Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2

Mathieu

Regular Contributor
Hello
Does anyone know of cases where Unbound might take precedence over VPN client DNS rules (set to Strict/Exclusive)?
That is, would the OpenVPN DNS rules still be enforced for relevant clients where Unbound is the default DNS resolver?
If that were the case, should specific rules be specified by way of a user script? Any lead?

Thanks.
 

chongnt

Senior Member
Hello
Does anyone know of cases where Unbound might take precedence over VPN client DNS rules (set to Strict/Exclusive)?
That is, would the OpenVPN DNS rules still be enforced for relevant clients where Unbound is the default DNS resolver?
If that were the case, should specific rules be specified by way of a user script? Any lead?

Thanks.
In my configuration, I set "Accept DNS configuration" to Disabled in the VPN client. In this setup, the VPN client still uses unbound, which is what I wanted. I have tried Strict and Exclusive before but I couldn't remember exactly what the behavior was. Did you get your desired DNS resolver to work? I can test it out for you on my device.
Edit: I just did a quick test. With Strict, my PC still resolves with unbound. With Exclusive, my PC resolves using the VPN DNS. All this is done with DNS Filter set to Router.
 
Last edited:

Mathieu

Regular Contributor
In my configuration, I set "Accept DNS configuration" to Disabled in the VPN client. In this setup, the VPN client still uses unbound, which is what I wanted. I have tried Strict and Exclusive before but I couldn't remember exactly what the behavior was. Did you get your desired DNS resolver to work? I can test it out for you on my device.
Edit: I just did a quick test. With Strict, my PC still resolves with unbound. With Exclusive, my PC resolves using the VPN DNS. All this is done with DNS Filter set to Router.
Thank you
My intentions are probably different from yours, as I would like all clients to resolve through Unbound, save for those devices specifically routed through the tunnel.
I found with a prior setup that using VPN / Relaxed DNS config would result in TLS handshake errors. I assume that was because of 'inconsistency' between the VPN-assigned IP address and the Unbound DNS.
I will try the setup per your Edit and see if Unbound and VPN DNS can coexist peacefully.
Cheers
 

DocUmibozu

Occasional Visitor
Any news about this?


It seems that haveged is deprecated....
 

SomeWhereOverTheRainBow

Part of the Furniture
Any news about this?


It seems that haveged is deprecated....
That is assuming that haveged is the cause of the issue with jitterentropy-rngd. That user just stated they had jitterentropy-rngd causing high CPU spikes. Nothing actually shows haveged causing the problem.
 

DocUmibozu

Occasional Visitor
That is assuming that haveged is the cause of the issue with jitterentropy-rngd. That user just stated they had jitterentropy-rngd causing high CPU spikes. Nothing actually shows haveged causing the problem.
Sorry but you totally missed the point.
In the thread Merlin said to inform script developers to remove haveged from the scripts, because jitterentropy does the same thing.
See post #9 in the thread I mentioned...
 
Last edited:

SomeWhereOverTheRainBow

Part of the Furniture
Sorry but you totally missed the point.
In the thread Merlin said to inform script developers to remove haveged from the scripts, because jitterentropy does the same thing.
See post #9 in the thread I mentioned...
I get what you are saying, but I would leave it until it is determined there is not some underlying issue with jitterentropy-rngd. As you can see from that OP, the issue was still open as to why that user had CPU spikes. It brings into question the full effectiveness of jitterentropy-rngd on some router models.
 

New2This

Senior Member
Unbound, meaning my router, is my DNS, and if it can't serve the IP that's queried, it goes to the authoritative servers maintained by ICANN (just like CF, Google etc.).
That's assuming unbound is up and running. If for some reason it hasn't launched after a reboot or otherwise fails, I've pointed my router to Canadian Shield (I'm within that jurisdiction), with CF as a backup in case they're down. Surely at some point my ISP sees some of this (CF may be under the same roof as my ISP's servers), but for the hopefully brief moments of time that this might be the case, I'm surely not transmitting/receiving anything on my network's end that could be compromising.
I have my unbound traffic running through my VPN
 

TonyK132

Senior Member
I did an auto-Reboot at 3am this morning, but when I looked at the Unbound stats, it had not restarted at that time. I did a Refresh stats from the GUI and that got the stats going again. I did not think to check from AMTM if Unbound was running.

Update: I just checked amtm, and Unbound says it's been running for 6+ hrs, which corresponds to the reboot, so only the stats did not start.
 
Last edited:

heysoundude

Part of the Furniture
I'm having fairly regular power fluctuations in my area of late (as the grid learns to compensate for air conditioners, I presume), and any time it does, I lose the GUI for the addons I run. This has been a problem since updating to v386 for me. If someone can point me in the direction of resolving this (other than a factory reset), I'd be very appreciative.
 

SomeWhereOverTheRainBow

Part of the Furniture
I'm having fairly regular power fluctuations in my area of late (as the grid learns to compensate for air conditioners, I presume), and any time it does, I lose the GUI for the addons I run. This has been a problem since updating to v386 for me. If someone can point me in the direction of resolving this (other than a factory reset), I'd be very appreciative.
Scheduled reboots during times you are not actively online may help a little.
 

gattaca

Senior Member
Hi, I started playing around with unbound on my hot-spare router using 386.2_4. I did the AMTM install, Diversion to get Entware, then disabled Diversion. Then I installed unbound with the defaults. I did some prelim testing and no vids on YT would run. I removed unbound, rebooted the router and YT vids played fine. Any thoughts? Thanks.
 

chongnt

Senior Member
I'm having fairly regular power fluctuations in my area of late (as the grid learns to compensate for air conditioners, I presume), and any time it does, I lose the GUI for the addons I run. This has been a problem since updating to v386 for me. If someone can point me in the direction of resolving this (other than a factory reset), I'd be very appreciative.
I used to add some delay in post-mount script before unbound but not anymore. Not sure if this will help.
 

TonyK132

Senior Member
I thought I would post this here hoping for an answer.

I'm running unbound in addition to dnsmasq in Merlin 384_19. For this config, are the dnsmasq vulnerabilities in 384 an issue? I thought that for a dns query, dnsmasq resolves from its cache, but if not there, it goes to unbound, and that dnsmasq does not go out to the big, bad, internet itself. If that is right, then it's unbound's job to protect against the baddies not dnsmasq. Have I got that right? I'm using the default config files for unbound and dnsmasq.
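The question above rests on one condition: dnsmasq only ever hands a miss to unbound on the loopback interface and never talks to the internet itself. That is a property of the `server=` lines in dnsmasq.conf, so it can be checked. The script below is an added example by the editor, not part of the thread and not unbound_manager's own code. The dnsmasq fragments are constructed, and the loopback upstream `127.0.0.1#53535` is an assumption about the unbound_manager default listener, not a value taken from the page.

```shell
#!/bin/sh
# Constructed dnsmasq.conf fragments (not from the thread). The loopback
# upstream 127.0.0.1#53535 is an assumption about the unbound_manager
# default listener, not a value stated on the page.
DNSMASQ_CONF_OK='
no-resolv
server=127.0.0.1#53535
server=/lan/127.0.0.1#53535
'

# Same idea, but a public upstream has been added and no-resolv is missing,
# so dnsmasq itself could send queries to the internet (constructed case).
DNSMASQ_CONF_LEAKY='
server=127.0.0.1#53535
server=9.9.9.9
'

# upstream_check CONF_TEXT
# Lists every server= upstream and returns 0 only when all of them are
# loopback addresses and no-resolv is set, i.e. dnsmasq can hand queries
# to nothing but the local unbound. Otherwise returns 1.
upstream_check() {
    conf="$1"
    status=0
    # Without no-resolv, dnsmasq also forwards to the /etc/resolv.conf servers.
    if ! printf '%s\n' "$conf" | grep -q '^no-resolv$'; then
        echo "WARN no-resolv missing: resolv.conf nameservers are upstreams too"
        status=1
    fi
    for upstream in $(printf '%s\n' "$conf" | sed -n 's/^server=//p'); do
        host="${upstream%%#*}"      # strip the #port suffix
        host="${host##*/}"          # strip a /domain/ prefix (server=/lan/...)
        case "$host" in
            127.*|::1) echo "ok   $upstream (loopback, stays on the router)" ;;
            *)         echo "LEAK $upstream (dnsmasq would query it directly)"
                       status=1 ;;
        esac
    done
    return "$status"
}

# Stand-alone demonstration on the constructed fragments.
echo "== expected clean =="; upstream_check "$DNSMASQ_CONF_OK"
echo "== expected leak  =="; upstream_check "$DNSMASQ_CONF_LEAKY" || true
```

On the router itself the same function can be fed the live file, e.g. `upstream_check "$(cat /etc/dnsmasq.conf)"`, and the exit status tells you whether the "dnsmasq never leaves the box" assumption actually holds before reasoning about which daemon is exposed to upstream answers.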
 

MatteoPV

Senior Member
I have a question. On my router I am using practically all the addons present in AMTM. I use them all except x3mRouting, unbound, dnscrypt and pixelserv. I always use the VPN 24h and all my traffic goes through the VPN. In the past I had tried Unbound but it gave me DNS leak problems, which could then be solved by passing all DNS requests through the VPN tunnel; I have scripts that I found here on the forum that solve the problem. The questions are these:

1) Should I also install Unbound even though I already have Diversion on board?

2) I am using the VPN_Failover script which restarts the VPN if the VPN tunnel fails. If I used Unbound with DNS requests routed in the VPN tunnel, in case VPN_Failover needs to restart the VPN, then would I have the DNS exposed or would everything be ok as before?

I ask these questions because if I install Unbound then it is not so easy to remove it from the router; the last time I had to do a factory reset.
 

archiel

Senior Member
Following the updated versions of unbound added to entware

unbound-anchor - 1.13.1-2
unbound-checkconf - 1.13.1-2
unbound-control - 1.13.1-2
unbound-daemon - 1.13.1-2

the unbound script is no longer completing
Code:
[1626008669] unbound-control[29323:0] error: connect: Connection refused for 127.0.0.1 port 953
        'key-cache-size:'        (N/A)
[1626008669] unbound-control[29329:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29331:0] error: connect: Connection refused for 127.0.0.1 port 953
        'msg-cache-size:'        (N/A)  0% used         (N/A)
[1626008669] unbound-control[29346:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29348:0] error: connect: Connection refused for 127.0.0.1 port 953
        'rrset-cache-size:'      (N/A)  0% used         (N/A)
 

netware5

Very Senior Member
Following the updated versions of unbound added to entware

unbound-anchor - 1.13.1-2
unbound-checkconf - 1.13.1-2
unbound-control - 1.13.1-2
unbound-daemon - 1.13.1-2

the unbound script is no longer completing
Code:
[1626008669] unbound-control[29323:0] error: connect: Connection refused for 127.0.0.1 port 953
        'key-cache-size:'        (N/A)
[1626008669] unbound-control[29329:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29331:0] error: connect: Connection refused for 127.0.0.1 port 953
        'msg-cache-size:'        (N/A)  0% used         (N/A)
[1626008669] unbound-control[29346:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29348:0] error: connect: Connection refused for 127.0.0.1 port 953
        'rrset-cache-size:'      (N/A)  0% used         (N/A)
It seems we again have problems with Unbound after the Entware upgrade. I will wait until the update of Unbound is available via the amtm script.
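The log in the two posts above shows unbound-control dialling 127.0.0.1 port 953 and being refused, after which the script keeps going and prints a stats table full of (N/A). Two things are worth checking before blaming the package: that unbound.conf still enables the remote-control listener on the address unbound-control dials, and that the daemon answers at all before stats are requested. The script below is an added example by the editor, not code from the thread or from unbound_manager. The unbound.conf fragment is constructed; the three log lines are copied from archiel's post; `unbound-control status` and `stats_noreset` are real unbound-control commands.

```shell
#!/bin/sh
# Constructed unbound.conf fragment (not from the thread); the values mirror
# the address unbound-control dialled in the posted log, 127.0.0.1 port 953.
UNBOUND_CONF='
server:
    verbosity: 1
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
'

# Three error lines copied from the posted log, used as sample input.
SAMPLE_LOG='[1626008669] unbound-control[29323:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29329:0] error: connect: Connection refused for 127.0.0.1 port 953
[1626008669] unbound-control[29331:0] error: connect: Connection refused for 127.0.0.1 port 953'

# conf_value CONF KEY -> prints the first value of "KEY: value", empty if absent
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# control_check CONF
# Returns 0 if remote-control is enabled on 127.0.0.1 port 953 (the defaults
# unbound-control dials); otherwise prints the mismatch and returns 1.
control_check() {
    en=$(conf_value "$1" control-enable)
    iface=$(conf_value "$1" control-interface)
    port=$(conf_value "$1" control-port)
    [ "$en" = "yes" ] || { echo "remote-control is not enabled"; return 1; }
    [ "${iface:-127.0.0.1}" = "127.0.0.1" ] || { echo "control-interface is $iface, unbound-control dials 127.0.0.1"; return 1; }
    [ "${port:-953}" = "953" ] || { echo "control-port is $port, unbound-control dials 953"; return 1; }
    echo "remote-control listener: ${iface:-127.0.0.1}:${port:-953}"
    return 0
}

# refused_lines LOG -> count of unbound-control "Connection refused" lines,
# so a wrapper can stop instead of printing a stats table of (N/A).
refused_lines() {
    printf '%s\n' "$1" | grep -c 'error: connect: Connection refused' || true
}

# Runtime guard meant for the router (not run offline): only ask for stats
# once the daemon actually answers on the control port.
stats_guarded() {
    if ! unbound-control status >/dev/null 2>&1; then
        echo "unbound-control cannot reach the daemon; is unbound running and listening on 953?" >&2
        return 1
    fi
    unbound-control stats_noreset
}

# Stand-alone demonstration on the constructed inputs.
control_check "$UNBOUND_CONF"
echo "refused lines in sample log: $(refused_lines "$SAMPLE_LOG")"
```

On the router, feed `control_check` the unbound.conf that unbound_manager installed and call `stats_guarded` in place of a bare `unbound-control stats`; a non-zero return separates "the listener is misconfigured" from "the daemon is not up after the Entware upgrade", which is the distinction the posts above are missing.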
 
