Replacing DNSMasq DNS with Unbound

tomsk,

Entware was setup with the built-in entware-setup.sh and installed to the USB drive under the Admin account.

Would that affect the permissions applied to the USB drive?

Unbound was setup with "opkg install unbound" and DNSCrypt was setup with "opkg install dnscrypt-proxy".

What permissions should rc.func have ?

From the command line, the following error occurs.

(screenshot attachment: rc.func.png)
 
Permissions should set themselves up properly using the built-in installers. But you do seem to have a permissions issue. Were you in the home directory when you did the install? That may have had some effect; I'm not sure.
Did you try setting the permissions to 755 on rc.func? You may be able to get init scripts to run after that.
 
tomsk,

Probably ran the install from /tmp/home/root.

Set permissions on rc.func to 755.

Still causing an error.

(screenshot attachment: Check.png)
 
tomsk,

One thing I noticed was the symbolic link for /opt was invalid. In WinSCP, the link was in red.

I started over by resetting the firmware, reformatting the USB drive and installing Entware from the link below.
The /opt symbolic link now points to /tmp/opt and appears as a shortcut in WinSCP.

The Entware process also installed a swap file on the USB drive.

Packages installed were:

opkg install unbound

opkg install dnscrypt-proxy
Running checks results in the following.

(screenshot attachment: Checks.png)
 
OK, that's great. You can see the symlink creation in the /jffs/scripts/post-mount file. So now dnscrypt is running, but unbound is trying to start and failing, most likely because of the configuration, or possibly because it is trying to bind to a port that is already busy doing something else.
This is where you are really on your own, because I have no experience of unbound at all, but general advice would be to get a minimal version of it running before you try to connect it to anything else. I did a brief search on the web and there are simply loads of sites which offer configuration advice and examples. Here's the official site:
https://unbound.net/documentation/unbound.conf.html
Don't forget you are running it from the entware directory, so any paths you set need to reflect that.

Good luck! And as always, if you manage to get it going, a post back to the community so we can all benefit is appreciated :)
 
It would be helpful if there were diagnostics for Entware packages.
 
Just guessing now, but did you try specifying a different port than 53 for the interface?

port: <port number>
The port number, default 53, on which the server responds to queries.

interface: <ip address[@port]>
Interface to use to connect to the network. This interface is listened to for queries from clients, and answers to clients are given from it. Can be given multiple times to work on several interfaces. If none are given the default is to listen to localhost. The interfaces are not changed on a reload (kill -HUP) but only on restart. A port number can be specified with @port (without spaces between interface and port number); if not specified the default port (from port) is used.
 
Well, just for the sake of pure curiosity, I installed unbound with entware. I went into the config file and changed the port number. When I tried to restart unbound, I now get
Code:
unbound: [13290:0] fatal error: unable to chdir to chroot /opt/var/lib/unbound: No such file or directory
so I created the directory and tried again, and got
Code:
unbound: [15950:0] notice: init module 0: validator
unbound: [15950:0] notice: init module 1: iterator
kernel: warning: process `unbound' used the deprecated sysctl system call with 1.40.6.
unbound: [15950:0] info: start of service (unbound 1.6.0).
Success! Doing an /opt/etc/init.d/S61unbound check declares it alive. Hope that points you in the right direction...
 
tomsk,

Thanks for the info !

Managed to disable DNSMasq as a DNS resolver. Add "port=0" to /jffs/configs/dnsmasq.conf.add

I also had to create the /opt/var/lib/unbound directory.

However, this is the current result.

(screenshot attachment: Check.png)

Neither top nor ps shows Unbound running. Nmap shows nothing is listening on port 53.

I'm probably going to reset the router and start over.

How did you install Entware? From the built-in entware-setup.sh?
 
My entware install was done ages ago using the HQT tutorial, although I think the result is not that different. Did you change the unbound port? I think dnsmasq has cornered the market on port 53.
Unbound shows as running in top for me:
Code:
28814     1 tOmsK S     8308  3.2   1  0.0 unbound -c /opt/etc/unbound/unbound.conf
 
tomsk,

Thanks for going above and beyond the call for help with the links above.

Unbound now shows as running in top !

Below is a brief summary of what it took to get to this point.
  1. Reflashed firmware with current version of Asuswrt-Rmerlin.

  2. Reset default NVRAM values.

  3. Created 4 GB partition (/dev/sda1) formatted with ext4 on an external USB flash drive.

  4. Installed Entware-NG with instructions from "https://www.hqt.ro/how-to-install-new-generation-entware/" onto /dev/sda1.

  5. Skipped creating a swap file since writing to a USB drive will wear it out prematurely.

  6. Installed unbound
    1. opkg install unbound
    2. opkg install unbound-anchor
    3. opkg install unbound-control-setup

  7. Created "/jffs/configs/dnsmasq.conf.add" file and added "port=0" line to it. Setting this to zero completely disables DNS function, leaving only DHCP and/or TFTP.

  8. Created "/opt/var/lib/unbound" directory.

  9. Uncommented "port=53" in /mnt/sda1/entware-ng.arm/etc/unbound/unbound.conf"

  10. Further configure /mnt/sda1/entware-ng.arm/etc/unbound/unbound.conf to your needs.

  11. Rebooted the router
Warning !!!

For anyone looking to replace DNSMasq with Unbound, this does not create a working DNS solution yet. It's only to get DNSMasq to stop acting as a DNS server and to install Unbound.
The next step is to install DNSCrypt and have Unbound forward to it. Clients will use Unbound as the DNS cache. For addresses not in Unbound's cache, Unbound will forward to DNSCrypt for resolution. At that point, you will have a working DNS solution for the router and clients.
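Steps 7 to 10 of the summary above, scripted as an added example. This is not code from the thread or from the Entware package. ROOT prefixes every path so the script can be dry-run on a workstation; on the router it is left empty. LAN_IP, LAN_NET and the dnscrypt-proxy listener address DNSCRYPT_ADDR are assumptions the thread never states, and the generated unbound.conf binds only to loopback and the LAN address and refuses every other source, so the router does not end up as an open resolver on its WAN side.

```shell
#!/bin/sh
# Added example, not from the thread or the Entware package: scripts steps 7-10
# of the summary above.  Dry run:  ROOT=/tmp/dry sh unbound-setup.sh apply
# On the router leave ROOT empty.  LAN_IP, LAN_NET and DNSCRYPT_ADDR are
# assumptions; adjust them before use.
: "${ROOT:=}"
: "${LAN_IP:=192.168.1.1}"              # assumed Asuswrt LAN address
: "${LAN_NET:=192.168.1.0/24}"          # assumed LAN prefix
: "${DNSCRYPT_ADDR:=127.0.0.1@65053}"   # assumed dnscrypt-proxy listener (ip@port)

set_paths() {
    DNSMASQ_ADD="$ROOT/jffs/configs/dnsmasq.conf.add"
    UNBOUND_CONF="$ROOT/opt/etc/unbound/unbound.conf"
    CHROOT_DIR="$ROOT/opt/var/lib/unbound"   # its absence is the chroot fatal error above
}

# Step 7: stop dnsmasq answering DNS; DHCP keeps working.  Idempotent.
write_dnsmasq_add() {
    set_paths
    mkdir -p "$(dirname "$DNSMASQ_ADD")"
    grep -qx 'port=0' "$DNSMASQ_ADD" 2>/dev/null || printf 'port=0\n' >> "$DNSMASQ_ADD"
}

# Steps 8-10: chroot directory plus a minimal unbound.conf that listens on
# loopback and the LAN only and hands uncached queries to dnscrypt-proxy.
write_unbound_conf() {
    set_paths
    mkdir -p "$CHROOT_DIR" "$(dirname "$UNBOUND_CONF")"
    cat > "$UNBOUND_CONF" <<EOF
server:
    # assumption: no unprivileged user exists on the router to drop to
    username: ""
    # both must point at an existing directory before unbound starts
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"
    port: 53
    interface: 127.0.0.1
    interface: $LAN_IP
    access-control: 127.0.0.0/8 allow
    access-control: $LAN_NET allow
    # everyone else, including the WAN side, gets REFUSED
    access-control: 0.0.0.0/0 refuse
    # required because the forwarder below lives on loopback
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # enable once unbound-anchor has created the key inside the chroot:
    # auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
forward-zone:
    name: "."
    forward-addr: $DNSCRYPT_ADDR
EOF
}

# Pre-reboot sanity check (the "Check" the thread kept running).  Prints the
# first problem found and returns 1; returns 0 when everything is in place.
check_setup() {
    set_paths
    [ -d "$CHROOT_DIR" ] || { echo "missing chroot dir: $CHROOT_DIR"; return 1; }
    grep -qx 'port=0' "$DNSMASQ_ADD" 2>/dev/null || { echo "dnsmasq still serving DNS"; return 1; }
    grep -q '^ *port: 53$' "$UNBOUND_CONF" 2>/dev/null || { echo "unbound not on port 53"; return 1; }
    grep -q '^ *access-control: 0\.0\.0\.0/0 refuse$' "$UNBOUND_CONF" || { echo "no default refuse rule"; return 1; }
    # unbound-checkconf also verifies that chroot/directory exist, which only
    # makes sense on the router itself, so it is skipped on a dry run.
    if [ -z "$ROOT" ] && command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$UNBOUND_CONF" || return 1
    fi
    echo "setup looks consistent"
}

if [ "${1:-}" = "apply" ]; then
    write_dnsmasq_add && write_unbound_conf && check_setup
fi
```

After `apply` on the router, reboot (step 11) or run `service restart_dnsmasq` followed by `/opt/etc/init.d/S61unbound restart`, then confirm with `nslookup example.com 127.0.0.1` that unbound, not dnsmasq, answers on port 53. If the LAN also has IPv6 addresses, add matching `interface:` and `access-control:` lines for them.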
 
swetoast,

Personal preference.

From what I've read, unbound compared to DNSMasq has more security features and more configuration options. It also caches more records, which is important over a wireless Internet connection. The router has 512 MB of memory, so why not put it to good use?
 
It also caches more records, which is important over a wireless Internet connection. The router has 512 MB of memory, so why not put it to good use?

A few years ago a couple of users on the forums compared their dnsmasq cache usage, as we were considering increasing it from its default value of 1500 entries. We found out that among us, nobody had managed to run out of cache space with the default value of 1500. Entries were expiring due to reaching the end of their TTL before that happened, indicating that 1500 was enough for everyone (and that value can still be changed if for some weird reason anyone actually needed more).

Code:
Feb 19 12:32:36 dnsmasq[4897]: time 1421903
Feb 19 12:32:36 dnsmasq[4897]: cache size 1500, 0/244763 cache insertions re-used unexpired cache entries.
Feb 19 12:32:36 dnsmasq[4897]: queries forwarded 88419, queries answered locally 15421
Feb 19 12:32:36 dnsmasq[4897]: DNSSEC memory in use 4972, max 10472, allocated 149996

In my case, this indicates that zero entries had to be removed before reaching their expiration.

Don't blindly increase caching/buffering without first analyzing what your current usage really is. That available memory can be put to better use elsewhere, such as filesystem caching.
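As an added example (not part of the post above), the following shell function reads dnsmasq's statistics lines in the format quoted above and turns the "X/Y cache insertions re-used unexpired cache entries" figure into a verdict, so the decision to grow `cache-size` rests on measured evictions rather than a guess. The sample lines are constructed for this example; the 1 % threshold and the /tmp/syslog.log location are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: interpret dnsmasq cache statistics.
# dnsmasq writes them to syslog on SIGUSR1; on Asuswrt-Merlin (assumed):
#   kill -USR1 "$(pidof dnsmasq)"; sleep 1; dnsmasq_cache_report < /tmp/syslog.log

# Reads syslog text on stdin.  "evicted_live" is the X in "X/Y cache insertions
# re-used unexpired cache entries": entries thrown out before their TTL ran out,
# which is the only signal that the cache is actually too small.  Exit 2 if no
# statistics block is present.  The 1% threshold is an arbitrary assumption.
dnsmasq_cache_report() {
    awk '
    /dnsmasq\[[0-9]+\]: cache size / {
        size = $0; sub(/.*cache size /, "", size); sub(/,.*/, "", size)
        frac = $0; sub(/.*cache size [0-9]+, /, "", frac); sub(/ cache insertions.*/, "", frac)
        split(frac, p, "/"); evicted = p[1] + 0; inserted = p[2] + 0
        have = 1
    }
    /dnsmasq\[[0-9]+\]: queries forwarded / {
        fwd = $0; sub(/.*queries forwarded /, "", fwd); sub(/,.*/, "", fwd); fwd += 0
        loc = $0; sub(/.*queries answered locally /, "", loc); loc += 0
    }
    END {
        if (!have) { print "no dnsmasq cache statistics found"; exit 2 }
        total = fwd + loc
        # "answered locally" covers cache hits plus hosts/DHCP data, so this is
        # an upper bound on the cache hit rate, not the hit rate itself.
        localpct = (total > 0) ? 100.0 * loc / total : 0
        evictpct = (inserted > 0) ? 100.0 * evicted / inserted : 0
        printf "cache_size=%d insertions=%d evicted_live=%d evict_pct=%.2f local_pct=%.1f\n",
               size, inserted, evicted, evictpct, localpct
        if (evicted == 0)
            print "verdict: no live entries evicted; cache-size is not the bottleneck"
        else if (evictpct < 1)
            print "verdict: occasional eviction; a larger cache would help very little"
        else
            print "verdict: live entries are being evicted; consider raising cache-size"
    }'
}

# Constructed sample, shaped like the statistics quoted above but with a
# deliberately undersized cache so the eviction branch is exercised.
sample_log() {
    cat <<'EOF'
Feb 19 12:32:36 dnsmasq[4897]: time 1421903
Feb 19 12:32:36 dnsmasq[4897]: cache size 150, 812/52310 cache insertions re-used unexpired cache entries.
Feb 19 12:32:36 dnsmasq[4897]: queries forwarded 40210, queries answered locally 12100
EOF
}

if [ "${1:-}" = "demo" ]; then
    sample_log | dnsmasq_cache_report
fi
```

Run with `demo` to see the constructed case; with the figures quoted in the post above (0 of 244763 insertions evicting a live entry) the verdict is the first branch, which is exactly the point being made.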
 
This is what the dnsmasq man page says:
-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
Specify different or extra options to DHCP clients. By default, dnsmasq sends some standard options to DHCP clients, the netmask and broadcast address are set to the same as the host running dnsmasq, and the DNS server and default route are set to the address of the machine running dnsmasq. (Equivalent rules apply for IPv6.) If the domain name option has been set, that is sent. This configuration allows these defaults to be overridden, or other options specified. The option, to be sent may be given as a decimal number or as "option:<option-name>" The option numbers are specified in RFC2132 and subsequent RFCs. The set of option-names known by dnsmasq can be discovered by running "dnsmasq --help dhcp". For example, to set the default route option to 192.168.4.4, do --dhcp-option=3,192.168.4.4 or --dhcp-option = option:router, 192.168.4.4 and to set the time-server address to 192.168.0.4, do --dhcp-option = 42,192.168.0.4 or --dhcp-option = option:ntp-server, 192.168.0.4 The special address 0.0.0.0 is taken to mean "the address of the machine running dnsmasq".

So my guess is you will need it if you want to use dnsmasq as your DHCP server and unbound as your DNS, as you will want dnsmasq to tell its clients where to look for DNS.
 
@tomsk,

Thanks for looking that up.

That explains why it's working without putting that line in.
 
The unbound man (https://unbound.net/documentation/howto_anchor.html) states "unbound-anchor" should be:
  1. Run in the init script
  2. After NTP runs
  3. Before unbound starts
The command line is:

unbound-anchor -a "/opt/etc/unbound/root.key" -c "/opt/etc/unbound/unbound_server.pem" -4 -p 443
Should this be placed in the "init-start" or "services-start" script ?
 
Maybe you can put it in PRECMD in S61unbound.
Can unbound work together with pixelserv-tls?
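One way to do what the reply above suggests, as an added example that is neither Entware's S61unbound nor code from the thread: a PRECMD hook for the Entware init script that runs unbound-anchor only after the clock can be trusted, since an RFC 5011 check against a router clock still sitting at the firmware build date would reject every valid signature. Paths follow the thread, except that root.key is placed inside the chroot directory created earlier so unbound can rewrite it from inside the chroot; if you do not use chroot, the path from the post above works. The `ntp_ready` NVRAM flag is an Asuswrt-Merlin detail, the 2017 clock floor is an arbitrary assumption, and `-c` is only passed when a certificate bundle is configured, because unbound-anchor carries the ICANN certificate it needs built in.

```shell
#!/bin/sh
# Added example, not from the thread or Entware: PRECMD hook for S61unbound that
# refreshes the DNSSEC root trust anchor once the clock is trustworthy.
: "${ROOT_KEY:=/opt/var/lib/unbound/root.key}"   # inside the chroot, see lead-in
: "${ANCHOR_CERT:=}"                             # optional ICANN CA bundle for -c
: "${UNBOUND_ANCHOR:=/opt/sbin/unbound-anchor}"  # overridable so the logic is testable
: "${NTP_TIMEOUT:=120}"                          # seconds to wait for a sane clock

# $1 is epoch seconds; returns 0 if it is plausibly current.  A clock at 1970 or
# at the firmware build date would make every signature look expired/not yet valid.
clock_is_sane() {
    [ "$1" -ge 1483228800 ]   # 2017-01-01T00:00:00Z, assumed floor
}

# Wait up to NTP_TIMEOUT seconds.  Uses Merlin's ntp_ready flag when nvram is
# present, otherwise falls back to inspecting the clock (e.g. on a workstation).
wait_for_ntp() {
    i=0
    while [ "$i" -lt "$NTP_TIMEOUT" ]; do
        if command -v nvram >/dev/null 2>&1; then
            [ "$(nvram get ntp_ready)" = "1" ] && return 0
        elif clock_is_sane "$(date +%s)"; then
            return 0
        fi
        sleep 1; i=$((i + 1))
    done
    return 1
}

# unbound-anchor's exit code is not a plain success flag: 0 means the key was
# already fine or updated via RFC 5011, 1 means it was (re)created from the
# certificate or builtin anchor.  Anything else is a real failure.  $1 = exit code.
anchor_exit_ok() {
    [ "$1" -eq 0 ] || [ "$1" -eq 1 ]
}

# The PRECMD body: gate on time, then refresh the anchor with the thread's flags.
refresh_anchor() {
    wait_for_ntp || { echo "NTP never synced; not touching $ROOT_KEY" >&2; return 1; }
    mkdir -p "$(dirname "$ROOT_KEY")"
    if [ -n "$ANCHOR_CERT" ]; then
        "$UNBOUND_ANCHOR" -a "$ROOT_KEY" -c "$ANCHOR_CERT" -4 -p 443 && rc=0 || rc=$?
    else
        "$UNBOUND_ANCHOR" -a "$ROOT_KEY" -4 -p 443 && rc=0 || rc=$?
    fi
    anchor_exit_ok "$rc" || { echo "unbound-anchor failed with exit code $rc" >&2; return 1; }
    return 0
}

# Wiring (assumed file name /opt/etc/unbound/refresh-anchor.sh): in
# /opt/etc/init.d/S61unbound, above the ". /opt/etc/init.d/rc.func" line, add
#   . /opt/etc/unbound/refresh-anchor.sh
#   PRECMD=refresh_anchor
# and point unbound.conf at the key:
#   auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
```

rc.func runs `$PRECMD` before starting `$PROCS`; check your copy of rc.func to confirm it does not abort on a non-zero PRECMD, because the intent here is that unbound still starts with whatever root.key it already has when the refresh cannot run. Should the validation path be kept out of the init script instead, the same function can be called from `services-start` after an explicit `ntp_ready` wait.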
 
