Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


Hi,

Can somebody give me a brief description of what a DNS Firewall does above or beyond the base router firewall, or point me to a discussion that would explain it as it relates to this Unbound?

Thanks,
Anton
 
Now that I'm using Unbound, my previous choice of DNS servers (Quad9, Cloudflare), though still configured in the router GUI, are no longer the servers I'm reaching. Doing a "what's my DNS server" type test shows me as using my ISP's DNS servers now. Is that normal?

Thanks.
 
Now that I'm using Unbound, my previous choice of DNS servers (Quad9, Cloudflare), though still configured in the router GUI, are no longer the servers I'm reaching. Doing a "what's my DNS server" type test shows me as using my ISP's DNS servers now. Is that normal?

Thanks.
Yes, that's the whole purpose of Unbound as a recursive resolver. It does the same work that Quad9 or Cloudflare would do with your queries. But the difference is that it isn't your ISP's DNS servers you're seeing; it should be your own WAN IP address (from your ISP) that shows up as the detected DNS server. Big but subtle difference.
 
Yes, that's the whole purpose of Unbound as a recursive resolver. It does the same work that Quad9 or Cloudflare would do with your queries. But the difference is that it isn't your ISP's DNS servers you're seeing; it should be your own WAN IP address (from your ISP) that shows up as the detected DNS server. Big but subtle difference.
Yes! I see that now. Thanks for the explanation.

Anton
 
Baby steps etc. i.e. how widespread is the use of unbound as the Primary DNS for the LAN?

In the interim, I suggest you place your custom mods in 'unbound.conf.add', rather than 'unbound.conf.localhosts' as when switching between unbound/dnsmasq, 'unbound.conf.localhosts' will get flushed/rebuilt, but the contents of 'unbound.conf.add' will not be altered but will be added on every unbound startup.

P.S. You're welcome to provide examples (or write the code and submit a pull request!);)

Hey,
Saw your previous note. Got busy with work-work. Quick updates, then one issue that might be a biggy with cnames.

1. I tried unbound.conf.add and it was not read. No biggy.
2. Thought about a strategy for multiple S2S VPNs setup with dns sub-domains and Merlin powered routers (router1.site1.contoso.com, router2.site2.contoso.com etc.), and have been thinking the .zone strategy you are using for rpz etc. might be best? Thoughts?
3. Been testing with combinations of local-zone and local-data for the records migration thus far...

I have been reading up about these things and also been using: https://www.bentasker.co.uk/documentation/linux/279-unbound-adding-custom-dns-records

Key from there:

You can add a CNAME entry in local-data, however as Unbound isn't an Authoritative resolver it won't expand it. If a client makes a query for an A record they won't receive the CNAME in response.

That blog references (from 10 years ago): https://lists.nlnetlabs.nl/pipermail/unbound-users/2009-March/000509.html

So, not sure if the above is also still true, but I agree, baby steps...

I am curious on your thought about the above.
 
This thread is for the discussion topic: unbound_manager script.


As per the GitHub Hints/Tips: Differences between the operational modes


'Easy' mode - you have limited Install options, i.e. the Advanced Options
  • Stubby Integration
  • DoT installs
are not available.
'Advanced' mode - you can fully customise the choice of options implemented.


'Advanced' mode

[screenshot: 'Advanced' mode (attachment 22680)]

'Easy' mode (This is the default when invoked from amtm)

[screenshot: 'Easy' mode (attachment 22679)]


INSTALLATION NOTE: If you wish to manually install unbound (or understand the necessary steps) see the instructions here

Pre-reqs:

  • Asus Router running the RMerlin firmware (see AsusWRT-Merlin)
  • Entware must be installed (Many popular 3rd Party scripts now require Entware e.g. amtm)
Recommended unbound compatible Router Settings pre-reqs:

[✔] Swapfile=262140 kB (min 256 MB)
[✔] DNS Filter=ON
[✔] DNS Filter=ROUTER
[✔] WAN: Use local caching DNS server as system resolver=NO
[✔] Enable local NTP server=YES
[✔] Enable DNS Rebind protection=NO
[✔] Enable DNSSEC support=NO

If the router settings do not match the above, a hyperlink will be shown to assist

e.g.
[❌] ***ERROR WAN: Use local caching DNS server as system resolver=YES
see http://192.168.1.1/Tools_OtherSettings.asp -> Advanced Tweaks and Hacks

Manual installation of unbound - like most tasks - is easy once you know how, but for non-techies, why spend time frustratingly typing in cryptic directives/commands into the router when you could simply let someone else facilitate the task, who will remain accountable when it goes wrong! ;)

The goal of unbound_manager is to seamlessly integrate unbound with the inherent dnsmasq but to ensure that unbound_manager can always be used to instantly remove unbound in seconds, i.e. a REBOOT (whilst recommended) isn't mandatory during the installation, nor for an uninstall.

Furthermore, the script provides useful features via simple menu options, that do not intimidate non-techies, but allow them to investigate (and for the adventurous) tweak the unbound configuration without any drama.

If you are running amtm >v3.1.2

[screenshot: attachment 22673]

then use item '7', otherwise see the one-line command unbound_manager Manual Installation

The unbound_manager.sh script is hosted on GitHub, and you can follow the development history here.

Looking for some advice here...

Which one is better suited to run on AX88U?
  1. DNSCrypt + Diversion
  2. Unbound + Diversion
  3. Unbound + Unbound-Adblocking
  4. DNSCrypt (anonymised relays) + Diversion
TBH, I haven't been able to figure out the main difference between DNSCrypt & Unbound (and that is the core of my confusion).
I guess once that I can get that bit sorted, the next question of which ad-blocking may become easier to resolve.

Any direct answers, links to forum posts or independent reading would be much appreciated.
 
I took a plunge and switched over to unbound ad-blocking and blacklisting. Option ad shows some diffs, but have not found yet the script to synchronise lists yet. Left pixelserv alone for time being. Not sure why its future is in doubt? Returning one pixel was always meant to be faster... But to be fair, do not miss it just yet



I switched off dnsmasq from the menu as per below and have observed that aliases of my router that worked with dnsmasq will now work with unbound without dnsmasq. Presumably by choice, but worth checking... So I have as follows:

These names are all fine
myasus
myasus.local
RT-AX88U-6D88
RT-AX88U-6D88.local

These two do not work anymore, while all local hosts work ok with mydomain - in my view it is inconsistent, any reason?
myasus.mydomain
RT-AX88U-6D88.mydomain

These three do not resolve anymore to my local router as they did before. One can wonder why ASUS put them in first place, perhaps there's some internal logic. Maybe Mesh will stop working (I am not using it) or something else from the closed code.
router.asus.com
www.asusnetwork.net
www.asusrouter.com

Views?
@Slawek P

I've uploaded v3.15b beta to GitHub dev branch.

If you have time could you please test it to see if it correctly migrates your '/etc/hosts' to unbound format '/opt/share/unbound/configs/unbound.conf'.
Code:
e  = Exit Script [?]

A:Option ==> dnsmasq disable

    If you currently use or rely on dnsmasq features such as Diversion/x3mRouting etc., then re-consider.

    Do you still want to DISABLE dnsmasq?

    Reply 'y' or press [Enter]  to skip
y

13:31:16 Configuring unbound to be the primary DNS for ALL LAN Clients.....


13:31:16 Converting '/etc/hosts.dnsmasq' local hosts to 'unbound'.....
13:31:20 Converting '/etc/hosts' local hosts to 'unbound'.....

13:31:21 Converting dnsmasq 'address=/' and 'server=/' directives to 'unbound'.....

<snip>
 
Saw your previous note. Got busy with work-work.
No problem - just wanted useful real-world feedback regarding the possible combinations of potentially complex dnsmasq directives that need to be parsed into their unbound equivalents.
1. I tried unbound.conf.add and it was not read. No biggy.
:confused: The feature should work... if the 'include:' directive appears in 'unbound.conf' ?
3. Been testing with combinations of local-zone and local-data for the records migration thus far...
I've uploaded v3.15b beta to GitHub dev branch.

If you have time could you please test it to see if it correctly migrates your custom 'address=/' and 'server=/' directives to unbound format '/opt/share/unbound/configs/unbound.conf'.
Code:
e  = Exit Script [?]

A:Option ==> dnsmasq disable

   If you currently use or rely on dnsmasq features such as Diversion/x3mRouting etc., then re-consider.

   Do you still want to DISABLE dnsmasq?

   Reply 'y' or press [Enter]  to skip
y

13:31:16 Configuring unbound to be the primary DNS for ALL LAN Clients.....


13:31:16 Converting '/etc/hosts.dnsmasq' local hosts to 'unbound'.....
13:31:20 Converting '/etc/hosts' local hosts to 'unbound'.....

13:31:21 Converting dnsmasq 'address=/' and 'server=/' directives to 'unbound'.....

<snip>
 
With V 3.15B

/opt/share/unbound/configs/unbound.conf.localhosts:67: error: unknown keyword 'yes'

read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file


***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

Code:
tOmsK@RT-AC68U-4690:/tmp/home/root# unbound -dv
[1589807558] unbound[14561:0] notice: Start of unbound 1.10.0.
/opt/share/unbound/configs/unbound.conf.localhosts:67: error: unknown keyword 'yes'
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1589807558] unbound[14561:0] fatal error: Could not read config file: /opt/var/lib/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf

Code:
# Replicate 'address=/  directives

local-zone: "use-application-dns.net A " static


# Replicate 'server=/  directives

forward-zone:
    name: ""
    forward-addr:
    forward-first: yes
 
Looking for some advice here...

Which one is better suited to run on AX88U?
  1. DNSCrypt + Diversion
  2. Unbound + Diversion
  3. Unbound + Unbound-Adblocking
  4. DNSCrypt (anonymised relays) + Diversion
TBH, I haven't been able to figure out the main difference between DNSCrypt & Unbound (and that is the core of my confusion).
I guess once that I can get that bit sorted, the next question of which ad-blocking may become easier to resolve.

Any direct answers, links to forum posts or independent reading would be much appreciated.
IMO the AX88U has enough resources to run Unbound + Diversion; I would go for that. Diversion still offers you the most customization for ad-blocking and Unbound does an excellent job as a recursive DNS server. At least that's what I'm running successfully now for several months.
 
With V 3.15B




Code:
tOmsK@RT-AC68U-4690:/tmp/home/root# unbound -dv
[1589807558] unbound[14561:0] notice: Start of unbound 1.10.0.
/opt/share/unbound/configs/unbound.conf.localhosts:67: error: unknown keyword 'yes'
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1589807558] unbound[14561:0] fatal error: Could not read config file: /opt/var/lib/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
Why not post what the syntax error actually is?:rolleyes::rolleyes::rolleyes:
 
Why not post what the syntax error actually is?:rolleyes::rolleyes::rolleyes:
Because I'm not sure how to do that..... sorry if I'm not being helpful... I'll wind my neck in

Code:
# Replicate 'server=/  directives

forward-zone:
    name: ""
    forward-addr:
    forward-first: yes
 
With V 3.15B



Code:
tOmsK@RT-AC68U-4690:/tmp/home/root# unbound -dv
[1589807558] unbound[14561:0] notice: Start of unbound 1.10.0.
/opt/share/unbound/configs/unbound.conf.localhosts:67: error: unknown keyword 'yes'
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1589807558] unbound[14561:0] fatal error: Could not read config file: /opt/var/lib/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf

Code:
# Replicate 'address=/  directives

local-zone: "use-application-dns.net A " static


# Replicate 'server=/  directives

forward-zone:
    name: ""
    forward-addr:
    forward-first: yes
You will need to provide diagnostic output of your custom dnsmasq directives

e.g. the following two dnsmasq directives
Code:
awk '/^server/ || /^address/ {print $0}' /etc/dnsmasq.conf

server=/pool.ntp.org/1.1.1.1

address=/sitex.com/127.0.0.1
should be converted to unbound format
Code:
# Replicate 'address=/  directives

local-zone: "sitex.com A 127.0.0.1" static

# Replicate 'server=/  directives

forward-zone:
    name: "pool.ntp.org"
    forward-addr: 1.1.1.1
    forward-first: yes
 
You will need to provide diagnostic output of your custom dnsmasq directives

e.g. the following two dnsmasq directives
Code:
awk '/^server/ || /^address/ {print $0}' /etc/dnsmasq.conf

server=/pool.ntp.org/1.1.1.1

address=/sitex.com/127.0.0.1
should be converted to unbound format
Code:
# Replicate 'address=/  directives

local-zone: "sitex.com A 127.0.0.1" static

# Replicate 'server=/  directives

forward-zone:
    name: "pool.ntp.org"
    forward-addr: 1.1.1.1
    forward-first: yes
I don't have any server directives... but I do have a strange looking address in there
Code:
address=/use-application-dns.net/
 
I don't have any server directives... but I do have a strange looking address in there
Code:
address=/use-application-dns.net/
OK thanks.

v3.15b was intended for the OP with apparently multiple 'address=/' and 'server=/' directives, so I suspect v3.15b blindly assumes both are always present. :rolleyes:
 
OK thanks.

v3.15b was intended for the OP with apparently multiple 'address=/' and 'server=/' directives, so I suspect v3.15b blindly assumes both are always present. :rolleyes:
Ah ok ... sorry I'm not really helpful in that case... but better to trip over that one now I guess before your intended OP says .. "it's all good" and later you get my scenario.
 
Ah ok ... sorry I'm not really helpful in that case... but better to trip over that one now I guess before your intended OP says .. "it's all good" and later you get my scenario.
I've updated v3.15b, so hopefully it should no longer attempt to migrate non-existent 'server=/' directives, but I personally hadn't noticed
Code:
address=/use-application-dns.net/
so I suspect the unbound directive currently generated for the above is also garbage but non-fatal.

EDIT: see Mozilla Canary Domain
I suspect it should be converted to
Code:
local-zone: "use-application-dns.net" always_nxdomain
 
I've updated v3.15b, so hopefully it should no longer attempt to migrate non-existent 'server=/' directives, but I personally hadn't noticed
Code:
address=/use-application-dns.net/
so I suspect the unbound directive generated for the above is also garbage but non-fatal, but not sure why it is there:confused:
You probably want to be mindful of "incomplete" but "valid" server or address directives that do not contain an IP after the domain name, which is used as a way to force an NXDOMAIN for a domain within dnsmasq, such as the Firefox DoH example in your post.
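The conversion sketched earlier in the thread (dnsmasq 'server=/' and 'address=/' directives to unbound forward-zone / local-zone entries) together with the empty-address NXDOMAIN case raised just above, as an added POSIX shell example; this is not unbound_manager's own code. It assumes the plain domain/target form of each directive (dnsmasq's #port and @interface suffixes are not handled) and reads the directives on stdin, e.g. from the awk one-liner shown earlier. Unlike the earlier snippet it emits the record in a separate local-data: line under a redirect zone, because unbound's local-zone: accepts only a zone name and a zone type, and dnsmasq's address= matches the domain and all of its subdomains.

```sh
#!/bin/sh
# dnsmasq_to_unbound: read dnsmasq 'server=/' and 'address=/' lines on stdin
# and print the unbound equivalents. Added example for this thread; it is not
# part of unbound_manager. Assumes busybox/POSIX sh, as found on the router.
dnsmasq_to_unbound() {
    while IFS= read -r line; do
        case "$line" in
            server=/*|address=/*) ;;                 # the two forms handled here
            *) continue ;;                           # ignore every other directive
        esac
        kind=${line%%=*}                             # "server" or "address"
        rest=${line#*=/}                             # "domain/target" or "domain/"
        case "$rest" in
            */*) ;;
            *) echo "# skipped (malformed, no closing '/'): $line"; continue ;;
        esac
        domain=${rest%%/*}
        target=${rest#*/}
        if [ -z "$domain" ]; then
            echo "# skipped (empty domain): $line"
            continue
        fi
        case "$kind" in
            address)
                if [ -z "$target" ]; then
                    # address=/domain/ with no IP is how dnsmasq forces NXDOMAIN
                    # (the use-application-dns.net canary case discussed above)
                    printf 'local-zone: "%s" always_nxdomain\n' "$domain"
                else
                    # address=/domain/ip answers the domain and all subdomains with
                    # that IP: a 'redirect' zone plus the record in local-data
                    rtype=A
                    case "$target" in *:*) rtype=AAAA ;; esac
                    printf 'local-zone: "%s" redirect\n' "$domain"
                    printf 'local-data: "%s %s %s"\n' "$domain" "$rtype" "$target"
                fi
                ;;
            server)
                if [ -z "$target" ]; then
                    # server=/domain/ without an address tells dnsmasq not to forward
                    # the domain at all, so no forward-zone is generated for it
                    echo "# skipped (server=/$domain/ has no upstream address): $line"
                else
                    printf 'forward-zone:\n    name: "%s"\n    forward-addr: %s\n    forward-first: yes\n' \
                        "$domain" "$target"
                fi
                ;;
        esac
    done
}

# Constructed sample input: the three cases seen in this thread plus an
# unrelated dnsmasq directive that must be ignored.
sample_input() {
    printf 'server=/pool.ntp.org/1.1.1.1\naddress=/sitex.com/127.0.0.1\naddress=/use-application-dns.net/\nlisten-address=127.0.0.1\n'
}

# Usage on the router (appends to the file that survives dnsmasq/unbound switches):
#   sample_input | dnsmasq_to_unbound >> /opt/share/unbound/configs/unbound.conf.add
```

Because the function only emits a forward-zone when a 'server=/' line with an upstream address is actually present, the empty `name: ""` forward-zone that broke the v3.15b run above cannot be produced. Whatever the converter writes, run `unbound-checkconf /opt/var/lib/unbound/unbound.conf` before restarting unbound, so a bad directive is caught as a check failure rather than as an aborted restart.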
 
You probably want to be mindful of "incomplete" but "valid" server or address directives that do not contain an IP after the domain name, which is used as a way to force an NXDOMAIN for a domain within dnsmasq, such as the Firefox DoH example in your post.

So this directive would have been added by the firmware itself using the "prevent client auto DoH" in the GUI WAN page?
 
It does, but it changes unbound from a recursive resolver to just another forwarder like stubby.

EDIT: with this my 2,000th post, I am now part of the furniture. Please remember me as I was, not as a nice Chesterfield or an ottoman.
As you wish. Barenaked Lady it is, then. :p
 
