Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

I think you and I are quite kindred in our love of tweaking you know ;) I wouldn't mess with MTU though - the lower number of you to your router vs router to your ISP etc etc will end up being the bottleneck, and if it's too big it'll cause fragmentation and a lot of ICMP type 3 packets in response to say 'woahhh boy, get that MTU down!'
Jumbo frames purely on the LAN side is cool though - and can lead to some crazy transfer speeds. The Internet's not ready for 9KB packet sizes lol

On the last point I beg to differ - if we're building 1Gbps internet AND have interfaces capable of that speed - turning up the pressure a bit (ok, sextupling it) shouldn't break it too badly. Seriously, 4096 is plenty big for me so far...that in-between, bigger than standard but not full blown jumbo (and if you look at the NIC in that article, it can go superjumbo 16000b !!! That would be handy on a 10G Fibre LAN, I suppose )
On your second point - do you happen to know if setting MRU to 0 in Merlin's WAN settings is the same as it is setting zeros/unlimited in Cake-QoS' up/down speeds? ;)
(I guess I pretty much just confirmed your very first point...lol) Yeah, MTU depends on the ISP and whatever is between you and them...best not to blow them up ;)

Frame sizes article: https://www.smallnetbuilder.com/lan...1-need-to-know-jumbo-frames-in-small-networks
GigE connections only it seems - as usual, copper beats aether.
 
What do you guys think, does the Unbound manager help with online gaming performance? Or is it better to use a normal DNS like 1.1.1.1?
Would you recommend using either Diversion or the blocking script in the unbound manager, and also turning off AiProtection?
 
And how about the ad blocker, does unbound have the same good adblocker as Diversion, or do you think performance-wise it is better to uninstall unbound and just use Diversion and FlexQoS?
 
They use the exact same blocking files, Diversion and unbound. The real question is, do you want to have unbound, Diversion and FlexQoS running, or just unbound OR Diversion and QoS?
 
@Martineau - can you advise what is being counted in the web page Top Reply Domains - is it queries, replies or both?
e.g. if I see this in the Syslog (via Scribe)
Code:
Oct 12 16:22:45 RT-AX88U-5050 unbound: [3811:0] query: 127.0.0.1 connectivitycheck.gstatic.com. A IN
Oct 12 16:22:45 RT-AX88U-5050 unbound: [3811:0] reply: 127.0.0.1 connectivitycheck.gstatic.com. A IN NOERROR 0.000000 1 63
Oct 12 16:22:45 RT-AX88U-5050 unbound: [3811:0] query: 127.0.0.1 connectivitycheck.gstatic.com. AAAA IN
Oct 12 16:22:45 RT-AX88U-5050 unbound: [3811:0] reply: 127.0.0.1 connectivitycheck.gstatic.com. AAAA IN NOERROR 0.000000 1 75
is this 2 or 4 entities? I see one block like this about once a minute.

Background
I have noticed that 90%+ of all DNS queries were to one site, connectivitycheck.gstatic.com, and they all originated from two Nvidia TV Shields, and almost all of them were from the devices' IPv6 addresses. I am now trying to look at whether this is just an Nvidia issue or whether the way that unbound works is part of the issue.

So far I have disabled IPv6 on each TV Shield and while connectivitycheck.gstatic.com is still the most common DNS call - now it is only 10% more than ipv6.msftconnecttest.com (and around twice www.google.com).

I did find some articles that discuss how the TV Shields like to phone home by running a /generate204 request and, if they do not get it, will immediately re-run it. What I am trying to understand is whether this is failing under IPv6 and, if so, whether Unbound has anything to do with it.

I am thinking of using tcpdump to see what happens with IPv6 enabled on the TV Shields with and without unbound, using the IPv4 and IPv6 addresses, but am not sure of the syntax. At this stage I am just looking to see if I have substantially different levels of traffic.

If I run "tcpdump -vvAs0 host 10.20.20.75 and port 53 -i br0" (10.20.20.75 is one of the TV Shields) then I can see the requests and responses,
but every response contains something like [bad udp cksum 0xyyyy -> 0xzzzz!] -

Code:
17:29:41.167226 IP (tos 0x0, ttl 64, id 33864, offset 0, flags [DF], proto UDP (17), length 75)
    10.20.20.75.60645 > RT-AX88U-5050..domain: [udp sum ok] 38266+ A? connectivitycheck.gstatic.com. (47)
E..K.H@.@.#.
7?K
7?....5.7...z...........connectivitycheck.gstatic.com.....

17:29:41.168598 IP (tos 0x0, ttl 64, id 61369, offset 0, flags [DF], proto UDP (17), length 91)
    RT-AX88U-5050..domain > 10.20.20.20.60645: [bad udp cksum 0x9312 -> 0xbb29!] 38266 q: A? connectivitycheck.gstatic.com. 1/0/0 connectivitycheck.gstatic.com. A 172.217.169.35 (63)
E..[..@.@...
7?.
7?K.5...G...z...........connectivitycheck.gstatic.com..............x.....#

I get the same [bad udp cksum 0xyyyy -> 0xzzzz!] in most replies - is this something I should be concerned about or just checksum offloading?
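The question above asks what the web page's "Top Reply Domains" counts. The following is an added example, not part of the post or of unbound_manager: a small parser for the unbound query/reply syslog lines shown above that counts queries and replies separately per domain and per client, and works out each domain's share of all queries (the "90%+" figure). The log lines are constructed copies of the post's own format; the extra www.google.com lines and the 10.20.20.75 client are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format unbound emits with log-queries/log-replies
# enabled, as seen in the post via syslog. The last two lines are invented.
SAMPLE_LOG = """\
Oct 12 16:22:45 RT-AX88U-5050 unbound: [3811:0] query: 127.0.0.1 connectivitycheck.gstatic.com. A IN
Oct 12 16:22:45 RT-AX88U-5050 unbound: [3811:0] reply: 127.0.0.1 connectivitycheck.gstatic.com. A IN NOERROR 0.000000 1 63
Oct 12 16:22:45 RT-AX88U-5050 unbound: [3811:0] query: 127.0.0.1 connectivitycheck.gstatic.com. AAAA IN
Oct 12 16:22:45 RT-AX88U-5050 unbound: [3811:0] reply: 127.0.0.1 connectivitycheck.gstatic.com. AAAA IN NOERROR 0.000000 1 75
Oct 12 16:22:46 RT-AX88U-5050 unbound: [3811:0] query: 10.20.20.75 www.google.com. A IN
Oct 12 16:22:46 RT-AX88U-5050 unbound: [3811:0] reply: 10.20.20.75 www.google.com. A IN NOERROR 0.012345 0 59
"""

# query lines: "query: <client> <name> <type> <class>"
# reply lines: "reply: <client> <name> <type> <class> <rcode> <time> <fromcache> <size>"
LINE_RE = re.compile(
    r"unbound: \[\d+:\d+\] (?P<kind>query|reply): (?P<client>\S+) (?P<name>\S+) "
    r"(?P<qtype>\S+) (?P<qclass>\S+)"
    r"(?: (?P<rcode>\S+) (?P<time>\S+) (?P<fromcache>\d) (?P<size>\d+))?"
)


def parse_line(line):
    """Return a dict for an unbound query/reply line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = rec["name"].rstrip(".").lower()   # normalise the FQDN
    if rec["kind"] == "reply":
        rec["fromcache"] = rec["fromcache"] == "1"   # 1 = answered from cache
        rec["time"] = float(rec["time"])
        rec["size"] = int(rec["size"])
    return rec


def summarize(log_text):
    """Count queries and replies per domain, queries per client, and cached replies."""
    queries, replies, clients = Counter(), Counter(), Counter()
    cached = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            queries[rec["name"]] += 1
            clients[rec["client"]] += 1
        else:
            replies[rec["name"]] += 1
            cached += rec["fromcache"]
    return {"queries": queries, "replies": replies,
            "clients": clients, "cached_replies": cached}


def domain_share(summary):
    """Fraction of all queries that each domain accounts for (for spotting chatty devices)."""
    total = sum(summary["queries"].values())
    return {name: n / total for name, n in summary["queries"].items()} if total else {}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for name, n in s["queries"].most_common():
        print(f"{name:35} queries={n} replies={s['replies'][name]} "
              f"share={domain_share(s)[name]:.0%}")
    print("replies from cache:", s["cached_replies"])
```

Each A/AAAA pair therefore produces two query records and two reply records, and the script keeps the two counts apart so you can compare them with whatever the web page reports.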
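On the "[bad udp cksum ...]" flag: the example below is added here and is not code from the post. It computes and verifies the RFC 768 UDP checksum over the IPv4 pseudo-header for a DNS query segment, so a captured reply can be re-checked independently of tcpdump. The source and destination addresses, port numbers and transaction id are taken from the capture in the post; the packet bytes themselves are constructed. A capture taken on the sending host before its NIC fills in the checksum (transmit checksum offload) shows a wrong value in the field; the same packet captured on the receiving client verifies, which is the check that separates an offload artifact from real corruption.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, udp_segment: bytes) -> int:
    """Checksum of an IPv4 UDP segment, computed with its checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(udp_segment)))   # zero, proto UDP, length
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF   # a computed 0 is transmitted as 0xFFFF; 0 on the wire means "none"


def verify_udp_checksum(src_ip: str, dst_ip: str, udp_segment: bytes) -> str:
    """'ok', 'bad', or 'none' (IPv4 allows a zero checksum meaning not computed)."""
    stored = struct.unpack("!H", udp_segment[6:8])[0]
    if stored == 0:
        return "none"
    return "ok" if udp_checksum(src_ip, dst_ip, udp_segment) == stored else "bad"


def build_dns_query(src_ip, dst_ip, sport, dport, txid, qname) -> bytes:
    """Constructed UDP segment carrying a minimal DNS A query for qname."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    dns = (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # id, RD flag, QDCOUNT=1
           + labels + b"\x00" + struct.pack("!HH", 1, 1))    # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    csum = udp_checksum(src_ip, dst_ip, udp)
    return udp[:6] + struct.pack("!H", csum) + udp[8:]


if __name__ == "__main__":
    # Addresses/ports/txid as in the post's capture; 10.20.20.1 assumed as the router.
    q = build_dns_query("10.20.20.75", "10.20.20.1", 60645, 53, 38266,
                        "connectivitycheck.gstatic.com")
    print("DNS payload bytes:", len(q) - 8)            # 47, matching "(47)" in the capture
    print("checksum:", verify_udp_checksum("10.20.20.75", "10.20.20.1", q))
```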
 
Got auto-response from developer to say ... on leave until 12th October ... :(
Developer has fixed ... Rootcanary test back up and running ...
 
I just observed that the AdBlock is not working for devices connected via 5G Wi-Fi.
This happens for me on 386 alpha firmware only. Is AdBlock filtering somehow dependent on some interface names or something like this?

RESOLVED - I had set a private DNS on my phone. Now it is working fine.
But, on 384.x it was working even with this set on.
 
Is there a way to confirm that Unbound is going to the Root servers via IPv6 and not hitting my local ISP DNS servers? The router stats pages only show IPv4 activity, so I don't see a way to confirm this for IPv6.
 
Does the following 'Advanced mode' command give you the IPv6 stats?
Code:
e  = Exit Script [?]

A:Option ==> s query

total.num.queries=15130            total.num.expired=349                 total.requestlist.exceeded=0             total.tcpusage=0
total.num.queries_ip_ratelimited=0 total.num.recursivereplies=119        total.requestlist.current.all=0          msg.cache.count=508
total.num.cachehits=15011          total.requestlist.avg=0.0424144       total.requestlist.current.user=0         rrset.cache.count=1827
total.num.cachemiss=119            total.requestlist.max=5               total.recursion.time.avg=0.083536        infra.cache.count=628
total.num.prefetch=4172            total.requestlist.overwritten=0       total.recursion.time.median=0.0372364    key.cache.count=52

Summary: Cache Hits success=99.00%

num.query.type.A=10710        num.query.opcode.QUERY=15130    num.query.flags.QR=0        num.query.flags.AD=6          num.query.aggressive.NXDOMAIN=0
num.query.type.NS=237         num.query.tcp=0                 num.query.flags.AA=0        num.query.flags.CD=237        num.query.authzone.up=7
num.query.type.PTR=50         num.query.tcpout=17             num.query.flags.TC=0        num.query.edns.present=268    num.query.authzone.down=0
num.query.type.AAAA=4077      num.query.tls=0                 num.query.flags.RD=14893    num.query.edns.DO=231
num.query.type.SRV=56         num.query.tls.resume=0          num.query.flags.RA=0        num.query.ratelimited=0
num.query.class.IN=15130      num.query.ipv6=0                num.query.flags.Z=0         num.query.aggressive.NOERROR=2
NOTE: my ISP doesn't provide IPv6
 
I have been running unbound_manager without dnsmasq for quite a while now, just upgraded to 3.21
I found the whole setup very stable now. Keep up good work @Martineau
 
Does the following 'Advanced mode' command give you the IPv6 stats?
Code:
e  = Exit Script [?]

A:Option ==> s query
NOTE: my ISP doesn't provide IPv6

I get this - I am not sure if unbound truly listens on IPv6 on my local network, but clearly browsers do not mind
Code:
Summary: Cache Hits success=99.00%

num.query.type.A=10602          num.query.type.PTR=2            num.query.class.IN=21277        num.query.tls.resume=0          num.query.flags.RD=21274        num.query.edns.present=2        num.query.authzone.up=1
num.query.type.NS=1             num.query.type.HINFO=1          num.query.opcode.QUERY=21277    num.query.ipv6=0                num.query.flags.RA=0            num.query.edns.DO=1             num.query.authzone.down=0
num.query.type.CNAME=1          num.query.type.TXT=5            num.query.tcp=0                 num.query.flags.QR=0            num.query.flags.Z=1             num.query.ratelimited=0
num.query.type.SOA=5            num.query.type.AAAA=10623       num.query.tcpout=0              num.query.flags.AA=0            num.query.flags.AD=0            num.query.aggressive.NOERROR=0
num.query.type.WKS=1            num.query.type.TYPE65=36        num.query.tls=0                 num.query.flags.TC=0            num.query.flags.CD=0            num.query.aggressive.NXDOMAIN=0

I never managed to understand how the IPv6 config is supposed to work exactly; I have a feeling I should add something - I have only the standard section with ::0
Code:
 do-ip6: yes
 interface: ::0
 access-control: ::0/0 refuse
 access-control: ::1 allow
 private-address: fd00::/8
 private-address: fe80::/10

IPv6 address advertised as DNS server to client, as ipconfig /all shows

DNS Servers . . . . . . . . . . . : 2a00:2222:6666:8900::1
10.10.10.1
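Whether an IPv6 client is served depends on the access-control rules, not only on the interface line. Below is an added example (not unbound's code and not part of the post) that parses the access-control lines from the fragment above and applies unbound's documented rule that the most specific matching netblock decides, with refuse as the fallback when nothing matches. With the post's rules, only ::1 is allowed over IPv6, so a LAN client on the advertised prefix is refused; the second configuration adds an allow for the 2a00:2222:6666:8900::/64 prefix seen in the ipconfig output to show the difference (the client addresses are constructed).

```python
import ipaddress

# Rules exactly as in the post's unbound.conf fragment.
PAGE_CONF = """\
do-ip6: yes
interface: ::0
access-control: ::0/0 refuse
access-control: ::1 allow
private-address: fd00::/8
private-address: fe80::/10
"""

# Same fragment plus an allow for the LAN prefix the router advertises (constructed change).
LAN_CONF = PAGE_CONF + "access-control: 2a00:2222:6666:8900::/64 allow\n"


def parse_access_control(conf_text):
    """Return [(ip_network, action), ...] from access-control: lines, ignoring comments."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        netblock, action = line.split(":", 1)[1].split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def decide(rules, client_ip, default="refuse"):
    """Action for client_ip: the longest-prefix matching netblock wins; default if none."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else default


def explain(rules, client_ip):
    """Human-readable trace of the decision for one client."""
    addr = ipaddress.ip_address(client_ip)
    matches = [(net, action) for net, action in rules
               if net.version == addr.version and addr in net]
    matches.sort(key=lambda m: m[0].prefixlen, reverse=True)
    chain = ", ".join(f"{net} {action}" for net, action in matches) or "no match"
    return f"{client_ip}: {decide(rules, client_ip)} ({chain})"


if __name__ == "__main__":
    for label, conf in (("post's config", PAGE_CONF), ("with LAN /64 allowed", LAN_CONF)):
        rules = parse_access_control(conf)
        print(label)
        for client in ("::1", "2a00:2222:6666:8900::abcd", "fe80::1234", "10.10.10.50"):
            print("  " + explain(rules, client))
```

Note that the fragment carries no IPv4 access-control lines at all, so the script refuses 10.10.10.50 by default; in a real install those rules live elsewhere in unbound.conf and would need to be fed in too.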
 
So I am trying to re-install to go into advanced mode. But no matter what I try I get a standard install. I am not getting the option to use an i as an option mode. In fact my menu shows a 1. See attached. So entering i all or i 5 results in an error.
 

Made a change in config to
Code:
interface: 2a00:2222:6666:8900::1
access-control: ::/0 refuse
Now nslookup at the Windows prompt is fine; funny, browsers worked anyway before.
But this address will change on next reboot due to PD!
 
So your num.query.ipv6 stats metric is now no longer 0 ?
 
VPN interface is 'stuck' using 3.21b and v1.11 (from uf dev and i dev respectively)

If I run vpn disable (from unbound_manager advanced Option 3) then I can see the VPN interface disabled in unbound.conf

#outgoing-interface: 10.8.1.3 # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

However if I reboot the router, either by dismounting the USB disk and then rebooting from GUI (which I normally do) or by just rebooting then the VPN interface is re-enabled.

outgoing-interface: 10.8.2.6 # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

I also checked the position if I reverted to 3.21 and it is slightly different

Starting with VPN enabled and then disabling it in advance
if I dismount the USB drive and then reboot, it reverts to the setup with VPN enabled
if I just reboot then it keeps the vpn disabled setting
if I then apply uf dev, the VPN is immediately re-enabled.

I know I must be missing something, but I don't know what.
 
If you wish to force all unbound requests via a VPN Client, then you should be using the appropriate openvpn-event triggers

e.g.

'/jffs/scripts/vpnclientX-up'
Code:
unbound_manager.sh vpn=X
'/jffs/scripts/vpnclientX-down'
Code:
unbound_manager.sh vpn=disable
to modify 'unbound.conf'

Also, as a failsafe during the boot process i.e. before the VPN Client(s) are connected, it is recommended that you also modify

'/jffs/scripts/post-mount'
Code:
logger "Checking unbound VPN bind....."
[ -n "$(which unbound_manager)" ] && { sh /jffs/addons/unbound/unbound_manager.sh vpn=disable; logger "unbound VPN routing DISABLED"; } # unbound_manager
 
Anyone ever seen this error msg:

Code:
unbound-checkconf: error while loading shared libraries: libevent-2.1.so.7: cannot open shared object file: No such file or directory

I'm basically trying to install unbound to test something.
 
