Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Can I ask, at the risk of being stupid, if I am using Skynet, is enabling the DNS Firewall in Unbound recommended? Or is it best to use one OR the other?
 
Can I ask, at the risk of being stupid, if I am using Skynet, is enabling the DNS Firewall in Unbound recommended? Or is it best to use one OR the other?
Skynet enhances the real firewall on your router from known bad-guys, both inbound and outbound. The RPZ feature simulates an outbound DNS firewall similar to how other host-based ad-blocking solutions do, so I'd say you need both (if you think the DNS Firewall feature is robust enough to be worthwhile yet). Free source data seems scarce at the moment.
 
Can I ask, at the risk of being stupid, if I am using Skynet, is enabling the DNS Firewall in Unbound recommended? Or is it best to use one OR the other?
see this post and follow-up post, i.e. @jusched's implementation refreshes the URLHaus filter list every 15 minutes.
 
Unbound updated (as instructed) to v3.03 with no errors reported. :)

Thanks,

Denis
 
In
Whoops :oops: Hotfix v3.03 Github md5=cef422d41ee5a36c4472694b34164dc4

'unbound_manager' didn't download 'rpzsites' file due to new functionality that I hadn't actually fully implemented in the script but had only gone-live in my head :rolleyes:

Abject apologies @JGrana for the inconvenience caused.
Well it is nice to know the release is ahead of schedule;). Just keep it as dev until all the bugs are worked out.
 
Done. Pushed v1.2.0 to github.
Thanks.

Also, as a courtesy, (in the same way I don't overwrite your Ad Block 'blocksites' etc.), if the file already exists should you prompt

e.g.
Code:
Overwrite 'unbound.conf.firewall'  y/n?
just in case someone has customised the file locally, and needs to either reinstall unbound or explicitly DISABLE/ENABLE the DNS Firewall (unlikely I know ;))
 
Now here is a totally stupid and basic question...(so apologies in advance) but I am trying to mod the blocklist file via either nano or vi and for some reason or another it's not allowing me to update or even type.....any reason why that might be? I stopped unbound to attempt that as well.

edit: Amazing what you can find when you look at source code.....maybe a weird way to find out, but I knew the vx command from the manager.sh file edited so I searched the Github code for that.....allow me to be proud...haha
 
@juched

If I have modified the adblock blockfiles file with an addition, how do I force it to download the new block list? Thanks!

I have the Adblocker and Firewall functional. Thanks for the hard work to all involved.

edit: I assumed a uninstall/reinstall...no issues...
 
@juched

If I have modified the adblock blockfiles file with an addition, how do I force it to download the new block list? Thanks!

I have the Adblocker and Firewall functional. Thanks for the hard work to all involved.

edit: I assumed a uninstall/reinstall...no issues...
The next invocation of the scheduled cron job will use the new 'blocklist'
Code:
0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#
or to force it - invoke it manually.
 
Made a pass at adding DNS Firewall to stats page. Added to the dev branch.


  • Add logging for DNS Firewall
  • Add state generate for DNS Firewall
  • Add UI reports for DNS Firewall
  • Clean up logs hourly for extra messaging (static and transparent)
  • Fixed issue with awk error on first install (div by zero)
 
Thanks.

Also, as a courtesy, (in the same way I don't overwrite your Ad Block 'blocksites' etc.), if the file already exists should you prompt

e.g.
Code:
Overwrite 'unbound.conf.firewall'  y/n?
just in case someone has customised the file locally, and needs to either reinstall unbound or explicitly DISABLE/ENABLE the DNS Firewall (unlikely I know ;))
People shouldn't create the unbound.conf.firewall, they should update the rpzsites and let it generate that file. :)
 
Thanks @Martineau .

When I review the unbound.conf file now, the RPZ block at the end is commented out. Do we need to uncomment for firewall functionality?
No.

'unbound_manager' has now deprecated the static DNS Firewall commented block in favour of the more flexible
Code:
include: "/opt/share/unbound/configs/unbound.conf.firewall"        # Custom DNS Firewall
 
No.

'unbound_manager' has now deprecated the static DNS Firewall commented block in favour of the more flexible
Code:
include: "/opt/share/unbound/configs/unbound.conf.firewall"        # Custom DNS Firewall

And that file is automatically generated from rpzsites file now during install of DNS Firewall option. No need to create that file.
 
No.

'unbound_manager' has now deprecated the static DNS Firewall commented block in favour of the more flexible
Code:
include: "/opt/share/unbound/configs/unbound.conf.firewall"        # Custom DNS Firewall
If all you have is configs in this directory, you could just make one solid directory and define it with a single line in the unbound.conf file
Code:
include: "/opt/share/unbound/configs/*"
This directory could include anything from AdBlock to DNSFirewall to user custom configs.

It would be a very flexible option to just be an exclusive directory for .conf files. You would never have to worry about uncommenting and commenting it, as it would be solely for .conf additions.

Or you could require the * to be followed by .conf if you wanted.

Code:
include: "/opt/share/unbound/configs/*.conf"
 
Just very basic two questions

1. What benefits does this firewall ON add when someone has Skynet already working?

2. How can one compare the snappiness of the unbound recursive DNS methodology with common public DNS like Cloudflare or ISP-provided ones?
 
1). Skynet is doing something else. The lists for this firewall are the currently active malware DNS in the last 15 minutes. :)

2). ISP is like clamping a ball and chain to your ankle to go swimming. Cloudflare can be fast, but only as fast as your connection type allows (cable/DSL/satellite or even Fibre). Unbound is as fast for the first 'reach' into the 'net. After that? Webpages within the same websites you've just visited just magically appear (I love to read, no video/audio, etc. - too slow to ingest those formats.)
 
What used to be a lean, mean recursive DNS SERVER now seems to have evolved into a bloated mess. No matter what I try, amtm will not install unbound. Keep getting errors and I am unable to resolve them. Oh well, it was good while it lasted. Back to Quad9.
 
What used to be a lean, mean recursive DNS SERVER now seems to have evolved into a bloated mess. No matter what I try, amtm will not install unbound. Keep getting errors and I am unable to resolve them. Oh well, it was good while it lasted. Back to Quad9.
Depending on how much you've done to your router, i.e. jumping from built-in DoT and Unbound, you might have to reset and start from scratch. I know I did. I'm currently on DoT but will def try unbound again. It's come a long way.
 
