ???

:)
 
> I just updated 'unbound_manager' to v3.03. When 'unbound_manager' was run I saw that v3.04 was available. I corrected the unbound.conf as per your post
> Now all runs but it states it is v3.03 and does not detect a newer version 3.04 as it originally did !!!
>
> I am confused, did I imagine v3.04 ???
I doubt there will ever be a v3.04......not with my appalling/shoddy/slapdash coding/Github skills etc. for v3.03 :eek::rolleyes:

But unless there is another repository hosting a bug-free v3.04 then I'm afraid we are both confused - most likely due to lockdown-fever madness? :p
 
> I doubt there will ever be a v3.04......not with my appalling/shoddy/slapdash coding/Github skills etc. for v3.03 :eek::rolleyes:
>
> But unless there is another repository hosting a bug-free v3.04 then I'm afraid we are both confused - most likely due to lockdown-fever madness? :p
OK !!

I was absolutely sure I read v3.04 ........... !!!???

Just searched through my session log(s) and cannot find it !!!!!

Off to the funny farm I go ....... [Hi Ho Hi Ho .........] :confused::confused:;)

Hope they have PPE ....... just in case ....... :D:D
 
> It's in my script! :cool:
Ahh, I swear I searched (both master and dev) for that string but got no hits. Now I see it.

So, the idea is that I host another file (unbound.conf.firewall) which I would maintain to match rpzsites file ...... You would need to add in download code then, but I do like that idea.

Wait... no! I could generate the unbound.conf.firewall file from the rpzsites file.

Not sure I can do this today, but will look into this.


--- edit ---

Curious, what are you using this for? What settings do you keep in that block?

Code:
                            # Modify /opt/share/unbound/configs/unbound.conf.add
                            local FN="/opt/share/unbound/configs/unbound.conf.add"
                            [ -f $FN ] && sed -i '/#NOdnsmasq/,/#NOdnsmasqEND/ s/^#//' $FN
 
> Ahh, I swear I searched (both master and dev) for that string but got no hits. Now I see it.
>
> So, the idea is that I host another file (unbound.conf.firewall) which I would maintain to match rpzsites file ...... You would need to add in download code then, but I do like that idea.
>
> Wait... no! I could generate the unbound.conf.firewall file from the rpzsites file.
>
> Not sure I can do this today, but will look into this.
Got it! :)

Like I said not sure if anyone will actually manually add entries to 'rpzsites'?

Code:
# Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26 )
# Uses @juched's script so until vendor nlnetlabs.nl fix the 'url:' download issue - assume the zonefile will be downloaded externally,
#      and an external cron job will update the DNS Firewall every 00:15 minutes
#

rpz:                                                             # DNS Firewall
  name: rpz.urlhaus.abuse.ch                                     # Zone name used by
  #url: "http://urlhaus.abuse.ch/downloads/rpz/"                 # Until fixed by nlnetlabs.nl; comment out and use full path below
  zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone       # Sample @juched's 'rpzsites'
  rpz-log: yes                                                   # DNS Firewall logging
  rpz-log-name: "rpz.urlhaus.abuse.ch.log"                       # DNS Firewall log destination
  rpz-action-override: nxdomain                                  # Default action for zone entries

#==========================================================================================================================
# Define additional DNS Firewall rules/zones (@juched's script should ideally do this for you! ;-) from 'rpzsites' contents

#     RPZ Zone download URL                      Download RPZ destination                          RPZ zone name
#     ---------------------                      ------------------------                          -------------
#     https://urlhaus.abuse.ch/downloads/rpz/    /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone    rpz.urlhaus.abuse.ch
#     http://abcdef.ghijk.lmnopq.rstuvw.xyz/     /opt/var/lib/unbound/rpz.myfirewall.rules1.zone   rpz.myfirewall.rules1

#rpz:
#  name: rpz.myfirewall.rules1                                   # Zone name used by 'unbound-control auth_zone_reload xxxx'
#  url: "http://abcdef.ghijk.lmnopq.rstuvw.xyz"                  # Until fixed by nlnetlabs.nl; comment out and use full path below
#  zonefile: /opt/var/lib/unbound/rpz.myfirewall.rules1.zone     # Custom URL for custom zone 'rpz.myfirewall.rules1'
#  rpz-log: yes                                                  # DNS Firewall logging
#  rpz-log-name: "rpz.myfirewall.rules1.log"                     # DNS Firewall log destination
#  rpz-action-override: nxdomain                                 # Default action for zone entries


# Additional DNS Firewall rules/zones customisation using tags
#
# e.g. Define two tags, and only apply the DNS Firewall rules to certain LAN devices....
#server:
#  define-tag: "malware social"
#  access-control-tag: 127.0.0.10/32 "social"
#  access-control-tag: 127.0.0.20/32 "social malware"
#  access-control-tag: 127.0.0.30/32 "malware"
#rpz:
#  name: malware.rpz.example.com
#  zonefile: malware.rpz.example.com
#  tags: "malware"
#rpz:
#  name: social.rpz.example.com
#  zonefile: social.rpz.example.com
#  tags: "social"
 
> Curious, what are you using this for? What settings do you keep in that block?
>
> Code:
>                             # Modify /opt/share/unbound/configs/unbound.conf.add
>                             local FN="/opt/share/unbound/configs/unbound.conf.add"
>                             [ -f $FN ] && sed -i '/#NOdnsmasq/,/#NOdnsmasqEND/ s/^#//' $FN
It's part of the experimental 'extended' code,...only partially implemented in the public release - but wasn't to be formally disclosed.:rolleyes:
 