Unbound - Authoritative Recursive Caching DNS Server

[dave14305]

What are the recommended DNS settings on the WAN page if one wants to use Unbound?

Generally it doesn’t matter because the dnsmasq.postconf will replace the GUI config with the necessary config for Unbound. No permanent nvram changes get made.

What about Tools / Other Settings page “Wan: Use local caching DNS server as system resolver (default: No)”? Is it No?

 

[rgnldo]

DNS settings on the WAN

ISP WAN dns. The only interference I make on FW Merlin is in the DHCP IP range. Unbound for me is a host. I use only Entware services.

 

[Xentrk]

Generally it doesn’t matter because the dnsmasq.postconf will replace the GUI config with the necessary config for Unbound. No permanent nvram changes get made.

What about Tools / Other Settings page “Wan: Use local caching DNS server as system resolver (default: No)”? Is it No?

Thanks for the reply. Yes, I had set local caching to No before installing. What I'll try is to make the changes recommended by the "?" option, then reboot before installing Unbound. That may help clear up any conflicts.

 

[rgnldo]

I hardly use the resources of FW Merlin. I use enough to run Entware, Unbound, Suricata and Clamav.

 

[RacerRon]

You might also need a line added to /jffs/configs/dnsmasq.conf.add:

rebind-domain-ok=/plex.direct/

This was needed to make both plex servers work as well as the
private-domain: "plex.direct" in unbound config.
Thank you

 

[Xentrk]

Added support adblock whitelist for x3mRouting using the IPSET Shell Scripts Method. Excellent solution with IPSET. Available on AMTM.

The shared-whitelists folder has changed in the 384.15 release:

/jffs/addons/shared-whitelists/

 

[L&LD]

Updated RT-AX88U to 384.15 Beta 1 and everything is working fine except for the System Log page in the GUI. The page would just hang/freeze. Not possible to navigate away by clicking anywhere and no logs were shown or accessible.

Excluded unbound in Scribe and all is well again. But, I would like to have Unbound logging back in the GUI again soon!

 

[Martineau]

@rgnldo

You are again guessing which unbound parameters might be 'correct', but sneakily using the community as unwittingly exposed guinea pigs without the users' permission - suppose your tweaks are not valid on the target router?

e.g.

i.e. depending on when someone installs unbound, they may actually have any of the following:

edns-buffer-size: 1472
edns-buffer-size: 1232
incoming-num-tcp: 1000
incoming-num-tcp: 600
outgoing-num-tcp: 100

Most do not understand the consequences nor indeed what the actual parameters mean, so you need to have a sense of responsibility and open disclosure.

You are abusing the trust of users that wish to use my script to install unbound

THIS IS UNACCEPTABLE.

Add the rqeuested version header in 'unbound.conf' hosted on your GitHub together with a description of the change, so the script can advise if it may be necessary to review the changes you are testing.

...or do you still think your attitude is acceptable?

 

[Smokey613]

Just fyi, Unbound logging still working great on my RT-AC86U!

 

[Martineau]

Just fyi, Unbound logging still working great on my RT-AC86U!

Is that the native unbound logging or syslog-ng/scribe logging?

 

[Smokey613]

Is that the native unbound logging or syslog-ng/scribe logging?

Sorry, it's the syslog-ng/scribe logging.

 

[Smokey613]

Sorry, it's the syslog-ng/scribe logging.

I stand corrected. It appeared to be working okay shortly after the beta1 install but now, I too am getting the errors in the scribe log.

Feb 1 10:00:01 RT-AC86U syslog-ng[2203]: Follow-mode file source not found, deferring open; filename='/var/lib/logrotate.status'
Feb 1 10:00:01 RT-AC86U syslog-ng[2203]: Configuration reload request received, reloading configuration;
Feb 1 10:00:01 RT-AC86U syslog-ng[2203]: Configuration reload finished;

 

[Smokey613]

Okay, I completely uninstalled Unbound, rebooted, reinstalled Unbound using:

mkdir /jffs/addons 2>/dev/null;mkdir /jffs/addons/unbound 2>/dev/null; curl --retry 3 "https://raw.githubusercontent.com/MartineauUK/Unbound-Asuswrt-Merlin/master/unbound_manager.sh" -o "/jffs/addons/unbound/unbound_manager.sh" && chmod 755 "/jffs/addons/unbound/unbound_manager.sh" && /jffs/addons/unbound/unbound_manager.sh

Now my Unbound scribe log looks clean.

Feb 1 10:53:11 RT-AC86U (unbound_manager.sh): 16517 Starting Script Execution (menu)
Feb 1 10:54:04 RT-AC86U S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound


This is the result using the l command from the Unbound menu:

Feb 01 11:03:10 unbound[17417:0] info: 127.0.0.1 star.c10r.facebook.com. A IN
Feb 01 11:03:10 unbound[17417:0] info: resolving star.c10r.facebook.com. A IN
Feb 01 11:03:10 unbound[17417:0] info: 127.0.0.1 star.c10r.facebook.com. A IN NOERROR 0.000000 1 56
Feb 01 11:03:10 unbound[17417:0] info: response for star.c10r.facebook.com. A IN
Feb 01 11:03:10 unbound[17417:0] info: reply from <c10r.facebook.com.> 185.89.219.11#53
Feb 01 11:03:10 unbound[17417:0] info: query response was ANSWER
Feb 01 11:03:10 unbound[17417:0] info: resolving facebook.com. DS IN
Feb 01 11:03:10 unbound[17417:0] info: NSEC3s for the referral proved no DS.
Feb 01 11:03:10 unbound[17417:0] info: Verified that unsigned response is INSECURE
Feb 01 11:03:10 unbound[17417:0] info: control cmd: get_option use-syslog

 

[Martineau]

I stand corrected. It appeared to be working okay shortly after the beta1 install but now, I too am getting the errors in the scribe log.

Feb 1 10:00:01 RT-AC86U syslog-ng[2203]: Follow-mode file source not found, deferring open; filename='/var/lib/logrotate.status'
Feb 1 10:00:01 RT-AC86U syslog-ng[2203]: Configuration reload request received, reloading configuration;
Feb 1 10:00:01 RT-AC86U syslog-ng[2203]: Configuration reload finished;

You will need to post this in the scribe thread.

If requested, I simply enable syslog-ng logging, and as a convenience, I only create '/opt/etc/syslog-ng.d/unbound' (since there isn't one provided by the scribe package).

NOTE: I assumed that as syslog-ng/scribe was already installed that the user would want to decide how to manage the logrotate process.

 

[SolluxCaptor]

Just a heads up - it looks like we got an Entware package update to Unbound 1.9.6 today! Run AMTM and U to update packages. Fantastic news, closes remaining security holes and brings us up to date!

 

[SolluxCaptor]

@rgnldo

You are again guessing which unbound parameters might be 'correct', but sneakily using the community as unwittingly exposed guinea pigs without the users' permission - suppose your tweaks are not valid on the target router?

e.g.

View attachment 21153

i.e. depending on when someone installs unbound, they may actually have any of the following:

edns-buffer-size: 1472
edns-buffer-size: 1232
incoming-num-tcp: 1000
incoming-num-tcp: 600
outgoing-num-tcp: 100

Most do not understand the consequences nor indeed what the actual parameters mean, so you need to have a sense of responsibility and open disclosure.

You are abusing the trust of users that wish to use my script to install unbound

THIS IS UNACCEPTABLE.

Add the rqeuested version header in 'unbound.conf' hosted on your GitHub together with a description of the change, so the script can advise if it may be necessary to review the changes you are testing.

...or do you still think your attitude is acceptable?

I know you don't need my opinion - but I completely agree with you. Throughout the project I was noticing occasionally an update changed my .conf file and added / changed these parameters. I did not have the time then to look into them, but wrongly assumed they must be helpful - it would be great to get explanations if anything is changed and form a consensus first. Slow and steady can benefit us all - that's why Linux distros (depending on choice) often lag behind the official packages in their OS repos. Testing and consensus make any project stronger and safer.

 

[JemTheWire]

I am pretty new to this stuff, but can follow instructions, Lol.

I have installed Unbound on my AX88U using the script. I am running Merlin 384.15.0 beta 1. The installation went well. However, when I use DNS Leak Test (https://www.dnsleaktest.com), it says that my DNS server is my ISP's. I am concerned as I set up Cloudflare in my router. Before I installed Unbound, the same test confirmed that I was using Cloudflare as my DNS servers.

Am I misunderstanding the concept here?

 

[dave14305]

I am pretty new to this stuff, but can follow instructions, Lol.

I have installed Unbound on my AX88U using the script. I am running Merlin 384.15.0 beta 1. The installation went well. However, when I use DNS Leak Test (https://www.dnsleaktest.com), it says that my DNS server is my ISP's. I am concerned as I set up Cloudflare in my router. Before I installed Unbound, the same test confirmed that I was using Cloudflare as my DNS servers.

Am I misunderstanding the concept here?

See if this post explains it:
Unbound - Authoritative Recursive Caching DNS Server

 

[dave14305]

Just a heads up - it looks like we got an Entware package update to Unbound 1.9.6 today! Run AMTM and U to update packages. Fantastic news, closes remaining security holes and brings us up to date!

The opkg upgrade overwrote the custom S61unbound file, so beware and backup that file before upgrading. Otherwise you lose the dnsmasq restart that will actually enable the forwarding from dnsmasq to unbound.

EDIT: and my /opt/var/lib/unbound directory ownership reverted from nobody to my admin ID.

 

[dave14305]

So if you upgrade, I would suggest these steps:

/opt/etc/init.d/S61unbound stop
service restart_dnsmasq
cp -p /opt/etc/init.d/S61unbound /opt/etc/init.d/xS61unbound.bak
opkg update
opkg upgrade
chown nobody /opt/var/lib/unbound
mv -f /opt/etc/init.d/xS61unbound.bak /opt/etc/init.d/S61unbound
/opt/etc/init.d/S61unbound start

There is also the return of the unbound-checkconf utility. install it with:

opkg install unbound-checkconf