Unbound Unbound Manager COUNTRY exclusion to play nice with Skynet?

stevieosaurus

Occasional Visitor
This is either a question about an existing, hidden setting or a suggestion for a new feature:

Since for some of us using full country(s) BAN on the firewall (Skynet) is a must, and Unbound warns us when setting it up that this will SIGNIFICANTLY reduce performance in DNS look-ups, is it possible to also have a full country ban setting within Unbound Manager, as to avoid this conflict with the Firewall?

Thank you and keep up the great work!
 

Martineau

Part of the Furniture
This is either a question about an existing, hidden setting or a suggestion for a new feature:

Since for some of us using full country(s) BAN on the firewall (Skynet) is a must, and Unbound warns us when setting it up that this will SIGNIFICANTLY reduce performance in DNS look-ups, is it possible to also have a full country ban setting within Unbound Manager, as to avoid this conflict with the Firewall?

Thank you and keep up the great work!
I've never used skynet, but someone reported degraded performance - hence the warning.

Clearly you may still use skynet if the performance is acceptable to you.

However, IIRC.... if unbound_manager Adblock is enabled, you can specify the country domains to be blocked

e.g. you can use command eb to edit '/opt/share/unbound/configs/blockhost' to add countries say 'cn' and 'ru' as two lines
Code:
unbound (pid 16321) is running... uptime: 1 days 20:06:29 version: 1.15.0 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Sat Apr 16 20:27:45 DST 2022)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')     l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                 v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x  = Stop unbound                                                   vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration [filename]
                                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                            oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size                             s  = Show unbound Extended statistics (s=Summary Totals; sa=All; sgui=Install GUI TAB [all]; s-=Disable Extended Stats)
                                                                    adblock = Install Ad Block [uninstall | update | track]
DisableFirefoxDoH = Disable Firefox DoH [yes | no]                  youtube = Install YouTube Ad Block [uninstall | update]
Stubby = Enable Stubby Integration                                  DoT = Enable DNS-over-TLS
                                                                    firewall = Enable DNS Firewall [disable | ?]
bind = BIND unbound to WAN [debug | disable | debug show]           vpn = BIND unbound to VPN {vpnid [debug]} | [disable | debug show] e.g. vpn 1

scribe = Enable scribe (syslog-ng) unbound logging          
dnsmasq = Disable dnsmasq [disable | interfaces | nointerfaces]     ea = Edit Ad Block Allowlist (eb=Blocklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT)  ca = Cache Size Optimisation [ min | calc ]
                                                                    views = [? | uninstall] | {view_name [? | remove]} | {view_name [[type] domain_name[...] | IP_address[...]] [del]} ]
                                                                    safesearch = Enable Safe Search [disable | status | ? ] e.g. redirect google.com to forcesafesearch.google.com 
                                                                    localhost = Add { domain_name {IP_address | del} }

dig = {domain} [time] Show dig info e.g. dig asciiart.com           lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu 
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                        dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links


[Enter] Leave Advanced Tools Menu

e  = Exit Script [?]

A:Option ==> eb

    Ad Block file '/opt/share/unbound/configs/blockhost' changed....updating Ad Block

                             
 _____   _ _   _         _   
|  _  |_| | |_| |___ ___| |_ 
|     | . | . | | . |  _| '_|
|__|__|___|___|_|___|___|_,_|
(gen_adblock.sh): 15954 @juched - v1.0.8 - Thanks to @SomeWhereOverTheRainBow


Removing possible temporary files..
Downloading list(s) from block site(s) configured...
Attempting to Download 1 of 10 from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts.
######################################################################## 100.0%

<snip>

Downloading list(s) from allow site(s) configured...
Adding user requested hosts to list...
Removing user requested hosts from list...
Removing required hosts from list...
Removing unnecessary formatting from the domain list...
Generating Unbound adservers file...
(gen_adblock.sh): 15954 Number of adblocked hosts: 402806

Generating Unbound unload/load lists...
Loading/Unload Unbound local-zones to take effect...
removed 402802 zones
added 402806 zones
Removing temporary files...
Adblock update complete!
Code:
cat /opt/share/unbound/configs/blockhost

cn
ru
Code:
e  = Exit Script [?]

A:Option ==> adblock country

    Blocked country domain
local-zone: "cn" always_nxdomain
local-zone: "ru" always_nxdomain
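The two 'local-zone ... always_nxdomain' lines above are what unbound_manager generates from the 'cn' and 'ru' entries in blockhost. The following POSIX sh script is an added example (not part of unbound_manager or @juched's gen_adblock.sh): it assumes the blockhost format shown in the thread (one country TLD per line), produces the same local-zone lines from such a file, and includes a small matches_zone helper illustrating which names a zone covers, since unbound applies a local-zone to the zone name and to every name below it. The function names, the sample file contents and the 'bad entry' noise line are all constructed for the example.

```shell
#!/bin/sh
# Added example: turn a blockhost-style list of country TLDs into unbound
# local-zone lines, and check which names a given zone would cover.
# Not part of unbound_manager or gen_adblock.sh; function names are hypothetical.

# gen_country_zones FILE
# Reads one TLD per line (blank lines and '#' comments ignored), lowercases it,
# drops anything that is not a plausible DNS label, removes duplicates and
# prints one 'local-zone: "<tld>" always_nxdomain' line per TLD.
gen_country_zones() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" \
    | tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$' \
    | sort -u \
    | while read -r tld; do
        printf 'local-zone: "%s" always_nxdomain\n' "$tld"
      done
}

# matches_zone NAME ZONE
# unbound applies a local-zone to the zone apex and every name under it,
# so the "ru" zone covers "mail.example.ru" but not "ru.example.com".
# Returns 0 (true) when NAME falls inside ZONE; trailing dots and case are ignored.
matches_zone() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    zone=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ "$name" = "$zone" ] && return 0
    case "$name" in
        *".$zone") return 0 ;;
    esac
    return 1
}

# Constructed sample blockhost file: the thread's 'cn' and 'ru', plus a
# duplicate in upper case, a comment and a line that is not a valid label.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# countries to answer with NXDOMAIN
cn
RU
ru
bad entry
EOF

gen_country_zones "$SAMPLE"      # prints the two local-zone lines, cn then ru
rm -f "$SAMPLE"

for n in mail.example.ru ru.example.com; do
    if matches_zone "$n" ru; then
        echo "$n: covered by zone ru"
    else
        echo "$n: not covered by zone ru"
    fi
done
```

Run it on a copy of '/opt/share/unbound/configs/blockhost' to preview the local-zone lines before enabling them; the output can be compared against what 'adblock country' reports. The matches_zone check is the quick way to answer "would this hostname get NXDOMAIN under my country zones?" without reloading unbound.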
 

stevieosaurus

Occasional Visitor
BRILLIANT! So to clarify, and excuse my ignorance:

If I thus configure Unbound to block a/some countries (via "blockhost") while also whitelisting/allowing some domains (via "allowsites") from said countries, will these sites become available or be blocked?

Also, does the DNS resolver ( Unbound ) normally check domains BEFORE the request goes through the firewall (and thus stalls when attempting to send the request out), or does it attempt it AFTER, and then the firewall blocks the incoming result? Where exactly is the hangup between them, if not both set to block the same thing?

DNS request -> Firewall
or
DNS request -> Response -> Firewall
 

stevieosaurus

Occasional Visitor
Another question - while using the Unbound Manager advanced menu, command "ad" (Analyse Diversion White/Block lists) I get:

Code:
Analysed Diversion file: 'blockinglist'  Type=pixelserv, (Adblock Domains=110652) would add 899161 entries

OK, so how do I add/import these entries? I can't seem to find the command for it?
 

Martineau

Part of the Furniture
Another question - while using the Unbound Manager advanced menu, command "ad" (Analyse Diversion White/Block lists) I get:

Code:
Analysed Diversion file: 'blockinglist'  Type=pixelserv, (Adblock Domains=110652) would add 899161 entries

OK, so how do I add/import these entries? I can't seem to find the command for it?
The ad merge feature was experimental and never formally implemented although changing the appropriate variable in the unbound_manager script might/should (still) work.
(P.S. The feature creates '/opt/tmp/unbound*' files? which can be viewed?)

IIRC, the base blocking-list was the Steven Black one?, with (at the time) few Blocking-List Hosting sites supporting the necessary AdBlock format.

However, since the original script was written, many Blocking-List hosting sites now host compatible files, so merging the lists shouldn't now be necessary as you can most likely retrieve the lists direct by adding the appropriate URLs to '/opt/share/unbound/configs/blocksites'

Alternatively, you can tweak @juched's AdBlock script to use/import local custom files ..... i.e. either the (diversion) analysed files or even convert say the current Adblock Plus Blocking-List.
 

stevieosaurus

Occasional Visitor
update: ad merge doesn't work.
If there is another way to merge/import lists other than manually, via a command, I would greatly appreciate it.
 

Martineau

Part of the Furniture
update: ad merge doesn't work.
Hmmmm, I didn't say that the ad merge command existed, but a quick search finds a post from May 2020


If there is another way to merge/import lists other than manually, via a command, I would greatly appreciate it.
IIRC (it has been 2 years!), this command should modify unbound_manager to enable/activate the crude merge code;
Code:
sed -i 's/ACTION="Analyze"/ACTION="Merge"/' /jffs/addons/unbound/unbound_manager.sh
but no guarantees that the merging of the lists still works.

To revert/deactivate the crude merge code; use
Code:
sed -i 's/ACTION="Merge"/ACTION="Analyze"/' /jffs/addons/unbound/unbound_manager.sh
 
