Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Should unbound restart automatically after a reboot? (Does it depend on ntpd being at the correct time)

Edit: As I’m having to start it up manually at times even after waiting 10 mins for the router to settle
unbound is an Entware App, so it follows the startup criteria for all Entware Apps
Code:
ls -lah /opt/etc/init.d/
so 'post-mount' (which runs when it detects that the device hosting the target /opt filesystem is now available to be mounted) will usually set up the symlinks etc. and invoke 'rc.unslung'
 
Code:
      do-daemonize: <yes or no>
              Enable or disable whether the  unbound  server  forks  into  the
              background  as  a daemon.  Set the value to no when unbound runs
              as systemd service.  Default is yes.
So I rebooted, and decided to retest.

So I manually enforce logging by using 'vx' ; then I use 'rs' to restart unbound.

I leave everything for 10 mins, and all looks good, so I use 'l' to watch the log - again all looks good for 10 mins.

However, when I CTRL-C to terminate the log watch ...guess what... unbound suddenly goes AWOL.:confused:

Strange...until I notice you have included !!!!??? :eek::eek::rolleyes::rolleyes:
Code:
do-daemonize: no
then it all clicked.

PEBKAC :mad::mad:
Do I need to correct this?
 
Code:
      do-daemonize: <yes or no>
              Enable or disable whether the  unbound  server  forks  into  the
              background  as  a daemon.  Set the value to no when unbound runs
              as systemd service.  Default is yes.

Do I need to correct this?
Yes unbound needs to run as daemon ...
 
Yes unbound needs to run as daemon ...
Thank you. Will do asap.
Edit: Thanks to Martineau and Tomsk for clearing up the setting to daemonize unbound. I removed it from the configuration file, which results in the default of yes.
Code:
# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
infra-cache-slabs: 1
key-cache-slabs: 1

# tiny memory cache / # prefetch / # gentle on recursion
extended-statistics: yes                        # v1.06 Martineau for @juched GUI TAB
key-cache-size: 50m
msg-cache-size: 50m
rrset-cache-size: 100m
outgoing-range: 950
num-queries-per-thread: 512
edns-buffer-size: 1232
max-udp-size: 1232
harden-algo-downgrade: yes
harden-referral-path: yes
harden-large-queries: yes
harden-short-bufsize: yes
identity: "DNS"
unwanted-reply-threshold: 10000
use-caps-for-id: yes
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
aggressive-nsec: yes
ratelimit: 1000
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
deny-any: yes
This is the new edited unbound configuration file.
 
Installed the 3.09 update, which appears to be working fine, though see the following when loading from amtm or through the console directly:
Code:
+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.09 by Martineau                       |
|                                                                      |
+======================================================================+[: bad number
If you issue
Code:
e  = Exit Script [?]

A:Option ==> lx

unbound logging DISABLED
does the spurious text '[: bad number' go away?
 
Yes it does.
Abject apologies for the inconvenience :oops:

I was genuinely trying to eliminate the unnecessary manual intervention/disruption caused by the 'i config' command which, if users have used 'vx' 'unbound.conf' rather than add their config overrides to '/opt/share/unbound/configs/unbound.conf.add' would result in way more complaints than the spurious untidy error text.

Anyway the hack will auto-apply the 'lx' command....(safe option) which may still displease some users as they may need to manually reissue 'lo' anyway :rolleyes:

Uploaded Hotfix v3.06 Github md5=4bd9b8ad9059d14720c72952752cc67d
 
Updated to the minor version increment and spurious untidy error text is indeed gone. Thanks for identifying and resolving so quickly.

Having read through this full thread in the past several days, I did want to mention that I am also not seeing scribe from advanced options.

Yesterday, my router decided to go back to vanilla defaults for some reason, so I took the opportunity to format jffs and the flash drive to have a clean install. I have the following loaded from amtm (entware, Skynet (incl. 2GB swap), scribe (incl. uiScribe), unbound manager, nsrum, conmon, scMerlin, spdMerlin, and YaziFi added last). From the first install of unbound manager, scribe was notably missing from the advanced options, although it was already installed along with Skynet. Not sure why, but figured I pass along the information in case you were looking for a clean install validation of it being notably absent.
 
I notice that using the "include" directive we can drop extra bits of configuration into the unbound config file (similar to the way scribe drops additional config files into the syslog-ng conf).
Would there be any mileage in having a very basic config file and the customisations in an additional file... although I guess the unbound.conf.add is doing a similar thing.

Code:
 Files  can be included using the include: directive. It can appear any-
       where, it accepts a single file name as argument.  Processing continues
       as  if  the text from the included file was copied into the config file
       at that point.  If also using chroot, using full  path  names  for  the
       included files works, relative pathnames for the included names work if
       the directory where the daemon is  started  equals  its  chroot/working
       directory  or is specified before the include statement with directory:
       dir.  Wildcards can be used to include multiple files, see glob(7).
 
Having read through this full thread in the past several days, I did want to mention that I am also not seeing scribe from advanced options.
It was on my list to fix, but simply forgot to prioritise it for the formal v3.09 release, but I'll address it tomorrow.

However, in the interim you can always execute the 'scribe' command even if it is not actually visible on the screen.
 
It was on my list to fix, but simply forgot to prioritise it for the formal v3.09 release, but I'll address it tomorrow.

However, in the interim you can always execute the 'scribe' command even if it is not actually visible on the screen.
I am curious about
Code:
val-override-date: <rrsig-style date spec>
    Default is "" or "0", which disables this debugging feature. If enabled by giving a RRSIG style date, that date is used for verifying RRSIG inception and expiration dates, instead of the current date. Do not set this unless you are debugging signature inception and expiration. The value -1 ignores the date altogether, useful for some special applications.

Would setting this to -1 override the need to validate date and "time" on DNSSEC signatures? This may benefit the whole "oh no my clock didn't set" situation. What are your thoughts? @dave14305 @Martineau
 
It was on my list to fix, but simply forgot to prioritise it for the formal v3.09 release, but I'll address it tomorrow.

However, in the interim you can always execute the 'scribe' command even if it is not actually visible on the screen.
I was able to do so; desire is to have minimal logging in Scribe to show that it is functioning as expected, though relying primarily on the Add-on page to confirm along with stats in SSH.

Not sure if you may know why, but I have not seen a single DNS Filtering hit over the 2 days before the greenfield install or in the day since. Perhaps this is expected behavior, though I'm not sure if there is some way to validate that it is indeed functioning as expected. It may be due to using a VPN with DNS set to Disabled, but Unbound shows to be working as expected with an above 90% hit rate and significant Ad-Block rate. Digging from Ubuntu on W10 also shows an initial response higher than the near 0ms second response.
 
doesn't
Code:
touch /opt/share/unbound/configs/unbound.conf.addgui

just create the file?... I had a look in there and it's empty ... or is the fix just detecting the presence of the file?
I have standardized on using the "true" command rather than "touch" to create files in my shell scripts this past year.

Code:
<snip>
      true >"$VPNC_UP_FILE"
      {
        printf '%s\n' "#!/bin/sh"
        printf '%s\n' "$IPTABLES_ENTRY" 
      } >"$VPNC_UP_FILE"
      chmod 755 "$VPNC_UP_FILE"
      logger -st "($(basename "$0"))" $$ "$IPTABLES_ENTRY added to $VPNC_UP_FILE"
    fi
  done
 
I am curious about
Code:
val-override-date: <rrsig-style date spec>
    Default is "" or "0", which disables this debugging feature. If enabled by giving a RRSIG style date, that date is used for verifying RRSIG inception and expiration dates, instead of the current date. Do not set this unless you are debugging signature inception and expiration. The value -1 ignores the date altogether, useful for some special applications.

Would setting this to -1 override the need to validate date and "time" on DNSSEC signatures? This may benefit the whole "oh no my clock didn't set" situation. What are your thoughts? @dave14305 @Martineau
Yes, I did this with my own Unbound implementation. If ntp_ready = 0, then add val-override-date: -1 to unbound.conf. Once ntp is synced (I set a service-event trigger for "restart_diskmon"), restart Unbound without val-override-date. I stole this idea from OpenWRT.
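
The approach dave14305 describes (add 'val-override-date: -1' while ntp_ready is 0, drop it and restart once NTP is synced), as an added POSIX sh example that is not his script and not part of unbound_manager. It assumes the config lives at /opt/var/lib/unbound/unbound.conf (the directory shown later in the thread), that 'nvram get ntp_ready' reports clock sync on Asuswrt-Merlin, and that the Entware init script is /opt/etc/init.d/S61unbound.

```shell
#!/bin/sh
# Hypothetical helper: keep 'val-override-date: -1' in the server: clause only
# while the router clock is unsynced, so DNSSEC validation does not fail on every
# RRSIG before NTP has run. With -1 unbound ignores signature inception and
# expiration, so the override is removed again as soon as the clock is trusted;
# left in place, replayed expired signatures would still validate.
CONF="${CONF:-/opt/var/lib/unbound/unbound.conf}"   # assumed path
INIT="${INIT:-/opt/etc/init.d/S61unbound}"          # assumed Entware init script

# apply_val_override_date <conf> <ntp_ready>
# Drops any existing val-override-date line, then re-adds '-1' directly under
# the first 'server:' line when ntp_ready is 0. Returns 0 if the file changed,
# 1 if it was already in the wanted state, 2 on an awk/write error.
apply_val_override_date() {
  conf=$1 ntp_ready=$2 tmp="$1.tmp.$$"
  awk -v want="$ntp_ready" '
    /^[[:space:]]*val-override-date:/ { next }        # drop the old override
    { print }
    /^server:/ && want == "0" && !done { print "    val-override-date: -1"; done = 1 }
  ' "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
  if cmp -s "$conf" "$tmp"; then rm -f "$tmp"; return 1; fi
  mv "$tmp" "$conf"
}

# Current override state of a config file: prints "-1" or "unset".
val_override_state() {
  v=$(awk '/^[[:space:]]*val-override-date:/ { print $2; exit }' "$1")
  printf '%s\n' "${v:-unset}"
}

# On the router: rewrite the config from the live clock state and restart
# unbound only when the file actually changed (run from the NTP/service-event
# hook of your choice).
if [ -f "$CONF" ] && command -v nvram >/dev/null 2>&1; then
  if apply_val_override_date "$CONF" "$(nvram get ntp_ready)"; then
    "$INIT" restart
  fi
fi
```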
 
Yes, I did this with my own Unbound implementation. If ntp_ready = 0, then add val-override-date: -1 to unbound.conf. Once ntp is synced (I set a service-event trigger for "restart_diskmon"), restart Unbound without val-override-date. I stole this idea from OpenWRT.
I can see it as highly beneficial.
 
Yes unbound needs to run as daemon ...
Why would you run it as a daemon? (Not saying you shouldn't, just want clarification as we are running this on a router.) Does it use less system resources or more, or no difference?

(I figured it is more for using the unbound control features.)
 
I've uploaded v3.09

Version=3.09
Github md5=4bd9b8ad9059d14720c72952752cc67d

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' **Not required**

Code:
FIX:    Always explicitly DISABLE the default 'verbosity: 1' logging after the unbound install (if not requested/desired)
        Basically the 'verbosity:' directive is now always uncommented in 'unbound.conf' and explicitly set to either '0' or '1' (or the user specified log-level)
FIX:    Command line 'config=' does not validate full pathname
CHANGE: Command line 'recovery' directive to accommodate above changes, and improve the recovery process to disable addons.
CHANGE: Correct/remove redundant variables and reorder menu selection items to ensure 'generics' do not pre-empt specific commands
CHANGE: Advanced menu 'lo [log_level]' now optionally allows setting the desired increased logging level (2-5), and the current log level is now displayed on screen and in the log.
e.g. set logging level '3' (debug but dumps this line....'cache memory msg=125423 rrset=520300 infra=88944 val=45913' at regular intervals - as previously stated could be another useful graphical trending metric?)
Code:
i  = Update unbound and configuration ('/opt/var/lib/unbound/')     l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)

<snip>

e  = Exit Script [?]

A:Option ==> lo 3

unbound logging (Loglevel=3) ENABLED

/opt/var/lib/unbound/unbound.log (Loglevel=3)       Press CTRL-C to stop

Apr 30 14:52:30 unbound[16660:0] reply: 127.0.0.1 time.cloudflare.com. AAAA IN NOERROR 0.000000 1 93
Apr 30 14:52:30 unbound[16660:0] info: control cmd:  verbosity 0
Apr 30 14:52:32 unbound_manager: 'lx':  =================================================================================== Stopped
Apr 30 14:53:01 unbound_manager: 'lo':  =================================================================================== Started Loglevel=3
Apr 30 14:53:02 unbound[16660:0] debug: new control connection from 127.0.0.1 port 37333
Apr 30 14:53:02 unbound[16660:0] info: control cmd:  set_option verbosity 3
Apr 30 14:53:05 unbound[16660:0] query: 127.0.0.1 cdn.samsungcloudsolution.com. A IN
Apr 30 14:53:05 unbound[16660:0] reply: 127.0.0.1 cdn.samsungcloudsolution.com. A IN NOERROR 0.000000 1 165

<snip>

Apr 30 14:54:07 unbound[16660:0] reply: 127.0.0.1 lcprd1.samsungcloudsolution.net. A IN NXDOMAIN 0.000000 1 49
Apr 30 14:54:08 unbound[16660:0] query: 127.0.0.1 cdn.content.prod.cms.msn.com. A IN
Apr 30 14:54:08 unbound[16660:0] info: respip operate: query cdn.content.prod.cms.msn.com. A IN
Apr 30 14:54:08 unbound[16660:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
Apr 30 14:54:08 unbound[16660:0] info: validator operate: query cdn.content.prod.cms.msn.com. A IN
Apr 30 14:54:08 unbound[16660:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
Apr 30 14:54:08 unbound[16660:0] info: resolving cdn.content.prod.cms.msn.com. A IN
Apr 30 14:54:08 unbound[16660:0] info: resolving (init part 2):  cdn.content.prod.cms.msn.com. A IN
Apr 30 14:54:08 unbound[16660:0] info: resolving (init part 3):  cdn.content.prod.cms.msn.com. A IN
Apr 30 14:54:08 unbound[16660:0] info: processQueryTargets: cdn.content.prod.cms.msn.com. A IN
Apr 30 14:54:08 unbound[16660:0] debug: removing 3 labels
Apr 30 14:54:08 unbound[16660:0] info: new target ns1-205.msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] info: new target ns2-205.msn.com.msftnet.org. A IN
Apr 30 14:54:08 unbound[16660:0] info: sending query: cms.msn.com. A IN
Apr 30 14:54:08 unbound[16660:0] debug: sending to target: <msn.com.> 13.107.24.205#53
Apr 30 14:54:08 unbound[16660:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
Apr 30 14:54:08 unbound[16660:0] info: iterator operate: query ns1-205.msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] info: resolving ns1-205.msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] info: resolving (init part 2):  ns1-205.msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] info: resolving (init part 3):  ns1-205.msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] info: processQueryTargets: ns1-205.msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] debug: removing 2 labels
Apr 30 14:54:08 unbound[16660:0] info: sending query: com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] debug: sending to target: <msft.info.> 40.90.4.4#53
Apr 30 14:54:08 unbound[16660:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
Apr 30 14:54:08 unbound[16660:0] info: iterator operate: query ns2-205.msn.com.msftnet.org. A IN
Apr 30 14:54:08 unbound[16660:0] info: resolving ns2-205.msn.com.msftnet.org. A IN
Apr 30 14:54:08 unbound[16660:0] info: resolving (init part 2):  ns2-205.msn.com.msftnet.org. A IN
Apr 30 14:54:08 unbound[16660:0] info: resolving (init part 3):  ns2-205.msn.com.msftnet.org. A IN
Apr 30 14:54:08 unbound[16660:0] info: processQueryTargets: ns2-205.msn.com.msftnet.org. A IN
Apr 30 14:54:08 unbound[16660:0] debug: removing 2 labels
Apr 30 14:54:08 unbound[16660:0] info: sending query: com.msftnet.org. A IN
Apr 30 14:54:08 unbound[16660:0] debug: sending to target: <msftnet.org.> 13.107.24.7#53
Apr 30 14:54:08 unbound[16660:0] reply: 127.0.0.1 cdn.content.prod.cms.msn.com. A IN NOERROR 0.000000 1 153
Apr 30 14:54:08 unbound[16660:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
Apr 30 14:54:08 unbound[16660:0] info: iterator operate: query ns1-205.msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] info: response for ns1-205.msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] info: reply from <msft.info.> 40.90.4.4#53
Apr 30 14:54:08 unbound[16660:0] info: query response was nodata ANSWER
Apr 30 14:54:08 unbound[16660:0] info: processQueryTargets: ns1-205.msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] debug: removing 1 labels
Apr 30 14:54:08 unbound[16660:0] info: sending query: msn.com.msft.info. A IN
Apr 30 14:54:08 unbound[16660:0] debug: sending to target: <msft.info.> 13.107.160.4#53
Apr 30 14:54:08 unbound[16660:0] debug: cache memory msg=125423 rrset=520300 infra=88944 val=45913

Interesting, could graph cache size over time. Hmm
 
OK - so it sounds like cache hit levels are no longer in the upper seventies, as they were when unbound was first made available.
If cache hits are now regularly in the 40 to 50 % mark ... some logic must have changed in the stats being presented.

I will chill out and simply dump the webui stats page - really no point tracking if cache hits are relatively insignificant.
Thanks.

Not sure why you are getting stats from unbound like that. I am always around 91%.
 
Not sure why you are getting stats from unbound like that. I am always around 91%.

Agreed I think Kernol is the only one with this problem?
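
An added POSIX sh/awk example (not from unbound_manager or any poster) that parses the Loglevel=3 log format shown earlier: it computes the cache hit rate that this hit-rate discussion is about, lists the replies that were not served from cache, and extracts the 'cache memory' samples Martineau suggested graphing. It assumes the fields of a 'reply:' line follow unbound's log-replies layout (client, name, type, class, rcode, resolve time, from-cache flag, size), as the sample lines suggest.

```shell
#!/bin/sh
# Constructed sample log: the first five lines are copied from the Loglevel=3
# excerpt in the thread; the last three are constructed, including two 'reply:'
# lines whose from-cache flag (second-to-last field) is 0, i.e. resolved upstream.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Apr 30 14:52:30 unbound[16660:0] reply: 127.0.0.1 time.cloudflare.com. AAAA IN NOERROR 0.000000 1 93
Apr 30 14:52:30 unbound[16660:0] info: control cmd:  verbosity 0
Apr 30 14:53:05 unbound[16660:0] reply: 127.0.0.1 cdn.samsungcloudsolution.com. A IN NOERROR 0.000000 1 165
Apr 30 14:54:07 unbound[16660:0] reply: 127.0.0.1 lcprd1.samsungcloudsolution.net. A IN NXDOMAIN 0.000000 1 49
Apr 30 14:54:08 unbound[16660:0] debug: cache memory msg=125423 rrset=520300 infra=88944 val=45913
Apr 30 14:55:10 unbound[16660:0] reply: 192.168.1.50 example.invalid. A IN NOERROR 0.081234 0 72
Apr 30 14:55:10 unbound[16660:0] reply: 192.168.1.50 ns.example.invalid. AAAA IN SERVFAIL 1.004000 0 40
Apr 30 14:56:00 unbound[16660:0] debug: cache memory msg=130001 rrset=525000 infra=89000 val=46000
EOF

# Percentage of 'reply:' lines answered from cache (integer). After the rcode,
# a reply line carries: resolve time, from-cache flag (1 = cache hit), size.
unbound_hit_rate() {
  awk '$5 == "reply:" { total++; if ($(NF-1) == 1) hits++ }
       END { printf "%d\n", total ? (100 * hits) / total : 0 }' "$1"
}

# Replies NOT served from cache: time, client, name, type, rcode, resolve time.
# A run of these (or of SERVFAILs) is what a falling hit rate looks like in the log.
unbound_cache_misses() {
  awk '$5 == "reply:" && $(NF-1) == 0 { print $3, $6, $7, $8, $10, $11 }' "$1"
}

# Cache memory trend from the Loglevel=3 'cache memory' lines: one row per sample,
# "HH:MM:SS msg rrset infra val" (bytes), ready to feed a grapher.
unbound_cache_series() {
  awk '/debug: cache memory/ {
         row = $3
         for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) row = row " " kv[2]
         print row }' "$1"
}
```

The log-derived figure only covers the window in which reply logging was enabled; for the lifetime ratio compare it with `total.num.cachehits` over `total.num.queries` from `unbound-control stats_noreset`.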
 