
Updated BETA v3.02 to call your rewritten DNS Firewall script API functions
Code:
e  = Exit Script

A:Option ==> rpz dev

Do you want to enable DNS Firewall?

    Reply 'y' or press [Enter]  to skip
y
    unbound_rpz.sh downloaded successfully Github 'dev/development' branch

Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.
######################################################################## 100.0%
Installed.

    unbound DNS Firewall ENABLED

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

 Shutting down unbound...              done.
 Starting unbound...              done.

Thank you. I think it is safe to merge to master, do you agree?

Also, how do you see the extended stats feature working? If they say extended, you seem to turn off DNS via dnsmasq and change the unbound port to 53. Seems like a plan to enable the new graphs and DNS replies table to work, and it would allow the stats to be collected including client_ip. But you also need to enable:

interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
log-replies: yes
log-local-actions: yes
log-tag-queryreply: yes

Do RPZ and extended stats survive a restart or a reinstall?
 
@juched,
The command is no longer present in 3.01 ...

I completely uninstalled and reinstalled unbound on both the ax88u and the ac86u. The installation on the ac86u ran without errors; on the ax88u the following error occurred during installation 6 (GUI).

Speichern von MD5 der installierten Datei /jffs/addons/unbound/unboundstats_www.asp zu /jffs/addons/unbound/www-installed.md5
awk: cmd. zeile:1: Division durch Null
Berechneter Cache-Treffer-Prozentsatz:
awk: cmd. line:1: Unerwartetes Token
Der DB wird ein neuer Wert hinzugefügt...
Fehler: Near Line 2: near ")": Syntaxfehler
Tägliche Daten werden berechnet...
Wöchentliche und monatliche Daten werden berechnet...
Histogramm-Leistungsdaten werden wiedergibt...
Antwortdaten werden wiedergegeben...

The total.xxx data is still NULL after x hours:

total.num.queries=0 total.requestlist.avg=0 total.recursion.time.median=0
total.num.queries_ip_ratelimited=0 total.requestlist.max=0 total.tcpusage=0
total.num.cachehits=0 total.requestlist.overwritten=0 msg.cache.count=20
total.num.cachemiss=0 total.requestlist.exceeded=0 rrset.cache.count=120
total.num.prefetch=0 total.requestlist.current.all=0 infra.cache.count=24
total.num.expired=0 total.requestlist.current.user=0 key.cache.count=6
total.num.recursivereplies=0 total.recursion.time.avg=0.000000
 

Thank you. I think it is safe to merge to master, do you agree?
Whoa..after you have spent so much time with the hidden intro....just added critical option.....:p
Code:
e  = Exit Script

A:Option ==> firewall ?

##
# (        ) (      (                               
# )\ )  ( /( )\ )   )\ )                         (  (
#(()/(  )\()|()/(  (()/( (  (     (  (  (      ) )\ )\
# /(_))((_)\ /(_))  /(_)))\ )(   ))\ )\))(  ( /(((_|(_)
#(_))_  _((_|_))   (_))_((_|()\ /((_|(_)()\ )(_))_  _
# |   \| \| / __|  | |_  (_)((_|_)) _(()((_|(_)_| || |
# | |) | .` \__ \  | __| | | '_/ -_)\ V  V / _` | || |
# |___/|_|\_|___/  |_|   |_|_| \___| \_/\_/\__,_|_||_|
## by @juched - DNS Firewall in Unbound (needs unbound 1.10.0+) - v1.1.0

unbound_rpz.sh
        install   - Starts the automatic download of data files
        download  - Download and reload the data files used for DNS Firewall
        uninstall - Stops the automatic download of data files, and clean up

Also, how do you see the extended stats feature working? If they say extended, you seem to turn off DNS via dnsmasq and change the unbound port to 53. Seems like a plan to enable the new graphs and DNS replies table to work, and it would allow the stats to be collected including client_ip. But you also need to enable:

Code:
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
log-replies: yes
log-local-actions: yes
log-tag-queryreply: yes
:eek::eek::eek::eek:Not for public consumption? :cool:...I doubt many want to go down this route?
P.S. I couldn't get it to work, but I might have another go if I get bored.:)

Do RPZ and extended stats survive a restart or a reinstall?
Restart YES
Update Reinstall only if you reply to keep existing 'unbound.conf'
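The 'Not for public consumption?' reaction to that stanza is the security point worth spelling out: 'interface: 0.0.0.0' together with 'access-control: 0.0.0.0/0 allow' tells unbound to answer every client on every address, so if the router's firewall ever exposes port 53 the box becomes an open resolver usable for amplification. Below is an added example (my own, not code from unbound_manager or unbound_rpz.sh) that flags that combination in an unbound.conf and, as a second sample, shows the same reply-logging options scoped to the LAN. Both sample configs are constructed here; 192.168.1.1 and 192.168.1.0/24 are assumed LAN values.

```shell
#!/bin/sh
# Added example (not from unbound_manager or unbound_rpz.sh): detect a
# world-open unbound 'server:' clause and show a LAN-scoped alternative.

# Print the value of every "key: value" line for key $1 in file $2,
# with '#' comments stripped first.
conf_values() {
    sed -e 's/#.*$//' "$2" | awk -v k="$1:" '$1 == k { print $2 }'
}

# Return 0 when the resolver is scoped, 1 when it listens on every address
# AND allows every client (0.0.0.0/0 or ::/0 with allow / allow_snoop).
check_unbound_exposure() {
    f=$1
    any_iface=0
    for v in $(conf_values interface "$f"); do
        case "$v" in
            0.0.0.0|0.0.0.0@*|::|::@*|::0|::0@*) any_iface=1 ;;
        esac
    done
    # access-control lines have two fields after the key: netblock and action
    world_allow=$(sed -e 's/#.*$//' "$f" | awk '
        $1 == "access-control:" && ($2 == "0.0.0.0/0" || $2 == "::/0") &&
        ($3 == "allow" || $3 == "allow_snoop") { n++ }
        END { print n + 0 }')
    if [ "$any_iface" -eq 1 ] && [ "$world_allow" -gt 0 ]; then
        echo "OPEN RESOLVER: $f listens on all interfaces and allows any client" >&2
        return 1
    fi
    echo "OK: $f is not world-open" >&2
    return 0
}

# Constructed sample 1: the extended-stats stanza as posted in the thread.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    log-replies: yes
    log-local-actions: yes
    log-tag-queryreply: yes
EOF

# Constructed sample 2: same logging, but bound to loopback and the LAN
# address only (192.168.1.1 / 192.168.1.0/24 are assumed router values).
SAFE_CONF=$(mktemp)
cat > "$SAFE_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    log-replies: yes
    log-local-actions: yes
    log-tag-queryreply: yes
EOF

for f in "$WEAK_CONF" "$SAFE_CONF"; do
    check_unbound_exposure "$f" || :
done
```

Point it at /opt/var/lib/unbound/unbound.conf to check a live install; a non-zero exit means the server clause is world-open and the access-control lines should be narrowed before leaving it running.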
 
@juched ....where in the adblock install (or file) do you specify your krozga list?

Your work is awesome and I am now very interested in using your setup....thanks

I add this line:
Code:
https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list

to /opt/share/unbound/configs/blocksites
 
Whoa..after you have spent so much time with the hidden intro....just added.....:p
Code:
e  = Exit Script

A:Option ==> rpz ?

##
# (        ) (      (                                
# )\ )  ( /( )\ )   )\ )                         (  (
#(()/(  )\()|()/(  (()/( (  (     (  (  (      ) )\ )\
# /(_))((_)\ /(_))  /(_)))\ )(   ))\ )\))(  ( /(((_|(_)
#(_))_  _((_|_))   (_))_((_|()\ /((_|(_)()\ )(_))_  _
# |   \| \| / __|  | |_  (_)((_|_)) _(()((_|(_)_| || |
# | |) | .` \__ \  | __| | | '_/ -_)\ V  V / _` | || |
# |___/|_|\_|___/  |_|   |_|_| \___| \_/\_/\__,_|_||_|
## by @juched - DNS Firewall in Unbound (needs unbound 1.10.0+) - v1.1.0

unbound_rpz.sh
        install   - Starts the automatic download of data files
        download  - Download and reload the data files used for DNS Firewall
        uninstall - Stops the automatic download of data files, and clean up


:eek::eek::eek::eek:Not for public consumption? :cool:...I doubt many want to go down this route?
P.S. I couldn't get it to work, but I might have another go if I get bored.:)


Restart YES
Update Reinstall only if you reply to keep existing 'unbound.conf'

May as well add some ascii art right? :)

Ok, for now the new stats and DNS lookups table can be left to those wanting to use the dev branch. If you want help to get it working for you please let me know. For now I will need to keep those entries in my conf.add file. I need to merge my setup up to your 3.02 script tonight, and clean up my conf.add.
 
May as well add some ascii art right? :)

Ok, for now the new stats and DNS lookups table can be left to those wanting to use the dev branch. If you want help to get it working for you please let me know. For now I will need to keep those entries in my conf.add file. I need to merge my setup up to your 3.02 script tonight, and clean up my conf.add.
I have made an executive decision, and will rename the esoteric 'rpz' command to 'firewall', and will publicly push v3.02 later.
 
Agree, which is why I made it a file that you can add more sources to for yourself, and the script will keep it up to date too.
That being said, urlhaus is almost the perfect solution for me anyways. It is small and focused, ONLY currently live malware sites AND those found in the last 48 hours. With a quick 15 minute update, it protects you quickly from new sites found, and I checked, the RPZ file has updates from today, so it is up to date every 5 minutes.

Then I use https://github.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites in my gen_adblock list. It includes the longer term items, but only updated nightly, as they don't change as often.

I think that makes a good mix.

-- edit ---

Good presentation of the benefits of DNS Firewall:
https://www.first.org/resources/papers/kathmandu2018/11-SumonSaha-DNS-Firewall-with-RPZ-bdcert.pdf

This is also a benefit of diversion if you choose sources with malware sites.

No issue about the usefulness of RPZ; there are many web sites and presentations about it. I was purely making a point.
I even found a site where the Steven Black list is published in RPZ format, which is actually nice since it standardizes how we can deploy and manage malware, bots and adblock sites with separate zones.
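Since the thread keeps coming back to plain domain lists (the hacked-domains.list added to blocksites, the Steven Black list republished as RPZ), here is an added example of the conversion itself, written for this post rather than taken from unbound_manager or unbound_rpz.sh: it turns a one-domain-per-line list into an RPZ zone (NXDOMAIN for the name and all its subdomains), counts the rules, and prints the unbound 1.10+ 'rpz:' stanza that loads it. The zone name rpz.local, the sample list (reserved .example/.test names only) and the temp-file paths are my assumptions.

```shell
#!/bin/sh
# Added example (not from unbound_manager or unbound_rpz.sh): turn a plain
# "one domain per line" block list into an RPZ zone and print the matching
# unbound 'rpz:' stanza. Zone name and file paths are assumed values.

# Read $1 (domain list; '#' comments and blank lines allowed) and write an
# RPZ zone to stdout with origin $2. Each domain becomes two rules:
#   name    CNAME .   -> NXDOMAIN for the name itself
#   *.name  CNAME .   -> NXDOMAIN for every subdomain
domains_to_rpz() {
    list=$1
    origin=$2
    serial=$(date -u +%Y%m%d%H)
    printf '$TTL 300\n'
    printf '@ IN SOA localhost. hostmaster.%s. ( %s 3600 900 604800 300 )\n' "$origin" "$serial"
    printf '@ IN NS localhost.\n'
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$list" |
    tr 'A-Z' 'a-z' | grep -v '^$' | sort -u |
    while read -r d; do
        # only hostname characters, no leading/trailing/doubled dots
        case "$d" in
            *[!a-z0-9.-]*|.*|*.|*..*)
                echo "skipping malformed entry: $d" >&2
                continue ;;
        esac
        printf '%s CNAME .\n' "$d"
        printf '*.%s CNAME .\n' "$d"
    done
}

# Count the block rules in an RPZ zone read from stdin (SOA/NS are not rules).
rpz_rule_count() {
    grep -c ' CNAME \.$'
}

# Print the unbound 1.10+ stanza that loads zone file $2 under policy name $1.
# The server: clause must also load the respip module, e.g.
#   module-config: "respip validator iterator"
rpz_stanza() {
    printf 'rpz:\n    name: "%s"\n    zonefile: "%s"\n    rpz-log: yes\n    rpz-log-name: "%s"\n' "$1" "$2" "$1"
}

# Constructed sample list: duplicates, mixed case, a comment and a bad entry.
LIST=$(mktemp)
cat > "$LIST" <<'EOF'
# hacked-domains style list (constructed, reserved names only)
bad.example
BAD.EXAMPLE
malware.test
not a domain!
EOF

ZONE=$(mktemp)
domains_to_rpz "$LIST" rpz.local > "$ZONE"
cat "$ZONE"
echo "rules: $(rpz_rule_count < "$ZONE")"
rpz_stanza rpz.local "$ZONE"
```

The serial is the current UTC hour, so a re-run of the conversion after a list update always produces a newer zone; validate the result with unbound-checkconf after adding the stanza, and keep a zone like this separate from the urlhaus one so each source can be logged and disabled on its own.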
 
@juched,
The command is no longer present in 3.01 ...

I completely uninstalled and reinstalled unbound on both the ax88u and the ac86u. The installation on the ac86u ran without errors; on the ax88u the following error occurred during installation 6 (GUI).

Speichern von MD5 der installierten Datei /jffs/addons/unbound/unboundstats_www.asp zu /jffs/addons/unbound/www-installed.md5
awk: cmd. zeile:1: Division durch Null
Berechneter Cache-Treffer-Prozentsatz:
awk: cmd. line:1: Unerwartetes Token
Der DB wird ein neuer Wert hinzugefügt...
Fehler: Near Line 2: near ")": Syntaxfehler
Tägliche Daten werden berechnet...
Wöchentliche und monatliche Daten werden berechnet...
Histogramm-Leistungsdaten werden wiedergibt...
Antwortdaten werden wiedergegeben...

The total.xxx data is still NULL after x hours:

total.num.queries=0 total.requestlist.avg=0 total.recursion.time.median=0
total.num.queries_ip_ratelimited=0 total.requestlist.max=0 total.tcpusage=0
total.num.cachehits=0 total.requestlist.overwritten=0 msg.cache.count=20
total.num.cachemiss=0 total.requestlist.exceeded=0 rrset.cache.count=120
total.num.prefetch=0 total.requestlist.current.all=0 infra.cache.count=24
total.num.expired=0 total.requestlist.current.user=0 key.cache.count=6
total.num.recursivereplies=0 total.recursion.time.avg=0.000000

The fact this metric remains at 0 "total.num.queries=0" after a few hours means that unbound itself isn't tracking stats. This should be a base stat as well, not even extended.

What do you get when you run "unbound-control stats_noreset" directly from the bash shell, not from inside unbound_manager menu.

It could also mean that no DNS requests are making it to your unbound and you are still getting responses from dnsmasq. Also surprised that my English comments got translated to German in the logs :)

Did you keep your old conf file during the re-install? Try running the i command again and do not keep the existing unbound.conf file; let it download and try again.
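The 'Division durch Null' line in the install output above comes from the cache-hit percentage being computed while total.num.queries is still 0, and juched's diagnosis is that zero queries means nothing is reaching unbound at all. As an added example (mine, not the manager's code), the following parses 'unbound-control stats_noreset' style key=value output, guards the division, and separates "unbound is idle" from "cache is cold"; both stats samples are constructed from the numbers in the thread.

```shell
#!/bin/sh
# Added example (not from unbound_manager): read the key=value output of
# 'unbound-control stats_noreset', compute the cache-hit percentage without
# dividing by zero, and tell "unbound is idle" apart from "cache is cold".

# Print the value of key $1 from stats text $2. Accepts one pair per line
# (as unbound-control prints) or several per line (as the manager columns them).
stat_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        { for (i = 1; i <= NF; i++) { split($i, kv, "="); if (kv[1] == k) { print kv[2]; exit } } }'
}

# Print cachehits/queries as a percentage with one decimal, or "n/a" with
# exit status 1 when total.num.queries is 0 (the case the awk in the thread
# tripped over).
cache_hit_pct() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] } }
        END {
            q = v["total.num.queries"] + 0
            h = v["total.num.cachehits"] + 0
            if (q == 0) { print "n/a"; exit 1 }
            printf "%.1f\n", 100 * h / q
        }'
}

# One-line verdict for the stats text in $1; exit 1 when unbound saw nothing.
diagnose_stats() {
    pct=$(cache_hit_pct "$1") || {
        echo "no queries reached unbound (total.num.queries=0): clients are still answered by dnsmasq, or the forward port is wrong"
        return 1
    }
    echo "unbound is serving queries, cache hit rate ${pct}%"
}

# Constructed sample 1: the all-zero block from the thread (unbound idle).
ZERO_STATS='total.num.queries=0 total.requestlist.avg=0 total.recursion.time.median=0
total.num.cachehits=0 total.requestlist.overwritten=0 msg.cache.count=20
total.num.cachemiss=0 total.requestlist.exceeded=0 rrset.cache.count=120'

# Constructed sample 2: a resolver that answered 400 queries, 300 from cache.
LIVE_STATS='total.num.queries=400
total.num.cachehits=300
total.num.cachemiss=100
total.num.recursivereplies=100'

diagnose_stats "$ZERO_STATS" || :
diagnose_stats "$LIVE_STATS"
```

To use it on the router, feed it the live output: diagnose_stats "$(unbound-control stats_noreset)". A persistent "n/a" after clients have been browsing confirms the dnsmasq/port problem rather than a stats bug, while a low but non-zero percentage just means the cache has not warmed up yet.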
 
I've uploaded v3.02

Version=3.02
Github md5=b89b0ebbbc876a1e2bf743c21088fee7

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' **Not required** if already using 'unbound.conf' v1.09

Code:
CHANGE: unbound v1.10.0 introduced RPZ aka DNS Firewall, and the 'rpz' command used in the Beta is now changed to 'firewall' to ENABLE/DISABLE to manage the feature.
        @juched's 'unbound_rpz.sh' script is now used to configure the DNS Firewall, together with a cron job
        (Retrieves the appropriate RPZ aka DNS Firewall configuration files every 15 minutes to ensure timely blocking of the most critical threats.)
        NOTE: **Available only in Advanced mode**
 
Updated to v3.02. Selected “firewall” but get an error from unbound_rpz.sh.
Error message is line 32:cant open /opt/share/unbound/config/rpzsites.
Do I need to setup rpzsites manually first?
 
I just upgraded to 3.02 - the upgrade completed without errors. However when I tried enabling the DNS firewall, here is what I see:
Do you want to enable DNS Firewall?

Reply 'y' or press [Enter] to skip
y
unbound_rpz.sh downloaded successfully

Unbound-RPZ.sh - V1.0.1 running...
/jffs/addons/unbound/unbound_rpz.sh: line 32: can't open /opt/share/unbound/configs/rpzsites: no such file

unbound DNS Firewall ENABLED

Any suggestion?

Edit: Also, Ad and Tracking Blocking got uninstalled. Manually reinstalled from the easy menu and now back to normal.
 
Updated to v3.02. Selected “firewall” but get an error from unbound_rpz.sh.
Error message is line 32:cant open /opt/share/unbound/config/rpzsites.
Do I need to setup rpzsites manually first?
I don't think @juched has copied his script from his GitHub dev area

Try
Code:
e  = Exit Script

A:Option ==> firewall dev
 
I just upgraded to 3.02 - the upgrade completed without errors. However when I tried enabling the DNS firewall, here is what I see:

Any suggestion?
see post #1354

Edit: Also, Ad and Tracking Blocking got uninstalled. Manually reinstalled from the easy menu and now back to normal.
I don't think that is possible? o_O, but I'll take a look.

P.S. Use 'adblock' in 'Advanced' mode....seem to have lost the menu entry:rolleyes:
 
I don't think @juched has copied his script from his GitHub dev area

Try
Code:
e  = Exit Script

A:Option ==> firewall dev
No, still doesn’t create rpzsites. This time the error is reported on line 150 :)
 
No, still doesn’t create rpzsites. This time the error is reported on line 150 :)
Does

'/opt/share/unbound/configs/'
exist?
 
fixed. Also get same error with firewall as JGrana
 
Does

'/opt/share/unbound/configs/'
exist?
Yes, contains one directory - adblock (which is empty) and 2 files - reset.conf and user.conf
 
Unbound fails to start for me.

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
Starting unbound... failed.
Checking status, please wait.....
***ERROR unbound went AWOL after 1 seconds.....
Try debug mode and check for unbound.conf or runtime errors!
unbound-control: symbol lookup error: unbound-control: undefined symbol: rpz_action_to_string
Starting unbound... failed.
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
Starting unbound... failed.
Checking status, please wait.....
***ERROR unbound went AWOL after 1 seconds.....
Try debug mode and check for unbound.conf or runtime errors!
Manual install unbound Customisation complete 0 minutes and 50 seconds elapsed - Please wait for up to 10 seconds for status.....
***ERROR unbound went AWOL after 1 seconds.....
***ERROR Unsuccessful installation of unbound detected
Apr 13 23:45:22 (dnsmasq.postconf): Updating /etc/dnsmasq.conf for unbound.....
Apr 13 23:45:23 (unbound_manager): 32766 ***ERROR unbound went AWOL after 1 seconds.... Try debug mode and check for unbound.conf or runtime errors!
unbound: symbol lookup error: unbound: undefined symbol: log_ident_set_default
see post #3
 
