Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Good catch Mr. dave14305. Do you also recommend adding the port after the interface ip's?
No not anymore really. It was an easy way to configure one interface with a non-standard port, but once you start actually using the port: parameter, the @ port method can just cause confusion.
 
Copy that, thanks for clarifying this.
Can someone verify with unbound -V and see which version of OpenSSL their unbound is running with? Mine shows OpenSSL 1.1.1d 10 Sep 2019.
 
When I switched to unbound only, I see that websites are not automatically switching to their https versions.
I mean previously I typed only snbforums.com into the Firefox URL bar and it loaded the page automatically with the https prefix.
The same happens when I open this URL from the results of a Google search; it throws an error about a broken protocol:
Code:
Oops.

The site at http://www.snbforums.com/ has experienced a network protocol violation that cannot be repaired.

The page you are trying to view cannot be shown because an error in the data transmission was detected.

    Please contact the website owners to inform them of this problem.
Now I need to add this prefix manually because it is trying to load HTTP.

Do others have the same experience?

Edit: the page http://forums.mozillazine.org/ is not working even with https.
Edit 2: same behaviour in MS Edge.
Edit 3: antivirus updates are not working either, for example. I see that it is resolving the update servers' DNS but the download is not working. Same for the WGC game center update.
 
Yes, I understand, I wasn't meaning that they can't coexist. I was thinking more about the wasted memory.
If you are giving dnsmasq "first refusal", then whatever blocking list you have in memory for enabled unbound ad blocking would be a duplication of effort (most likely using a very similar list of domains), just catching the dribble of domains missed by Diversion. Similarly, once you bypassed dnsmasq and did the ad blocking via unbound, the hostfile for dnsmasq would still be sitting in memory with no purpose.
I'm impressed by @Martineau's efforts to enable flipping between the two with a simple command and just offered up the idea as icing on the cake; as he says, probably a niche use case, and maybe not worth the coding effort for the few that might want it.
I'm pretty interested in the DNS firewall and see that as a potential complementary feature to ad blocking through dnsmasq or through unbound, whichever is active.
I've uploaded v3.10 Hotfix


Version=3.10
Github md5=6126e734d0ea5c65965cbae5a221f322

Use of the 'i = Update unbound Installation' **Not required** see Change Log

Code:
Hotfix: 'dnsmasq disable' (aka bypass dnsmasq) no longer listens on ALL interfaces, but only to local LAN subnet. - Thanks @dave14305
HotFix: Issue warning if bypass dnsmasq is requested and Router's Domain name is 'blank' before creating 'unbound.conf.localhosts' - @dave14305/@milan
Hotfix: Pending 'unbound.conf' v1.10, dynamically fix incorrect CIDRs (192.168.0.0/24->16 & 172.16.0.0/16->12) @dave14305
Change: As per @Tomsk request, if Diversion is ACTIVE, when requesting dnsmasq bypass allow (semi-auto) replacing Diversion with Ad Block.
        Similarly if switching back to dnsmasq, allow (semi-auto) replacing Ad Block with Diversion
Change: Timestamp console messages when switching between dnsmasq or unbound as primary DNS
Code:
e  = Exit Script [?]

A:Option ==> dnsmasq disable

 If you currently use or rely on dnsmasq features such as Diversion/x3mRouting etc., then re-consider.

  Warning Diversion is ACTIVE (You can switch to Ad Block)

 Do you still want to DISABLE dnsmasq?

 Reply 'y' or press [Enter]  to skip
y
e.g. dnsmasq is bypassed, so the switch back to dnsmasq:
Code:
e  = Exit Script [?]

A:Option ==> dnsmasq

09:45:17 Configuring dnsmasq to be the primary DNS for ALL LAN Clients.....

09:45:19 Checking 'unbound.conf' for syntax errors.....
09:45:21 Saving unbound cache to '/opt/share/unbound/configs/cache.txt'
09:45:21 Requesting unbound (S61unbound) restart.....
 Shutting down unbound...              done.
 Starting unbound...              done.
09:45:25 Checking status, please wait.....
09:45:27 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-05-07 09:45:21)
09:45:30 unbound OK
09:45:30 Starting 'Diversion'.....
  ____  _                    _
 |  _ \(_)_   _____ _ __ ___(_) ___  _ __
 | | | | \ \ / / _ \ '__/ __| |/ _ \| '_ \
 | |_| | |\ V /  __/ |  \__ \ | (_) | | | |
 |____/|_| \_/ \___|_|  |___/_|\___/|_| |_|
 Welcome
 This is Diversion 4.1.12
  i  Enter 'diversion help' for more options

 Starting pixelserv-tls (Diversion)... done
  ✔  Diversion services enabled

Removing Ad and Tracker 'include: /opt/var/lib/unbound/adblock/adservers'
Removing Ad and Tracker Update cron job

@tomsk please test when convenient, although depending on feedback, I may decide not to keep your suggestion.
 
Hi Martineau..... the switchover for me still fails with unbound not starting because it believes there's still something listening on the port. I tried with DNS privacy disabled but it's still failing..... I remember during one hotfix you removed a delay... does that need to be reintroduced? Any testing or logs you need I will be glad to provide.
Just for your info I rebooted the router just in case it had got itself into a weird place... but still no help.... sorry this is proving to be a hard one to resolve... no pun intended.
 
The Hotfix means unbound no longer listens on ALL/ANY, so it will now ONLY listen on a specific LAN socket (well, two actually), so there is no need for a sleep delay.

So when 'dnsmasq disable' is used and unbound fails to start, what does the following show?
Code:
grep -E -m 1 -A 5 "^port:" /opt/var/lib/unbound/unbound.conf
Is unbound still failing with the message '0.0.0.0 53' ?

EDIT: Corrected command typo :rolleyes:
 
Code:
tOmsK@RT-AC68U-4690:/tmp/home/root# grep -E -m 1 -A 5 "^port:" /opt/var/lib/unbound/unbound.conf
port: 53                                 # v1.08 If 53 (Requires 'port=0' in '/etc/dnsmasq.conf') to answer queries direct from LAN clients
interface: 10.10.10.1                  # v1.01 as per @dave14305 minimal config
#port: 53 #NOdnsmasq                        # v1.08 https://www.snbforums.com/threads/unbound-gui-stats-including-top-blocked-top-replies-todays-replies.63188/
#interface: 0.0.0.0
interface: 127.0.0.1@53
access-control: 10.10.10.1/24 allow

Code:
[1588846817] unbound[25328:0] notice: Start of unbound 1.10.0.
May 07 10:20:17 unbound[25328:0] error: can't bind socket: Address already in use for 10.10.10.1 port 53
May 07 10:20:17 unbound[25328:0] fatal error: could not open ports

The config looks correct... so there won't be a need for any delay to make sure dnsmasq has stopped listening?
There's a chance that the previous hotfix didn't work with DNS privacy off but I never tested that (apologies) as you requested I try with DNS privacy back on.....
 
Can you provide the output from
Code:
netstat -anp | grep LISTEN | grep -v unix | sort -k 4
 
Code:
tOmsK@RT-AC68U-4690:/tmp/home/root# netstat -anp | grep LISTEN | grep -v unix | sort -k 4
tcp        0      0 0.0.0.0:18017           0.0.0.0:*               LISTEN      199/wanduck
tcp        0      0 0.0.0.0:3394            0.0.0.0:*               LISTEN      780/u2ec
tcp        0      0 0.0.0.0:3702            0.0.0.0:*               LISTEN      12550/wsdd2
tcp        0      0 0.0.0.0:5473            0.0.0.0:*               LISTEN      780/u2ec
tcp        0      0 0.0.0.0:7788            0.0.0.0:*               LISTEN      331/cfg_server
tcp        0      0 10.10.10.1:139          0.0.0.0:*               LISTEN      12548/smbd
tcp        0      0 10.10.10.1:22           0.0.0.0:*               LISTEN      216/dropbear
tcp        0      0 10.10.10.1:3838         0.0.0.0:*               LISTEN      781/lpd
tcp        0      0 10.10.10.1:445          0.0.0.0:*               LISTEN      12548/smbd
tcp        0      0 10.10.10.1:515          0.0.0.0:*               LISTEN      781/lpd
tcp        0      0 10.10.10.1:53           0.0.0.0:*               LISTEN      27023/dnsmasq
tcp        0      0 10.10.10.1:80           0.0.0.0:*               LISTEN      275/httpd
tcp        0      0 10.10.10.1:9100         0.0.0.0:*               LISTEN      781/lpd
tcp        0      0 10.10.10.3:443          0.0.0.0:*               LISTEN      1293/pixelserv-tls
tcp        0      0 10.10.10.3:80           0.0.0.0:*               LISTEN      1293/pixelserv-tls
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      12548/smbd
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      12548/smbd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      27023/dnsmasq
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      275/httpd

Just dnsmasq listening with stubby not running
 
Display
Code:
grep -A 1 "port=0" /jffs/configs/dnsmasq.conf.add /etc/dnsmasq.conf
 
Code:
tOmsK@RT-AC68U-4690:/tmp/home/root# grep -A 1 "port=0" /jffs/configs/dnsmasq.conf.add /etc/dnsmasq.conf
/jffs/configs/dnsmasq.conf.add:port=0                           # unbound_manager
/jffs/configs/dnsmasq.conf.add-dhcp-option=lan,6,10.10.10.1      # unbound_manager

I'm guessing it's not there in the dnsmasq conf as that would have been altered back when dnsmasq restarted? ... Does dnsmasq need time to restart with the port=0 config before unbound starts, as dnsmasq itself can't be stopped because the watchdog will restart it?
 
Well, because I'm stupid :oops:........ I have uploaded a Hotfix.....

i.e. I am conscious of the 'assistance' of the watchdog, and I implemented this patch

/opt/etc/init.d/S61unbound
Code:
[ -z "$(grep "^port 53535" /opt/var/lib/unbound/unbound.conf)" ] && service restart_dnsmasq
which clearly you don't have (yet!) but I do :rolleyes:
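As an added example (not unbound_manager's own code) of the pre-flight check this fix implies: the functions below, whose names are my own, derive the sockets unbound will bind from the unbound.conf syntax shown earlier in the thread (global port: plus an interface: addr@port override), look for the process still holding each one in netstat -anp output, and wait for dnsmasq to release port 53 after the port=0 restart instead of letting unbound fail with "Address already in use". It assumes the busybox netstat column layout seen in the listing above and IPv4 interfaces only.

```shell
#!/bin/sh
# Added example, not unbound_manager's own code: a pre-flight check for the
# 'dnsmasq disable' switch-over. It lists the IPv4 sockets that unbound.conf
# will bind (global 'port:' plus any 'interface: addr@port' override), finds
# which process still holds each one in 'netstat -anp' output, and waits for
# dnsmasq to release port 53 instead of letting unbound die with
# "can't bind socket: Address already in use". All sample data is constructed.

SAMPLE_CONF='server:
port: 53                  # answer LAN clients directly
interface: 10.10.10.1
#interface: 0.0.0.0       # commented out, must be ignored
interface: 127.0.0.1@53   # per-interface port override
access-control: 10.10.10.1/24 allow'

SAMPLE_NETSTAT='tcp        0      0 10.10.10.1:53           0.0.0.0:*               LISTEN      27023/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      27023/dnsmasq
tcp        0      0 10.10.10.1:80           0.0.0.0:*               LISTEN      275/httpd'

# unbound_sockets [CONF_FILE]: one ADDR:PORT per active 'interface:' line
# (stdin when no file is given). A first word starting with '#' never matches,
# so commented-out directives are skipped.
unbound_sockets() {
  awk 'BEGIN { port = 53 }                        # unbound default
       $1 == "port:"      { port = $2 }
       $1 == "interface:" { ifaces[++n] = $2 }
       END { for (i = 1; i <= n; i++) {
               s = ifaces[i]
               if (s !~ /@/) s = s "@" port        # no override: global port
               sub(/@/, ":", s); print s } }' "$@"
}

# current_listeners: the live socket table (redefine it to feed canned output).
current_listeners() { netstat -anp 2>/dev/null; }

# listener_on ADDR PORT: read a socket table on stdin and print the "PID/name"
# holding a TCP LISTEN socket on ADDR:PORT, or nothing if that socket is free.
listener_on() {
  awk -v sock="$1:$2" '$1 ~ /^tcp/ && $4 == sock && $6 == "LISTEN" { print $7; exit }'
}

# wait_for_free ADDR PORT [TIMEOUT]: poll once a second until ADDR:PORT is free.
# Returns 0 when free, 1 if a process still holds it after TIMEOUT seconds.
wait_for_free() {
  i=0
  while :; do
    holder="$(current_listeners | listener_on "$1" "$2")"
    [ -z "$holder" ] && return 0
    [ "$i" -ge "${3:-10}" ] && return 1
    echo "$(date +%H:%M:%S) $1:$2 still held by $holder, waiting..."
    i=$((i + 1)); sleep 1
  done
}

# unbound_preflight CONF_FILE [TIMEOUT]: check every socket unbound will bind;
# run it after 'service restart_dnsmasq' (port=0) and before starting unbound.
unbound_preflight() {
  rc=0
  for sock in $(unbound_sockets "$1"); do
    wait_for_free "${sock%:*}" "${sock##*:}" "${2:-10}" \
      || { echo "blocked: $sock"; rc=1; }
  done
  return $rc
}

# Demo on the constructed data (no network access needed).
printf '%s\n' "$SAMPLE_CONF" | unbound_sockets               # 10.10.10.1:53 / 127.0.0.1:53
printf '%s\n' "$SAMPLE_NETSTAT" | listener_on 10.10.10.1 53   # 27023/dnsmasq
```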
 
Yep, that's fixed it! :cool: Very nice... installed the adblock for me and disabled Diversion. I didn't try my luck yet with DNS privacy enabled but will let you know how it pans out.

Code:
    Options: Auto Reply='y' for User Selectable Options ('1  4') unbound Logging,Performance Tweaks

    [✔] unbound Logging
    [✔] Ad and Tracker Blocking (No. of Adblock domains=55204,Blocked Hosts=0,Whitelist=19)
    [✔] unbound CPU/Memory Performance tweaks
    [✔] Router Graphical GUI statistics TAB installed
    [✔] unbound-control FAST response ENABLED
    [✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)

    unbound Memory/Cache:

    'key-cache-size:'    8388608 (8.00 MB)
    'msg-cache-size:'    8388608 (8.00 MB)    0% used 77435    (75.62 KB)
    'rrset-cache-size:'    16777216 (16.00 MB)    2% used 378071    (369.21 KB)

    System Memory/Cache:

                 total       used       free     shared    buffers     cached
    Mem:        255676     154372     101304          0       1632      21616
    -/+ buffers/cache:     131124     124552
    Swap:       524284          0     524284
 
I tried a few dnsmasq disable/enable cycles with DNS privacy on... no hiccups thus far.
 
Seems one restart fixed all my previous issues with unbound as main DNS.
Now even cache hits are at 70% and more.
I am really satisfied now with unbound, thanks all.
 
Dnsmasq disable definitely fixed unbound not working. It actually hit 80% of the DNS traffic. I removed Diversion, keeping Skynet only. My question is what does unbound do with the DNS address in the WAN page, where I can't select the automatic setting?

Sent from my ONEPLUS A6003 using Tapatalk
 
With Unbound you are your own DNS server..... if you do a DNS leak test you should get your own IP address.
Unbound will directly contact the root and top-level servers instead of querying the server you enter into the WAN DNS box.

https://www.geeksforgeeks.org/wp-content/uploads/gq/2017/02/DNS_3.png
 
Dnsmasq disable definitely fixed unbound not working.
I don't understand this statement :confused::confused:

The unbound+dnsmasq combination is proven to be very stable and reliable. Can you explain why you say 'dnsmasq disable' fixed a non-working unbound?

NOTE: Whilst using unbound as the primary DNS server for your LAN (bypassing dnsmasq) does work, it is still an experimental feature. Use at your own risk
 
Experimental feature, if people want to try it. Based on a link posted in the Diversion thread, there seem to be some new ways to block YouTube ads (or at least greatly reduce them).

https://discourse.pi-hole.net/t/youtube-script-seems-to-be-working-very-well/31316/68

Now, I am a YT Premium subscriber, so I don't see ads, but did some testing in an incognito browser, and it seems to be working.

So, I created a new script for unbound in my dev branch. You need to download it and place it next to the gen_adblock.sh file in /opt/var/lib/unbound/adblock/
Code:
https://raw.githubusercontent.com/juched78/Unbound-Asuswrt-Merlin/develop/adblock/gen_ytadblock.sh

Then add a cron job to run every 5 minutes:
Code:
cru a ytadblock "*/5 * * * * /opt/var/lib/unbound/adblock/gen_ytadblock.sh"

What this script does is check the unbound cache for hits to the googlevideo URL as indicated in the discourse thread above. When it finds hits it adds them as local-data items into unbound every 5 minutes.

Unlike the thread above, you don't need to find the IP to use; this script will find the first IP and use it, and store it for future use. So, you simply set it and start watching YT. After 5 minutes, and every 5 minutes, it will check and expand the list, and soon your ads should start stopping or be greatly reduced.

If people want to try it and let me know the results, that would be great. Running the script directly will simply update the list and tell you how many YT domains are being redirected.

Thanks!

Note: This script doesn't restart unbound and doesn't change any settings. To uninstall, simply:
Code:
rm -rf /opt/share/unbound/configs/ipytforce
rm -rf /opt/var/lib/unbound/adblock/gen_ytadblock.sh
rm -rf /opt/var/lib/unbound/adblock/ytadblock

unbound_manager restart
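As an added example, not juched78's gen_ytadblock.sh, here are the steps the post describes (scan the cache for googlevideo A records, pin the first IP, emit local-data entries) run on constructed input; the function names and the sample dump_cache lines are my own, and the pinned-IP file path mentioned in the comment is taken from the uninstall step above.

```shell
#!/bin/sh
# Added example, not juched78's gen_ytadblock.sh: the mechanism described above
# on constructed input. It scans an 'unbound-control dump_cache' style listing
# for googlevideo.com A records, pins the first IP seen (or reuses the one
# saved on an earlier run), and emits the 'local-data:' lines that would point
# every cached googlevideo host at that IP. Nothing is applied to unbound here.
# Sample cache lines are constructed; the addresses are documentation ranges.

SAMPLE_CACHE=';rrset 3599 1 0 3 3
r3---sn-5hne6nzy.googlevideo.com. 3599 IN A 203.0.113.10
;rrset 299 1 0 3 3
r1---sn-q4fl6n7s.googlevideo.com. 299 IN A 203.0.113.44
;rrset 59 1 0 3 3
www.snbforums.com. 59 IN A 198.51.100.7'

# Shared awk filter: cached A records whose owner name is under googlevideo.com.
YT_A='$1 ~ /\.googlevideo\.com\.$/ && $3 == "IN" && $4 == "A"'

# yt_hosts: distinct googlevideo host names (root dot stripped) from stdin.
yt_hosts() { awk "$YT_A"' { sub(/\.$/, "", $1); if (!seen[$1]++) print $1 }'; }

# yt_pick_ip: the first IPv4 address a googlevideo host resolved to, from stdin.
yt_pick_ip() { awk "$YT_A"' { print $5; exit }'; }

# yt_local_data IP: one unbound local-data line per googlevideo host on stdin.
yt_local_data() {
  yt_hosts | while read -r h; do printf 'local-data: "%s A %s"\n' "$h" "$1"; done
}

# yt_update PIN_FILE < cache_dump: pin the IP on the first run, reuse it later,
# and print the local-data lines. In production the input would come from
# 'unbound-control dump_cache', the output would be fed to
# 'unbound-control local_data', and PIN_FILE would be the script's
# /opt/share/unbound/configs/ipytforce (assumed usage; not run here).
yt_update() {
  dump="$(cat)"; ip=""
  [ -s "$1" ] && ip="$(cat "$1")"
  [ -n "$ip" ] || ip="$(printf '%s\n' "$dump" | yt_pick_ip)"
  [ -n "$ip" ] || { echo "no googlevideo A records cached yet" >&2; return 1; }
  printf '%s\n' "$ip" > "$1"
  printf '%s\n' "$dump" | yt_local_data "$ip"
}

# Demo: pin into a temp file and print the generated local-data lines.
PIN="${TMPDIR:-/tmp}/ipytforce.demo"; rm -f "$PIN"
printf '%s\n' "$SAMPLE_CACHE" | yt_update "$PIN"
```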
 