Unbound DNS VPN Client w/policy rules


Markster

Senior Member
I have been using Unbound DNS for a long time as my primary DNS on my local network. Some of my client devices use NordVPN with Unbound as DNS.
I have been wondering recently if Unbound can be configured so all DNS traffic for those specific VPN devices traverses over VPN interface/tunnel.
As I was reading the Unbound documentation, it is possible to specify multiple interfaces in unbound.conf. One of these can be the VPN interface. We can also force VPN clients to use a specific DNS IP/interface declared in the VPN client configuration. It got me thinking, but I have not experimented with it yet.
Looking for ideas and feedback if this is even possible.

-cheers
 

kernol

Very Senior Member
I have been using Unbound DNS for a long time as my primary DNS on my local network. Some of my client devices use NordVPN with Unbound as DNS.
I have been wondering recently if Unbound can be configured so all DNS traffic for those specific VPN devices traverses over VPN interface/tunnel.
As I was reading the Unbound documentation, it is possible to specify multiple interfaces in unbound.conf. One of these can be the VPN interface. We can also force VPN clients to use a specific DNS IP/interface declared in the VPN client configuration. It got me thinking, but I have not experimented with it yet.
Looking for ideas and feedback if this is even possible.

-cheers
You have placed this thread in the wrong sub-forum. All "add-ons" like unbound etc. have been moved OUT of the RMerlin forum into a stand-alone forum of their own, which you won't find unless you dig up one forum level to Asus Wireless and then down again to "Asuswrt-Merlin Addons".
NOT your fault - somewhat controversial structural change made recently!

To make life easier for you here's a link ...
https://www.snbforums.com/forums/asuswrt-merlin-addons.60/

No idea why they can't simply provide a link to the sub-forum within the RMerlin one to help folks easily navigate to the extended magic of Merlin-Ware ???
 

Swinson

Occasional Visitor
I’m also looking to set up some policy rules for unbound. Does anyone already have anything available for this? Possibly a nice little one line x3mRouting command that does everything?
 

Swinson

Occasional Visitor
Updated: new rules at the bottom
Okay, so here is what I've got. You need to have x3mRouting installed and at least set up a dummy. You can then go through and configure unbound by running
Code:
unbound_manager vpn=X
Then you will need to add these lines to the vpnevent scripts:

vpnclientX-route-up
Code:
/jffs/addons/unbound/unbound_manager.sh vpn=X delay=9 &
vpnclientX-route-pre-down
Code:
/jffs/addons/unbound/unbound_manager.sh vpn=disable
Finally, I added these lines to my services-start file so anything going to port 53 will piggyback off the rules x3mRouting has set up
Code:
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
I'm still learning and figuring stuff out, so if anything is wrong here feel free to let me know, but it looks like all my DNS lookups will now be forced through the VPN.

(11/22/2020) edit:
Still running into a few issues. I'm working on getting it set up to run in route-up and pre-down rather than services-start, because I don't think it really belongs there, and firewall-start won't work either because I'm pretty sure putting it that early would break the boot-up.

(11/23/2020) Rule update:
(1) set up WAN_DNS to go to wan0 and mark all other DNS packets to go to the VPN
(2) move everything into route-up/route-pre-down


/jffs/scripts/x3mRouting/vpnclientX-route-up
Code:
# WAN DNS requests to Wan0 #
# Delete any stale copies first so repeated route-up runs do not stack duplicate rules.
# Note: awk '{print $2}' is empty when wan0_dns holds a single resolver; that rule then fails harmlessly.
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000

# Queries addressed to the ISP resolvers keep the WAN mark (0x8000), UDP and TCP alike.
iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
# WAN DNS requests to Wan0 #

# Default DNS requests to VPN_Client 1 #
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

# Every other port-53 packet leaving the router gets the VPN client 1 mark (0x1000).
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
# Default DNS requests to VPN_Client 1 #

# Re-point unbound at the VPN once the tunnel is up (path must be absolute).
/jffs/addons/unbound/unbound_manager.sh vpn=X delay=5 &

/jffs/scripts/x3mRouting/vpnclientX-route-pre-down
Code:
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000


iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

/jffs/addons/unbound/unbound_manager.sh vpn=disable
 

Swinson

Occasional Visitor
Can anyone confirm that both unbound and Merlin only use UDP on 53 for DNS lookups and don't ever use TCP for anything?

I'm also wondering if anyone knows if it's better to use "wan_dns" or "wan0_dns" from nvram. I'm guessing wan0 and wan1 are used to hold the ISP DNS while wan is for user settings, but I'm not really sure, so if anyone can confirm that would be great.
 

dave14305

Part of the Furniture
Can anyone confirm that both unbound and Merlin only use UDP on 53 for DNS lookups and doesn’t ever use TCP for anything.
TCP is used if the response is too large for a UDP packet. So you can’t say “never” but probably “occasionally.”

If you don’t use Dual WAN, I would just use wan0_dns.
 

Swinson

Occasional Visitor
TCP is used if the response is too large for a UDP packet. So you can’t say “never” but probably “occasionally.”

If you don’t use Dual WAN, I would just use wan0_dns.
Okay, I'll definitely keep the TCP rules then. I figured it might be used on occasion, but I hadn't noticed anything, so I figured it was worth asking about.

So I know dual WAN is a thing, and I think it's clear that wan1 would be used for the second one, but wan0/wan is kind of ambiguous. I do not use dual WAN, and "wan_dns" as well as "wan0_dns" are both populated. Do you know how they are used when dual WAN is in use? Like I said, I assume wan1 would be used for the DNS pulled/set for your second interface, but is "wan_dns" the counterpart to wan1 or to wan0?

Let's say your primary is "wan0_dns" and your secondary is "wan1_dns"; what is "wan_dns"? Does that represent the DNS to be used when dual WAN is implemented, or does it represent what is set in the webUI? @RMerlin do you have any insight into the specific function of these vars?
 

Swinson

Occasional Visitor
@dave14305 I went ahead and changed it from "wan_dns" to "wan0_dns" as per your suggestion. Everything looks good after doing a couple of reboots, so I went ahead and updated my post to reflect the change. Thanks for the input.

I'm also seeing a handful of TCP packets from unbound but still nothing from the router. Going to keep an eye on it, though.
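
As an added example (not code from the thread, from x3mRouting or from unbound_manager), here is a small POSIX sh helper that generates the same mangle OUTPUT rules as the route-up/route-pre-down scripts in the rule-update post above, taking the contents of nvram's wan0_dns as a parameter so it can be checked off-router. It keeps both UDP and TCP rules (dave14305's point that TCP is used when an answer is too large for UDP) and loops over however many resolvers wan0_dns actually holds instead of assuming two, so a single-resolver setup never emits a broken "-d /32" rule. The `-m mark ! --mark 0x8000/0x8000` clause on the catch-all rule is my addition, assumed rather than taken from x3mRouting, so a query to a WAN resolver is never also tagged with the VPN bit; the resolver addresses in the usage comments and tests are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: generate the DNS policy-routing rules
# from a resolver list. Marks are the x3mRouting fwmarks used in the thread:
# 0x8000/0x8000 = route via WAN, 0x1000/0x1000 = route via VPN client 1.
WAN_MARK="0x8000/0x8000"
VPN_MARK="0x1000/0x1000"

# dns_policy_rules "<space-separated resolvers>" <-A|-D>
# Prints one iptables command per line (pipe to sh to apply). Entries that are
# not dotted-quad addresses are skipped, so a one-resolver wan0_dns never
# produces a broken "-d /32" rule.
dns_policy_rules() {
    resolvers=$1
    action=$2
    for ns in $resolvers; do
        case $ns in
            *.*.*.*) ;;
            *) continue ;;
        esac
        # Queries to the ISP/WAN resolvers keep the WAN mark, UDP and TCP
        # alike (TCP is used when an answer is too large for UDP).
        for proto in udp tcp; do
            echo "iptables -t mangle $action OUTPUT -d $ns/32 -p $proto --dport 53 -j MARK --set-mark $WAN_MARK"
        done
    done
    # Every other port-53 packet from the router goes out the VPN. The
    # "-m mark ! --mark" test is an assumption added here so WAN-marked
    # packets are not tagged for the VPN as well.
    for proto in udp tcp; do
        echo "iptables -t mangle $action OUTPUT -p $proto --dport 53 -m mark ! --mark $WAN_MARK -j MARK --set-mark $VPN_MARK"
    done
}

# rule_count "<resolvers>" <-A|-D>: number of rules that would be emitted
rule_count() {
    dns_policy_rules "$1" "$2" | wc -l | tr -d ' '
}

# On the router (route-up): delete stale copies, then add fresh ones.
#   dns_policy_rules "$(nvram get wan0_dns)" -D | sh 2>/dev/null
#   dns_policy_rules "$(nvram get wan0_dns)" -A | sh
# In route-pre-down, run only the -D line.
```

Running the -D pass before the -A pass keeps the rules idempotent across repeated route-up events, which is the same delete-then-add pattern the thread's scripts use.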
 
