Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

I am looking for some help with an issue. I have tried to review this thread and Google for an answer, but I am stuck. In a nutshell, I use no-ip DDNS to point to my external router address (WAN). I use the DDNS URL to access a server on my local network behind my router (LAN) using a certificate issued to the DDNS URL name. When I try to access the server using the DDNS URL from my internal network behind the router with Unbound running on the router, I get a "DNS_PROBE_FINISHED_NXDOMAIN" page; I also cannot ping the URL from my LAN. When Unbound is NOT running I can successfully access my server using the DDNS URL from my LAN as well as ping the URL name. I can always successfully access the server when using an external network connection regardless of whether Unbound is running or not. If I stop Unbound I can perform all the above tasks with success. I can also access the server from outside the internal network behind my router using the DDNS URL regardless of whether Unbound is running on the router or not. If anyone can help I would appreciate it.
Does the DDNS name resolve from a client on the LAN? Seems no, but post the results after redacting just enough characters so we don’t go trying to access your WAN IP.
 
dave14305 - I ran several tools from a Windows client on the LAN (DIG, PING, NSLOOKUP, TRACERT) with Unbound running and not running, along with DIG from the router using Unbound advanced tools, again with Unbound running / not running. If this is not what you are looking for please let me know. I appreciate the help.

Attachments: DIG from ROUTER with UNBOUND NOT running.png; Window client on LAN with UNBOUND NOT running.jpg; DIG from ROUTER with UNBOUND running.png; Window client on LAN with UNBOUND running.jpg
 
You're over-redacting. Is there any chance that the IP returned from your DDNS name is a private IP? I'm speculating maybe it's a DNS rebind issue, but there's so little to go on with everything redacted. There's no need to hide LAN IPs, for example. We can't get there from here.

Also, is there IPv6 enabled?

You can turn on some logging in unbound, or PM the DDNS name if you want a second opinion.
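The check asked for above (does the DDNS name resolve from a LAN client, and is the answer a private address that rebind protection would refuse) can be scripted so the comparison is repeatable. The following is an added example written for this thread, not code from unbound_manager or from any post here. It parses constructed `dig +short` output with Python's standard library; the 1.1.1.1 answer is only a stand-in for a public WAN address, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample outputs of `dig +short <ddns-name> @<resolver>` run from a
# LAN client. The public-resolver answer is a stand-in for a WAN address; the
# empty Unbound output is what an NXDOMAIN / no-answer reply looks like.
SAMPLE_DIG_OUTPUT = {
    "public_resolver": "1.1.1.1\n",
    "router_unbound": "",
}


def parse_dig_short(text):
    """Return the IP addresses printed by `dig +short` (CNAME lines are skipped)."""
    addrs = []
    for line in text.splitlines():
        line = line.strip().rstrip(".")
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))  # handles IPv4 and IPv6
        except ValueError:
            continue  # a CNAME target or other non-address line
    return addrs


def would_rebind_protection_block(addr):
    """True if a resolver that refuses answers pointing into private, loopback or
    link-local space (rebind protection) would drop an answer with this address."""
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def diagnose(public_text, unbound_text):
    """Classify a (public resolver answer, Unbound answer) pair for one name."""
    public = parse_dig_short(public_text)
    local = parse_dig_short(unbound_text)
    if local:
        return "unbound-resolves-ok"
    if not public:
        return "name-does-not-resolve-anywhere"
    if any(would_rebind_protection_block(a) for a in public):
        # The public answer is a private address: a rebind-protected resolver
        # is expected to return nothing for it.
        return "private-answer-likely-rebind-protection"
    # Public address answered upstream but nothing from Unbound: look at
    # Unbound's own log rather than at rebind protection.
    return "public-answer-missing-check-unbound-logs"


if __name__ == "__main__":
    print(diagnose(SAMPLE_DIG_OUTPUT["public_resolver"],
                   SAMPLE_DIG_OUTPUT["router_unbound"]))
```

Paste the output of `dig +short <ddns-name> @<public resolver>` and `dig +short <ddns-name> @<router LAN IP>` into the two arguments of `diagnose()`. If the public answer is an RFC 1918 address and Unbound returns nothing, that is the rebind-protection case (Unbound's `private-address` setting); the documented way to exempt a single zone is `private-domain:` in unbound.conf, which is much safer than turning the protection off. If the public answer is a real WAN address and Unbound still returns nothing, rebind protection is not the explanation and Unbound's own log is the next place to look.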
 
Apologies if this was covered upthread - I searched and didn't find an answer.

How do I disable unbound DNS server leaking during DNS leak test when connected to VPN?
I use OpenVPN GUI on a desktop to connect to VPN (i.e. not router VPN client) and when I run a leak test while connected to the VPN both the VPN DNS and unbound DNS are presented.

I understand that unbound DNS will be listed when running a DNS server leak check when not conducted to the VPN, but didn't expect this behavior when connected to the VPN.
 
The VPN client on the desktop must not be intercepting all DNS traffic if some lookups from the desktop are being sent to the router and Unbound. It's not so much an Unbound issue as an OpenVPN client issue.
 
Thanks Dave. Suspected that was the case - appreciate the feedback.
 
Has anyone done performance testing on an RTAC68U with unbound?

Testing I've done seems to show router DNS using unbound is notably slower than publicly-available options (i.e. Cloudflare, OpenDNS, etc.).

In general, unbound rocks for cached responses (i.e. just under 40% of queries complete under 10ms), but the uncached responses have a much wider distribution than the other DNS servers'.

Resolver           Min Duration  Max Duration  Average Duration  StdDev of Duration   (all values in ms)
1.1.1.1                      23           441                47                  50
1.0.0.1                      23           837                48                  67
OpenDNS                      23           794                61                  65
UltraDNS-2                   34           532                72                  64
DynGuide                     29          2469                97                 181
VPN                          22          2554               118                 197
unbound (router)              3          2582               178                 288
Is there a way to improve performance on the 68U? Currently have the CPU/Memory tweaks option as Active.

Thanks.
 
Other internet users have usually primed the cache before your query reaches the public resolver. With Unbound, you and your users are the only ones building up the cache. Hard to compare fairly.
 
I considered that. But even when only comparing the uncached responses, unbound is considerably slower. I only installed unbound a few days ago, so I'll give it some time and rerun. But I expect to see similar results (i.e. rocks cached, slow and high variance for uncached).
 
Sure, when nothing's cached it has to fetch and validate all the DNSSEC info too. Post an example of this comparison to make sure we're talking apples-to-apples. You don't really know if resolution from a public resolver is cached or uncached unless it's a unique DNS name that no one would ever query before you. And many DNS records have short TTL so leaving it running longer won't necessarily improve the situation if your DNS queries aren't keeping the cache "fresh".
 
The table I posted above (http://www.snbforums.com/threads/re...nbound-recursive-dns-server.61669/post-613062) is a pivot created from the data output from running namebench using 500 queries per server. That tool doesn't differentiate cached from uncached, but was the easiest to summarize.
I also ran GRC DNS Benchmark (which differentiates between cached and uncached, according to the tool) and DNSJumper along with a few others. Below is the GRC data sorted by Uncached Average. Unbound performed much better in this round of testing compared to the namebench testing. Although it's near the bottom of the list, its performance was on par with Quad9, Cloudflare, and Google DNS. Dotcom performance for Unbound was easily the worst of all the services.

Resolver           Cached Avg  Cached Std  Uncached Avg  Uncached Std  Dotcom Avg  Dotcom Std   (all values in ms)
129.250.35.250             26           2            54            45          29           3
208.67.222.220             26           3            56            39          33           9
4.2.2.6                    25           2            57            46          28           4
208.67.222.123             26           3            58            43          34          12
4.2.2.2                    27           4            59            39          28           3
204.117.214.10             25           2            59            50          29           4
4.2.2.5                    26           4            59            42          28           3
204.194.232.200            26           3            60            43          35           9
208.67.220.222             26           3            62            45          36          11
129.250.35.251             27           5            63            56          32           8
204.194.234.200            26           2            63            40          37          13
4.2.2.3                    26           3            65            44          46          18
208.67.220.123             26           3            68            60          36          12
208.67.220.220             26           2            68            46          38          14
4.2.2.1                    26           4            70            57          42          17
8.8.4.4                    24           2            71            47          28           3
4.2.2.4                    25           2            71            50          41          16
198.153.192.1              36           2            72            44          63          24
9.9.9.9                    27           4            72            58          31           3
204.97.212.10              26           2            72            52          92          49
156.154.70.1               36           3            73            45          72          29
UNBOUND (ROUTER)            3           1            73            54         121          51
VPN                        25           2            78            52          29           6
1.0.0.1                    27           3            80            66          41          26
1.1.1.1                    26           2            81            64          40          25
208.67.222.222             35           1            81            43          58          13
8.8.8.8                    25           3            83            62          29           5
 
Let me give you some (ok, my) perspective on the magic of this:
I have a Bronx Cheer for your first chart.
On my unbound, the three biggest bars on my "Performance histogram" are the 16ms-131ms buckets, with the next one (131-262ms) being mooted AFAIC by an almost equal length one of 0-1us (a microsecond or less, a millionth of a second or lower!).
Now factor into the equation the time it takes Diversion & Suricata (or SkyNet) and cake-QoS etc to do their work and it's really damned impressive what's happening on my router...especially when it's (presumably...usually) doing that for a bunch of traffic on a bunch of machines/devices simultaneously on the network, and it all ends up going to the right places. Plus, it could be coming from half a world away.
Where's the column for privacy on those charts, friend?
I'm ok with slower initial (non-cached) lookups taking longer when the behemoths (or my own ISP) aren't getting to run that traffic through some algo or another...especially when there are some things in place that are keeping devices on my network protected. YMMV, of course, but speed is not the only consideration.
 
I run my unbound on an ac-86u running as access point with the only other software running being connmon and have similar namebench results as abracadabra with unbound being the slowest average result. But if I rerun namebench several times in a row it speeds up significantly for a bit. But really, to be honest, I can't tell the difference web browsing at all, so I don't trust the benchmark. I have thought about turning off logging to see if it makes a difference, but I like to see the ad block list which is the whole point of why I am using unbound anyway. So I am happy with the speed.
 
You're clearly missing the point of the post.
Specific questions in the post were:
1. Has anyone done performance testing on an RTAC68U with unbound?
2. Is there a way to improve performance on the 68U? Currently have the CPU/Memory tweaks option as Active.

There's an obvious trade-off related to privacy and that's one of the reasons one might prefer unbound (or some other similar solution), but understanding expected performance allows you to make that decision. If you have a quantifiable manner of testing privacy, then feel free to post and I'll be happy to include that in future testing.
 
Performance testing an AC68 would be like re-checking the resolution of a 720 monitor: it's already well established and published by the manufacturer at release.
We can help with optimization to achieve close to that benchmark; unbound and the CPU/Memory tweaks are tools/options to help achieve the 1200 Mbps (?) throughput your router might be capable of. But is your ISP connection up to the task? Just what are you trying to accomplish?
 
Hi there, is this normal in the system messages logs?

Aug 24 10:57:00 RT-AC86U-8380 (unbound_log.sh): 10089 Processed 0 reply_domains...
Aug 24 10:57:00 RT-AC86U-8380 (unbound_log.sh): 10089 Processed 0 nx_domains...
Aug 24 10:57:01 RT-AC86U-8380 (unbound_log.sh): 10089 Processed 0 RPZ events...

these 3 lines appear every hour
 
There is a cron job which runs the unbound_log.sh script at 57 minutes past the hour, and these are outputs to the syslog from that script. It's normal to see these kinds of messages; however, you shouldn't be seeing 0 counts.

Check to see if your Unbound is running OK and you are not diverting your DNS queries somewhere else.

I see you are using an AC86U, so this may be some corruption of the JFFS partition if you recently updated your firmware.
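To make the "you shouldn't be seeing 0 counts" check concrete, here is an added example (written for this thread, not part of unbound_manager or of unbound_log.sh) that parses syslog lines of the form posted above and reports the hourly runs in which every counter was zero. The sample lines are constructed: the three zero-count lines are the ones posted, the earlier non-zero run is invented for contrast, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample syslog extract. The 10:57 lines are the ones posted in the
# thread; the 09:57 run is invented so that a healthy hour is present for contrast.
SAMPLE_SYSLOG = """\
Aug 24 09:57:00 RT-AC86U-8380 (unbound_log.sh): 10089 Processed 12 reply_domains...
Aug 24 09:57:00 RT-AC86U-8380 (unbound_log.sh): 10089 Processed 3 nx_domains...
Aug 24 09:57:01 RT-AC86U-8380 (unbound_log.sh): 10089 Processed 1 RPZ events...
Aug 24 10:57:00 RT-AC86U-8380 (unbound_log.sh): 10089 Processed 0 reply_domains...
Aug 24 10:57:00 RT-AC86U-8380 (unbound_log.sh): 10089 Processed 0 nx_domains...
Aug 24 10:57:01 RT-AC86U-8380 (unbound_log.sh): 10089 Processed 0 RPZ events...
"""

# One syslog line: "<Mon DD HH:MM:SS> <host> (unbound_log.sh): <pid> Processed <n> <kind>..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \(unbound_log\.sh\): "
    r"(?P<pid>\d+) Processed (?P<count>\d+) (?P<kind>reply_domains|nx_domains|RPZ events)\.\.\.$"
)


def parse_unbound_log_lines(text):
    """Yield (timestamp, kind, count) for every unbound_log.sh summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("kind"), int(m.group("count"))


def hourly_counts(text):
    """Group the counters by hourly run, keyed by 'Mon DD HH'."""
    runs = defaultdict(dict)
    for ts, kind, count in parse_unbound_log_lines(text):
        hour_key = ts[:-6]  # strip ':MM:SS' -> e.g. 'Aug 24 10'
        runs[hour_key][kind] = count
    return dict(runs)


def silent_runs(text):
    """Return the hour keys in which every counter was zero. A silent hour means
    Unbound answered no logged queries: either clients are not using it, or its
    log is not reaching the script, which is the condition worth investigating."""
    return [hour for hour, counts in hourly_counts(text).items()
            if counts and all(c == 0 for c in counts.values())]


if __name__ == "__main__":
    for hour in silent_runs(SAMPLE_SYSLOG):
        print("all counters zero in run:", hour)
```

On the router the same logic can be applied to the live syslog with `grep unbound_log.sh /tmp/syslog.log` piped into the script; a run of consecutive silent hours, rather than a single one, is the signal that queries are being diverted or that the log feed is broken.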
 
Do you use pixelserv-tls? Does it improve performance, or how can I disable it and still have ad blocking?
 
Are you using Diversion as well? If so you can go into the settings of Diversion and disable pixelsrv.
 
Yes, I use Diversion. Does it improve performance?
 
