Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
- Thread starter Martineau
- Start date
^Tripper^
Senior Member
I can but considering how there was a post about how someone had to manually delete all files related to unbound I thought I’d ask. Guess you missed that post.
Thanks for the directions.
Martineau
Part of the Furniture
Probably not.
If you download 'unbound.conf' from GitHub using the '1/i Install/Update' then by default both are commented out.
If 'lo' is used, then the script should only auto-ENABLE the 'log-queries' - basically to prevent unmanaged native unbound logging from silently filling the disk.
(NOTE: With the new fail-safe cron job to restrict the native unbound log from growing larger than 10MB, perhaps this should now be changed.)
If you then enable 'scribe' or 'sgui' then both 'log-queries' and 'log-replies' should be auto-ENABLED.
Martineau
Part of the Furniture
No I can read...(and count) thank you, but if you are technically astute, then it's the OPs prerogative to choose whatever manual action is deemed appropriate in the circumstances....however, in the OP's particular case, it wasn't strictly necessary.
Sorry to see you go.
tomsk
Very Senior Member
Code:
#########################################
# integration LOG's
#
verbosity: 1 # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config (v3.06 now deletes this if size grows > 10MB)
log-time-ascii: yes # v1.01 as per @dave14305 minimal config
log-tag-queryreply: yes # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
log-queries: yes
#log-replies: yes
use-syslog: yes # v1.02 @Martineau Recommended to let scribe/syslog-ng handle the log(s)
#log-local-actions: yes # v1.02 @Martineau ('yes' required for @juched's Graphical Ad Block statistics)
log-servfail: yes # v1.01 as per @dave14305 minimal config
#########################################Im running scribe... i just re-enabled it through the advanced menu and the log-replies is still commented out
Martineau
Part of the Furniture
tomsk
Very Senior Member
my normal scripting prowess.... fix something ... break something elseWhoops, looks like for the v3.06 rewrite - I've somehow dropped the line
Martineau
Part of the Furniture
Fortunately 'lo' should still dynamically ENABLE both, so issue 'lo' and that should fix it!
i.e. you will then see the 'log-replies' in syslog-ng but 'unbound.conf' will still show it as commented out, or you can 'vx' it
I'll add it to the pending v3.08 Hotfix.
When updated Unbound, it says my configuration contains duplicates. I am not really sure what to look for. Someone with ideas?
Code:
# rgnldo Github Version=v1.04 Martineau update (Date Loaded by unbound_manager Mon Feb 17 22:33:54 CET 2020)
# v1.04 Martineau - Change 'ip-ratelimit:'
# v1.03 Martineau - Remove 'dns64-prefix:' and 'module-config: "dns64 ..."' from auto ENABLE if IPv6 detected
# v1.02 Martineau - Add '#use-syslog:' '#log-local-actions:' '#log-tag-queryreply:' Option placeholders
# v1.01 Martineau - Add 'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:' and 'module-config: "dns64 ..."'
# Change 'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
# Add If IPv6 detected, auto ENABLE 'dns64-prefix:' and modify to include 'module-config: "dns64 ..."'
server:
# port to answer queries from
port: 53535
#########################################
# integration LOG's
#
#verbosity: 1 # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-time-ascii: yes # v1.01 as per @dave14305 minimal config
#log-tag-queryreply: yes # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
#log-queries: yes
#log-replies: yes
#use-syslog: yes # v1.02 @Martineau Let scribe/syslog-ng handle the log as it gets erased daily if Ad Block enabled :-(
#log-local-actions: yes # v1.02 @Martineau
log-servfail: yes # v1.01 as per @dave14305 minimal config
#########################################
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
# don't be picky about interfaces but consider your firewall
#interface: 0.0.0.0
interface: 127.0.0.1@53535 # v1.01 as per @dave14305 minimal config
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/24 allow
# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
#########################################
# integration IPV6
#
# do-ip6: yes
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 validator iterator" # v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96 # v1.03 v1.01
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config
# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
# tiny memory cache
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 21600
cache-min-ttl: 5
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 0 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
# The pid file
pidfile: "/opt/var/run/unbound.pid"
# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"
# DNSSEC
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
#include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
#########################################
#forward-zone:
# name: "."
# forward-addr: 127.0.0.1@5453
# forward-addr: 0::1@5453 # integration IPV6
#########################################
# v1.01 Added the following
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: root.zone^Tripper^
Senior Member
I sincerely appreciate all the effort you put into unbound manager and the time you take to the answer questions and issues posted in here. Unbound can be confusing to some of us and your script goes a long way to making it so much more manageable. I am always in awe of the skill of script writers such as yourself (and the rest in here), Lord knows I’ve learnt so much!!(and there is so much more to learn!!)
bluzfanmr1
Senior Member
When looking at the error message, doesn’t it tell you which line is duplicated? I believe that was the case for me once.
Indeed it did. Thank you.
I now have other issues with libunbound. I will try things according to this before asking for further help. Really need the router to work since I am working from home due to Corona. I will try it this weekend.
Martin_D
Regular Contributor
Need some help to get unbound working on my setup
DNSFilter: Router
Connect to DNS Server automatically Yes
Forward local domain queries to upstream DNS No
Enable DNS Rebind protection No
Enable DNSSEC support No
Prevent client auto DoH Auto
DNS Privacy Protocol None
Enable local NTP server Yes
Intercept NTP client requests no
Now all I get is
May 5 06:06:29 Skynet: [*] Waiting For NTP To Sync
May 5 06:08:34 (unbound_manager.sh): 9491 Warning unbound not running!! # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Wed Apr 29 23:08:01 IST 2020)
DNSFilter: Router
Connect to DNS Server automatically Yes
Forward local domain queries to upstream DNS No
Enable DNS Rebind protection No
Enable DNSSEC support No
Prevent client auto DoH Auto
DNS Privacy Protocol None
Enable local NTP server Yes
Intercept NTP client requests no
Now all I get is
May 5 06:06:29 Skynet: [*] Waiting For NTP To Sync
May 5 06:08:34 (unbound_manager.sh): 9491 Warning unbound not running!! # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Wed Apr 29 23:08:01 IST 2020)
Last edited:
Centrifuge
Senior Member
But DNS is still resolving? The below answer should be no, else you are getting your isp's dns service. You are done with them you got your own DNS resolver now.
joe scian
Very Senior Member
That is not correct at all - a successful installation of Unbound overrides this setting. When Unbound is stopped either accidentally or commanded then this setting will allow successful resolving to your ISP's DNS servers. The problem with MartinDEE is presumably tied to the fact that his NTP server is non functional and NTP is not synced. Fix that first before you look further.
Install NTPMerlin using amtm and hopefully that will fix your NTP issue.
Last edited:
kernol
Very Senior Member
I had noticed from a month or so back that the cache hit statistics were steadily declining over time [from high seventies where it had stayed consistently before ... to low sixties] – which did not make sense in a small household where the internet usage patterns are fairly consistent.
So - I setup a factory reset router with my usual amtm add-ons – all fresh installed on a formatted USB – and then monitored unbound cache stats with only a SINGLE client PC attached to the router by Ethernet cable. I went about opening the same web pages [30 of them] repeatedly but clearing the DNS cache on the PC between each of the attempts.
After an initial modest pickup in cache hits – I found that repeated opening of the same web pages caused the cache hit stats to DECLINE ??? See images below ...
This one shows summary stats after a few browser sessions ...
This one straight after above with a single push to open those same 30 web pages.
Note %tage decline on hits from 35.75 to 30.79 ??
Full graph chart enclosed below ...
Any one else noticing a similar trend ???
So - I setup a factory reset router with my usual amtm add-ons – all fresh installed on a formatted USB – and then monitored unbound cache stats with only a SINGLE client PC attached to the router by Ethernet cable. I went about opening the same web pages [30 of them] repeatedly but clearing the DNS cache on the PC between each of the attempts.
After an initial modest pickup in cache hits – I found that repeated opening of the same web pages caused the cache hit stats to DECLINE ??? See images below ...
This one shows summary stats after a few browser sessions ...
This one straight after above with a single push to open those same 30 web pages.
Note %tage decline on hits from 35.75 to 30.79 ??
Full graph chart enclosed below ...
Any one else noticing a similar trend ???
tomsk
Very Senior Member
Won't the DNS caching on the requesting machine make the figures drop?
He said:
but a "PC" makes other DNS request in the background.
juched
Very Senior Member
sgui just needs log-replies. No need to turn on log-queries for the stats, they are ignored and just fill up the disk.
Similar threads
Similar threads
Similar threads
-
Unbound Force all DNS requests through Unbound using iptables?- Started by muffintastic
- Replies: 14
-
-
-
-
-
-
Is it possible to use nord dns with unbound or any way to add it?- Started by Jack-Sparr0w
- Replies: 9
-
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-