Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Martineau]

This there a way I can more blocklist to the Ad and tracker blocking?

Use menu option 'ecb' to edit/add Ad Block lists

Spoiler: Advanced menu options

unbound (pid 31108) is running... uptime: 0 Days, 18:59:31 version: 1.10.1 # rgnldo Github Version=v1.10 Martineau update (Date Loaded by unbound_manager Sun Aug 2 13:03:16 DST 2020)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')     l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                 v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x  = Stop unbound                                                   vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration
                                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                            oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size                             s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user5.asp)
                                                                    adblock = Install Ad Block [uninstall | update | track]
DisableFirefoxDoH = Disable Firefox DoH [yes | no]                  youtube = Install YouTube Ad Block [uninstall | update]
Stubby = Enable Stubby Integration                                  DoT = Enable DNS-over-TLS
                                                                    firewall = Enable DNS Firewall [disable | ?]
bind = BIND unbound to WAN [debug | disable | debug show]           vpn = BIND unbound to VPN {vpnid [debug]} | [disable | debug show] e.g. vpn 1

scribe = Enable scribe (syslog-ng) unbound logging                  ad = Analyse Diversion White/Block lists ([ file_name [type=adblock] ])
dnsmasq = Disable dnsmasq [disable | interfaces | nointerfaces]     ea = Edit Ad Block Allowlist (eb=Blocklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT)  ca = Cache Size Optimisation [ min | calc ]
                                                                    views = [? | uninstall] | {view_name [? | remove]} | {view_name [[type] domain_name[...] | IP_address[...]] [del]} ]

dig = {domain} [time] Show dig info e.g. dig asciiart.com           lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu 
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                        dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links


[Enter] Leave Advanced Tools Menu

e  = Exit Script [?]

A:Option ==> ecb

    Ad Block file '/opt/share/unbound/configs/blocksites' NOT changed....Ad Block update skipped

 

[Martineau]

Problems with unbound I've faced during the test, the VPN bind does not work correctly, it will always force bind to WAN the only way is to change the config directly and input the VPN IP.

Works fine for me...

If you feel the VPN IP is not being correctly identified/configured in 'unbound.conf' then you will need to debug/show what value is being used

A:Option ==> vpn 1 debug

Do you want to route unbound requests through VPN Client '1' tunnel?

    Reply 'y' or press [Enter]  to skip
y

    unbound requests via VPN Client 1 (100.120.136.44) tunnel ENABLED, and tracked in Syslog
    
08:34:08 Checking 'unbound.conf' for valid Syntax.....
08:34:15 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=2971/592 rrset.cache=8484/3437
08:34:15 Requesting unbound (S61unbound) restart.....
 Shutting down unbound...              done. 
 Starting unbound...              done. 
08:34:21 Checking status, please wait..... 
08:34:28 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-08-03 08:34:13) msg.cache=9/592 rrset.cache=333/3437
08:34:31 unbound OK

grep -E "^[#]*outgoing-interface" /opt/var/lib/unbound/unbound.conf 

outgoing-interface: 100.120.136.44        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

e  = Exit Script [?]

A:Option ==> vpn debug show

Aug  3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx UDP SPT=55553 DPT=53
Aug  3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx UDP SPT=12287 DPT=53
Aug  3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx SPT=21707 DPT=53
Aug  3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx SPT=25982 DPT=53
Aug  3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx UDP SPT=23390 DPT=53
Aug  3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx UDP SPT=39377 DPT=53
<snip>

Even if I input the correct IP from my VPN, it does not update automatically once the VPN IP changes. Not sure if it's meant to be this way.

You need to ensure that the current VPN IP is used in 'unbound.conf' depending on the UP state of the VPN client using the appropriate scripts.

see this post#

Similarly you should reset the 'outgoing-interface' to the WAN when the VPN client terminates, and also during the boot process prior to the start request of the target VPN client.

 

[nzwayne]

Installed 384.19 beta1 at 10pm (EDT) last night, in just a dirty upgrade over Alpha1. Afterwards, all looked ok on a quick peek of Router functions, AMTM 3.1.7 report showed all scripts and release levels. Picked up from the Unbound GUI next morning (10am) that Unbound was having zero cache hits. Powered off/on the Router (as I like to do anyways after a firmware code update) and cache hits started working again. Just posted here in the Unbound Forum as a FYI, in case others have seen the same?
BTW: My cache ratio varies each week between 75-80%. That reads like awesome statistics, and why one should use Unbound!

 

[QuikSilver]

Has anyone seen an issue with country banning within skynet AND using unbound? I know the installer alerts you to it but what kind of issues would be seen? I do notice a "hiccup" every now and then but nothing I'd say would be a deal breaker. Wonder if country block would be part of issue though.

 

[dave14305]

Has anyone seen an issue with country banning within skynet AND using unbound? I know the installer alerts you to it but what kind of issues would be seen? I do notice a "hiccup" every now and then but nothing I'd say would be a deal breaker. Wonder if country block would be part of issue though.

If the authoritative server for a domain you’re querying resides in the IP space of a banned country, the query will fail for no valid reason other than you decided to ban the country. If a DNS query was blocked because the authoritative server IP also happened to be banned as a known malware IP, then that would be useful. But country-level bans make no such distinction.

 

[QuikSilver]

If the authoritative server for a domain you’re querying resides in the IP space of a banned country, the query will fail for no valid reason other than you decided to ban the country. If a DNS query was blocked because the authoritative server IP also happened to be banned as a known malware IP, then that would be useful. But country-level bans make no such distinction.

Ah ok, thanks @dave14305. I reside in America so I hope my queries aren't going overseas.

 

[dave14305]

Ah ok, thanks @dave14305. I reside in America so I hope my queries aren't going overseas.

Your DNS queries with Unbound will go wherever the requested domain has their authoritative name server. This is a bad example since Skynet whitelists diversion.ch, but the authoritative NS for diversion.ch is hosted in Switzerland. If you decided to ban Switzerland (who doesn't love Switzerland?) then you wouldn't be able to resolve diversion.ch through Unbound because the recursive query to the DNS server in Switzerland would be blocked.

 

[jsbeddow]

@QuikSilver
For what it's worth, I also ban a couple of countries with Skynet (China and Russia), but have not seen any ill effects from doing this for the last several months. Obviously, YMMV , depending on what sites and services you use and expect to work. Clearly, we have been warned NOT to use the Skynet country bans when installing Unbound, so I will accept any negative consequences from doing so.

 

[QuikSilver]

Your DNS queries with Unbound will go wherever the requested domain has their authoritative name server. This is a bad example since Skynet whitelists diversion.ch, but the authoritative NS for diversion.ch is hosted in Switzerland. If you decided to ban Switzerland (who doesn't love Switzerland?) then you wouldn't be able to resolve diversion.ch through Unbound because the recursive query to the DNS server in Switzerland would be blocked.

@QuikSilver
For what it's worth, I also ban a couple of countries with Skynet (China and Russia), but have not seen any ill effects from doing this for the last several months. Obviously, YMMV , depending on what sites and services you use and expect to work. Clearly, we have been warned NOT to use the Skynet country bans when installing Unbound, so I will accept any negative consequences from doing so.

Thanks! I guess I should have worded my thoughts better. I don't expect to surf to sites hosted by what I deem dangerous countries (China, Russia, etc...) Thanks for the explanation.

 

[raion969]

heyy

What settings do you recommend for unbound to get the best performance for gaming ? do you enable dns firewall

 

[juched]

heyy

What settings do you recommend for unbound to get the best performance for gaming ? do you enable dns firewall

DNS Firewall has no impact on your ping to IPs or throughput.

 

[raion969]

so should be enabled in unbound or ?

 

[Gar]

I'm a 3 hour veteran of Unbound. These questions have probably been answered but decided to ask anyway despite possible ridicule.

Does it matter what is placed in the DNS Server fields now that I use unbound? I have been a Q9 user for a while so 9.9.9.9 is in DNS 1, and 2 is still empty. Always with DNS filter set to ON and Router.

Will the Stats log fill before the first 24 hours pass? Mine is empty.

Leave the IP Pool starting address alone (default 192.168.50.2)? I assume this since no mention was made. I had changed it to .3 for Diversion/Pixelserv which is gone now.

Thanks.

 

[dave14305]

Does it matter what is placed in the DNS Server fields now that I use unbound? I have been a Q9 user for a while so 9.9.9.9 is in DNS 1, and 2 is still empty. Always with DNS filter set to ON and Router.

It needs to be a valid and redundant set of DNS servers for the router’s own functionality to be assured. Clients won’t use it once Unbound starts, but the router will.

Leave the IP Pool starting address alone (default 192.168.50.2)? I assume this since no mention was made. I had changed it to .3 for Diversion/Pixelserv which is gone now.

I wouldn’t be hasty to change it back to .2 until you’re sure you don’t want to go back to Diversion. That said, I use Unbound with Diversion, but not Pixelserv. But I still have my DHCP scope set to start at .3 just in case I ever change my mind.

 

[Gar]

It needs to be a valid and redundant set of DNS servers for the router’s own functionality to be assured. Clients won’t use it once Unbound starts, but the router will.

I wouldn’t be hasty to change it back to .2 until you’re sure you don’t want to go back to Diversion. That said, I use Unbound with Diversion, but not Pixelserv. But I still have my DHCP scope set to start at .3 just in case I ever change my mind.

So, Diversion LIte to avoid Pixelserv then?

 

[gspannu]

It needs to be a valid and redundant set of DNS servers for the router’s own functionality to be assured. Clients won’t use it once Unbound starts, but the router will.

I wouldn’t be hasty to change it back to .2 until you’re sure you don’t want to go back to Diversion. That said, I use Unbound with Diversion, but not Pixelserv. But I still have my DHCP scope set to start at .3 just in case I ever change my mind.

Any particular treasons why you don’t use PixelServ in your combination? (Unbound + Diversion w/o PixelServ)

 

[heysoundude]

without sifting through 142 pages of this post, can anyone point me in a direction to be able to save my unbound metrics so that my graphs survive a reboot (like after a reflash of Merlin), please?

 

[Torson]

without sifting through 142 pages of this post, can anyone point me in a direction to be able to save my unbound metrics so that my graphs survive a reboot (like after a reflash of Merlin), please?

I can confirm that the graphs survive a reflash / reboot. However, the metrics only to certain degree - here is @Martineau's explanation:

http://www.snbforums.com/threads/re...nbound-recursive-dns-server.61669/post-607211

 

[juched]

without sifting through 142 pages of this post, can anyone point me in a direction to be able to save my unbound metrics so that my graphs survive a reboot (like after a reflash of Merlin), please?

Data for the graphs is written to the USB stick here:
/opt/var/lib/unbound/

 

[MoonPie2000]

I am looking for some help with an issue. I have tried to review this thread and Google for an answer but I am stuck. In a nutshell I use no-ip DDNS to point to my external router address (WAN). I use the DDNS URL to access a server on my local network behind my router (LAN) using a certificate issued to the DDNS URL name. When I try to access the server using the DDNS URL from my internal network behind the router with Unbound running on the router I get a - "DNS_PROBE_FINISHED_NXDOMAIN" - page - I also can not ping the URL from my LAN. When Unbound is NOT running I can successfully access my server using the DDNS URL from my LAN as well as ping the URL name. I can always successfully access the server when using a external network connection regardless of Unbound running or not. If i stop Unbound I can perform all the above tasks with success. I can also access the server from outside the internal network behind my router using the DDNS URL regardless of Unbound running or not on the router. If anyone can help I would appreciate it.