Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[tomsk]

Disable DNS Privacy and try again. Or if it's enabled through Unbound Manager, disable it there.

its enabled throughout the GUI ... i'll turn it of and go again...

EDIT : well i have cycled dnsmasq bypass on and off half a dozen times with the DNS privacy off and its rock solid so far.... getting late for me now so will do some more testing tomorrow... thanks for your efforts guys.

EDIT EDIT : Well several switches back and forth this morning and its all rock solid... switching the DNS privacy back on i got a failure after three attempts... so looks like Stubby is indeed the bad boy here. I only left it on as i assumed it was a "don't care" setting as Unbound was bypassing it anyway.. probably good to add turning it off into the router settings recommendation for unbound.... don't know how you would deal with it from the unbound manager advanced stubby setup.

 

[juched]

Having been used to ad blocking for so long, it's a feature i wouldn't want to live without. Having used Diversion since it was called AB-Solution i have a certain affinity for it, however i would like to experiment with unbound adblocking too. Seeing as the two aren't really complementary, would it be possible to automate having unbound with the adblocking enabled when dnsmasq is bypassed, but turning off the unbound adblocking when dnsmasq is switched in to block with pixelserv and unbound as the authoritative server...... maybe not something many people would want i suppose, plumping for one or the other but there might be interest?

They are not really incompatible. Just that unbound uses more memory, and dnsmasq uses more memory when they load lists to block ads. You can completely run both and they shouldn't conflict. If dnsmasq as first right of refusal than diversion does the blocking, if you us dnsmasq disable, then unbound will do it.

 

[tomsk]

They are not really incompatible. Just that unbound uses more memory, and dnsmasq uses more memory when they load lists to block ads. You can completely run both and they shouldn't conflict. If dnsmasq as first right of refusal than diversion does the blocking, if you us dnsmasq disable, then unbound will do it.

Yes i understand, i wasn't meaning that they can't co exist. I was thinking more about the wasted memory.
If you are giving dnsmasq "first refusal" then what ever blocking list you have in memory for enabled unbound ad blocking would be duplication of effort (most likely using a very similar list of domains) just catching the dribble of domains missed by diversion. Similarly once you bypassed dnsmasq and did the ad blocking via unbound, the hostfile for dnsmasq would still be sitting in memory with no purpose.
I'm impressed by @Martineau efforts to enable flipping between the two with a simple command and just offered up the idea as icing on the cake, as he says, probably a niche use case, and maybe not worth the coding effort for the few that might want it.
Im pretty interested in the DNS firewall and see that as a potential complimentary feature to ad blocking through dnsmasq or though unbound which ever is active.

 

[joe scian]

Yes i understand, i wasn't meaning that they can't co exist. I was thinking more about the wasted memory.
If you are giving dnsmasq "first refusal" then what ever blocking list you have in memory for enabled unbound ad blocking would be duplication of effort (most likely using a very similar list of domains) just catching the dribble of domains missed by diversion. Similarly once you bypassed dnsmasq and did the ad blocking via unbound, the hostfile for dnsmasq would still be sitting in memory with no purpose.
I'm impressed by @Martineau efforts to enable flipping between the two with a simple command and just offered up the idea as icing on the cake, as he says, probably a niche use case, and maybe not worth the coding effort for the few that might want it.
Im pretty interested in the DNS firewall and see that as a potential complimentary feature to ad blocking through dnsmasq or though unbound which ever is active.

Im using DNS Firewall which has yet to have 1 hit in last 3 weeks since it was enabled - whereas Suricata has had 6 hits in last week an example below ( using the emerging-dos.rules file )

05/01/2020-11:00:00.761397  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 51.254.124.181:50723 -> 000.000.00.000:123

Suggest you look at Suricata as well

 

[tomsk]

Im using DNS Firewall which has yet to have 1 hit in last 3 weeks since it was enabled - whereas Suricata has had 6 hits in last week an example below ( using the emerging-dos.rules file )

05/01/2020-11:00:00.761397  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 51.254.124.181:50723 -> 000.000.00.000:123

Suggest you look at Suricata as well

Suricata looks very impressive IPS and a possible open source replacement for the trend micro closed source stuff. But i'm guessing all your hits will be on bad IP addresses rather than anything dns specific

 

[joe scian]

Suricata looks very impressive IPS and a possible open source replacement for the trend micro closed source stuff. But i'm guessing all your hits will be on bad IP addresses rather than anything dns specific

Each of the 6 hits ive had with Suricata are targeting NTP Server on port 123

 

[Martineau]

EDIT EDIT : Well several switches back and forth this morning and its all rock solid... switching the DNS privacy back on i got a failure after three attempts... so looks like Stubby is indeed the bad boy here. I only left it on as i assumed it was a "don't care" setting as Unbound was bypassing it anyway.. probably good to add turning it off into the router settings recommendation for unbound.... don't know how you would deal with it from the unbound manager advanced stubby setup.

I've upload v3.10 Hotfix Thanks @dave14305 / @tomsk

Version=3.10
Github md5=393057e8776994fc9bc120926ec8c81b​

HotFix: 'dnsmasq disable' tweak to make the switch 100% reliable. - Thanks @dave14305/@tomsk
Hotfix: 'dig' cmmand was hard-coded for Port 53535, so if bypassing dnsmasq, ensure dig uses port '53'

If you have time/motivation etc., could you test the Hotfix, but it is a hack given there is no logic as to why DNS Privacy (aka DoT) when permanently ENABLED, randomly prevents unbound from starting in dnsmasq bypass mode.

Ensure that DNS Privacy is ENABLED in the GUI.

NOTE: Caveat emptor:

• Whilst I convert the NVRAM 'dhcp_staticlist/dhcp_hostnames' pairs to unbound format (see '/opt/share/unbound/configs/unbound.conf.localhosts') I suspect this may need a rethink if you find some entries are missing.
  
• The dnsmasq bypass currently won't survive a reboot.

 

[tomsk]

I've upload v3.10 Hotfix Thanks @dave14305 / @tomsk

Version=3.10
Github md5=393057e8776994fc9bc120926ec8c81b​

HotFix: 'dnsmasq disable' tweak to make the switch 100% reliable. - Thanks @dave14305/@tomsk
Hotfix: 'dig' cmmand was hard-coded for Port 53535, so if bypassing dnsmasq, ensure dig uses port '53'

If you have time/motivation etc., could you test the Hotfix, but it is a hack given there is no logic as to why DNS Privacy (aka DoT) when permanently ENABLED, randomly prevents unbound from starting in dnsmasq bypass mode.

Ensure that DNS Privacy is ENABLED in the GUI.

NOTE: Caveat emptor:

• Whilst I convert the NVRAM 'dhcp_staticlist/dhcp_hostnames' pairs to unbound format (see '/opt/share/unbound/configs/unbound.conf.localhosts') I suspect this may need a rethink if you find some entries are missing.
  
• The dnsmasq bypass currently won't survive a reboot.

Hi Martineau ... unfortunately the bypass failed on first attempt with DNS Privacy enabled ... looks like the stubby is being restarted

May  6 14:17:58 RT-AC68U-4690 rc_service: service 21487:notify_rc stop_stubby
May  6 14:17:58 RT-AC68U-4690 custom_script: Running /jffs/scripts/service-event (args: stop stubby)
May  6 14:18:03 RT-AC68U-4690 rc_service: service 21621:notify_rc restart_dnsmasq
May  6 14:18:03 RT-AC68U-4690 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
May  6 14:18:03 RT-AC68U-4690 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May  6 14:18:03 RT-AC68U-4690 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May  6 14:18:04 RT-AC68U-4690 tOmsK: Failed to start unbound from .
May  6 14:18:05 RT-AC68U-4690 Diversion: restarted Dnsmasq to apply settings
May  6 14:18:05 RT-AC68U-4690 (dnsmasq.postconf): Updating /etc/dnsmasq.conf for unbound.....
May  6 14:18:05 RT-AC68U-4690 stubby[21870]: Read config from file /etc/stubby/stubby.yml

 

[dave14305]

If you have time/motivation etc., could you test the Hotfix, but it is a hack given there is no logic as to why DNS Privacy (aka DoT) when permanently ENABLED, randomly prevents unbound from starting in dnsmasq bypass mode.

Probably due to the watchdog interval between checks. It would be safer in my opinion to listen only on the LAN interface and 127.0.0.1. We don’t need or want Unbound also listening on the WAN interface, from a risk perspective. The firewall won’t allow the traffic from outside, but it’s safer to limit the exposure. Same for the access-control being open to any IP instead of just the LAN subnet and localhost.

There’s a strong undertow in these waters.

 

[Martineau]

Probably due to the watchdog interval between checks. It would be safer in my opinion to listen only on the LAN interface and 127.0.0.1. We don’t need or want Unbound also listening on the WAN interface, from a risk perspective. The firewall won’t allow the traffic from outside, but it’s safer to limit the exposure. Same for the access-control being open to any IP instead of just the LAN subnet and localhost.

There’s a strong undertow in these waters.

Sadly I have followed the advice promoted by (the SME...will I ever learn? ) @juched, so either @juched doesn't use DNS Privacy (DoT) , or he just got lucky?

 

[juched]

Sadly I have followed the advice promoted by (the SME...will I ever learn? ) @juched, so either @juched doesn't use DNS Privacy (DoT) , or he just got lucky?

Correct, I don’t use Stubby/DoT anymore since I use unbound as my recursive DNS and I didn’t want to complicate things during boot. Guess it helped avoid issues. Apologies if this caused issues.

 

[tomsk]

Probably due to the watchdog interval between checks. It would be safer in my opinion to listen only on the LAN interface and 127.0.0.1. We don’t need or want Unbound also listening on the WAN interface, from a risk perspective. The firewall won’t allow the traffic from outside, but it’s safer to limit the exposure. Same for the access-control being open to any IP instead of just the LAN subnet and localhost.

There’s a strong undertow in these waters.

So would changing the listen interface in the unbound conf file fix that?

# specify the interfaces to answer queries from by ip-address.
    # The default is to listen to localhost (127.0.0.1 and ::1).
    # specify 0.0.0.0 and ::0 to bind to all available interfaces.

 

[dave14305]

So would changing the listen interface in the unbound conf file fix that?

# specify the interfaces to answer queries from by ip-address.
    # The default is to listen to localhost (127.0.0.1 and ::1).
    # specify 0.0.0.0 and ::0 to bind to all available interfaces.

Yes, but I wouldn't recommend it if the unbound_manager script is intended to manipulate those parameters.

interface: 192.168.1.1
interface: 127.0.0.1
access-control: 0.0.0.0/0 refuse
access-control: 192.168.1.0/24 allow
access-control: 127.0.0.0/8 allow

This doesn't account for any IPv6 nor VPN access, so it's nothing more than a minimal config to test the theory with.

 

[Milan]

when i disable dnsmasq i am getting this error in unbound log:

May  6 15:53:26 RT-AX88U-F810 unbound: [19915:3] reply: 192.168.1.29 null TYPE0 CLASS0 REFUSED 0.000000 1 12

to be able to run unbound without dnsmasq i need to disable line :

server:
#include: "/opt/share/unbound/configs/unbound.conf.localhosts"

error is :

[1588773506] unbound-checkconf[24024:0] error: cannot parse private-domain:
[1588773506] unbound-checkconf[24024:0] error: Could not set private addresses
[1588773506] unbound-checkconf[24024:0] error: iterator: could not apply configuration settings.
[1588773506] unbound-checkconf[24024:0] fatal error: bad config for iterator module

mentioned file looks like :

# Replicate dnsmasq's local hosts

private-domain: ""

local-zone: "." static

what is a problem ?

 

[dave14305]

when i disable dnsmasq i am getting this error in unbound log:

May  6 15:53:26 RT-AX88U-F810 unbound: [19915:3] reply: 192.168.1.29 null TYPE0 CLASS0 REFUSED 0.000000 1 12

to be able to run unbound without dnsmasq i need to disable line :

server:
#include: "/opt/share/unbound/configs/unbound.conf.localhosts"

error is :

[1588773506] unbound-checkconf[24024:0] error: cannot parse private-domain:
[1588773506] unbound-checkconf[24024:0] error: Could not set private addresses
[1588773506] unbound-checkconf[24024:0] error: iterator: could not apply configuration settings.
[1588773506] unbound-checkconf[24024:0] fatal error: bad config for iterator module

mentioned file looks like :

# Replicate dnsmasq's local hosts

private-domain: ""

local-zone: "." static

what is a problem ?

You don't have a LAN Domain configured in the router, but the script assumes you do. You can set one on the LAN / LAN IP page in the router to get by for now (e.g. home.lan).

 

[Milan]

ok thanks.

now unbound is running and the names are resolved but still this in log :

May  6 15:53:26 RT-AX88U-F810 unbound: [19915:3] reply: 192.168.1.29 null TYPE0 CLASS0 REFUSED 0.000000 1 12

not nice as before it was. is it ok ? DNS resolving is ok. some names are resloved some not
and stats are on zero.

 

[dave14305]

ok thanks.

now unbound is running and the names are resolved but still this in log :

May  6 15:53:26 RT-AX88U-F810 unbound: [19915:3] reply: 192.168.1.29 null TYPE0 CLASS0 REFUSED 0.000000 1 12

not nice as before it was. is it ok ? DNS resolving is ok. some names are resloved some not
and stats are on zero.

I notice the default unbound.conf has a line:

access-control: 192.168.0.0/24 allow

but it should really be

access-control: 192.168.0.0/16 allow

But if you have the "access-control: 0.0.0.0/0 allow" enabled it should override it. Check with

grep "access-control:" /opt/var/lib/unbound/unbound.conf

 

[Milan]

grep returned :

#access-control: 0.0.0.0/0 allow
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/24 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow

i modified refuse to allow and voila its working fine now it seems, log is shoving normal info

thanks for pointing out.

 

[dave14305]

access-control: 192.168.0.0/24 allow

Or you can change /24 to /16. Glad it worked.

 

[Safemode]

I notice the default unbound.conf has a line:

access-control: 192.168.0.0/24 allow

but it should really be

access-control: 192.168.0.0/16 allow

But if you have the "access-control: 0.0.0.0/0 allow" enabled it should override it. Check with

grep "access-control:" /opt/var/lib/unbound/unbound.conf

Good catch Mr. dave14305. Do you also recommend adding the port after the interface ip's?
ex:

##@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53535                                 # v1.08 If 53 (Requires 'port=0' in '/etc/dnsmasq.conf') to answer queries direct from LAN clients
interface: 127.0.0.1@53535                  # v1.01 as per @dave14305 minimal config
interface: 192.168.1.1@53535
#port: 53 #NOdnsmasq                        # v1.08 https://www.snbforums.com/threads/unbound-gui-stats-including-top-blocked-top-replies-todays-replies.63188/
#interface: 0.0.0.0
#interface: 127.0.0.1@53
#access-control: 0.0.0.0/0 allow
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@