Unbound DNS over TLS Adblock up-to-date root.hints

mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 739
Location: Hung Hom, Hong Kong

Posted: Sun Nov 29, 2020 10:34
Here is my custom /jffs/etc/unbound.conf minced with some notes and comments:

History:
Edited 02 Dec 2020
Edited 03 Dec 2020

This is a result of copying others' work without much study. Not recommended. Use the newer one I posted below.
Code:

#
# source: https://0xcb.dev/unbound-recursive-dns-resolver/
#
# curl -sS -L --compressed "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" > /tmp/blockedhosts
# grep '^0\.0\.0\.0' /tmp/blockedhosts | awk '{print "local-data: \""$2" A 127.0.0.1\""}' > /jffs/etc/blockedhosts.conf
#
# reference: https://calomel.org/unbound_dns.html
#
# /jffs/etc/root.zone came from https://data.iana.org/root-anchors/root-anchors.xml
#
# Trust anchors: https://data.iana.org/root-anchors/
#
# Official root files: https://www.iana.org/domains/root/files
#
# # Default ntp server for process_monitor without DNS: 212.18.3.19
#
server:
interface: 0.0.0.0
do-tcp: yes
do-ip6: no
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
#
username: ""
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
#
verbosity: 1
log-servfail: yes
extended-statistics: yes
#
# reference: https://nlnetlabs.nl/documentation/unbound/howto-anchor/
#
# The unbound-anchor tool provides an initial anchor from builtin values,
# but for real trust you should check this thoroughly.
#
auto-trust-anchor-file: "/etc/unbound/root.key"
root-hints: "/etc/unbound/named.cache"
#
hide-identity: yes
hide-version: yes
harden-short-bufsize: yes
harden-large-queries: yes
# harden-glue: yes
#
minimal-responses: yes
qname-minimisation: yes
prefetch: yes
prefetch-key: yes
rrset-roundrobin: yes
#
# following parameter disabled TLS
# use-caps-for-id: yes
#
# Performance tuning:
#
num-queries-per-thread: 2048
outgoing-range: 2048
edns-buffer-size: 1472
msg-cache-size: 67108864
rrset-cache-size: 128525653
#
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
infra-cache-slabs: 1
key-cache-slabs: 1
#
local-zone: "my_domain.com." static
local-data: "rt-n18u.my_domain.com. IN A 192.168.1.1"
local-data-ptr: "192.168.1.1 rt-n18u.my_domain.com"
#
# for using custom time server name in Time Settings
# local-data: "time.hko.hk IN A 118.143.17.82"
#
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.0.0.1@853#one.one.one.one
  forward-addr: 1.1.1.1@853#one.one.one.one
  forward-addr: 8.8.4.4@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
#
auth-zone:
  name: "."
# https://www.iana.org/domains/root/servers
  master: 192.41.0.4
  master: 199.9.14.201
  master: 192.33.4.12
  master: 199.7.91.13
  master: 192.203.230.10
  master: 192.5.5.241
  fallback-enabled: yes
  for-downstream: no
  for-upstream: yes
#  zonefile: "root.zone"
#  url: "https://www.internic.net/domain/root.zone"
#
# unbound-checkconf unbound.conf
# stopservice unbound
# startservice unbound
# ps | grep unbound
#
# To test DNSSEC:
#
# https://1.1.1.1/help
# https://www.cloudflare.com/ssl/encrypted-sni/
# https://dnssec.vs.uni-due.de/
#
# reference: https://wiki.archlinux.org/index.php/unbound#Setting_up_unbound-control
# reference: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325167
#
# run unbound-control-setup to generate certs
#
# echo dumping & reloading cache...
# unbound-control dump_cache > $DIR/cache
# echo backing up the dns cache...
# cat cache > $DIR/backup/cache$(date +%Y-%m-%d).bak
# cat $DIR/cache | unbound-control load_cache
#
remote-control:
  control-interface: 127.0.0.1
  control-use-cert: no
  control-enable: yes

Some interesting articles:

Unbound recursive DNS resolver - Burns
https://0xcb.dev/unbound-recursive-dns-resolver/

Unbound DNS Tutorial
https://calomel.org/unbound_dns.html

https://tools.ietf.org/html/rfc7958#section-2.1.3

https://www.iana.org/domains/root/files


_________________
Router: Asus RT-N18U (rev. A1)

May the Force and farces be with you! Live long and proper!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832


Last edited by mwchang on Thu Dec 10, 2020 14:55; edited 11 times in total
mwchang
Posted: Sun Nov 29, 2020 14:02
BTW, I found Cloudflare's DNS is relatively slower than Google's DNS.

There's sometimes a very short delay when going to some overseas websites from Hong Kong. Local websites are less affected. Cloudflare did connect my router to its HKG DNS servers.

I didn't benchmark them though using tracert or other tools.... :)


itwontbewe
DD-WRT User


Joined: 29 Sep 2020
Posts: 114

Posted: Sun Nov 29, 2020 15:02
yea speeds will vary for everyone. i would prefer quad9 but cloudflare is noticeably faster for me right now.

thanks for sharing your setup. i'll check it out

** a couple notes about the op of this thread. i noticed AdGuard DNS has new addresses

and the quad9 no security will do DoT but not DNSSEC so they won't work properly
Code:
forward-addr: 9.9.9.10@853#dns-nosec.quad9.net
forward-addr: 149.112.112.10@853#dns-nosec.quad9.net

*** i'll add my setup on a Netgear R7000P DD-WRT v3.0-r45592 std (01/28/21) and add archlinux Unbound to consulted sites

Setup/Basic Setup
Shortcut Forwarding Engine: Disable
Recursive DNS Resolving (Unbound): Enable
NTP Client- Time Zone: Set
Services/Services
Secure Shell- SSHd: Enable

JFFS2
Administration/Management
JFFS2 Support
Internal Flash Storage: Enable
Clean Internal Flash Storage: Enable
or
USB
Services/USB
Core USB Support: Enable
USB Storage Support: Enable
Automatic Drive Mount: Enable
USB with EXT2 partition with Label jffs plugged in a USB port
Administration/Command
Paste
Code:
sleep 3
stopservice unbound
startservice unbound

Click Save Startup button * your router might not need the startup script. see below

Unbound set up run in CLI: (Do a Reboot first)
Code:
mkdir -p /jffs/etc/unbound
# blocking
# https://github.com/StevenBlack/hosts
# Example configuration file.
# You can override certain queries with
# local-data: "adserver.example.com A 127.0.0.1"
curl -sS --output /tmp/override https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
grep '^0\.0\.0\.0' /tmp/override | awk '{print "local-data: \""$2" A 127.0.0.1\""}' > /jffs/etc/unbound/override.conf
rm -r /tmp/override
# root files
# https://www.iana.org/domains/root/files
curl -sS --output /jffs/etc/unbound/named.root https://www.internic.net/domain/named.root
curl -sS --output /jffs/etc/unbound/root.zone https://www.internic.net/domain/root.zone
cp /etc/unbound/root.key /jffs/etc/unbound
cp /etc/unbound/unbound.conf /jffs/etc/unbound
> /jffs/etc/unbound.conf
cat << EOF > /jffs/etc/unbound.conf
server:
num-threads: 2
interface: 0.0.0.0@7053
outgoing-range: 462
num-queries-per-thread: 231
cache-max-ttl: 14400
access-control: 192.168.1.1/24 allow
chroot: "/jffs/etc"
username: ""
directory: "/jffs/etc/unbound"
pidfile: "/var/run/unbound.pid"
root-hints: "/jffs/etc/unbound/named.root"
auto-trust-anchor-file: "/jffs/etc/unbound/root.key"
include: "/jffs/etc/unbound/override.conf"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
remote-control:
control-enable: yes
control-use-cert: no
forward-zone:
name: "."
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-tls-upstream: yes
auth-zone:
name: "."
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "root.zone"   
EOF
stopservice unbound
startservice unbound
ps | grep unbound

* after setup do another reboot and run the below in CLI to see if your conf is being used
Code:
ps | grep unbound



Last edited by itwontbewe on Thu Feb 04, 2021 19:23; edited 23 times in total
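
The blocklist step in the setup above copies the second column of the downloaded hosts file straight into a file that Unbound includes. As an added example (not part of the original posts), here is the same conversion with each name validated first, so a malformed entry cannot break the included config; the function names and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example: hosts-format blocklist -> Unbound local-data lines,
# keeping only syntactically valid host names.

# Constructed sample input (not real blocklist content).
SAMPLE_HOSTS='# constructed sample in hosts format
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET  # trailing comment
0.0.0.0 ads.example.com
0.0.0.0 bad"quote.example.com
0.0.0.0 nodot
0.0.0.0 -leading-hyphen.example.org'

# hosts_to_local_data: hosts text on stdin, local-data lines on stdout.
hosts_to_local_data() {
    tr -d '\r' | awk '
        $1 != "0.0.0.0" { next }      # only sinkhole entries, as in the post
        {
            name = tolower($2)
            if (name == "0.0.0.0" || length(name) > 253) next
            # Letters, digits, "_", "-" and "." only, at least two labels.
            # A double quote or any other character is rejected, so the
            # quoted local-data string cannot be terminated early.
            if (name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) next
            n = split(name, label, ".")
            for (i = 1; i <= n; i++) if (length(label[i]) > 63) next
            if (seen[name]++) next    # drop duplicates
            printf "local-data: \"%s A 127.0.0.1\"\n", name
        }'
}

# update_blocklist SRC DEST: build DEST from hosts file SRC through a temp
# file; an empty result leaves the previous DEST untouched and returns 1.
update_blocklist() {
    src=$1
    dest=$2
    tmp="$dest.tmp.$$"
    hosts_to_local_data < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# Demo on the constructed sample: prints the two accepted entries.
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_local_data
```

On the router, point update_blocklist at the downloaded hosts file and /jffs/etc/unbound/override.conf, then run unbound-checkconf before restarting the service.
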
mwchang
Posted: Mon Nov 30, 2020 15:07
itwontbewe wrote:
a couple notes from the op of this thread. i noticed AdGuard DNS has new addresses

and the quad9 no security will do DoT but not DNSSEC so they won't work properly
Code:
forward-addr: 9.9.9.10@853#dns-nosec.quad9.net
forward-addr: 149.112.112.10@853#dns-nosec.quad9.net

From https://www.quad9.net/faq/#Does_Quad9_implement_DNSSEC
Code:

Is there a service that Quad9 offers that does not have the blocklist or other security?

The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features. However, we do provide an unsecured service and it can be helpful in determining if there are false positives in the Quad9 threat feed or DNSSEC errors with a specific domain.

Unsecured IP: 9.9.9.10 Provides: No security blocklist, no DNSSEC, No EDNS Client-Subnet sent. Please use the unsecured secondary address of 149.112.112.10

IPv6: 2620:fe::10, 2620:fe::fe:10

Note: We do not recommend mixing the secure and unsecured IP addresses in the same configuration. Your devices will not be protected 100% of the time and it leads to confusion when debugging potential problems.

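
The Quad9 note quoted above warns against mixing the secured and unsecured addresses in one configuration. As an added example (not part of the original posts), this check reads an unbound.conf and reports that mix, plus DoT forwarders that have no `#name` for Unbound to check the upstream certificate against and a missing tls-cert-bundle; the finding labels and the sample config are made up for illustration, and a single forward-zone is assumed, as in the configs in this thread.

```shell
#!/bin/sh
# Added example: audit the forward-addr lines of an unbound.conf.

# Constructed sample, not a config from the thread.
SAMPLE_CONF='# constructed sample
server:
  tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
forward-zone:
  name: "."
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.10@853#dns-nosec.quad9.net
  forward-addr: 1.1.1.1@853
  forward-tls-upstream: yes'

# audit_forwarders: unbound.conf on stdin, one finding per line on stdout
# (no output when the forwarder list is consistent).
audit_forwarders() {
    awk '
        /^[ \t]*#/ { next }                        # whole-line comments
        $1 ~ /^(forward-tls-upstream|tls-upstream|ssl-upstream):$/ && $2 == "yes" { tls = 1 }
        $1 == "tls-cert-bundle:" && $2 != "\"\"" { bundle = 1 }
        $1 == "forward-addr:" {
            addr = $2; name = ""
            h = index(addr, "#")                   # "#" starts the TLS auth name
            if (h) { name = substr(addr, h + 1); addr = substr(addr, 1, h - 1) }
            a = index(addr, "@")                   # "@" starts the port
            if (a) addr = substr(addr, 1, a - 1)
            n++; ip[n] = addr; auth[n] = name
        }
        END {
            for (i = 1; i <= n; i++) {
                # Without an auth name there is nothing to match the
                # upstream certificate against.
                if (tls && auth[i] == "") print "NO_AUTH_NAME " ip[i]
                # Quad9 addresses as listed in the FAQ text quoted above.
                if (ip[i] == "9.9.9.9" || ip[i] == "149.112.112.112") sec++
                if (ip[i] == "9.9.9.10" || ip[i] == "149.112.112.10") unsec++
            }
            if (sec && unsec) print "MIXED_QUAD9 secure=" sec " unsecured=" unsec
            if (tls && !bundle) print "NO_CERT_BUNDLE"
        }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | audit_forwarders
```
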
mwchang
Posted: Tue Dec 01, 2020 11:06
It seemed that Cloudflare 1.1.1.1 DNSSEC could not handle "use-caps-for-id: yes". This parameter affected the test result in http://1.1.1.1/help, notably the entry "Using DNS over TLS (DoT)"! And that test page might not be valid for other DNSSEC servers (Google, Quad9).

Is there a non-Cloudflare-specific DNSSEC server test page? :)

Also, I have found another method to run Unbound. So my previous config file might not be simple enough. You don't have to copy/create your own root files and anchors in /jffs/etc/, even the chroot and pid file location might not be necessary.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1146717
Code:
I managed to get this working using unbound from opkg and pointing dnsmasq at it to handle the queries.

unbound -v -c /opt/etc/unbound/unbound.conf

interface: 0.0.0.0@53535

dig @127.0.0.1 -p 53535 www.example.com


----- add additional options to DNSMasq on DD-WRT --> Services Web Page -----
no-resolv
server=127.0.0.1#53535

Setup your DHCP static dns to be your DD-WRT IP address.



mwchang
Posted: Tue Dec 01, 2020 15:30
itwontbewe wrote:
yea speeds will vary for everyone. i would prefer quad9 but cloudflare is noticeably faster for me right now.

Tonight, I modified unbound.conf to use Quad 1. Cloudflare HKG's DNSSEC was absolutely slow ... it's peak hour, but it's just not smooth.

I have a conspiracy theory: my browsing habit was too FAST for Cloudflare's intended design (the firewall?). I think Cloudflare thought I was doing DDoS because I went from site to site too fast... :)

OK, let me remove all those performance tuning stuff in unbound.conf I copied from others' posts.

Update@03 Dec:

Removing performance tuning stuff didn't solve the problem. It seemed the problem was a result of port conflict between dnsmasq and unbound. The dnsmasq settings for use with Unbound I copied from some guides were not 100% correct or incomplete.


mwchang
Posted: Thu Dec 03, 2020 4:52
I found an interesting article regarding Unbound and DNS over HTTP. It's about unbound 1.8.1 ...

Unbound SNI on DoT
https://forum.turris.cz/t/unbound-sni-on-dot/8292
Code:
In order to provide SNI support on DoT a patch is being provided by unbound master

unbound version bump 1.8.1
https://gitlab.nic.cz/turris/turris-os-packages/-/issues/220#note_87981

mwchang
Posted: Thu Dec 03, 2020 7:46
One more issue when using Unbound:

If you have:

1. ticked "Ignore WAN DNS" in "WAN Connection Type"
2. un-ticked "Use DNSmasq for DNS"
3. filled in a time server name in Basic-Setup->Time Settings

Then process_monitor has no DNS server to use when setting initial system time during startup. Unbound will refuse to work (but is still loaded) because of inaccurate date-time, and hence no DNS service for both WAN and LAN.

You need to blank the custom time server name in Basic Setup->Time Settings, so that process_monitor uses its hard-coded NTP server address "212.18.3.19" (which is pool.ntp.org). Once time is set correctly during startup, unbound works. I heard that iOS is also using a hard-coded time server IP address as well!

If you insist on using your own NTP server in Time Settings, insert a local-data record in unbound.conf to resolve that time server name. Alternatively, fill in an IP address instead of a name in Basic Setup->Time Settings so that a DNS server is not needed by process_monitor during startup.

You might ask why "Ignore WAN DNS" is ticked in the first place. Well, that guarantees Unbound is the only DNS server in your LAN.

Lastly on user interface:

I don't know whether that Time Settings->"Server IP/Name" field supports IPv6 addresses. Add a special DNS server entry there?

Maybe it's a good idea to only allow IP addresses in that field? Also, should this field in the WEBUI display the hard-coded "212.18.3.19" by default?

Also, should process_monitor auto-magically fall back to its hard-coded NTP server if users fill in wrong values or an unreachable server IP/name there, and log an entry in /var/log/messages?


mwchang
Posted: Mon Dec 07, 2020 15:51
Post subject: Why is Firefox implementing DoH and not DoT?
Source: https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs#w_why-is-firefox-implementing-doh-and-not-dot

Why is Firefox implementing DoH and not DoT?

The IETF has standardized two DNS over secure transport protocols: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). These two protocols have broadly similar security and privacy properties. We chose DoH because we believe it is a better fit for our existing mature browser networking stack (which is focused on HTTP) and provides better support for future protocol features such as HTTP/DNS multiplexing and QUIC.

DNS over HTTPS - the good, the bad and the ugly
https://archive.fosdem.org/2019/schedule/event/dns_over_http/


mwchang
Posted: Mon Dec 07, 2020 16:10
New unbound.conf, which enabled port 853. Spent some time checking settings and their effects.

edited: 09 Dec 2020 - use primary in auth-zone, remove prefetch
edited: 10 Dec 2020 - take out root.hints & performance stuff
edited: 11 Dec 2020 - do-not-query-localhost, private-domain
edited: 06 Jan 2021 - misunderstood "primary" option in auth-zone
Code:

#
# source: https://0xcb.dev/unbound-recursive-dns-resolver/
#
# curl -sS -L --compressed "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" > /tmp/blockedhosts
# grep '^0\.0\.0\.0' /tmp/blockedhosts | awk '{print "local-data: \""$2" A 127.0.0.1\""}' > /jffs/etc/blockedhosts.conf
#
# reference: https://calomel.org/unbound_dns.html
#
# /jffs/etc/root.zone came from https://data.iana.org/root-anchors/root-anchors.xml
#
# Trust anchors: https://data.iana.org/root-anchors/
#
# Official root files: https://www.iana.org/domains/root/files
#
# Default ntp server for process_monitor without DNS: 212.18.3.19
#
# Additional options for dnsmasq:
#
# WAN Setup -> Ignore WAN DNS = Yes
# Network Setup -> Local DNS = 192.168.1.1
# Use DNSMasq for DNS = No
# DHCP-Authoritative = Yes
# Recursive DNS Resolving (Unbound) = Yes
# Additional DNSmasq Options:
#    cache-size=0
# Setup -> Time Settings -> Server IP/Name: blank!
#
# The last setting is important when Unbound is
# the only DNS. It affects process_monitor from
# setting the correct time in order for Unbound
# to work. It forces process_monitor to use
# built-in hard-coded setting to get time even
# when DNS server is not available. Better, fill
# in IP address of preferred NTP server instead of domain name!
#
server:
#
# https://nurdletech.com/linux-notes/dns/unbound.html
# enable port 853
#
tls-service-key: "/etc/key.pem"
tls-service-pem: "/etc/cert.pem"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
interface: 127.0.0.1@853
#
interface: 0.0.0.0
outgoing-port-avoid: 0-32767
do-tcp: yes
do-udp: yes
do-ip4: yes
do-ip6: no
access-control: 127.0.0.0/8 allow
# LAN only (was 192.168.1.0/8; a /8 prefix covers all of 192.0.0.0/8)
access-control: 192.168.1.0/24 allow
#
username: ""
#
verbosity: 1
log-servfail: yes
log-time-ascii: yes
extended-statistics: yes
logfile: "/var/log/unbound.log"
#
# reference: https://nlnetlabs.nl/documentation/unbound/howto-anchor/
#
# The unbound-anchor tool provides an initial anchor from builtin values,
# but for real trust you should check this thoroughly.
#
auto-trust-anchor-file: "/etc/unbound/root.key"
#
# Since I have auth-zone for ".", no need to use
# root-hints: "/etc/unbound/named.cache"
# And it seemed it's after this way
#
identity: ".."
hide-identity: yes
hide-version: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
#
minimal-responses: yes
qname-minimisation: yes
#
# not that helpful based on unbound stats
# prefetch: yes
# prefetch-key: yes
#
rrset-roundrobin: yes
ssl-upstream: yes
#
# following parameter disabled TLS
# use-caps-for-id: yes
#
# Performance tuning:
#
edns-buffer-size: 1472
#
# For use at your discretion:
#
# num-queries-per-thread: 2048
# outgoing-range: 2048
# msg-cache-size: 67108864
# rrset-cache-size: 128525653
#
# num-threads: 1
# msg-cache-slabs: 1
# rrset-cache-slabs: 1
# infra-cache-slabs: 1
# key-cache-slabs: 1
#
private-domain: "my_domain.com"
domain-insecure: "my_domain.com"
#
# do not use the following line
# do-not-query-localhost: no
#
local-zone: "my_domain.com." static
local-data: "router.my_domain.com. IN A 192.168.1.1"
local-data-ptr: "192.168.1.1 router.my_domain.com"
#
# for using custom time server name in Time Settings
# local-data: "time.hko.hk IN A 118.143.17.82"
#
forward-zone:
  name: "."
#  forward-first: yes
  forward-tls-upstream: yes
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#one.one.one.one
#
# To test setup using Cloudflare's page,
# comment out following non-Cloudflare servers!
#
  forward-addr: 8.8.4.4@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
#
auth-zone:
  name: "."
# https://www.iana.org/domains/root/servers
  master: 192.41.0.4
  master: 199.9.14.201
  master: 192.33.4.12
  master: 199.7.91.13
  master: 192.203.230.10
  master: 192.5.5.241
  fallback-enabled: yes
  for-downstream: no
  for-upstream: yes
#
#  zonefile: "root.zone"
#  url: "https://www.internic.net/domain/root.zone"
#
auth-zone:
  name: "my_domain.com"
  for-downstream: yes
  for-upstream: yes
#
# unbound-checkconf unbound.conf
# stopservice unbound
# startservice unbound
# ps | grep unbound
#
# To test DNSSEC:
#
# https://1.1.1.1/help
# https://www.cloudflare.com/ssl/encrypted-sni/
# https://dnssec.vs.uni-due.de/
# openssl s_client -connect 1.1.1.1:853
# openssl s_client -connect localhost:853
#
# reference: https://wiki.archlinux.org/index.php/unbound#Setting_up_unbound-control
# reference: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325167
# reference: https://www.saic.it/how-to-install-and-configure-cache-only-dns-server-with-unbound-in-rhel-centos-7/
#
# run unbound-control-setup to generate certs
#
# echo dumping & reloading cache...
# unbound-control dump_cache > $DIR/cache
# echo backing up the dns cache...
# cat cache > $DIR/backup/cache$(date +%Y-%m-%d).bak
# cat $DIR/cache | unbound-control load_cache
#
##!/bin/sh
# mapfile -t NSArray < <(unbound-control dump_cache |  grep -P "IN   NS" | sed '/NSEC/d')
# for (( i=0; i<${#NSArray[@]}; i++ )); do
#   IFS=$'   ' read -r zone ttl ignore2 ignore3 nameserver  <<< "${NSArray[i]}"
#   if [[ $(echo "${zone::-1}" | grep '.') ]]; then
#      echo "${nameserver}"
#   fi
# done
#
# unbound-control stats | grep total
#
remote-control:
  control-interface: 127.0.0.1
  control-use-cert: no
  control-enable: yes


Some interesting articles:

Unbound recursive DNS resolver - Burns
https://0xcb.dev/unbound-recursive-dns-resolver/

Unbound DNS Tutorial
https://calomel.org/unbound_dns.html

https://tools.ietf.org/html/rfc7958#section-2.1.3

https://www.iana.org/domains/root/files

