
Adding Unbound when you have Diversion


Weblee2407

Regular Contributor
I installed and configured Unbound as instructed by the setup routine and enabled the YouTube Ad blocking. It worked for the first day and hasn't worked since. I uninstalled, rebooted and installed again without the same impact. Anyway, every time I go into it and look at other options it "warns me" (ok scares me) that I am going to disable IpTables or DNSMasq - along with the ever present warning DIVERSION INSTALLED. It seems all the forum posts are at least 1-year-old and seem outdated and the Wiki doesn't seem to explain enough, so I am counting on the experts here to compare and contrast:

Stubby vs DNSmasq (I mistakenly thought DNSmasq WAS a resolver that queried root servers) vs DoT


How to best use both Diversion and Unbound, or do I have to choose?

Thanks in advance for the knowledge transfer to come!
 
It's late (for me), and I'm quite tired, but I don't quite understand what your concern or question is.
I've found that the YouTube blocking in both unbound and diversion is...hit and miss. I've left the diversion version on, and disabled the unbound on my router.
It's best to use diversion for ad-blocking and unbound for DNS in my experience.
Both devs for those scripts are here and talk with each other (and Merlin) to streamline their functioning together, so there should be no need to un-install one in favour of the other - they were built to work together, except for YouTube blocking (which if you have engaged in both will be counterproductive), which is not uncommon or unexpected.
You shouldn't need to configure stubby (DoT) within unbound. IPTables is basically a firewall which can help diversion, and dnsmasq can be either a help or a hindrance to unbound depending on your setup.
Bigger brains than I will see this and agree with or correct me, so be prepared for more in-depth advice...which was the point of your post ;)
 
Well, I will just chip away at things as they come up. I can't find an option to enable log-replies in the unbound_manager menu. Also, I see lots of statements about the "advanced options menu" - my option 3 is not advanced options it is STOP UNBOUND.




OK...looking into

that worked!
 
ok, but the question or concern is "do you need that amount of logging for your network?"
remember: just because you CAN doesn't mean you SHOULD
 
I can't find an option to enable log-replies in the unbound_manager menu. Also, I see lots of statements about the "advanced options menu" - my option 3 is not advanced options it is STOP UNBOUND.
Start unbound manager using

Code:
unbound_manager advanced

+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.23bF by Martineau                     |
|                                                                      |
+======================================================================+
unbound (pid 9986) is running... uptime: 0 Days, 14:27:22 version: 1.17.1 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Fri Jul 14 06:56:40 DST 2023)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3  = Advanced Tools                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                               oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)      s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user1.asp)

e  = Exit Script [?]

A:Option ==> 3
Code:
i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x  = Stop unbound                                                      vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration [filename]
                                                                       rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                               oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size                                s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user1.asp)
                                                                       adblock = Install Ad Block [uninstall | update | track]
DisableFirefoxDoH = Disable Firefox DoH [yes | no]                     youtube = Install YouTube Ad Block [uninstall | update]
Stubby = Enable Stubby Integration                                     DoT = Enable DNS-over-TLS
                                                                       firewall = Enable DNS Firewall [disable | ?]
bind = BIND unbound to WAN [debug | disable | debug show]              vpn = BIND unbound to VPN {vpnid [debug]} | [disable | debug show] e.g. vpn 1

scribe = Enable scribe (syslog-ng) unbound logging           
dnsmasq = Disable dnsmasq [disable | interfaces | nointerfaces]        ea = Edit Ad Block Allowlist (eb=Blocklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT)     ca = Cache Size Optimisation [ min | calc ]
                                                                       views = [? | uninstall] | {view_name [? | remove]} | {view_name [[type] domain_name[...] | IP_address[...]] [del]} ]
                                                                       safesearch = Enable Safe Search [disable | status | ? ] e.g. redirect google.com to forcesafesearch.google.com
                                                                       localhost = Add { domain_name {IP_address | del} }

dig = {domain} [time] Show dig info e.g. dig asciiart.com              lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                           dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links


[Enter] Leave Advanced Tools Menu

e  = Exit Script [?]

A:Option ==>
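
Related to the `oq`/`ox` options in the menu above and the question of how much logging is needed: an added example, not part of the thread or of unbound_manager, that reports which unbound logging options a config file enables. The function names and the sample config are constructed for illustration; the option names and defaults are standard unbound.conf settings, and taking the last uncommented value in the file is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: audit the logging-related options in an unbound config file.

# Print the last uncommented value of option $1 in file $2, or default $3.
unbound_opt() {
    val=$(sed -e 's/#.*//' "$2" | awk -v opt="$1:" '
        $1 == opt { v = $2 }
        END { print v }')
    printf '%s\n' "${val:-$3}"
}

# Summarise logging settings; return 1 if per-client query or reply
# logging is enabled (every lookup made by every LAN client gets recorded).
unbound_log_audit() {
    conf=$1
    rc=0
    echo "verbosity=$(unbound_opt verbosity "$conf" 1)"
    for opt in log-queries log-replies log-local-actions; do
        v=$(unbound_opt "$opt" "$conf" no)
        echo "$opt=$v"
        case "$opt:$v" in
            log-queries:yes|log-replies:yes) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample config (not taken from the thread).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server:
    verbosity: 1
    # log-queries: yes
    log-queries: no
    log-replies: yes      # constructed: reply logging switched on
EOF

unbound_log_audit "$SAMPLE_CONF" || echo "per-client DNS logging is ON"
```

On the router, the file to pass would be the `/opt/var/lib/unbound/unbound.conf` path shown in the menu.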
 
ok, but the question or concern is "do you need that amount of logging for your network?"
remember: just because you CAN doesn't mean you SHOULD
Yeah the info wasn’t of much utility.
 
