Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[ugandy]

from what i understood, the YT blocking mechanism in unbound/diversion is not anywhere close to full-proof...

 

[donduck]

from what i understood, the YT blocking mechanism in unbound/diversion is not full-proof...

Is there additional config I can do in unbound?

 

[coxhaus]

...and the RPZ (Firewall) feature that can be used with Ubound. You can adjust Unbound in many ways - this is not possible by other DNS-Servers.

With Unbound you need to become a DNS expert so when the code fails you can handle it and not wait for someone to write new code which could take days or weeks.. I vote for using QUAD9 and let someone else that is an expert deal with DNS.

 

[ugandy]

With Unbound you need to become a DNS expert so when the code fails you can handle it and not wait for someone to write new code which could take days or weeks.. I vote for using QUAD9 and let someone else that is an expert deal with DNS.

that;s fearmongering, no? i've been using unbound problem free and i'm no DNS expert. all the needed info was in this thread.

 

[L&LD]

unbound_manager has been not only a set and forget script, but also an eye-opener for how responsive our networks should be too.

No DNS expert here either. Simply happy to ride on the coattails of the giants before me.

 

[heysoundude]

@Martineau since you're doing so much work for security and privacy in conjunction with the Merlin firmware, you should consider showing your work and possibly get rewarded:

Spoiler

https://www.reddit.com/r/privacy/comments/hv9e91

(moved to a spoiler block because that huge image was messing up the whole thread. -rm)

@rgnldo might also consider the same for suricata, which may be one of their projects/initiatives as well
...all the people who are contributing/have contributed: @RMerlin @ryzhov_al and anyone else who I'm not acknowledging

 

[Mikey Dread]

Recently I finally gave up and switched my main router to a cheap edgerouter x from my RT-AC86u because even though fail-over worked enough, fall-back never worked and just trying to switch back causes many many headaches... So I am just using the 86u as an access point now until Asus fixes things.

Because of the limitations of the Edgerouter (and my brain), I have been trying to use the Asus for more than just an access point mainly running unbound with the ad and tracker blocker (a la pihole) and just listing the LAN address of the 86u as the DNS in the router, which works. DNS leak test lists only my Comcast IP as the DNS and if I dig a domain, it list the lan IP of the Asus as the dns server.

But now I have noticed that the "cache hit succes" rate has been dropping steadily for a couple of days, down to 5% now in the graphs and the "Server failed to complete the DNS request" bar has grown huge, dwarfing the Queries completed. So maybe it is not working correctly?

But before I reboot, Can anyone recommend any best practices for a setup like mine or any tips. Thanks!

 

[heysoundude]

Recently I finally gave up and switched my main router to a cheap edgerouter x from my RT-AC86u because even though fail-over worked enough, fall-back never worked and just trying to switch back causes many many headaches... So I am just using the 86u as an access point now until Asus fixes things.

Because of the limitations of the Edgerouter (and my brain), I have been trying to use the Asus for more than just an access point mainly running unbound with the ad and tracker blocker (a la pihole) and just listing the LAN address of the 86u as the DNS in the router, which works. DNS leak test lists only my Comcast IP as the DNS and if I dig a domain, it list the lan IP of the Asus as the dns server.

But now I have noticed that the "cache hit succes" rate has been dropping steadily for a couple of days, down to 5% now in the graphs and the "Server failed to complete the DNS request" bar has grown huge, dwarfing the Queries completed. So maybe it is not working correctly?

But before I reboot, Can anyone recommend any best practices for a setup like mine or any tips. Thanks!

if your ac86 is being used as only an AP, it's not doing any routing/dns lookups - that's why unbound's hit rate is dropping
nothing against your ubiquiti product, but the package of scripts (and Merlin's firmware) are an all-around solution that can be tailored to deliver what you seem to be looking to accomplish - without needing a RasPi or to make different systems talk to each other. (the devs of the scripts and merlin work together to make magic happen).
what's even more brilliant is for extra wifi range, add another asus router and spin it up as an AiMesh node - no different SSIDs or Passwords to manage, plus, you're still covered by the ad-blocking etc on the master router (ac86)! and if you need the extra GigE ports, they're there on the Mesh node(s), maybe saving you some cable runs.

Welcome to the forum. just like Hogwarts, Help is given to those who ask, and those who most deserve it.

 

[Mikey Dread]

if your ac86 is being used as only an AP, it's not doing any routing/dns lookups - that's why unbound's hit rate is dropping
nothing against your ubiquiti product, but the package of scripts (and Merlin's firmware) are an all-around solution that can be tailored to deliver what you seem to be looking to accomplish - without needing a RasPi or to make different systems talk to each other. (the devs of the scripts and merlin work together to make magic happen).
what's even more brilliant is for extra wifi range, add another asus router and spin it up as an AiMesh node - no different SSIDs or Passwords to manage, plus, you're still covered by the ad-blocking etc on the master router (ac86)! and if you need the extra GigE ports, they're there on the Mesh node(s), maybe saving you some cable runs.

Welcome to the forum. just like Hogwarts, Help is given to those who ask, and those who most deserve it.

I agree I prefer the all in one solution, and have been using Asus routers with Merlin's GREAT firmware for years now, but it is just not reliable anymore for our situation.. will definitely switch back if/when Asus every fixes the failover fallback for our LTE, which we have to have, now, since it the ISP here is just not as consistent as it once was ( I keep track with connmon).

I just restarted unbound, and the cache hits graphs are going up again. So maybe it was just a temporary glitch. In any case, ad's are always blocked on all the devices on the LAN so I know unbound on the 86u is doing the DNS lookups for everything... So maybe I shouldn't worry about the graphs and only mess with it if I start seeing ads.

 

[raion969]

heyy when i restart my router the thap addons, does work properly it dont Shows any stats from unbound. The strange thing is when i deinstall the add on tap on the router GUI it is still visible but when i click it it Shows 404 error? After i reinstall the GUI menue in unbound the stats are Show corretly but the restarting the router it dont work anymore

 

[heysoundude]

I agree I prefer the all in one solution, and have been using Asus routers with Merlin's GREAT firmware for years now, but it is just not reliable anymore for our situation.. will definitely switch back if/when Asus every fixes the failover fallback for our LTE, which we have to have, now, since it the ISP here is just not as consistent as it once was ( I keep track with connmon).

I just restarted unbound, and the cache hits graphs are going up again. So maybe it was just a temporary glitch. In any case, ad's are always blocked on all the devices on the LAN so I know unbound on the 86u is doing the DNS lookups for everything... So maybe I shouldn't worry about the graphs and only mess with it if I start seeing ads.

I missed that you're Dual-WANing in that first post. (Never tried, but I am only 100m LOS from one of my provider's cell locations, so I probably should.)

 

[archiel]

Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.

With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?

In respect of sending requests via a VPN client, in the Q&A it says


Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.

I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?

 

[juched]

I am a novice user of amtm and have used unbound for about 2 months now. Currently have Ad Block, DNS Firewall, GUI and Youtube Ad Blocker scripts enabled.

I have issues with YouTube ads still showing on the devices. I tried installing/uninstalling unbound & enabling/disabling unbound scripts but couldn't get it to work.

Could my location be the cause of the issue? I'm located in Canada and running RT-AC66U_B1 w/ Asuswrt-Merlin v384.17

FYI along with unbound, I have Skynet, YazFi and uiDivStats installed.

No further configuration should be needed. It takes some time for the ads to start reducing, since it needs to detect the servers and re-direct them to the same IP. So, for the first few days you will still see ads from time to time, but over time it should start going down. And it isn't fool proof, that is for sure, it was based on some experiments done on the Pi-hole forums and is related to some current behaviour (which YouTube can change at anytime) to base the # of ads to show on how long you are communicating with the same IP. After running for months now, my server list has grown to 475+.

Even now I still get ads from time to time.

 

[Mikey Dread]

Using unbound with ad-block enabled on Access Point only ac-86U, everything seems to work fine until this error starts flooding the log and the cache hits drop steadily until I restart unbound:

Jul 28 00:05:03 RT-AC86U-B3A0 unbound: [32465:0] error: SERVFAIL <sigfail.verteiltesysteme.net. A IN>: exceeded the maximum number of sends

Any Advice to fix this?

 

[SomeWhereOverTheRainBow]

Using unbound with ad-block enabled on Access Point only ac-86U, everything seems to work fine until this error starts flooding the log and the cache hits drop steadily until I restart unbound:

Jul 28 00:05:03 RT-AC86U-B3A0 unbound: [32465:0] error: SERVFAIL <sigfail.verteiltesysteme.net. A IN>: exceeded the maximum number of sends

View attachment 24966

Any Advice to fix this?

I am curious to find out if this is symptoms of using this in access point mode or are unbound settings messed up? I have never ran into this issue using unbound manager, but i have never tried this in access point mode either.

 

[Mikey Dread]

I am curious to find out if this is symptoms of using this in access point mode or are unbound settings messed up? I have never ran into this issue using unbound manager, but i have never tried this in access point mode either.

I want to find out too!. I don't think it's a issue with Access point mode. I figured out that verteiltesysteme.net is a DNSsec testing web page that I tried while testing things. No clue why it's flooding the logs... I just tried 'rs nocache' to restart unbound and see if it clears it out. next I will try uninstalling and reinstalling unbound and rebooting the router.

Other than this weird verteiltesysteme.net thing.... everythign works, I can watch the unbound.log live in the scribed system log and can see all the query and replays from all the devices on the network and ad blocking works well.

 

[Luizlp10]

Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.

With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?

In respect of sending requests via a VPN client, in the Q&A it says


Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.

I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?

Would you please tell me how can I set unbound to use my vpn client?

 

[archiel]

Further to my earlier questions on the DNS firewall and VPN routing - see below - the DNS Firewall is now no longer working

Unbound works fine without it but if enable the Firewall then I get

[1596135750] unbound-checkconf[5209:0] error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1154 cannot insert RR of type CNAME
[1596135750] unbound-checkconf[5209:0] error: error parsing zonefile /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.
[1596135750] unbound-checkconf[5209:0] fatal error: Could not setup authority zones

***ERROR INVALID unbound configuration

I have tried hard and soft reboots (just in case), as well as option i = Update and unbound and configuration, without success - any suggestions on what I can try next?


Earlier Post
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.

With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?

In respect of sending requests via a VPN client, in the Q&A it says


Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.

I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?

 

[immi803]

@Martineau
I've no clue what's happening to unbound suddenly, it was working fine with adblock, shows it's running but dns getting resolved by custom dns ip inputted in wan as well as adblock is not working
Uninstalling & installing fresh from scratch didn't help, neither any efforts paid off yet , any help?

 

[Torson]

Further to my earlier questions on the DNS firewall and VPN routing - see below - the DNS Firewall is now no longer working

Unbound works fine without it but if enable the Firewall then I get

[1596135750] unbound-checkconf[5209:0] error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1154 cannot insert RR of type CNAME
[1596135750] unbound-checkconf[5209:0] error: error parsing zonefile /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.
[1596135750] unbound-checkconf[5209:0] fatal error: Could not setup authority zones

***ERROR INVALID unbound configuration

I have tried hard and soft reboots (just in case), as well as option i = Update and unbound and configuration, without success - any suggestions on what I can try next?


Earlier Post
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.

With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?

In respect of sending requests via a VPN client, in the Q&A it says


Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.

I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?

Indeed, looks like the firewall got cold feet - same error messages here. Just run

firewall disable

from the advanced menu and unbound will resume business as usual.
...and yes, the DNS shows as your local provider's IP, that's right. It means it works.