From what I understood, the YT blocking mechanism in unbound/diversion is not fool-proof...
...and the RPZ (Firewall) feature that can be used with Unbound. You can adjust Unbound in many ways - this is not possible with other DNS servers.
That's fearmongering, no? I've been using unbound problem-free and I'm no DNS expert. All the needed info was in this thread.
With Unbound you need to become a DNS expert so when the code fails you can handle it and not wait for someone to write new code, which could take days or weeks. I vote for using QUAD9 and let someone else who is an expert deal with DNS.
Recently I finally gave up and switched my main router to a cheap edgerouter x from my RT-AC86u because even though fail-over worked enough, fall-back never worked and just trying to switch back causes many many headaches... So I am just using the 86u as an access point now until Asus fixes things.
Because of the limitations of the Edgerouter (and my brain), I have been trying to use the Asus for more than just an access point, mainly running unbound with the ad and tracker blocker (a la pihole) and just listing the LAN address of the 86u as the DNS in the router, which works. DNS leak test lists only my Comcast IP as the DNS and if I dig a domain, it lists the LAN IP of the Asus as the DNS server.
But now I have noticed that the "cache hit success" rate has been dropping steadily for a couple of days, down to 5% now in the graphs, and the "Server failed to complete the DNS request" bar has grown huge, dwarfing the Queries completed. So maybe it is not working correctly?
But before I reboot, can anyone recommend any best practices for a setup like mine or any tips? Thanks!
if your ac86 is being used as only an AP, it's not doing any routing/dns lookups - that's why unbound's hit rate is dropping
nothing against your ubiquiti product, but the package of scripts (and Merlin's firmware) are an all-around solution that can be tailored to deliver what you seem to be looking to accomplish - without needing a RasPi or to make different systems talk to each other. (the devs of the scripts and merlin work together to make magic happen).
what's even more brilliant is for extra wifi range, add another asus router and spin it up as an AiMesh node - no different SSIDs or Passwords to manage, plus, you're still covered by the ad-blocking etc on the master router (ac86)! and if you need the extra GigE ports, they're there on the Mesh node(s), maybe saving you some cable runs.
Welcome to the forum. Just like Hogwarts, help is given to those who ask, and those who most deserve it.
I missed that you're Dual-WANing in that first post. (Never tried, but I am only 100m LOS from one of my provider's cell locations, so I probably should.)
I agree I prefer the all-in-one solution, and have been using Asus routers with Merlin's GREAT firmware for years now, but it is just not reliable anymore for our situation. Will definitely switch back if/when Asus ever fixes the failover fallback for our LTE, which we have to have now, since the ISP here is just not as consistent as it once was (I keep track with connmon).
I just restarted unbound, and the cache hits graphs are going up again. So maybe it was just a temporary glitch. In any case, ads are always blocked on all the devices on the LAN so I know unbound on the 86u is doing the DNS lookups for everything... So maybe I shouldn't worry about the graphs and only mess with it if I start seeing ads.
I am a novice user of amtm and have used unbound for about 2 months now. Currently have Ad Block, DNS Firewall, GUI and Youtube Ad Blocker scripts enabled.
I have issues with YouTube ads still showing on the devices. I tried installing/uninstalling unbound & enabling/disabling unbound scripts but couldn't get it to work.
Could my location be the cause of the issue? I'm located in Canada and running RT-AC66U_B1 w/ Asuswrt-Merlin v384.17
FYI along with unbound, I have Skynet, YazFi and uiDivStats installed.
Using unbound with ad-block enabled on an Access Point only AC86U, everything seems to work fine until this error starts flooding the log and the cache hits drop steadily until I restart unbound:
Jul 28 00:05:03 RT-AC86U-B3A0 unbound: [32465:0] error: SERVFAIL <sigfail.verteiltesysteme.net. A IN>: exceeded the maximum number of sends
Any advice to fix this?
I am curious to find out if this is symptoms of using this in access point mode or are unbound settings messed up? I have never run into this issue using unbound manager, but I have never tried this in access point mode either.
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.
With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?
In respect of sending requests via a VPN client, in the Q&A it says
Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.
I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?
Further to my earlier questions on the DNS firewall and VPN routing - see below - the DNS Firewall is now no longer working.
Unbound works fine without it but if I enable the Firewall then I get
Code:
[1596135750] unbound-checkconf[5209:0] error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1154 cannot insert RR of type CNAME
[1596135750] unbound-checkconf[5209:0] error: error parsing zonefile /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.
[1596135750] unbound-checkconf[5209:0] fatal error: Could not setup authority zones
***ERROR INVALID unbound configuration
I have tried hard and soft reboots (just in case), as well as option i = Update unbound and configuration, without success - any suggestions on what I can try next?
Earlier Post
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.
With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?
In respect of sending requests via a VPN client, in the Q&A it says
Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.
I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?
Indeed, looks like the firewall got cold feet - same error messages here. Just run
firewall disable
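The "cannot insert RR of type CNAME" line above is unbound-checkconf refusing to load the RPZ feed as a zone file. The following is an added example, not code from this thread or from unbound_manager: a small Python checker that parses a zone file and lists owner names where a CNAME sits next to any other record, which DNS forbids (RFC 2181 section 10.1) and which is assumed here, not confirmed by the thread, to be what a CNAME insert failure at a given line means. The sample zone is constructed for the demonstration; only the origin name rpz.urlhaus.abuse.ch comes from the error message.

```python
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}

# Constructed sample feed (not the real urlhaus data) with two bad owners.
SAMPLE_ZONE = """\
$ORIGIN rpz.urlhaus.abuse.ch.
@  IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 300
   IN NS  localhost.
evil.example          CNAME .           ; fine: single CNAME
other.example    300  CNAME .           ; bad: CNAME plus an A record
other.example         A     127.0.0.1
dup.example           CNAME .           ; bad: two CNAMEs at one owner
DUP.example           CNAME rpz-drop.
"""

def _absolute(name, origin):
    """Lower-case an owner name and make it absolute relative to $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin.lstrip(".")

def parse_zone(text, origin="."):
    """Yield (owner, rrtype, rdata); handles $ORIGIN, ';' comments, blank-owner
    continuation lines and optional TTL/class (no multi-line records)."""
    owner = None
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if not tokens or tokens[0] in ("$TTL", "$INCLUDE"):
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower().rstrip(".") + "."
            continue
        if raw[0] not in " \t":          # leading blank => previous owner
            owner = _absolute(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():             # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:    # optional class
            tokens.pop(0)
        if owner is None or not tokens:
            raise ValueError("malformed record: %r" % raw)
        yield owner, tokens[0].upper(), " ".join(tokens[1:])

def find_cname_conflicts(text, origin="."):
    """Owners where a CNAME shares its name with any other record (RFC 2181 10.1)."""
    types = defaultdict(list)
    for owner, rrtype, _ in parse_zone(text, origin):
        types[owner].append(rrtype)
    return {o: sorted(t) for o, t in types.items() if "CNAME" in t and len(t) > 1}
```

Feed the contents of /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone to find_cname_conflicts and compare the reported owners with the line number in the checkconf error.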