
Unbound - Authoritative Recursive Caching DNS Server

v1.16 now uncomments the 'if' clause in 'unbound.postconf', however, I could not get unbound to work when it attempts to use the dynamically retrieved $UNBOUNDLISTENADDR rather than the static "127.0.0.1#53535"
Since @rgnldo's unbound.conf on Github allows all interfaces to listen, you have to limit the netstat output to the 127.0.0.1 lines. Plus my method assumes that S61unbound has a "service restart_dnsmasq" POSTCMD included. Which it doesn't anymore on Github. That way dnsmasq is only modified after unbound is successfully started.
 
I understand you. I performed several tests. I had mentioned earlier, the less we use resources for dnsmasq, the less unbound we have as dns server. It has been verified with @Martineau in practice what I am describing. It is possible to live with Diversion and other dnsmasq dependent software, but less will have unbound. Even the cache is affected, confusing UDP query routes. The more we leave dnsmasq as DHCP and use nothing bound, the more unbound we get.
 
 
Newest script v1.16 fails if you do a fresh install and attempt to enable ad block.

unbound[6071:0] error: Could not open logfile /unbound.log: Permission denied
fatal error: could not open autotrust file for writing, /root.key.6071-0-15b7d8: Permission denied
 
I needed to improve the adblock files. The installer script is dependent on the zip package, where it extracts and writes the lines. This is not good. It was a planning error. Let's fix it.

Change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody
Code:
chown nobody /opt/var/lib/unbound
# Make sure adblock folder is created
mkdir -p /opt/var/lib/unbound/adblock
cd /opt/var/lib/unbound/adblock
# Get files:
curl -fLO https://raw.githubusercontent.com/rgnldo/Unbound-Asuswrt-Merlin/master/adblock/blockhost
curl -fLO https://raw.githubusercontent.com/rgnldo/Unbound-Asuswrt-Merlin/master/adblock/gen_adblock.sh
curl -fLO https://raw.githubusercontent.com/rgnldo/Unbound-Asuswrt-Merlin/master/adblock/permlist
chmod +x /opt/var/lib/unbound/adblock/gen_adblock.sh
service restart_dnsmasq
sh /opt/var/lib/unbound/adblock/gen_adblock.sh
 
Someone run this and tell me what the output to the file called mytest is

Code:
curl --progress-bar https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> mytest
 
It’s just a list of domains, so your $2 isn’t getting anything. Try $NF. But it’s too much work for a non-hosts file.
 
Yeah, I figured this out on my own by changing the $2 to $1; I was about to respond once you responded.

The reason why I brought this up is because @rgnldo is offering an adblock generation script with this list of domains present, using these strings for his curl command, and it is generating blank lines for those domains, whereas the $2 would be specifically needed for actual hosts files.

As you point out, $NF is the most suitable option for any defined list. @dave14305
 
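The $2 versus $NF point above, as an added example that is not part of the thread or of the installer's gen_adblock.sh: a shell function that takes the last field of each line, so hosts-format and bare-domain lists both work, and keeps only valid hostnames before emitting Unbound local-zone lines. The function names, the sample list and the default zone type are assumptions.

```shell
#!/bin/sh
# Added example: turn a blocklist on stdin into Unbound local-zone lines.
# $1 = zone type; "static" is assumed as default (the type the thread says the
# native adblock script uses).
blocklist_to_unbound() {
    zone_type="${1:-static}"
    case "$zone_type" in
        refuse|static|always_nxdomain) ;;
        *) echo "unsupported zone type: $zone_type" >&2; return 1 ;;
    esac
    tr -d '\r' | sed 's/#.*$//' | awk -v zt="$zone_type" '
        NF == 0 { next }                 # blank or comment-only line
        {
            d = tolower($NF)             # last field: works with or without an IP column
            sub(/\.$/, "", d)            # drop a trailing root dot
            if (d ~ /^[0-9.]+$/) next    # bare IPv4 such as "0.0.0.0 0.0.0.0"
            # Valid hostname with at least one dot; this also drops "localhost"
            # and any entry whose characters would break the quoted zone name.
            if (d !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) next
            printf "local-zone: \"%s\" %s\n", d, zt
        }' | sort -u
}

# Constructed sample mixing hosts-format and bare-domain lines.
sample_list() {
    cat <<'EOF'
# constructed sample list
0.0.0.0 ads.example.com
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
tracker.example.net
Ads.Example.com   # same name, different case
0.0.0.0 not"valid.example
0.0.0.0 cdn.example.org.
EOF
}

sample_list | blocklist_to_unbound static
```

Because the list is downloaded and then included into the resolver configuration, rejecting anything that is not a plain hostname matters as much as picking the right field.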
Ad and tracker's blocking options available on Unbound. Not only the block is enough, but the answer of this block. The native adblock script installer uses the static option.

refuse
Send an error message reply, with rcode REFUSED. If there is a match from local data, the query is answered.

static
If there is a match from local data, the query is answered. Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local-data for the zone apex domain.

always_nxdomain
Like static, but ignores local data and returns nxdomain for the query.

what is the difference in these and

local-zone: "some.domain" redirect
local-data: "some.domain A 0.0.0.0"
local-data: "some.domain AAAA ::"
 
You can download the file and rebuild it. The blockhost file is where the user adds their own urls as well as containing wildcard domains not found in other lists. The permlist file is the user-added allowed urls file. Rebuild and do the simulation. Be free.
 
Not recommended unbound with NextDNS
I do not recommend using unbound with NextDNS (or even as a caching stub in general) because of this issue: https://github.com/NLnetLabs/unbound/issues/132
has been added to some anti-tracker blocklists, resulting in the blocking of large sites like apple.com, airbnb.com, ebay.com when used with unbound.
... and facebook.com. This occurs with NextDNS forwarding.
Yes. I checked this. For this reason we are organizing something similar using another method.
 
Unbound Installer v1.17 available
Fix Download individual Ad and Tracker files from @rgnldo Github rather than original combined .zip package.

Fix Stubby integration during install (broken in v1.16 :oops: if recommended REBOOT skipped)
Add new menu Options: '? = About Configuration' and 'vh=View Example Configuration'
For Advanced Users; Allow 'rl new_unbound_config_file' to be loaded. (/jffs/configs/ will be prefixed if file 'new_unbound_config_file' doesn't have a '/' path prefix)

Minor fixes/code tidy-up/message tweaks etc.
 
Very good. Soon we will have news. Zabbix monitoring report and an extra privacy solution for unbound. Performance enhancement....
 
Performed complete uninstallation with reboot. Reinstallation complete. Tested. No problems found.
Unbound Installer v1.17 available
Code:
By design, if GUI DNSSEC ENABLED then attempt to modify 'cache-size=0' results in dnsmasq start-up fail loop
if GUI stop-dns-rebind ENABLED - the same problem may happen. The unbound does this function.

Code:
        Router Configuration pre-reqs status:

        [✔] Swapfile=2097148 kB
        [✔] DNS Filter=ON
        [✔] DNS Filter=ROUTER
        [✔] WAN: Use local caching DNS server as system resolver=NO
        [✔] Enable local NTP server=YES
        [✔] Enable DNSSEC support=NO
        [✔] Enable STOP-DNS-REBIND support=NO

I suggest that this configuration pre-reqs information is right at the opening of the script. The script will parse router configuration pre-reqs before installing unbound.
 
Added support for disable Firefox's automatic switch to DoH. Mozilla - Canary domain
Added support for update root server's on cron o_O

@Martineau
Like the FW GUI, with the option to enable or disable DoH in Firefox, the script should prompt the user for the option. Uncommenting the include option and downloading the file.
Code:
#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
#include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################
add on cron update root server's /jffs/scripts/services-start
Code:
cru a root_servers  "0 2 */15 * * curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache"
It will be removed from the adblock script o_O. If the user does not want to install native adblock.
 
@Martineau on reboot unbound.postconf cannot change the /etc/dnsmasq.conf files. Running manual
Code:
service restart_dnsmasq
triggers.

So far I could not understand the need for this solution. If unbound is already set on port 53535, just know if it is active.
Code:
        UNBOUNDLISTENADDR="127.0.0.1#53535"
#       UNBOUNDLISTENADDR="$(netstat -nlup | awk '/unbound/ { print $4 } ' | tr ':' '#')"       # unbound_installer
        pc_append "server=$UNBOUNDLISTENADDR" $CONFIG
 
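One way to do the netstat lookup quoted above while keeping only the 127.0.0.1 line, as the earlier post says is needed when unbound listens on all interfaces (added example, not code from unbound.postconf or the installer): the function reads `netstat -nlup` output on stdin and fails when unbound has no loopback listener, so the caller can fall back to the static value. The function names and the sample netstat output are constructed.

```shell
#!/bin/sh
# Added example: find the loopback unbound listener in "netstat -nlup" output
# (read from stdin) and print it in dnsmasq "server=" form, e.g. 127.0.0.1#53535.
# Returns 1 when unbound has no 127.0.0.1 UDP listener.
unbound_listen_addr() {
    addr="$(awk '
        $1 == "udp" && $NF ~ /\/unbound$/ && $4 ~ /^127\.0\.0\.1:[0-9]+$/ {
            sub(/:/, "#", $4)    # 127.0.0.1:53535 -> 127.0.0.1#53535
            print $4
            exit                 # first loopback listener is enough
        }')"
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Constructed netstat output: unbound listening on every interface.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 192.168.1.1:53535       0.0.0.0:*                           6071/unbound
udp        0      0 127.0.0.1:53535         0.0.0.0:*                           6071/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           512/dnsmasq
udp        0      0 :::53535                :::*                                6071/unbound
EOF
}

# Use the detected address, or the static value from the thread if none is found.
UNBOUNDLISTENADDR="$(sample_netstat | unbound_listen_addr)" || UNBOUNDLISTENADDR="127.0.0.1#53535"
echo "server=$UNBOUNDLISTENADDR"
```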
This is why you need the POSTCMD="service restart_dnsmasq" in S61unbound.
 