Unbound DNS over TLS Adblock up-to-date root.hints

mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5383
Location: Texas

Posted: Mon Apr 27, 2020 18:04
E900 wrote:
unbound.conf has to be in the /jffs/etc folder or it doesn't work.


E900, yeah, that is correct, glad you finally told 'em.
DD-WRT's default 'unbound' looks in '/jffs/etc/' for its unbound.conf; if it is not there, it creates its own and uses '/tmp/unbound.conf'.
tinkeruntilitworks
Guest





Posted: Mon Apr 27, 2020 19:03
..

Last edited by tinkeruntilitworks on Tue Jun 23, 2020 16:00; edited 1 time in total
E900
DD-WRT Novice


Joined: 05 Mar 2018
Posts: 24
Location: In your Heart

Posted: Mon Apr 27, 2020 21:30
..

Last edited by E900 on Thu May 07, 2020 18:54; edited 7 times in total
jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 129

Posted: Mon Apr 27, 2020 23:33
Thank you for this.

In the additional DNSMasq options I have no-resolv servers, which I have to remove, but what do we need in Static DNS on the Setup page?

Thanks


Last edited by jauch888888 on Tue Apr 28, 2020 13:50; edited 1 time in total
E900
DD-WRT Novice


Joined: 05 Mar 2018
Posts: 24
Location: In your Heart

Posted: Tue Apr 28, 2020 0:07
..

Last edited by E900 on Thu May 07, 2020 18:55; edited 3 times in total
jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 129

Posted: Tue Apr 28, 2020 3:11
E900 wrote:
Pre-reqs:
• Setup -> Basic Setup
  • Recursive DNS Resolving (Unbound): Tick
  • Server IP/Name: 216.239.35.0 or 216.239.35.12 (Google NTP servers)


Do we really need those NTP servers, or can we use a closer one? I use one from pool.ntp.org.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5383
Location: Texas

Posted: Tue Apr 28, 2020 3:37
jauch888888 wrote:
E900 wrote:
Pre-reqs:
• Setup -> Basic Setup
  • Recursive DNS Resolving (Unbound): Tick
  • Server IP/Name: 216.239.35.0 or 216.239.35.12 (Google NTP servers)

Do we really need those NTP servers, or can we use a closer one? I use one from pool.ntp.org.

Set 'Time Zone'
Leave 'Server IP/Name' blank

has always worked for me... and I don't care what the silly DD-WRT 'unbound' wiki says. Mine has always been blank, using unbound or not. DD-WRT will fall back to an NTP IP and do it all just fine by itself.
E900
DD-WRT Novice


Joined: 05 Mar 2018
Posts: 24
Location: In your Heart

Posted: Tue Apr 28, 2020 10:31
jauch888888 wrote:
Do we really need those NTP servers, or can we use a closer one? I use one from pool.ntp.org.

You need to use an IP address for the NTP server instead of the domain name.
http://www.pool.ntp.org/zone/@
Pick your zone and then look up the IP for that domain.

Use PingInfoView to find the best server:
https://www.nirsoft.net/utils/pinginfoview.zip
Input all the IP addresses, ping them and use the one with the lowest ping time.


mrjcd wrote:
Set 'Time Zone'
Leave 'Server IP/Name' blank

has always worked for me... and I don't care what the silly DD-WRT 'unbound' wiki says. Mine has always been blank, using unbound or not. DD-WRT will fall back to an NTP IP and do it all just fine by itself.

In DNSCrypt v2 (DoH), if you do not use the IP address of the NTP server and use the domain name instead, DNSCrypt v2 does not work and you cannot surf the Internet. That's why I always use the IP address of the NTP server, to avoid problems.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5383
Location: Texas

Posted: Tue Apr 28, 2020 10:56
E900 wrote:
if you do not use the IP address of the NTP server and use your domain name
That is NOT what I said.
I wrote:
Set 'Time Zone'
Leave 'Server IP/Name' blank

DD-WRT has built-in NTP by IP address
E900
DD-WRT Novice


Joined: 05 Mar 2018
Posts: 24
Location: In your Heart

Posted: Tue Apr 28, 2020 11:21
mrjcd wrote:
DD-WRT has built-in NTP by IP address

But it is not bad to be cautious to avoid problems, like the one I mentioned earlier.
jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 129

Posted: Tue Apr 28, 2020 16:34
Is it best to use 2 DNS servers from the same provider? And I guess two is enough, no need to add 3 or 4?

BTW, a big difference in latency. I tested with namebench (cache latency bench): no DoT (my ISP's DNS servers) vs 4 DNS servers (DoT), one at a time.

My ISP: 44 ms average, vs 150 to 300 ms for CleanBrowsing, AdGuard, Quad9, Cloudflare etc.

thanks
tinkeruntilitworks
Guest





Posted: Tue Apr 28, 2020 18:55
..

Last edited by tinkeruntilitworks on Tue Jun 23, 2020 15:59; edited 1 time in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4098
Location: UK, London, just across the river..

Posted: Thu Apr 30, 2020 7:17
jauch888888 wrote:
Is it best to use 2 DNS servers from the same provider? And I guess two is enough, no need to add 3 or 4?

BTW, a big difference in latency. I tested with namebench (cache latency bench): no DoT (my ISP's DNS servers) vs 4 DNS servers (DoT), one at a time.

My ISP: 44 ms average, vs 150 to 300 ms for CleanBrowsing, AdGuard, Quad9, Cloudflare etc.

thanks


Encrypted vs non-encrypted: it takes resources and time...
ISP vs public DNS: which is closer??
So what do you expect...?
ISP DNS: is it safe, and do they not collect logs??
Public encrypted DNS (DoT): how did you test it... what did you use, any settings to share/expose? Otherwise how could we guess?
When you need help, be more specific... what did you do, what settings did you have, different tries and so on...

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 44538 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 45229 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 45454 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 44719 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 45454 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 129

Posted: Thu Apr 30, 2020 11:43
Alozaros wrote:
jauch888888 wrote:
Is it best to use 2 DNS servers from the same provider? And I guess two is enough, no need to add 3 or 4?

BTW, a big difference in latency. I tested with namebench (cache latency bench): no DoT (my ISP's DNS servers) vs 4 DNS servers (DoT), one at a time.

My ISP: 44 ms average, vs 150 to 300 ms for CleanBrowsing, AdGuard, Quad9, Cloudflare etc.

thanks


Encrypted vs non-encrypted: it takes resources and time...
ISP vs public DNS: which is closer??
So what do you expect...?
ISP DNS: is it safe, and do they not collect logs??
Public encrypted DNS (DoT): how did you test it... what did you use, any settings to share/expose? Otherwise how could we guess?
When you need help, be more specific... what did you do, what settings did you have, different tries and so on...


As I wrote, I used namebench and I tested the cache latency.


The performance between the router and a DoT server: so I configured DoT on the router to use only the one server I wanted to test, then set up namebench so that it only tests the router's IP address and only tests 100% cache misses.

I have an R7800 and the latest build.

EDIT: finally I found the fastest; it is the new one, NextDNS... impressive.
40 ms latency, Stubby.
tinkeruntilitworks
Guest





Posted: Fri Jun 05, 2020 20:20
You can use a USB drive mounted to jffs as well. You have to add a sleep and an unbound restart in your startup script though; if not, the router's default conf will be used. 2 seconds works for me. Test with:
Code:
ps | grep unbound

Example startup script:
Code:
sleep 2
stopservice unbound
startservice unbound

With changeset 43433 of DD-WRT, if more than 1 CPU is used, 'so-reuseport: no' becomes the default setting. Using the default conf it is added automatically. I'm not certain what happens with a custom conf, so for good practice add it to your conf:
Code:
so-reuseport: no

Root hints get updated monthly, so you shouldn't need to update that often, but every so often is a good idea:
Code:
curl -sS --output /jffs/etc/root.hints https://www.internic.net/domain/named.cache
stopservice unbound
startservice unbound
ps | grep unbound

In the DD-WRT v3.0-r44048 std (08/02/20) build there was an Unbound update. So far I've noticed that when Unbound restarts it now prints stats to the system log. You can view them whenever you want by running the following on the command line:
Code:
unbound-control stats_noreset

if you add the following to your unbound.conf:
Code:
control-enable: yes
control-use-cert: no

For testing purposes/curiosity, add the following. It creates a log file and shows a lot of information:
Code:
verbosity: 5
extended-statistics: yes
logfile: "/jffs/etc/unbound.log"
log-time-ascii: yes
log-queries: yes
log-replies: yes
log-tag-queryreply: yes
log-local-actions: yes
log-servfail: yes
control-enable: yes
control-use-cert: no

*August 17th 2020

An example conf, because it seems it matters where the sections are placed:
Code:
cat << EOF > /jffs/etc/unbound.conf
server:
verbosity: 5
extended-statistics: yes
num-threads: 2
interface: 127.0.0.1@7053
outgoing-range: 462
so-reuseport: no
msg-buffer-size: 8192
msg-cache-size: 1m
msg-cache-slabs: 2
num-queries-per-thread: 30
rrset-cache-size: 2m
rrset-cache-slabs: 2
infra-cache-slabs: 2
infra-cache-numhosts: 200
udp-upstream-without-downstream: yes
access-control: 192.168.1.1/24 allow
chroot: "/jffs/etc"
username: ""
directory: "/jffs/etc"
logfile: "/jffs/etc/unbound.log"
log-time-ascii: yes
log-queries: yes
log-replies: yes
log-tag-queryreply: yes
log-local-actions: yes
log-servfail: yes
pidfile: "/var/run/unbound.pid"
root-hints: "/jffs/etc/root.hints"
target-fetch-policy: "2 1 0 0 0 0"
harden-short-bufsize: yes
harden-large-queries: yes
auto-trust-anchor-file: "/jffs/etc/root.key"
key-cache-size: 100k
key-cache-slabs: 2
neg-cache-size: 10k
include: "/jffs/etc/blockedhosts.conf"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
python:
remote-control:
control-enable: yes
control-use-cert: no
forward-zone:
name: "."
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-tls-upstream: yes
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "root.zone"
EOF
stopservice unbound
startservice unbound
ps | grep unbound

*August 21st 2020
Thanks BrainSlayer
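As an added example (it is not from this thread and not DD-WRT's or Unbound's own code), the shell script below packages the root-hints refresh and the stop/start/ps sequence from the post above into functions that check the downloaded file before it replaces the live one, so a failed or intercepted download (an empty file, a captive-portal or error page in HTML) is never handed to Unbound. The URL, the /jffs/etc/root.hints path and the stopservice/startservice commands are the ones used in the thread; the sanity-check rules, the --fail flag, the helper names and the constructed sample hints file are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: refresh Unbound's root hints on DD-WRT
# only after the download has been checked. Helper names and the check rules
# are assumptions; the sample file only mirrors the named.cache layout.

HINTS_URL="https://www.internic.net/domain/named.cache"
HINTS_FILE="${HINTS_FILE:-/jffs/etc/root.hints}"

# check_root_hints FILE
# Returns 0 only if FILE looks like a real root hints file: non-empty, not an
# HTML page, at least one NS record for the root zone and at least one A or
# AAAA glue record for a root server.
check_root_hints() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -qi '<html' "$f" && return 1
    grep -qE '^\.[[:space:]]+[0-9]+[[:space:]]+NS[[:space:]]' "$f" || return 1
    grep -qE '^[A-M]\.ROOT-SERVERS\.NET\.[[:space:]]+[0-9]+[[:space:]]+(A|AAAA)[[:space:]]' "$f" || return 1
    return 0
}

# restart_unbound: the stop/start sequence from the thread, followed by the
# short sleep the post recommends and a check that the daemon came back.
restart_unbound() {
    stopservice unbound
    startservice unbound
    sleep 2
    ps | grep -q '[u]nbound'
}

# update_root_hints: download to a temporary file, validate it, then replace
# the live file with mv (atomic on the same filesystem) and restart Unbound.
# On any failure the existing root.hints is left untouched.
update_root_hints() {
    tmp="$HINTS_FILE.new"
    if ! curl -sS --fail --output "$tmp" "$HINTS_URL"; then
        rm -f "$tmp"
        echo "download failed, keeping existing $HINTS_FILE" >&2
        return 1
    fi
    if ! check_root_hints "$tmp"; then
        rm -f "$tmp"
        echo "downloaded file failed the sanity check, keeping existing $HINTS_FILE" >&2
        return 1
    fi
    mv "$tmp" "$HINTS_FILE" && restart_unbound
}

# make_sample_hints FILE: write a constructed one-server sample in the
# named.cache layout, used to exercise check_root_hints offline.
make_sample_hints() {
    cat > "$1" <<'EOF'
; constructed sample in named.cache format (not the real file)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
EOF
}

# The update runs only when invoked as: sh update-root-hints.sh update
case "${1:-}" in
    update) update_root_hints ;;
esac
```

Save it to /jffs/etc and call it with the "update" argument from a cron entry or by hand; because the live file is only replaced after the check passes, a transient network problem leaves the previous hints in place and Unbound keeps resolving.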