What's new

Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Unfortunately, by default unbound receives DNS requests from dnsmasq, (rather than individual LAN devices) so the source IP will always be 127.0.0.1.
e.g. an unidentified LAN device is requesting a blocked ('always_nxdomain') domain 'ipid.shat.net'

If you need to have unbound report the actual IP of the LAN device then you will need to disable dnsmasq

Use 'Advanced' command 'dnsmasq disable'

e.g. unbound log will now identify/disclose LAN device 10.88.8.120 is requesting blocked ('always_nxdomain') domain 'ipid.shat.net'

Thank you for your guidance on ways to identify the blocked domain.

I am using the command
tail -f /opt/var/lib/unbound/unbound.log | grep -i "nxdomain" :)
to find the blocked domain and then add it to the whitelist if needed.

You have suggested that I can disable dnsmasq in case I need to identify the blocked domain by IP (192.168.1.27) address. I disabled dnsmasq and I am also able to identify blocked domains by specific IP addresses as well by the command
tail -f /opt/var/lib/unbound/unbound.log | grep -iE "nxdomain.*192.168.1.27" :)

Q: What are the disadvantages of disabling dnsmasq?

- I do not use Diversion or X3MRouting.
- I do have a few static IP addresses assigned by MAC address.
- I also run WireGuard as a server on the router

Will I lose anything by keeping dsnmasq permanently disabled and letting unbound manage the same?
 
@Martineau
How can i try unbound_manager v3.20 beta?
Issue command
Code:
unbound_manager update=uf dev
or you can get it direct from Github

1601194580160.png

Code:
curl --retry 3 "https://raw.githubusercontent.com/MartineauUK/Unbound-Asuswrt-Merlin/dev/unbound_manager.sh" -o "/jffs/addons/unbound/unbound_manager.sh"
 
Last edited:
I am using the command
Code:
tail -f /opt/var/lib/unbound/unbound.log | grep -i "nxdomain"
tail -f /opt/var/lib/unbound/unbound.log | grep -iE "nxdomain.*192.168.1.27"
If you wish to scan all of the file's contents, why waste time/effort/typing by loading two utilities...
Code:
grep -i "nxdomain"                  /opt/var/lib/unbound/unbound.log
grep -iE "nxdomain.*192.168.1.27"   /opt/var/lib/unbound/unbound.log

Q: What are the disadvantages of disabling dnsmasq?
- I do not use Diversion or X3MRouting.
- I do have a few static IP addresses assigned by MAC address.
- I also run WireGuard as a server on the router

Will I lose anything by keeping dsnmasq permanently disabled and letting unbound manage the same?
dnsmasq is a mature feature-rich inherent component of Asus routers.

Consequently there is a lot of knowledge/support available in the forums for fully exploiting dnsmasq's unique features etc., and it will take time for the number of knowledgeable unbound adopters to achieve the same level of tech-savvy critical mass.

i.e. although unbound v1.11.0 may now include an 'ipset' module (only HND-model routers?), I don't think it replicates the same functionality as dnsmasq's 'ipset=' directive, but even if you don't currently use X3MRouting, you may find that the feature may be useful outside of X3MRouting.

Performance-wise, DNS resolution for clients must be a few microseconds quicker by virtue of the fact that the LAN clients don't have to go thru dnsmasq i.e. bypassing the middleman.

I personally haven't noticed any issues with disabling dnsmasq, but unbound_manager's 'dnsmasq disable' migration feature may still be limited in its abilities in advanced dnsmasq case scenarios.

YMMV
 
Last edited:
If you wish to scan all of the file's contents, why waste time/effort/typing by loading two utilities...
Code:
grep -i "nxdomain"                  /opt/var/lib/unbound/unbound.log
grep -iE "nxdomain.*192.168.1.27"   /opt/var/lib/unbound/unbound.log

Thank you for your detailed response. I will keep dnsmasq enabled for now and just search for the blocked domains.

You are correct in your idea that I could just use grep.
The reason for using tail instead of grep is mainly that I can see the blocked domain entry in real-time as it is happening.
Use case: Browser page not loading properly or something being blocked.
ssh into router; Run the tail command; refresh the browser; and I can see the blocked domain appearing in the tail output.


Code:
tail -f /opt/var/lib/unbound/unbound.log | grep --color="auto" -i "always_nxdomain"

Thank you for your response; much appreciated.
 
If you wish to scan all of the file's contents, why waste time/effort/typing by loading two utilities...
Code:
grep -i "nxdomain"                  /opt/var/lib/unbound/unbound.log
grep -iE "nxdomain.*192.168.1.27"   /opt/var/lib/unbound/unbound.log


dnsmasq is a mature feature-rich inherent component of Asus routers.

Consequently there is a lot of knowledge/support available in the forums for fully exploiting dnsmasq's unique features etc., and it will take time for the number of knowledgeable unbound adopters to achieve the same level of tech-savvy critical mass.

i.e. although unbound v1.11.0 may now include an 'ipset' module (only HND-model routers?), I don't think it replicates the same functionality as dnsmasq's 'ipset=' directive, but even if you don't currently use X3MRouting, you may find that the feature may be useful outside of X3MRouting.

Performance-wise, DNS resolution for clients must be a few microseconds quicker by virtue of the fact that the LAN clients don't have to go thru dnsmasq i.e. bypassing the middleman.

I personally haven't noticed any issues with disabling dnsmasq, but unbound_manager's 'dnsmasq disable' migration feature may still be limited in its abilities in advanced dnsmasq case scenarios.

YMMV
So we are set to disable dnsmasq in models like ax88u? Considering performance utmost?
 
Last edited:
I like to disable dnsmasq and give unbound the reins entirely, for exactly the reasons mentioned but I also do a lot of blocklist tweaks.
One thing I noticed when I had Dnsmasq and this Unbound concurrently, is if you try to do blocking by country or domain, so something like

Code:
local-zone: "cn" always_nxdomain
which will block any and all websites ending in .cn (china-based websites which I would have no occasion to ever visit and therefore gain more than I lose by blocking)
it will return NOERROR i.e. work without blocking, unless unbound is flying solo where it should correctly report NXDOMAIN when drilling/digging on a clear cache.


You can do some neat things with this :), I have some work on github in an experimental stage, because by blocking an entire domain, while it can silently break the internet if a site needed a resource from a site with a country code you're blocking, it also means you can block ridiculously high numbers of advertising and tracking if you would never normally visit anything of that domain.
The question was "do I need to have an entry in my blocklist for "somebadsite.cn" and wait for hundreds of as-yet-unidentified entries if I never go on any chinese websites anyway?"

Targets for the chopping block in my case are country codes like "cn", "ru", "zw", and spamhaus.org recommends domains ending "icu", "ad" "fit". Got to be careful with those domain names though, as entries like .xyz and .io are increasingly popular, good and bad.

:eek: It's incredibly destructive (block "net" or "com" and you'll break almost the entire internet!), but has a lot of potential on a per user basis if you're absolutely 100% sure the sites you use won't need to connect to anything involving these addresses. I believe there's a use for it in moderation and it can significantly cut down on blocklist sizes.
 
I would like to try Unbound and Unbound Manager, but it may not play well with all my toys. I've got to figure out which ones to put up and which ones to keep.
 
I was checking out my ipv6 page & found a similar settings "connect to dns server automatically", in wan i certainly have placed it at NO which is prerequisite for unbound to work properly, what about ipv6, should i disable this option in ipv6 also or what's the mechanism of ipv6 with fallback ipv4?
 
@Martineau If I am running v3.20 beta the vpn 5 command does not work and returns VPN Client arg '5' invalid, must be in range 1-5. vpn disable works as expected. I can add the vpn by reverting to the current version, running vpn 5 and then re-loading the beta.
 
@Martineau If I am running v3.20 beta the vpn 5 command does not work and returns VPN Client arg '5' invalid, must be in range 1-5. vpn disable works as expected. I can add the vpn by reverting to the current version, running vpn 5 and then re-loading the beta.
Whoops :oops:.....one day I will learn to code. :rolleyes:

I have uploaded v3.20b2 to the Github dev branch.
 
Whoops :oops:.....one day I will learn to code. :rolleyes:

I have uploaded v3.20b2 to the Github dev branch.
You're doing a great job! If it helps you, you are further along than me but I can make a mean batch file for ya. ;)
 
I am confused about what should happen when routing DNS requests though a VPN

1. What DNS server should be visible for a device NOT using the VPN
2. What DNS server should be visible for a device using the VPN

Using bowserleaks.com/ip to check for the DNS address.
Enable DNS-based Filtering = Router
unbound set to use VPN 5
On the VPN 5, I set Policy Rules = Strict (with a list of devices using the VPN) and tested with both Accept DNS = Exclusive and Disabled

If Accept DNS = Exclusive then

Device not using VPN: DNS = Router IP address
Device using VPN: DNS = VPN assigned IP address

If Accept DNS = Disabled then

Device not using VPN: DNS = Router IP address
Device using VPN: DNS = Router assigned IP address

Is this what I should expect?
My configuration is similar to yours and I have the same results. After reading this entire thread, it seems some people actually see their VPN interface IP as the reported DNS server (rather than the WAN interface IP) when Accept DNS = Disabled for devices using the VPN. My knowledge here is very limited, but I believe it is working properly for us even though the various sites such as browserleaks.com or dnsleaktest.com show the WAN IP. Testing this from a client using the VPN tunnel, "nslookup whatever.com <WAN IP>" fails for me even though dnsleaktest reports this WAN IP as my DNS server. "Nslookup whatever.com <VPN IP>" works as hoped (again, even though dnsleaktest reports WAN IP as DNS server). Tenta https://tenta.com/test/ uses a different approach (try with all of your scenarios) and is unable to determine DNS server for VPN bound clients.
 
Last edited:
You're doing a great job! If it helps you, you are further along than me but I can make a mean batch file for ya. ;)
I agree with @QuikSilver! I have been "wrestling" with Unbound on a Raspberry Pi running Raspbian. Can't tell you how many times I wished unbound_manager was supported in the Pi...
 
Since updating to v3.20, I'm no longer validating DNSSEC. Completed a new build, same result. Anyone else seeing this?
unbound_manager v3.20 should not have altered the core functionality of unbound.

Do you have the Rootcanary DNSSEC test failure when using unbound_manager v3.19?
 
Since updating to v3.20, I'm no longer validating DNSSEC. Completed a new build, same result. Anyone else seeing this?

unbound_manager v3.20 should not have altered the core functionality of unbound.

Do you have the Rootcanary DNSSEC test failure when using unbound_manager v3.19?

After I updated to 3.20 by using U then 1, I found that the internet was slow loading pages.
My remedy was to use the pinhole reset on the modem.
I held it for about a minute and when the modem rebooted all was working as it should.
 
@baud
I'm currently v3.19 and getting the same results as you from rootcanary I do not believe the issue is with the script. I have zero testing nor facts, but I have learned that many of my network/router "issues" are PEBKAC. I'm looking into what setting I "adjusted", now.
EDIT:
Updated to current v3.20 all is well when checking other services & only rootcanary gives poor response.
 
Last edited:
It appears that this is specific to Rootcanary. When using other validation tools (four total), I get successful validation.

My apologies to Martineau for taking up your valuable time. Thank you for what you do. You rock!
What are the other 4 tools you used for validation? Would you mind listing these here please?
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top