Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
- Thread starter Martineau
- Start date
Is there additional config I can do in unbound?
With Unbound you need to become a DNS expert so when the code fails you can handle it and not wait for someone to write new code which could take days or weeks.. I vote for using QUAD9 and let someone else that is an expert deal with DNS.
that;s fearmongering, no? i've been using unbound problem free and i'm no DNS expert. all the needed info was in this thread.
Last edited:
heysoundude
Part of the Furniture
@Martineau since you're doing so much work for security and privacy in conjunction with the Merlin firmware, you should consider showing your work and possibly get rewarded:
(moved to a spoiler block because that huge image was messing up the whole thread. -rm)
@rgnldo might also consider the same for suricata, which may be one of their projects/initiatives as well
...all the people who are contributing/have contributed: @RMerlin @ryzhov_al and anyone else who I'm not acknowledging
(moved to a spoiler block because that huge image was messing up the whole thread. -rm)
@rgnldo might also consider the same for suricata, which may be one of their projects/initiatives as well
...all the people who are contributing/have contributed: @RMerlin @ryzhov_al and anyone else who I'm not acknowledging
Last edited by a moderator:
Mikey Dread
Occasional Visitor
Recently I finally gave up and switched my main router to a cheap edgerouter x from my RT-AC86u because even though fail-over worked enough, fall-back never worked and just trying to switch back causes many many headaches... So I am just using the 86u as an access point now until Asus fixes things.
Because of the limitations of the Edgerouter (and my brain), I have been trying to use the Asus for more than just an access point mainly running unbound with the ad and tracker blocker (a la pihole) and just listing the LAN address of the 86u as the DNS in the router, which works. DNS leak test lists only my Comcast IP as the DNS and if I dig a domain, it list the lan IP of the Asus as the dns server.
But now I have noticed that the "cache hit succes" rate has been dropping steadily for a couple of days, down to 5% now in the graphs and the "Server failed to complete the DNS request" bar has grown huge, dwarfing the Queries completed. So maybe it is not working correctly?
But before I reboot, Can anyone recommend any best practices for a setup like mine or any tips. Thanks!
Because of the limitations of the Edgerouter (and my brain), I have been trying to use the Asus for more than just an access point mainly running unbound with the ad and tracker blocker (a la pihole) and just listing the LAN address of the 86u as the DNS in the router, which works. DNS leak test lists only my Comcast IP as the DNS and if I dig a domain, it list the lan IP of the Asus as the dns server.
But now I have noticed that the "cache hit succes" rate has been dropping steadily for a couple of days, down to 5% now in the graphs and the "Server failed to complete the DNS request" bar has grown huge, dwarfing the Queries completed. So maybe it is not working correctly?
But before I reboot, Can anyone recommend any best practices for a setup like mine or any tips. Thanks!
heysoundude
Part of the Furniture
if your ac86 is being used as only an AP, it's not doing any routing/dns lookups - that's why unbound's hit rate is dropping
nothing against your ubiquiti product, but the package of scripts (and Merlin's firmware) are an all-around solution that can be tailored to deliver what you seem to be looking to accomplish - without needing a RasPi or to make different systems talk to each other. (the devs of the scripts and merlin work together to make magic happen).
what's even more brilliant is for extra wifi range, add another asus router and spin it up as an AiMesh node - no different SSIDs or Passwords to manage, plus, you're still covered by the ad-blocking etc on the master router (ac86)! and if you need the extra GigE ports, they're there on the Mesh node(s), maybe saving you some cable runs.
Welcome to the forum. just like Hogwarts, Help is given to those who ask, and those who most deserve it.
Mikey Dread
Occasional Visitor
if your ac86 is being used as only an AP, it's not doing any routing/dns lookups - that's why unbound's hit rate is dropping
nothing against your ubiquiti product, but the package of scripts (and Merlin's firmware) are an all-around solution that can be tailored to deliver what you seem to be looking to accomplish - without needing a RasPi or to make different systems talk to each other. (the devs of the scripts and merlin work together to make magic happen).
what's even more brilliant is for extra wifi range, add another asus router and spin it up as an AiMesh node - no different SSIDs or Passwords to manage, plus, you're still covered by the ad-blocking etc on the master router (ac86)! and if you need the extra GigE ports, they're there on the Mesh node(s), maybe saving you some cable runs.
Welcome to the forum. just like Hogwarts, Help is given to those who ask, and those who most deserve it.
I agree I prefer the all in one solution, and have been using Asus routers with Merlin's GREAT firmware for years now, but it is just not reliable anymore for our situation.. will definitely switch back if/when Asus every fixes the failover fallback for our LTE, which we have to have, now, since it the ISP here is just not as consistent as it once was ( I keep track with connmon).
I just restarted unbound, and the cache hits graphs are going up again. So maybe it was just a temporary glitch. In any case, ad's are always blocked on all the devices on the LAN so I know unbound on the 86u is doing the DNS lookups for everything... So maybe I shouldn't worry about the graphs and only mess with it if I start seeing ads.
raion969
Senior Member
heyy when i restart my router the thap addons, does work properly it dont Shows any stats from unbound. The strange thing is when i deinstall the add on tap on the router GUI it is still visible but when i click it it Shows 404 error? After i reinstall the GUI menue in unbound the stats are Show corretly but the restarting the router it dont work anymore
heysoundude
Part of the Furniture
I missed that you're Dual-WANing in that first post. (Never tried, but I am only 100m LOS from one of my provider's cell locations, so I probably should.)
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.
With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?
In respect of sending requests via a VPN client, in the Q&A it says
Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.
I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?
With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?
In respect of sending requests via a VPN client, in the Q&A it says
Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.
I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?
juched
Very Senior Member
No further configuration should be needed. It takes some time for the ads to start reducing, since it needs to detect the servers and re-direct them to the same IP. So, for the first few days you will still see ads from time to time, but over time it should start going down. And it isn't fool proof, that is for sure, it was based on some experiments done on the Pi-hole forums and is related to some current behaviour (which YouTube can change at anytime) to base the # of ads to show on how long you are communicating with the same IP. After running for months now, my server list has grown to 475+.
Even now I still get ads from time to time.
Mikey Dread
Occasional Visitor
Using unbound with ad-block enabled on Access Point only ac-86U, everything seems to work fine until this error starts flooding the log and the cache hits drop steadily until I restart unbound:
Any Advice to fix this?
| Jul 28 00:05:03 RT-AC86U-B3A0 unbound: [32465:0] error: SERVFAIL <sigfail.verteiltesysteme.net. A IN>: exceeded the maximum number of sends |
Any Advice to fix this?
SomeWhereOverTheRainBow
Part of the Furniture
I am curious to find out if this is symptoms of using this in access point mode or are unbound settings messed up? I have never ran into this issue using unbound manager, but i have never tried this in access point mode either.
Mikey Dread
Occasional Visitor
I want to find out too!. I don't think it's a issue with Access point mode. I figured out that verteiltesysteme.net is a DNSsec testing web page that I tried while testing things. No clue why it's flooding the logs... I just tried 'rs nocache' to restart unbound and see if it clears it out. next I will try uninstalling and reinstalling unbound and rebooting the router.
Other than this weird verteiltesysteme.net thing.... everythign works, I can watch the unbound.log live in the scribed system log and can see all the query and replays from all the devices on the network and ad blocking works well.
Luizlp10
Regular Contributor
Would you please tell me how can I set unbound to use my vpn client?
Further to my earlier questions on the DNS firewall and VPN routing - see below - the DNS Firewall is now no longer working
Unbound works fine without it but if enable the Firewall then I get
I have tried hard and soft reboots (just in case), as well as option i = Update and unbound and configuration, without success - any suggestions on what I can try next?
Earlier Post
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.
With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?
In respect of sending requests via a VPN client, in the Q&A it says
Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.
I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?
Unbound works fine without it but if enable the Firewall then I get
Code:
[1596135750] unbound-checkconf[5209:0] error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1154 cannot insert RR of type CNAME
[1596135750] unbound-checkconf[5209:0] error: error parsing zonefile /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.
[1596135750] unbound-checkconf[5209:0] fatal error: Could not setup authority zones
***ERROR INVALID unbound configurationI have tried hard and soft reboots (just in case), as well as option i = Update and unbound and configuration, without success - any suggestions on what I can try next?
Earlier Post
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.
With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?
In respect of sending requests via a VPN client, in the Q&A it says
Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.
I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?
immi803
Senior Member
@Martineau
I've no clue what's happening to unbound suddenly, it was working fine with adblock, shows it's running but dns getting resolved by custom dns ip inputted in wan as well as adblock is not working
Uninstalling & installing fresh from scratch didn't help, neither any efforts paid off yet , any help?
I've no clue what's happening to unbound suddenly, it was working fine with adblock, shows it's running but dns getting resolved by custom dns ip inputted in wan as well as adblock is not working
Uninstalling & installing fresh from scratch didn't help, neither any efforts paid off yet , any help?
Indeed, looks like the firewall got cold feet - same error messages here. Just run
Code:
firewall disable...and yes, the DNS shows as your local provider's IP, that's right. It means it works.
Similar threads
Similar threads
Similar threads
-
Unbound Force all DNS requests through Unbound using iptables?- Started by muffintastic
- Replies: 14
-
-
-
-
-
-
Is it possible to use nord dns with unbound or any way to add it?- Started by Jack-Sparr0w
- Replies: 9
-
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-
Latest threads
-
Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root- Started by PR3MIUM
- Replies: 0
-
-
-
-
Upgrading from wifi 5 to wifi 6 and looking for suggestions
- Started by Listedguru2
- Replies: 6
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!