Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


I noticed just now that the log-replies got commented out in the unbound.conf... I was getting both queries and replies in the log before I started testing things... Did I break it inadvertently?
 
Err... choose the appropriate option from the menu

Code:
1  = Update unbound files and configuration
2  = Remove unbound/unbound_manager
3  = Stop unbound
4  = Show unbound statistics
5  = Uninstall Ad and Tracker blocker (Ad Block)
6  = Uninstall Graphical Statistics GUI Add-on TAB
7  = Disable DNS Firewall [?]

?  = About Configuration
v  = View ('/opt/var/lib/unbound/'unbound.conf)

e  = Exit Script [?]

E:Option ==>
or
Code:
i  = Update unbound and configuration ('/opt/var/lib/unbound/')     l  = Show unbound LIVE log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                 v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3  = Advanced Tools                                                 rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                            oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)   s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user5.asp)

e  = Exit Script [?]

A:Option ==>

Can you see which one might be appropriate?

I can but considering how there was a post about how someone had to manually delete all files related to unbound I thought I’d ask. Guess you missed that post.

Thanks for the directions.
 
I noticed just now that the log-replies got commented out in the unbound.conf... I was getting both queries and replies in the log before I started testing things...

Did I break it inadvertently?
Probably not.

If you download 'unbound.conf' from GitHub using the '1/i Install/Update' then by default both are commented out.

If 'lo' is used, then the script should only auto-ENABLE the 'log-queries' - basically to prevent unmanaged native unbound logging from silently filling the disk.
(NOTE: With the new fail-safe cron job to restrict the native unbound log from growing larger than 10MB, perhaps this should now be changed.)

If you then enable 'scribe' or 'sgui' then both 'log-queries' and 'log-replies' should be auto-ENABLED.
 
I can but considering how there was a post about how someone had to manually delete all files related to unbound I thought I’d ask. Guess you missed that post.
No, I can read (and count), thank you, but if you are technically astute, then it's the OP's prerogative to choose whatever manual action is deemed appropriate in the circumstances... however, in the OP's particular case, it wasn't strictly necessary.

Sorry to see you go.
 
Code:
#########################################
# integration LOG's
#
verbosity: 1                               # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config (v3.06 now deletes this if size grows > 10MB)
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-tag-queryreply: yes                     # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
log-queries: yes
#log-replies: yes
use-syslog: yes                            # v1.02 @Martineau Recommended to let scribe/syslog-ng handle the log(s)
#log-local-actions: yes                     # v1.02 @Martineau ('yes' required for @juched's Graphical Ad Block statistics)
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################
I'm running scribe... I just re-enabled it through the advanced menu and log-replies is still commented out.
 
Whoops, looks like for the v3.06 rewrite - I've somehow dropped the line :oops:
 
My normal scripting prowess... fix something, break something else.
Fortunately 'lo' should still dynamically ENABLE both, so issue 'lo' and that should fix it!

i.e. you will then see the 'log-replies' in syslog-ng but 'unbound.conf' will still show it as commented out, or you can 'vx' it :D

I'll add it to the pending v3.08 Hotfix.
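The point of the reply above is that 'lo' flips logging at run time (so syslog-ng shows replies) while unbound.conf keeps the line commented out, and that a hotfix has to put the line back in the file. Below is an added example, not unbound_manager's own code, of the file-side half of that: a POSIX sh/awk function that enables or sets a single-valued option in unbound.conf. It prefers an existing active line, otherwise uncomments a '#option: value' placeholder, and only appends under 'server:' if neither exists, so it cannot create a duplicate; the trailing '# comment' on the edited line is kept and a '.bak' copy of the original is left beside it. The function names, the '.bak' convention and the short sample conf are assumptions constructed for this example; only POSIX awk features are used so it should also work with busybox awk on the router, but that is an assumption.

```shell
#!/bin/sh
# Added example (not part of unbound_manager).
# set_unbound_option CONF OPTION VALUE
#   1. an active 'option: value' line is rewritten (first one wins),
#   2. else a commented placeholder '#option: value' is uncommented and set,
#   3. else the option is appended directly under the first 'server:' line.
set_unbound_option() {
    conf=$1 opt=$2 val=$3
    tmp="${conf}.new.$$"
    awk -v opt="$opt" -v val="$val" '
    { lines[NR] = $0 }
    END {
        active = 0; placeholder = 0; server = 0
        for (i = 1; i <= NR; i++) {
            if (!active      && lines[i] ~ ("^[ \t]*" opt ":"))         active = i
            if (!placeholder && lines[i] ~ ("^[ \t]*#[ \t]*" opt ":"))  placeholder = i
            if (!server      && lines[i] ~ /^[ \t]*server:[ \t]*$/)     server = i
        }
        target = active ? active : placeholder
        if (!target && !server) exit 2          # nowhere to put the option
        for (i = 1; i <= NR; i++) {
            if (i == target) {
                line = lines[i]
                sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and the commenting-out "#"
                comment = ""
                p = index(line, " #")              # keep any trailing annotation
                if (p > 0) comment = substr(line, p)
                print opt ": " val comment
            } else {
                print lines[i]
            }
            if (!target && i == server) print opt ": " val "    # added by set_unbound_option"
        }
    }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat, not mv: keeps the owner and mode of the original file
    cp "$conf" "${conf}.bak" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# get_unbound_option CONF OPTION: print the active value, or exit 1 if the
# option is absent or commented out.
get_unbound_option() {
    awk -v opt="$2" '
    $0 ~ ("^[ \t]*" opt ":") {
        line = $0
        sub(/#.*/, "", line)                       # drop trailing annotation
        sub("^[ \t]*" opt ":[ \t]*", "", line)
        sub(/[ \t]+$/, "", line)
        print line; found = 1; exit
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample of the logging section (assumption: cut-down of the
# block posted above, not the real file).
sample_unbound_conf() {
    cat > "$1" <<'EOF'
server:
port: 53535
#verbosity: 1                               # '1' is adequate
log-queries: yes
#log-replies: yes
use-syslog: yes                            # let syslog-ng handle the log(s)
log-servfail: yes
EOF
}

# Demo on a temporary copy, never on the live /opt/var/lib/unbound/unbound.conf
demo=$(mktemp)
sample_unbound_conf "$demo"
set_unbound_option "$demo" log-replies yes
printf 'log-replies is now: %s\n' "$(get_unbound_option "$demo" log-replies)"
rm -f "$demo" "$demo.bak"
```

After editing the real file, run `unbound-checkconf /opt/var/lib/unbound/unbound.conf` before reloading ('rl' in the script), since a typo in the value leaves unbound unable to start rather than merely not logging.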
 
When I updated unbound, it said my configuration contains duplicates. I am not really sure what to look for. Anyone with ideas?

Code:
# rgnldo Github Version=v1.04 Martineau update (Date Loaded by unbound_manager Mon Feb 17 22:33:54 CET 2020)
# v1.04 Martineau - Change  'ip-ratelimit:'
# v1.03 Martineau - Remove  'dns64-prefix:' and 'module-config: "dns64 ..."' from auto ENABLE if IPv6 detected
# v1.02 Martineau - Add     '#use-syslog:' '#log-local-actions:' '#log-tag-queryreply:' Option placeholders
# v1.01 Martineau - Add     'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:' and 'module-config: "dns64 ..."'
#                   Change  'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
#                   Add     If IPv6 detected, auto ENABLE 'dns64-prefix:' and modify to include 'module-config: "dns64 ..."'
server:
# port to answer queries from
port: 53535

#########################################
# integration LOG's
#
#verbosity: 1                               # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
#log-tag-queryreply: yes                    # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
#log-queries: yes
#log-replies: yes
#use-syslog: yes                            # v1.02 @Martineau Let scribe/syslog-ng handle the log as it gets erased daily if Ad Block enabled :-(
#log-local-actions: yes                     # v1.02 @Martineau
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
#interface: 0.0.0.0
interface: 127.0.0.1@53535                  # v1.01 as per @dave14305 minimal config

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/24 allow

# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16

#########################################
# integration IPV6
#
# do-ip6: yes
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 validator iterator"      # v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96                     # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"     # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2

# tiny memory cache
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 21600
cache-min-ttl: 5
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 0                                  # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472                           # v1.01 as per @dave14305 minimal config

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
#include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

#########################################
#forward-zone:
#   name: "."
#   forward-addr: 127.0.0.1@5453
#   forward-addr: 0::1@5453 # integration IPV6
#########################################

# v1.01 Added the following
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone
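In the config posted above, 'prefetch:' and 'prefetch-key:' each appear twice (once under '# tiny memory cache' and again under '# prefetch'); that is the kind of thing a duplicate check flags. Unbound itself generally just takes the last value of a repeated single-valued option, so the daemon may run happily while the manager complains. Below is an added example, not unbound_manager's own check, of a POSIX sh/awk function that reports every option repeated within the same clause together with all of its line numbers, while skipping options that are meant to repeat (access-control, private-address, include, ...). The repeatable-option list is a partial one assembled for this example, the function names are made up, and the sample conf is a constructed cut-down of the posted one.

```shell
#!/bin/sh
# Added example (not part of unbound_manager): list options that occur more
# than once inside the same clause of an unbound.conf, with line numbers.
unbound_dup_options() {
    awk '
    BEGIN {
        # options unbound allows to repeat (partial list, an assumption of
        # this example: extend it as needed)
        list = "access-control private-address private-domain interface "
        list = list "outgoing-interface include local-zone local-data domain-insecure "
        list = list "trust-anchor-file trust-anchor forward-addr forward-host "
        list = list "stub-addr stub-host url primary master allow-notify"
        n = split(list, r, " ")
        for (i = 1; i <= n; i++) multi[r[i]] = 1
        clause = "(none)"; scope = "(none)"
    }
    {
        line = $0
        sub(/#.*/, "", line)                           # drop comments (values here never contain #)
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "") next
        if (line ~ /^[a-z0-9-]+:$/) {                  # clause header: server:, remote-control:, auth-zone: ...
            clause = substr(line, 1, length(line) - 1)
            # all server: blocks merge into one scope; each zone block is its own
            scope = (clause == "server") ? clause : (clause "#" NR)
            next
        }
        colon = index(line, ":")
        if (colon == 0) next                           # not an option line
        opt = substr(line, 1, colon - 1)
        if (opt in multi) next                         # legitimately repeatable
        key = scope "/" opt
        seen[key]++
        sep = (seen[key] > 1) ? "," : ""
        where[key] = where[key] sep NR
        label[key] = clause "/" opt
    }
    END {
        for (k in seen)
            if (seen[k] > 1)
                printf "%s x%d at lines %s\n", label[k], seen[k], where[k]
    }' "$1"
}

# Constructed cut-down of the posted config, keeping the repeated lines.
sample_dup_conf() {
    cat > "$1" <<'EOF'
server:
port: 53535
interface: 127.0.0.1@53535
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
private-address: 10.0.0.0/8
private-address: 192.168.0.0/16
prefetch: yes                 # first occurrence
prefetch-key: yes
cache-min-ttl: 5
# prefetch
prefetch: yes                 # duplicate of line 8
prefetch-key: yes
minimal-responses: yes
remote-control:
control-enable: yes
control-interface: 127.0.0.1
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
EOF
}

# Demo on a temporary file; on the router point it at /opt/var/lib/unbound/unbound.conf
demo=$(mktemp)
sample_dup_conf "$demo"
unbound_dup_options "$demo" | LC_ALL=C sort
rm -f "$demo"
```

Delete one copy of each reported line, then confirm with `unbound-checkconf /opt/var/lib/unbound/unbound.conf` before reloading.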
 
No, I can read (and count), thank you, but if you are technically astute, then it's the OP's prerogative to choose whatever manual action is deemed appropriate in the circumstances... however, in the OP's particular case, it wasn't strictly necessary.

Sorry to see you go.

I sincerely appreciate all the effort you put into unbound manager and the time you take to answer questions and issues posted in here. Unbound can be confusing to some of us and your script goes a long way to making it so much more manageable. I am always in awe of the skill of script writers such as yourself (and the rest in here); Lord knows I've learnt so much! (And there is so much more to learn!) :)
 
When I updated unbound, it said my configuration contains duplicates. I am not really sure what to look for. Anyone with ideas?
When looking at the error message, doesn’t it tell you which line is duplicated? I believe that was the case for me once.
 
When looking at the error message, doesn’t it tell you which line is duplicated? I believe that was the case for me once.
Indeed it did. Thank you.
I now have other issues with libunbound. I will try things according to this before asking for further help. I really need the router to work since I am working from home due to Corona. I will try it this weekend.
 
Need some help to get unbound working on my setup

DNSFilter: Router
Connect to DNS Server automatically: Yes
Forward local domain queries to upstream DNS: No
Enable DNS Rebind protection: No
Enable DNSSEC support: No
Prevent client auto DoH: Auto
DNS Privacy Protocol: None
Enable local NTP server: Yes
Intercept NTP client requests: No

Now all I get is

May 5 06:06:29 Skynet: [*] Waiting For NTP To Sync
May 5 06:08:34 (unbound_manager.sh): 9491 Warning unbound not running!! # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Wed Apr 29 23:08:01 IST 2020)
 
But DNS is still resolving? The setting below should be No, else you are getting your ISP's DNS service. You are done with them; you've got your own DNS resolver now.
Connect to DNS Server automatically: Yes
 
But DNS is still resolving? The setting below should be No, else you are getting your ISP's DNS service. You are done with them; you've got your own DNS resolver now.

That is not correct at all - a successful installation of Unbound overrides this setting. When Unbound is stopped either accidentally or commanded then this setting will allow successful resolving to your ISP's DNS servers. The problem with MartinDEE is presumably tied to the fact that his NTP server is non functional and NTP is not synced. Fix that first before you look further.
Install NTPMerlin using amtm and hopefully that will fix your NTP issue.
 
I had noticed from a month or so back that the cache hit statistics were steadily declining over time [from the high seventies, where they had stayed consistently before, to the low sixties], which did not make sense in a small household where the internet usage patterns are fairly consistent.

So I set up a factory-reset router with my usual amtm add-ons, all freshly installed on a formatted USB, and then monitored unbound cache stats with only a SINGLE client PC attached to the router by Ethernet cable. I went about opening the same web pages [30 of them] repeatedly, but clearing the DNS cache on the PC between each of the attempts.

After an initial modest pickup in cache hits, I found that repeated opening of the same web pages caused the cache hit stats to DECLINE? See images below...
This one shows summary stats after a few browser sessions...
[image: Unbound-stats3.jpg]
This one straight after the above, with a single push to open those same 30 web pages.
[image: Unbound-stats4.jpg]
Note the percentage decline in hits from 35.75 to 30.79?

Full graph chart enclosed below...
[image: Unbound-stats2.jpg]
Anyone else noticing a similar trend?
 
Won't the DNS caching on the requesting machine make the figures drop?
 
Oops, I missed that... I'm assuming he's not using dnsmasq as a forwarder to unbound either.
 