Unbound - Authoritative Recursive Caching DNS Server

Code:
RT-AX88U-ACA0:/tmp/home/root# unbound -V
Version 1.9.6

Configure line: --target=aarch64-openwrt-linux --host=aarch64-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefit
Linked libs: pluggable-event internal (it uses select), OpenSSL 1.1.1d  10 Sep 2019
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
 
I've uploaded v2.03

unbound v1.9.6 now includes 'unbound-checkconf' which was apparently removed/omitted in unbound v1.9.3.
(Thanks @dave14305 for the heads-up) .....

Awesome ... great job @Martineau ... now that the dust has settled - confusing Githubs cleared up - V2.03 with its 2.5+k lines of code fully documented ... I had the courage to take the plunge into the "unbound" world ... and am blown away by the performance improvement. Probably particularly relevant for those of us at the Southern tip of Africa ... far removed from the primary DNS servers you 1st Worlders enjoy.

Running on my RT-AC86U with all add-ons per signature - and zero ill-effects.:D
 
I will take credit for the unbound_manager script, but credit where credit is due....

@rgnldo was the passionate driving force for the adoption of unbound to replace dnsmasq on ASUS routers, so hopefully the script allows non-techies to give unbound a completely risk-free trial, and can decide for themselves if they too are impressed by the performance gains.
 
Unfortunately, I can't help much because there are routers with different configurations and kernels. I can only confirm from my AC86U. Anyone who has experience in the ASUS environment, with other routers, can help other models.

I organized the final unbound.conf (initial post) after much consultation and adapted it to the corrections of version 1.9.6 of unbound. It is not about having memory and a long cache, but efficiency and security. This is a never-ending debate, but the consensus is for less memory and cache lifetime. Even in dnsmasq, I prefer cache-size=512. Well, I will not enter this debate.

For those who have the AC86U (I don't know about other models), going forward, due to the kernel, you can benefit from TCP Fast Open (https://dnsprivacy.org/wiki/display/DP/TCP+Fast+Open) by adding this line to the stuning script.
Code:
# Enable TCP Fast Open
echo 3 > /proc/sys/net/ipv4/tcp_fastopen
Another feature enabled in unbound is the DNS64 validator (initial post). For those who enable IPv6, it is useful. You can check this out here: https://ecdysis.viagenie.ca/instructions.html
Consider it useful or disregard it.

The installer script will be useful and I hope it will continue to help others with less knowledge.
My contributions will be in this profile. There are other commitments that prevent me from helping with more emphasis.
 
@rgnldo, thank you for these tips. :)

Everyone,

I have the RT-AX88U (same as RT-AC86U with 2x more RAM and 4 cores) and did find the stuning script in /jffs/addons/unbound.

However, I am not sure where to insert the code to enable TCP Fast Open. :oops:

Similarly, I use IPv6 but am at a loss on how to implement the instructions linked to my router without messing up bad. :oops:

Is it possible to have these options available during install @Martineau?

Thanks to anyone who can make this easier or more accessible to non-scripters like myself. :)
 
+1

I too would like the option to easily try these modifications.

If they have a tangible benefit, great, if not, the ability to ‘untry’ them would be great as well! :p
 
@L&LD, great question. I use WinSCP and I was going to manually update the scripts per the instructions on pg. 1 but I have a feeling I might screw something up haha!
 
@Kingp1n, I have WinSCP running and ready for any command(s) anyone offers. :)

I don't think I might screw up. I know! lol :D
 
Is it possible to have these options available during install
Although they disagree, I use stuning, and for my reality and router it is another level of experience and use.

I believe that to help the maintainer of the script-installer, any addition or removal must be related to technical feasibility studies. Organization is everything. In a while the script-installer will be more mature and clean.

You can add this option at:
nano /jffs/scripts/init-start
Code:
# Enable TCP Fast Open
echo 3 > /proc/sys/net/ipv4/tcp_fastopen
To apply it immediately, just run
echo 3 > /proc/sys/net/ipv4/tcp_fastopen

I use IPv6
Add to unbound.conf
Code:
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
Continue with auth-zone
Use the unbound.conf proposed at the beginning of the post and come back here to report.

It is stable and excellent for me. Using Adblock/Unbound.
 
@rgnldo I am using Auth-zone successfully already.

I added the
Code:
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
to the end of the unbound.conf file and when I run unbound_manager it shows there are syntax errors in /opt/var/lib/unbound/unbound.conf. It suggests using 'vx' to correct the file, but I don't know what I need to correct.

For now, I just entered the
Code:
echo 3 > /proc/sys/net/ipv4/tcp_fastopen
into the command prompt and received no error or confirmation. Is this enough to test with? :)
 
to unbound.conf and when I run unbound_manager it shows there are syntax errors in /opt/var/lib/unbound/unbound.conf.
For me, everything is fine.
Code:
@rgnldo:/tmp/home/root# unbound-checkconf -f /opt/var/lib/unbound/unbound.conf
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
As with all warnings, even when installing firmware, you need to know what you are doing. But unbound_manager has the option to restore. It's quiet.
Use this, my unbound.conf:
Code:
server:
    # dnsmasq forwards to this loopback port; Unbound is not exposed on the LAN itself
    interface: 127.0.0.1@53535
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.1.0/24 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow

    # RFC1918 private IP address - Protects against DNS Rebinding
    private-address: 10.0.0.0/8
    private-address: ::ffff:a00:0/104
    private-address: 172.16.0.0/12
    private-address: ::ffff:ac10:0/108
    private-address: 169.254.0.0/16
    private-address: ::ffff:a9fe:0/112
    private-address: 192.168.0.0/16
    private-address: ::ffff:c0a8:0/112
    private-address: fd00::/8
    private-address: fe80::/10

    # DNS64: synthesize an AAAA record from the A record when a name has no AAAA,
    # using the well-known NAT64 prefix (RFC 6052). Only useful together with a NAT64 gateway.
    # module-config is a single value, so every module is listed here, once; a second
    # module-config line further down would replace this one and silently drop dns64.
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:FF9B::/96

    # Memory cache and responsive performance
    num-threads: 1
    # Sizes take a k/m/g suffix; a bare number is bytes
    key-cache-size: 4m
    msg-cache-size: 4m
    rrset-cache-size: 8m
    cache-max-ttl: 21600
    cache-min-ttl: 5
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 3600
    # Per-client-IP limit in queries/second. Behind dnsmasq every query arrives
    # from 127.0.0.1, so the whole LAN counts as one client here
    ip-ratelimit: 100
    neg-cache-size: 4m
    edns-buffer-size: 1472
    ratelimit: 1000
    unwanted-reply-threshold: 10000

    # Privacy & security
    hide-version: yes
    hide-identity: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    harden-glue: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    minimal-responses: yes
    rrset-roundrobin: yes
    do-daemonize: no
    val-clean-additional: yes

    # Drop privileges to "nobody" and chroot into the working directory
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"

    # The pid file (written before the chroot, so it may live outside it)
    pidfile: "/opt/var/run/unbound.pid"

    # Root servers
    root-hints: "root.hints"

    # DNSSEC: the validator module is already enabled in module-config above
    auto-trust-anchor-file: "root.key"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1

auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: root.zone
 
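An added example, not from this post and not part of Unbound or unbound_manager: a small linter for the three mistakes this thread ran into with unbound.conf. It flags server options that end up inside another clause (the likely cause of the "syntax errors" reported above: lines appended to the end of a file that finishes with an auth-zone: clause land inside that clause, and Unbound's grammar rejects them there), a second module-config line (Unbound stores it as one value, so the last one wins and the first is dead), and a cache size written without a k/m/g unit (a bare 4 is 4 bytes). The clause/option tables are a hand-picked subset of unbound.conf(5) and the sample config is constructed to mirror the posted one. unbound-checkconf remains the authoritative syntax check; this only reports what checkconf accepts but you probably did not mean.

```python
"""Lint an unbound.conf for mistakes unbound-checkconf accepts or reports tersely."""
import ipaddress
import re

# Hand-picked subset of unbound.conf(5): which options live under which clause.
CLAUSE_OPTIONS = {
    "server": {
        "interface", "access-control", "private-address", "module-config",
        "dns64-prefix", "num-threads", "key-cache-size", "msg-cache-size",
        "rrset-cache-size", "neg-cache-size", "cache-max-ttl", "cache-min-ttl",
        "prefetch", "prefetch-key", "serve-expired", "serve-expired-ttl",
        "ip-ratelimit", "ratelimit", "edns-buffer-size", "hide-version",
        "hide-identity", "qname-minimisation", "minimal-responses",
        "username", "directory", "chroot", "pidfile", "root-hints",
        "auto-trust-anchor-file",
    },
    "remote-control": {"control-enable", "control-interface", "control-port"},
    "auth-zone": {"name", "url", "fallback-enabled", "for-downstream",
                  "for-upstream", "zonefile", "master", "primary"},
}
# Options Unbound stores as one value: a repeat silently replaces the earlier line.
SINGLE_VALUED = {"module-config", "dns64-prefix", "num-threads", "key-cache-size",
                 "msg-cache-size", "rrset-cache-size", "neg-cache-size",
                 "username", "directory", "chroot", "pidfile"}
SIZE_OPTIONS = {"key-cache-size", "msg-cache-size", "rrset-cache-size", "neg-cache-size"}
SIZE_RE = re.compile(r"^(\d+)([kKmMgG]?)$")   # Unbound's memsize grammar
MULT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """Byte count Unbound reads from a size value ('4', '4m', '8M'), or None."""
    m = SIZE_RE.match(text.strip())
    return int(m.group(1)) * MULT[m.group(2).lower()] if m else None


def owning_clause(option):
    """Clause this example knows the option belongs to, or None if unknown here."""
    return next((c for c, opts in CLAUSE_OPTIONS.items() if option in opts), None)


def lint(conf_text):
    """Return [(line_no, message), ...] for the problems this example checks."""
    findings, clause, first_seen = [], None, {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' comments run to end of line
        if not line:
            continue
        key, _, value = line.partition(":")           # 'dns64-prefix: 64:ff9b::/96' splits once
        key, value = key.strip(), value.strip()
        if value == "" and key in CLAUSE_OPTIONS:     # 'server:', 'auth-zone:', ...
            clause = key
            continue
        if clause is None:
            findings.append((no, f"{key}: appears before any clause keyword"))
            continue
        owner = owning_clause(key)
        if owner is not None and owner != clause:
            findings.append((no, f"{key}: belongs under {owner}:, not {clause}: (lines "
                                 "appended after an auth-zone: clause end up here)"))
            continue
        if clause == "server" and key in SINGLE_VALUED:
            if key in first_seen:
                findings.append((no, f"{key}: set again (first at line {first_seen[key]}); "
                                     f"Unbound keeps the last value, so line "
                                     f"{first_seen[key]} is dead"))
            else:
                first_seen[key] = no
        if key in SIZE_OPTIONS:
            size = parse_size(value)
            if size is None:
                findings.append((no, f"{key}: '{value}' is not a valid size"))
            elif not value[-1].isalpha():
                findings.append((no, f"{key}: no unit suffix, Unbound reads this as "
                                     f"{size} bytes; did you mean '{value}m'?"))
        if key == "access-control" and "/" in value:
            net_text = value.split()[0]
            try:
                ipaddress.ip_network(net_text)        # strict: host bits must be zero
            except ValueError:
                canon = ipaddress.ip_network(net_text, strict=False)
                findings.append((no, f"{key}: {net_text} has host bits set; "
                                     f"write it as {canon}"))
    return findings


# Constructed sample: an abridged version of the config posted in this thread,
# with two dns64 lines appended at the very end of the file (after auth-zone:).
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1@53535
    access-control: 192.168.1.1/24 allow
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:FF9B::/96
    key-cache-size: 4
    msg-cache-size: 4m
    module-config: "validator iterator"
remote-control:
    control-enable: yes
auth-zone:
    name: "."
    zonefile: root.zone
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
"""

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE_CONF):
        print(f"unbound.conf:{line_no}: {message}")
```

Run it against the real file with `python3 lint_unbound.py < /opt/var/lib/unbound/unbound.conf` after swapping `SAMPLE_CONF` for `sys.stdin.read()`; then run unbound-checkconf as usual, since the lint knows only the options listed in its tables.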
@rgnldo thanks, I will give your unbound.conf file a try. Any restrictions on how I name and save it using WinSCP?
 
I don't know. I only use the Termius software on the MacBook, and when I edit, nano or vi. On the Mac, I use the Atom editor. But it's easy.
 
Can you elaborate on these settings?

key-cache-size: 4
msg-cache-size: 4
rrset-cache-size: 8
 
Have to say, Unbound working just fine here, as it came out of the box!:D

Always open to suggestion/tinkering though......
 
How do I find script 2.03 for unbound installation?
 