
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

No I did not. So how do I change it now in unbound so DoT works?
I’m notorious for suggesting Unbound is a waste of resources if you intend to use Stubby for DoT. IMO, you’re better off just using the built-in router functions (dnsmasq+Stubby) instead of dnsmasq+Unbound+Stubby. :cool:
 
I’m notorious for suggesting Unbound is a waste of resources if you intend to use Stubby for DoT. IMO, you’re better off just using the built-in router functions (dnsmasq+Stubby) instead of dnsmasq+Unbound+Stubby. :cool:
I like that. So uninstall unbound & that's it. Do I need to install anything for stubby?
 
Do I need to install anything for stubby?
No, the built-in DNS Privacy feature in Merlin uses Stubby behind the scenes. Your settings on the WAN page are used to configure DoT with Stubby.
 
No, the built-in DNS Privacy feature in Merlin uses Stubby behind the scenes. Your settings on the WAN page are used to configure DoT with Stubby.
Ok, uninstalling unbound, will report back soon. Slightly off topic, but you wouldn't happen to know the fix for Traffic Monitor not showing any data for Daily & Monthly? Shows the dates but always 0.00 KB.
 
Ok, uninstalling unbound, will report back soon. Slightly off topic, but you wouldn't happen to know the fix for Traffic Monitor not showing any data for Daily & Monthly? Shows the dates but always 0.00 KB.
No, but if the data is only stored in RAM, a reboot would kill any history. I don’t pay much attention to it usually.
 
No, the built-in DNS Privacy feature in Merlin uses Stubby behind the scenes. Your settings on the WAN page are used to configure DoT with Stubby.
Enable DNS Rebind protection and Enable DNSSEC support should be Yes or No?
 
An observation regarding the use of Restorecache command within Unbound- by design the restorecache option will only work after a reboot provided of course that you had used the dumpcache command. However - I had to use the "scribe" command to restart logging of Unbound to UIScribe after a restart of Syslog-ng within Scribe. This resets the cache used in Unbound. The subsequent issue of the Restorecache command does NOT restore the Unbound Cache.
 
Enable DNS Rebind protection and Enable DNSSEC support should be Yes or No?
Personally, I would use Yes with Cloudflare or Quad9 or both. If you enable DNSSEC, the Cloudflare test sites will not report reliable results, but then you can use the tcpdump command to ensure traffic is going over port 853.
 
An observation regarding the use of Restorecache command within Unbound- by design the restorecache option will only work after a reboot provided of course that you had used the dumpcache command.

However - I had to use the "scribe" command to restart logging of Unbound to UIScribe after a restart of Syslog-ng within Scribe. This resets the cache used in Unbound.

The subsequent issue of the Restorecache command does NOT restore the Unbound Cache.

Unfortunately I can't replicate your issue.:confused:

Rather than directly execute /init.d/S61unbound, since v2.17+, 'unbound_manager' always calls a function 'Restart_unbound()' which should ensure the cache is saved/restored.

Code:
A:Option ==> + [ N == Y ]
+ read -r menu1

scribe

<snip>

Enabling syslog-ng logging (scribe).....+ local TXT=
+ unset
+ Restart_unbound
+ local NOCACHE=
+ [  == nochk ]
+ Valid_unbound_config_Syntax /opt/var/lib/unbound/unbound.conf
+ local VALID=Y
+ local RC=0
+ local CHECKTHIS=/opt/var/lib/unbound/unbound.conf
+ [ -z /opt/var/lib/unbound/unbound.conf ]
+ local STATEMENTS=server:|access-control:|private-address:|domain-insecure:|forward-addr:|include:|interfaces:outgoing-interface
+ sed /^#/d /opt/var/lib/unbound/unbound.conf
+ awk {print $1}
+ sort
+ uniq -cd
+ grep .
+ grep -vE server:|access-control:|private-address:|domain-insecure:|forward-addr:|include:|interfaces:outgoing-interface
+ local DUPLICATES=
+ [ -z  ]
+ unbound-checkconf /opt/var/lib/unbound/unbound.conf
+ local CHK_Config_Syntax=unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
+ echo unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
+ grep -o no errors in
+ [ -z no errors in ]
+ [  == returndup ]
+ echo Y
+ return 0
+ [ Y == Y ]
+ [  != nochk ]
+ echo -e \e[92m
+ unbound-checkconf /opt/var/lib/unbound/unbound.conf
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
+ echo -e
+ pidof unbound
+ [ -n 17483 ]
+ [  != nocache ]
+ Manage_cache_stats save
+ unbound_Control dump
+ pidof unbound
+ [ -z 17483 ]
+ local RESET=_noreset
+ local RETVAL=
+ local ADDFILTER=
+ echo dump
+ wc -w
+ [ 1 -eq 2 ]
+ local FN=/opt/share/unbound/configs/cache.txt
+ unbound-control dump_cache
+ [ dump == save ]
+ Check_config_add_and_postconf
+ local CONFIG_ADD=/opt/share/unbound/configs/unbound.conf.add
+ [ -f /opt/share/unbound/configs/unbound.conf.add ]
+ echo -e \e[96mAdding \e[92m'include: "/opt/share/unbound/configs/unbound.conf.add"  '/opt/var/lib/unbound/unbound.conf'\e[90m
Adding 'include: "/opt/share/unbound/configs/unbound.conf.add"  '/opt/var/lib/unbound/unbound.conf'
+ grep ^include.*"/opt/share/unbound/configs/unbound.conf.add" /opt/var/lib/unbound/unbound.conf
+ [ -z include: "/opt/share/unbound/configs/unbound.conf.add"       # Custom server directives]
+ local POSTCONF_SCRIPT=/opt/share/unbound/configs/unbound.postconf
+ [ -f /opt/share/unbound/configs/unbound.postconf ]
+ /opt/etc/init.d/S61unbound restart
 Shutting down unbound...              done.
 Starting unbound...              done.
+ [ -z  ]
+ CHECK_GITHUB=1
+ echo -en \e[0m\nPlease wait for up to \e[93m10 seconds\e[0m for status.....\e[0m
Please wait for up to 10 seconds for status.....+ WAIT=11
+ INTERVAL=1
+ I=0
+ [ 0 -lt 10 ]
+ sleep 1
+ I=1
+ pidof unbound
+ [ -z 11631 ]
+ [ 1 -eq 2 ]
+ [ 1 -lt 10 ]
+ sleep 1
+ I=2
+ pidof unbound
+ [ -z 11631 ]
+ [ 2 -eq 2 ]
+ [  != nocache ]
+ Manage_cache_stats restore
+ unbound_Control load
+ pidof unbound
+ [ -z 11631 ]
+ local RESET=_noreset
+ local RETVAL=
+ local ADDFILTER=
+ wc -w
+ echo load
+ [ 1 -eq 2 ]
+ local FN=/opt/share/unbound/configs/cache.txt
+ [ -s /opt/share/unbound/configs/cache.txt ]
+ unbound-control load_cache
+ [ load == rest ]
+ rm /opt/share/unbound/configs/cache.txt
+ [ 2 -lt 10 ]
+ sleep 1
+ I=3

As I've posted before, during the cache restore, usually a lot of the rrset.cache appears to get internally dropped?

i.e. 'dumpcache' created 'cache.txt' with approx 20,000 lines, so manually renamed it to 'cache.txtbak' then 'rs nocache'

After the unbound restart
Code:
total.num.queries=2                 total.num.zero_ttl=0            total.requestlist.exceeded=0         total.tcpusage=0
total.num.queries_ip_ratelimited=0  total.num.recursivereplies=2    total.requestlist.current.all=0      msg.cache.count=15
total.num.cachehits=0               total.requestlist.avg=1         total.requestlist.current.user=0     rrset.cache.count=120
total.num.cachemiss=2               total.requestlist.max=2         total.recursion.time.avg=0.129313    infra.cache.count=20
total.num.prefetch=0                total.requestlist.overwritten=0 total.recursion.time.median=0        key.cache.count=4
then quickly renamed 'cache.txtbak' to 'cache.txt'..... then 'restorecache'
Code:
total.num.queries=157               total.num.zero_ttl=2            total.requestlist.exceeded=0         total.tcpusage=0
total.num.queries_ip_ratelimited=0  total.num.recursivereplies=20   total.requestlist.current.all=0      msg.cache.count=855
total.num.cachehits=137             total.requestlist.avg=0.615385  total.requestlist.current.user=0     rrset.cache.count=5195
total.num.cachemiss=20              total.requestlist.max=4         total.recursion.time.avg=0.140776    infra.cache.count=69
total.num.prefetch=6                total.requestlist.overwritten=0 total.recursion.time.median=0.065536 key.cache.count=30
So processing the 20,000 lines contained in 'cache.txt' resulted in both the rrset.cache and msg.cache significantly jumping,
i.e.
msg.cache.count= 15 --> 855
rrset.cache.count= 120 --> 5195

so clearly the cache restore request is honoured, but I have no control over the internal restore criteria.

NOTE: I used the one-off 'dumpcache bootrest' which modifies 'post-mount' to enable auto-restoring the cache during the boot process if 'cache.txt' exists, so I have manually modified 'services-stop' to save the unbound cache.
(I could create a cron job to dump the cache say every hour to try and reduce the loss of the cache due to an unexpected crash/reboot.)
 
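For anyone who wants to see what the traced Restart_unbound() sequence above boils down to, and what the hourly "dumpcache" cron idea would call, here is an added example written for this post. It is not unbound_manager's own code and was not posted by Martineau: a small POSIX sh script that runs the same duplicate-statement check and unbound-checkconf before touching anything, dumps the cache with unbound-control, restarts, polls for the pid, and loads the cache back. The file paths and the duplicate allow-list are assumptions taken from the trace, the function names are mine, and the config it checks when run without arguments is constructed for the illustration.

```shell
#!/bin/sh
# Added example, not unbound_manager's own code: a minimal wrapper that does
# what the trace above shows Restart_unbound() doing (duplicate-statement
# check, unbound-checkconf, dump the cache, restart, wait for the pid, load
# the cache) plus a 'save' entry point suitable for an hourly cron job.
# Paths and the allow-list are assumptions taken from the trace; the sample
# config checked when run stand-alone is constructed for this illustration.

UNBOUND_CONF="${UNBOUND_CONF:-/opt/var/lib/unbound/unbound.conf}"
CACHE_FN="${CACHE_FN:-/opt/share/unbound/configs/cache.txt}"

# Statements that may legitimately appear more than once in unbound.conf.
ALLOWED_DUPES='server:|access-control:|private-address:|domain-insecure:|forward-addr:|include:|interface:|outgoing-interface:'

# Print every repeated top-level statement that is not on the allow-list.
# Returns 0 when the file is clean, 1 when the file is missing or an
# offending duplicate exists (unbound would refuse to start on it).
Find_duplicate_statements() {
    [ -f "$1" ] || return 1
    dupes=$(sed -e '/^[[:space:]]*#/d' "$1" | awk 'NF {print $1}' | sort | uniq -cd \
            | grep -vE "$ALLOWED_DUPES" || true)
    [ -z "$dupes" ] && return 0
    printf '%s\n' "$dupes"
    return 1
}

# Dump the running cache to CACHE_FN (a copy of everything unbound has
# resolved so far, so it belongs on local storage only). 1 if unbound is down.
Save_cache() {
    [ -n "$(pidof unbound)" ] || return 1
    unbound-control dump_cache > "$CACHE_FN"
}

# Load CACHE_FN into the running unbound, then delete it so the same dump is
# never loaded twice (the trace above does the same 'rm cache.txt').
Restore_cache() {
    [ -n "$(pidof unbound)" ] || return 1
    [ -s "$CACHE_FN" ] || return 1
    unbound-control load_cache < "$CACHE_FN" && rm -f "$CACHE_FN"
}

# Poll up to $1 seconds for an unbound pid; returns 1 on timeout.
Wait_for_unbound() {
    i=0
    while [ "$i" -lt "${1:-10}" ]; do
        [ -n "$(pidof unbound)" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Validate, save, restart, wait, restore; refuse to restart on a bad config
# so a typo in unbound.conf.add does not leave the LAN without DNS.
Restart_unbound_with_cache() {
    Find_duplicate_statements "$UNBOUND_CONF" >/dev/null || {
        echo "Duplicate statements in $UNBOUND_CONF; not restarting" >&2; return 1; }
    unbound-checkconf "$UNBOUND_CONF" || return 1
    Save_cache
    /opt/etc/init.d/S61unbound restart
    Wait_for_unbound 10 && Restore_cache
}

# Stand-alone: 'restart' runs the wrapper, 'save' dumps the cache (for an
# hourly cron entry), anything else checks a constructed sample config.
case "${1:-}" in
    restart) Restart_unbound_with_cache ;;
    save)    Save_cache ;;
    *)
        tmp=$(mktemp)
        cat > "$tmp" <<'EOF'
server:
    verbosity: 1
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
    verbosity: 2
# comments are ignored
EOF
        Find_duplicate_statements "$tmp" || echo "duplicates found (expected for the sample)"
        rm -f "$tmp"
        ;;
esac
```

Run without arguments it only reports the repeated 'verbosity:' line in the sample config (the two 'access-control:' lines are on the allow-list); 'save' is the form you would put in cron, and the restore happens on the next 'restart' because the wrapper deletes the dump once it has been loaded.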
I could create a cron job to dump the cache say every hour to try and reduce the loss of the cache due to an unexpected crash/reboot.)

@Martineau thanks for your continued great work on this script!

Personally I think many people would find it useful to “not have to think about it” so an automatic “dumpcache” every 30 or 60 minutes perhaps, which then automagically got reloaded after a reboot or power cycle, may suit a lot of us?

What do others think?
 
@Martineau thanks for your continued great work on this script!

Personally I think many people would find it useful to “not have to think about it” so an automatic “dumpcache” every 30 or 60 minutes perhaps, which then automagically got reloaded after a reboot or power cycle, may suit a lot of us?

What do others think?

People are too worried about their cache. If your router crashes that often then you have bigger issues. I suggest to keep it as is personally.

That being said, I do have the issue after reboot that there are no logs in syslog. I used to just use the scribe command to fix it but found that a simple unbound_manager.sh restart command fixes it. Timing issue maybe?
 
People are too worried about their cache. If your router crashes that often then you have bigger issues. I suggest to keep it as is personally.

@juched
Indeed you are probably correct - I may be too worried about my cache.
My router (RT-AC86U) doesn't crash at all from what I can tell, but it does get rebooted after upgrades etc, which is what I was really referring to.
That's usually about the time I remember that I haven't gone into Unbound and done a "dumpcache" :D
But as you say, not sure it makes that much difference in the grand scheme of things ...
 
Personally, I would use Yes with Cloudflare or Quad9 or both. If you enable DNSSEC, the Cloudflare test sites will not report reliable results, but then you can use the tcpdump command to ensure traffic is going over port 853.
I assume this is the case when you don't want to use Unbound?



Is it possible to use Unbound with DoT? Do I have to enter the IP address of the router as the DoT-server?


Thanks!!!
ONEPLUS 5T with Tapatalk
 
I assume this is the case when you don't want to use Unbound?



Is it possible to use Unbound with DoT? Do I have to enter the IP address of the router as the DoT-server?


Thanks!!!
ONEPLUS 5T with Tapatalk

This is from Post #4, Martineau’s Q&A:

Q. Does unbound support DoT
A.
@dave14305 replied: "unbound does not use any encrypted traffic as a 'recursive resolver'. It can’t make 'recursive queries' using encryption. You can reconfigure unbound to become a forwarder (like dnsmasq and Stubby) and use DoT, but what’s the value of unbound then as just another forwarder, when dnsmasq+Stubby already do that well enough?"

NOTE: For completeness/freedom of choice, v2.12 now does allow unbound DoT to be configured using both Cloudflare & Quad9 IPv4/IPv6 servers.
 
I assume this is the case when you don't want to use Unbound?



Is it possible to use Unbound with DoT? Do I have to enter the IP address of the router as the DoT-server?


Thanks!!!
ONEPLUS 5T with Tapatalk
You can indeed configure unbound to use the default (currently Cloudflare & Quad9) DoT servers defined in 'unbound.conf'

Warning: This will DISABLE being able to be your own trusted Recursive DNS Resolver


Code:
e  = Exit Script

A:Option ==> DoT

<snip>

 Options: Auto Reply='y' for User Selectable Options ('4') Performance Tweaks

 [✔] unbound CPU/Memory Performance tweaks
 [✔] DoT ENABLED. These third parties are used:
            1.1.1.1@853#cloudflare-dns.com
            1.0.0.1@853#cloudflare-dns.com
            9.9.9.9@853#dns.quad9.net
            149.112.112.112@853#dns.quad9.net
 
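To make the warning in the post above concrete, here is an added example (my own, not unbound_manager's code and not something Martineau posted) showing the unbound.conf fragment that a DoT option with those four third parties amounts to. It is a POSIX sh script that validates each upstream and then prints the fragment; the CA bundle path and the function names are assumptions, and how unbound_manager itself writes its DoT configuration is not shown here.

```shell
#!/bin/sh
# Added example, not unbound_manager's own code: builds the unbound.conf
# fragment that the DoT option above amounts to, validating each upstream
# before emitting it. The CA bundle path and the function names are
# assumptions for this illustration.

CA_BUNDLE="${CA_BUNDLE:-/opt/etc/ssl/certs/ca-certificates.crt}"   # assumed Entware path

# An upstream must be ip@853#hostname. Port 853 is what the tcpdump check
# earlier in the thread looks for; the hostname after '#' is what unbound
# verifies the upstream certificate against, so an entry without it is rejected.
Validate_dot_upstream() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f.:]+@853#[A-Za-z0-9.-]+$'
}

# Emit the fragment for the given upstreams; refuse the whole set if any is bad.
Dot_forward_zone() {
    for up in "$@"; do
        Validate_dot_upstream "$up" || { echo "rejected upstream: $up" >&2; return 1; }
    done
    cat <<EOF
server:
    tls-cert-bundle: "$CA_BUNDLE"
# Forwarding "." means unbound no longer recurses from the root servers itself;
# every query goes to the third parties below (the warning in the post above).
forward-zone:
    name: "."
    forward-tls-upstream: yes
EOF
    for up in "$@"; do
        printf '    forward-addr: %s\n' "$up"
    done
}

# Count the forward-addr lines in a fragment read from stdin (sanity check).
Count_forward_addrs() {
    grep -c '^    forward-addr:'
}

# Stand-alone: print the fragment for the four servers listed in the post.
Dot_forward_zone \
    1.1.1.1@853#cloudflare-dns.com \
    1.0.0.1@853#cloudflare-dns.com \
    9.9.9.9@853#dns.quad9.net \
    149.112.112.112@853#dns.quad9.net
```

The fragment makes the trade-off visible: with a forward-zone for "." and forward-tls-upstream set, every lookup leaves the router encrypted to Cloudflare or Quad9 on 853, but unbound is no longer doing its own recursion, which is exactly the point the previous replies make about it becoming "just another forwarder".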
You can indeed configure unbound to use the default (currently Cloudflare & Quad9) DoT servers defined in 'unbound.conf'

Warning: This will DISABLE being able to be your own trusted Recursive DNS Resolver


Code:
e  = Exit Script

A:Option ==> DoT

<snip>

 Options: Auto Reply='y' for User Selectable Options ('4') Performance Tweaks

 [✔] unbound CPU/Memory Performance tweaks
 [✔] DoT ENABLED. These third parties are used:
            1.1.1.1@853#cloudflare-dns.com
            1.0.0.1@853#cloudflare-dns.com
            9.9.9.9@853#dns.quad9.net
            149.112.112.112@853#dns.quad9.net

I am not against choice, but there is no advantage to using unbound to forward to DoT rather than stubby, so I suggest it be removed. Need to keep the script (maybe v3.0) clean and focused :)
 
Hi everyone
Just new to unbound, installed a few minutes ago :D My network is dual stack by generic, IPv6 with fallback on IPv4

Just a confirmation message

1. Entware was installed
2. Swap 2GB already was working
3. WAN, don't automatically get DNS, instead input Cloudflare 1.1.1.1 & 1.0.0.1 and applied, DNS over TLS NONE, may turn on later
4. LAN, DNS filter turned on, selected option router & removed default Google DNS and left DNS empty and applied
5. Installed Unbound from amtm, did advanced install, skipped stubby, extended logging on for web UI

Have I done everything?
 
Hi everyone
Just new to unbound, installed a few minutes ago :D My network is dual stack by generic, IPv6 with fallback on IPv4

Just a confirmation message

1. Entware was installed
2. Swap 2GB already was working
3. WAN, don't automatically get DNS, instead input Cloudflare 1.1.1.1 & 1.0.0.1 and applied, DNS over TLS NONE, may turn on later
4. LAN, DNS filter turned on, selected option router & removed default Google DNS and left DNS empty and applied
5. Installed Unbound from amtm, did advanced install, skipped stubby, extended logging on for web UI

Have I done everything?

Looks ok to me.:)
 
Hi everyone
Just new to unbound, installed a few minutes ago :D My network is dual stack by generic, IPv6 with fallback on IPv4

Just a confirmation message

1. Entware was installed
2. Swap 2GB already was working
3. WAN, don't automatically get DNS, instead input Cloudflare 1.1.1.1 & 1.0.0.1 and applied, DNS over TLS NONE, may turn on later
4. LAN, DNS filter turned on, selected option router & removed default Google DNS and left DNS empty and applied
5. Installed Unbound from amtm, did advanced install, skipped stubby, extended logging on for web UI

Have I done everything?

I think as you set your DNS for WAN you are skipping your local Unbound, or have switched it to another forwarder ...
 
