Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2

Martineau

Part of the Furniture
Code:
e  = Exit Script [?]
E:Option ==> dumpcache bootrest
Invalid Option "dumpcache bootrest" Please enter a valid option
Sorry you need to be running Advanced Mode

Start unbound_manager as follows:
Code:
unbound_manager advanced
 

pinkgrae

Regular Contributor

archiel

Senior Member
Just getting started running unbound (and possibly Diversion) on my AX86U, 386.4 RMerlin code. Installed via amtm and seems to be working OK, but I have questions about what I am seeing, and I hope someone can help a new user :)

1. In the dnsmasq and unbound logs, I see a fairly high rate of queries for names on my local lan. The A queries are answered by dnsmasq as expected, but the AAAA queries seem to be forwarded from dnsmasq to unbound and upwards to the root servers, getting an (expected) NXDOMAIN reply. My understanding was that dnsmasq would not forward queries to the local lan devices? Is that behavior different or expected for these IPv6 address queries? Is there a setting or config in dnsmasq to prevent this?
2. nslookups to local lan devices only show IPv4 address, not IPv6. Is that expected or related to #1 above?
3. unbound cache hit rates are kind of low, around 58%, is that also an artifact of this "extra" local AAAA query traffic?
4. Is there any definitive guidance about how to set the basic router GUI DNS settings for unbound? I have read MANY postings here, but still wonder if I have something set wrong to cause this. IPv6 DNS server? WAN DNS server? LAN DHCP DNS? I have tried to follow all the threads, and also thought many of these are not relevant once unbound takes control.
5. Is there a description of the data flows for DNS requests when
Following from this I have the same observations / questions

I am running IPv6 (native, DHCP-PD, Stateless) and I see regular external DNS requests in unbound for queries for some (not all) local devices.
Looking at tcpdump on port 53, these requests are only over IPv6, so I am guessing that dnsmasq is failing to recognise these as local names and passing them on to unbound.
As these requests are very regular and always get NXDOMAIN this pushes the cache hit rate down (typically around 80%) [I am assuming that this is the reason]

While this level of lookups is very unlikely to impact the performance of the router, it would be nice if these local device requests could be stopped and I would like to understand how / if this can be done.

Can this be done
  • by adding something to dnsmasq (say through dnsmasq.post.conf) to flag the devices as local and prevent the DNS request being forwarded to unbound, or
  • by adding something to unbound (say through unbound.conf.add) to stop the request being sent externally.
or in another manner, and if so how.
 

jfree23

Occasional Visitor
I added these lines to unbound.conf

Code:
server:
local-zone: "my_local_domain_name." static

I believe this might prevent the upstream queries and force unbound to answer with NXDOMAIN? I don't know how to verify this, but the log entries with log level 2 do imply this. [edit] actually don't need level 2, but do need log-local-actions: yes in unbound.conf.

I still believe that dnsmasq is really the cause of this, and it should be answering the local queries. I believe my dnsmasq.conf is set up correctly with
Code:
domain=my_local_domain_name
local=/my_local_domain_name/

so dnsmasq should know the local subnet and answer queries for it, but it seems like dnsmasq is only answering queries where it knows the address. If it does not know the address, for either A or AAAA queries, it forwards the query upwards to unbound. It generally does not know IPv6 addresses for the local subnet, that might be a different issue. nslookup only shows me the IPv4 address for local devices. I am running IPv6 stateless, so addresses are generated by SLAAC?
 

archiel

Senior Member
The problem (at least on my network) appears to be actually two issues, the first is wpad related

Each of the Windows devices is sending wpad.<domain> lookup requests and as there is no wpad configuration in the network, these go to the router, which cannot find this (non-existent) device locally and so passes the request to unbound that then checks externally, with the expected NXDOMAIN result.

In lieu of a better solution I have added the following to hosts.add (in /jffs/configs)
Code:
0.0.0.0 wpad wpad.<local-domain>
:: wpad wpad.<local-domain>
and then running
Code:
service restart_dnsmasq

The second is in relation to a device that is on the network, but is a Ubuntu VM running on Hyper-V. Here the lookup requests were AAAA only. I initially thought that this might be related to the VM having IPv6 disabled (to prevent OpenVPN leaks), but re-enabling and restarting the VM made no difference. For now, as there is no need for an external IPv6 address I have also added
Code:
:: <device> <device>.<local-domain>
to hosts.add

The result is that there are no more wpad.<local-domain> or <device>.<local-domain> queries showing up in unbound.
 

pinkgrae

Regular Contributor
Agreed - advanced mode adds a new dimension that I never knew about.
 

Swistheater

Very Senior Member
Following from this I have the same observations / questions

I am running IPv6 (native, DHCP-PD, Stateless) and I see regular external DNS requests in unbound for queries for some (not all) local devices.
Looking at tcpdump on port 53, these requests are only over IPv6, so I am guessing that dnsmasq is failing to recognise these as local names and passing them on to unbound.
As these requests are very regular and always get NXDOMAIN this pushes the cache hit rate down (typically around 80%) [I am assuming that this is the reason]

While this level of lookups is very unlikely to impact the performance of the router, it would be nice if these local device requests could be stopped and I would like to understand how / if this can be done.

Can this be done
  • by adding something to dnsmasq (say through dnsmasq.post.conf) to flag the devices as local and prevent the DNS request being forwarded to unbound, or
  • by adding something to unbound (say through unbound.conf.add) to stop the request being sent externally.
or in another manner, and if so how.
That is weird, I have dual stack and for the life of me, I cannot get IPV6 to work at all. I thought unbound manager enabled this by default if it saw ipv6 was enabled.
 

archiel

Senior Member

Swistheater

Very Senior Member
What do you mean by 'cannot get IPv6 to work at all'? Are you not seeing AAAA searches & results, are you failing test sites like https://ipv6test.google.com/, https://ipv6-test.com/ or something else?
Okay so,

Ipleak.net
Shows no ipv6 dns addresses, or ipv6 address. The test sites you posted all say I failed for ipv6.
I uninstall unbound, then everything works again.
I have ipv6 dns and address during leaktest. I am able to use both ipv6 test sites and pass.
 

Martineau

Part of the Furniture
That is weird, I thought unbound manager enabled this by default if it saw ipv6 was enabled.
Maybe it does; maybe it doesn't.

I have no way of testing IPv6, so I simply assume an IPv6 environment if the appropriate IPv6 NVRAM variable is not 'disabled'

i.e. it could actually be any of the following
  • native
  • ipv6pt
  • dhcp6
  • 6to4
  • 6in4
  • 6rd
and given the nuances of each mode 6to4 etc. could be entirely an incorrect assumption.
 

Swistheater

Very Senior Member
Maybe it does; maybe it doesn't.

I have no way of testing IPv6, so I simply assume an IPv6 environment if the appropriate IPv6 NVRAM variable is not 'disabled'

i.e. it could actually be any of the following
  • native
  • ipv6pt
  • dhcp6
  • 6to4
  • 6in4
  • 6rd
and given the nuances of each mode 6to4 etc. could be entirely an incorrect assumption.
It is native, and it used to work with unbound manager, so it definitely isn't something you have done.

Has unbound recently added any new directives that may be affecting the running of ipv6?
 

Martineau

Part of the Furniture
It is native, and it used to work with unbound manager, so it definitely isn't something you have done.

Has unbound recently added any new directives that may be affecting the running of ipv6?
  • v3.22 was last updated Feb 22 201
  • v3.23bD Beta was most recently updated 22 days ago, but the patches during the last year are mostly minor typos and menu fixes etc,
So no
 

ZebMcKayhan

Very Senior Member
Okay so,

Ipleak.net
Shows no ipv6 dns addresses, or ipv6 address. The test sites you posted all say I failed for ipv6.
I uninstall unbound, then everything works again.
I have ipv6 dns and address during leaktest. I am able to use both ipv6 test sites and pass.
I recently enabled ipv6 over wireguard so running ipv6 ULA at my lan, and changing ipv6 section in unbound.conf to
Code:
#########################################
# integration IPV6 #
# do-ip6: no
# private-address: ::/0
do-ip6: yes
# edns-buffer-size: 1232
interface: ::0
# access-control: ::0/0 refuse 
access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator"
#dns64-prefix: 64:FF9B::/96

But really, nothing unbound is doing should prevent you from surfing the IPv6 internet, since IPv4 looks up IPv6 addresses as well and you should see your IPv6 IP.
 

Swistheater

Very Senior Member
I recently enabled ipv6 over wireguard so running ipv6 ULA at my lan, and changing ipv6 section in unbound.conf to
Code:
#########################################
# integration IPV6 #
# do-ip6: no
# private-address: ::/0
do-ip6: yes
# edns-buffer-size: 1232
interface: ::0
# access-control: ::0/0 refuse
access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator"
#dns64-prefix: 64:FF9B::/96

But really, nothing unbound is doing should prevent you from surfing the IPv6 internet, since IPv4 looks up IPv6 addresses as well and you should see your IPv6 IP.
So when ipv6 is enabled
Code:
do-ip6: yes
edns-buffer-size: 1232
interface: ::0
access-control: ::0/0 refuse
access-control: ::1 allow
private-address: fd00::/8
private-address: fe80::/10

Is all uncommented
 

archiel

Senior Member
I have the same unbound settings
Code:
do-ip6: yes
edns-buffer-size: 1232
interface: ::0
access-control: ::0/0 refuse
access-control: ::1 allow
private-address: fd00::/8
private-address: fe80::/10
IPv6 Native, DHCP-PD and IPv6 is fine. However looking at your signature I see that while we have the same router you are running 384.19 and I am running 386.4, so not really comparing like with like. I do not know enough to troubleshoot this any further.
 

archiel

Senior Member
Cache Misses

Can anyone help with how I can track cache misses? I get a steady rate of hits at around 90%, but as it is normally the same people on the same machines (or automated calls from devices) I would have expected it to be higher.

I would like to see (1) what site enquiries are generating the cache misses and (2) if they are connected with any particular devices.

Thanks in advance for any ideas.
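One way to answer both questions above from the log itself, as an added example that is not from this thread or from unbound_manager: with unbound's real option log-replies: yes, each answered query is logged with the client address, name, type, rcode and a from-cache flag, so the misses can be tallied per name and per client, and the subset for names under the local domain (the wpad.<local-domain> and <device>.<local-domain> lookups discussed earlier) singled out because dnsmasq should have answered those. The log lines and the local domain home.lan are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of unbound reply-log lines (written with log-replies: yes);
# field order after "info:" is client, name, type, class, rcode, seconds, from-cache, size.
SAMPLE_LOG = """\
[1645000001] unbound[2045:0] info: 192.168.1.20 wpad.home.lan. A IN NXDOMAIN 0.041210 0 41
[1645000002] unbound[2045:0] info: 192.168.1.20 wpad.home.lan. AAAA IN NXDOMAIN 0.039877 0 41
[1645000003] unbound[2045:0] info: 192.168.1.30 ubuntu-vm.home.lan. AAAA IN NXDOMAIN 0.038115 0 47
[1645000004] unbound[2045:0] info: 192.168.1.20 www.snbforums.com. A IN NOERROR 0.000000 1 61
[1645000005] unbound[2045:0] info: 192.168.1.40 www.snbforums.com. A IN NOERROR 0.000000 1 61
[1645000006] unbound[2045:0] info: 192.168.1.40 api.example.org. AAAA IN NOERROR 0.052300 0 74
[1645000007] unbound[2045:0] info: 192.168.1.20 wpad.home.lan. A IN NXDOMAIN 0.040020 0 41
"""

REPLY_RE = re.compile(
    r"info: (?P<client>\S+) (?P<name>\S+) (?P<qtype>\S+) IN (?P<rcode>\S+) "
    r"(?P<secs>[\d.]+) (?P<cached>[01]) (?P<size>\d+)$"
)

def parse_replies(text):
    """Yield one dict per reply record; other log lines are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["cached"] = rec["cached"] == "1"
            yield rec

def miss_report(text, local_domain):
    """Hit rate plus cache misses per (name, type) and per client, and the subset of
    misses for names under local_domain, which dnsmasq should have answered itself."""
    suffix = "." + local_domain.strip(".") + "."
    total = hits = 0
    per_name, per_client, local_leaks = Counter(), Counter(), Counter()
    for r in parse_replies(text):
        total += 1
        if r["cached"]:
            hits += 1
            continue
        per_name[(r["name"], r["qtype"])] += 1
        per_client[r["client"]] += 1
        if r["name"].endswith(suffix):
            local_leaks[(r["client"], r["name"], r["qtype"])] += 1
    hit_rate = round(100.0 * hits / total, 1) if total else 0.0
    return {"total": total, "hit_rate": hit_rate, "per_name": per_name,
            "per_client": per_client, "local_leaks": local_leaks}

if __name__ == "__main__":
    print(miss_report(SAMPLE_LOG, "home.lan"))
```

On the router the same function can be fed the real log file (the path depends on where unbound.conf points logfile:), and any entry in local_leaks is a name to add to hosts.add or cover with a static local-zone.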
 

unrealliving

Occasional Visitor
Hello to everybody, I have a few questions. The thing is that I am about 2 weeks into googling and tweaking my ASUS RT-AC68U router. I am not an IT specialist but I like to know what's going on and what abilities we have, especially when it comes to our privacy, because these days it is more and more complex to use the internet safely. Ok, let's go to the main question:

1) Is Unbound almost the same as Diversion+Skynet together? I mean if Unbound is installed, in the Unbound_manager menu you can install AdBlock, DNS firewall and there is even AdBlock for youtube (which is not working or needs Unbound configured correctly to bypass a third DNS service provider or something like that...)

2) For example, first of all I decided to use Diversion+Skynet and configure it correctly. I managed to run Diversion with pixelserv-tls and use Standard settings. Not sure about Skynet settings because as I understand it has the ability to configure the firewall more specifically, but it should be done only using commands in PuTTY, and for simple USE and FORGET logic that is not very attractive (Maybe I don't know how to manage it using the WEB UI?), so only for the statistics graph it may not be worth it because of resources, which on the ASUS RT-AC68U are limited (CPU and RAM).

3) My experiment started when I read a lot of posts with different opinions: while someone uses all together (Unbound+Diversion+Skynet), others say it's not worth it because more or less all are the same, I mean the firewall on the ASUS RT-AC68U, or Skynet, or the Unbound enabled firewall with default settings are pretty much the same security level. So I installed all three by myself and noticed that Diversion+Skynet was easy to install and use. I did a little configuration to use DNS-over-TLS (DoT) (not exactly sure if it is very worth it, maybe someone could suggest something about that) and tested with various sites. It seems that Diversion AdBlock does a little job and because it's free it might be enough and OK, but a simple AdBlocker in Firefox blocks more ads and pop-up videos than just plain Diversion. But after these simple configurations I ran a test for DNS leaks, tried some sites to see how it works, and because of not so much experience with blocking things I tried Unbound.

4) Using amtm in PuTTY it was really very easy to install Unbound. I like that it shows a notification when you need to set some settings in the main router WEB UI and you are done. Then you should add or enable additional functions like DNS FireWall, AdBlockers... and so on. Then of course I tested some sites and the result compared with the FireFox Adblocker was the same. So no more or less is blocked when I turned ON all together Unbound+Diversion+Skynet and/or separately. The only thing I noticed is that using Unbound I got DNS leaks. So then I thought that Unbound can't be installed simply as default with all addons because without additional configuration some of your data leaks.

So in conclusion, if someone could share a real example of how to correctly use and configure those add-ons Unbound+Diversion+Skynet it would be very nice, because I think I am not the only one looking for the same information on how to correctly configure and enjoy the benefits. Please bear in mind that the ASUS RT-AC68U is not very powerful and when I installed Unbound+Diversion+Skynet+uiDivStats the RAM usage is 70% and CPU operations fluctuate to MAX. So if correctly configured Unbound is almost the same as Diversion+Skynet together, then how to do that step by step configuration and then not use Diversion+Skynet? Unbound has a WEB UI on the router with some statistics so there would be no need to install additional add-ons like Diversion uiDivStats and so on.

I marked paragraphs 1) 2) 3) 4) so that someone could give me more practical information on only a specific point of my experimenting and my thoughts.

Thanks.
 

L&LD

Part of the Furniture
Default RMerlin firmware, Unbound, Skynet, and/or Diversion, separately or in any combination, are not similar in what they provide.

I suggest running all, together. Others may have the time to provide details.

Maybe the following may help?

Order of installing popular scripts | SmallNetBuilder Forums

amtm Step-by-Step https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421
(Note, you do not need to 'install' amtm anymore with current RMerlin firmware. Simply skip those specific steps).
 

unrealliving

Occasional Visitor
Default RMerlin firmware, Unbound, Skynet, and/or Diversion, separately or in any combination, are not similar in what they provide.

I suggest running all, together. Others may have the time to provide details.

Maybe the following may help?

Order of installing popular scripts | SmallNetBuilder Forums

amtm Step-by-Step https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421
(Note, you do not need to 'install' amtm anymore with current RMerlin firmware. Simply skip those specific steps).
Thanks for the reply. One of the links you provided is almost 2 years old, and the other link is not exactly what I was looking for, but one answer which I got from you is that I need to configure them ALL together correctly. So how do I do that? Because Unbound has firewall and AdBlocking add-ons too, so it seems I should just disable them?
 
