immi803
Senior Member
@Martineau
How can i try unbound_manager v3.20 beta?
How can i try unbound_manager v3.20 beta?
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
- Thread starter Martineau
- Start date
gspannu
Senior Member
Thank you for your guidance on ways to identify the blocked domain.
I am using the command
tail -f /opt/var/lib/unbound/unbound.log | grep -i "nxdomain"
to find the blocked domain and then add it to the whitelist if needed.
You have suggested that I can disable dnsmasq in case I need to identify the blocked domain by IP (192.168.1.27) address. I disabled dnsmasq and I am also able to identify blocked domains by specific IP addresses as well by the command
tail -f /opt/var/lib/unbound/unbound.log | grep -iE "nxdomain.*192.168.1.27"
Q: What are the disadvantages of disabling dnsmasq?
- I do not use Diversion or X3MRouting.
- I do have a few static IP addresses assigned by MAC address.
- I also run WireGuard as a server on the router
Will I lose anything by keeping dsnmasq permanently disabled and letting unbound manage the same?
Martineau
Part of the Furniture
If you wish to scan all of the file's contents, why waste time/effort/typing by loading two utilities...
Code:
grep -i "nxdomain" /opt/var/lib/unbound/unbound.log
grep -iE "nxdomain.*192.168.1.27" /opt/var/lib/unbound/unbound.logdnsmasq is a mature feature-rich inherent component of Asus routers.
Consequently there is a lot of knowledge/support available in the forums for fully exploiting dnsmasq's unique features etc., and it will take time for the number of knowledgeable unbound adopters to achieve the same level of tech-savvy critical mass.
i.e. although unbound v1.11.0 may now include an 'ipset' module (only HND-model routers?), I don't think it replicates the same functionality as dnsmasq's 'ipset=' directive, but even if you don't currently use X3MRouting, you may find that the feature may be useful outside of X3MRouting.
Performance-wise, DNS resolution for clients must be a few microseconds quicker by virtue of the fact that the LAN clients don't have to go thru dnsmasq i.e. bypassing the middleman.
I personally haven't noticed any issues with disabling dnsmasq, but unbound_manager's 'dnsmasq disable' migration feature may still be limited in its abilities in advanced dnsmasq case scenarios.
YMMV
Last edited:
gspannu
Senior Member
Thank you for your detailed response. I will keep dnsmasq enabled for now and just search for the blocked domains.
You are correct in your idea that I could just use grep.
The reason for using tail instead of grep is mainly that I can see the blocked domain entry in real-time as it is happening.
Use case: Browser page not loading properly or something being blocked.
ssh into router; Run the tail command; refresh the browser; and I can see the blocked domain appearing in the tail output.
Code:
tail -f /opt/var/lib/unbound/unbound.log | grep --color="auto" -i "always_nxdomain"Thank you for your response; much appreciated.
immi803
Senior Member
So we are set to disable dnsmasq in models like ax88u? Considering performance utmost?
Last edited:
L
Linux_Chemist
Guest
I like to disable dnsmasq and give unbound the reins entirely, for exactly the reasons mentioned but I also do a lot of blocklist tweaks.
One thing I noticed when I had Dnsmasq and this Unbound concurrently, is if you try to do blocking by country or domain, so something like
which will block any and all websites ending in .cn (china-based websites which I would have no occasion to ever visit and therefore gain more than I lose by blocking)
it will return NOERROR i.e. work without blocking, unless unbound is flying solo where it should correctly report NXDOMAIN when drilling/digging on a clear cache.
You can do some neat things with this, I have some work on github in an experimental stage, because by blocking an entire domain, while it can silently break the internet if a site needed a resource from a site with a country code you're blocking, it also means you can block ridiculously high numbers of advertising and tracking if you would never normally visit anything of that domain.
The question was "do I need to have an entry in my blocklist for "somebadsite.cn" and wait for hundreds of as-yet-unidentified entries if I never go on any chinese websites anyway?"
Targets for the chopping block in my case are country codes like "cn", "ru", "zw", and spamhaus.org recommends domains ending "icu", "ad" "fit". Got to be careful with those domain names though, as entries like .xyz and .io are increasingly popular, good and bad.
It's incredibly destructive (block "net" or "com" and you'll break almost the entire internet!), but has a lot of potential on a per user basis if you're absolutely 100% sure the sites you use won't need to connect to anything involving these addresses. I believe there's a use for it in moderation and it can significantly cut down on blocklist sizes.
One thing I noticed when I had Dnsmasq and this Unbound concurrently, is if you try to do blocking by country or domain, so something like
Code:
local-zone: "cn" always_nxdomainit will return NOERROR i.e. work without blocking, unless unbound is flying solo where it should correctly report NXDOMAIN when drilling/digging on a clear cache.
You can do some neat things with this
, I have some work on github in an experimental stage, because by blocking an entire domain, while it can silently break the internet if a site needed a resource from a site with a country code you're blocking, it also means you can block ridiculously high numbers of advertising and tracking if you would never normally visit anything of that domain.The question was "do I need to have an entry in my blocklist for "somebadsite.cn" and wait for hundreds of as-yet-unidentified entries if I never go on any chinese websites anyway?"
Targets for the chopping block in my case are country codes like "cn", "ru", "zw", and spamhaus.org recommends domains ending "icu", "ad" "fit". Got to be careful with those domain names though, as entries like .xyz and .io are increasingly popular, good and bad.
It's incredibly destructive (block "net" or "com" and you'll break almost the entire internet!), but has a lot of potential on a per user basis if you're absolutely 100% sure the sites you use won't need to connect to anything involving these addresses. I believe there's a use for it in moderation and it can significantly cut down on blocklist sizes.JT Strickland
Very Senior Member
I would like to try Unbound and Unbound Manager, but it may not play well with all my toys. I've got to figure out which ones to put up and which ones to keep.
immi803
Senior Member
I was checking out my ipv6 page & found a similar settings "connect to dns server automatically", in wan i certainly have placed it at NO which is prerequisite for unbound to work properly, what about ipv6, should i disable this option in ipv6 also or what's the mechanism of ipv6 with fallback ipv4?
@Martineau If I am running v3.20 beta the vpn 5 command does not work and returns VPN Client arg '5' invalid, must be in range 1-5. vpn disable works as expected. I can add the vpn by reverting to the current version, running vpn 5 and then re-loading the beta.
Martineau
Part of the Furniture
Whoops
.....one day I will learn to code. I have uploaded v3.20b2 to the Github dev branch.
QuikSilver
Very Senior Member
You're doing a great job! If it helps you, you are further along than me but I can make a mean batch file for ya.Whoops
I have uploaded v3.20b2 to the Github dev branch.
My configuration is similar to yours and I have the same results. After reading this entire thread, it seems some people actually see their VPN interface IP as the reported DNS server (rather than the WAN interface IP) when Accept DNS = Disabled for devices using the VPN. My knowledge here is very limited, but I believe it is working properly for us even though the various sites such as browserleaks.com or dnsleaktest.com show the WAN IP. Testing this from a client using the VPN tunnel, "nslookup whatever.com <WAN IP>" fails for me even though dnsleaktest reports this WAN IP as my DNS server. "Nslookup whatever.com <VPN IP>" works as hoped (again, even though dnsleaktest reports WAN IP as DNS server). Tenta https://tenta.com/test/ uses a different approach (try with all of your scenarios) and is unable to determine DNS server for VPN bound clients.
Last edited:
JGrana
Very Senior Member
I agree with @QuikSilver! I have been "wrestling" with Unbound on a Raspberry Pi running Raspbian. Can't tell you how many times I wished unbound_manager was supported in the Pi...You're doing a great job! If it helps you, you are further along than me but I can make a mean batch file for ya.
Martineau
Part of the Furniture
unbound_manager v3.20 should not have altered the core functionality of unbound.
Do you have the Rootcanary DNSSEC test failure when using unbound_manager v3.19?
John Fitzgerald
Very Senior Member
After I updated to 3.20 by using U then 1, I found that the internet was slow loading pages.
My remedy was to use the pinhole reset on the modem.
I held it for about a minute and when the modem rebooted all was working as it should.
Clark Griswald
Very Senior Member
@baud
I'm currently v3.19 and getting the same results as you from rootcanary I do not believe the issue is with the script. I have zero testing nor facts, but I have learned that many of my network/router "issues" are PEBKAC. I'm looking into what setting I "adjusted", now.
EDIT:
Updated to current v3.20 all is well when checking other services & only rootcanary gives poor response.
I'm currently v3.19 and getting the same results as you from rootcanary I do not believe the issue is with the script. I have zero testing nor facts, but I have learned that many of my network/router "issues" are PEBKAC. I'm looking into what setting I "adjusted", now.
EDIT:
Updated to current v3.20 all is well when checking other services & only rootcanary gives poor response.
Last edited:
gspannu
Senior Member
What are the other 4 tools you used for validation? Would you mind listing these here please?
Similar threads
Similar threads
Similar threads
-
-
-
-
-
Solved Latest entware update borked up Unbound- Started by Viktor Jaep
- Replies: 25
-
-
-
-
-
Unbound Unbound graphical statistics tab doesn't update all groups
- Started by Skywise
- Replies: 4
Latest threads
-
-
-
Use the VPN base on URL rather than IP address
- Started by Armandooooo
- Replies: 1
-
RT-AX88U Pro and RT-AX86U Pro vs Dual GT-AXE11000 Setup- Started by Mxlt
- Replies: 2
-
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!