[Release] unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Torson

Regular Contributor
Further to my earlier questions on the DNS firewall and VPN routing - see below - the DNS Firewall is now no longer working

Unbound works fine without it but if enable the Firewall then I get

Code:
[1596135750] unbound-checkconf[5209:0] error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1154 cannot insert RR of type CNAME
[1596135750] unbound-checkconf[5209:0] error: error parsing zonefile /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.
[1596135750] unbound-checkconf[5209:0] fatal error: Could not setup authority zones

***ERROR INVALID unbound configuration
I have tried hard and soft reboots (just in case), as well as option i = Update and unbound and configuration, without success - any suggestions on what I can try next?


Earlier Post
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.

With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?

In respect of sending requests via a VPN client, in the Q&A it says


Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.

I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?
Indeed, looks like the firewall got cold feet - same error messages here. Just run
Code:
firewall disable
from the advanced menu and unbound will resume business as usual.
...and yes, the DNS shows as your local provider's IP, that's right. It means it works.
 

immi803

Regular Contributor
Further to my earlier questions on the DNS firewall and VPN routing - see below - the DNS Firewall is now no longer working

Unbound works fine without it but if enable the Firewall then I get

Code:
[1596135750] unbound-checkconf[5209:0] error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1154 cannot insert RR of type CNAME
[1596135750] unbound-checkconf[5209:0] error: error parsing zonefile /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.
[1596135750] unbound-checkconf[5209:0] fatal error: Could not setup authority zones

***ERROR INVALID unbound configuration
I have tried hard and soft reboots (just in case), as well as option i = Update and unbound and configuration, without success - any suggestions on what I can try next?


Earlier Post
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.

With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?

In respect of sending requests via a VPN client, in the Q&A it says


Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.

I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?
Same problem, nothing is working as it should like adblock etc, tried "unbound -dv" and here's the outcome
Code:
v  = View ('/opt/var/lib/unbound/'unbound.conf)

e  = Exit Script [?]

E:Option ==> 7

Do you want to enable DNS Firewall?

        Reply 'y' or press [Enter]  to skip
y
        unbound_rpz.sh downloaded successfully
Custom '/opt/share/unbound/configs/rpzsites' already exists - 'rpzsites' download skipped

Created startup hook in services-start.
Created cron job.
Creating new unbound.conf.firewall file.
(unbound_rpz.sh): 5185 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.

#=#=#                                                                        ##O#-#                                                                                                                                                  0.################                                                          23.#############################################                             63.######################################################################## 100.0%
Adding zone rpz.urlhaus.abuse.ch to unbound.conf.firewall.
Installed.
Adding 'include: "/opt/share/unbound/configs/unbound.conf.firewall" to '/opt/var/lib/unbound/unbound.conf'

        unbound DNS Firewall ENABLED

[1596155942] unbound-checkconf[5272:0] error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1137 cannot insert RR of type CNAME
[1596155942] unbound-checkconf[5272:0] error: error parsing zonefile /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.
[1596155942] unbound-checkconf[5272:0] fatal error: Could not setup authority zones

***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

        Router Configuration recommended pre-reqs status:

        [✔] Swapfile=2097148 kB
        [✔] DNS Filter=ON
        [✔] DNS Filter=ROUTER
        [✔] WAN: Use local caching DNS server as system resolver=NO
        [✔] Entware NTP server is running
        [✔] Enable DNS Rebind protection=NO
        [✔] Enable DNSSEC support=NO

        Options:

        [✔] Ad and Tracker Blocking (No. of Adblock domains=58208,Blocked Hosts=0,Allowlist=19)
        [✔] unbound CPU/Memory Performance tweaks
        [✔] unbound-control FAST response ENABLED
        [✔] DNS Firewall ENABLED


              _
   ____ ____ | |_  ____                                                        / _  |    \|  _)|    \
 ( ( | | | | | |__| | | |                                                      \_||_|_|_|_|\___)_|_|_|
   Goodbye

[email protected]:/tmp/home/root# unbound -dv                            [1596155973] unbound[6342:0] notice: Start of unbound 1.10.1.
Jul 31 00:39:34 unbound[6342:0] error: can't bind socket: Address already in use for 127.0.0.1 port 53535                                                 Jul 31 00:39:34 unbound[6342:0] fatal error: could not open ports
[email protected]:/tmp/home/root#
 

tomsk

Very Senior Member
The format of the rpz file downloaded has changed... thats what's using the causing the config check to fail when the firewall is enabled.... every entry is interpreted as having a resource record of CNAME .. maybe @juched can take a look at this?

Code:
error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1137 cannot insert RR of type CNAME
Code:
$TTL 30
@ SOA rpz.urlhaus.abuse.ch. hostmaster.urlhaus.abuse.ch. 2007310909 300 1800 604800 30
 NS localhost.
;
; abuse.ch URLhaus Response Policy Zones (RPZ)
; Last updated: 2020-07-31 09:09:04 (UTC)
;
; Terms Of Use: https://urlhaus.abuse.ch/api/
; For questions please contact urlhaus [at] abuse.ch
;
testentry.rpz.urlhaus.abuse.ch CNAME . ; Test entry for testing URLhaus RPZ
01.shgrasp.vip CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/01.shgrasp.vip/
0eed1ejih.com CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/0eed1ejih.com/
14cam.com CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/14cam.com/
1home.az CNAME . ; Malware download (2020-06-11), see https://urlhaus.abuse.ch/host/1home.az/
1iif89rvl.com CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/1iif89rvl.com/
2000kumdo.com CNAME . ; Malware download (2019-04-14), see https://urlhaus.abuse.ch/host/2000kumdo.com/
21robo.com CNAME . ; Malware download (2019-02-20), see https://urlhaus.abuse.ch/host/21robo.com/
224fgbet.com CNAME . ; Malware download (2020-07-20), see https://urlhaus.abuse.ch/host/224fgbet.com/
 

juched

Senior Member
I have narrowed it down to this entry:
Code:
sipesv.org. CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/sipesv.org./

Seems it doesn't like the fully qualified "." domain ending.
 

Milan

Regular Contributor
I have narrowed it down to this entry:
Code:
sipesv.org. CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/sipesv.org./

Seems it doesn't like the fully qualified "." domain ending.
thx for identifying, dot removed and now error message is gone.
 

Torson

Regular Contributor
Could someone explain to me why cache.txt does not get restored at all after reboot, unbound restart etc. Here is an example:

Code:
15:17:49 Checking 'unbound.conf' for valid Syntax.....
15:17:50 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=3223/958 rrset.cache=8798/5351
15:17:50 Requesting unbound (S61unbound) restart.....
 Shutting down unbound...              done.
 Starting unbound...              done.
15:17:51 Checking status, please wait.....
15:17:54 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-07-31 15:17:50) msg.cache=0/958 rrset.cache=0/5351
15:17:54 unbound OK
 

Milan

Regular Contributor
I pushed an update to remove any offending lines like that. Just need to uninstall and re-install DNS Firewall to get the new fix.

Note: this file downloads every 15 minutes, so if you manually remove it will come back :)
seems working properly, thx
 

dave14305

Part of the Furniture
Could someone explain to me why cache.txt does not get restored at all after reboot, unbound restart etc. Here is an example:

Code:
15:17:49 Checking 'unbound.conf' for valid Syntax.....
15:17:50 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=3223/958 rrset.cache=8798/5351
15:17:50 Requesting unbound (S61unbound) restart.....
Shutting down unbound...              done.
Starting unbound...              done.
15:17:51 Checking status, please wait.....
15:17:54 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-07-31 15:17:50) msg.cache=0/958 rrset.cache=0/5351
15:17:54 unbound OK
I think the first number is the cache size before the reload (0), and the second number is the size of what was to be reloaded from the file. So it’s good.
 

Martineau

Part of the Furniture
Could someone explain to me why cache.txt does not get restored at all after reboot, unbound restart etc. Here is an example:

Code:
15:17:49 Checking 'unbound.conf' for valid Syntax.....
15:17:50 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=3223/958 rrset.cache=8798/5351
15:17:50 Requesting unbound (S61unbound) restart.....
Shutting down unbound...              done.
Starting unbound...              done.
15:17:51 Checking status, please wait.....
15:17:54 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-07-31 15:17:50) msg.cache=0/958 rrset.cache=0/5351
15:17:54 unbound OK
The metrics show 'No. of cache hits'/'cached DNS entries'.

e.g. The saved cache.txt metric msg.cache=3223/958 means there are currently 958 cached entries with 3223 hits.

The restored msg.cache=0/958 means 958 valid cache entries are now restored with zero cache hits.

NOTE: Sometimes I have observed the number of restored cache entries can be 20% less than the reported saved entries - presumably the deleted/missing cache entries are deemed stale/expired entries by the unbound-control restore process.
 

immi803

Regular Contributor
@Martineau
I certainly need help , i always used to get my ip in dns leak test, but suddenly i get following result, getting Google servers 6/7 at times (servers from Zurich), see screenshot

I don't know what's going on with my dns as prior unbound always worked perfectly in past as well as ad blocker , now ad blocker is not working as well
Screenshot_20200801-230122__01.jpg
 

QuikSilver

Very Senior Member
@Martineau
I certainly need help , i always used to get my ip in dns leak test, but suddenly i get following result, getting Google servers 6/7 at times (servers from Zurich), see screenshot

I don't know what's going on with my dns as prior unbound always worked perfectly in past as well as ad blocker , now ad blocker is not working as well
View attachment 25054
Unbound not running possibly? Need some more info....Show us some of the settings.....
 

raion969

Regular Contributor
is it good for performance to enable in unbound dns filter ? also if i enable youtube adblock does it interfere with diversion ?
 

pigcanswim

Occasional Visitor
I may need some help as well. This may sound stupid but I'm trying to use VPN+Unbound for DNS such that my DNS resolving will go through my VPN whereas my normal browsing will still be my actual WAN.

I get the feeling that it's impossible but would like to check if anyone had any luck getting it worked out as I'm now browsing with my VPN IP on whatsmyip.

Reason being I do not want to browse the net through my VPN as I'm not sure about my VPN network stability and IP bans from certain countries for my VPN IPs and I'm very sure that my ISP can surf pretty much everywhere.

I went to OVPN GUI on the router Force Internet traffic through tunnel = no and I did a dnsleak and whatsmyip and both show my VPN.

If I set to policy and have my computer set to WAN then both my DNS and whatsmyip will show my WAN.


Edit:
Also, when I try to bind to VPN it still shows as bind to WAN with my WAN IP. (I'm currently double NAT if that matters)

But all tests shows my VPN

Any help is truly appreciated.
 
Last edited:

archiel

Regular Contributor
I may need some help as well. This may sound stupid but I'm trying to use VPN+Unbound for DNS such that my DNS resolving will go through my VPN whereas my normal browsing will still be my actual WAN.

I get the feeling that it's impossible but would like to check if anyone had any luck getting it worked out as I'm now browsing with my VPN IP on whatsmyip.

Reason being I do not want to browse the net through my VPN as I'm not sure about my VPN network stability and IP bans from certain countries for my VPN IPs and I'm very sure that my ISP can surf pretty much everywhere.

I went to OVPN GUI on the router Force Internet traffic through tunnel = no and I did a dnsleak and whatsmyip and both show my VPN.

If I set to policy and have my computer set to WAN then both my DNS and whatsmyip will show my WAN.


Edit:
Also, when I try to bind to VPN it still shows as bind to WAN with my WAN IP. (I'm currently double NAT if that matters)

But all tests shows my VPN

Any help is truly appreciated.
I am also very new to this and quite confused on this setting. I just use my VPN for one device
VPN client 5
Accept DNS Configuration : Exclusive
Policy Rules: Strict

If check the connection (browserleaks, etc) I only see the VPN DNS server as expected.

Other than this all clients connect through the WAN interface, DNSFilter is set to Router and DNS lookup is router through the VPN
unbound_manager advanced, option 3 (advanced tools), vpn 5

I have also installed x3mrouting with option 3 and then
Code:
vpnclientn-route-pre-down (0755)
    #!/bin/sh
    /jffs/addons/unbound/unbound_manager.sh vpn=disable
vpnclientn-up (0755)
    #!/bin/sh
    /jffs/addons/unbound/unbound_manager.sh vpn=n delay=9 &
Where n is the number of the vpnclient

With unbound not bound to the vpn then if I use Browserleaks from any other device

I see my home IPs (ipv4 and ipv6) as DNS servers and both are shown as resolving addresses

With unbound bound to the vpn then only the IPv4 address is shown as a DNS server / resolver, though this still can resolve ipv6 addresses - this is what I would expect as both the OpenVPN server and clients on merlin currently only support ipv4.

What I do not understand is that the DNS server address shown is still my local WAN IP, but the notes on item 4 state
'However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.'
For clarity the VPN assigned IP is NOT shown in the DNS Leak test, only the WAN IP
 

pigcanswim

Occasional Visitor
I am also very new to this and quite confused on this setting. I just use my VPN for one device
VPN client 5
Accept DNS Configuration : Exclusive
Policy Rules: Strict
Actually after some testing, I managed to get it working. its very unstable. Sometimes it seems to work, others it doesn't. Now I'm not even sure if I'm doing it right. lol

Try changing your unbound.conf - outgoing-interface to your VPN IP. Get back to Unbound advanced settings, restart the service and check the config with "?" and see if its binding to your VPN. I had mine bind correctly.
It should say [✔] unbound requests via VPN Client (10.8.0.4) tunnel ENABLED
not [✔] unbound requests force BIND via WAN (192.168.1.114) 'eth0' ENABLED


Next in router GUI - VPN Client - I set Force Internet traffic through tunnel = no , Accept DNS Configuration = no

I now have leaktest showing my VPN and whatsmyip showing my WAN.


@Martineau Problems with unbound I've faced during the test, the VPN bind does not work correctly, it will always force bind to WAN the only way is to change the config directly and input the VPN IP. Even if I input the correct IP from my VPN, it does not update automatically once the VPN IP changes. Not sure if it's meant to be this way.
 
Last edited:

immi803

Regular Contributor
It sounds more like the Android device is set to use Private DNS (DoT), bypassing the router completely.
I rechecked my Android device & no such settings detected to use private dns
:(

Edit : found discrepancy on my device side, huge thanks @dave14305 for pointing to right direction, rocks :D
 
Last edited:

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top