Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Here is a screenshot of the statistics before.
A screenshot of "rs" does not work.
And the code and statistics (open spoiler) after the firewall restart. (didn't fit all in one screenshot)
Maybe I understand something wrong with cache?
Edit:
And why are the attached screenshots so small after uploading to snb?
unbound (pid 12082) is running... uptime: 0 Days, 06:46:33 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Fri Apr 17 23:40:00 DST 2020)

1 = Update unbound files and configuration
2 = Remove unbound/unbound_manager
3 = Stop unbound
4 = Show unbound statistics
5 = Install Ad and Tracker blocker (Ad Block)
6 = Install Graphical Statistics GUI Add-on TAB
7 = Enable DNS Firewall

? = About Configuration
v = View ('/opt/var/lib/unbound/'unbound.conf)

e = Exit Script [?]

E:Option ==> 7

Do you want to enable DNS Firewall?

Reply 'y' or press [Enter] to skip
y
unbound_rpz.sh downloaded successfully
Custom '/opt/share/unbound/configs/rpzsites' already exists - 'rpzsites' download skipped

Created startup hook in services-start.
Created cron job.
Creating new unbound.conf.firewall file.
(unbound_rpz.sh): 27269 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.

######################################################################## 100.0%
Adding zone rpz.urlhaus.abuse.ch to unbound.conf.firewall.
Installed.
Adding 'include: "/opt/share/unbound/configs/unbound.conf.firewall" '/opt/var/lib/unbound/unbound.conf'

unbound DNS Firewall ENABLED

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

Shutting down unbound... done.
Starting unbound... done.

Checking status, please wait..... unbound OK

Router Configuration recommended pre-reqs status:

[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Enable local NTP server=YES
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO

Options:

[✔] unbound CPU/Memory Performance tweaks
[✔] unbound-control FAST response ENABLED
[✔] DNS Firewall ENABLED



unbound (pid 27399) is running... uptime: 0 Days, 00:00:09 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Fri Apr 17 23:40:00 DST 2020)

1 = Update unbound files and configuration
2 = Remove unbound/unbound_manager
3 = Stop unbound
4 = Show unbound statistics
5 = Install Ad and Tracker blocker (Ad Block)
6 = Install Graphical Statistics GUI Add-on TAB
7 = Disable DNS Firewall [?]

? = About Configuration
v = View ('/opt/var/lib/unbound/'unbound.conf)

e = Exit Script [?]

E:Option ==> 4

total.num.queries=0 total.num.prefetch=0 total.requestlist.max=0 total.requestlist.current.user=0 msg.cache.count=1011
total.num.queries_ip_ratelimited=0 total.num.expired=0 total.requestlist.overwritten=0 total.recursion.time.avg=0.000000 rrset.cache.count=5580
total.num.cachehits=0 total.num.recursivereplies=0 total.requestlist.exceeded=0 total.recursion.time.median=0 infra.cache.count=0
total.num.cachemiss=0 total.requestlist.avg=0 total.requestlist.current.all=0 total.tcpusage=0 key.cache.count=0

Summary: Cache Hits success=0.00%


unbound (pid 27399) is running... uptime: 0 Days, 00:00:14 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Fri Apr 17 23:40:00 DST 2020)

1 = Update unbound files and configuration
2 = Remove unbound/unbound_manager
3 = Stop unbound
4 = Show unbound statistics
5 = Install Ad and Tracker blocker (Ad Block)
6 = Install Graphical Statistics GUI Add-on TAB
7 = Disable DNS Firewall [?]

? = About Configuration
v = View ('/opt/var/lib/unbound/'unbound.conf)

e = Exit Script [?]

E:Option ==>
Unfortunately your very small picture doesn't help, but I think it shows

before
Code:
msg.cache.count=24xx
rrset.cache.count=69xx
and after
Code:
msg.cache.count=1011
rrset.cache.count=5580
The after cache reference statistics
Code:
total.num.queries=0
total.num.cachehits=0
total.num.cachemiss=0
show that you have made no requests to reference either the preserved 1011 msg.cache entries or the preserved 5580 rrset.cache entries available.

You are therefore wrong in your assumption that the cache is totally trashed; it's only the cache reference statistics (rather than the cache contents) that are lost after an unbound restart.

Do you understand the difference?

I would leave it as 1. That would be optimal for you.

Yes, given forked operation each thread is really a new process.

In the GUI report I purposely show these two items for this reason, to allow people to tweak.

Code:
Number of queries dropped because request list was full: 0
 Average number of requests in list for recursive processing: 0.735453

On my network the request list was never so full that it dropped any requests. Secondly, the number of requests to be recursively processed (remember cache hits are super fast, just recursive get stats) is under 1, meaning it never really has a queue.

I would guess that number would have to be entering double digits to justify another process.

That is my thinking. But perhaps others feel differently.
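The two points made above (a restart resets the counters but not the cache contents, and the request-list figures decide whether a second thread is worth it), as an added example that is not part of the thread or of unbound_manager: a POSIX sh script that reads `unbound-control stats` style key=value text and reports what the numbers prove. The sample values are constructed from the figures quoted in this thread.

```shell
#!/bin/sh
# Added example (not unbound_manager's own code): read 'unbound-control stats' style
# key=value text and tell counter state apart from cache contents.
# Constructed sample 1: the numbers the thread shows right after the firewall restart.
AFTER_RESTART='total.num.queries=0
total.num.cachehits=0
total.num.cachemiss=0
total.requestlist.avg=0
total.requestlist.exceeded=0
msg.cache.count=1011
rrset.cache.count=5580'
# Constructed sample 2: a busy resolver whose request list is backing up.
BUSY=$(printf '%s\n' total.num.queries=200 total.num.cachehits=150 total.num.cachemiss=50 \
    total.requestlist.avg=12.4 total.requestlist.exceeded=3 msg.cache.count=2400 rrset.cache.count=6900)

# stat_value STATS KEY -> the value for KEY, or 0 when the key is missing
stat_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v + 0 }'
}

# hit_rate STATS -> the "Cache Hits success" percentage as unbound_manager prints it
hit_rate() {
    q=$(stat_value "$1" total.num.queries); h=$(stat_value "$1" total.num.cachehits)
    awk -v q="$q" -v h="$h" 'BEGIN { printf "%.2f\n", ((q > 0) ? 100 * h / q : 0) }'
}

# cache_verdict STATS -> empty (no entries), preserved-unreferenced (entries present,
# no query has touched them yet) or in-use (entries present and queries served)
cache_verdict() {
    q=$(stat_value "$1" total.num.queries)
    m=$(stat_value "$1" msg.cache.count); r=$(stat_value "$1" rrset.cache.count)
    if [ "$m" -eq 0 ] && [ "$r" -eq 0 ]; then echo empty
    elif [ "$q" -eq 0 ]; then echo preserved-unreferenced
    else echo in-use; fi
}

# thread_advice STATS -> keep-1 unless the request list drops queries or its average
# depth reaches double digits (the rule of thumb given in the thread)
thread_advice() {
    avg=$(stat_value "$1" total.requestlist.avg)
    dropped=$(stat_value "$1" total.requestlist.exceeded)
    awk -v a="$avg" -v d="$dropped" 'BEGIN { print ((d > 0 || a >= 10) ? "add-thread" : "keep-1") }'
}

for s in "$AFTER_RESTART" "$BUSY"; do
    echo "hits=$(hit_rate "$s")% cache=$(cache_verdict "$s") threads=$(thread_advice "$s")"
done
```

On a router, replace the constructed samples with `unbound-control stats_noreset` output to get the same verdict for the live instance.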
 
Thank you for realizing this feature! Setting up is much easier with your script. And if the VPN-IP of tun1 changes (it sometimes does...), it is quite simple to correct within unbound. Perfect!
Kudos to yourself, for innovating/proving the concept :)

So hopefully if you have the time, could you test my 'bloated mess!' :p of a script further?... You should be able to automate the process when the VPN IP changes:

Use the openvpn-event trigger
EDIT: As per post #1574

i.e. vpnclient1-up
Code:
/jffs/addons/unbound/unbound_manager.sh   vpn=1   delay=1   &

vpnclient1-route-pre-down
Code:
/jffs/addons/unbound/unbound_manager.sh   vpn=disable
 
Pushed an updated GUI stats change. Fixed display issues and script issues during install, and added some features. You do not need to enable the new features, as from my testing this should work just fine without that data (but will show some sections with No Data).

- Added adblocked stats (requires log-local-actions enabled)
- Added DNS Firewall stats (requires DNS Firewall enabled, log-rpz)
- Added Top Reply Domains (requires DNS Firewall enabled)

To support this, log scraping is done every hour, but if logs are not enabled this has no impact.

NOTE: you will need to re-install GUI Stats to get new files and install new tasks.


-- edit ---

Also, it seems the unbound team has fixed the URL: issues with the urlhaus site. It seems they didn't support TLS SNI checks for their cert and they have added it. We will need to enable the new tls-use-sni: conf once we have a build in entware that has this change. Likely a few months.

https://github.com/NLnetLabs/unbound/issues/193
 
@JGrana
Here's your services-start copied from other thread

Sure. Here is my services-start:
Code:
#!/bin/sh
/jffs/scripts/setbashrc.sh
/jffs/scripts/uiScribe startup # uiScribe
/jffs/scripts/connmon startup # connmon
if [ -x /jffs/scripts/MountNAS.sh ]; then
    /jffs/scripts/MountNAS.sh # mount local QNap NAS
fi
/jffs/scripts/ntpmerlin startup # ntpMerlin
cru a root_servers "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache" # unbound_manager
cru a UpdateRPZ "*/15 * * * * /opt/var/lib/unbound/rpzupdate.sh"
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh
/jffs/addons/unbound/ubcash restore & # Restore unbound cache if not too old
/jffs/scripts/spdmerlin startup & # spdMerlin

Note - MountNAS.sh is a one-line script that mounts my local NAS share (smb).
ubcash restore is a home-made script that reloads unbound's cache if it is less than 10 mins old.

I don't see unbound in my services-start; also, could you please elaborate on MountNAS.sh?
Thanks
 
Start unbound_manager and request the VPN

e.g. VPN Client 1
Code:
e  = Exit Script [?]

A:Option ==> vpn 1

Option Auto Reply 'y'
 unbound requests via VPN Client  tunnel ENABLED

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

 Shutting down unbound...              done.
 Starting unbound...              done.

For some odd reason, I'm stuck here. When I start unbound_manager and request to look at VPN 1, I keep getting the message: Invalid option "vpn 1" Please enter a valid option.

I'm currently using VPN 1.
 
Check the VPN config in 'unbound.conf' (or use 'v')
Code:
grep VPN /opt/var/lib/unbound/unbound.conf

#outgoing-interface: xxx.xxx.xxx.xxx        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP
Check VPN status
Code:
ip route show | grep tun1
Start unbound_manager and request the VPN

e.g. VPN Client 1
Code:
e  = Exit Script [?]

A:Option ==> vpn 1

Option Auto Reply 'y'
 unbound requests via VPN Client  tunnel ENABLED

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

 Shutting down unbound...              done.
 Starting unbound...              done.
'unbound.conf' entry should show VPN IP address
Code:
grep VPN /opt/var/lib/unbound/unbound.conf

outgoing-interface: 100.120.223.42        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP
To reset unbound to the WAN
Code:
e  = Exit Script [?]

A:Option ==> vpn disable

 unbound requests via VPN Client tunnel DISABLED

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

 Shutting down unbound...              done.
 Starting unbound...              done.



cromo@RT-AX88U:/tmp/home/root# unbound_manager vpn=2
/opt/bin/unbound_manager: local: line 3725: 2: bad variable name
sed: unmatched '/'

unbound requests via VPN Client tunnel ENABLED

[1587236484] unbound-checkconf[23944:0] error: cannot parse ip address: 'xxx.xxx.xxx.xxx'
[1587236484] unbound-checkconf[23944:0] fatal error: cannot parse outgoing-interface specified as 'xxx.xxx.xxx.xxx'

***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file


Should I have set the IP in the conf file first?
 
Hi,

Unbound is started by /opt/etc/init.d - not services-start. The periodic updating of information (root_servers and rpz) is handled by services-start (via a cron job/cru).

The MountNAS.sh is an older script I wrote that mounts a partition from a NAS to the router (using SMB). I used to coordinate a backup job with it. I left it in - it's often a quick way to move files between other PCs in my house and the router. I'm too lazy to look for and plug in USB sticks ;-)
 
I've pushed a Hotfix; use 'u' when it appears.

Version=3.04 md5=c72b117b0a1c009e30a49c849e168fac
although I can't replicate the 'sed' error... but the xxx.xxx.xxx.xxx is correctly replaced in 'unbound.conf' :confused:
Code:
 unbound_manager vpn=1

/opt/bin/unbound_manager: local: line 3725: 1: bad variable name
 unbound requests via VPN Client  tunnel ENABLED

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

Adding 'include: "/opt/share/unbound/configs/unbound.conf.add"  '/opt/var/lib/unbound/unbound.conf'
 Shutting down unbound...              done.
 Starting unbound...              done.

Checking status, please wait..... unbound OK
 
For some odd reason, I'm stuck here. When I start unbound_manager and request to look at VPN 1, I keep getting the: "Invalid option "vpn 1" Please enter a valid option.

I'm currently using VPN 1.
In 'Easy' menu mode, many commands are not available - particularly experimental 'Advanced' commands/features.
 
It works!
Thanks!
If the VPN goes down, DNS stops, right? Or is there a fallback?
 
if vpn goes down, dns stops, right? or is there a fallback?
Yes, if the VPN disconnects then unbound will stop.

The feature is currently experimental to use at your own risk.

However, as an 'Advanced' user, you will need to ensure that you implement a fallback:

vpnclientX-route-pre-down
Code:
unbound_manager   vpn=disable
etc.
 
Thank you,

Do I simply create /jffs/scripts/vpnclient1-route-pre-down and /jffs/scripts/vpnclient1-route-up, and are they automatically called on those events?


[edit]
Found it: I needed to get a copy of /jffs/scripts/openvpn-event too

 
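The hook setup discussed above (vpnclient1-up running `vpn=1 delay=1 &`, vpnclient1-route-pre-down running `vpn=disable` as the fallback, and the openvpn-event script that calls them), as an added example that is neither the thread's nor the firmware's own script. It assumes the unbound_manager path used in the thread and the tun11 = VPN Client 1 device naming shown in the `ip route` output further down.

```shell
#!/bin/sh
# Added example of /jffs/scripts/openvpn-event (not unbound_manager's own code).
# OpenVPN hands every hook script $script_type (up, route-up, route-pre-down, ...)
# and $dev (tun11 = VPN Client 1 on Asuswrt-Merlin). Assumed paths: unbound_manager
# at /jffs/addons/unbound/unbound_manager.sh, per-client hooks under /jffs/scripts.
UM=/jffs/addons/unbound/unbound_manager.sh
HOOK_DIR=/jffs/scripts

# client_number DEV -> VPN client number for tun11..tun15, empty for any other device
client_number() {
    case "$1" in
        tun1[1-5]) echo "${1#tun1}" ;;
        *)         echo "" ;;
    esac
}

# hook_path SCRIPT_TYPE DEV -> the vpnclientN-<event> script the thread asks about
hook_path() {
    n=$(client_number "$2")
    if [ -n "$n" ]; then echo "$HOOK_DIR/vpnclient$n-$1"; else echo ""; fi
}

# unbound_action SCRIPT_TYPE DEV -> unbound_manager arguments for this event:
# tunnel up: send queries via the VPN; route-pre-down: fall back to the WAN *before*
# the route disappears, so name resolution does not stop when the VPN drops.
unbound_action() {
    n=$(client_number "$2")
    [ -n "$n" ] || { echo ""; return 0; }
    case "$1" in
        up|route-up)    echo "vpn=$n delay=1" ;;
        route-pre-down) echo "vpn=disable" ;;
        *)              echo "" ;;
    esac
}

dispatch() {
    hook=$(hook_path "$script_type" "$dev")
    if [ -n "$hook" ] && [ -x "$hook" ]; then
        "$hook"; return    # the per-client script carries the commands, as in the thread
    fi
    args=$(unbound_action "$script_type" "$dev")   # built-in default when no hook exists
    [ -n "$args" ] || return 0
    logger -t openvpn-event "$script_type on $dev: unbound_manager $args"
    case "$args" in
        vpn=disable) "$UM" $args ;;    # synchronous: must finish while the tunnel still exists
        *)           "$UM" $args & ;;  # backgrounded, as the thread's vpnclient1-up does
    esac
}

# Only act when OpenVPN actually invoked us, so the functions can be sourced and tested.
if [ -n "${script_type:-}" ] && [ -n "${dev:-}" ]; then
    dispatch
fi
```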
In 'Easy' menu mode, many commands are not available - particularly experimental 'Advanced' commands/features.
Ok ...I apologize for my ignorance, but how do I get to advanced mode?
 
Check VPN status
Code:
ip route show | grep tun1
Start unbound_manager and request the VPN

Ok, finally I'm getting somewhere haha. So when I run the command "ip route show | grep tun1" I get the following:
admin@RT-AX88U-xxxx:/tmp/home/root# ip route show | grep tun1
10.16.10.9 dev tun11 proto kernel scope link src 10.16.10.10

Do I simply copy and paste the 10.16.10.9 to the unbound script?
#outgoing-interface: xxx.xxx.xxx.xxx
 
Why not follow the instruction in post #1500? :rolleyes:
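The steps of post #1500 (find the tunnel address, set `outgoing-interface:`, run unbound-checkconf, restart), as an added example that is neither the thread's nor unbound_manager's code: the router's own tunnel address is the `src` field of the `ip route` line (10.16.10.10 in the output quoted above, not the 10.16.10.9 peer address), and the rewritten file is only swapped in after unbound-checkconf accepts it. Paths assume the unbound.conf location shown on the page; `unbound-control reload` for applying the change is an assumption.

```shell
#!/bin/sh
# Added example, not unbound_manager's own code: the manual steps behind the thread's
# 'vpn 1' and 'vpn disable' options. Assumes unbound.conf lives where the page shows it.
CONF=/opt/var/lib/unbound/unbound.conf
# Constructed samples: the route line quoted in the thread plus a commented-out conf line.
SAMPLE_ROUTES='0.0.0.0/1 via 10.16.10.9 dev tun11
10.16.10.9 dev tun11 proto kernel scope link src 10.16.10.10
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'
SAMPLE_CONF='server:
#outgoing-interface: xxx.xxx.xxx.xxx        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP
    verbosity: 1'

# tun_local_ip DEV ROUTES -> the router's own address on DEV, i.e. the "src" field. The first
# address on that line (10.16.10.9 above) is the peer; outgoing-interface needs a local address.
tun_local_ip() {
    printf '%s\n' "$2" | awk -v d="$1" '$2 == "dev" && $3 == d {
        for (i = 4; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}
# valid_ipv4 ADDR -> exit 0 for a dotted quad with octets 0-255 (rejects xxx.xxx.xxx.xxx)
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}
# set_outgoing CONF_TEXT ADDR -> conf with the line uncommented and pointed at ADDR, keeping the
# trailing "# v1.08 ..." comment. A "|" sed delimiter avoids the "unmatched '/'" error seen in
# the thread, which sed raises when a "/"-delimited expression itself contains a "/".
set_outgoing() {
    printf '%s\n' "$1" | sed "s|^\([ ]*\)#*[ ]*outgoing-interface:[^#]*|\1outgoing-interface: $2        |"
}
# clear_outgoing CONF_TEXT -> comment the line out again so queries leave via the WAN
clear_outgoing() {
    printf '%s\n' "$1" | sed 's|^\([ ]*\)outgoing-interface:|\1#outgoing-interface:|'
}
# active_outgoing CONF_TEXT -> address on an uncommented outgoing-interface line, else empty
active_outgoing() {
    printf '%s\n' "$1" | awk '$1 == "outgoing-interface:" { print $2; exit }'
}
# apply N|disable -> rewrite the live file, swapping it in only once unbound-checkconf accepts it
apply() {
    cur=$(cat "$CONF")
    if [ "$1" = disable ]; then new=$(clear_outgoing "$cur")
    else
        ip=$(tun_local_ip "tun1$1" "$(ip route show)")
        valid_ipv4 "$ip" || { echo "tun1$1 has no local address; config left alone" >&2; return 1; }
        new=$(set_outgoing "$cur" "$ip")
    fi
    printf '%s\n' "$new" > "$CONF.new"
    unbound-checkconf "$CONF.new" && mv "$CONF.new" "$CONF" && unbound-control reload
}
case "${1:-}" in vpn) apply "$2" ;; disable) apply disable ;; esac   # usage: sh this.sh vpn 1 | disable
```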
 
