
[Release] unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Discussion in 'Asuswrt-Merlin' started by Martineau, Feb 7, 2020.

  1. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,866
    Location:
    UK
    This thread is for the discussion topic : unbound_manager script.

    As per the GitHub Hints/Tips: Differences between the operational modes


    'Easy' mode - you only have two Install options:

    1. Install unbound (NO options)
    or
    2. Install unbound (ALL options v2.07 only o1 and o4)
    'Advanced' mode - you can fully customise the choice of options implemented.


    'Advanced' mode

    [screenshot: 'Advanced' mode menu]

    'Easy' mode (This is the default when invoked from amtm)

    [screenshot: 'Easy' mode menu]

    INSTALLATION NOTE: If you wish to manually install unbound (or understand the necessary steps) see the instructions here

    Pre-reqs:

    • Asus Router running the RMerlin firmware (see AsusWRT-Merlin)
    • Entware must be installed (Many popular 3rd Party scripts now require Entware e.g. amtm)
    Recommended unbound compatible Router Settings pre-reqs:

    [✔] Swapfile=262140 kB (min 256 MB)
    [✔] DNS Filter=ON
    [✔] DNS Filter=ROUTER
    [✔] WAN: Use local caching DNS server as system resolver=NO
    [✔] Enable local NTP server=YES
    [✔] Enable DNS Rebind protection=NO
    [✔] Enable DNSSEC support=NO

    If the router settings do not match the above, a hyperlink will be shown to assist

    e.g.
    [] ***ERROR WAN: Use local caching DNS server as system resolver=YES
    see http://192.168.1.1/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks

    Manual installation of unbound - like most tasks - is easy once you know how, but for non-techies, why spend time frustratingly typing in cryptic directives/commands into the router when you could simply let someone else facilitate the task, who will remain accountable when it goes wrong! ;)

    The goal of unbound_manager is to seamlessly integrate unbound with the inherent dnsmasq but to ensure that unbound_manager can always be used to instantly remove unbound in seconds, i.e. a REBOOT (whilst recommended) isn't mandatory during the installation, nor for an uninstall.

    Furthermore, the script provides useful features via simple menu options that do not intimidate non-techies, but allow them to investigate (and, for the adventurous) tweak the unbound configuration without any drama.

    If you are running amtm >v3.1.2

    [screenshot: amtm menu]

    then use item '7', otherwise see the one-line command unbound_manager Manual Installation

    The unbound_manager.sh script is hosted on GitHub, and you can follow the development history here.
     
    Last edited: Mar 14, 2020
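As an added example (not unbound_manager's own code), the "Recommended unbound compatible Router Settings pre-reqs" check above can be reproduced in shell against an `nvram show` style dump, so it runs off the router. The nvram variable names and their expected values are my assumptions for Asuswrt-Merlin, the two dumps are constructed, and only the hint URL for the WAN setting is taken from the post; on a router, feed `nvram show` into `check_prereqs` and the third column of `/proc/swaps` into `check_swap`.

```shell
#!/bin/sh
# Added example, not part of unbound_manager: reproduce the pre-req check the
# script runs before installing unbound, against constructed "nvram show" dumps.
# The nvram variable names and expected values are assumptions, not from the page.

MIN_SWAP_KB=262140   # "Swapfile=262140 kB (min 256 MB)" in the pre-reqs

# var|expected value|pre-req as listed|hint shown on mismatch (URL from the post)
PREREQS='dnsfilter_enable_x|1|DNS Filter=ON|
dnsfilter_mode|11|DNS Filter=ROUTER|
dns_local_cache|0|WAN: Use local caching DNS server as system resolver=NO|http://192.168.1.1/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
ntpd_enable|1|Enable local NTP server=YES|
dns_norebind|0|Enable DNS Rebind protection=NO|
dnssec_enable|0|Enable DNSSEC support=NO|'

# Constructed dumps: "nvram show" prints one key=value per line.
SAMPLE_OK='dnsfilter_enable_x=1
dnsfilter_mode=11
dns_local_cache=0
ntpd_enable=1
dns_norebind=0
dnssec_enable=0'

# Same router with DNS Filter off, local caching resolver on, rebind protection on.
SAMPLE_BAD='dnsfilter_enable_x=0
dnsfilter_mode=11
dns_local_cache=1
ntpd_enable=1
dns_norebind=1
dnssec_enable=0'

# nv_get "<dump>" <key>  -> value, empty if the key is absent
# (on the router this is simply: nvram get <key>)
nv_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_prereqs "<dump>"  -> prints one [✔] / [] ***ERROR line per setting and
# returns the number of settings that do not match (0 = ready to install)
check_prereqs() {
    dump=$1
    errors=0
    while IFS='|' read -r var want label hint; do
        [ -z "$var" ] && continue
        got=$(nv_get "$dump" "$var")
        if [ "$got" = "$want" ]; then
            printf '[✔] %s\n' "$label"
        else
            printf '[] ***ERROR %s (nvram %s=%s, expected %s)\n' \
                "$label" "$var" "${got:-unset}" "$want"
            [ -n "$hint" ] && printf '    see %s\n' "$hint"
            errors=$((errors + 1))
        fi
    done <<EOF
$PREREQS
EOF
    return "$errors"
}

# check_swap <swap_kB>  (on the router: awk 'NR==2 {print $3}' /proc/swaps)
check_swap() {
    kb=${1:-0}
    if [ "$kb" -ge "$MIN_SWAP_KB" ]; then
        printf '[✔] Swapfile=%s kB\n' "$kb"
        return 0
    fi
    printf '[] ***ERROR Swapfile=%s kB (min %s kB)\n' "$kb" "$MIN_SWAP_KB"
    return 1
}

# Demo run against the two constructed dumps
printf '%s\n' '--- constructed router with the recommended settings ---'
check_prereqs "$SAMPLE_OK"
check_swap 262140
printf '\n%s\n' '--- constructed router with the firmware defaults ---'
check_prereqs "$SAMPLE_BAD" || echo "$? setting(s) must be changed before installing unbound"
check_swap 0 || :
```

The return value is the mismatch count, so a wrapper can refuse to continue the install while it is non-zero, which is the behaviour the post describes for the hyperlink hint.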
  2. Martineau

    Reserved

    As of 3rd Feb. 2020 @Jack Yaz is generously hosting the auxiliary files on his GitHub.
     
    Last edited: Feb 7, 2020
  3. Martineau

    Known Issues

    Issue: Sev4 v2.06 Typo reported :oops: Thanks to @L&LD
    Fixed: 7th Feb. 2020 Simply rerun v2.06 'i = Update unbound configuration' to retrieve 'unbound.conf' v1.03 Hotfix
     
    Last edited: Feb 7, 2020
  4. Martineau

    Q&A

    Q. Do I need (Official Website) unbound?
    A. Well... it depends. However, using this script you should be able to perform a truly transparent, risk-free trial to decide for yourself, i.e. usually no need for a REBOOT.

    Q. dnsmasq (Trusted/mature/familiar and feature-rich) is included by default in the RMerlin firmware, is there a comparison list of features that dnsmasq has that aren't (yet) available in unbound?
    A. Not that I know of (unless proven wrong! ;)), but diversion/x3mRouting rely heavily on dnsmasq for certain features.

    Q. Can I run unbound+dnsmasq+diversion together?
    A. Yes. However, unbound+Ad Block+diversion is NOT recommended, simply because Ad Block and diversion essentially perform the same function so a duplication of effort is wasteful. Also, the domains must be stored in memory, so if you have both Ad Block and diversion installed (issue the 'ad' command to see how many entries are in use) one set may simply not be referenced but still occupies memory.

    Q. Can I run unbound with IPv6?
    A. Yes, but with caveats. I have no way of testing IPv6; some use it successfully while others have hit snags, but I believe the script does work for basic/simple IPv6 environments.

    Q. Do I need Stubby Integration?
    A. Well...Stubby encrypts your DNS traffic to an upstream DNS service. Normally you are forced to trust the upstream DNS provider/your ISP. unbound communicates directly with the authoritative name servers, thereby eliminating snooping by any upstream "middle-men" such as Google, Cloudflare, Quad9 etc.
    So, if you want to remain as your own trusted recursive DNS resolver then the answer is No.

    Q. Can unbound run with DNSSEC ENABLED?
    A. Yes. The script configures unbound to perform DNSSEC validation (see howto) hence the recommendation in the Router Settings pre-reqs to DISABLE it in the router.

    Q. Do I need to opt for the 'Customise the CPU/Memory' option?
    A. Yes. i.e. the kernel tweaks don't cause any noticeable negative effect, and HND router owners will also have the TCP Fast Open tweak applied. (see script '/jffs/addons/unbound/stuning')

    Q. Why are DSA and GOST NOT validated, when I click on the hyperlink 'Click https://rootcanary.org/test.html to view Web DNSSEC Test' displayed by the '? = About Configuration' command?
    A. Deprecated i.e. unbound explicitly disables support e.g. unbound -V shows compile options '--disable-dsa' and '--disable-gost'

    Q. Does unbound support DoT?
    A.
    @dave14305 replied: "unbound does not use any encrypted traffic as a 'recursive resolver'. It can't make 'recursive queries' using encryption. You can reconfigure unbound to become a forwarder (like dnsmasq and Stubby) and use DoT, but what's the value of unbound then as just another forwarder, when dnsmasq+Stubby already do that well enough?"

    NOTE: For completeness/freedom of choice, v2.12 now does allow unbound DoT to be configured using both Cloudflare & Quad9 IPv4/IPv6 servers.
     
    Last edited: Feb 24, 2020
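The Q&A above contrasts two roles for unbound: a validating recursive resolver that talks to the authoritative servers itself (DNSSEC validated in unbound, so the router's own DNSSEC and rebind settings stay OFF per the pre-reqs), and the v2.12 option of a DoT forwarder to Cloudflare/Quad9. As an added example (not unbound_manager's generated unbound.conf), the shell function below emits a minimal configuration for either role. Everything not stated in the thread is an assumption: the chroot/directory path, the loopback port 53535 that dnsmasq is assumed to forward to, the Entware CA bundle path, the upstream addresses, and the private-address list used in place of the router's rebind protection.

```shell
#!/bin/sh
# Added example, not unbound_manager's own code: print a minimal unbound.conf for
# either a validating recursive resolver or a DoT forwarder (Cloudflare/Quad9).
# Paths, port, CA bundle and upstream IPs below are assumptions, not from the page.

UNBOUND_DIR=/opt/var/lib/unbound                     # assumed Entware path (chroot + directory)
CA_BUNDLE=/opt/etc/ssl/certs/ca-certificates.crt     # assumed Entware CA bundle for DoT
DOT_UPSTREAMS='1.1.1.1@853#cloudflare-dns.com
1.0.0.1@853#cloudflare-dns.com
9.9.9.9@853#dns.quad9.net
149.112.112.112@853#dns.quad9.net'                    # ip@port#tls-auth-name

# unbound_conf recursive|dot  -> prints the configuration on stdout
unbound_conf() {
    mode=${1:-recursive}
    case "$mode" in
        recursive|dot) ;;
        *) echo "usage: unbound_conf recursive|dot" >&2; return 2 ;;
    esac
    cat <<EOF
server:
    # Bind the sockets as root, then drop privileges and self-jail.
    username: "nobody"
    directory: "$UNBOUND_DIR"
    chroot: "$UNBOUND_DIR"
    # Only dnsmasq talks to unbound, on loopback (dnsmasq: server=127.0.0.1#53535)
    interface: 127.0.0.1@53535
    access-control: 127.0.0.0/8 allow
    # DNSSEC validation happens here, which is why the pre-reqs keep the router's
    # own "Enable DNSSEC support" OFF. root.key is created by unbound-anchor.
    auto-trust-anchor-file: "root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    use-caps-for-id: yes
    # The router's rebind protection is OFF per the pre-reqs, so refuse upstream
    # answers that point into private address space here instead.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # private-domain: "home.example"   # uncomment for a zone of your own that legitimately returns private IPs
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
EOF
    if [ "$mode" = dot ]; then
        cat <<EOF
    # Forwarder role: every query leaves over TLS to the upstreams below, so the
    # upstream operator (not the authoritative servers) sees the full query stream.
    tls-cert-bundle: "$CA_BUNDLE"
forward-zone:
    name: "."
    forward-tls-upstream: yes
EOF
        printf '%s\n' "$DOT_UPSTREAMS" | while read -r up; do
            printf '    forward-addr: %s\n' "$up"
        done
    fi
    return 0
}

# write_conf recursive|dot <path>  -> writes the file and validates it with
# unbound-checkconf when that is installed (Entware puts it in /opt/sbin)
write_conf() {
    unbound_conf "$1" > "$2" || return $?
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$2"
    else
        echo "unbound-checkconf not found, wrote $2 unvalidated" >&2
    fi
}

# Demo: print the recursive-resolver configuration
unbound_conf recursive
```

In recursive mode there is no forward-zone at all, which is the property that makes unbound "your own trusted recursive DNS resolver" in the Stubby answer; adding the forward-zone turns it into the forwarder dave14305 describes, with the trade-off that the TLS upstream now sees every query.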
  5. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,836
    Location:
    Riderville, SK
  6. Kingp1n

    Kingp1n Senior Member

    Joined:
    Feb 27, 2018
    Messages:
    445
    I think I know the answer but IPV6 can be enabled with the current unbound script correct?
     
  7. Martineau

    see Q&A :D
     
    Last edited: Feb 7, 2020
  8. heysoundude

    heysoundude Very Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    721
    I tried clicking on this as if it were a link, to no avail; I take it that means it’s awfully new and un-installed as yet, since there are no issues listed.
    It’ll be interesting to see who makes the switch and why, and how it works out for them...

    Is this getting added to amtm?


     
  9. Martineau

    Hyperlinks appear underlined in blue? in posts, and if you hover over them with a mouse, then the target URL appears usually in the bottom left corner of your browser.

    So no, currently v2.06 and no-one has reported any script issues such as crashes/syntax errors/illogical/unexpected mangling of 'unbound.conf' or typos (even in comments! - and Yes this has happened to me in the past by pedantic w*nk*rs :mad:)

    ….or any new feature requests.
    Don't know... gave my consent a while back, was forced to rewrite (hence v2.xx) to comply - I'm not holding my breath.
     
    Last edited: Feb 7, 2020
  10. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    11,435
    My spidey-senses tell me amtm and Diversion are due for a major overhaul (at least under the hood) before RMerlin 384.15 final is released. I am also very hopeful that unbound_manager will be included when RMerlin 384.15_0 release lands. :)

    Sorry, I'm going to be one of those 'pedantic w*nk*rs' to you. (That means winkers, correct? ;) ). lol... :D

    Code:
    # Self jail Unbound with user "unbound" to /var/lib/unbound
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"
    Should the comment be 'with user "nobody" to /var/lib/unbound'? Or, am I reading the script wrong (again!)? :)
     
  11. Martineau

    :oops: ….and we have a winner! - just knew someone couldn't resist! :p
     
  12. L&LD

    v.207 unbound_manager is now downloading... :D
     
  13. Martineau

  14. Treadler

    Treadler Very Senior Member

    Joined:
    Nov 9, 2017
    Messages:
    625
    Location:
    South Australia
    If your network has ipv6 enabled, Unbound knows what to do.:)
     
  15. skeal

    Can someone explain the memory and cpu advanced menu options? Or is this something to stay away from for the average SOHO user?
     
  16. L&LD

    @skeal, I can't explain it well, but with a 4 core CPU (RT-AX88U), I thought I would see if the defaults were too conservative. :)

    Code:
    # number of threads and number of memory slabs per cache
    # (slabs: a power of 2 close to num-threads, to reduce lock contention)
    num-threads: 4                  # v1.01 as per @L&LD (default 1)
    msg-cache-slabs: 8              # v1.01 as per @L&LD (default 2)
    rrset-cache-slabs: 8            # v1.01 as per @L&LD (default 2)
    infra-cache-slabs: 8            # v1.01 as per @L&LD (default 2)
    key-cache-slabs: 8              # v1.01 as per @L&LD (default 2)
    
    # tiny memory cache
    key-cache-size: 16m             # v1.01 as per @L&LD (default 8m)
    msg-cache-size: 16m             # v1.01 as per @L&LD (default 8m)
    rrset-cache-size: 32m           # v1.01 as per @L&LD (default 16m)
    cache-max-ttl: 21600            # cap cached TTLs at 6 hours
    cache-min-ttl: 5                # treat any TTL below 5 seconds as 5 seconds
    prefetch: yes                   # refresh popular entries before they expire
    prefetch-key: yes               # likewise fetch DNSKEYs needed for validation early
    serve-expired: yes              # answer from stale cache while re-querying ...
    serve-expired-ttl: 3600         # ... for at most 1 hour past expiry
    incoming-num-tcp: 600           # TCP buffers per thread for client connections
    outgoing-num-tcp: 100           # TCP buffers per thread for upstream connections
    ip-ratelimit: 100               # queries per second allowed per client IP
    edns-buffer-size: 1472          # v1.01 as per @dave14305 minimal config (avoids UDP fragmentation)
    
    This is what my router has been running for at least 4 hours now with no issues so far.

    After I made the changes from the defaults above, I issued an 'rs' command and could immediately see an increase in responsiveness from surfing to running amtm and the 'u' and 'uu' commands to accessing my NAS too.

    I can't guess what the other settings in tiny memory cache do, so I don't think I will be fooling around with those (yet!).

    Seeing as you have the same AX model as me, maybe you'd like to try these settings (edit carefully!) and see if you see the same improvements too.

    Interestingly, the 's' command in unbound_manager now only shows 37% (with light network usage), but it feels faster than when it was in the 90% range with the previous settings. :)
     
  17. JemTheWire

    JemTheWire Senior Member

    Joined:
    Jan 12, 2016
    Messages:
    261
    Location:
    UK, Manchester
    Strange, I have v2.06 installed and it says that I have the latest version.

    'unbound_manager.sh is already the latest version. db710abb7e6c7776d959fcf2edce164b'
     
  18. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    480
    Looks like a busy weekend ahead testing out this new script. I was trying out unbound a couple of months ago and had to uninstall it again because it wasn't working right. How is it now?
     
  19. L&LD

    @JemTheWire, I can't tell if you're just being funny? :)

    I only posted that in jest because of the insignificant 'error' I found in the comments. :)
     
  20. L&LD

    @Mutzli, depending on what you have running on your router currently, it works great. :)
     