Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


You switch to unbound as your primary DNS by using the dnsmasq disable command in the unbound manager.
Then your client machines will make their DNS requests directly to unbound rather than going via dnsmasq.
You will see in your unbound log that each device request will now show its IP rather than every request coming from dnsmasq on 127.0.0.1. You don't need to change your WAN DNS settings.

Correct. Unbound needs to be the primary handler of DNS requests to know who is asking. So dnsmasq disable is needed.

OR you could look at the dnsmasq logs.
 
Yes, you got it. If you use allowhosts or blockhosts in the share folder it ensures it is or isn't in the adserver file.

Unsure what issue you are having?
No issues at all now that I understand how it works!! I probably wasn't making the changes stick by not running adblock after making changes in allowhost and blockhost. All I was doing was running rl. And I was making changes to those files using WinSCP - not the inbuilt nano. Perhaps if you use those inbuilt utilities then gen_adblock.sh gets invoked after making changes?
 
Getting the same error message on the latest 3.16 version.

This has just started to happen, possibly GitHub is the problem ???!!!

Code:
 Version=3.16  (Change Log: https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/commits/master/unbound_manager.sh)
 Local                                    md5=4f8cfe846cd233adf7252e2cc693da40
 Github                                   md5=
 /jffs/addons/unbound/unbound_manager.md5 md5=4f8cfe846cd233adf7252e2cc693da40
Possibly...or I shot myself in the foot again:rolleyes:

i.e. For me, normally for both Github cURL requests to complete takes a total of 1 second:
Code:
+ date +%s
+ local START_TIME=1590447645

+ curl -fLN --retry 3 --connect-timeout 3 https://raw.githubusercontent.com/MartineauUK/unbound-Asuswrt-Merlin/master/unbound_manager.sh

+ tr -d "
+ sed s/VERSION\=//
+ grep -E ^VERSION
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  266k  100  266k    0     0   523k      0 --:--:-- --:--:-- --:--:--  618k
+ REMOTE_VERSION_NUMDOT=3.16
+ [ -z 3.16 ]
+ [ 3.16 == ?.?? ]
+ curl -fL --retry 3 --connect-timeout 3 https://raw.githubusercontent.com/MartineauUK/unbound-Asuswrt-Merlin/master/unbound_manager.sh
+ md5sum
+ awk {print $1}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  266k  100  266k    0     0   960k      0 --:--:-- --:--:-- --:--:--  970k
+ remotemd5=5dce81880f662a81b709567f38371d75
+ echo 3.16
+ sed s/[^0-9]*//g
+ REMOTE_VERSION_NUM=316

+ date +%s
+ local END_TIME=1590447646

+ local DIFFTIME=1
When developing 'unbound_mangler' features, when I bork the script, I personally really don't see the point of waiting unnecessarily with half a menu drawn on-screen, so I thought 3 seconds wouldn't unduly try anyone's patience.

However, a busy Github may legitimately not respond within 3 seconds, so surely 10-12 seconds should be ample?

So now when things go wrong......it waits 10-12 seconds for just the first one (no point in trying the second) of the cURL request pair to fail:
Code:
+ date +%s
+ local START_TIME=1590445396

+ curl -fLN --retry 3 --connect-timeout 3 https://raw.githubusercontent.com/MartineauUK/unbound-Asuswrt-Merlin/master/unbound_manager.sh

+ tr -d "
+ grep -E ^VERSION
+ sed s/VERSION\=//
curl: (6) Couldn't resolve host 'raw.githubusercontent.com'
Warning: Transient problem: timeout Will retry in 1 seconds. 3 retries left.
curl: (6) Couldn't resolve host 'raw.githubusercontent.com'
Warning: Transient problem: timeout Will retry in 2 seconds. 2 retries left.
curl: (6) Couldn't resolve host 'raw.githubusercontent.com'
Warning: Transient problem: timeout Will retry in 4 seconds. 1 retries left.
curl: (6) name lookup timed out
+ REMOTE_VERSION_NUMDOT=
+ [ -z  ]
+ echo -e \e[0m\e[41m\a\t***ERROR Unable to verify Github version...check DNS/Internet access!\n\e[0m
    ***ERROR Unable to verify Github version...check DNS/Internet access!
+ REMOTE_VERSION_NUMDOT=

+ date +%s
+ local END_TIME=1590445407

+ local DIFFTIME=11
which is an eternity when nothing happens/changes on screen.:eek:

Anyway, hopefully the false-positives should have now been eliminated.
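A version check that avoids the false positive shown in the traces above: the empty `Github md5=` came from a failed download being compared as if it were a real file. This is an added example, not unbound_manager's own update code; the only thing it takes from the page is the raw.githubusercontent.com URL. `--max-time` bounds the whole transfer (`--connect-timeout` alone does not cap a stalled body), and a download that is empty or has no `VERSION=` line (an HTML error page, say) is reported as "could not verify" rather than as a pending update. The md5 only detects that the local copy has drifted from master; integrity against tampering in transit rests on the TLS connection, not on the hash.

```shell
#!/bin/sh
# Added example, not unbound_manager's own code: fetch the remote script once,
# with a hard upper bound on total time, and classify the result so that a
# failed or empty download is "unverifiable" instead of a bogus "update available".
REMOTE_URL="https://raw.githubusercontent.com/MartineauUK/Unbound-Asuswrt-Merlin/master/unbound_manager.sh"

# Download to a file; --max-time caps connect + transfer together, which
# --connect-timeout alone does not. -f makes HTTP 4xx/5xx a failure, not a body.
fetch_remote() {   # $1 = destination file
    curl -fsSL --retry 3 --connect-timeout 3 --max-time 10 "$REMOTE_URL" -o "$1"
}

# Print the value of the first VERSION=... line (quotes stripped), or nothing.
script_version() {   # $1 = script file
    grep -E '^VERSION=' "$1" | head -n 1 | sed 's/^VERSION=//' | tr -d '"'
}

script_md5() {   # $1 = file
    md5sum "$1" | awk '{print $1}'
}

# compare_scripts LOCAL REMOTE
#   0 = identical, 1 = differ (update available), 2 = remote could not be verified
compare_scripts() {
    local_f="$1"; remote_f="$2"
    [ -s "$remote_f" ] || return 2                 # empty download
    remote_ver=$(script_version "$remote_f")
    [ -n "$remote_ver" ] || return 2               # not the script (error page?)
    [ "$(script_md5 "$local_f")" = "$(script_md5 "$remote_f")" ] && return 0
    return 1
}

# check_update LOCAL_SCRIPT: network wrapper around compare_scripts
check_update() {
    tmp=$(mktemp) || return 2
    fetch_remote "$tmp" || { rm -f "$tmp"; return 2; }
    compare_scripts "$1" "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

On the router, `check_update /jffs/addons/unbound/unbound_manager.sh` returns 0 when the local copy matches master, 1 when GitHub has a different script, and 2 when it could not verify; only a 1 should drive the "update available" text in the menu.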
 
Perhaps if you use those inbuilt utilities then gen_adblock.sh gets invoked after making changes?
Indeed as I proposed.

i.e. Options to manage the Whitelist/Blacklist are described under the 'Tools Advanced' menu
Code:
ew = Edit Ad Block Whitelist (eb=Blacklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
If you physically modify a file then the Ad Block script will auto-execute to merge the lists
Code:
e  = Exit Script [?]

A:Option ==> ew

 Ad Block file '/opt/share/unbound/configs/allowhost' changed....updating Ad Block
                           
 _____   _ _   _         _ 
|  _  |_| | |_| |___ ___| |_
|     | . | . | | . |  _| '_|
|__|__|___|___|_|___|___|_,_|
(gen_adblock.sh): 3427 @juched - v1.0.8 - Thanks to @SomeWhereOverTheRainBow
<snip>

However, if you choose to edit the files manually, say using WinSCP/Notepad++ (nano can be frustrating), then rather than wait for the daily cron job update, you can issue
Code:
e  = Exit Script [?]

A:Option ==> adblock update
 
You switch to unbound as your primary DNS by using the dnsmasq disable command in the unbound manager.
Then your client machines will make their DNS requests directly to unbound rather than going via dnsmasq.
You will see in your unbound log that each device request will now show its IP rather than every request coming from dnsmasq on 127.0.0.1. You don't need to change your WAN DNS settings.
I’ve seen that this is an experimental feature - making Unbound the primary DNS server, but what are the pros and cons of enabling this feature?

Whilst searching through this topic for answers, one con seems to be that Diversion would no longer work; is that right?
 
I’ve seen that this is an experimental feature - making Unbound the primary DNS server, but what are the pros and cons of enabling this feature?

Whilst searching through this topic for answers, one con seems to be that Diversion would no longer work; is that right?
While I may be wrong, and if I am hopefully someone will correct me... The main pro would be that all my searches aren't going through big corporations who mine data (looking at you Google o_O). Also, since the lookups are cached on the router, a response should be returned faster as it doesn't have to keep going out for the same query.

As for Diversion, I still use Diversion and have noticed no issue running it. Have contemplated turning it off and using the adblock and YouTube block exclusively from unbound manager, but I feel like I'm cheating on Diversion a little as it has sufficed for so long. :eek:
 
While I may be wrong, and if I am hopefully someone will correct me... The main pro would be that all my searches aren't going through big corporations who mine data (looking at you Google o_O). Also, since the lookups are cached on the router, a response should be returned faster as it doesn't have to keep going out for the same query.

As for Diversion, I still use Diversion and have noticed no issue running it. Have contemplated turning it off and using the adblock and YouTube block exclusively from unbound manager, but I feel like I'm cheating on Diversion a little as it has sufficed for so long. :eek:
The disadvantage that dnsmasq has is that it can't do its own recursive DNS queries and has to forward them to a resolver that can... enter unbound. Instead of dnsmasq forwarding your queries to your ISP DNS, or Google, or Cloudflare, or wherever, dnsmasq will forward the query to unbound, and then unbound will directly query the root servers for an answer.

So the experimental feature lets clients query unbound directly rather than having dnsmasq forward the DNS query to unbound.
The downside is that anything that relies on dnsmasq, like Diversion, won't work anymore.

I would say that for the "average" user (whoever that may be), running unbound behind dnsmasq is the preferred option, as stuff like unbound x3mRouting etc. will all continue to work.

The pro of running unbound as primary DNS is that you can be sure that dnsmasq is no longer in the picture, and you can experiment with unbound's features without worrying that the DNS requests from clients have been tampered with (e.g. using @juched's Ad Block script to do ad blocking without having dnsmasq, through Diversion, intercept and block the ad domain first).
 
The pro of running unbound as primary DNS is that you can be sure that dnsmasq is no longer in the picture, and you can experiment with unbound's features without worrying that the DNS requests from clients have been tampered with (e.g. using @juched's Ad Block script to do ad blocking without having dnsmasq, through Diversion, intercept and block the ad domain first).

There is no real advantage to disabling dnsmasq. The amount of time that dnsmasq takes to forward a request to Unbound locally is so small that it is negligible. Second, the Asus router firmware is built around dnsmasq, and making these changes (disabling dnsmasq) has, or will have, the potential for issues down the road. Having both is the best you can do, and Unbound is still your DNS server.

The issues one may encounter later, plus the Unbound maintenance of the fast-growing code base, are not worth it in my opinion to justify disabling dnsmasq. When you configure dnsmasq with cache=0 and forward the DNS queries to Unbound, it is good enough, and in honesty you will not get any benefits from disabling dnsmasq - performance or otherwise.
 
When you configure dnsmasq with cache=0 and forward the DNS queries to Unbound, it is good enough
How do I disable the dnsmasq cache? Just add "cache=0" in dnsmasq.conf?
Thanks
 
How do I disable the dnsmasq cache? Just add "cache=0" in dnsmasq.conf?
Thanks
You can't change the dnsmasq.conf file directly... you can do it using a dnsmasq postconf file, but the unbound manager script does that for you. Check /etc/dnsmasq.conf
Code:
cache-size=0
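What a postconf hook does to get that `cache-size=0` line in place, as an added example rather than unbound_manager's own /jffs/scripts/dnsmasq.postconf: Merlin calls the hook with the generated config path as `$1` (the real hook sources /usr/sbin/helper.sh and uses pc_replace/pc_append; sed is used here so it runs anywhere). Port 53535 is the one the unbound.conf comment later in the thread uses. Removing the servers-file line, so dnsmasq cannot still forward to the WAN resolvers in /tmp/resolv.dnsmasq alongside unbound, is this example's choice, not something the page says unbound_manager does.

```shell
#!/bin/sh
# Added example, not unbound_manager's own dnsmasq.postconf.
# Merlin runs /jffs/scripts/dnsmasq.postconf with the generated config as $1
# (assumed from the Merlin postconf convention). Turn dnsmasq into a
# cache-less stub that forwards only to unbound on 127.0.0.1#53535.

unbound_postconf() {   # $1 = path to the dnsmasq.conf being generated
    conf="$1"
    [ -f "$conf" ] || return 1
    # Drop every existing forwarder and cache directive so the result does not
    # depend on what the firmware (or an earlier run of this hook) wrote:
    #   servers-file=  -> the WAN/ISP resolvers in /tmp/resolv.dnsmasq
    #   server=        -> any previous explicit forwarder
    #   cache-size=    -> firmware default 1500
    sed -i -e '/^servers-file=/d' -e '/^server=/d' -e '/^cache-size=/d' "$conf"
    # no-resolv: never read /etc/resolv.conf either
    grep -q '^no-resolv$' "$conf" || echo 'no-resolv' >> "$conf"
    # Forward everything to unbound and let unbound do all the caching
    echo 'server=127.0.0.1#53535' >> "$conf"
    echo 'cache-size=0' >> "$conf"
}

# Check from the shell: succeeds only if unbound is the sole forwarder
# and dnsmasq's own cache is off.
forwards_only_to_unbound() {   # $1 = dnsmasq.conf
    ! grep -q '^servers-file=' "$1" &&
    [ "$(grep '^server=' "$1")" = 'server=127.0.0.1#53535' ] &&
    grep -q '^cache-size=0$' "$1"
}

# On the router the hook body is just:
#   unbound_postconf "$1"
```

After a `service restart_dnsmasq`, `forwards_only_to_unbound /etc/dnsmasq.conf` is the one-line check that no other forwarder survived the regeneration.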
 
...
As for Diversion, I still use Diversion and have noticed no issue running it. Have contemplated turning it off and using the adblock and YouTube block exclusively from unbound manager, but I feel like I'm cheating on Diversion a little as it has sufficed for so long. :eek:

So you are running with Unbound as your primary DNS server (dnsmasq disabled) and yet Diversion still works for you? (cf. what Tomsk wrote: "The downside is that anything that relies on dnsmasq like Diversion won't work anymore.")
 
You will not get any benefits from disabling dnsmasq - performance or otherwise.
Sadly I would have to disagree...with your 'otherwise' statement.

There is a URL that tabulates (with caveats) the feature list between dnsmasq and unbound, and unsurprisingly they are for all intents and purposes identical....except

i.e. there is only one feature in the comparison table where unbound seemingly has a unique-selling-point:

Split horizon:
Servers with the split-horizon DNS feature can give different answers depending on the source IP address of the query.

Now does this feature matter on a router, or more importantly, is this something that would be useful if applied to your home LAN devices?

Disabling dnsmasq would therefore open up the opportunity to exploit this currently unique unbound feature; ultimately experiencing the tangible benefit - wouldn't you agree?

P.S. You can review the DNS Server comparison here
 
I am checking the unbound behavior with TLS servers on port 443, forcing TCP.
Whoever has some knowledge, can test. One of the servers runs the knot-resolver.
https://dns.cmrg.net/

Code:
server:
    tcp-upstream: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 199.58.81.218@443
    forward-addr: 145.100.185.15@443
    forward-addr: 2001:470:1c:76d::53@443
    forward-addr: 2001:610:1:40ba:145:100:185:15@443
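The forward-zone above encrypts the upstream session but does not authenticate it: with no tls-cert-bundle and no authentication name after the address, unbound accepts whatever certificate the far end presents. The authenticated form, as an added example that is not the poster's config or unbound_manager's: the CA bundle path is Entware's ca-certificates location and the auth name dns.cmrg.net is taken from the URL in the post, both assumptions to verify. Only the address pair assumed to belong to dns.cmrg.net is shown, because the post does not say which hostname the 145.100.185.15 pair answers to.

```conf
server:
    tcp-upstream: yes
    # CA bundle used to validate the upstream certificate.
    # Assumed Entware path (opkg install ca-certificates).
    tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#auth-name: the name after '#' is checked against the
    # server certificate. Without it the TLS session is unauthenticated.
    # dns.cmrg.net as the auth name for these two addresses is an assumption.
    forward-addr: 199.58.81.218@443#dns.cmrg.net
    forward-addr: 2001:470:1c:76d::53@443#dns.cmrg.net
```

Run `unbound-checkconf` after the edit; with a wrong bundle path or a name that does not match the certificate, unbound logs the TLS failure and the forwarder simply stops answering, which is the behaviour you want rather than a silent fallback to plaintext.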
 
Is this something that is installed automatically with unbound or something special? Never seen this before...
The ideal is to use a comparator resource: download only when there is a new root.hint. I will check whether your curl has this feature.
 
Good morning all! I'm having trouble getting Unbound to start.
08:27:32 Checking 'unbound.conf' for syntax errors.....
08:27:32 Requesting unbound (S61unbound) restart.....
Starting unbound... failed.
08:27:32 Checking status, please wait.....


***ERROR unbound went AWOL after 1 seconds.....

Try option 'debug' and check for unbound.conf or runtime errors!

Warning unbound not running!! - Config last loaded info: # rgnldo Github Version=v1.10 Martineau update (Date Loaded by unbound_manager Tue May 26 08:27:32 PDT 2020)

1 = Update unbound files and configuration
2 = Remove unbound/unbound_manager
3 = Start unbound
4 = n/a Show unbound statistics
5 = Install Ad and Tracker blocker (Ad Block)
6 = n/a Install Graphical Statistics GUI Add-on TAB
7 = n/a Enable DNS Firewall
8 = n/a Install YouTube Ad blocker

? = About Configuration
v = View ('/opt/var/lib/unbound/'unbound.conf)

e = Exit Script [?]

E:Option ==> debug

'unbound.conf'

port: 53535 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535 # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
#interface: 127.0.0.1@53 # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


'/etc/dnsmasq.conf'

servers-file=/tmp/resolv.dnsmasq

netstat LISTEN Ports

tcp 0 0 0.0.0.0:3394 0.0.0.0:* LISTEN 15984/u2ec
tcp 0 0 0.0.0.0:3702 0.0.0.0:* LISTEN 5525/wsdd2
tcp 0 0 0.0.0.0:5152 0.0.0.0:* LISTEN 603/envrams
tcp 0 0 0.0.0.0:5473 0.0.0.0:* LISTEN 15984/u2ec
tcp 0 0 0.0.0.0:7788 0.0.0.0:* LISTEN 1106/cfg_server
tcp 0 0 0.0.0.0:8200 0.0.0.0:* LISTEN 5549/minidlna
tcp 0 0 0.0.0.0:18017 0.0.0.0:* LISTEN 899/wanduck
tcp 0 0 0.0.0.0:35454 0.0.0.0:* LISTEN 31585/miniupnpd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 22716/dnsmasq
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 22713/stubby
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 977/httpd
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 1005/vis-dcon
tcp 0 0 127.0.0.1:47753 0.0.0.0:* LISTEN 31473/mcpd
tcp 0 0 192.168.50.1:22 0.0.0.0:* LISTEN 6867/dropbear
tcp 0 0 192.168.50.1:53 0.0.0.0:* LISTEN 22716/dnsmasq
tcp 0 0 192.168.50.1:80 0.0.0.0:* LISTEN 977/httpd
tcp 0 0 192.168.50.2:80 0.0.0.0:* LISTEN 4325/pixelserv-tls
tcp 0 0 192.168.50.1:139 0.0.0.0:* LISTEN 5533/smbd
tcp 0 0 192.168.50.2:443 0.0.0.0:* LISTEN 4325/pixelserv-tls
tcp 0 0 192.168.50.1:445 0.0.0.0:* LISTEN 5533/smbd
tcp 0 0 192.168.50.1:515 0.0.0.0:* LISTEN 15990/lpd
tcp 0 0 192.168.50.1:1990 0.0.0.0:* LISTEN 15467/wps_monitor
tcp 0 0 192.168.50.1:3838 0.0.0.0:* LISTEN 15990/lpd
tcp 0 0 192.168.50.1:9100 0.0.0.0:* LISTEN 15990/lpd

unbound: symbol lookup error: unbound: undefined symbol: log_ident_set_default

What do I need to do to fix this issue?

Thank you!
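The line in that debug output that explains the failure is the last one. `symbol lookup error: ... undefined symbol: log_ident_set_default` is printed by the dynamic loader: the unbound binary references a function that the libunbound.so it resolved at run time does not export, so binary and library come from different builds (a partially updated Entware install, or a second libunbound earlier on the loader's search path). The check below is an added diagnostic, not part of unbound_manager; the opkg package names it looks for are assumptions, and the list-installed output in the usage line is the real thing to feed it on the router.

```shell
#!/bin/sh
# Added diagnostic, not part of unbound_manager.
# "unbound: symbol lookup error: unbound: undefined symbol: X" comes from the
# dynamic loader: the unbound binary calls X but the libunbound.so it loaded
# does not export it, so the two are from different builds.

# Which libunbound does the binary really load? Compare against the Entware copy.
show_loaded_libunbound() {
    bin=$(command -v unbound) || return 2
    ldd "$bin" | awk '/libunbound/ { print $3 }'
}

# versions_match "<opkg list-installed output>"
#   0 = every unbound*/libunbound package reports the same version
#   1 = mixed versions (partial upgrade: reinstall both together)
#   2 = no unbound packages listed at all
# opkg prints one "name - version" line per package; package names assumed.
versions_match() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(unbound|libunbound)/ {
            if (!($3 in seen)) { seen[$3] = 1; distinct++ }
            n++
        }
        END { if (n == 0) exit 2; exit (distinct == 1 ? 0 : 1) }'
}

# On the router:
#   versions_match "$(opkg list-installed)" || echo "unbound/libunbound version mismatch"
#   show_loaded_libunbound
```

If the loaded library path is not the Entware one, or the versions differ, reinstalling the unbound packages as one opkg transaction is the fix; editing unbound.conf or dnsmasq.conf cannot change a link-time error.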
 
Good morning all! I'm having trouble getting Unbound to start.
...
unbound: symbol lookup error: unbound: undefined symbol: log_ident_set_default

What do I need to do to fix this issue?
is servers-file=/tmp/resolv.dnsmasq the only line in your dnsmasq.conf?
 
Split horizon:
Servers with the split-horizon DNS feature can give different answers depending on the source IP address of the query.


Disabling dnsmasq would therefore open up the opportunity to exploit this currently unique unbound feature; ultimately experiencing the tangible benefit

Is this already available with the current version of unbound_manager?
As in, can I disable queries for YouTube for just one client (with dnsmasq disabled)?
thanks
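The per-client answer asked about here, and the split-horizon feature from the comparison table earlier, is what unbound calls a view. This is an added example, not something unbound_manager ships; the client address 192.168.50.20 and the single blocked zone are assumptions. It only works with dnsmasq disabled, for the reason given at the top of the thread: with dnsmasq in front, every query reaches unbound from 127.0.0.1, so access-control-view has nothing to distinguish clients by. The client must also already be allowed by the LAN access-control line unbound_manager writes.

```conf
server:
    # Queries from this one LAN client are answered through the "no-youtube" view.
    # Needs dnsmasq disabled: behind dnsmasq the source address is always 127.0.0.1.
    access-control-view: 192.168.50.20/32 no-youtube

view:
    name: "no-youtube"
    # Fall through to the global local-zone/local-data (Ad Block entries etc.)
    # for names this view does not define itself.
    view-first: yes
    # NXDOMAIN for the whole zone, for this client only (assumed zone choice).
    local-zone: "youtube.com." always_nxdomain
```

Check it with `unbound-checkconf`, then compare `dig @192.168.50.1 www.youtube.com` from the restricted client and from any other one: the first gets NXDOMAIN, the second a normal answer, and the unbound log shows the two client addresses, which is exactly what the dnsmasq-in-front setup could never show.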
 
My dnsmasq.conf is empty.
That's weird... I think unbound isn't starting because it is expecting to listen on port 53535, but for that to happen the dnsmasq.conf should have a server=127.0.0.1#53535 line in it.
I have no idea why your dnsmasq.conf file would be empty... are you sure you have the right file? Try
Code:
nano /etc/dnsmasq.conf
from the command line and see what the contents are
 
This is my dnsmasq.conf file:
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
bogus-priv
domain-needed
dhcp-range=lan,192.168.x.x,192.168.x.x,255.255.255.0,86400s
dhcp-option=lan,3,192.168.x.x
dhcp-option=lan,252,"\n"
dhcp-authoritative
address=/use-application-dns.net/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp

# start of Diversion directives #
ptr-record=x.x.168.192.in-addr.arpa,192.168.x.x
addn-hosts=/opt/share/diversion/list/blacklist
addn-hosts=/opt/share/diversion/list/blockinglist
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log
# end of Diversion directives #
 
This is my dnsmasq.conf file:
...
OK, can you see what the contents of these are:
Code:
nano /jffs/scripts/dnsmasq.postconf
nano /jffs/addons/unbound/unbound.postconf
 