Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Jack Yaz]

Additional question about the pre-reqs - how does Unbound handle DNS re-binding? For example, how do I ensure Plex resolution is OK, but block any other DNS rebind attempts?

EDIT: Answering my own question, the below in unbound.conf does rebind protection:

# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16

To allow a rebind, I appear to need to use:

private-domain: plex.direct

 

[dave14305]

Thanks this was a little confusing, I ended up just not touching anything from the DOT setup prior to Unbound.

View attachment 21265

You should leave a real DNS server in WAN DNS. Unbound_manager will take care of pointing dns to unbound behind the scenes. I’m afraid your router won’t boot properly with your current WAN DNS settings.

 

[Kingp1n]

@Martineau, 1st page is missing a donation link haha.

Is it normal that after updating the firmware or rebooting the router you have to reconfigure the unbound installation to get it working again?
As reported above, after rebooting the router my clients had no internet access. Running i = Update unbound Installation fixed the problem.

After a reboot, it seemed I had to restart unbound again by using 'rs'. I'll try to do test again later to see if it was small hiccup.

 

[dmillerzx]

You should leave a real DNS server in WAN DNS. Unbound_manager will take care of pointing dns to unbound behind the scenes. I’m afraid your router won’t boot properly with your current WAN DNS settings.

Thank you that makes sense! I changed the DNS server to Quad9's address.

 

[thelonelycoder]

Is there a servers-file= line in your dnsmasq.conf.add?

address and server, tough the server line is for Firefox (server=/use-application-dns.net/)

 

[bluzfanmr1]

I have gotten myself confused. Do I need to disable DoT in the WAN section and add a DNS Server when using unbound?

 

[dave14305]

I have gotten myself confused. Do I need to disable DoT in the WAN section and add a DNS Server when using unbound?

You should disable DoT only because it won't be used once Unbound is running (save your RAM). The WAN DNS server is for the router itself to resolve names, and for dnsmasq to work properly BEFORE Unbound is up and running, since Entware starts after dnsmasq is already started.

 

[bluzfanmr1]

You should disable DoT only because it won't be used once Unbound is running (save your RAM). The WAN DNS server is for the router itself to resolve names, and for dnsmasq to work properly BEFORE Unbound is up and running, since Entware starts after dnsmasq is already started.

Thank you for the clarification.

 

[SuperDuke]

Is anyone else getting non-validation errors in the non-verbose log? Doesn't appear to be a big deal...just wondering....

Feb 09 11:23:44 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. AAAA IN>: signature crypto failed from 134.91.78.139 and 134.91.78.141
Feb 09 11:23:45 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. A IN>: signature crypto failed from 134.91.78.141

 

[dave14305]

Is anyone else getting non-validation errors in the non-verbose log? Doesn't appear to be a big deal...just wondering....

Feb 09 11:23:44 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. AAAA IN>: signature crypto failed from 134.91.78.139 and 134.91.78.141
Feb 09 11:23:45 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. A IN>: signature crypto failed from 134.91.78.141

Yes, I think it's by design of the DNSSEC test on https://www.verteiltesysteme.net/. It's supposed to fail and it must be sending an invalid crypto signature to test the strength of your DNS resolver.

 

[Martineau]

Is anyone else getting non-validation errors in the non-verbose log?

Technically as you are using 'verbosity: 2' (hence the 'info' prefix), you are in first level verbose mode, which is intended to be used for actively investigating unbound issues.

Given the side effect is that the log file grows at an alarming rate, unbound_manager now defaults to 'verbosity: 1'.

Correction: By design, 'log-servfail: yes' will helpfully inject these specific 'info:' error messages even when '' verbosity: 1' is ACTIVE

As has been stated many times referring to Syslog, there are many esoteric messages issued by tasks that appear alarming unless you are privy to their true intention/meaning.

 

[dave14305]

Technically as you are using 'verbosity: 2' (hence the 'info' prefix), you are in first level verbose mode, which is intended to be used for actively investigating unbound issues.

I also got this message with verbosity 1 when running that DNSSEC check. It's actually the first time I've seen a message besides startup in my log.

Also I should mention that I was sloppy when posting my "minimal config" because it included log-servfail which I had been testing to see what sites were actually going to fail DNSSEC validation, but it's by no means part of a minimal configuration. Bad on me. I still use it, but may not be for everyone if they tend to freak out over log messages.

 

[SuperDuke]

@Martineau and @dave14305

Thank you sirs.....I wasn't particularly concerned as everything is functioning....if anything, it was a check to see if unbound is doing what it's supposed to be and if anyone else had similar entries....thanks as always for the clarity....always a learning opportunity

 

[Martineau]

I also got this message with verbosity 1 when running that DNSSEC check. It's actually the first time I've seen a message besides startup in my log.

Also I should mention that I was sloppy when posting my "minimal config" because it included log-servfail which I had been testing to see what sites were actually going to fail DNSSEC validation, but it's by no means part of a minimal configuration. Bad on me. I still use it, but may not be for everyone if they tend to freak out over log messages.

Don't beat yourself up about it....you're not the first to state 'it works for me', then suddenly backtrack because (as in the classic case of 'verbosity: 1' now silently identified in ALL configs as the recommended conservative choice )

So, IMHO it is a valid justification for continued use in the base config, i.e. it succinctly gives everyone a to-the-point heads-up that there may be an issue that warrants further investigation - without spamming the log with dross 'info' messages.

 

[QuikSilver]

View attachment 21264
Can those of us running ntpmerlin be accounted for, please?

This nvram setting will always be no, so that ntpd from entware does not conflict with the built-in ntpd

I was looking to see if anyone else was having this issue. Having to keep changing it to keep up with the unbound updates was annoying so I removed ntpmerlin temporarily. Would like to add it back though if possible.

 

[SuperDuke]

Don't beat yourself up about it....you're not the first to state 'it works for me', then suddenly backtrack because (as in the classic case of 'verbosity: 1' now silently identified in ALL configs as the recommended conservative choice )

So, IMHO it is a valid justification for continued use in the base config, i.e. it succinctly gives everyone a to-the-point heads-up that there may be an issue that warrants further investigation - without spamming the log with dross 'info' messages.

It works for me.....

 

[Martineau]

Is it normal that after updating the firmware or rebooting the router you have to reconfigure the unbound installation to get it working again?
As reported above, after rebooting the router my clients had no internet access. Running i = Update unbound Installation fixed the problem

There is nothing in Syslog?

If it happens again, before reinstalling using 'i', does 'rs' fix the issue?

Perhaps you should set up logging 'lo', then 'vx' and set 'verbosity: 4'

Then reboot.

This may help track down your issue.

NOTE: I do experience a weird error (documented in the code) but since I never REBOOT between the numerous uninstall/reinstall cycles, when the script encounters the error, if I wait a few seconds, usually the error goes away, or I have to bite the bullet and REBOOT.

P.S. Don't forget to reset 'verbosity: 1'

 

[L&LD]

Thank you that makes sense! I changed the DNS server to Quad9's address.

Did you mean CloudFlare's DNS servers (put in both 1.1.1.1 and 1.0.0.1).

 

[XIII]

Did you mean CloudFlare's DNS servers (put in both 1.1.1.1 and 1.0.0.1).

(S)He might really mean Quad9 (9.9.9.9).

 

[L&LD]

I was looking to see if anyone else was having this issue. Having to keep changing it to keep up with the unbound updates was annoying so I removed ntpmerlin temporarily. Would like to add it back though if possible.

I did too temporarily and missed the information/control/graphs too much!

After noticing that the 'i' option specifically said that the above warnings may be ignored? I just ignore it now!

And @Jack Yaz's ntpMerlin is back, baby!