Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


@Martineau, thanks for that tip!

So really, the best of both worlds. Using updated underlying code/bits and also re-using the custom .conf file I want to use too (without retyping or copy/pasting)! :D
 
I suspect no-one is willing to formally maintain the Ad Block script 'gen_adblock.sh' but it uses the 'StevenBlack Adlist' (so is probably adequate for most), yet unfortunately the script is hardcoded to explicitly still reference the now defunct SME GitHub for the hostlist.
I sent a pull request to Jack Yaz to remove that curl command entirely. Hasn't been merged yet.

While I think it's easier for everyone to maintain blocklists, blacklists and whitelists in Diversion, if you still want to offer adblock with Unbound, continue on the path you started when you compare the Diversion list and actually convert it into an Unbound equivalent.

I had tested this a while back but ultimately didn't want Unbound doing the adblocking due to memory consumption. This points everything to a hardcoded Pixelserv IP. You could adapt it to pull whatever IP is in the first field of each record.
Code:
#!/bin/sh
# Regenerate unbound's ads.conf whenever Diversion's blockinglist is newer than it (or ads.conf is missing)

if [ /opt/share/diversion/list/blockinglist -nt /opt/var/lib/unbound/ads.conf ] || [ ! -f /opt/var/lib/unbound/ads.conf ]; then
        # Each blockinglist record is "<ip> host1 host2 ..."; emit one local-data A record per host, pointing at the Pixelserv IP
        awk '{for (i=2; i<=NF; i++) print "local-data: \""$i". 0 A 192.168.1.2\""}' /opt/share/diversion/list/blockinglist > /opt/var/lib/unbound/ads.conf

        # Only reload if unbound.conf actually includes ads.conf (test grep's exit status directly rather than its empty output)
        if grep -q "ads\.conf" /opt/var/lib/unbound/unbound.conf; then
                unbound-control reload
        fi
fi
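The adaptation suggested above (taking the redirect IP from the first field of each record rather than hard-coding it), as an added example that is not the poster's script; the blocklist contents and hostnames are constructed, and it also skips comment/blank lines and normalises a trailing dot on a host:

```shell
#!/bin/sh
# Added example (not code from the thread): convert a Diversion-style blockinglist,
# one "<ip> host1 host2 ..." record per line, into unbound local-data entries,
# taking the redirect IP from field 1 instead of hard-coding it.

# Write a constructed sample blocklist to $1 (made-up hosts, not a real list).
make_sample_blockinglist() {
    cat > "$1" <<'EOF'
# comment line, must be ignored
192.168.1.2 ads.example.test tracker.example.test
192.168.1.2 metrics.example.test

10.0.0.5 beacon.example.test.
EOF
}

# Emit one local-data A record per hostname from the blocklist in $1.
# Comment and blank lines are skipped; a trailing dot on a host is normalised
# so every name is written fully qualified exactly once.
diversion_to_unbound() {
    awk '
        /^[[:space:]]*#/ { next }              # comment line
        NF < 2           { next }              # blank, or an IP with no hosts
        {
            ip = $1
            for (i = 2; i <= NF; i++) {
                host = $i
                sub(/\.$/, "", host)
                printf "local-data: \"%s. 0 A %s\"\n", host, ip
            }
        }' "$1"
}

# Number of local-data lines in a generated file (prints 0 if none).
count_local_data() {
    grep -c '^local-data:' "$1" || true
}

# Stand-alone run: generate from the sample into a temp file and print it.
tmp_in=$(mktemp); tmp_out=$(mktemp)
make_sample_blockinglist "$tmp_in"
diversion_to_unbound "$tmp_in" > "$tmp_out"
cat "$tmp_out"
rm -f "$tmp_in" "$tmp_out"
```

Point `diversion_to_unbound` at the real blockinglist and redirect to ads.conf in place of the awk one-liner; the reload logic stays as in the script above.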
 
Thank you for explaining the update procedures. I use the speed tweaks on my RT-AC86U and have experienced no problems that I'm aware of.
I think I've almost exhausted the end-user features (that I would personally expect to be available in unbound_manager), so script development will cease, so I will probably bite the bullet and give @L&LD's config tweak an extended trial myself.

I wouldn't expect either you @skeal or @L&LD to be able to provide metrics to promote the cutting-edge tweaks vs. the conservative values, but the bias appears to be that the tweaks usually work. :)

Thanks for the datapoint.
 
Personally, the cpu/memory tweak is better as an "opt in" option to give us time to know what it does and why we need it then decide. One size fits all is scary.:eek:
I disagree.

You are not forced to choose option 2, so hopefully most first-time installers would simply stick with option 1, but 'standing on the shoulders of giants' is why option 2 exists as a way of getting a simple step up the performance ladder (for free) in a controlled baby-steps manner.

Are you formally requesting that in 'easy' mode there shouldn't even be an option 2?

Also, I uninstalled unbound advanced then installed basic, unbound manager still shows remnants (customize cpu/memory usage) of the advanced installation. Looks like uninstall needs a little cleanup?
The header box initially displayed (only once) the first time unbound_manager is run does not show what options are currently installed (use '?' to see the true live status); it is effectively a 'help' screen to guide the user on what option 2 would do if chosen.

Please formally clarify your throw-away statement

"Looks like uninstall needs a little cleanup?"

 
Q&A

A. Well...Stubby encrypts your DNS traffic to an upstream DNS service. Normally you are forced to trust the upstream DNS provider/your ISP. unbound communicates directly with the authoritative name servers, thereby eliminating snooping by any upstream "middle-men". So given unbound uses DNSSEC, if you want to remain as your own trusted recursive DNS resolver then the answer is No.

No citation provided. I've so far found no definitive answer as to whether it is really the case that your ISP can't just see what your unbound setup communicates to those authoritative name servers. Not saying your ISP or other DNS providers are any better, but this shouldn't be stated as an advantage to using unbound. If you have sources that prove this, by all means do provide us with them, especially research papers. Those would greatly help to assure that our privacy is better protected as you mentioned above.
 
I wouldn't expect either you @skeal or @L&LD to be able to provide metrics to promote the cutting-edge tweaks vs. the conservative values, but the bias appears to be that the tweaks usually work. :)
Metrics, what are those and how do I use them? I can feel the difference more than document it.
 
I've uploaded v2.09 (you will need to use 'i' to UPDATE if you wish to use the 'di' command)

Fix:
unbound utility 'unbound-control' requires Entware OpenSSL and the dependency install unfortunately breaks diversion. Uninstall both packages during Install/Update - Thanks @dave14305 post #339
Change: 'x' unbound STOP command will now return DNS duties to dnsmasq rather than leave internet access DOWN.
Change: 'z' unbound UNINSTALL command will now also remove unbound scribe files that remain in the router Syslog GUI - @Kingp1n
New: If Skynet is installed and its Country Ban feature is ACTIVE it can apparently impact unbound's performance and integrity. Add pre-req Warning - @skeal @dave14305
Code:
 Router Configuration recommended pre-reqs status:
 [✔] Swapfile=262140 kB
 [✔] DNS Filter=ON
 [✔] DNS Filter=ROUTER
<snip>
 [✖] Warning Skynet's Country BAN feature is currently ACTIVE and may significantly reduce unbound performance and in some cases block sites
New: Install Entware's 'dig' utility and add 'di[g]' menu command i.e. although most users probably don't understand the output, it is a convenient debug cut'n'paste to the forum if requested by a guru.
Code:
e  = Exit Script

A:Option ==> di usaa.com

; <<>> DiG 9.14.8 <<>> txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17790
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.    IN NS
;; ANSWER SECTION:
.   21575 IN NS f.root-servers.net.
.   21575 IN NS c.root-servers.net.
.   21575 IN NS d.root-servers.net.
.   21575 IN NS g.root-servers.net.
.   21575 IN NS a.root-servers.net.
.   21575 IN NS b.root-servers.net.
.   21575 IN NS e.root-servers.net.
.   21575 IN NS l.root-servers.net.
.   21575 IN NS j.root-servers.net.
.   21575 IN NS i.root-servers.net.
.   21575 IN NS m.root-servers.net.
.   21575 IN NS h.root-servers.net.
.   21575 IN NS k.root-servers.net.
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 12 10:53:47 GMT 2020
;; MSG SIZE  rcvd: 239

; <<>> DiG 9.14.8 <<>> @127.0.0.1 -p 53535
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37672
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.    IN NS
;; ANSWER SECTION:
.   21575 IN NS d.root-servers.net.
.   21575 IN NS g.root-servers.net.
.   21575 IN NS a.root-servers.net.
.   21575 IN NS b.root-servers.net.
.   21575 IN NS e.root-servers.net.
.   21575 IN NS l.root-servers.net.
.   21575 IN NS j.root-servers.net.
.   21575 IN NS i.root-servers.net.
.   21575 IN NS m.root-servers.net.
.   21575 IN NS h.root-servers.net.
.   21575 IN NS k.root-servers.net.
.   21575 IN NS f.root-servers.net.
.   21575 IN NS c.root-servers.net.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1)
;; WHEN: Wed Feb 12 10:53:47 GMT 2020
;; MSG SIZE  rcvd: 239
New: 'links' commands will now include Check My DNS @rgnldo
 
There are two of the tweaks I do not mess with. These are my defaults.
Code:
cache-min-ttl: 5
ip-ratelimit: 100
If I change them I have trouble with my multicast TV streaming.
 
Metrics, what are those and how do I use them? I can feel the difference more than document it.
So it may be a placebo effect, since you are presumably reporting your 'gut-feel'?

A controlled procedure that is reliably and consistently repeatable over say 1000 iterations could be measured by something tangible like wall-clock time.

However, given the nature of the testing (and you would obviously exclude any cached results) you would be at the mercy of so many factors outside of your control e.g. geographical location/time of day etc., so attempting to state you observed say a useful 40% reduction in total/wait-time couldn't be accepted.
 
So it may be a placebo effect, since you are presumably reporting your 'gut-feel'?

A controlled procedure that is reliably and consistently repeatable over say 1000 iterations could be measured by something tangible like wall-clock time.

However, given the nature of the testing (and you would obviously exclude any cached results) you would be at the mercy of so many factors outside of your control e.g. geographical location/time of day etc., so attempting to state you observed say a useful 40% reduction in total/wait-time couldn't be accepted.
Absolutely agree!
 
I've uploaded v2.09

Country block warning works and everything else too.
 
question regarding stubby
dig spits out:

;; SERVER: 149.112.112.11#53(149.112.112.11)

does it mean that stubby isn't involved?
 
This is an update to the previous post about optimizing unbound.conf. Please read at the link below for further information.

https://www.snbforums.com/threads/r...recursive-dns-server.61669/page-3#post-548469

@Martineau are you up for this one? :)

These settings are specifically with my RT-AX88U and my 1Gbps up/down symmetrical Fibre connection to my ISP.

Proceed at your own risk!

While these settings give me an exceptionally fast and responsive network experience, test it thoroughly before implementing it into your normal workflows. ;)

Code:
# no threads and no memory slabs for threads
num-threads: 8            # L&LDv1.09 (Orig 1) RT-AX88U For RT-AC86U use (2)
msg-cache-slabs: 16       # L&LDv1.09 (Orig 1) RT-AX88U For RT-AC86U use (2)
rrset-cache-slabs: 16     # L&LDv1.09 (Orig 1) RT-AX88U For RT-AC86U use (2)
infra-cache-slabs: 16     # L&LDv1.09 (Orig 1) RT-AX88U For RT-AC86U use (2)
key-cache-slabs: 16       # L&LDv1.09 (Orig 1) RT-AX88U For RT-AC86U use (2)

# tiny memory cache
key-cache-size: 32m       # L&LDv1.09 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
msg-cache-size: 32m       # L&LDv1.09 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
rrset-cache-size: 64m     # L&LDv1.09 (Orig 16m) RT-AX88U For RT-AC86U use (16m)
cache-max-ttl: 21600
cache-min-ttl: 0          # L&LDv1.09 (Orig 5) RT-AX88U or RT-AC86U
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 1024    # L&LDv1.09 (Orig 600) RT-AX88U For RT-AC86U use (1024)
outgoing-num-tcp: 128     # L&LDv1.09 (Orig 100) RT-AX88U For RT-AC86U use (512)
ip-ratelimit: 0           # L&LDv1.09 (Orig 100) RT-AX88U For RT-AC86U use (0)
edns-buffer-size: 4096    # L&LDv1.09 RT-AX88U (Orig (1472) v1.01 as per @dave14305 minimal config)

I've upgraded to v2.09 and even with a 'zero' % hit ratio initially, this still is faster than the 'safe' defaults for me. :)

The 1GB RAM on the RT-AX88U has disappeared, there is between 16MB and 36MB depending on what I'm using the network for at the time. Asus, give us more RAM!

The 2GB swap file is at about 29.57 / 2048 MB currently (have seen it to almost 490MB).

Note the limitations that @skeal points out:

There are two of the tweaks I do not mess with. These are my defaults.
Code:
cache-min-ttl: 5
ip-ratelimit: 100
If I change them I have trouble with my multicast TV streaming.

For the RT-AC86U? Someone else (who has the router in use) needs to test the limits and report back to us. :)

For anything below the two HND models (RT-AX88U and the RT-AC86U)? Who wants to be a pioneer?

Opening up a shortcut folder (Open all) of 25 or 40 links in Edge Chromium has never happened so quickly before.

Metrics on these kinds of improvements? Like driving a fine car and trying to explain it to someone who only drives a horse and buggy. :)

You just have to get behind the wheel to find out.
 
No citation provided. I've so far found no definitive answer as to whether it is really the case that your ISP can't just see what your unbound setup communicates to those authoritative name servers. Not saying your ISP or other DNS providers are any better, but this shouldn't be stated as an advantage to using unbound. If you have sources that prove this, by all means do provide us with them, especially research papers. Those would greatly help to assure that our privacy is better protected as you mentioned above.

Firstly, I respectfully suggest you pose your concern with the vendor, by subscribing to the support mailing list found on their Official NLnet labs - Unbound Project 'About unbound' page

Alternatively I suggest you pose your concern in the official Unbound - Authoritative Recursive Caching DNS Server thread where I'm sure the resident unbound SME can provide the necessary citation you desperately crave.

Secondly, if the poorly worded Q&A you quoted has offended you then I'm truly sorry but the actual intent was to promote the self hosted Recursive feature of unbound, and the negative impact of opting for the Stubby-Integration using my script.

Nothing more nothing less.

Thank you for your input and good luck in your noble quest.
 
question regarding stubby
dig spits out:

;; SERVER: 149.112.112.11#53(149.112.112.11)

does it mean that stubby isn't involved?
I think @Martineau should add an @127.0.0.1 to ensure dig will query dnsmasq on port 53. The behavior without it will default to WAN DNS servers, which doesn't test your setup. Of course this depends on the setting for Wan: Use local caching resolver...

EDIT: it also looks like there is a variable discrepancy in the script between TESTTHIS and THIS.
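A way to check what the question above is really asking (which server answered dig, and whether unbound's DNSSEC validation is visible in the answer), as an added example that is not from the thread or the script. It parses dig's text output for the `;; SERVER:` line and the `ad` flag; the two samples are constructed from the shapes seen in this thread, and `dig_summary` / `answered_locally` are names chosen here.

```shell
# Added example, not code from the thread: check that a dig answer came from the
# resolver you intended and whether it carried the DNSSEC-validated 'ad' flag.
# Input is dig's text output on stdin; the samples below are constructed.

# Print "server=<ip> port=<n> ad=<yes|no>" for one dig answer read from stdin.
dig_summary() {
    awk '
        /^;; flags:/ {
            # "flags: qr rd ra ad;" -> a bare "ad" token means the resolver validated it
            ad = "no"
            n = split($0, f, /[ ;]+/)
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = "yes"
        }
        /^;; SERVER:/ {
            # "SERVER: 127.0.0.1#53535(127.0.0.1)" -> ip and port
            s = $3; sub(/\(.*$/, "", s)
            split(s, p, "#")
            server = p[1]; port = p[2]
        }
        END { printf "server=%s port=%s ad=%s\n", server, port, ad }'
}

# True (exit 0) when the summary shows a local listener answered, i.e. the query
# actually exercised dnsmasq/unbound on the router rather than a WAN DNS server.
answered_locally() {
    case "$1" in
        "server=127.0.0.1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample modelled on the thread's port 53535 output: 'ad' flag present.
sample_unbound_dig() {
    cat <<'EOF'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53535(127.0.0.1)
EOF
}

# Constructed sample for the case asked about: an external server, no 'ad' flag.
sample_wan_dig() {
    cat <<'EOF'
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 149.112.112.11#53(149.112.112.11)
EOF
}

sample_unbound_dig | dig_summary
sample_wan_dig | dig_summary
```

On the router, `dig @127.0.0.1 -p 53535 example.com | dig_summary` should report the local server with `ad=yes` for a signed domain when unbound is doing the resolving.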
 
Trying 2.09 on a 56U at 384.6 I get this glitch in the install:
Code:
i  = Begin unbound Installation Process ('/opt/var/lib/unbound/')      
z  = Remove unbound/unbound_manager Installation          
3  = Advanced Tools                            rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery u)
?  = About Configuration                      
                      
e  = Exit Script
A:Option ==> i
    Router Configuration recommended pre-reqs status:
    [?] Swapfile=262140 kB
    [?] ***ERROR DNS Filter is OFF!                          see http://192.168.2.200:80/DNSFilter.asp LAN->DNSFilter Enable DNSg
[: 0: unknown operand
    [?] WAN: Use local caching DNS server as system resolver=NO
[: 0: unknown operand
    [?] Enable local NTP server=YES
    [?] Enable DNS Rebind protection=NO
    [?] Enable DNSSEC support=NO
    Options: unbound Advanced install - User will be prompted to install options
    The router does not currently meet ALL of the recommended pre-reqs as shown above.
    However, whilst they are recommended, you may proceed with the unbound INSTALL
    as the recommendations are NOT usually FATAL if they are NOT strictly followed.
    Press Y to continue unbound INSTALL  or press [Enter] to ABORT
Never mind the DNS Filter, I was just noticing the unknown operands.
 
Post deleted.

I had a senior moment and posted in haste. DOH.
 
For the RT-AC86U? Someone else (who has the router in use) needs to test the limits and report back to us. :)
L&LD, I have a RT-AC86U...any specific way I can test to the limits?
 