Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Safemode]

Thanks, is ratelimit and ip-ratelimit basically the same? Also, I noticed your not using serve-expired-ttl, correct.

Correct for serve-expired-ttl, i don't find it to be necessary. In my opinion ip-ratelimit is too agressive at this given time so i leave it at default.

       ratelimit: <number or 0>
            Enable  ratelimiting  of queries sent to nameserver for performing
            recursion.  If 0, the default, it is  disabled.   This  option  is
            experimental at this time.  The ratelimit is in queries per second
            that are allowed.  More queries are  turned  away  with  an  error
            (servfail).   This stops recursive floods, eg. random query names,
            but not spoofed reflection floods.  Cached responses are not rate-
            limited  by  this setting.  The zone of the query is determined by
            examining the nameservers for it, the zone name is  used  to  keep
            track  of  the rate.  For example, 1000 may be a suitable value to
            stop the server from being overloaded with random names, and keeps
            unbound from sending traffic to the nameservers for those zones.

       ip-ratelimit: <number or 0>
            Enable global ratelimiting of queries accepted per ip address.  If
            0, the default, it is disabled.  This option  is  experimental  at
            this  time.   The  ratelimit  is  in  queries  per second that are
            allowed.  More queries are completely dropped and will not receive
            a  reply,  SERVFAIL  or otherwise.  IP ratelimiting happens before
            looking in the cache. This may be useful for mitigating amplifica-
            tion attacks.

 

[Centrifuge]

This configuration is running smooth on my asus rt-ac3200

Any adjustments for trying these on the RT-AC86U?

 

[Kingp1n]

Any adjustments for trying these on the RT-AC86U?

I'm tryin Safemode settings now on AX88U. They sld be universal, I hope haha. No issues yet!

 

[Deleted member 62525]

Here are my stats

total.num.queries=24776 total.requestlist.avg=1.21784 total.recursion.time.median=0.196409
total.num.queries_ip_ratelimited=0 total.requestlist.max=17 total.tcpusage=0
total.num.cachehits=23379 total.requestlist.overwritten=0 msg.cache.count=2666
total.num.cachemiss=1397 total.requestlist.exceeded=0 rrset.cache.count=7566
total.num.prefetch=733 total.requestlist.current.all=0 infra.cache.count=1990
total.num.expired=708 total.requestlist.current.user=0 key.cache.count=376
total.num.recursivereplies=1397 total.recursion.time.avg=0.341286
Summary: Cache Hits success=94.00%


and unbounbd.conf

# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 1200 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 3600
so-reuseport: yes
outgoing-range: 450
num-queries-per-thread: 225
outgoing-num-tcp: 10
incoming-num-tcp: 10
outgoing-port-avoid: a,b,c

ip-ratelimit: 0 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default
#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################
# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

 

[juched]

Correct for serve-expired-ttl, i don't find it to be necessary. In my opinion ip-ratelimit is too agressive at this given time so i leave it at default.

       ratelimit: <number or 0>
            Enable  ratelimiting  of queries sent to nameserver for performing
            recursion.  If 0, the default, it is  disabled.   This  option  is
            experimental at this time.  The ratelimit is in queries per second
            that are allowed.  More queries are  turned  away  with  an  error
            (servfail).   This stops recursive floods, eg. random query names,
            but not spoofed reflection floods.  Cached responses are not rate-
            limited  by  this setting.  The zone of the query is determined by
            examining the nameservers for it, the zone name is  used  to  keep
            track  of  the rate.  For example, 1000 may be a suitable value to
            stop the server from being overloaded with random names, and keeps
            unbound from sending traffic to the nameservers for those zones.

       ip-ratelimit: <number or 0>
            Enable global ratelimiting of queries accepted per ip address.  If
            0, the default, it is disabled.  This option  is  experimental  at
            this  time.   The  ratelimit  is  in  queries  per second that are
            allowed.  More queries are completely dropped and will not receive
            a  reply,  SERVFAIL  or otherwise.  IP ratelimiting happens before
            looking in the cache. This may be useful for mitigating amplifica-
            tion attacks.

First one seems to limit the rate in which requests are passed through to the underlying nameservers, and the second is how many queries can be done by an IP on the network. They are on different ends of the requry request process as I see it.

 

[Chris0815]

juched, Martineau, there is something strange with the logging in unbound:
Currently I am running unbound manager 3.06 dev with juched "sgui dev". The problem is that logging and also live-logging works fine until XX:57 every hour. Then it suddenly stops - nothing more is logged. I watched live-log during this time and the log gets cleaned up so that the following line is the last line in the log:

Apr 23 14:25:39 unbound[28089:0] info: generate keytag query _ta-4f66. NULL IN

But from that time on, no more logging is done. But unbound_manager still states logging activated and and unbound.config still states "verbosity 1" without "'#" at the beginning.
Is this related to the cron:

57 * * * * /jffs/addons/unbound/unbound_log.sh #Unbound_Log.sh#

 

[bluzfanmr1]

You don’t happen to have num-threads > 1 do you? If you do then as I understand it bounces between them meaning you have two separate caches meaning it is harder to get cache hits higher.

It's at 1. Awhile back I tried 2 since I have a dual core router but as you say, cache hits were even lower with that setting.

 

[dave14305]

juched, Martineau, there is something strange with the logging in unbound:
Currently I am running unbound manager 3.06 dev with juched "sgui dev". The problem is that logging and also live-logging works fine until XX:57 every hour. Then it suddenly stops - nothing more is logged. I watched live-log during this time and the log gets cleaned up so that the following line is the last line in the log:

Apr 23 14:25:39 unbound[28089:0] info: generate keytag query _ta-4f66. NULL IN

But from that time on, no more logging is done. But unbound_manager still states logging activated and and unbound.config still states "verbosity 1" without "'#" at the beginning.
Is this related to the cron:

57 * * * * /jffs/addons/unbound/unbound_log.sh #Unbound_Log.sh#

There might need to be a "unbound-control log_reopen" command after the sed on the non-syslog-ng logfile.

 

[ugandy]

@Martineau

error on my route-up script execution:

(unbound_manager.sh): 21448 ***ERROR Invalid arg 'delay=10' - must in range 1-99


changed to "delay=9" to work around error

 

[Martineau]

I've uploaded v3.06

Version=3.06
Github md5=c98f949b718a7ba4974371c02745a625​

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' **Not required**

FIX:     Subsequent CTRL-C now honoured after 'l' command log viewing CTRL-C exit, and will now correctly release the lockfile.
FIX:     'u' command deletes 'unbound_manager.sh' if cURL download fails due to GitHub being DOWN!!!!
FIX:     'vpn=X delay=XX' arg doesn't accept value in range 10-99' - @ugandy
ADD:     Daily '00:01' cron job to delete the native unbound log file '/opt/var/lib/unbound/unbound.log' if it grows greater than 10MB.
ADD:     Option to explicitly force BIND unbound to only use the WAN interface rather than the default 'ANY' interface (as per the manual) in VPN or Dual-WAN environments Thanks @dave14305
CHANGE:  Rewritten the 'lo/lx' process. see below (mainly affects non-scribe/syslog-ng users)
ADD:     Reinstated 'vh' command to view NLnetLab's 'doc/example.conf.in' for guidance on 'unbound.conf' entries.
         ('i example' can be used to manually refresh file without going thru' the complete installation/update)

The logging command 'lo' now auto opens the log, and both 'lo'/'lx' commands now write eye catchers to the unbound log (see here), and multiple consecutive 'lx' commands no longer add increasing number of '#' characters.

Furthermore, now that there is a fail-safe cron job, both 'lo'/'lx' commands now update 'unbound.conf' so their invocations are now persistent over an unbound restart.

This should remove the user reported confusion, where the '?' command would show logging ENABLED, but 'unbound.conf' seemingly contradicted this (although clearly logging was physically occurring).

Clearly it is perfectly acceptable to have logging ENABLED, but explicitly DISABLE the actual DNS queries/replies (using unbound-control), so the '?' command will now issue an alert.

 [✔] unbound Logging (Warning; DNS Queries/Replies logging is DISABLED)
 [✔] Ad and Tracker Blocking (No. of Adblock domains=63868,Blocked Hosts=0,Whitelist=19)
 [✔] unbound CPU/Memory Performance tweaks
 [✔] Router Graphical GUI statistics TAB installed
 [✔] unbound-control FAST response ENABLED
 [✔] unbound requests force BIND via WAN (xxx.xxx.xxx.xxx) ENABLED
 [✔] DNS Firewall ENABLED

Many thanks to @dave14305 @ugandy & @Chris0815 for beta testing/bug tracking and keeping me honest!

 

[dave14305]

It looks like you pull the wan0 iface name, but hardcode vlan2 in the next statement. Show some love for eth0 people.

 

[Jack Yaz]

It looks like you pull the wan0 iface name, but hardcode vlan2 in the next statement. Show some love for eth0 people.

What about the ppp0 users?

 

[Martineau]

It looks like you pull the wan0 iface name, but hardcode vlan2 in the next statement. Show some love for eth0 people.

It wouldn't be my script if it didn't have my personal quirks hidden within! ...

    [✔] unbound requests force BIND via WAN (xxx.xxx.xxx.xxx) 'vlan2' ENABLED

@dave14305 / @Jack Yaz

Hotfix:

Version=3.06
Github md5=e266a0b8394f2d1e8ccd999a7cee8fb1​

 

[Mutzli]

I tried to activate the firewall feature, but it has only limited use. When someone uses Firefox with FPN it circumvents the block, even with Firefox DNS-over-HTTPS (DoH) DISABLE/Blocker active. I assume because Firefox does a DoH request through Cloudflare and loads the page anyway (49parallel.ca). Is there some other way to have all Firefox requests go through Unbounds firewall?

 

[Chris0815]

I've uploaded v3.06

Great! Would it also make sense to add these new features to the advanced menu? Things like "vpn X", "vh", "scribe"... Would make things easier for me... My capacity regarding memory is very limited...

Update:
Sorry - "vpn X" was still mentioned to be experimental...

 

[Martineau]

Great! Would it also make sense to add these new features to the advanced menu? Things like "vpn X", "vh", "scribe"... Would make things easier for me... My capacity regarding memory is very limited...

Err.... most are already listed under '3 Advanced Tools'....

3  = Advanced Tools                                                 rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                            oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)   s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user4.asp)

e  = Exit Script [?]

A:Option ==> 3

unbound (pid 16934) is running... uptime: 0 Days, 01:43:43 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Thu Apr 23 19:24:36 DST 2020)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')     l  = Show unbound LIVE log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                 v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x  = Stop unbound                                                   vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration
                                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                            oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size                             s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user4.asp)
                                                                    adblock = Install Ad Block [uninstall]
Stubby = Enable Stubby Integration                                  DoT = Enable DNS-over-TLS
                                                                    firewall = Enable DNS Firewall [disable | ?]
scribe = Enable scribe (syslog-ng) unbound logging                  ad = Analyse Diversion White/Black lists ([ file_name [type=adblock] ])
                                                                    ew = Edit Ad Block Whitelist (eb=Blacklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT)  ca = Cache Size Optimisation  ([ 'reset' ])
dig = {domain} [time] Show dig info e.g. dig asciiart.com           lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                        dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links

e  = Exit Script [?]

[Enter] Leave Advanced Tools Menu

e  = Exit Script [?]

A:Option ==>

but I'll add 'vpn'/'bind' since the feature is no longer experimental.

 

[Chris0815]

unbound (pid 10064) is running... uptime: 0 Days, 00:04:33 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Thu Apr 23 22:11:25 CEST 2020)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound LIVE log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x  = Stop unbound                            vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration
                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                        oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size                    s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://192.168.1.1:80/user1.asp)
                                    adblock = Install Ad Block [uninstall]
Stubby = Enable Stubby Integration                    DoT = Enable DNS-over-TLS
                                    firewall = Enable DNS Firewall [disable | ?]
                                    ew = Edit Ad Block Whitelist (eb=Blacklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT)    ca = Cache Size Optimisation  ([ 'reset' ])

dig = {domain} [time] Show dig info e.g. dig asciiart.com        lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                 dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links


e  = Exit Script [?]

[Enter] Leave Advanced Tools Menu

e  = Exit Script [?]

A:Option ==>

Why do I not see scribe?

 

[Martineau]

unbound (pid 10064) is running... uptime: 0 Days, 00:04:33 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Thu Apr 23 22:11:25 CEST 2020)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound LIVE log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x  = Stop unbound                            vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration
                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                        oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size                    s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://192.168.1.1:80/user1.asp)
                                    adblock = Install Ad Block [uninstall]
Stubby = Enable Stubby Integration                    DoT = Enable DNS-over-TLS
                                    firewall = Enable DNS Firewall [disable | ?]
                                    ew = Edit Ad Block Whitelist (eb=Blacklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT)    ca = Cache Size Optimisation  ([ 'reset' ])

dig = {domain} [time] Show dig info e.g. dig asciiart.com        lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                 dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links


e  = Exit Script [?]

[Enter] Leave Advanced Tools Menu

e  = Exit Script [?]

A:Option ==>

Why do I not see scribe?

Weird ...no idea

It was one of the first 'word' menu features.

 

[Chris0815]

Weird ...no idea

But the "scribe" command works - I successfully installed scribe to test the extended stats - but deinstalled it again and installed unbound once again.

I also miss this one:

ad = Analyse Diversion White/Black lists

Sorry! Maybe one of my 10 thumbs of my two left hands...

 

[John Fitzgerald]

How do I correct this: (I use a second USB drive as a backup and I went to update all scripts and make sure the drives are somewhat in-sync) Updated Entware and then tried post #3;

opkg remove --force-depends libunbound

ERROR:
/opt/var/lib/unbound/unbound.conf:143: error: cannot open include file '/opt/var/lib/unbound/adblock/adservers': No such file or directory
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file

***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

or 'e' exit; then issue debug command

unbound -dv

Thanks.