Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

I did quickly post the solution (as identified by others) here, but I can't be held responsible for the Entware fiasco through your use of amtm. :(

Well thanks for this overwhelmingly disappointing expression of support for my efforts :rolleyes: ;.... yet another reason to throw in the towel and delete my posts and remove such offending scripts.

Good luck with Quad9 etc.

Regards,

I do owe you an apology for my comments. I was tired and what used to be a simple install in AMTM was broken. No fault of yours as I now know. Soon after that post, my searches finally returned a solution and I am back up and running happily with Unbound. As far as the “bloated” comment, that was only out of frustration as all I want from Unbound is a local recursive DNS server and none of the “extras” other people want. I am not casting aspersions on those that do, it’s just not what I want. Please continue your work on Unbound and disregard Old Farts like me. :)
 
Personal opinions are what they are.....but your integrity is refreshing, and although I didn't solicit an apology, it is cordially accepted.:)
 
Enabling the firewall resets the cache.
Can you please provide corroborating diagnostics rather than just the terse uncorroborated statement.
 
This happens when I disable the DNS firewall.
 

OK, thanks for the screenshot detailing the precise error.

So actually unbound fails to restart after the DNS Firewall is DISABLED which is the root cause, and the situation is not helped by the error message advising use of unavailable commands. :oops::oops::oops:

I've pushed v3.04 md5=7d94e03ecd12dc773232bd9265c06325

P.S. Technically it was never a cache save/restore issue. ;)
 
@Martineau or anyone that might know, can we use unbound while also using a VPN (in my case I use PIA)? I thought I read thru some of the comments previously stated here in the past and it seems there's mixed reactions. I use a VPN on my router full time and maybe the Q&A can be updated to reflect correctly.

I think I read previously that unbound was not good to use if someone runs a VPN all the time. Maybe it was mentioned on the other unbound thread but I can be wrong.

Thanks!
 
You shouldn't believe everything you read on the Internet;)

Once upon a time.... ha!:p

Of course you can use unbound with a permanently running VPN.

unbound will always use the WAN but be unencrypted (i.e. ISP snooping), and your LAN nominated Selective Routing devices can either use the VPN ISP's DNS (EXCLUSIVE) or unbound.

The only thing that is new is that (optionally) unbound is also capable of sending its requests through the VPN tunnel to prevent ISP snooping, but I doubt many have used the option within unbound_manager as it is experimental.
 
I wanted to pass some basic optimization tips for Unbound to the group. A more detailed description can be found here.
Setting the outgoing-range and num-queries-per-thread parameters properly will depend on your router's cores. In my case with an RT86U I have set them to the values below, following the included document.

outgoing-range: 450
num-queries-per-thread: 225


Next is the outgoing and incoming TCP buffers per thread. Default is 10 but you can certainly experiment with large values like 15 or 20. No need to go crazy above 100 on the router. If you had a PC running Unbound with lots of users, that value should be much larger. In my case I left it at default.

outgoing-num-tcp: 10
incoming-num-tcp: 10


Next are the ports. It is a good practice to specify what range of ports Unbound is going to use. Give it a wide range if you can above port 1024. If you have some devices on your LAN like Plex for example or you forward some ports on your router you should list them in outgoing-port-avoid parameter just to make sure there are no conflicts.

outgoing-port-avoid: <ports separated by comma>
outgoing-port-permit: <your port range>

If you have any additional optimization tips for the group please share :)
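As an added example (my own code, not the thread's or unbound_manager's), here is a Python checker for the three items in the post above: it parses a server: section of unbound.conf, compares outgoing-range and num-queries-per-thread with a per-core sizing rule, and works out which source ports Unbound is left with after the outgoing-port-permit / outgoing-port-avoid directives so you can see whether any forwarded port is still exposed to a conflict. Assumptions: the sizing rule (outgoing-range = 1024/threads - 50 when Unbound is built without libevent, num-queries-per-thread = half of that) is taken from Unbound's optimisation howto rather than from this thread; the starting port set is approximated as 1024-65535 (Unbound's real default also leaves out IANA-assigned ports); the sample config and the forwarded-port list are constructed. Permit and avoid directives are applied in file order, as unbound.conf(5) documents, with one port or range per directive.

```python
"""Sanity-check outgoing-range / num-queries-per-thread and the outgoing
port directives of an unbound.conf server: section.

Added example, not unbound_manager's code. Assumptions: the sizing rule
(outgoing-range = 1024/threads - 50 without libevent, num-queries-per-thread
= half of that) is taken from Unbound's optimisation howto; the starting port
set is approximated as 1024-65535 (Unbound's real default also excludes
IANA-assigned ports); permit/avoid directives are applied in file order.
"""
import re

# Constructed example config, using the RT86U values posted above.
# unbound.conf(5) form: one port or range per directive, repeated as needed.
SAMPLE_CONF = """\
server:
    num-threads: 1
    outgoing-range: 450
    num-queries-per-thread: 225
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    outgoing-port-avoid: 0-65535         # clear the default set first ...
    outgoing-port-permit: 10000-65535    # ... then allow only this range
    outgoing-port-avoid: 32400           # Plex (constructed LAN service)
    outgoing-port-avoid: 51413-51414     # constructed port forwards
"""

# Constructed list of ports the router forwards / LAN services listen on.
FORWARDED_PORTS = [32400, 51413, 51820]


def parse_server_options(conf_text):
    """Return (key, value) pairs in file order; comments and the bare
    'server:' header are dropped."""
    options = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if sep and value.strip():
            options.append((key.strip(), value.strip()))
    return options


def parse_port_spec(spec):
    """'32400' -> range(32400, 32401); '51413-51414' -> range(51413, 51415)."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec)
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {spec!r}")
    return range(lo, hi + 1)


def effective_outgoing_ports(options):
    """Source ports Unbound may use for upstream queries: start from the
    (approximated) default set, then add permits and subtract avoids in order."""
    ports = set(range(1024, 65536))
    for key, value in options:
        if key == "outgoing-port-permit":
            ports |= set(parse_port_spec(value))
        elif key == "outgoing-port-avoid":
            ports -= set(parse_port_spec(value))
    return ports


def forwarded_port_conflicts(conf_text, forwarded_ports):
    """Forwarded/LAN-service ports Unbound could still pick as a source port."""
    allowed = effective_outgoing_ports(parse_server_options(conf_text))
    return sorted(p for p in forwarded_ports if p in allowed)


def recommended_ranges(threads, libevent=False):
    """Sizing rule from the howto (assumption, see module docstring)."""
    outgoing = 8192 if libevent else 1024 // threads - 50
    return {"outgoing-range": outgoing, "num-queries-per-thread": outgoing // 2}


def tuning_report(conf_text, threads, libevent=False):
    """Map each sizing key to (configured value, recommended value)."""
    configured = dict(parse_server_options(conf_text))
    return {key: (int(configured.get(key, 0)), rec)
            for key, rec in recommended_ranges(threads, libevent).items()}


if __name__ == "__main__":
    print(tuning_report(SAMPLE_CONF, threads=2))
    print("ports still open to conflict:",
          forwarded_port_conflicts(SAMPLE_CONF, FORWARDED_PORTS))
```

With the constructed config the report flags port 51820: it is forwarded but never avoided, so it is still inside the permitted 10000-65535 range. The avoid-everything-then-permit ordering is what actually restricts Unbound to a range; a permit on its own only adds to the default set.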

 
On the router we are using forked operation, so follow the bottom section.

The default seems to be 960, which seems to be in line with forked operation recommendation.
 
Can you please provide corroborating diagnostics rather than just the terse uncorroborated statement.
When I enable the DNS firewall, unbound is restarting, resulting in losing the cache. When I lookup the statistics after enabling the DNS firewall, they are back to 0.
But I guess this has to be so.
No big deal, thank you for your work.
 
The only thing that is new is that (optionally) unbound is also capable of sending its requests through the VPN tunnel to prevent ISP snooping, but I doubt many have used the option within unbound_manager as it is experimental.

I would like to test the VPN tunnel with unbound. How can I setup?
 
Just to show my low Linux knowledge, where to put these values and where to specify ports? I've a whole lot of port forwards in my list.
 
Another thing I noticed in unbound_conf:
During the installation of unbound, I chose to also use the CPU/Memory tweaks.
I thought, this would set the number of threads according to the CPU cores a router has.
Now, I have a router with 1 CPU and 2 cores, but in unbound_config, I see num-threads=1.
Do I have to manually set this to 2?
Or leave this setting be? I guess, unbound is only one process? So this setting is irrelevant?
 
I would leave it as 1. That would be optimal for you.
 
When I enable the DNS firewall, unbound is restarting, resulting in losing the cache. When I lookup the statistics after enabling the DNS firewall, they are back to 0.
Can you please provide evidence?

i.e. Show the cache stats before the unbound restart
Code:
e  = Exit Script [?]

A:Option ==> s

total.num.queries=105172            total.num.expired=5080              total.requestlist.exceeded=0            total.tcpusage=0
total.num.queries_ip_ratelimited=0  total.num.recursivereplies=4631     total.requestlist.current.all=0         msg.cache.count=3768
total.num.cachehits=100541          total.requestlist.avg=0.819419      total.requestlist.current.user=0        rrset.cache.count=9193
total.num.cachemiss=4631            total.requestlist.max=19            total.recursion.time.avg=0.116197       infra.cache.count=3802
total.num.prefetch=6688             total.requestlist.overwritten=0     total.recursion.time.median=0.0538986   key.cache.count=409

Summary: Cache Hits success=95.00%
Now exit unbound_manager,
Code:
e  = Exit Script [?]

A:Option ==> e
and invoke it with debug trace,
Code:
sh -x /jffs/addons/unbound/unbound_manager.sh
and restart unbound either explicitly with the 'rs' command (or via a DNS Firewall action)
Code:
e  = Exit Script [?]

A:Option ==> rs
then check the cache stats again
Code:
e  = Exit Script [?]

A:Option ==> s

total.num.queries=108               total.num.expired=0                 total.requestlist.exceeded=0            total.tcpusage=0
total.num.queries_ip_ratelimited=0  total.num.recursivereplies=24       total.requestlist.current.all=0         msg.cache.count=952
total.num.cachehits=84              total.requestlist.avg=2.28571       total.requestlist.current.user=0        rrset.cache.count=4651
total.num.cachemiss=24              total.requestlist.max=13            total.recursion.time.avg=0.243672       infra.cache.count=3803
total.num.prefetch=4                total.requestlist.overwritten=0     total.recursion.time.median=0.157286    key.cache.count=28

Summary: Cache Hits success=77.00%
and please post the output.
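As an added example (my own code, not unbound_manager's), here is a small Python parser for the statistics dumps in the procedure above. It reads the name=value pairs whatever the column layout, recomputes the Summary hit percentage, and tells a counter reset (unbound process restarted) apart from an emptied cache: the total.* counters belong to the running process, while msg.cache.count and rrset.cache.count show what the restored cache actually holds. The three dumps are a subset of the figures quoted on this page (the before and 'rs' dumps above, and the post-firewall dump posted later in the thread). Caveat, from the unbound-control manual rather than this thread: plain `unbound-control stats` zeroes the total.* counters on every read, so compare dumps taken with `unbound-control stats_noreset`; the *.cache.count values are gauges and are not cleared by reading them.

```python
"""Parse unbound 'stats' dumps and tell a counter reset (process restarted)
apart from an emptied cache.

Added example, not unbound_manager's code. The dumps are a subset of the
fields quoted on this page. Caveat: plain `unbound-control stats` zeroes the
total.* counters on every read; use `stats_noreset` for before/after pairs.
"""
import re

STAT_RE = re.compile(r"([A-Za-z_.]+)=(-?[0-9.]+)")

# Dump before the restart (figures from the post above).
BEFORE = """\
total.num.queries=105172  total.num.expired=5080  msg.cache.count=3768
total.num.cachehits=100541  total.num.cachemiss=4631  rrset.cache.count=9193
"""
# Dump after 'rs' (figures from the post above): counters restarted, cache restored.
AFTER_RS = """\
total.num.queries=108  total.num.expired=0  msg.cache.count=952
total.num.cachehits=84  total.num.cachemiss=24  rrset.cache.count=4651
"""
# Dump posted after enabling the DNS Firewall: counters at zero, caches populated.
AFTER_FIREWALL = """\
total.num.queries=0 total.num.prefetch=0 msg.cache.count=1011
total.num.cachehits=0 total.num.recursivereplies=0 rrset.cache.count=5580
total.num.cachemiss=0 total.requestlist.avg=0 key.cache.count=0
"""


def parse_stats(text):
    """Return {name: float} from 'name=value' pairs, whatever the column layout."""
    return {name: float(value) for name, value in STAT_RE.findall(text)}


def cache_hit_percent(stats):
    """Hit ratio as the Summary line prints it: a whole-percent figure
    (95.00% for 100541/105172, 77.00% for 84/108), 0 before any query."""
    queries = stats.get("total.num.queries", 0.0)
    if queries == 0:
        return 0.0
    return float(int(stats.get("total.num.cachehits", 0.0) * 100 / queries))


def counters_reset(before, after):
    """total.* counters only grow within one unbound process; going backwards
    means the process restarted (or the counters were read with plain 'stats')."""
    return after.get("total.num.queries", 0.0) < before.get("total.num.queries", 0.0)


def cache_emptied(after):
    """True only when neither the message nor the rrset cache holds anything."""
    return (after.get("msg.cache.count", 0.0) == 0
            and after.get("rrset.cache.count", 0.0) == 0)


def restart_report(before_text, after_text):
    """Summarise what a before/after pair of dumps actually shows."""
    before, after = parse_stats(before_text), parse_stats(after_text)
    return {
        "hit_pct_before": cache_hit_percent(before),
        "hit_pct_after": cache_hit_percent(after),
        "counters_reset": counters_reset(before, after),
        "cache_emptied": cache_emptied(after),
        "msg_cache_entries": (int(before["msg.cache.count"]),
                              int(after["msg.cache.count"])),
    }


if __name__ == "__main__":
    for label, after in (("rs", AFTER_RS), ("DNS Firewall", AFTER_FIREWALL)):
        print(label, restart_report(BEFORE, after))
```

Run against the post-firewall dump, the report says counters_reset=True but cache_emptied=False with 1011 message-cache entries: the statistics went back to zero because a new unbound process is counting, not because the cache was lost.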
 
Here is a screenshot of the statistics before.
A screenshot of "rs" does not work.
And the code and statistics (open spoiler) after the firewall restart. (didn't fit all in one screenshot)
Maybe I understand something wrong with cache?
Edit:
And why are the attached screenshots so small after uploading to snb?
unbound (pid 12082) is running... uptime: 0 Days, 06:46:33 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Fri Apr 17 23:40:00 DST 2020)

1 = Update unbound files and configuration
2 = Remove unbound/unbound_manager
3 = Stop unbound
4 = Show unbound statistics
5 = Install Ad and Tracker blocker (Ad Block)
6 = Install Graphical Statistics GUI Add-on TAB
7 = Enable DNS Firewall

? = About Configuration
v = View ('/opt/var/lib/unbound/'unbound.conf)

e = Exit Script [?]

E:Option ==> 7

Do you want to enable DNS Firewall?

Reply 'y' or press [Enter] to skip
y
unbound_rpz.sh downloaded successfully
Custom '/opt/share/unbound/configs/rpzsites' already exists - 'rpzsites' download skipped

Created startup hook in services-start.
Created cron job.
Creating new unbound.conf.firewall file.
(unbound_rpz.sh): 27269 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.

######################################################################## 100.0%
Adding zone rpz.urlhaus.abuse.ch to unbound.conf.firewall.
Installed.
Adding 'include: "/opt/share/unbound/configs/unbound.conf.firewall" '/opt/var/lib/unbound/unbound.conf'

unbound DNS Firewall ENABLED

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

Shutting down unbound... done.
Starting unbound... done.

Checking status, please wait..... unbound OK

Router Configuration recommended pre-reqs status:

[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Enable local NTP server=YES
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO

Options:

[✔] unbound CPU/Memory Performance tweaks
[✔] unbound-control FAST response ENABLED
[✔] DNS Firewall ENABLED



unbound (pid 27399) is running... uptime: 0 Days, 00:00:09 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Fri Apr 17 23:40:00 DST 2020)

1 = Update unbound files and configuration
2 = Remove unbound/unbound_manager
3 = Stop unbound
4 = Show unbound statistics
5 = Install Ad and Tracker blocker (Ad Block)
6 = Install Graphical Statistics GUI Add-on TAB
7 = Disable DNS Firewall [?]

? = About Configuration
v = View ('/opt/var/lib/unbound/'unbound.conf)

e = Exit Script [?]

E:Option ==> 4

total.num.queries=0 total.num.prefetch=0 total.requestlist.max=0 total.requestlist.current.user=0 msg.cache.count=1011
total.num.queries_ip_ratelimited=0 total.num.expired=0 total.requestlist.overwritten=0 total.recursion.time.avg=0.000000 rrset.cache.count=5580
total.num.cachehits=0 total.num.recursivereplies=0 total.requestlist.exceeded=0 total.recursion.time.median=0 infra.cache.count=0
total.num.cachemiss=0 total.requestlist.avg=0 total.requestlist.current.all=0 total.tcpusage=0 key.cache.count=0

Summary: Cache Hits success=0.00%


unbound (pid 27399) is running... uptime: 0 Days, 00:00:14 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Fri Apr 17 23:40:00 DST 2020)

1 = Update unbound files and configuration
2 = Remove unbound/unbound_manager
3 = Stop unbound
4 = Show unbound statistics
5 = Install Ad and Tracker blocker (Ad Block)
6 = Install Graphical Statistics GUI Add-on TAB
7 = Disable DNS Firewall [?]

? = About Configuration
v = View ('/opt/var/lib/unbound/'unbound.conf)

e = Exit Script [?]

E:Option ==>
 

I would like to test the VPN tunnel with unbound. How can I setup?
Check the VPN config in 'unbound.conf' (or use 'v')
Code:
grep VPN /opt/var/lib/unbound/unbound.conf

#outgoing-interface: xxx.xxx.xxx.xxx        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP
Check VPN status
Code:
ip route show | grep tun1
Start unbound_manager and request the VPN

e.g. VPN Client 1
Code:
e  = Exit Script [?]

A:Option ==> vpn 1

Option Auto Reply 'y'
 unbound requests via VPN Client  tunnel ENABLED

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

 Shutting down unbound...              done.
 Starting unbound...              done.
'unbound.conf' entry should show VPN IP address
Code:
grep VPN /opt/var/lib/unbound/unbound.conf

outgoing-interface: 100.120.223.42        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP
To reset unbound to the WAN
Code:
e  = Exit Script [?]

A:Option ==> vpn disable

 unbound requests via VPN Client tunnel DISABLED

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

 Shutting down unbound...              done.
 Starting unbound...              done.
 
