Use menu option 'ecb' to edit/add Ad Block lists.
Is there a way I can add more blocklists to the Ad and tracker blocking?
unbound (pid 31108) is running... uptime: 0 Days, 18:59:31 version: 1.10.1 # rgnldo Github Version=v1.10 Martineau update (Date Loaded by unbound_manager Sun Aug 2 13:03:16 DST 2020)
i = Update unbound and configuration ('/opt/var/lib/unbound/') l = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z = Remove unbound/unbound_manager v = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x = Stop unbound vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration
rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
? = About Configuration oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size s = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user5.asp)
adblock = Install Ad Block [uninstall | update | track]
DisableFirefoxDoH = Disable Firefox DoH [yes | no] youtube = Install YouTube Ad Block [uninstall | update]
Stubby = Enable Stubby Integration DoT = Enable DNS-over-TLS
firewall = Enable DNS Firewall [disable | ?]
bind = BIND unbound to WAN [debug | disable | debug show] vpn = BIND unbound to VPN {vpnid [debug]} | [disable | debug show] e.g. vpn 1
scribe = Enable scribe (syslog-ng) unbound logging ad = Analyse Diversion White/Block lists ([ file_name [type=adblock] ])
dnsmasq = Disable dnsmasq [disable | interfaces | nointerfaces] ea = Edit Ad Block Allowlist (eb=Blocklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT) ca = Cache Size Optimisation [ min | calc ]
views = [? | uninstall] | {view_name [? | remove]} | {view_name [[type] domain_name[...] | IP_address[...]] [del]} ]
dig = {domain} [time] Show dig info e.g. dig asciiart.com lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links
[Enter] Leave Advanced Tools Menu
e = Exit Script [?]
A:Option ==> ecb
Ad Block file '/opt/share/unbound/configs/blocksites' NOT changed....Ad Block update skipped
Works fine for me...
Problems with unbound I've faced during the test: the VPN bind does not work correctly, it will always force bind to WAN; the only way is to change the config directly and input the VPN IP.
A:Option ==> vpn 1 debug
Do you want to route unbound requests through VPN Client '1' tunnel?
Reply 'y' or press [Enter] to skip
y
unbound requests via VPN Client 1 (100.120.136.44) tunnel ENABLED, and tracked in Syslog
08:34:08 Checking 'unbound.conf' for valid Syntax.....
08:34:15 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=2971/592 rrset.cache=8484/3437
08:34:15 Requesting unbound (S61unbound) restart.....
Shutting down unbound... done.
Starting unbound... done.
08:34:21 Checking status, please wait.....
08:34:28 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-08-03 08:34:13) msg.cache=9/592 rrset.cache=333/3437
08:34:31 unbound OK
grep -E "^[#]*outgoing-interface" /opt/var/lib/unbound/unbound.conf
outgoing-interface: 100.120.136.44 # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)
e = Exit Script [?]
A:Option ==> vpn debug show
Aug 3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx UDP SPT=55553 DPT=53
Aug 3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx UDP SPT=12287 DPT=53
Aug 3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx SPT=21707 DPT=53
Aug 3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx SPT=25982 DPT=53
Aug 3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx UDP SPT=23390 DPT=53
Aug 3 08:34:23 RT-AC68U kernel: IN= OUT=vlan2 SRC=100.120.136.44 DST=xxx.xxx.xxx.xxx UDP SPT=39377 DPT=53
<snip>
You need to ensure that the current VPN IP is used in 'unbound.conf' depending on the UP state of the VPN client using the appropriate scripts.
Even if I input the correct IP from my VPN, it does not update automatically once the VPN IP changes. Not sure if it's meant to be this way.
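The reply above says the VPN client's current IP has to be written into 'unbound.conf' whenever the tunnel comes up. The following is an added example, not part of the thread or of unbound_manager: a POSIX shell helper that rewrites the `outgoing-interface` line matched by the `grep` shown earlier. The function names and the idea of calling it from a VPN-up script with the tunnel IP as argument are assumptions.

```shell
#!/bin/sh
# Added example; is_ipv4 and set_outgoing_interface are hypothetical helper names.

# Succeeds only for a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Point the (possibly commented-out) outgoing-interface line in conf $1 at IP $2.
# Returns 0 = file changed, 1 = already current, 2 = bad input or no such line.
set_outgoing_interface() {
    conf=$1; ip=$2
    [ -f "$conf" ] || return 2
    # Validate before writing: the value ends up in a resolver config file.
    is_ipv4 "$ip" || return 2
    grep -Eq '^[#]*outgoing-interface:' "$conf" || return 2

    # Escape the dots so the "already current" check matches the IP literally.
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    grep -Eq "^outgoing-interface:[[:space:]]*${ip_re}([[:space:]]|\$)" "$conf" && return 1

    # Write to a temp file and rename, so a failed edit never leaves a
    # half-written unbound.conf behind. Trailing comments on the line are kept.
    tmp="$conf.tmp.$$"
    sed -E "s/^[#]*outgoing-interface:[[:space:]]*[^[:space:]]+/outgoing-interface: $ip/" \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$conf"
    return 0
}
```

When the helper returns 0 the configuration still has to be reloaded, for instance with the menu's 'rl' option, before unbound uses the new address.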
If the authoritative server for a domain you’re querying resides in the IP space of a banned country, the query will fail for no valid reason other than you decided to ban the country. If a DNS query was blocked because the authoritative server IP also happened to be banned as a known malware IP, then that would be useful. But country-level bans make no such distinction.
Has anyone seen an issue with country banning within skynet AND using unbound? I know the installer alerts you to it but what kind of issues would be seen? I do notice a "hiccup" every now and then but nothing I'd say would be a deal breaker. Wonder if country block would be part of issue though.
Ah ok, thanks @dave14305. I reside in America so I hope my queries aren't going overseas.
Your DNS queries with Unbound will go wherever the requested domain has their authoritative name server. This is a bad example since Skynet whitelists diversion.ch, but the authoritative NS for diversion.ch is hosted in Switzerland. If you decided to ban Switzerland (who doesn't love Switzerland?) then you wouldn't be able to resolve diversion.ch through Unbound because the recursive query to the DNS server in Switzerland would be blocked.
Thanks! I guess I should have worded my thoughts better. I don't expect to surf to sites hosted by what I deem dangerous countries (China, Russia, etc...) Thanks for the explanation.
@QuikSilver
For what it's worth, I also ban a couple of countries with Skynet (China and Russia), but have not seen any ill effects from doing this for the last several months. Obviously, YMMV, depending on what sites and services you use and expect to work. Clearly, we have been warned NOT to use the Skynet country bans when installing Unbound, so I will accept any negative consequences from doing so.
DNS Firewall has no impact on your ping to IPs or throughput.
heyy
What settings do you recommend for unbound to get the best performance for gaming? Do you enable DNS firewall?
It needs to be a valid and redundant set of DNS servers for the router’s own functionality to be assured. Clients won’t use it once Unbound starts, but the router will.
Does it matter what is placed in the DNS Server fields now that I use unbound? I have been a Q9 user for a while so 9.9.9.9 is in DNS 1, and 2 is still empty. Always with DNS filter set to ON and Router.
I wouldn’t be hasty to change it back to .2 until you’re sure you don’t want to go back to Diversion. That said, I use Unbound with Diversion, but not Pixelserv. But I still have my DHCP scope set to start at .3 just in case I ever change my mind.
Leave the IP Pool starting address alone (default 192.168.50.2)? I assume this since no mention was made. I had changed it to .3 for Diversion/Pixelserv which is gone now.
So, Diversion Lite to avoid Pixelserv then?
Any particular reasons why you don’t use PixelServ in your combination? (Unbound + Diversion w/o PixelServ)
I can confirm that the graphs survive a reflash / reboot. However, the metrics only to a certain degree - here is @Martineau's explanation:
Without sifting through 142 pages of this post, can anyone point me in a direction to be able to save my unbound metrics so that my graphs survive a reboot (like after a reflash of Merlin), please?
Data for the graphs is written to the USB stick here: