Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Then congratulations - your network is optimally configured!
Thanks?!? May be the placebo effect but will see....I replaced the patriot USB3 thumb drive with a SSD. So far the queries seem to be back to being snappier, and quicker. Sometimes I used to have to reload the page to get it to come up. Went ahead and reinstalled UiDivstats as well. Going on a hunch that less than 20 clients work fine with a faster USB3 drive like the patriot but when doubling that (40+ clients) something like a SSD may be better.
 
Thanks?!? May be the placebo effect but will see....I replaced the patriot USB3 thumb drive with a SSD. So far the queries seem to be back to being snappier, and quicker. Sometimes I used to have to reload the page to get it to come up. Went ahead and reinstalled UiDivstats as well. Going on a hunch that less than 20 clients work fine with a faster USB3 drive like the patriot but when doubling that (40+ clients) something like a SSD may be better.
Please keep us posted on your results
 
Currently trying to return to Skynet + Diversion with pixelserv + Unbound combination.

Here are my notes that I made during an earlier installation and I want to know if they are correct or somehow wrong.

Installed Skynet + Diversion + Unbound via atm.
In Skynet I used the IOT BAN Function.
Excluded these lists -> blocklist_net_ua.ipset|firehol_level3.netset

In Diversion I enabled pixelserv and changed the Blockfile to Medium.

In Unbound I only enabled the yt-adblock and disabled dnsmasq to use Unbound only.

Is this still a good and valid setup?
Or did I mess something up?
Even now I'm not really sure if it's okay to disable dnsmasq in Unbound or just let it do its thing.

And in Unbound dns firewall and adblock disabled seems okay as long as Skynet and Diversion with pixelserv is installed ?

My Goal is to have a secure DNS Unbound Setup without Ads and with firewall protection.
 
Currently trying to return to Skynet + Diversion with pixelserv + Unbound combination.

Here are my notes that I made during an earlier installation and I want to know if they are correct or somehow wrong.

Installed Skynet + Diversion + Unbound via atm.
In Skynet I used the IOT BAN Function.
Excluded these lists -> blocklist_net_ua.ipset|firehol_level3.netset

In Diversion I enabled pixelserv and changed the Blockfile to Medium.

In Unbound I only enabled the yt-adblock and disabled dnsmasq to use Unbound only.

Is this still valid stuff or did I do something wrong in my earlier installation?
Disabling dnsmasq in Unbound Manager makes installing Diversion useless since it does its blocking within dnsmasq.
 
Disabling dnsmasq in Unbound Manager makes installing Diversion useless since it does its blocking within dnsmasq.

So what's more recommended in your opinion ?

Skynet + Diversion (pixelserv) + Unbound (enabled yt-adblock and enabled dnsmasq)

Or

Skynet + Unbound (enabled yt-adblock, enabled adblock and disabled dnsmasq)

?

Thanks for answering !:)
 
Skynet + Diversion (pixelserv + yt-adblock) + Unbound

Diversion does YouTube blocking too.
YT blocking works better for me when enabled in Unbound rather than Diversion - something @Wycleff might want to play with as well.
 
unbound cannot/does not modify any router configuration.

unbound_manager.sh on the other hand does invoke @juched's script to modify '/tmp/menuTree.js' if you have explicitly requested the install/uninstall of the optional 'Graphical Statistics GUI Add-on TAB'

Check the router
Code:
grep -E "url:.*user[1-9]" /tmp/menuTree.js
to see if the expected addons tabs are defined in '/tmp/menuTree.js' - before and after the reboot.

Well, this is after a nuclear reset of the AC86U accomplished in an immaculate @L&LD manner...
Code:
asmin@RT-AC86U-AB10:/tmp/mnt/asus/conf# grep -E "url:.*user[1-9]" /tmp/menuTree.js
{url: "user1.asp", tabName: "Diversion"},
{url: "user3.asp", tabName: "Skynet"},
{url: "user2.asp", tabName: "Unbound"},
Diversion and Skynet which are on the LAN and Firewall main GUI tabs are in place. However, the Unbound tab is there but shows no data after a reboot and the Help & Support tab on the same Addons GUI tab is empty too (actually a 403 on a pink space.)

Running "sgui" in unbound_manager fixes both tabs on the Addons GUI Tab.
The menuTree.js grep looks the same as pasted above before and after a reboot.

I haven't seen this issue before the nuclear reset and I'm using Unbound since @Martineau's variant get-go.
Also, I noticed on the 384.19 change log that there is a change related to the mount point for addon APIs. Could it be related?
 
I installed unbound through the unbound_manager and everything went well. I believe DNSSEC is on by default. How do I now add DoT? I am assuming I need to edit the unbound.conf file. Does anyone have an example so I do not mess anything up? Also, where can I add cloudflare upstream dns to unbound? Thanks!
 
I installed unbound through the unbound_manager and everything went well. I believe DNSSEC is on by default. How do I now add DoT? I am assuming I need to edit the unbound.conf file. Does anyone have an example so I do not mess anything up? Also, where can I add cloudflare upstream dns to unbound? Thanks!

I suggest you read the FAQ, then decide if unbound+DoT is still applicable for your use-case....

However, you can use the Advanced menu 'DoT' command to manage appropriate/sample 'DoT' 'unbound.config' directives

Code:
+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.19 by Martineau                       |
|                                                                      |
+======================================================================+


unbound (pid 19888) is running... uptime: 1 days 04:19:57 version: 1.10.1 # rgnldo Github Version=v1.10 Martineau update (Date Loaded by unbound_manager Sat Sep 5 17:01:44 DST 2020)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')     l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                 v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3  = Advanced Tools                                                 rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                            oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)   s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/)

e  = Exit Script [?]

A:Option ==> 3



unbound (pid 19888) is running... uptime: 1 days 04:20:12 version: 1.10.1 # rgnldo Github Version=v1.10 Martineau update (Date Loaded by unbound_manager Sat Sep 5 17:01:44 DST 2020)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')     l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                 v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x  = Stop unbound                                                   vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration
                                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                            oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size                             s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/)
                                                                    adblock = Install Ad Block [uninstall | update | track]
DisableFirefoxDoH = Disable Firefox DoH [yes | no]                  youtube = Install YouTube Ad Block [uninstall | update]
Stubby = Enable Stubby Integration                                  DoT = Enable DNS-over-TLS
                                                                    firewall = Enable DNS Firewall [disable | ?]
bind = BIND unbound to WAN [debug | disable | debug show]           vpn = BIND unbound to VPN {vpnid [debug]} | [disable | debug show] e.g. vpn 1

scribe = Enable scribe (syslog-ng) unbound logging                  ad = Analyse Diversion White/Block lists ([ file_name [type=adblock] ])
dnsmasq = Disable dnsmasq [disable | interfaces | nointerfaces]     ea = Edit Ad Block Allowlist (eb=Blocklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT)  ca = Cache Size Optimisation [ min | calc ]
                                                                    views = [? | uninstall] | {view_name [? | remove]} | {view_name [[type] domain_name[...] | IP_address[...]] [del]} ]

dig = {domain} [time] Show dig info e.g. dig asciiart.com           lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                        dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links


[Enter] Leave Advanced Tools Menu

e  = Exit Script [?]

A:Option ==>
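
The question above asks what DoT looks like in unbound.conf, and the reply asks whether forwarding applies to the setup at all. As an added example (not code from unbound_manager or from the posters), this shell function reads a config and reports whether unbound recurses on its own or forwards, and for DoT forwarders whether each upstream carries an auth name and a CA bundle is set; the sample configs and the bundle path are constructed.

```shell
#!/bin/sh
# Added example, not part of unbound_manager. Reads an unbound.conf on stdin
# and prints one finding per upstream of the root (".") forward-zone.
# Assumes one directive per line, the usual unbound.conf layout.
audit_upstream() {
    awk '
    function endclause() {             # called at each clause boundary
        if (sect == "forward-zone:" && name == ".") {
            root = 1; rtls = tls; raddrs = addrs
        }
        name = ""; tls = 0; addrs = ""
    }
    # "#" starts a comment only at a token start; inside forward-addr
    # (addr@port#authname) it introduces the TLS auth name, so keep it.
    { sub(/(^|[ \t])#.*/, "") }
    NF == 0 { next }
    NF == 1 && $1 ~ /:$/ { endclause(); sect = $1; next }
    { gsub(/"/, "", $2) }
    sect == "server:" && $1 == "tls-cert-bundle:" && $2 != "" { ca = 1 }
    sect == "forward-zone:" && $1 == "name:" { name = $2 }
    sect == "forward-zone:" && $1 == "forward-tls-upstream:" { tls = ($2 == "yes") }
    sect == "forward-zone:" && $1 == "forward-addr:" { addrs = addrs " " $2 }
    END {
        endclause()
        if (!root) { print "RECURSIVE no forward-zone for the root"; exit }
        n = split(raddrs, a, " ")
        for (i = 1; i <= n; i++) {
            if (!rtls)             print "PLAINTEXT " a[i]
            else if (a[i] !~ /#./) print "DOT-NO-AUTHNAME " a[i]
            else if (!ca)          print "DOT-NO-CA-BUNDLE " a[i]
            else                   print "DOT-OK " a[i]
        }
    }'
}

# Constructed sample: DoT forwarder whose second upstream lacks "#authname".
# The CA bundle path is a placeholder, not a path taken from the thread.
DOT_CONF='server:
    tls-cert-bundle: "/path/to/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853    # no auth name: certificate name is not checked
'
# Constructed sample: plain recursive resolver with no forward-zone at all.
RECURSIVE_CONF='server:
    interface: 127.0.0.1
'
printf "%s" "$DOT_CONF" | audit_upstream
printf "%s" "$RECURSIVE_CONF" | audit_upstream
```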
 
I suggest you read the FAQ, then decide if unbound+DoT is still applicable for your use-case....

Thanks for the reply. I guess I was a bit confused on how unbound updated the cache and was just looking to add additional privacy, but it looks like I do not need to since it shouldn't have any additional hops before resolution.

However, you can use the Advanced menu 'DoT' command to manage appropriate/sample 'DoT' 'unbound.config' directives

It looks like I installed the 'basic' version of unbound-manager and it does not have that option. Is there a way to switch from basic to advanced menu without uninstalling/reinstalling unbound? I don't need to change the DoT settings, but there are others that seem useful.

The FAQ also mentions that unbound+diversion+adblock is not recommended. What about the youtube ads option that is different from the ad-block selection? I am also in the process of setting up pixelserv-tls so I do not know if that will already take care of those ads since I have not yet finished adding the certs.

Thanks!
 
Sorry if this question was asked and answered but I couldn't find it. I previously installed Unbound and told it to use the USB for storage of its log files. But when I look at the graphs, I do not see any data. Do I need to do something else to make that config work?

Actually I now went to look for the option to select USB as the storage device but could not find it. I did an Update thinking it would ask me for the log location but all it asked is if I wanted logging to be enabled (I said y).

Lastly, what is the option to enable the DNS firewall? Is that the same as DoT or stubby? I see in the logs where, when I updated Unbound, that stubby went to look for its config. But I thought I did not need stubby with Unbound. So I'm confused about the correct config.
 
I previously installed Unbound and told it to use the USB for storage of its log files.

I now went to look for the option to select USB as the storage device but could not find it. I did an Update thinking it would ask me for the log location but all it asked is if I wanted logging to be enabled (I said y).

unbound logging is always to the USB Entware '/opt' mount point...I wasn't aware you were given a choice?

i.e.
Code:
/opt/var/lib/unbound/unbound.log
or if you opt to use the 'scribe' command to use syslog-ng then
Code:
/opt/var/log/unbound.log


What is the option to enable the DNS firewall?
Use the appropriate menu option....

'Easy' mode menu - option 7

Code:
1  = Update unbound files and configuration                             5  = Install Ad and Tracker blocker (Ad Block)
2  = Remove unbound/unbound_manager                                     6  = Install Graphical Statistics GUI Add-on TAB
3  = Stop unbound                                                       7  = Enable   DNS Firewall [?]
4  = Show unbound statistics                                            8  = Install YouTube Ad blocker

?  = About Configuration                 
v  = View ('/opt/var/lib/unbound/'unbound.conf)  

e  = Exit Script [?]

E:Option ==>
'Advanced' mode menu use 'firewall'

Code:
i  = Update unbound and configuration ('/opt/var/lib/unbound/')             l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                         v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x  = Stop unbound                                                           vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration
                                                                            rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                                    oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size                                     s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/)
                                                                            adblock = Install Ad Block [uninstall | update | track]
DisableFirefoxDoH = Disable Firefox DoH [yes | no]                          youtube = Install YouTube Ad Block [uninstall | update]
Stubby = Enable Stubby Integration                                          DoT = Enable DNS-over-TLS
                                                                            firewall = Enable DNS Firewall [disable | ?]
bind = BIND unbound to WAN [debug | disable | debug show]                   vpn = BIND unbound to VPN {vpnid [debug]} | [disable | debug show] e.g. vpn 1

scribe = Enable scribe (syslog-ng) unbound logging                          ad = Analyse Diversion White/Block lists ([ file_name [type=adblock] ])
dnsmasq = Disable dnsmasq [disable | interfaces | nointerfaces]             ea = Edit Ad Block Allowlist (eb=Blocklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT)          ca = Cache Size Optimisation [ min | calc ]
                                                                            views = [? | uninstall] | {view_name [? | remove]} | {view_name [[type] domain_name[...] | IP_address[...]] [del]} ]

dig = {domain} [time] Show dig info e.g. dig asciiart.com                   lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                                dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links


[Enter] Leave Advanced Tools Menu

e  = Exit Script [?]

A:Option ==>
 
I rebooted, that fixed my display problem. Thanks for the info.
 
Hi there, have tried searching and think I may have my answer, but wanted to confirm. Upon the advice of the forum, I started dabbling into putting unbound on my AX88U. Currently running Diversion and Skynet. My WAN setup was using Cloudflare as DNS, and DOT with Cloudflare as main and Google as backup. To get unbound going, I followed the procedures for the easy install and it seems to have gone well. However, I'm not sure what to do with those DNS and DOT settings.

Also will soon try to setup the router as a VPN server for when I'm out. Will unbound affect this?

Please note that while I'm more technically proficient than the average grandmother asking what wifi is, I'm still trying to rationalize what recursive DNS is. So it's probably a completely dumb question, but I'd still like to get my setup right if I can.

Thanks!
 
Noticed for the first time that when entering multiple private-domains in unbound.conf the unbound_manager validation fails with an error. However going by official Unbound documentation this should be perfectly normal and it is supported. I was able to confirm that by entering 2 private-domain entries and then running unbound-checkconf without issue. Followed by unbound-control and it started just fine. If anyone has to enter multiple private domains keep that in mind.
 
Also will soon try to setup the router as a VPN server for when I'm out. Will unbound affect this?

Please note that while I'm more technically proficient than the average grandmother asking what wifi is, I'm still trying to rationalize what recursive DNS is. So it's probably a completely dumb question, but I'd still like to get my setup right if I can.

Thanks!

First, your DNS question as it pertains to unbound:

unbound caches your DNS lookups, so that it doesn't have to go looking outside your network. That makes it fast, and can make it more private.

And your VPN question - if you have devices connect through a tunnel to your router rather than using the internet at large, that protects them in the same way that your router protects them at home.
Since you've got unbound running at home for devices connected to it, I don't see why those coming into your VPN server on the router wouldn't be treated to the same convenience.
 
First, your DNS question as it pertains to unbound:

unbound caches your DNS lookups, so that it doesn't have to go looking outside your network. That makes it fast, and can make it more private.

And your VPN question - if you have devices connect through a tunnel to your router rather than using the internet at large, that protects them in the same way that your router protects them at home.
Since you've got unbound running at home for devices connected to it, I don't see why those coming into your VPN server on the router wouldn't be treated to the same convenience.

Thank you. The readings were quite informative. I at least understand a bit more about what it all does now. Also successfully created the VPN server, and that seems to be going well.

And to confirm my last bit, I guess I don't need DOT anymore since I expect the bulk of my DNS requests to be local, correct?
 
Thank you. The readings were quite informative. I at least understand a bit more about what it all does now. Also successfully created the VPN server, and that seems to be going well.

And to confirm my last bit, I guess I don't need DOT anymore since I expect the bulk of my DNS requests to be local, correct?
You're most welcome, and that's exactly correct.
Feels nice to be in control of your privacy, doesn't it?

I don't know what your connection speeds/details are like, but consider IPv6 (if your provider gives you a Native option there) and using cake-qos. Those will give you network-wide benefits.
 
