Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

@dave14305 found that a single 'local-zone' record for pixelserv-tls redirection uses less memory than the original formal 'redirect/local-data' pair of records.

You can see the commented code in my script! (just a few lines below where you found the 'merge' feature) ;)
Just to clarify, local-data alone uses less memory than a local-zone. Your code is correct, but the comment in the code is misquoted. :)
Unbound - Authoritative Recursive Caching DNS Server
 
Thanks. It is not network monitoring - both are disabled. And indeed - common generates some traffic when I chose a name rather than an IP for pings. But that's not what it is. I had DoT DNS to 1.1.1.3 before Unbound indeed. Perhaps Diversion generates something, not Unbound.
In tcpdump anything related to filters does not appear to work. So the first one dumps data, but the others do not:
tcpdump -i eth0 -n
tcpdump -i eth0 -n port 53
tcpdump -i eth0 -n -X icmp
tcpdump -i eth0 -n host 1.1.1.3
Started using grep as a workaround, as I do not know how to investigate broken tcpdump. Perhaps it is router specific if nobody else has this issue. I will search how to downgrade the version later.

Constant DNS connection appears to be Network Monitoring indeed, in line with @dave14305's suggestion and this article.
https://discourse.pi-hole.net/t/exc...s-queries-originating-from-asus-router/3157/2

But I have the flag disabled. Clearly it is a bug as confirmed here also - going to try this workaround to stop DNS probing.
https://www.reddit.com/r/pihole/comments/b0cjn1/why_is_my_router_19218611_looking_up/
Perhaps on the wish list already @RMerlin
 
Martineau,
Mea culpa, mea culpa, mea maxima culpa !!! :( .....;)

Abject apologies for 'running amok' in your code !!! :)
(Do usually keep quiet about the 'hacks' so as to avoid creating problems for the original authors with 'unsupported software', as you noted :()
non forsit! ;)
It is useful if you are trying to replicate the blocking etc that you have in Diversion.

It does appear to work ..... yes really :eek::eek::D

I am trying to run unbound with the same blocking/whitelist/etc as Diversion, hence the 'unauthorised' hack to activate 'merge'.

I want to contrast 'unbound with Diversion' vs 'Ad-Blocking with unbound ONLY'.
The hidden feature was intended as a one-off migration tool, but please report any useful observations/findings/metrics as a result of your comparison.

P.S. I wouldn't rely on my scripts to teach you anything, apart from untidy/ugly coding practices and brain-dead logic!:cool:
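The two points made above (local-data alone is the lighter form for pixelserv-tls redirection, and the hidden 'merge' feature imports a Diversion-style block list into unbound) in one worked script. This is an added example, not code from unbound_manager or Diversion: the block list and whitelist are constructed sample input in hosts format, 10.88.8.2 is an assumed pixelserv-tls address, and the two output modes are the example's own naming. Per the Unbound documentation, local-data without a local-zone matches only the exact name, while a local-zone of type redirect also answers for every subdomain, which is the trade-off the memory saving buys.

```python
"""Generate unbound local-data / local-zone entries from a hosts-style block list.

Added example, not unbound_manager or Diversion code. Assumptions:
  - block list lines are hosts-format "<ip> <domain>" (Diversion style), '#' comments
  - PIXELSERV_IP is the pixelserv-tls address; 10.88.8.2 is a constructed value
  - mode "local-data": one local-data RR per name, exact-name match only
  - mode "redirect":   local-zone redirect + local-data, also answers for subdomains
"""
import re

PIXELSERV_IP = "10.88.8.2"  # constructed; substitute your pixelserv-tls address

# Constructed sample input in Diversion/hosts format.
BLOCKLIST = """\
# ad servers
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
0.0.0.0 cdn.ads.example.com
0.0.0.0 ADS.example.com
127.0.0.1 localhost
"""
WHITELIST = """\
tracker.example.net
"""

_HOST_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z0-9.-]+)\s*(?:#.*)?$")


def parse_hosts(text):
    """Return the set of lower-cased domains named in a hosts-format block list."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _HOST_RE.match(line)
        if not m:
            continue  # not a hosts entry; ignore rather than emit bad config
        name = m.group(2).lower().rstrip(".")
        if name == "localhost":  # every hosts file carries this; never block it
            continue
        domains.add(name)
    return domains


def parse_whitelist(text):
    """One domain per line, '#' comments allowed."""
    return {l.strip().lower().rstrip(".") for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def _covered_by_parent(name, names):
    """True if some proper parent of name is itself in names."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in names for i in range(1, len(labels)))


def build_entries(blocklist_text, whitelist_text, mode="local-data",
                  target_ip=PIXELSERV_IP):
    """Return unbound.conf lines for the block list minus whitelisted names."""
    if mode not in ("local-data", "redirect"):
        raise ValueError("mode must be 'local-data' or 'redirect'")
    names = parse_hosts(blocklist_text) - parse_whitelist(whitelist_text)
    if mode == "redirect":
        # A redirect zone already answers for all subdomains, so drop children.
        names = {n for n in names if not _covered_by_parent(n, names)}
    lines = []
    for name in sorted(names):
        if mode == "redirect":
            lines.append(f'local-zone: "{name}" redirect')
        lines.append(f'local-data: "{name} A {target_ip}"')
    return lines


if __name__ == "__main__":
    for mode in ("local-data", "redirect"):
        print(f"# mode={mode}")
        print("\n".join(build_entries(BLOCKLIST, WHITELIST, mode)))
```

The output is meant to be written to a file that unbound.conf pulls in with an include: directive; after changing it, reload with unbound-control and check the memory counters with unbound-control stats to repeat the comparison made in the thread.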
 
Wow, that is strange behaviour. No idea of the purpose of these sites, but found this in unbound.log.
Clearly it should be at zone msedge.net instead of q-msedge.net. Unbound bug or config?
May 15 13:58:34 unbound[3070:0] error: SERVFAIL <q-ring.msedge.net. A IN>: all servers for this domain failed, at zone q-msedge.net.
May 15 13:58:34 unbound[3070:0] error: SERVFAIL <q-ring.msedge.net. AAAA IN>: all servers for this domain failed, at zone q-msedge.net.
May 15 13:59:42 unbound[3070:0] error: SERVFAIL <q-ring.msedge.net. AAAA IN>: all servers for this domain failed, at zone q-msedge.net.
May 15 13:59:42 unbound[3070:0] error: SERVFAIL <q-ring.msedge.net. A IN>: all servers for this domain failed, at zone q-msedge.net.
 
Not sure why you get SERVFAIL :confused:

unbound seems to resolve it fine
Code:
e  = Exit Script [?]

A:Option ==> dig q-ring.msedge.net.


; <<>> DiG 9.14.8 <<>> txt q-ring.msedge.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39557
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;q-ring.msedge.net.        IN    TXT

;; ANSWER SECTION:
q-ring.msedge.net.    874    IN    CNAME    q-ring.q-9999.q-msedge.net.
q-ring.q-9999.q-msedge.net. 874    IN    CNAME    q-9999.q-msedge.net.

;; AUTHORITY SECTION:
q-msedge.net.        874    IN    SOA    ns1.q-msedge.net. msnhst.microsoft.com. 2018012401 1800 900 2419200 240

;; Query time: 28 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 16 14:49:39 UTC 2020
;; MSG SIZE  rcvd: 157


; <<>> DiG 9.14.8 <<>> q-ring.msedge.net. @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60780
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;q-ring.msedge.net.        IN    A

;; ANSWER SECTION:
q-ring.msedge.net.    874    IN    CNAME    q-ring.q-9999.q-msedge.net.
q-ring.q-9999.q-msedge.net. 874    IN    CNAME    q-9999.q-msedge.net.
q-9999.q-msedge.net.    874    IN    A    13.107.49.254

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 16 14:49:39 UTC 2020
;; MSG SIZE  rcvd: 113
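The SERVFAIL lines and the dig output above, related in code. This is an added example, not part of unbound_manager or of either post; the dig ANSWER SECTION and the log lines are embedded as constants (the 3gppnetwork.org line is the one quoted further down the thread), so nothing resolves over the network. The zone after "at zone" in Unbound's message is the delegation point whose nameservers all failed. Because q-ring.msedge.net is a CNAME into q-msedge.net, that is the zone Unbound was iterating in when the A/AAAA lookups failed, and the script checks that the final CNAME target falls inside the reported zone.

```python
"""Relate an unbound 'SERVFAIL ... at zone X' line to the CNAME chain dig shows.

Added example, not unbound_manager code. Inputs are copied from the thread and
embedded as constants; no network access.
"""
import re

DIG_OUTPUT = """\
;; ANSWER SECTION:
q-ring.msedge.net.    874    IN    CNAME    q-ring.q-9999.q-msedge.net.
q-ring.q-9999.q-msedge.net. 874    IN    CNAME    q-9999.q-msedge.net.
q-9999.q-msedge.net.    874    IN    A    13.107.49.254
"""

UNBOUND_LOG = """\
May 15 13:58:34 unbound[3070:0] error: SERVFAIL <q-ring.msedge.net. A IN>: all servers for this domain failed, at zone q-msedge.net.
May 15 13:58:34 unbound[3070:0] error: SERVFAIL <q-ring.msedge.net. AAAA IN>: all servers for this domain failed, at zone q-msedge.net.
May 16 11:12:36 unbound[1314:0] error: SERVFAIL <config.rcs.mnc410.mcc310.pub.3gppnetwork.org. A IN>: all servers for this domain failed, at zone gslb.mnc410.mcc310.pub.3gppnetwork.org.
"""

_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
_SERVFAIL_RE = re.compile(r"SERVFAIL <(\S+) (\S+) IN>: .*?, at zone (\S+)$")


def parse_answer_section(text):
    """Return (owner, ttl, rrtype, rdata) tuples from dig's ANSWER SECTION."""
    rrs, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False  # any other ';;' header or blank line ends the section
            continue
        if in_answer:
            m = _RR_RE.match(line)
            if m:
                rrs.append((m.group(1).lower(), int(m.group(2)),
                            m.group(3).upper(), m.group(4).strip().lower()))
    return rrs


def follow_cname(rrs, qname):
    """Follow CNAME RRs from qname; return the chain of names, last = final target."""
    cnames = {owner: rdata for owner, _, rtype, rdata in rrs if rtype == "CNAME"}
    chain = [qname.lower()]
    while chain[-1] in cnames and len(chain) < 16:  # bound against CNAME loops
        chain.append(cnames[chain[-1]])
    return chain


def parse_servfails(text):
    """Return (qname, qtype, zone) for each SERVFAIL line in unbound.log."""
    out = []
    for line in text.splitlines():
        m = _SERVFAIL_RE.search(line)
        if m:
            out.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return out


def in_zone(name, zone):
    """True if name is zone itself or lies below it (both with trailing dots)."""
    return name == zone or name.endswith("." + zone)


def explain(dig_text, log_text):
    """For each SERVFAIL, report whether the reported zone holds the final CNAME target.

    False means the dig output gives no chain reaching that zone (no data for the
    name, or the delegation is not visible in the answer section); it does not by
    itself mean the log line is wrong.
    """
    rrs = parse_answer_section(dig_text)
    results = {}
    for qname, qtype, zone in parse_servfails(log_text):
        chain = follow_cname(rrs, qname)
        results[(qname, qtype)] = {
            "zone": zone,
            "cname_chain": chain,
            "final_name": chain[-1],
            "zone_holds_final_name": in_zone(chain[-1], zone),
        }
    return results


if __name__ == "__main__":
    for key, info in explain(DIG_OUTPUT, UNBOUND_LOG).items():
        print(key, "->", info)
```

Run against your own unbound.log and a fresh dig +trace of the failing name to see whether a SERVFAIL is a genuine upstream outage or a name the resolver can never reach from your vantage point.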
 
Switching the DNS flag still does not disable the DNS probe, as per the conclusion in this thread Network flooded by dns.msftncsi.com requests wrt 384.15, and I have just double checked on 384.17.
Instead of nvram, what I have just done - I put an empty string and 0.0.0.0 when the switch was on, applied, and then switched DNS probe off. Does the trick - nothing comes up on tcpdump anymore.

Next investigation for me - why spdMerlin bypasses unbound and goes straight to the external recursive DNS. I suspect this is due to the flag WAN: Use local caching DNS server as system resolver (default: No and I have No) from Tools / Other Settings.
The real question is what will break if I flick this flag to Yes - for example will Diversion or Unbound end up in an endless loop.

And I still need to figure out why not replace Diversion with Unbound ad-blocking.

And another discovery - some YouTube ads do not get blocked by YTblock, no idea why. Just saw an example in the iPhone's Safari.

Lovely Saturday everyone!
 
Thanks - I only just discovered the advanced option one hour ago and wondered what dig is for. I must apologise for suspecting a bug in unbound; clearly it is messed up by Microsoft DNS.
 
Check that Skynet isn’t blocking any outbound DNS queries for you. I just noticed my ISP DNS 75.75.75.75 is now in the public blocklist. So it’s not unheard of.
 
Next investigation for me - why spdMerlin bypasses unbound and goes straight to the external recursive DNS. I suspect this is due to the flag WAN: Use local caching DNS server as system resolver (default: No and I have No) from Tools / Other Settings.

The real question is what will break if I flick this flag to Yes - for example will Diversion or Unbound end up in an endless loop.
unbound doesn't loop here, no idea about Diversion as I don't use it.
Code:
    Version=3.14
    Local                                       md5=bdb9d03f2cffeba2d9d893f84a55dda9
    Github                                      md5=88e48deea3afb4ef38f3d4399dacae1d
    /jffs/addons/unbound/unbound_manager.md5    md5=88e48deea3afb4ef38f3d4399dacae1d

    Router Configuration recommended pre-reqs status:

    [✔] Swapfile=1048572 kB
    [✔] DNS Filter=ON
    [✔] DNS Filter=ROUTER
    [✖] Warning WAN: Use local caching DNS server as system resolver=YES          see http://10.88.8.1:80/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
    [✔] Entware NTP server is running
    [✔] Enable DNS Rebind protection=NO
    [✔] Enable DNSSEC support=NO

    Options: Auto Reply='y' for User Selectable Options ('1 4') unbound Logging,Performance Tweaks

    [✔] unbound Logging
    [✔] unbound CPU/Memory Performance tweaks
    [✔] Router Graphical GUI statistics TAB installed
    [✔] unbound-control FAST response ENABLED
    [✔] DNS Firewall ENABLED
    [✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)
    [✔] YouTube Ad Blocking (Forcing to use YT IP 74.125.166.169, No. of YouTube Video Ad domains=14)
 
Not sure if I have everything set up correctly for Unbound. No errors in the install. When I do a dig, why do I see 2 DNS queries with 2 different DNS SERVERS in 2 ANSWER sections - 208.67.222.222#53 and 127.0.0.1#53535? Is this because I have DNS 208.67.222.222 configured in my router under the WAN section?

Code:
A:Option ==> ?

        Version=3.13
        Local                                           md5=88e48deea3afb4ef38f3d4399dacae1d
        Github                                          md5=88e48deea3afb4ef38f3d4399dacae1d
        /jffs/addons/unbound/unbound_manager.md5        md5=88e48deea3afb4ef38f3d4399dacae1d

        Router Configuration recommended pre-reqs status:

        [✔] Swapfile=258960 kB
        [✔] DNS Filter=ON
        [✔] DNS Filter=ROUTER
        [✔] WAN: Use local caching DNS server as system resolver=NO
        [✔] Enable local NTP server=YES
        [✔] Enable DNS Rebind protection=NO
        [✔] Enable DNSSEC support=NO

        Options: Auto Reply='y' for User Selectable Options ('4') Performance Tweaks

        [✔] unbound CPU/Memory Performance tweaks
        [✔] Router Graphical GUI statistics TAB installed
        [✔] unbound-control FAST response ENABLED

Code:
A:Option ==> dig sigok.verteiltesysteme.net

; <<>> DiG 9.14.8 <<>> txt sigok.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25635
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      TXT

;; AUTHORITY SECTION:
verteiltesysteme.net.   3600    IN      SOA     ns1.verteiltesysteme.net. dnssec.vs.uni-due.de. 95 43200 7200 3600000 3600

;; Query time: 220 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat May 16 15:19:40 UTC 2020
;; MSG SIZE  rcvd: 115


; <<>> DiG 9.14.8 <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9742
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 1200 IN     A       134.91.78.139

;; Query time: 129 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1)
;; WHEN: Sat May 16 15:19:40 UTC 2020
;; MSG SIZE  rcvd: 71

I also see a bunch of errors in the log... is this normal?
Code:
May 16 11:12:36 unbound[1314:0] error: SERVFAIL <config.rcs.mnc410.mcc310.pub.3gppnetwork.org. A IN>: all servers for this domain failed, at zone gslb.mnc410.mcc310.pub.3gppnetwork.org.
 
Not sure if I have everything set up correctly for Unbound. No errors in the install. When I do a dig, why do I see 2 DNS queries with 2 different DNS SERVERS in 2 ANSWER sections - 208.67.222.222#53 and 127.0.0.1#53535? Is this because I have DNS 208.67.222.222 configured in my router under the WAN section?
The 'dig' command is issued twice, with the second explicitly requesting unbound to reply.

Clearly the first dig command used a third party DNS forwarder....perhaps a DoT/Stubby configuration?
I also see a bunch of errors in the log... is this normal?
Code:
May 16 11:12:36 unbound[1314:0] error: SERVFAIL <config.rcs.mnc410.mcc310.pub.3gppnetwork.org. A IN>: all servers for this domain failed, at zone gslb.mnc410.mcc310.pub.3gppnetwork.org.
Google says 'pub.3gppnetwork.org' is Telstra (Aussie telco) so obviously I can't dig those sub-domains as presumably they are internal and only available to Telstra subscribers?
 
The 'dig' command is issued twice, with the second explicitly requesting unbound to reply.

Clearly the first dig command used a third party DNS forwarder....perhaps a DoT/Stubby configuration?
So, is my Unbound working correctly then? Just want to make sure I have not messed anything up! I have an AC68 with std config. I have not configured anything for DoT - see attached WAN settings. And my DNSFilter is set to Router.

(attached screenshot: upload_2020-5-16_12-19-41.png)


Google says 'pub.3gppnetwork.org' is Telstra (Aussie telco) so obviously I can't dig those sub-domains as presumably they are internal and only available to Telstra subscribers?

This is strange as I'm in the US and nothing in my system connects to Telstra. Time to investigate! Thanks!
 
So, is my Unbound working correctly then? Just want to make sure I have not messed anything up! I have an AC68 with std config. I have not configured anything for DoT - see attached WAN settings. And my DNSFilter is set to Router.
What do you have for
Code:
cat /etc/resolv.conf
 
nameserver 208.67.222.222
nameserver 208.67.220.220
So that explains why 'dig' used '208.67.222.222' as the Primary DNS server rather than unbound.

You will hopefully identify the usual suspects.
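A check that shows why the two dig runs above were answered by different servers, and why a router-local tool such as spdMerlin (raised earlier in the thread) can bypass unbound. This is an added example, not unbound_manager's own code: it reads the /etc/resolv.conf contents and the ";; SERVER:" lines quoted in the thread, embedded as constants, and uses the port layout the page shows (dnsmasq on 127.0.0.1#53, unbound on 127.0.0.1#53535); the verdict strings are the example's own. dig without an @server argument, like any other program using the router's libc resolver, consults /etc/resolv.conf; with "Use local caching DNS server as system resolver" set to No that file holds the WAN DNS servers, so router-local lookups go straight upstream while LAN clients, which ask dnsmasq, still reach unbound.

```python
"""Report which resolver answered each dig run on the router, and why.

Added example, not unbound_manager code. Inputs are copied from the thread and
embedded as constants; the port numbers follow the layout shown on the page.
"""
import re

RESOLV_CONF = """\
nameserver 208.67.222.222
nameserver 208.67.220.220
"""

# ';; SERVER:' lines taken from the dig output posted in the thread.
DIG_SERVER_LINES = [
    ";; SERVER: 208.67.222.222#53(208.67.222.222)",
    ";; SERVER: 127.0.0.1#53535(127.0.0.1)",
    ";; SERVER: 127.0.0.1#53(127.0.0.1)",
]

UNBOUND_PORT = 53535  # unbound listener as configured by unbound_manager
DNSMASQ_PORT = 53     # dnsmasq, which unbound_manager points at unbound
LOOPBACK = ("127.0.0.1", "::1")
_SERVER_RE = re.compile(r"^;; SERVER: (\S+?)#(\d+)\(")


def parse_resolv_conf(text):
    """Return nameserver addresses in order, ignoring comments and other directives."""
    servers = []
    for line in text.splitlines():
        line = re.split(r"[#;]", line, 1)[0].strip()  # resolv.conf comments: '#' or ';'
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_server_line(line):
    """Extract (address, port) from a dig ';; SERVER:' line."""
    m = _SERVER_RE.match(line)
    if not m:
        raise ValueError(f"not a dig SERVER line: {line!r}")
    return m.group(1), int(m.group(2))


def classify(server, port, resolv_servers):
    """Name the resolver that answered and whether unbound was bypassed."""
    if server in LOOPBACK and port == UNBOUND_PORT:
        return "unbound (queried directly)"
    if server in LOOPBACK and port == DNSMASQ_PORT:
        return "dnsmasq (forwards to unbound under unbound_manager)"
    if server in resolv_servers:
        return "upstream from /etc/resolv.conf (unbound bypassed)"
    return "unknown resolver (not loopback, not in /etc/resolv.conf)"


def audit(resolv_text, server_lines):
    """Return (address, port, verdict) for every dig SERVER line."""
    resolv = parse_resolv_conf(resolv_text)
    return [(*parse_server_line(l), classify(*parse_server_line(l), resolv))
            for l in server_lines]


def system_resolver_uses_router(resolv_text):
    """True when every nameserver is loopback, i.e. the WAN option
    'Use local caching DNS server as system resolver' is in effect."""
    servers = parse_resolv_conf(resolv_text)
    return bool(servers) and all(s in LOOPBACK for s in servers)


if __name__ == "__main__":
    print("system resolver is the router:", system_resolver_uses_router(RESOLV_CONF))
    for server, port, verdict in audit(RESOLV_CONF, DIG_SERVER_LINES):
        print(f"{server}#{port}: {verdict}")
```

Paste in your own cat /etc/resolv.conf output and the SERVER lines from dig to see whether a script on the router is resolving through unbound or straight through the WAN servers.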
 
