Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[ugandy]

...hopefully it's an improvement on having to manually update the VPN Gateway IP - perhaps it's now ready for 'Easy' menu mode users?

in my case, i was missing the /jffs/scripts/openvpn-event file, that i was able to create, after searching the forum on the topic of vpn events. other than that , with the latest hotfix, works great thanks!
[edit] i also added:
/opt/etc/syslog-ng.d/openvpn and /opt/etc/logrotate.d/openvpn for easier event tracking
[edit2]
i'd say that to add this to the easy menu, maybe the creation of these scripts needs to be automated

 

[SuperDuke]

My understanding is that unbound DNS over VPN does NOT use the DNS of the VPN provider. But it uses a configured VPN Client to communicate with the severs for performing recursive DNS within unbound. So ISP in not able to sniff this DNS traffic - lets say not that easy...
I like the advantage of this setup to use also DNS-chache, the DNS-firewall and the DNS-adblock installed within my router - and not to be dependent on the DNS provided by the VPN provider. But for sure you need login credentials to have a running VPN Client...
I now that in this way I am leaking my WAN IP at DNS-leak test, but I my understanding is that I leak this information to single web-pages, not to one single ISP who knows already a lot of my personal data... But it depends on the aim of usage...

Thank you Chris. But how do you configure the VPN service then? I think this is the step I'm clearly missing.....do you set it up via the OpenVPN client in the firmware GUI? That's the only place I could think where login information is added....and if that's true, then can't you just set the VPN client DNS setting to use unbound/router anyway?

thanks again....

 

[Chris0815]

in my case, i was also missing the /jffs/scripts/openvpn-event file, that i was able to create, after searching the forum on the topic of vpn events. other than that , with the latest hotfix, works great thanks!

same step for me that had to be taken...

 

[ugandy]

Thank you Chris. But how do you configure the VPN service then? I think this is the step I'm clearly missing.....do you set it up via the OpenVPN client in the firmware GUI? That's the only place I could think where login information is added....and if that's true, then can't you just set the VPN client DNS setting to use unbound/router anyway?

thanks again....

correct. you need to have a valid vpn client already defined and running, before telling unbound to use it, to tunnel its queries to root servers.

 

[Chris0815]

Thank you Chris. But how do you configure the VPN service then? I think this is the step I'm clearly missing.....do you set it up via the OpenVPN client in the firmware GUI? That's the only place I could think where login information is added....and if that's true, then can't you just set the VPN client DNS setting to use unbound/router anyway?

thanks again....

Yes - I have set up the VPN Client in the GUI. Regarding DNS, there is a line called "Accept DNS Configuration". Use the dropdown and choose "Disabled". Thats it regarding VPN Client configuration in the GUI. So the DNS is not accepted from the VPN provider - if unbound is configured correct so far, DNS will still be done by unbound, even using the VPN to correspond directly with the DNS-root-servers.

 

[SuperDuke]

correct. you need to have a valid vpn client already defined and running, before telling unbound to use it, to tunnel its queries to root servers.

Thank you....

So if that's the case, how does setting this up in unbound differ from simply setting the 'Accept DNS configuration' to Disabled in the VPN Client?

Doesn't the above force the router to use the defined DNS config (in the case of unbound then itself?)

 

[SuperDuke]

Yes - I have set up the VPN Client in the GUI. Regarding DNS, there is a line called "Accept DNS Configuration". Use the dropdown and choose "Disabled". Thats it regarding VPN Client configuration in the GUI. So the DNS is not accepted from the VPN provider - if unbound is configured correct so far, DNS will still be done by unbound, even using the VPN to correspond directly with the DNS-servers.

Haha...your response beat me to it! So if that is the setup, why do you need to configure the VPN server in unbound?

 

[ugandy]

Thank you....

So if that's the case, how does setting this up in unbound differ from simply setting the 'Accept DNS configuration' to Disabled in the VPN Client?

Doesn't the above force the router to use the defined DNS config (in the case of unbound then itself?)

it's not using the vpn dns servers, it's just using the vpn tunnel to send out unbound traffic with dns root servers

 

[figorr]

Can you show the output of the command

cru l

This is what I am getting

ASUSWRT-Merlin RT-AX88U 384.16_0 Sun Apr 5 17:38:13 UTC 2020
admin@JUANDOASUS:/tmp/home/root# cru l
00 2 * * Fri sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
20 5 * * * sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#
25 17 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
15 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
54 */12 * * * sh /jffs/scripts/firewall debug genstats #Skynet_genstats#
0 * * * * /jffs/scripts/uiDivStats generate #uiDivStats#
5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf >> /opt/tmp/logrotate.daily 2>&1 #logrotate#
30 3 * * * /jffs/scripts/FreshJR_QOS -check #FreshJR_QOS#

I checked Unbound and the last update was this morning ... when I pushed the manual updated for the stats.

 

[SuperDuke]

it's not using the vpn dns servers, it's just using the vpn tunnel to send out unbound traffic with dns root servers

Thank you again....understood.....but if you set DNS config to disabled, wouldn't unbound traffic use the VPN tunnel anyway if the VPN is enabled and the VPN server is not defined in the unbound config?
Sorry for the basic questions...

 

[Chris0815]

Haha...your response beat me to it! So if that is the setup, why do you need to configure the VPN server in unbound?

The difference is the outgoing interface (only referring to DNS itself, not to the IP during surfing the Internet):

Normal way is that unbound uses the IP of the Router to communicate to the root-servers. In my case 192.168.1.1. I have defined in the GUI that the Router communicates via WAN, not VPN.
So querries to the DNS-root servers are performed via WAN.
Even if you use a VPN Client to hide the IP during surfing.

Using the VPN feature in unbound sends the DNS-traffic to the root-severs through the VPN (defined outgoing interface). So in that configuration the ISP will not see it.

IP for Surfing the web is still the same in both ways if VPN-Client is activated in the GUI.

 

[dave14305]

The difference is the outgoing interface (only referring to DNS itself, not to the IP during surfing the Internet):

Normal way is that unbound uses the IP of the Router to communicate to the root-servers. In my case 192.168.1.1. I have defined in the GUI that the Router communicates via WAN, not VPN.
So querries to the DNS-root servers are performed via WAN.
Even if you use a VPN Client to hide the IP during surfing.

Using the VPN feature in unbound sends the DNS-traffic to the root-severs through the VPN (defined outgoing interface). So in that configuration the ISP will not see it.

IP for Surfing the web is still the same in both ways if VPN-Client is activated in the GUI.

Officially, if not specified, unbound will use all available interfaces for outbound queries, so you might occasionally see a query go out the VPN client, but not guaranteed. By limiting outgoing-interfaces to the VPN client interface, you prevent queries from going out the WAN ISP interface. I don't have a VPN client to validate this assertion, FWIW.

 

[Chris0815]

juched, Regarding the advanced statistics, I get the following picture. If I look to the posts in this thread, it seems that I missed something.

I installed the GUI again, changed the logs in the unbound.config and did a restart of unbound.
Here also my configuration regarding logs, I tried even to activate everything but no effect until now...

#########################################
# integration LOG's
#
#verbosity: 1                               # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-tag-queryreply: yes                     # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
log-queries: yes
log-replies: yes
#use-syslog: yes                            # v1.02 @Martineau Let scribe/syslog-ng handle the log as it gets erased daily if Ad Block enabled :-(
log-local-actions: yes                     # v1.02 @Martineau ('yes' required for @juched's Graphical Ad Block statistics)
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

Any idea what I can change?

 

[SuperDuke]

The difference is the outgoing interface (only referring to DNS itself, not to the IP during surfing the Internet):

Normal way is that unbound uses the IP of the Router to communicate to the root-servers. In my case 192.168.1.1. I have defined in the GUI that the Router communicates via WAN, not VPN.
So querries to the DNS-root servers are performed via WAN.
Even if you use a VPN Client to hide the IP during surfing.

Using the VPN feature in unbound sends the DNS-traffic to the root-severs through the VPN (defined outgoing interface). So in that configuration the ISP will not see it.

IP for Surfing the web is still the same in both ways if VPN-Client is activated in the GUI.

So by rights, you could (theoretically), setup the VPN client, force no (or any number of them via the policy rules) devices to use the VPN tunnel itself but have unbound send requests via the tunnel for all requests??? (if the outbound server IP address is set in the .conf file). Interesting....(if I have finally wrapped my head around it all...haha).....thanks again

 

[Chris0815]

So by rights, you could (theoretically), setup the VPN client, force no (or any number of them via the policy rules) devices to use the VPN tunnel itself but have unbound send requests via the tunnel for all requests??? (if the outbound server IP address is set in the .conf file). Interesting....(if I have finally wrapped my head around it all...haha).....thanks again

Yes - a lot of different possibilities feasible - you can choose according your needs.
That is what I really learned to like during the last weeks getting experienced with all that stuff. Amazing! And even that a Noob like me is able to do so - for sure, only with a litte help here in that forum...

 

[ARKASHA]

Then yes, you would expect a lot of problems if your WAN DNS is not set to Automatic and you erase the 2 fields. Populate those fields or change it back to Automatic. Unbound manager will take care of “disconnecting” dnsmasq from these values once Unbound is up and running.

You must have gone through nvram to erase those since the GUI won’t allow it.

Please can you explain the right procedur as I miss "WAN Dns automatic setting?

 

[ugandy]

@Martineau another behavior i've experienced:
after updating with 'u', queries stop being logged until i do 'rs' (unbound is up after 'u', just not logging)

 

[Martineau]

@Martineau another behavior i've experienced:
after updating with 'u', queries stop being logged until i do 'rs' (unbound is up after 'u', just not logging)

When using the 'u' command, only the 'unbound_manager.sh' file is downloaded, and the current executing 'unbound_manager.sh' script then (silently) uses the new version.
EDIT: Ahh...the switch should be transparent but the menu mode can actually visibly switch back to the default menu mode (Fixed in next release )

If you are saying that this action causes 'unbound.conf' to be altered then can you please provide a before and after (DIFF) list of the changed directives.

 

[ugandy]

When using the 'u' command, only the 'unbound_manager.sh' file is downloaded, and the current executing 'unbound_manager.sh' script then (silently) uses the new version.

If you are saying that this action causes 'unbound.conf' to be altered then can you please provide a before and after (DIFF) list of the changed directives.

unbound.conf is not altered by 'u'.
but i won't see any further queries reported in unbound.log unless i do 'rs'
doesn't make sense since only the unbound_manager.sh script is changed. but it happened twice.
i'll keep observing to confirm. maybe I misread the situation. will report back on next update.
thx

 

[Martineau]

unbound.conf is not altered by 'u'.
but i won't see any further queries reported in unbound.log unless i do 'rs'
doesn't make sense since only the unbound_manager.sh script is changed. but it happened twice.
i'll keep observing to confirm. maybe I misread the situation.

will report back on next update.

You don't have to wait.... you can force the script update..

e  = Exit Script [?]

A:Option ==> uf