Unbound - Authoritative Recursive Caching DNS Server

Status
Not open for further replies.
I would like to know what options he is setting to dnsmasq to have it forwarding to unbound.
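Code:
#!/bin/sh
# dnsmasq.postconf: $1 is the path of the generated dnsmasq config
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "no-negcache" "$CONFIG"
# Turn off dnsmasq's cache and its DNS listener (port=0)
pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
pc_append "port=0" "$CONFIG"
# DHCP option 6 sets the DNS server handed to DHCP clients
pc_append "dhcp-option=6,IPDNSROUTER" "$CONFIG"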
The problem is that Diversion needs dnsmasq's DNS forwarding. With this, the query traffic will be split with unbound, not getting full operation of unbound privacy. The forward-zone option adds more privacy by eliminating name resolution by the ISP.
 
Without Diversion, I can reduce 30% of memory in the FW. With the adblock script I organized, an NXDOMAIN redirect list is generated, not requiring pixelserv. I still use Skynet.
 
This way, unbound will not interfere with any VPN solution etc on the FW. Honestly, by my tests, you don't even need a VPN.
 
@SomeWhereOverTheRainBow I need you to organize tests and improvements. My knowledge is limited. We need to improve adblock scripting and better performance settings and unbound integration with FW Merlin. Diversion can block the JavaScript adblock detector on websites. I need this feature in unbound.
 
At I am fully researching unbound as it has many ways it can be configured. The ad block script will work great.
 
What are the options you are setting for dnsmasq to have it forward to unbound?
Adapted from post #28 by @rgnldo for dnsmasq.postconf:
Code:
pc_delete "servers-file" $CONFIG
pc_append "server=127.0.1.1#53" $CONFIG
Also assumes Unbound is configured for:
Code:
port: 53
interface: 127.0.1.1
I'm not doing anything too different from rgnldo, I'm just taking baby steps through what he's already tried.
The forward-zone option adds more privacy by eliminating name resolution by the ISP.
Without the forward-zone, no queries are made to the ISP DNS, only root servers and authoritative nameservers for requested domains. Or else I misunderstand you, which I have in the past.
 
thank you
 
servers-file
I did not understand.
Without the forward-zone, no queries are made to the ISP DNS, only root servers and authoritative nameservers for requested domains. Or else I misunderstand you, which I have in the past.
Test forward-zone without diversion by disabling dnsmasq DNS.
 
This reflects if unbound was to be used on port 53 and you set dnsmasq to port=5353. It allows dnsmasq to only be used for local requests.

Code:
server:
    # allow unbound to send queries to the dnsmasq instance on loopback
    do-not-query-localhost: no
    private-domain: "local."
    domain-insecure: "local."
    private-domain: "192.168.1.in-addr.arpa."
    domain-insecure: "192.168.1.in-addr.arpa."
    local-zone: "192.168.1.in-addr.arpa" transparent

# local names and reverse lookups go to dnsmasq on port 5353
forward-zone:
    name: "local."
    forward-addr: 127.0.1.1@5353

forward-zone:
    name: "192.168.1.in-addr.arpa."
    forward-addr: 127.0.1.1@5353
 
Obviously you would then set port 5353 in dnsmasq, and make sure your etc/host is set as .local. or whatever domain you have set; you would need to change it to reflect that within your Unbound settings listed above.

So instead of "local."

"yourdomain."

Code:
local=/local/
port=5353

Assuming IP range 192.168.1.0/24.
 
I liked the proposal. Is this to work in conjunction with dnsmasq?
 
Yes, it obviously needs to be configured to reflect your setup as far as what domain you have listed in your /etc/host and whatever IP range you use locally, though. This assumes you are using the 192.168.1.0 range and that your /etc/host lists local. as your domain.
For example, /etc/host/ shows for me:

Code:
127.0.0.1 localhost.localdomain localhost
192.168.1.1 router.asus.com
192.168.1.1 www.asusnetwork.net
192.168.1.1 www.asusrouter.com
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
 
This setting is for working together, dnsmasq and unbound?
 
Yes, it allows dnsmasq to handle local DNS resolution, and unbound does the rest. Keep in mind it requires the forward zones to be fully configured per the /etc/host configuration.
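
An added example, not part of the thread or any poster's script: a static check that the dnsmasq and unbound settings discussed above agree with each other (each forward-addr port matches dnsmasq's port=, loopback targets are permitted, and forwarded zones are marked domain-insecure). The function names check_split and write_samples and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: static consistency check of the dnsmasq/unbound split.
# check_split returns the number of problems found in the unbound config ($2),
# given the dnsmasq config ($1) that should answer the forwarded local zones.
check_split() {
    dm_port=$(sed -n 's/^port=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    awk -v dm_port="${dm_port:-53}" '
        function fail(msg) { print "PROBLEM: " msg; bad++ }
        function norm(s)   { sub(/\.$/, "", s); return s }   # "local." == "local"
        { gsub(/"/, ""); sub(/#.*/, "") }                    # drop quotes, comments
        NF == 1 && $1 ~ /^[a-z-]+:$/ { clause = $1; next }   # server:, forward-zone:
        $1 == "do-not-query-localhost:" && $2 == "no" { localhost_ok = 1 }
        $1 == "domain-insecure:" { insecure[norm($2)] = 1 }
        clause == "forward-zone:" && $1 == "name:" { zone = norm($2) }
        clause == "forward-zone:" && $1 == "forward-addr:" { target[zone] = $2 }
        END {
            for (z in target) {
                zones++
                n = split(target[z], a, "@"); port = (n > 1) ? a[2] : 53
                if (port != dm_port)
                    fail(z ": forwards to port " port ", dnsmasq listens on " dm_port)
                if (a[1] ~ /^127\./ && !localhost_ok)
                    fail(z ": loopback target needs do-not-query-localhost: no")
                if (!(z in insecure))
                    fail(z ": no domain-insecure entry for this unsigned zone")
            }
            if (!zones) fail("no forward-zone found")
            exit bad + 0
        }' "$2"
}

# Constructed sample input: settings from the posts above, plus a broken copy.
write_samples() {
    printf 'local=/local/\nport=5353\n' > "$1/dnsmasq.conf"
    cat > "$1/unbound.conf" <<'EOF'
server:
    port: 53
    do-not-query-localhost: no
    domain-insecure: "local."
forward-zone:
    name: "local."
    forward-addr: 127.0.1.1@5353
EOF
    # Broken copy: target falls back to port 53, loopback queries not allowed.
    sed -e 's/@5353//' -e '/do-not-query-localhost/d' "$1/unbound.conf" > "$1/unbound.bad.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_split "$tmp/dnsmasq.conf" "$tmp/unbound.conf" && echo "split DNS config is consistent"
```

Run it against the generated dnsmasq config and your unbound.conf; a non-zero return value is the count of mismatches printed.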
 