Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Thanks, removing and reinstalling unbound did the trick.
Edit:
No, now it says
Code:
/jffs/addons/unbound/unbound_manager.sh: line 3257: unbound-checkconf: not found
Trying again to uninstall, reboot, reinstall...

Can't install anymore... Installation always stops here:
Code:
A:Option ==> i

        Router Configuration recommended pre-reqs status:

        [✔] Swapfile=2097148 kB
        [✔] DNS Filter=ON
        [✔] DNS Filter=ROUTER
        [✔] WAN: Use local caching DNS server as system resolver=NO
        [✔] Enable local NTP server=YES
        [✔] Enable DNS Rebind protection=NO
        [✔] Enable DNSSEC support=NO

        Options: unbound Advanced install - User will be prompted to install options


INSTALLing unbound
Entware package list successfully updated
Installing unbound-checkconf (1.10.0-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/unbound-checkconf_1.10.0-2_armv7-2.6.ipk
Installing libunbound-light (1.10.0-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/libunbound-light_1.10.0-2_armv7-2.6.ipk
Installing unbound-control-setup (1.10.0-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/unbound-control-setup_1.10.0-2_armv7-2.6.ipk
Installing unbound-daemon (1.10.0-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/unbound-daemon_1.10.0-2_armv7-2.6.ipk
Installing unbound-control (1.10.0-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/unbound-control_1.10.0-2_armv7-2.6.ipk
Package unbound-control (1.10.0-2) installed in root is up to date.
Installing unbound-anchor (1.10.0-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/unbound-anchor_1.10.0-2_armv7-2.6.ipk
Package unbound-daemon (1.10.0-2) installed in root is up to date.
Configuring unbound-daemon.
Configuring unbound-control.
Configuring unbound-control-setup.
Configuring unbound-anchor.
Collected errors:
 * check_data_file_clashes: Package libunbound-light wants to install file /opt/lib/libunbound.so.8
        But that file is already provided by package  * libunbound
 * opkg_install_cmd: Cannot install package unbound-checkconf.


        ***ERROR occurred installing unbound

Edit:
I did
Code:
opkg remove libunbound
Then I could install unbound again.
And that fixed it for me. :D
 
Whenever they rename packages (e.g. libunbound to libunbound-light) it seems to create problems upgrading. :mad::)
 
I came here a little backward (I have to read all the new posts first!). :)

I checked for updates via amtm and showed a bunch for Entware. That first batch updated with no issues.

However, after a further update check with amtm 'u', it showed an Unbound-daemon update to 1.10.0-2. Which kept failing to update.

I then checked unbound_manager and found that it was failing to start. I then went into the advanced settings and stopped Unbound 'x'.

When I finally read all the posts above, I followed the code @bluzfanmr1 posted above and checked for updates and this time it 'took'. :)

I then went and issued a restart 'rs' command for unbound_manager and all is right again.

Thank you one and all!

Happy Easter to everyone. :)
 
I had issues so I did the following:

Code:
opkg remove --force-depends libunbound
Removing package libunbound from root...

I then ran "i" to reinstall and everything now works.
Thanks, helped me resolve what the Entware update created.
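The failures above all come from the same thing: the old `libunbound` package and its renamed successor `libunbound-light` both installed and both claiming `/opt/lib/libunbound.so.8`, so opkg refuses to install `unbound-checkconf`. The script below is an added example (not code from the unbound_manager project or from any post in this thread) that flags such pairs before an Entware update by scanning `opkg list-installed` output for a package whose `<name>-light` twin is also present. The sample package list, including its version strings, is constructed for the demo; on a router you would feed it the real output as shown in the comment.

```shell
#!/bin/sh
# Added example, not code from the unbound_manager project or the posts above.
# Pre-update check: find installed packages that coexist with a renamed
# "-light" variant of themselves (libunbound / libunbound-light in this
# thread). Both ship the same shared library, so opkg reports
# check_data_file_clashes and the dependent package fails to install.
# The name-based rule is a heuristic: it only catches the "-light" rename.

# Read "name - version" lines (the opkg list-installed format) on stdin and
# print "old new" for every package whose "<name>-light" twin is also listed.
opkg_rename_clash() {
    awk '{ pkg[$1] = 1 }
         END { for (p in pkg) if ((p "-light") in pkg) print p, p "-light" }' | sort
}

# Convenience wrapper taking the listing as an argument. On a router run:
#   opkg_clash_report "$(opkg list-installed)"
opkg_clash_report() {
    printf '%s\n' "$1" | opkg_rename_clash
}

# Constructed sample of an opkg list-installed listing (versions are made up).
SAMPLE_INSTALLED='libunbound - 0.0.0-placeholder
libunbound-light - 1.10.0-2
unbound-control - 1.10.0-2
unbound-daemon - 1.10.0-2
diversion - 0.0.0-placeholder'

# Report each clash together with the fix the thread converged on.
opkg_clash_report "$SAMPLE_INSTALLED" | while read -r old new; do
    echo "clash: $old and $new are both installed;"
    echo "       remove the old one first (opkg remove --force-depends $old), then reinstall unbound with 'i'"
done
```

The check only reads package names, so it is safe to run at any time; it prints nothing when no renamed pair is installed.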
 
Bottom line, is updating entware going to break my unbound setup? Or is it just a matter of manual intervention or is it a problem that the entware team needs to fix, in which case I will patiently wait.
 
@Centrifuge see my post (two above yours). :)

Nothing to worry about if you have a keyboard and you can copy/paste. :) :) :)
 
fighting my hand
So I did it in a slightly different order than L&LD:
1. stopped unbound using "x" in unbound manager.
2. executed
Code:
opkg remove --force-depends libunbound
3. updated entware packages via amtm.
4. selected option 1 in unbound manager to update.

No error messages, packages all installed first time. Unbound 1.10 running.
 
There is no '1' in unbound_manager to update?

Do you mean 'i'? :)

There are no updates to unbound_manager. You just needed to restart it 'rs'.

But as long as it worked, all good. :)
 
Do you mean 'i'?
no "i" just 1 = Update unbound Installation. Maybe because I killed unbound before doing the entware upgrade. Post upgrade example:
[attachment: Screen Shot 2020-04-10 at 9.15.37 AM.png]
 
As shown in post #1, when you access 'unbound_manager' v2.xx from amtm you are started in 'Easy' (rather than 'Advanced') menu mode, unless you have set the amtm persistent 'Advanced' mode flag.
 
I'm sure I'm missing a step somewhere but where is the option to turn on "extended statistics"? Don't have any data to show in the Performance Histogram or DNS Answers to Queries section of the unbound gui. I've looked thinking it was advanced option then S and then S=all but that didnt work.
 
I'm sure I'm missing a step somewhere but where is the option to turn on "extended statistics"? Don't have any data to show in the Performance Histogram or DNS Answers to Queries section of the unbound gui. I've looked thinking it was advanced option then S and then S=all but that didnt work.
Code:
s+
 
It seems that with Unbound 1.10 we now have access to use RPZ (Response Policy Zones).
Lots of details here: https://dnsrpz.info/

The short of it is, unbound can now take commands to redirect or block bad sites based on domain or based on IP which would be found. Very powerful, and may need to consider re-doing adblock based on this. This makes unbound a DNS Firewall.

But for now, I wanted to see if this could be used to block bad sites (malware/phishing etc). So I played around with setting it up.

First you need to modify the module-config add respip:
Code:
module-config: "respip validator iterator"

Next you need to add in RPZ sections for the servers/services you want to use. Many are pay, but I tried out a base DROP list from Spamhaus. They describe why it is free as "The DROP list contains network ranges which can cause so much damage to internet users that Spamhaus provides it to all, free-of-charge, to help mitigate this damage."

So, to enable it, in a mode where it uses IXFR and AXFR to sync directly from the master, add this to your unbound.conf file:
Code:
rpz:
   name: "drop.rpz.spamhaus.org"
   master: 35.156.219.71
   master: 34.194.195.25
   zonefile: "/opt/var/lib/unbound/db.drop.rpz.spamhaus.org"
   rpz-log: yes
   rpz-log-name: "drop.rpz.spamhaus.org"

if you lookup the following test URL, you should see an item in the log:
Code:
drop.rpz.spamhaus.org.rpz-test.spamhaus.zone

log:
info: RPZ applied [drop.rpz.spamhaus] drop.rpz.spamhaus.org.rpz-test.spamhaus.zone. nxdomain ...

It seems hit and miss right now for getting it to work. Sometimes the file is downloaded, sometimes not.... still looking at that.

Another config I am trying, but it isn't working yet is:
Code:
rpz:
   name: rpz.urlhaus.abuse.ch
   url: "http://urlhaus.abuse.ch/downloads/rpz/"
   zonefile: "/opt/var/lib/unbound/db.rpz.urlhaus.abuse.ch"
   rpz-log: yes
   rpz-log-name: "rpz.urlhaus.abuse.ch"
   rpz-action-override: nxdomain

If I download the file manually via wget on the router it works just fine, but it isn't downloaded automatically. Also, https download isn't working.


Good article here: https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26
 
Very interesting post. Thank you for taking the time to so elegantly lay all these details out. I look forward to hearing more of your findings or helping out in any way.
 
I appreciate the huge work done on this script.
However, after I tested the unbound_manager on my RT-AC88U, I must admit that for me - even though I read the 62 pages of this thread - it is still too unclear whether it would make sense for me to use it (leaving aside the known pros/cons arguments for a resolver) or not.
Open questions remaining:
1. Why do I need to activate the DNS-filter to run it?
2. HOWTO missing: How to set @Merlin's DNS-related WAN-Settings (DNSSEC, DOH, DNS Privacy Protocol (DOT), Predefined DOT-Servers) when I installed unbound_manager?
3. The default installations of many people here in the forum is to run Skynet and Diversion.
4. How to set individual root servers even though I wanna use Country blocking in Skynet?
The provided FAQ (second post in this thread) is not really explaining (just 2 sentences) how to best set that combination with unbound_manager (Remove Diversion and use advanced add settings)?
Sorry, I am not so skilled to review the code to provide suitable answers helping more novice users.
 
1. Why do I need to activate the DNS-filter to run it?
You do not need to. It is needed only if you want to enforce all LAN clients to use Unbound and/or Diversion.
How to set @Merlin's DNS-related WAN-Settings (DNSSEC, DOH, DNS Privacy Protocol (DOT), Predefined DOT-Servery when I installed unbound_manager?
Set them how you want in the case you aren’t using Unbound. Unbound won’t use these settings once it starts (unless you choose Stubby integration, then DoT servers should be populated with your favorite servers).
3. The default installations of many people here in the forum is to run Skynet and Diversion.
Mine too. Works fine with Unbound (I don’t use Adblock in Unbound).
4. How to set individual root servers even though I wanna use Country blocking in Skynet?
I do not know if that is possible. I wonder if you can just edit the root.hints file? But I don’t think it’s likely to work.
 
If I download the file manually via wget on the router it works just fine, but it isn't downloaded automatically.

Code:
rpz:
   name: rpz.urlhaus.abuse.ch
   url: "http://urlhaus.abuse.ch/downloads/rpz/"
   zonefile: "/opt/var/lib/unbound/db.rpz.urlhaus.abuse.ch"
   rpz-log: yes
   rpz-log-name: "rpz.urlhaus.abuse.ch"
   rpz-action-override: nxdomain

According to the tutorial

"URLhaus, cracked 200,000 malware URLs tracked. The majority of the malware sites tracked by URLhaus are related to Emotet (aka Heodo), followed by Mirai, Gafgyt and Gozi ISFB (aka Ursnif). But there are many other threats being tracked with the help of the infosec community. There are several ways how to utilize the data generated by the community to protect your network and users.

The URLhaus RPZ gets updated every 5 minutes and excludes the Alexa Top 1M sites to reduce the amount of false positives."

so it implies that a manual download is required/recommended anyway?
 
According to the tutorial

"URLhaus, cracked 200,000 malware URLs tracked. The majority of the malware sites tracked by URLhaus are related to Emotet (aka Heodo), followed by Mirai, Gafgyt and Gozi ISFB (aka Ursnif). But there are many other threats being tracked with the help of the infosec community. There are several ways how to utilize the data generated by the community to protect your network and users.

The URLhaus RPZ gets updated every 5 minutes and excludes the Alexa Top 1M sites to reduce the amount of false positives."

so it implies that a manual download is required/recommended anyway?

The unbound docs indicate that if you specify a URL it will download based on the SOA timer. Unsure of that yet.
 