Unbound - Authoritative Recursive Caching DNS Server

Status
Not open for further replies.
Hi @dave14305,

I'll have to jump on this project soon once I finish up my current development project. In the x3mRouting project, I use the IPSET feature available in dnsmasq to collect IP addresses for domain names and populate IPSET lists. This feature will probably not work if dnsmasq is disconnected from unbound. It may also have an impact for Diversion users as well since it is tightly integrated with dnsmasq.

Anyway, good to see the contributions of everyone to get Unbound implemented on Asuswrt-Merlin.
My pursuit is more a personal proof-of-concept and not intended for the installer script. I think it’s a high-risk proposition but want to prove so one way or another. There’s quite a scripting dance required to keep dhcp, but swap who listens on br0 port 53 after USB and Entware are started. But also needing to fail safely in case it doesn’t work.
 
I installed Unbound.

When I do a dns leak test, I find I’m now using my ISP’s dns (I never have, nor are they configured anywhere in my router), + Cloudflare!?

Confusion reigns.....:confused:
 
It should be leaking your WAN IP as your DNS server, which happens to be owned by your ISP, by definition. Is that what you really see?
 
Ah yes, + Cloudflare.
Did you choose to integrate Stubby in the installer? That could be the source of Cloudflare. Post your unbound.conf file if unsure.
 
I'm away now, I will investigate.

I did integrate stubby, without really understanding the consequences.
I just want unbound to be the recursive server, is stubby integration redundant for that?
[EDIT] Asked & answered.
https://www.snbforums.com/threads/u...-caching-dns-server.58967/page-34#post-541284

(Sorry for all the questions, as you see I’m no expert).
 
When I attempt to use the l command within Unbound menu I get the following error. I did select the option to enable logging during setup.


unbound logging '/opt/var/lib/unbound/' NOT ENABLED?
 
I'm away now, I will investigate.

I did integrate stubby, without really understanding the consequences.
I just want unbound to be the recursive server, is stubby integration redundant for that?

(Sorry for all the questions, as you see I’m no expert).
Unbound ends up as a regular forwarder to Stubby in that scenario, no longer doing its own recursive lookups. So now you have two Stubbys on your router: the firmware Stubby and the Entware Stubby. I would dis-integrate Stubby if the installer (unbound_manager) allows. I still don’t understand why there is a need to install Entware Stubby. Maybe I’ll make a suggestion to Martineau on how I would integrate directly with Merlin’s Stubby and leave control in the GUI.

Regardless, integrating with Stubby disables recursive lookups, so it’s not what you wanted.
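
A way to check which mode a given unbound.conf puts Unbound in, as an added example that is not part of the original posts or of unbound_manager. It assumes the usual one-directive-per-line layout; the function names and the sample configurations are constructed for illustration, and 127.0.0.1@5453 is a placeholder address.

```shell
# resolver_mode [FILE]: prints "recursive" or "forwarder to=<addr,...> tls=<yes|no>"
resolver_mode() {
    awk '
        function close_clause() {
            # Only a forward-zone named "." takes over every lookup.
            if (clause == "forward-zone:" && name == ".") {
                found = 1; to = addrs; enc = (tls == "yes") ? "yes" : "no"
            }
            name = ""; addrs = ""; tls = ""
        }
        {
            sub(/^[ \t]+/, "")
            # "#" opens a comment at line start or after whitespace only;
            # inside a forward-addr value it introduces the TLS auth name.
            sub(/^#.*/, ""); sub(/[ \t]+#.*/, ""); sub(/[ \t]+$/, "")
        }
        $0 == "" { next }
        /^[a-z-]+:$/ { close_clause(); clause = $0; next }
        clause == "forward-zone:" {
            val = $2; gsub(/"/, "", val)
            if ($1 == "name:") name = val
            else if ($1 == "forward-addr:" || $1 == "forward-host:")
                addrs = (addrs == "" ? val : addrs "," val)
            else if ($1 == "forward-tls-upstream:") tls = val
        }
        END {
            close_clause()
            if (found) print "forwarder to=" to " tls=" enc
            else print "recursive"
        }
    ' "$@"
}

# Constructed sample; 127.0.0.1@5453 is a placeholder, not the installer's value.
sample_forwarder() {
    cat <<'EOF'
server:
    verbosity: 2   # trailing comment
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5453
EOF
}
# Constructed sample: root forward-zone commented out, only a local zone forwarded.
sample_recursive() {
    printf '%s\n' 'server:' '# forward-zone:' '#   name: "."' \
        'forward-zone:' '  name: "example.lan"' '  forward-addr: 192.168.1.1'
}
sample_forwarder | resolver_mode
sample_recursive | resolver_mode
```

Pass a real path instead of piping a sample, e.g. `resolver_mode /path/to/unbound.conf`; a "forwarder" result means the upstream listed after `to=` is what a DNS leak test will report.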
 
Ok, back in the chair.
Unbound removed/reinstalled with stubby excluded from the mix.
My dns server as you suggested, is me! Woo hoo! :cool:

Once again, this forum is such a great help. Many thanks for your attention.
 
should i deinstall dnscrypt proxy before installing unbound?
 
o_O If it is in disuse, there is no need, simple, in consensus, to remove the Stubby.

I mention again, the integration with Stubby adds TCP/TLS queries to the unbound, it's not just encryption. TCP connections are more reliable and efficient. This feature will be native to the next versions of unbound.

Where Unbound has problems with this. I examined all possible routes. Dnsmasq does its job properly. The interaction of DNS port 53 with DHCP routes is independent of unbound. This solution with dnsmasq does not differ at all from the traditional DHCP server.

To avoid confusion, either remove Stubby and leave this job to advanced users or organize the installer script in a simple way. For me, remove.
 
When I attempt to use the l command within Unbound menu I get the following error. I did select the option to enable logging during setup.


unbound logging '/opt/var/lib/unbound/' NOT ENABLED?

Do you have unbound AD Block enabled?

The 'lo/lx' logging ENABLE/DISABLE commands are applied dynamically, i.e. they don't permanently update 'unbound.conf' (unlike if you opt for unbound logging during the install, which does save your selection in 'unbound.conf').

If you have unbound AD Block installed, the daily Ad Block cron update @05:00 deems it acceptable to delete the log file, and restarts unbound.

NOTE: If you have syslog-ng/scribe installed, then you may use the unbound_manager 'scribe' command to have better control over the unbound logs etc.
 
Hi Martineau
I get the same issue - I also have unbound AD Block enabled (as well as Diversion). I did enable logging from the install and indeed the entries below are there. I also just enabled scribe and I now have unbound logs appearing in my syslog. HOWEVER if I press l from within unbound_manager I still get the "NOT ENABLED" message. Even pressing lo gives the message "unbound logging enabled", however immediately then pressing l gives the same NOT ENABLED message. Cheers
BTW brilliant work on the script - congratulations

PS- found another small issue - when entering x to stop unbound
Code:
 Invalid Option "x" Please enter a valid option


Code:
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-time-ascii: yes
log-queries: yes
log-replies: yes
 
FYI, to prevent line-wrap clutter see recommended SSH session size

Yes, I had already read those suggestions. I use an iPad 95% of the time, even for my router gui configurations and router ssh sessions via the Shelly app. I do have the ability to dynamically change font size on the fly in Shelly by simply using two fingers to increase/decrease. It is a pretty good app. I just did not adjust it before taking a screenshot of the Unbound stats. BTW, great work on Unbound!
 
Hi Martineau
I get the same issue - I also have unbound AD Block enabled (as well as Diversion). I did enable logging from the install and indeed the entries below are there. I also just enabled scribe and I now have unbound logs appearing in my syslog. HOWEVER if I press l from within unbound_manager I still get the "NOT ENABLED" message. Even pressing lo gives the message "unbound logging enabled", however immediately then pressing l gives the same NOT ENABLED message. Cheers
Code:
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-time-ascii: yes
log-queries: yes
log-replies: yes

I get the same results and I am not running AD Block nor Diversion. Diversion caused too many issues with my wife’s web surfing and I could never tell if AD Block was actually doing anything so I uninstalled it after a couple of days.

[ update ] I do have the Firefox DoH feature enabled so I guess I am running a portion of AD Block.
 

Thanks for the scribe info. I ran the command and now have an Unbound log!
 

As the logs capture queries and everything, the file expands. To guarantee performance and check for problems, with each adblock update, the LOG file is removed.

Unbound/Adblock
updated with the addition of domains and options in Unbound for blocking efficiency. I am implementing the blocking by CNAME Cloaking non ECS. For now, for my false positive tests.
 