Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[JemTheWire]

Can I ask, at the risk of being stupid, if I am using Skynet, is enabling the DNS Firewall in Unbound recommended? Or is it best to use one OR the other?

 

[dave14305]

Can I ask, at the risk of being stupid, if I am using Skynet, is enabling the DNS Firewall in Unbound recommended? Or is it best to use one OR the other?

Skynet enhances the real firewall on your router from known bad-guys, both inbound and outbound. The RPZ feature simulates an outbound DNS firewall similar to how other host-based ad-blocking solutions do, so I'd say you need both (if you think the DNS Firewall feature is robust enough to be worthwhile yet). Free source data seems scarce at the moment.

 

[Martineau]

Can I ask, at the risk of being stupid, if I am using Skynet, is enabling the DNS Firewall in Unbound recommended? Or is it best to use one OR the other?

see this post and follow-up post, i.e. @jusched's implementation refreshes the URLHaus filter list every 15 minutes.

 

[ColDen]

Unbound updated (as instructed) to v3.03 with no errors reported.

Thanks,

Denis

 

[SomeWhereOverTheRainBow]

In

Whoops Hotfix v3.03 Github md5=cef422d41ee5a36c4472694b34164dc4

'unbound_manager' didn't download 'rpzsites' file due to new functionality that I hadn't actually fully implemented in the script but had only gone-live in my head

Abject apologies @JGrana for the inconvenience caused.

Well it is nice to know the release is ahead of schedule. Just keep it as dev until all the bugs are worked out.

 

[juched]

Done

Got it!

Like I said not sure if anyone will actually manually add entries to 'rpzsites'?

Done. Pushed v1.2.0 to github.

 

[Martineau]

Done. Pushed v1.2.0 to github.

Thanks.

Also, as a courtesy, (in the same way I don't overwrite your Ad Block 'blocksites' etc.), if the file already exists should you prompt

e.g.

Overwrite 'unbound.conf.firewall'  y/n?

just in case someone has customised the file locally, and needs to either reinstall unbound or explicitly DISABLE/ENABLE the DNS Firewall (unlikely I know )

 

[SuperDuke]

Now here is a totally stupid and basic question...(so apologies in advance) but I am trying top mod the blocklist file via either nano or vi and for some reason or another it's not allowing me to update or even type.....any reason why that might be? I stopped unbound to attempt that as well.

edit: Amazing what you can find when you look at source code.....maybe a weird way to find out, but I knew the vx command from the manager.sh file edited so I searched the Github code for that.....allow me to be proud...haha

 

[SuperDuke]

@juched

If I have modified the adblock blockfiles file with an addition, how do I force it to download the new block list? Thanks!

I have the Adblocker and Firewall functional. Thanks for the hard work to all involved.

edit: I assumed a uninstall/reinstall...no issues...

 

[Martineau]

@juched

If I have modified the adblock blockfiles file with an addition, how do I force it to download the new block list? Thanks!

I have the Adblocker and Firewall functional. Thanks for the hard work to all involved.

edit: I assumed a uninstall/reinstall...no issues...

The next invocation of the scheduled cron job will use the new 'blocklist'

0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#

or to force it - invoke it manually.

 

[juched]

Made a pass at adding DNS Firewall to stats page. Added to the dev branch.

• Add logging for DNS Firewall
• Add state generate for DNS Firewall
• Add UI reports for DNS Firewall
• Clean up logs hourly for extra messaging (static and transparent)
• Fixed issue with awk error on first install (div by zero)

 

[juched]

Thanks.

Also, as a courtesy, (in the same way I don't overwrite your Ad Block 'blocksites' etc.), if the file already exists should you prompt

e.g.

Overwrite 'unbound.conf.firewall'  y/n?

just in case someone has customised the file locally, and needs to either reinstall unbound or explicitly DISABLE/ENABLE the DNS Firewall (unlikely I know )

People shoulnd't create the unbound.conf.firewall, they should update the rpzsites and let it generate that file.

 

[SuperDuke]

The next invocation of

Thanks @Martineau .

When I review the unbound.conf file now, the RPZ block at the end is commented out. Do we need to uncomment for firewall functionality?

 

[Martineau]

Thanks @Martineau .

When I review the unbound.conf file now, the RPZ block at the end is commented out. Do we need to uncomment for firewall functionality?

No.

'unbound_manager' has now deprecated the static DNS Firewall commented block in favour of the more flexible

include: "/opt/share/unbound/configs/unbound.conf.firewall"        # Custom DNS Firewall

 

[juched]

No.

'unbound_manager' has now deprecated the static DNS Firewall commented block in favour of the more flexible

include: "/opt/share/unbound/configs/unbound.conf.firewall"        # Custom DNS Firewall

And that file is automatically generated from rpzsites file now during install of DNS Firewall option. No need to create that file.

 

[SomeWhereOverTheRainBow]

No.

'unbound_manager' has now deprecated the static DNS Firewall commented block in favour of the more flexible

include: "/opt/share/unbound/configs/unbound.conf.firewall"        # Custom DNS Firewall

if all you have is configs in this directory, you could just make one solid directory and define it as a single one line in the unbound.conf file

include: "/opt/share/unbound/configs/*"

this directory could include anything from AdBlock to DNSFirewall to user custom configs.

it would be a very flexible option to just be an exclusive directory for .conf files. you would never have to worry about uncommenting and commenting it as it would be solely for .conf additions.

or you could require the *to be followed by .conf if you wanted.

include: "/opt/share/unbound/configs/*.conf"

 

[immi803]

Just very basic two questions

1. What benefits does this firewall ON adds? As when someone has Skynet already working ??

2. How one can compare snappiness of unbound recursive DNS methodology with common public DNS like cloudflare or ISP provided ones?

 

[L&LD]

1). Skynet is doing something else. The lists for this firewall are the currently active malware DNS in the last 15 minutes.

2). ISP is like clamping a ball and chain to your ankle to go swimming. Cloudflare can be fast, but only as fast as your connection type allows (cable/DSL/satellite or even Fibre). Unbound is as fast for the first 'reach' into the 'net. After that? Webpages within the same websites you've just visited just magically appear (I love to read, no video/audio, etc. - too slow to ingest those formats.)

 

[Smokey613]

What used to be a lean, mean recursive DNS SERVER now seems to have evolved into a bloated mess. No matter what I try, amtm will not install unbound. Keep getting errors and I am unable to resolve them. Oh well, it was good while it lasted. Back to Quad9.

 

[Kingp1n]

What used to be a lean, mean recursive DNS SERVER now seems to have evolved into a bloated mess. No matter what I try, amtm will not install unbound. Keep getting errors and I am unable to resolve them. Oh well, it was good while it lasted. Back to Quad9.

Depending on how much you done to your router i.e. jumping from built in DOT and Unbound, you might have to reset and start from scratch. I know I did. I'm currently on DoT but will def try unbound again. Its come a long way.