Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


Martineau

Part of the Furniture
This thread is for the discussion topic: unbound_manager script.


As per the GitHub Hints/Tips: Differences between the operational modes

'Easy' mode - you have limited Install options, i.e. the Advanced Options
  • Stubby Integration
  • DoT installs
are not available.
'Advanced' mode - you can fully customise the choice of options implemented.


'Advanced' mode (screenshot)

'Easy' mode (This is the default) (screenshot)



INSTALLATION

Pre-reqs:

  • Asus Router running the RMerlin firmware (see AsusWRT-Merlin)
  • Entware must be installed (Many popular 3rd Party scripts now require Entware e.g. amtm)
Recommended unbound compatible Router Settings pre-reqs:

[✔] Swapfile=262140 kB (min 256 MB)
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Enable local NTP server=YES
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO

If the router settings do not match the above, a hyperlink will be shown to assist

e.g.
[❌] ***ERROR WAN: Use local caching DNS server as system resolver=YES
see http://192.168.1.1/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks

Manual installation of unbound - like most tasks - is easy once you know how, but for non-techies, why spend time frustratingly typing in cryptic directives/commands into the router when you could simply let someone else facilitate the task, who will remain accountable when it goes wrong! ;)

The goal of unbound_manager is to seamlessly integrate unbound with the inherent dnsmasq but to ensure that unbound_manager can always be used to instantly remove unbound in seconds, i.e. a REBOOT (whilst recommended) isn't mandatory during the installation, nor for an uninstall.

Furthermore, the script provides useful features via simple menu options that do not intimidate non-techies, but allow them to investigate (and, for the adventurous, tweak) the unbound configuration without any drama.

If you are running amtm >v3.1.2, then use item '7'; otherwise see the one-line command unbound_manager Manual Installation

The unbound_manager.sh script is hosted on GitHub, and you can follow the development history here.
 
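The pre-req list above is what the script checks before installing. As an added example (not unbound_manager's own code), the POSIX shell below audits those settings from nvram and prints the same [✔]/[❌] lines, with the GUI hint for the one setting the post shows a hint for. The nvram variable names are my assumption about what Asuswrt-Merlin uses for each GUI option (confirm with `nvram show | grep <name>`); the "DNS Filter=ROUTER" mode check is left out because its nvram encoding is not on the page. Setting NVRAM_SOURCE=fake substitutes constructed values so the script runs off-router.

```shell
#!/bin/sh
# Added example (not unbound_manager's own code): audit the router settings the
# post lists as unbound pre-reqs and print one [✔]/[❌] line per setting.
# ASSUMPTIONS: the nvram names below are what I believe Asuswrt-Merlin uses for
# these GUI toggles; NVRAM_SOURCE=fake swaps in constructed values for offline use.

# Constructed sample values: every toggle correct except the local caching
# resolver, which is deliberately wrong so exactly one [❌] line appears.
fake_nvram_get() {
    case "$1" in
        dnsfilter_enable_x) echo 1 ;;   # DNS Filter=ON
        dns_local_cache)    echo 1 ;;   # should be 0 (=NO)
        ntpd_enable)        echo 1 ;;   # local NTP server=YES
        dns_norebind)       echo 0 ;;   # DNS Rebind protection=NO
        dnssec_enable)      echo 0 ;;   # router DNSSEC=NO (unbound validates instead)
        *)                  echo "" ;;
    esac
}

nvram_get() {
    if [ "${NVRAM_SOURCE:-real}" = "fake" ]; then fake_nvram_get "$1"; else nvram get "$1"; fi
}

swap_kb() {   # configured swap in kB: SwapTotal from /proc/meminfo, or a constructed value
    if [ "${NVRAM_SOURCE:-real}" = "fake" ]; then echo "${FAKE_SWAP_KB:-262140}"; return; fi
    awk '/^SwapTotal:/ {print $2}' /proc/meminfo
}

onoff() { if [ "$1" = "1" ]; then echo ON;  else echo OFF; fi; }
yesno() { if [ "$1" = "1" ]; then echo YES; else echo NO;  fi; }

# check LABEL EXPECTED ACTUAL [HINT]: prints the result line, returns 1 on mismatch
check() {
    if [ "$3" = "$2" ]; then
        printf '[✔] %s=%s\n' "$1" "$2"
        return 0
    fi
    printf '[❌] ***ERROR %s=%s (expected %s)\n' "$1" "$3" "$2"
    [ -n "$4" ] && printf '    see %s\n' "$4"
    return 1
}

# audit_router: runs every check; the return value is the number of mismatches
audit_router() {
    fails=0
    hint="http://${ROUTER_IP:-192.168.1.1}/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks"
    kb=$(swap_kb)
    if [ "${kb:-0}" -ge 262140 ]; then
        printf '[✔] Swapfile=%s kB\n' "$kb"
    else
        printf '[❌] ***ERROR Swapfile=%s kB (min 256 MB)\n' "${kb:-0}"; fails=$((fails + 1))
    fi
    check "DNS Filter" ON "$(onoff "$(nvram_get dnsfilter_enable_x)")" || fails=$((fails + 1))
    check "WAN: Use local caching DNS server as system resolver" NO \
          "$(yesno "$(nvram_get dns_local_cache)")" "$hint" || fails=$((fails + 1))
    check "Enable local NTP server" YES "$(yesno "$(nvram_get ntpd_enable)")" || fails=$((fails + 1))
    check "Enable DNS Rebind protection" NO "$(yesno "$(nvram_get dns_norebind)")" || fails=$((fails + 1))
    check "Enable DNSSEC support" NO "$(yesno "$(nvram_get dnssec_enable)")" || fails=$((fails + 1))
    return "$fails"
}

# `sh audit.sh run` on the router; `NVRAM_SOURCE=fake sh audit.sh run` off-router.
case "${1:-}" in run) audit_router ;; esac
```

The exit status is the mismatch count, so the audit can gate a later install step (`audit_router || echo "fix the settings above first"`).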

Martineau

Part of the Furniture
Known Issues

Issue: Sev4 v2.06 Typo reported :oops:
Fixed: 7th Feb. 2020 Simply rerun v2.06 'i = Update unbound configuration' to retrieve 'unbound.conf' v1.03 Hotfix

Issue: 10th Apr. 2020. Upgrade from unbound v1.96.0 to v1.10.0 fails. (Entware borked :rolleyes:)
Fixed: issue the one-line command, or if the one-line command doesn't work see instructions
Code:
opkg remove --force-depends libunbound
then 'i = Update unbound configuration'

Issue: 13th Sep. 2020. Entware Update borked: Thanks @bluzfanmr1 and @Linux_Chemist
Fixed: issue the one-line command
Code:
opkg remove libunbound-light --force-depends && opkg install libunbound
then restart unbound or (worst-case scenario) 'i = Update unbound configuration'

Martineau

Part of the Furniture
Q&A

Q. Do I need (Official Website) unbound?
A. Well... it depends - However, using this script you should be able to perform a truly transparent risk-free trial to decide for yourself i.e. usually no need for a REBOOT.

Q. dnsmasq (Trusted/mature/familiar and feature-rich) is included by default in the RMerlin firmware, is there a comparison list of features that dnsmasq has that aren't (yet) available in unbound?
A. Not that I know of (unless proven wrong! ;)) but diversion/x3mRouting rely heavily on dnsmasq for certain features.

Q. Can I run unbound+dnsmasq+diversion together?
A. Yes. However, unbound+Ad Block+diversion is NOT recommended, simply because Ad Block and diversion essentially perform the same function so a duplication of effort is wasteful. Also, the domains must be stored in memory, so if you have both Ad Block and diversion installed (issue the 'ad' command to see how many entries are in use) one set may simply not be referenced but still occupies memory.

Q. Can I run unbound with IPv6?
A. Yes, but with caveats. I have no way of testing IPv6; some use it successfully while others have hit snags, but I believe the script does work for basic/simple IPv6 environments.

Q. Do I need Stubby Integration?
A. Well... Stubby encrypts your DNS traffic to an upstream DNS service. Normally you are forced to trust the upstream DNS provider/your ISP. unbound communicates directly with the authoritative name servers, thereby eliminating snooping by any upstream "middle-men" such as Google, Cloudflare, Quad9 etc.
So, if you want to remain as your own trusted recursive DNS resolver then the answer is No.

Q. Can unbound run with DNSSEC ENABLED?
A. Yes. The script configures unbound to perform DNSSEC validation (see howto) hence the recommendation in the Router Settings pre-reqs to DISABLE it in the router.

Q. Do I need to opt for the 'Customise the CPU/Memory' option?
A. Yes. i.e. the kernel tweaks don't cause any noticeable negative effect, and HND router owners will also have the TCP Fast Open tweak applied. (see script '/jffs/addons/unbound/stuning')

Q. Why are DSA and GOST NOT validated, when I click on the hyperlink 'Click https://rootcanary.org/test.html to view Web DNSSEC Test' displayed by the '? = About Configuration' command?
A. Deprecated i.e. unbound explicitly disables support e.g. unbound -V shows compile options '--disable-dsa' and '--disable-gost'

Q. Does unbound support DoT?
A. @dave14305 replied: "unbound does not use any encrypted traffic as a 'recursive resolver'. It can’t make 'recursive queries' using encryption. You can reconfigure unbound to become a forwarder (like dnsmasq and Stubby) and use DoT, but what’s the value of unbound then as just another forwarder, when dnsmasq+Stubby already do that well enough?"

NOTE: For completeness/freedom of choice, v2.12 now does allow unbound DoT to be configured using both Cloudflare & Quad9 IPv4/IPv6 servers.

Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? Unless you have configured unbound to use DoT or Stubby Integration you are no longer using any 3rd-party DNS such as Google's 8.8.8.8 or Quad9's 9.9.9.9. However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.
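The DNSSEC answer above says unbound does the validation, which is why the pre-reqs turn the router's own DNSSEC option off. As an added example (not from unbound_manager or anyone in the thread), the POSIX shell below shows how to confirm that from the command line: a correctly signed name must come back with the AD (authenticated data) flag, and a name whose signatures are deliberately broken must come back SERVFAIL instead of an answer. Assumptions: `dig` (Entware bind-dig) is installed; RESOLVER/PORT default to 127.0.0.1:53535, which I believe is where unbound_manager makes unbound listen (check the `interface:` line in unbound.conf); isc.org is used as a known-signed name and dnssec-failed.org as the public test zone with intentionally invalid signatures. The sample dig headers are constructed.

```shell
#!/bin/sh
# Added example, not unbound_manager's code: confirm the resolver validates DNSSEC.
#   1. a correctly signed name comes back with the AD flag set;
#   2. a name with deliberately broken signatures comes back SERVFAIL.
# ASSUMPTIONS: dig is installed; unbound listens on ${RESOLVER:-127.0.0.1}:${PORT:-53535}.

# Constructed dig header lines, the shape a validating unbound produces.
SAMPLE_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BAD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# dig_status OUTPUT: the RCODE name from the ->>HEADER<<- line (NOERROR, SERVFAIL, ...)
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_flag OUTPUT FLAG: returns 0 if FLAG (qr, aa, ad, ...) is in the flags line
dig_has_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# verdict GOOD_OUTPUT BAD_OUTPUT: prints VALIDATING, NOT-VALIDATING or INCONCLUSIVE
verdict() {
    bad_status=$(dig_status "$2")
    if dig_has_flag "$1" ad && [ "$bad_status" = SERVFAIL ]; then
        echo VALIDATING             # AD set on good data, bogus data refused
    elif ! dig_has_flag "$1" ad && [ "$bad_status" = NOERROR ]; then
        echo NOT-VALIDATING         # answers pass through unchecked (a plain forwarder)
    else
        echo INCONCLUSIVE           # e.g. a timeout: no header line at all
    fi
}

# live_check: query the real resolver and print the verdict
live_check() {
    r=${RESOLVER:-127.0.0.1}; p=${PORT:-53535}
    good=$(dig "@$r" -p "$p" +dnssec +time=3 A "${SIGNED_NAME:-isc.org}")
    bad=$(dig "@$r" -p "$p" +dnssec +time=3 A dnssec-failed.org)
    verdict "$good" "$bad"
}

case "${1:-}" in
    live) live_check ;;
    demo) verdict "$SAMPLE_GOOD" "$SAMPLE_BAD" ;;
esac
```

Run `sh dnssec_check.sh live` on the router. A NOT-VALIDATING result with the router's own DNSSEC option also off means nothing on the path is checking signatures, which is the combination the pre-req list is meant to avoid.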

Kingp1n

Very Senior Member
I think I know the answer but IPV6 can be enabled with the current unbound script correct?
 

heysoundude

Very Senior Member
Known Issues
I tried clicking on this as if it were a link, to no avail; I take it that means it’s awfully new and un-installed as yet, since there are no issues listed.
It’ll be interesting to see who makes the switch and why, and how it works out for them...

Is this getting added to amtm?


 

Martineau

Part of the Furniture
I tried clicking on this as if it were a link, to no avail; I take it that means it’s awfully new and un-installed as yet, since there are no issues listed.
Hyperlinks appear underlined in blue? in posts, and if you hover over them with a mouse, then the target URL appears usually in the bottom left corner of your browser.

So no, currently v2.06 and no-one has reported any script issues such as crashes/syntax errors/illogical/unexpected mangling of 'unbound.conf' or typos (even in comments! - and Yes this has happened to me in the past by pedantic w*nk*rs :mad:)

...or any new feature requests.
Is this getting added to amtm?
Don't know... gave my consent a while back, was forced to rewrite (hence v2.xx) to comply - I'm not holding my breath.
 

L&LD

Part of the Furniture
My spidey-senses tell me amtm and Diversion are due for a major overhaul (at least under the hood) before RMerlin 384.15 final is released. I am also very hopeful that unbound_manager will be included when RMerlin 384.15_0 release lands. :)

Sorry, I'm going to be one of those 'pedantic w*nk*rs' to you. (That means winkers, correct? ;) ). lol... :D

Code:
# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
Should the comment be 'with user "nobody" to /var/lib/unbound? Or, am I reading the script wrong (again!)? :)
 

Martineau

Part of the Furniture
My spidey-senses tell me amtm and Diversion are due for a major overhaul (at least under the hood) before RMerlin 384.15 final is released. I am also very hopeful that unbound_manager will be included when RMerlin 384.15_0 release lands. :)

Sorry, I'm going to be one of those 'pedantic w*nk*rs' to you. (That means winkers, correct? ;) ). lol... :D

Code:
# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
Should the comment be 'with user "nobody" to /var/lib/unbound? Or, am I reading the script wrong (again!)? :)
:oops: ...and we have a winner! - just knew someone couldn't resist! :p
 

L&LD

Part of the Furniture
v.207 unbound_manager is now downloading... :D
 

skeal

Part of the Furniture
Can someone explain the memory and cpu advanced menu options? Or is this something to stay away from for the average SOHO user?
 

L&LD

Part of the Furniture
@skeal, I can't explain it well, but with a 4 core CPU (RT-AX88U), I thought I would see if the defaults were too conservative. :)

Code:
# no threads and no memory slabs for threads
num-threads: 4                 # v1.01 as per @L&LD (default 1)
msg-cache-slabs: 8             # v1.01 as per @L&LD (default 2)
rrset-cache-slabs: 8           # v1.01 as per @L&LD (default 2)
infra-cache-slabs: 8           # v1.01 as per @L&LD (default 2)
key-cache-slabs: 8             # v1.01 as per @L&LD (default 2)

# tiny memory cache
key-cache-size: 16m            # v1.01 as per @L&LD (default 8m)
msg-cache-size: 16m            # v1.01 as per @L&LD (default 8m)
rrset-cache-size: 32m          # v1.01 as per @L&LD (default 16m)
cache-max-ttl: 21600
cache-min-ttl: 5
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 100
edns-buffer-size: 1472         # v1.01 as per @dave14305 minimal config
This is what my router has been running for at least 4 hours now with no issues so far.

After I made the changes from the defaults above, I issued an 'rs' command and could immediately see an increase in responsiveness from surfing to running amtm and the 'u' and 'uu' commands to accessing my NAS too.

I can't guess what the other settings in tiny memory cache do, so I don't think I will be fooling around with those (yet!).

Seeing as you have the same AX model as me, maybe you'd like to try these settings (edit carefully!) and see if you see the same improvements too.

Interestingly, the 's' command in unbound_manager now only shows 37% (with light network usage), but it feels faster than when it was in the 90% range with the previous settings. :)
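As an added example (not L&LD's or unbound_manager's code), the POSIX shell below derives the thread and slab settings in the post above from the core count using the rule of thumb in unbound's optimisation howto (num-threads = cores; every cache-slabs value a power of two near the thread count; rrset-cache-size twice msg-cache-size), and then judges the running instance by the cache-hit ratio from `unbound-control stats_noreset`. For 4 cores the rule gives 4 slabs where the post uses 8; both are valid, since the only hard requirement is that slab counts are powers of two. It assumes remote-control is enabled in unbound.conf so that unbound-control works; the sample stats text is constructed.

```shell
#!/bin/sh
# Added example, not L&LD's or unbound_manager's code: generate the tuning
# fragment from the core count and read the cache-hit ratio from unbound-control.
# ASSUMPTION: `unbound-control` is configured (remote-control: in unbound.conf).

cpu_count() { nproc 2>/dev/null || grep -c '^processor' /proc/cpuinfo; }

next_pow2() {   # smallest power of two >= $1 (slab counts must be powers of two)
    p=1
    while [ "$p" -lt "$1" ]; do p=$((p * 2)); done
    echo "$p"
}

# tuning_conf CORES [MSG_CACHE_MB]: emits a server: fragment for unbound.conf
tuning_conf() {
    cores=$1; msg=${2:-16}
    slabs=$(next_pow2 "$cores")
    rrset=$((msg * 2))        # howto rule: rrset cache is twice the msg cache
    cat <<EOF
num-threads: $cores
msg-cache-slabs: $slabs
rrset-cache-slabs: $slabs
infra-cache-slabs: $slabs
key-cache-slabs: $slabs
msg-cache-size: ${msg}m
rrset-cache-size: ${rrset}m
EOF
}

# Constructed stats output in the key=value form unbound-control prints.
SAMPLE_STATS='total.num.queries=12000
total.num.cachehits=9000
total.num.cachemiss=3000
total.num.prefetch=800'

# cache_hit_pct STATS_TEXT: integer percentage of queries answered from cache
cache_hit_pct() {
    hits=$(printf '%s\n' "$1" | sed -n 's/^total\.num\.cachehits=//p')
    total=$(printf '%s\n' "$1" | sed -n 's/^total\.num\.queries=//p')
    if [ "${total:-0}" -eq 0 ]; then echo 0; return; fi
    echo $(( ${hits:-0} * 100 / total ))
}

case "${1:-}" in
    conf)  tuning_conf "$(cpu_count)" "${2:-16}" ;;
    stats) echo "cache hit: $(cache_hit_pct "$(unbound-control stats_noreset)")%" ;;
    demo)  tuning_conf 4 16; echo "sample cache hit: $(cache_hit_pct "$SAMPLE_STATS")%" ;;
esac
```

`sh tune.sh conf` prints the fragment for this router's core count; `sh tune.sh stats` taken a few hours apart is a more reliable way to compare two settings than "feels faster", because a rising hit ratio is what the larger caches and prefetch are supposed to buy.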
 

Mutzli

Very Senior Member
Looks like a busy weekend ahead testing out this new script. I was trying out unbound a couple of months ago and had to uninstall it again because it wasn't working right. How is it now?
 

L&LD

Part of the Furniture
@JemTheWire, I can't tell if you're just being funny? :)

I only posted that in jest because of the insignificant 'error' I found in the comments. :)
 

L&LD

Part of the Furniture
@Mutzli, depending on what you have running on your router currently, it works great. :)
 
