Unbound DNS over TLS Adblock up-to-date root.hints

PavelVD
DD-WRT User


Joined: 26 Jul 2019
Posts: 67

PostPosted: Tue Sep 24, 2019 22:45    Post subject: Reply with quote
Alozaros wrote:
so PavelVD, to my knowledge and understanding..
you run DNSCrypt via Unbound on the same port...
and it doesn't seem right...well, usually DoT uses port 853 externally and any internal port you set for your loopback interface...

well, I don't see any need for both of them apart from the options and settings that unbound does provide...
the same set of features and settings, even more, you might have with DNSCrypt v2,
and no need for unbound to run it...it still does recursive resolving as Stubby does too...if this is your goal...
Then the most interesting thing for me is which of all the above, Stubby, DNSCrypt and Unbound, drains the fewest resources and provides the best and most stable/fast results...?? (they all do recursive resolving)
so far, I'm happy with DNSCrypt and Stubby on my units..

No, I ran Unbound on 127.0.0.1#5153 and DNSCrypt on 192.168.1.1#30. And that was for the test.
There is, apparently, a confusion: dnscrypt-proxy is NOT DNSCrypt2. The proxy is still embedded in our firmware. In combination with Unbound it is good because it allows recursive queries (if I understand everything correctly) and encrypts them, while Unbound caches them.
I found several flaws in the current Unbound and set it aside. I switched to DNSCrypt2 from Entware. In principle it works well, quickly, and does DoH and crypt.
Actually, I would like to return to Unbound in the future. I like that not only my requests are hidden, but also the DNS server that I was accessing. I'm still looking.
It seems that I like the same things as you. But I have not tried Stubby yet.
tinkeruntilitworks
Guest





PostPosted: Tue Sep 24, 2019 22:56    Post subject: Reply with quote
PavelVD wrote:
I found several flaws in the current Unbound and set it aside.


flaws in my setup?

or in how unbound runs on dd-wrt?

or both?
PavelVD
DD-WRT User


Joined: 26 Jul 2019
Posts: 67

PostPosted: Wed Sep 25, 2019 9:56    Post subject: Reply with quote
For the most part, I meant dd-wrt. Some things I can’t configure.
If I prepare ... Not now.
tinkeruntilitworks
Guest





PostPosted: Wed Sep 25, 2019 13:10    Post subject: Reply with quote
thanks for the response

i'm just trying to improve and learn more

i see there is an update coming. maybe that will help resolve some of the issues

https://svn.dd-wrt.com/changeset/41134
PavelVD
DD-WRT User


Joined: 26 Jul 2019
Posts: 67

PostPosted: Wed Sep 25, 2019 13:36    Post subject: Reply with quote
Great news!
So in r41135 is this already included?
And I looked at the errors here: https://github.com/NLnetLabs/unbound/issues
And Changelog is here: https://github.com/NLnetLabs/unbound/blob/release-1.9.3/doc/Changelog

_________________
Linksys WRT1900ACSv2
Automatically adjustable temperature, always within the range of 59-68°С.
tinkeruntilitworks
Guest





PostPosted: Wed Sep 25, 2019 14:20    Post subject: Reply with quote
delete

Last edited by tinkeruntilitworks on Tue Apr 28, 2020 14:18; edited 3 times in total
PavelVD
DD-WRT User


Joined: 26 Jul 2019
Posts: 67

PostPosted: Wed Sep 25, 2019 19:32    Post subject: Reply with quote
I tried 1.9.3 wired now in dd-wrt ... disappointment.
I cannot even get the elementary log file. It seems that everything you need is included:
Code:
logfile: "/jffs/unbound/unbound.log"
verbosity: 1    # tried from 1 to 6
use-syslog: no
log-identity: ""

How can I check the operation of other options if the log does not work?
Has anyone managed to turn it on?

As for the Raspberry Pi: it's a good idea, I have been thinking about it for a long time. I have an orange_pi_pc+ available; maybe a full Unbound can be installed on it? For now it serves other purposes.

tinkeruntilitworks
Guest





PostPosted: Mon Dec 02, 2019 0:30    Post subject: Reply with quote
any other Unbound users out there?
how does this look?
PavelVD
DD-WRT User


Joined: 26 Jul 2019
Posts: 67

PostPosted: Mon Dec 02, 2019 19:00    Post subject: Reply with quote
I made several more attempts to switch to Unbound, but returned to DNSCrypt2 again.

When Unbound starts, the cache is still empty and the first requests take a very long time to process. If you are just browsing web pages, such delays can be tolerated. But there are several TV boxes on my network that fail; they need faster responses. Another nuisance: after a long idle period (overnight, for example) the cache is empty again, and it seems that there is simply no Internet. The "prefetch: yes" parameter in the settings file does not seem to correct this situation.


Please note that the file "named.cache" from the firmware is hopelessly outdated.

Attempts to use Unbound on orange_pi_pc_plus also failed due to the lack of fresh versions - poor support in Armbian.

tinkeruntilitworks
Guest





PostPosted: Mon Dec 02, 2019 20:08    Post subject: Reply with quote
sounds like you're far better off with dnscrypt

*
yeah, the named.cache in the default directory is out of date. one of the steps is downloading a new one into the new directory
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7410
Location: YWG, Canada

PostPosted: Wed Apr 08, 2020 11:32    Post subject: Reply with quote
changing

root-hints: "/etc/unbound/named.cache"

to anything but the default in quotes makes unbound not start.. not even changing it to the /usr/local/etc/ path the custom unbound conf is in. i can't tell if it's actually using it, or the ancient default one. i did manually put an up-to-date named.cache in there anyway.

i also have this in conf:

auth-zone:
    name: "."
    master: 199.7.91.13     # d.root-servers.net
    master: 192.203.230.10  # e.root-servers.net
    master: 192.5.5.241     # f.root-servers.net
    master: 192.58.128.30   # j.root-servers.net
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "root.zone"

in an attempt to use the whole root.zone locally. it does download it to /tmp on start, but again i can't tell if it's using it.. lookup times seem the same.

_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r45460 std
[QUALCOMM] DIR-862L --------------------------------> r45460 std
[QUALCOMM] WNDR4300 v1 --------------------------> r45460 std
[QUALCOMM] DIR-862L --------------------------------> r45460 std
▲ ACTIVE / INACTIVE ▼
[BROADCOM] DIR-860L A1 ----------------------------> r44901 std


If you use DSLReports please enable hi-res bufferbloat.


Sigh.. why do i exist anyway..
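One way to tell whether a shipped named.cache is actually current, as an added example that is not part of the post above or of Unbound/DD-WRT: parse two hints files and list the glue that differs. Both sample files are constructed; the "fresh" one reuses root-server addresses from the auth-zone above, the stale one carries a made-up address from the 192.0.2.0/24 documentation range, and `parse_hints` / `stale_entries` are names chosen here.

```python
"""Compare a root hints file (named.cache / named.root format) against a fresh copy
and list the glue that differs. Added example for this thread; samples are constructed."""
import ipaddress

def parse_hints(text):
    """Return {owner: {(rtype, rdata)}} for the NS, A and AAAA records in a hints file."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # ';' starts a comment
        if len(fields) != 4 or fields[2] not in ("NS", "A", "AAAA"):
            continue                                # header line or unrelated record
        owner, _ttl, rtype, rdata = fields
        if rtype == "NS":
            rdata = rdata.upper()
        else:
            rdata = str(ipaddress.ip_address(rdata))  # normalises; raises on garbage
        records.setdefault(owner.upper(), set()).add((rtype, rdata))
    return records

def stale_entries(old_text, new_text):
    """Return sorted (owner, 'removed'|'added', (rtype, rdata)) tuples where the old
    copy disagrees with the new one; an empty list means the old copy is current."""
    old, new = parse_hints(old_text), parse_hints(new_text)
    diffs = []
    for owner in sorted(set(old) | set(new)):
        for rec in sorted(old.get(owner, set()) - new.get(owner, set())):
            diffs.append((owner, "removed", rec))
        for rec in sorted(new.get(owner, set()) - old.get(owner, set())):
            diffs.append((owner, "added", rec))
    return diffs

OLD_HINTS = """\
; constructed stale copy: one server missing, D carries a made-up old address
.                        3600000      NS    D.ROOT-SERVERS.NET.
.                        3600000      NS    E.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     192.0.2.13
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
"""
NEW_HINTS = """\
; constructed fresh copy built from the root-server addresses quoted in the thread
.                        3600000      NS    D.ROOT-SERVERS.NET.
.                        3600000      NS    E.ROOT-SERVERS.NET.
.                        3600000      NS    F.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
"""

if __name__ == "__main__":
    for owner, change, (rtype, rdata) in stale_entries(OLD_HINTS, NEW_HINTS):
        print(f"{change:7} {owner:24} {rtype:4} {rdata}")
```

Point it at the firmware's /etc/unbound/named.cache and a freshly downloaded copy to see exactly which root servers the router would still be hitting at wrong addresses.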
tinkeruntilitworks
Guest





PostPosted: Thu Apr 09, 2020 14:32    Post subject: Reply with quote
i have limited knowledge and i'm not familiar with your setup

i'm not certain if everything gets implemented in my setup either. it runs well for me but according to the documentation some changes are dependent on how it was installed
Redback813
DD-WRT Novice


Joined: 10 Nov 2015
Posts: 39

PostPosted: Thu Apr 23, 2020 21:26    Post subject: Reply with quote
I can start unbound in the setup of DD-WRT, but for the life of me I cannot find any info on how to use the custom settings of unbound from /jffs/unbound as opposed to the default settings. At present I'm using dnsmasq with great results but wish to play with unbound to see what it can do; any idea, people, on how to get the custom settings up and running?
tinkeruntilitworks
Guest





PostPosted: Thu Apr 23, 2020 21:42    Post subject: Reply with quote
delete

Last edited by tinkeruntilitworks on Tue Apr 28, 2020 14:17; edited 3 times in total
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7410
Location: YWG, Canada

PostPosted: Fri Apr 24, 2020 10:42    Post subject: Reply with quote
this is my current conf for reference.. recursion, no dnssec. still trying to understand some things like target-fetch-policy, auth-zone, and why root-hints can't be changed etc.

Code:

server:
    verbosity: 1
    interface: 0.0.0.0
    outgoing-num-tcp: 15
    incoming-num-tcp: 15
    msg-buffer-size: 65552
    outgoing-range: 4096
    num-queries-per-thread: 2048
    so-rcvbuf: 5m
    so-sndbuf: 5m
    key-cache-size: 8m
    neg-cache-size: 2m
    msg-cache-size: 128m
    rrset-cache-size: 256m
    rrset-roundrobin: yes
    cache-min-ttl: 3600
    infra-host-ttl: 259200
    infra-cache-numhosts: 100000
    serve-expired: yes
    username: ""
    pidfile: "/var/run/unbound.pid"
    root-hints: "/etc/unbound/named.cache"
    auto-trust-anchor-file: ""
    prefetch: yes
    prefetch-key: yes
    target-fetch-policy: "-1 -1 -1 -1 -1"
    harden-short-bufsize: no
    harden-large-queries: no
    minimal-responses: no
    so-reuseport: yes
    num-threads: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    port: 7053
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: 10.150.10.0/24 allow
    access-control: 0.0.0.0/0 refuse
    local-data: "localhost A 127.0.0.1"
auth-zone:
    name: "."
    master: 199.7.91.13          # d.root-servers.net
    master: 192.203.230.10       # e.root-servers.net
    master: 192.5.5.241          # f.root-servers.net
    master: 192.58.128.30        # j.root-servers.net
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: root.zone
python:
remote-control:


running on an x86 with 4gb ram, so adjust accordingly for a weak arm router etc..

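A small lint for the kind of conf posted above, as an added example that is not part of the post or of Unbound: it parses the clause/key structure and flags a wildcard listener combined with an `access-control: 0.0.0.0/0 allow`, a missing DNSSEC trust anchor (the empty `auto-trust-anchor-file` above), and `harden-*` options set to `no`. `POSTED_EXCERPT` is cut from that conf; `parse_unbound_conf` and `lint` are names chosen here.

```python
"""Lint an unbound.conf: a wildcard listener paired with a world-wide allow, a missing
DNSSEC trust anchor, and hardening options switched off. Added example for this thread."""
from collections import defaultdict

def parse_unbound_conf(text):
    """[(clause, {key: [values]})]: 'server:' headers open a clause, 'key: value'
    lines fill it, keys may repeat. Simplification: '#' comments even inside quotes."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                          # clause header such as server:
            current = (key, defaultdict(list))
            clauses.append(current)
        elif current is not None:
            current[1][key].append(value.strip('"'))
    return clauses

def lint(text):
    server = dict(parse_unbound_conf(text)).get("server", {})
    findings = []
    wildcard = any(i.split("@")[0] in ("0.0.0.0", "::", "::0") for i in server.get("interface", []))
    acl = [a.split() for a in server.get("access-control", [])]
    if wildcard and any(a[:2] in (["0.0.0.0/0", "allow"], ["::/0", "allow"]) for a in acl):
        findings.append("open-resolver: wildcard interface with access-control */0 allow")
    anchors = [v for k in ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor")
               for v in server.get(k, []) if v]       # "" counts as no anchor
    if not anchors:
        findings.append("dnssec: no trust anchor configured, answers are not validated")
    for opt in ("harden-short-bufsize", "harden-large-queries", "harden-glue"):
        if "no" in server.get(opt, []):
            findings.append(f"hardening: {opt} is set to no")
    return findings

POSTED_EXCERPT = """\
server:
    interface: 0.0.0.0
    auto-trust-anchor-file: ""
    harden-short-bufsize: no
    harden-large-queries: no
    access-control: 127.0.0.0/8 allow
    access-control: 10.150.10.0/24 allow
    access-control: 0.0.0.0/0 refuse
auth-zone:
    name: "."
    master: 199.7.91.13          # d.root-servers.net
"""
```

Against the posted excerpt the ACL check stays quiet (the 0.0.0.0/0 refuse rule is there) while the DNSSEC finding and two hardening findings fire; swap that refuse for allow and the open-resolver finding appears as well.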