Err.... choose the appropriate option from the menu
or
Code:
1 = Update unbound files and configuration
2 = Remove unbound/unbound_manager
3 = Stop unbound
4 = Show unbound statistics
5 = Uninstall Ad and Tracker blocker (Ad Block)
6 = Uninstall Graphical Statistics GUI Add-on TAB
7 = Disable DNS Firewall [?]
? = About Configuration
v = View ('/opt/var/lib/unbound/'unbound.conf)
e = Exit Script [?]
E:Option ==>
Code:
i = Update unbound and configuration ('/opt/var/lib/unbound/')
l = Show unbound LIVE log entries (lx=Disable Logging)
z = Remove unbound/unbound_manager
v = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3 = Advanced Tools
rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
? = About Configuration
oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)
s = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user5.asp)
e = Exit Script [?]
A:Option ==>
Can you see which one might be appropriate?
Probably not.
I noticed just now that the log-replies got commented out in the unbound.conf ....... I was getting both queries and replies in the log before I started testing things......
Did I break it inadvertently?
No I can read...(and count) thank you, but if you are technically astute, then it's the OP's prerogative to choose whatever manual action is deemed appropriate in the circumstances....however, in the OP's particular case, it wasn't strictly necessary.
I can but considering how there was a post about how someone had to manually delete all files related to unbound I thought I'd ask. Guess you missed that post.
#########################################
# integration LOG's
#
verbosity: 1 # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config (v3.06 now deletes this if size grows > 10MB)
log-time-ascii: yes # v1.01 as per @dave14305 minimal config
log-tag-queryreply: yes # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
log-queries: yes
#log-replies: yes
use-syslog: yes # v1.02 @Martineau Recommended to let scribe/syslog-ng handle the log(s)
#log-local-actions: yes # v1.02 @Martineau ('yes' required for @juched's Graphical Ad Block statistics)
log-servfail: yes # v1.01 as per @dave14305 minimal config
#########################################
I'm running scribe... I just re-enabled it through the advanced menu and the log-replies is still commented out
Probably not.
If you download 'unbound.conf' from GitHub using the '1/i Install/Update' then by default both are commented out.
If 'lo' is used, then the script should only auto-ENABLE the 'log-queries' - basically to prevent unmanaged native unbound logging from silently filling the disk.
(NOTE: With the new fail-safe cron job to restrict the native unbound log from growing larger than 10MB, perhaps this should now be changed.)
If you then enable 'scribe' or 'sgui' then both 'log-queries' and 'log-replies' should be auto-ENABLED.
Whoops, looks like for the v3.06 rewrite - I've somehow dropped the line
my normal scripting prowess.... fix something ... break something else
Fortunately 'lo' should still dynamically ENABLE both, so issue 'lo' and that should fix it!
# rgnldo Github Version=v1.04 Martineau update (Date Loaded by unbound_manager Mon Feb 17 22:33:54 CET 2020)
# v1.04 Martineau - Change 'ip-ratelimit:'
# v1.03 Martineau - Remove 'dns64-prefix:' and 'module-config: "dns64 ..."' from auto ENABLE if IPv6 detected
# v1.02 Martineau - Add '#use-syslog:' '#log-local-actions:' '#log-tag-queryreply:' Option placeholders
# v1.01 Martineau - Add 'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:' and 'module-config: "dns64 ..."'
# Change 'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
# Add If IPv6 detected, auto ENABLE 'dns64-prefix:' and modify to include 'module-config: "dns64 ..."'
server:
# port to answer queries from
port: 53535
#########################################
# integration LOG's
#
#verbosity: 1 # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-time-ascii: yes # v1.01 as per @dave14305 minimal config
#log-tag-queryreply: yes # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
#log-queries: yes
#log-replies: yes
#use-syslog: yes # v1.02 @Martineau Let scribe/syslog-ng handle the log as it gets erased daily if Ad Block enabled :-(
#log-local-actions: yes # v1.02 @Martineau
log-servfail: yes # v1.01 as per @dave14305 minimal config
#########################################
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
# don't be picky about interfaces but consider your firewall
#interface: 0.0.0.0
interface: 127.0.0.1@53535 # v1.01 as per @dave14305 minimal config
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/24 allow
# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
#########################################
# integration IPV6
#
# do-ip6: yes
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 validator iterator" # v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96 # v1.03 v1.01
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config
# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
# tiny memory cache
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 21600
cache-min-ttl: 5
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 0 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
# The pid file
pidfile: "/opt/var/run/unbound.pid"
# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"
# DNSSEC
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
#include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
#########################################
#forward-zone:
# name: "."
# forward-addr: 127.0.0.1@5453
# forward-addr: 0::1@5453 # integration IPV6
#########################################
# v1.01 Added the following
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: root.zone
Sorry to see you go.
When I updated Unbound, it says my configuration contains duplicates. I am not really sure what to look for. Someone with ideas?
Indeed it did. Thank you.
When looking at the error message, doesn't it tell you which line is duplicated? I believe that was the case for me once.
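An added example (not from the thread and not part of unbound_manager): a POSIX shell/awk helper that lists options set more than once within a clause of unbound.conf, such as the repeated 'prefetch:' and 'prefetch-key:' lines in the configuration posted above. The names 'find_dup_options' and 'demo' and the list of repeatable options are assumptions of this sketch, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: report options set more than once within a clause of unbound.conf.

find_dup_options() {   # $1 = path to unbound.conf
    awk '
    BEGIN {
        # Options unbound accepts repeatedly (assumed list, not exhaustive; extend as needed)
        n = split("access-control private-address interface include forward-addr local-zone local-data stub-addr domain-insecure", m, " ")
        for (i = 1; i <= n; i++) multi[m[i]] = 1
        clause = "(top)"; inst = 0
    }
    {
        line = $0
        sub(/#.*/, "", line)                # drop comments and commented-out options
        gsub(/^[ \t]+|[ \t]+$/, "", line)   # trim whitespace
        pos = index(line, ":")
        if (line == "" || pos == 0) next
        key = substr(line, 1, pos - 1)
        val = substr(line, pos + 1)
        gsub(/^[ \t]+/, "", val)
        if (val == "") { clause = key; inst++; next }   # "server:", "auth-zone:" ...
        if (key in multi) next
        id = inst SUBSEP key                # each clause instance has its own namespace
        if (id in first) {
            printf "%s: %s duplicated at line %d (first at line %d)\n", clause, key, NR, first[id]
        } else {
            first[id] = NR
        }
    }' "$1"
}

demo() {   # constructed sample, cut down from the config posted above
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
server:
port: 53535
#log-replies: yes
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
prefetch: yes
prefetch-key: yes
serve-expired: yes
# prefetch
prefetch: yes
prefetch-key: yes
module-config: "validator iterator"
remote-control:
control-enable: yes
auth-zone:
name: "."
EOF
    find_dup_options "$tmp"
    rm -f "$tmp"
}

demo
```

Commented-out lines such as '#log-replies: yes' are ignored, so only active settings are compared; a '#' inside a quoted value would be misread as a comment by this simple parser.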
Connect to DNS Server automatically Yes
But DNS is still resolving? The below answer should be no, else you are getting your ISP's DNS service. You are done with them, you got your own DNS resolver now.
Won't the DNS caching on the requesting machine make the figures drop?
I had noticed from a month or so back that the cache hit statistics were steadily declining over time [from high seventies where it had stayed consistently before ... to low sixties] – which did not make sense in a small household where the internet usage patterns are fairly consistent.
So - I set up a factory reset router with my usual amtm add-ons – all fresh installed on a formatted USB – and then monitored unbound cache stats with only a SINGLE client PC attached to the router by Ethernet cable. I went about opening the same web pages [30 of them] repeatedly but clearing the DNS cache on the PC between each of the attempts.
After an initial modest pickup in cache hits – I found that repeated opening of the same web pages caused the cache hit stats to DECLINE ??? See images below ...
This one shows summary stats after a few browser sessions ...
View attachment 23162
This one straight after above with a single push to open those same 30 web pages.
View attachment 23163
Note %tage decline on hits from 35.75 to 30.79 ??
Full graph chart enclosed below ...
View attachment 23164
Anyone else noticing a similar trend ???
He said: Won't the DNS caching on the requesting machine make the figures drop?
but a "PC" makes other DNS requests in the background.
clearing the DNS cache on the PC between each of the attempts