
[Release] unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Discussion in 'Asuswrt-Merlin' started by Martineau, Feb 7, 2020.

  1. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,940
    Additional question about the pre-reqs - how does Unbound handle DNS re-binding? For example, how do I ensure Plex resolution is OK, but block any other DNS rebind attempts?

    EDIT: Answering my own question, the below in unbound.conf does rebind protection:
    Code:
    # RFC1918 private IP address - Protects against DNS Rebinding
    private-address: 127.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    
    To allow a rebind, I appear to need to use:
    Code:
    # Allow plex.direct (and all of its subdomains) to answer with private addresses
    private-domain: plex.direct
    
     
    Cam, jsbeddow, L&LD and 2 others like this.
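The following is an added example, not code from unbound or unbound_manager. It models what the two directives quoted above do: A/AAAA records inside a `private-address` range are stripped from answers for public names, unless the queried name is at or below a `private-domain` zone. The sample answers, the `plex.direct` label and the `PRIVATE_ADDRESS_V6` list are constructed for the example; note that the posted list is IPv4 only, so a ULA answer would pass through it unchanged.

```python
"""Model of unbound's DNS-rebinding filter: private-address and private-domain.

Added example, not code from unbound or unbound_manager. It mirrors what the
two directives in the post do: A/AAAA records that fall inside a
'private-address' range are stripped from answers for public names, unless the
queried name is at or below a 'private-domain' zone. All answers below are
constructed sample data.
"""
import ipaddress

# The private-address ranges from the unbound.conf snippet in the post (IPv4 only).
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",
    "169.254.0.0/16",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
)]

# The posted list has no IPv6 ranges; this extended list (an assumption of this
# example) adds loopback, link-local and unique-local space so AAAA answers get
# the same treatment.
PRIVATE_ADDRESS_V6 = PRIVATE_ADDRESS + [ipaddress.ip_network(n) for n in (
    "::1/128", "fe80::/10", "fc00::/7")]

# private-domain: names at or below these zones may legitimately return private addresses.
PRIVATE_DOMAIN = ("plex.direct",)


def in_private_domain(name, allowed=PRIVATE_DOMAIN):
    """True if 'name' is one of the allowed zones or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in allowed)


def filter_answer(name, addresses, ranges=PRIVATE_ADDRESS, allowed=PRIVATE_DOMAIN):
    """Split the addresses of an answer into (kept, dropped).

    Addresses inside a private range are dropped unless the name is covered by
    a private-domain entry, in which case the whole answer is kept.
    """
    if in_private_domain(name, allowed):
        return list(addresses), []
    kept, dropped = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # 'ip in net' is False when the address families differ, so an IPv6
        # address is never matched by an IPv4 range (and vice versa).
        if any(ip in net for net in ranges):
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped


if __name__ == "__main__":
    # A public name answering with a LAN address: the classic rebinding pattern.
    print(filter_answer("www.example.com", ["93.184.216.34", "192.168.1.20"]))
    # plex.direct names (constructed label) encode the server's LAN address and must resolve to it.
    print(filter_answer("192-168-1-20.0123abcd.plex.direct", ["192.168.1.20"]))
    # With the posted IPv4-only list a ULA address slips through; the v6 list catches it.
    print(filter_answer("www.example.com", ["fd00::1"]))
    print(filter_answer("www.example.com", ["fd00::1"], ranges=PRIVATE_ADDRESS_V6))
```

The zone match is suffix-based on whole labels, so `notplex.direct` is not covered by `private-domain: plex.direct`; only `plex.direct` itself and names ending in `.plex.direct` are.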
  2. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,399
    Location:
    USA
    You should leave a real DNS server in WAN DNS. Unbound_manager will take care of pointing dns to unbound behind the scenes. I’m afraid your router won’t boot properly with your current WAN DNS settings.
     
    L&LD, a5m and dmillerzx like this.
  3. Kingp1n

    Kingp1n Senior Member

    Joined:
    Feb 27, 2018
    Messages:
    445
    @Martineau, 1st page is missing a donation link haha.
    After a reboot, it seemed I had to restart unbound again by using 'rs'. I'll try to do the test again later to see if it was a small hiccup.
     
  4. dmillerzx

    dmillerzx Occasional Visitor

    Joined:
    Feb 18, 2013
    Messages:
    34
    Thank you that makes sense! I changed the DNS server to Quad9's address.
     
  5. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    6,454
    Location:
    Switzerland
    address and server, though the server line is for Firefox (server=/use-application-dns.net/)
     
  6. bluzfanmr1

    bluzfanmr1 Regular Contributor

    Joined:
    Mar 18, 2018
    Messages:
    104
    Location:
    Santa Fe, NM (Recent) via St Louis, MO (Lifelong)
    I have gotten myself confused. Do I need to disable DoT in the WAN section and add a DNS Server when using unbound?
     
  7. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,399
    Location:
    USA
    You should disable DoT only because it won't be used once Unbound is running (save your RAM). The WAN DNS server is for the router itself to resolve names, and for dnsmasq to work properly BEFORE Unbound is up and running, since Entware starts after dnsmasq is already started.
     
    L&LD, a5m and skeal like this.
  8. bluzfanmr1

    bluzfanmr1 Regular Contributor

    Joined:
    Mar 18, 2018
    Messages:
    104
    Location:
    Santa Fe, NM (Recent) via St Louis, MO (Lifelong)
    Thank you for the clarification.
     
  9. SuperDuke

    SuperDuke Regular Contributor

    Joined:
    Aug 2, 2019
    Messages:
    77
    Location:
    Canada
    Is anyone else getting non-validation errors in the non-verbose log? Doesn't appear to be a big deal...just wondering....

    Feb 09 11:23:44 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. AAAA IN>: signature crypto failed from 134.91.78.139 and 134.91.78.141
    Feb 09 11:23:45 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. A IN>: signature crypto failed from 134.91.78.141
     
  10. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,399
    Location:
    USA
    Yes, I think it's by design of the DNSSEC test on https://www.verteiltesysteme.net/. It's supposed to fail and it must be sending an invalid crypto signature to test the strength of your DNS resolver.
     
    L&LD likes this.
  11. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,866
    Location:
    UK
    Technically as you are using 'verbosity: 2' (hence the 'info' prefix), you are in first level verbose mode, which is intended to be used for actively investigating unbound issues.

    Given the side effect is that the log file grows at an alarming rate, unbound_manager now defaults to 'verbosity: 1'.

    Correction: By design, 'log-servfail: yes' will helpfully inject these specific 'info:' error messages even when 'verbosity: 1' is ACTIVE.

    As has been stated many times referring to Syslog, there are many esoteric messages issued by tasks that appear alarming unless you are privy to their true intention/meaning. ;)
     
    Last edited: Feb 9, 2020
    L&LD, a5m and Clark Griswald like this.
  12. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,399
    Location:
    USA
    I also got this message with verbosity 1 when running that DNSSEC check. It's actually the first time I've seen a message besides startup in my log.

    Also I should mention that I was sloppy when posting my "minimal config" because it included log-servfail which I had been testing to see what sites were actually going to fail DNSSEC validation, but it's by no means part of a minimal configuration. Bad on me. I still use it, but may not be for everyone if they tend to freak out over log messages.
     
    L&LD likes this.
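As an added example (not code from unbound or unbound_manager), here is a small parser for the `validation failure` lines that `log-servfail: yes` emits at `verbosity: 1`, as discussed above. It separates failures from a zone that deliberately serves bad signatures (the verteiltesysteme.net test) from failures for any other name, which are the ones worth a closer look. The first two sample lines are the ones quoted earlier in the thread; the third line, the `EXPECTED_ZONES` list and the classification are constructed for this example and are not features of unbound.

```python
"""Parse unbound 'validation failure' log lines and separate expected test
failures from ones that merit investigation.

Added example; not code from unbound or unbound_manager. The first two sample
lines are the ones quoted in the thread, the third is constructed for a zone
that is not a known DNSSEC test site. 'EXPECTED_ZONES' and the classification
are this example's own, not a feature of unbound.
"""
import re

# Shape of the lines seen in the thread:
#   <ts> unbound[<pid>:<thread>] <level>: validation failure <name type class>: <reason> from <ip> [and <ip>...]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"unbound\[(?P<pid>\d+):(?P<thread>\d+)\] (?P<level>\w+): "
    r"validation failure <(?P<name>\S+) (?P<rtype>\S+) (?P<rclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<servers>.+)$"
)

# Zones that deliberately serve broken signatures to exercise resolvers
# (verteiltesysteme.net is the test mentioned in the thread).
EXPECTED_ZONES = ("verteiltesysteme.net",)

# Constructed sample log: two lines from the thread plus one made-up failure.
SAMPLE_LOG = """\
Feb 09 11:23:44 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. AAAA IN>: signature crypto failed from 134.91.78.139 and 134.91.78.141
Feb 09 11:23:45 unbound[1049:0] info: validation failure <sigfail.verteiltesysteme.net. A IN>: signature crypto failed from 134.91.78.141
Feb 09 11:30:02 unbound[1049:0] info: validation failure <www.example.test. A IN>: signature expired from 192.0.2.53
"""


def parse_validation_failure(line):
    """Return a dict of fields for a validation-failure line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # unbound lists several upstream servers joined by ' and '.
    rec["servers"] = [s.strip() for s in rec["servers"].split(" and ")]
    # Normalise the owner name: drop the trailing dot, lower-case it.
    rec["name"] = rec["name"].rstrip(".").lower()
    return rec


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def classify(lines, expected_zones=EXPECTED_ZONES):
    """Bucket parsed failures into 'expected' (known test zones) and 'unexpected'.

    Lines that are not validation failures are counted under 'ignored'.
    """
    out = {"expected": [], "unexpected": [], "ignored": 0}
    for line in lines:
        rec = parse_validation_failure(line)
        if rec is None:
            out["ignored"] += 1
            continue
        bucket = "expected" if any(_in_zone(rec["name"], z) for z in expected_zones) else "unexpected"
        out[bucket].append(rec)
    return out


if __name__ == "__main__":
    result = classify(SAMPLE_LOG.splitlines())
    for rec in result["unexpected"]:
        print(f'{rec["ts"]} {rec["name"]} {rec["rtype"]}: {rec["reason"]} (from {", ".join(rec["servers"])})')
    print(f'{len(result["expected"])} expected test failures, {len(result["unexpected"])} worth a look')
```

Feeding it the real log (for example with `grep 'validation failure' /opt/var/log/unbound.log` piped into `classify`) gives a quick way to tell the deliberate test failures from anything else before deciding whether `log-servfail` is producing noise or a genuine warning.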
  13. SuperDuke

    SuperDuke Regular Contributor

    Joined:
    Aug 2, 2019
    Messages:
    77
    Location:
    Canada
    @Martineau and @dave14305

    Thank you sirs.....I wasn't particularly concerned as everything is functioning....if anything, it was a check to see if unbound is doing what it's supposed to be and if anyone else had similar entries....thanks as always for the clarity....always a learning opportunity
     
    L&LD likes this.
  14. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,866
    Location:
    UK
    Don't beat yourself up about it....you're not the first to state 'it works for me', then suddenly backtrack because (as in the classic case of 'verbosity: 1' now silently identified in ALL configs as the recommended conservative choice ;) )

    So, IMHO it is a valid justification for continued use in the base config, i.e. it succinctly gives everyone a to-the-point heads-up that there may be an issue that warrants further investigation - without spamming the log with dross 'info' messages.
     
    Last edited: Feb 9, 2020
    L&LD and dave14305 like this.
  15. QuikSilver

    QuikSilver Senior Member

    Joined:
    Jan 30, 2019
    Messages:
    431
    Location:
    BFE
    I was looking to see if anyone else was having this issue. Having to keep changing it to keep up with the unbound updates was annoying so I removed ntpmerlin temporarily. Would like to add it back though if possible.
     
  16. SuperDuke

    SuperDuke Regular Contributor

    Joined:
    Aug 2, 2019
    Messages:
    77
    Location:
    Canada
    It works for me.....
     
  17. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,866
    Location:
    UK
    There is nothing in Syslog?

    If it happens again, before reinstalling using 'i', does 'rs' fix the issue?

    Perhaps you should set up logging 'lo', then 'vx' and set 'verbosity: 4' :eek:

    Then reboot.

    This may help track down your issue.

    NOTE: I do experience a weird error (documented in the code) but since I never REBOOT between the numerous uninstall/reinstall cycles, when the script encounters the error, if I wait a few seconds, usually the error goes away, or I have to bite the bullet and REBOOT.

    P.S. Don't forget to reset 'verbosity: 1' ;)
     
    L&LD and Mutzli like this.
  18. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    11,432
    Did you mean CloudFlare's DNS servers (put in both 1.1.1.1 and 1.0.0.1). :)
     
    dmillerzx likes this.
  19. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    1,081
    (S)He might really mean Quad9 (9.9.9.9).
     
    dmillerzx and L&LD like this.
  20. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    11,432
    I did too temporarily and missed the information/control/graphs too much!

    After noticing that the 'i' option specifically said that the above warnings may be ignored? I just ignore it now!

    And @Jack Yaz's ntpMerlin is back, baby! :)
     
    QuikSilver likes this.