Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

I'm using the native RMerlin NTP Server (pool.ntp.org)..is this what you're inquiring about?
@Kingp1n @JemTheWire

Yes, clearly my new code addition for checking if the Entware NTP Server version is installed is broken - but as I don't use it I'm not surprised. :oops:

Thanks for the feedback.
 
First time install. All went well however I did get the following:
Code:
    Router Configuration recommended pre-reqs status:

    [✔] Swapfile=1048572 kB
    [✔] DNS Filter=ON
    [✔] DNS Filter=ROUTER
    [✔] WAN: Use local caching DNS server as system resolver=NO
/jffs/addons/unbound/unbound_manager.sh: line 2403: /opt/etc/init.d/S77ntpd: not found
    [✔] Entware NTP server is running
    [✔] Enable DNS Rebind protection=NO
    [✔] Enable DNSSEC support=NO
and using the built-in ntpd
Code:
hardcat@RT-AX88U:/tmp/home/root# which ntpd
/usr/sbin/ntpd

Kudos @Martineau, I have been following this for a while and am pleased at how well it works. -Thank You once again..
 
I've uploaded v2.07

Fix: Analyse diversion 'ad' command for diversion lists...it failed if Ad Block isn't ENABLED! - doh!
Add: Allow variable name filter to be specified on 's'/'sa' commands
e.g. ensure 's+' Enhanced Statistics is ENABLED; then 's thread' will cause 'thread*' variable stats to be also displayed.
Change: The URLs displayed (to assist in setting the pre-reqs) will now honour HTTP/HTTPS and HTTP/HTTPS Custom Port @kfahoo
Change: amtm starts unbound_manager by default in 'easy' mode, if you prefer 'advanced' mode then issue 'adv' (or 'advanced') and unbound_manager (amtm) will 'remember' your preferred mode. @L&LD / @kernol
Change: The NTP Server pre-req will now accept either the native RMerlin NTP Server or the Entware NTP Server, but at least one must be ACTIVE.
Change: Easy mode still retains the two Install/Update options (1 & 2), but I have now decided the original SME brain-dead design should be changed, so option 2 will now only install logging and the simple Performance tweak, as they are now proven to work without fuss or drama.
Change: I have made the option Stubby-Integration refer to @dave14305's excellent synopsis of the need for Stubby-Integration.
i.e. a clickable link allows the user to read it and should ;) deter them from opting for the Stubby-Integration.

(Not sure if this redundant option should eventually be removed?)
Is the cpu/memory tweak reversible if one decides that he doesn't need it? It seems to be forced now with the upgrade not like before where you are asked. And another question please, how do I start from scratch, it seems uninstall unbound/unbound_manager doesn't work right now.
 
At one point in time, many arguments ago, there used to be a check in S61unbound to verify NTP was synced (waiting 5 mins). Then a different time check and delay was moved to a separate S00netwait startup script. But I don't see that script being downloaded by the unbound_manager code, so it's more likely that Unbound could start before the clock is synced.

I've sent a pull request to @Jack Yaz to add an NTP check to S61unbound, which would wait for up to 60 seconds for NTP to sync before starting Unbound.

https://github.com/jackyaz/Unbound-Asuswrt-Merlin/pull/1
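
A bounded wait of the kind described above, written as an added example; it is not the code from the pull request or from unbound_manager. It assumes `nvram get ntp_ready` prints 1 once the clock is synced; the names `NTP_PROBE`, `ntp_synced`, `wait_for_ntp`, `start_after_ntp` and `log` are hypothetical, and starting the resolver anyway after the timeout is this example's choice.

```shell
#!/bin/sh
# Added example: wait a bounded time for NTP sync before starting a
# DNSSEC-validating resolver (signature validity checks need a sane clock).

# Assumption: this command prints 1 once the firmware has synced the clock.
# It can be overridden to try the logic off-router.
NTP_PROBE=${NTP_PROBE:-"nvram get ntp_ready"}

# Log to syslog when possible, otherwise to stderr.
log() {
    logger -t ntp_wait "$*" 2>/dev/null || echo "ntp_wait: $*" >&2
}

# True only when the probe answers exactly 1; an empty answer or a
# failing probe counts as "not synced".
ntp_synced() {
    [ "$($NTP_PROBE 2>/dev/null)" = "1" ]
}

# wait_for_ntp MAX_SECONDS
# Returns 0 as soon as the clock is synced, 1 if MAX_SECONDS pass first.
wait_for_ntp() {
    max=${1:-60}
    waited=0
    while [ "$waited" -lt "$max" ]; do
        ntp_synced && return 0
        sleep 1
        waited=$((waited + 1))
    done
    ntp_synced
}

# start_after_ntp MAX_SECONDS COMMAND [ARGS...]
# Runs COMMAND after the wait; on timeout it still starts, but says so.
start_after_ntp() {
    limit=$1; shift
    if wait_for_ntp "$limit"; then
        log "clock synced, starting: $*"
    else
        log "clock not synced after ${limit}s, starting anyway: $*"
    fi
    "$@"
}

# Illustrative call: start_after_ntp 60 /opt/etc/init.d/S61unbound start
```
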
 
I've pushed a v2.07 Hotfix to (hopefully) correct the detection of the NTP Server installed on the router i.e. RMerlin vs. Entware.

Feedback appreciated.
 
At one point in time, many arguments ago, there used to be a check in S61unbound to verify NTP was synced (waiting 5 mins). Then a different time check and delay was moved to a separate S00netwait startup script. But I don't see that script being downloaded by the unbound_manager code, so it's more likely that Unbound could start before the clock is synced.

I've sent a pull request to @Jack Yaz to add an NTP check to S61unbound, which would wait for up to 60 seconds for NTP to sync before starting Unbound.

https://github.com/jackyaz/Unbound-Asuswrt-Merlin/pull/1
Sorry, been busy hacking the v2.07 release but yes, unbound started 4 lines before the NTP sync'd message in Syslog, so it doesn't always happen.

Yes I do recall the rejection "conversations" that the time check/spin-loop was appropriate.
I think @SomeWhereOverTheRainBow also proposed some similar code for the 'dnsmasq.postconf' script?
 
If one has the amtm disk check script enabled, the internal NTP sync happens well before entware starts up. With my 86U, NTP starts 11 seconds into the boot, the time is synced 13 seconds into the boot, the disk check starts and finishes 2 seconds later, syslog-ng starts, and unbound starts 4 seconds after that.
 
Borrowing a page from OpenWRT, if unbound isn't compiled with libevent, they keep num-threads = 1. For memory, they have an interesting "t-shirt size" approach to calculating based on a few multipliers.
https://github.com/openwrt/packages/blob/master/net/unbound/files/unbound.sh#L723

I'm semi-obsessed with their config script and how we could make a UI page for the variables they define, then generate unbound.conf based on those settings stored in the new addon API settings file.
I’ve got my prototype of a script to generate unbound.conf based on custom values stored in the new Addon API config file if they exist, like Martineau has done with the easy/advanced menu mode sticky setting.

Now I need to persuade @Martineau to create a menu driven configuration system, or @Jack Yaz to create a UI to populate these settings via the API. Or both. :p

Derived from OpenWRT UCI here (I prepended unbound_ for the custom API namespace): https://github.com/openwrt/packages/tree/master/net/unbound/files#complete-list-of-uci-options
Code:
  UB_D_CONTROL=$(am_settings_get unbound_control); [ -z "$UB_D_CONTROL" ] && UB_D_CONTROL=1
  UB_B_DNSSEC=$(am_settings_get unbound_validator); [ -z "$UB_B_DNSSEC" ] && UB_B_DNSSEC=1
  UB_N_THREADS=$(am_settings_get unbound_num_threads); [ -z "$UB_N_THREADS" ] && UB_N_THREADS=1
  UB_D_VERBOSE=$(am_settings_get unbound_verbosity); [ -z "$UB_D_VERBOSE" ] && UB_D_VERBOSE=1
  UB_B_EXT_STATS=$(am_settings_get unbound_extended_stats); [ -z "$UB_B_EXT_STATS" ] && UB_B_EXT_STATS=1
  UB_D_PROTOCOL=$(am_settings_get unbound_protocol); [ -z "$UB_D_PROTOCOL" ] && UB_D_PROTOCOL=ip4_only
  UB_N_EDNS_SIZE=$(am_settings_get unbound_edns_size); [ -z "$UB_N_EDNS_SIZE" ] && UB_N_EDNS_SIZE=1280
  UB_N_RX_PORT=$(am_settings_get unbound_listen_port); [ -z "$UB_N_RX_PORT" ] && UB_N_RX_PORT=53535
  UB_D_RESOURCE=$(am_settings_get unbound_resource); [ -z "$UB_D_RESOURCE" ] && UB_D_RESOURCE=default
  UB_B_DNS64=$(am_settings_get unbound_dns64); [ -z "$UB_B_DNS64" ] && UB_B_DNS64=0
  UB_IP_DNS64=$(am_settings_get unbound_dns64_prefix); [ -z "$UB_IP_DNS64" ] && UB_IP_DNS64=64:ff9b::/96
  UB_D_RECURSION=$(am_settings_get unbound_recursion); [ -z "$UB_D_RECURSION" ] && UB_D_RECURSION=passive
  UB_B_QUERY_MIN=$(am_settings_get unbound_query_minimize); [ -z "$UB_B_QUERY_MIN" ] && UB_B_QUERY_MIN=1
  UB_B_QRY_MINST=$(am_settings_get unbound_query_min_strict); [ -z "$UB_B_QRY_MINST" ] && UB_B_QRY_MINST=0
  UB_B_HIDE_BIND=$(am_settings_get unbound_hide_binddata); [ -z "$UB_B_HIDE_BIND" ] && UB_B_HIDE_BIND=1
  UB_TTL_MIN=$(am_settings_get unbound_ttl_min); [ -z "$UB_TTL_MIN" ] && UB_TTL_MIN=120
  UB_D_PRIV_BLCK=$(am_settings_get unbound_rebind_protection); [ -z "$UB_D_PRIV_BLCK" ] && UB_D_PRIV_BLCK=1
  UB_B_LOCL_BLCK=$(am_settings_get unbound_rebind_localhost); [ -z "$UB_B_LOCL_BLCK" ] && UB_B_LOCL_BLCK=1
  UB_B_LOCL_SERV=$(am_settings_get unbound_localservice); [ -z "$UB_B_LOCL_SERV" ] && UB_B_LOCL_SERV=1
  UB_LIST_INSECURE=$(am_settings_get unbound_domain_insecure)
  UB_B_NTP_BOOT=$(am_settings_get unbound_validator_ntp); [ -z "$UB_B_NTP_BOOT" ] && UB_B_NTP_BOOT=1
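
The same default-on-missing pattern with a validation step, so that a malformed stored value never reaches unbound.conf. This is an added example, not the prototype's code: `get_setting` and `render_server_block` are hypothetical names, `am_settings_get` here is a stand-in for the firmware helper, and the sample settings file, numeric ranges and the mapping to unbound.conf options are constructed for illustration.

```shell
#!/bin/sh
# Added example: read addon settings, fall back to the default when a
# value is missing OR fails validation.

# Constructed sample settings file, one "key value" pair per line.
SETTINGS_FILE=$(mktemp)
trap 'rm -f "$SETTINGS_FILE"' EXIT
cat > "$SETTINGS_FILE" <<'EOF'
unbound_listen_port 70000
unbound_num_threads four
unbound_ttl_min 300
EOF

# Stand-in for the firmware's am_settings_get so this runs off-router
# (assumption: first matching line wins).
am_settings_get() {
    sed -n "s/^$1 //p" "$SETTINGS_FILE" | head -n 1
}

# get_setting KEY DEFAULT bool
# get_setting KEY DEFAULT int MIN MAX
# Prints the stored value if it is valid, otherwise DEFAULT.
get_setting() {
    key=$1; def=$2; kind=$3
    val=$(am_settings_get "$key")
    if [ -z "$val" ]; then echo "$def"; return 0; fi
    case $kind in
        bool) case $val in 0|1) ;; *) val= ;; esac ;;
        int)  case $val in
                  *[!0-9]*|??????*) val= ;;   # digits only, at most five
                  *) { [ "$val" -ge "$4" ] && [ "$val" -le "$5" ]; } || val= ;;
              esac ;;
        *)    val= ;;                          # unknown kind: never trust
    esac
    if [ -z "$val" ]; then
        echo "warning: bad value for $key, using default $def" >&2
        val=$def
    fi
    echo "$val"
}

# Ranges and option mapping are illustrative, not taken from the prototype.
render_server_block() {
    hide=no
    [ "$(get_setting unbound_hide_binddata 1 bool)" = 1 ] && hide=yes
    printf 'server:\n'
    printf '    port: %s\n' "$(get_setting unbound_listen_port 53535 int 1 65535)"
    printf '    num-threads: %s\n' "$(get_setting unbound_num_threads 1 int 1 8)"
    printf '    cache-min-ttl: %s\n' "$(get_setting unbound_ttl_min 120 int 0 3600)"
    printf '    hide-version: %s\n' "$hide"
}

render_server_block
```
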
 
+1 ...
especially if the script can recognise the router model it is being installed on and use optimal performance settings for that router by default.
 
@Martineau - personal thanks for v2.07 update - I'm sure that many others will find this useful if they can figure out how to find it ;).

I have just one remaining "issue" - which may or may not be something you can assist with?
Sadly - down South here in RSA - we have acute power generation problems ... so frequently suffer "load shedding" where electricity supply is terminated by designated geographic areas for 2 hours usually twice in a 24 hour period.
@thelonelycoder many moons ago rectified an issue with Diversion in response to a similar request.

The issue is the webUI "Eject USB Disk" function which - prior to install of unbound - was working fine with a complete and correct umount.
Diversion added some lines to unmount script in /jffs/scripts to fix the Eject function back then.
Does something similar need to be added to unmount script for unbound to let go of the USB?

When the power goes off - my APC UPS kicks in - but can't last the full 2 hours - so issues commands to gracefully shutdown powered devices.
In the case of the RT-AC86U - it simply sends an unmount command so my USB does not get corrupted when power supply terminates.
 
Sorry, been busy hacking the v2.07 release but yes, unbound started 4 lines before the NTP sync'd message in Syslog, so it doesn't always happen.

Yes I do recall the rejection "conversations" that the time check/spin-loop was appropriate.
I think @SomeWhereOverTheRainBow also proposed some similar code for the 'dnsmasq.postconf' script?
Time... Who needs time.... Stay tuned... I will give you my newEST improved suggestions later....
 
Code:
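start_monitor () {
  # Ignore SIGHUP so the monitor keeps running after the calling shell exits
  trap "" 1
  # Block until the firmware reports the clock as synced
  while [ "$(nvram get ntp_ready)" = "0" ]; do sleep 1; done
  local NW_STATE
  local RES_STATE
  while true; do
    # Reachability by IP and name resolution are tested separately
    ping 1.1.1.1 -c1 -W2 >/dev/null 2>&1
    NW_STATE=$?
    nslookup google.com >/dev/null 2>&1
    RES_STATE=$?
    if [ -f /opt/etc/init.d/S61unbound ]; then
      if [ -z "$(pidof unbound)" ]; then
        logger "Warning: unbound is dead"
        /opt/etc/init.d/S61unbound start
      # Network is up but lookups fail: the resolver is not answering
      elif [ "$NW_STATE" -eq 0 ] && [ "$RES_STATE" -ne 0 ]; then
        logger "Warning: unbound is not responding"
        /opt/etc/init.d/S61unbound start
      fi
    fi
    sleep 10
  done
}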

A monitor triggered by an init-start script, technically it can be called once unbound starts as well.
 
I awoke early this morning to upgrade a remote site to 384.15. I was not able to connect to the router's OpenVPN server when using unbound. I saw a message that OpenVPN was unable to resolve the hostname. Once I uninstalled unbound, I was able to make the connection. I'll do some more testing as I believe I was successful the day before connecting to two sites when I had unbound installed over an OpenVPN connection.

I still can't connect to my provider's OpenVPN server in LA. Unable to resolve the hostname. So far, that is the only location I have an issue with.
 
@Martineau I've tried to adapt the Stubby_Integration function to detect the built-in firmware support for Stubby before downloading from Entware. Please take a look in this commit in my fork to see if you want to include it. I'm not that good a scripter and I don't pretend the code works, but the ideas are there to support both Merlin and John's fork implementations of Stubby.

https://github.com/dave14305/Unbound-Asuswrt-Merlin/commit/0132e5424a950fad2f8ce476c63a88082b8725a9
Whilst the fate of the Stubby-Integration option in unbound_manager is still undecided, your pull-request will be incorporated in the v2.08 release.

Many thanks for looking out for those still running @john9527's 374.43 LTS releases.
 
At one point in time, many arguments ago, there used to be a check in S61unbound to verify NTP was synced (waiting 5 mins). Then a different time check and delay was moved to a separate S00netwait startup script. But I don't see that script being downloaded by the unbound_manager code, so it's more likely that Unbound could start before the clock is synced.

I've sent a pull request to @Jack Yaz to add an NTP check to S61unbound, which would wait for up to 60 seconds for NTP to sync before starting Unbound.

https://github.com/jackyaz/Unbound-Asuswrt-Merlin/pull/1
Many thanks, clearly this has fixed the incorrect unbound 'uptime' reported after the REBOOT.
 
Is the cpu/memory tweak reversible if one decides that he doesn't need it? It seems to be forced now with the upgrade not like before where you are asked
In 'easy' mode (the default when invoked from amtm), you are never prompted - see post #157, so to remove undesired options that are no longer deemed appropriate you have to uninstall unbound, and reinstall unbound with the desired options (or none).
And another question please, how do I start from scratch, it seems uninstall unbound/unbound_manager doesn't work right now.
o_Oo_O ???

Command
Code:
z  = Remove Existing unbound/unbound_manager Installation
should work? :confused:

The only minor uninstall issue (I'm aware of) - fixed in the (as yet unreleased) v2.08 release is the annoying dependency error that was introduced with the inclusion of 'unbound-checkconf' reinstated as an available package in the recent unbound v1.9.6 release
Code:
Existing unbound package found. Removing unbound
Removing package unbound-control-setup from root...
Removing package unbound-control from root...
Removing package unbound-anchor from root...
Removing package unbound-checkconf from root...
Collected errors:
 * print_dependents_warning: Package unbound-daemon is depended upon by packages:
 * print_dependents_warning:  unbound-checkconf
 * print_dependents_warning: These might cease to work if package unbound-daemon is removed.
 * print_dependents_warning: Force removal of this package with --force-depends.
 * print_dependents_warning: Force removal of this package and its dependents
 * print_dependents_warning: with --force-removal-of-dependent-packages.
 
 ***Error occurred when removing unbound
or are you reporting a different uninstall issue?
 
