Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Curious about what your ISP connection is? Could it be a possible issue with a Fibre vs. Cable or a DSL connection issue? Or something else, somewhat related?

I’m on fibre and am running a dual wan setup with another fibre line, though I have kept my secondary wan/fibre turned off while testing 384.15 and unbound. As for scripts, the usual: diversion, skynet, udivstats. Everything’s been updated to the latest shiny versions.
 
@^Tripper^, maybe the Dual Wan is not really 'off'? Did you reboot after changing its status? I'm also assuming you pulled the Ethernet cable out too. :)
 
I have dual WAN running here, cable and DSL, but I have them running load balance...I could try and see

JVWLB
 
@^Tripper^, maybe the Dual Wan is not really 'off'? Did you reboot after changing its status? I'm also assuming you pulled the Ethernet cable out too. :)

I believe in the “L&LD doctrine”; changed status, waited for 5 mins, turned off the ONT, waited another 5 mins, rebooted, waited for....:)))

I’ll monitor how it goes for today with the defaults and dual wan turned on as a test and if all’s good, then try your tweaks again. That’ll perhaps narrow down if the issue is with unbound (on default settings) and dual wan or the tweaks.

EDIT; my dual wan is on “failover”. (Thanks @New2This for reminding me to mention this.)
 
I have noticed an issue regarding integrating with stubby:
it downloads and installs stubby from entware, and after that 2 instances of stubby are running, and the settings from the GUI are used for resolving.
Is it really needed to install stubby again since it is built into asuswrt?
 
@Jack Yaz With hindsight and generous sound technical input from forum members, I would like to think I have written a script that is actually useful, truly robust and feature-rich for ALL, despite its questionable original strict design requirements - specific to a single user and router model (RT-AC86U), plus the revelation that it was apparently never meant for the community or amtm.

No doubt it isn't a patch on the unbound script you stated (in an old post) you were going to write (when you dabbled with unbound previously), but I have given it my best shot.
 
Just REBOOTED, and logged into SSH and started unbound_mangler.

FYI @Mutzli just to add a datapoint that unbound does (for me) correctly auto-restart after a REBOOT.

Of course now I can't replicate the problem. I even pulled the power plug from the router to see if it wouldn't start. Everything looks good and for now I consider the problem fixed. Thank you.

Btw. the time looks correct on both of my routers:
unbound (pid 2131) is running... uptime: 0 Days, 02:04:55 version: 1.9.6 # rgnldo Github Version=v1.03 Martineau update
(Date Loaded by unbound_manager Mon Feb 10 09:42:51 EST 2020)
 
@Martineau Refrain from personal attacks and don't assume someone's intent or tone. If you have a problem with a member's behavior, report it.
@Jack Yaz If you have a comment, be direct, but respectful and courteous.
+1
the prior unbound thread became "infected" with personal attacks and it is sincerely hoped that the new one can be maintained in the truly amicable spirit of this great community of enthusiasts.
@Martineau has done a wonderful job with his script so far - and like every other script which is part of the amtm stable ...it will evolve and improve over time with input and suggestions from the community.
 
I have noticed an issue regarding integrating with stubby:
it downloads and installs stubby from entware, and after that 2 instances of stubby are running, and the settings from the GUI are used for resolving.
Is it really needed to install stubby again since it is built into asuswrt?
@Martineau I've tried to adapt the Stubby_Integration function to detect the built-in firmware support for Stubby before downloading from Entware. Please take a look in this commit in my fork to see if you want to include it. I'm not that good a scripter and I don't pretend the code works, but the ideas are there to support both Merlin and John's fork implementations of Stubby.

https://github.com/dave14305/Unbound-Asuswrt-Merlin/commit/0132e5424a950fad2f8ce476c63a88082b8725a9
 
I ended up removing my unbound setup last night. Something went terribly wrong after a reboot and I wasn't able to resolve DNS at all -_- probably something stupid on my end, but figured I'd try it again later when I have more time. What is the best way to verify that Unbound is working? I saw in a couple of users' posts that a DNS leak test should report your router's WAN IP address if unbound is working. This was never the case for me, so I must have done something wrong. Really appreciate everyone's support on this thread. Also, is the general consensus that stubby integration is 'recommended' but not required?
 
Also, is the general consensus that stubby integration is 'recommended' but not required?
My opinion is that Stubby integration is not recommended and not required for Unbound as a recursive resolver (its main purpose). If you want DoT, stick with dnsmasq and Stubby in the firmware. That's just my opinion, and your needs may be different than mine. ;)
 
I've uploaded v2.07

Fix: Analyse diversion 'ad' command for diversion lists...it failed if Ad Block isn't ENABLED! - doh!
Add: Allow variable name filter to be specified on 's'/'sa' commands
e.g. ensure 's+' Enhanced Statistics is ENABLED; then 's thread' will cause 'thread*' variable stats to be also displayed.
Change: The URLs displayed (to assist in setting the pre-reqs) will now honour HTTP/HTTPS and HTTP/HTTPS Custom Port @kfahoo
Change: amtm starts unbound_manager by default in 'easy' mode, if you prefer 'advanced' mode then issue 'adv' (or 'advanced') and unbound_manager (amtm) will 'remember' your preferred mode. @L&LD / @kernol
Change: The NTP Server pre-req will now accept either the native RMerlin NTP Server or the Entware NTP Server, but at least one must be ACTIVE.
Change: Easy mode still retains the two Install/Update options (1 & 2), but I have now decided the original SME brain-dead design should be changed, so option 2 will now only install logging and the simple Performance tweak, as they are now proven to work without fuss or drama.
Change: I have made the option Stubby-Integration refer to @dave14305's excellent synopsis of the need for Stubby-Integration.
i.e. a clickable link allows the user to read it and should ;) deter them from opting for the Stubby-Integration.

(Not sure if this redundant option should eventually be removed?)
 
I ended up removing my unbound setup last night. Something went terribly wrong after a reboot and I wasn't able to resolve DNS at all -_- probably something stupid on my end but figured I'd try it again later when I have more time. What is the best way to verify that Unbound is working
Well unbound_manager will display the header box, then seemingly fail to display the prompt
Code:
e  = Exit Script

E:Option ==>
if the unbound installation isn't successful...before the REBOOT.

Obviously if you enable logging, then if you can open Web pages, you should see the query/reply pair for the domains

e.g. I browsed to www.ibm.com
Code:
e  = Exit Script

E:Option ==> l

/opt/var/lib/unbound/unbound.log        Press CTRL-C to stop

Feb 10 20:05:34 unbound[22389:0] query: 127.0.0.1 play.google.com. A IN
Feb 10 20:05:34 unbound[22389:0] reply: 127.0.0.1 play.google.com. A IN NOERROR 0.000000 1 49
Feb 10 20:05:36 unbound[22389:0] query: 127.0.0.1 www.ibm.com. A IN
Feb 10 20:05:36 unbound[22389:0] query: 127.0.0.1 www.ibm.com. A IN
Feb 10 20:05:37 unbound[22389:0] reply: 127.0.0.1 www.ibm.com. A IN NOERROR 0.701922 0 229
Feb 10 20:05:37 unbound[22389:0] reply: 127.0.0.1 www.ibm.com. A IN NOERROR 0.795087 0 229
Feb 10 20:05:37 unbound[22389:0] query: 127.0.0.1 1.cms.s81c.com. A IN
Feb 10 20:05:37 unbound[22389:0] query: 127.0.0.1 1.www.s81c.com. A IN
Feb 10 20:05:37 unbound[22389:0] query: 127.0.0.1 1.cms.s81c.com. A IN
Feb 10 20:05:37 unbound[22389:0] reply: 127.0.0.1 1.www.s81c.com. A IN NOERROR 0.049298 0 200
Feb 10 20:05:37 unbound[22389:0] reply: 127.0.0.1 1.cms.s81c.com. A IN NOERROR 0.276297 0 200
Feb 10 20:05:37 unbound[22389:0] reply: 127.0.0.1 1.cms.s81c.com. A IN NOERROR 0.366111 0 200
Feb 10 20:05:38 unbound[22389:0] query: 127.0.0.1 cloud.ibm.com. A IN
Feb 10 20:05:38 unbound[22389:0] query: 127.0.0.1 1.dam.s81c.com. A IN
Feb 10 20:05:38 unbound[22389:0] query: 127.0.0.1 api.www.s81c.com. A IN
Feb 10 20:05:38 unbound[22389:0] query: 127.0.0.1 www-api.ibm.com. A IN
Feb 10 20:05:38 unbound[22389:0] query: 127.0.0.1 cloud.ibm.com. A IN
Feb 10 20:05:38 unbound[22389:0] query: 127.0.0.1 1.dam.s81c.com. A IN
Feb 10 20:05:38 unbound[22389:0] query: 127.0.0.1 api.www.s81c.com. A IN
Feb 10 20:05:38 unbound[22389:0] query: 127.0.0.1 ibm.co. A IN
Feb 10 20:05:38 unbound[22389:0] query: 127.0.0.1 www-api.ibm.com. A IN

If there are no errors shown in Syslog, then you would have to investigate further.

FYI @Mutzli reported a REBOOT issue but it seems to have been a one-off?
 
Last edited:
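
The log check described in the post above, as an added example that is not part of the original thread or of unbound_manager: it pairs the `query:` and `reply:` lines per name and flags names that got fewer replies than queries or a non-NOERROR answer. The function names `sample_log` and `summarize_unbound_log` are hypothetical, and the sample log lines are constructed in the format shown in the post.

```shell
#!/bin/sh
# Added example, not part of unbound_manager. Function names are hypothetical.

# Constructed sample in the same format as the unbound.log lines quoted above.
sample_log() {
    cat <<'EOF'
Feb 10 20:05:34 unbound[1234:0] query: 127.0.0.1 www.example.com. A IN
Feb 10 20:05:34 unbound[1234:0] reply: 127.0.0.1 www.example.com. A IN NOERROR 0.701922 0 229
Feb 10 20:05:35 unbound[1234:0] query: 127.0.0.1 cdn.example.net. A IN
Feb 10 20:05:35 unbound[1234:0] query: 127.0.0.1 cdn.example.net. A IN
Feb 10 20:05:36 unbound[1234:0] reply: 127.0.0.1 cdn.example.net. A IN NOERROR 0.049298 0 200
Feb 10 20:05:37 unbound[1234:0] query: 127.0.0.1 broken.example.org. A IN
Feb 10 20:05:38 unbound[1234:0] reply: 127.0.0.1 broken.example.org. A IN SERVFAIL 1.500000 0 40
EOF
}

# summarize_unbound_log [FILE...]   (reads stdin when no file is given)
# Output, one line per name and record type, sorted:
#   <name> <type> queries=<n> replies=<n> <OK|UNANSWERED|rcode>
summarize_unbound_log() {
    awk '
        $5 == "query:" { q[$7 " " $8]++ }
        $5 == "reply:" {
            k = $7 " " $8
            r[k]++
            q[k] += 0                        # list names seen only in replies
            if ($10 != "NOERROR") bad[k] = $10
        }
        END {
            for (k in q) {
                if (k in bad)             status = bad[k]
                else if (r[k] + 0 < q[k]) status = "UNANSWERED"
                else                      status = "OK"
                printf "%s queries=%d replies=%d %s\n", k, q[k], r[k] + 0, status
            }
        }' "$@" | LC_ALL=C sort
}

# Stand-alone run on the constructed sample; on the router pass the log path
# shown in the post: summarize_unbound_log /opt/var/lib/unbound/unbound.log
sample_log | summarize_unbound_log
```

A name whose reply had not yet been logged when the file was read also shows as UNANSWERED, so the entries worth investigating are the ones that stay that way across runs.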
I've updated and I'm getting this msg (bold) below...any ideas?

[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
/jffs/addons/unbound/unbound_manager.sh: line 2403: /opt/etc/init.d/S77ntpd: not found
[✔] Entware NTP server is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO
 
I've updated and I'm getting this msg (bold) below...any ideas?

[✔] Swapfile=2097148 kB
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
/jffs/addons/unbound/unbound_manager.sh: line 2403: /opt/etc/init.d/S77ntpd: not found
[✔] Entware NTP server is running
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO
Can you issue the following:
Code:
which ntpd
 
Can you issue the following:
Code:
which ntpd

I'm using the native RMerlin NTP Server (pool.ntp.org)..is this what you're inquiring about?
 
I am getting the same 'not found' line too. I use Merlin's ntp.

The output of 'which ntpd' is:
/usr/sbin/ntpd
 
Stubby? I vote to remove it. But I think my endless whining about it is already evident. :rolleyes:

I second this request FWIW....as @dave14305 has coached me, until such a time where our requests to the name servers can be encrypted directly, having anything DoT with Unbound seems pointless.....hey, I'm starting to sound smart....it's all fake though....;)
 
