You can use a USB drive mounted to jffs as well. You have to add a sleep and an Unbound restart to your startup script though; if not, the router's default conf will be used. 2 works for me. Test with
Code:
ps | grep unbound
Example startup script:
Code:
sleep 2
stopservice unbound
startservice unbound
With DD-WRT changeset 43433, if more than 1 CPU is used, so-reuseport: no becomes the default setting. Using the default conf it is added automatically. I'm not certain what happens with a custom conf, so for good practice add it to your conf.
Code:
so-reuseport: no
Root hints get updated monthly. You shouldn't need to update that often, but every so often is a good idea.
In the DD-WRT v3.0-r44048 std (08/02/20) build there was an Unbound update. So far I've noticed that when Unbound restarts it now prints stats to the system log. You can view them whenever you want by running the following on the command line:
Code:
unbound-control stats_noreset
if you add the following to your unbound.conf:
Code:
control-enable: yes
control-use-cert: no
For testing purposes/curiosity, add the following. It creates a log file and shows a lot of information.
Joined: 26 Mar 2013 Posts: 1857 Location: Hung Hom, Hong Kong
Posted: Sun Nov 29, 2020 14:02 Post subject:
BTW, I found Cloudflare's DNS is relatively slower than Google's DNS.
There's sometimes a very short delay when going to some overseas websites from Hong Kong. Local websites are less affected. Cloudflare did connect my router to its HKG DNS servers.
I didn't benchmark them, though, using tracert or other tools...
_________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
Is there a service that Quad9 offers that does not have the blocklist or other security?
The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features. However, we do provide an unsecured service and it can be helpful in determining if there are false positives in the Quad9 threat feed or DNSSEC errors with a specific domain.
Unsecured IP: 9.9.9.10 Provides: No security blocklist, no DNSSEC, No EDNS Client-Subnet sent. Please use the unsecured secondary address of 149.112.112.10
IPv6: 2620:fe::10, 2620:fe::fe:10
Note: We do not recommend mixing the secure and unsecured IP addresses in the same configuration. Your devices will not be protected 100% of the time and it leads to confusion when debugging potential problems.
Posted: Tue Dec 01, 2020 11:06 Post subject:
It seemed that Cloudflare 1.1.1.1 DNSSEC could not handle "use-caps-for-id: yes". This parameter affected the test result in http://1.1.1.1/help, notably the entry "Using DNS over TLS (DoT)"! And that test page might not be valid for other DNSSEC servers (Google, Quad9).
Is there a non-Cloudflare-specific DNSSEC server test page?
Also, I have found another method to run Unbound. So my previous config file might not be simple enough. You don't have to copy/create your own root files and anchors in /jffs/etc/; even the chroot and pid file location might not be necessary.
Posted: Tue Dec 01, 2020 15:30 Post subject:
itwontbewe wrote:
Yeah, speeds will vary for everyone. I would prefer Quad9 but Cloudflare is noticeably faster for me right now.
Tonight, I modified unbound.conf to use Quad 1. Cloudflare HKG's DNSSEC was absolutely slow ... it's peak hour, but it's just not smooth.
I have a conspiracy theory: my browsing habit was too FAST for Cloudflare's intended design (the firewall?). I think Cloudflare thought I was doing DDoS because I went from site to site too fast...
OK, let me remove all that performance tuning stuff in unbound.conf I copied from others' posts.
Update@03 Dec:
Removing the performance tuning stuff didn't solve the problem. It seemed the problem was a result of a port conflict between dnsmasq and unbound. The dnsmasq settings for use with Unbound I copied from some guides were not 100% correct or were incomplete.
Posted: Thu Dec 03, 2020 7:46 Post subject:
One more issue when using Unbound:
If you have:
1. ticked "Ignore WAN DNS" in "WAN Connection Type"
2. un-ticked "Use DNSmasq for DNS"
3. filled in a time server name in Basic-Setup->Time Settings
Then process_monitor has no DNS server to use when setting the initial system time during startup. Unbound will refuse to work (but is still loaded) because of the inaccurate date-time, and hence there is no DNS service for both WAN and LAN.
You need to blank the custom time server name in Basic Setup->Time Settings, so that process_monitor uses its hard-coded NTP server address "212.18.3.19" (which is pool.ntp.org). Once time is set correctly during startup, unbound works. I heard that iOS is also using a hard-coded time server IP address as well!
If you insist on using your own NTP server in Time Settings, insert a local-data record in unbound.conf to resolve that time server name. Alternatively, fill in an IP address instead of a name in Basic Setup->Time Settings so that a DNS server is not needed by process_monitor during startup.
You might ask why I ticked "Ignore WAN DNS" in the first place. Well, that guarantees Unbound is the only DNS server in your LAN.
Lastly, on the user interface:
I don't know whether that Time Settings->"Server IP/Name" field supports IPv6 addresses. Add a special DNS server entry there?
Maybe it's a good idea to only allow IP addresses in that field? Also, should this field in the WEBUI by default display the hard-coded "212.18.3.19"?
Also, should process_monitor auto-magically fall back to its hard-coded NTP server if users fill in wrong values or an unreachable server IP/name there, and log an entry in /var/log/messages?
The IETF has standardized two DNS over secure transport protocols: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). These two protocols have broadly similar security and privacy properties. We chose DoH because we believe it is a better fit for our existing mature browser networking stack (which is focused on HTTP) and provides better support for future protocol features such as HTTP/DNS multiplexing and QUIC.
Posted: Mon Dec 07, 2020 16:10 Post subject:
New unbound.conf, which enables port 853. Spent some time checking settings and their effects.
edited: 09 Dec 2020 - use primary in auth-zone, remove prefetch
edited: 10 Dec 2020 - take out root.hints & performance stuff
edited: 11 Dec 2020 - do-not-query-localhost, private-domain
edited: 06 Jan 2021 - misunderstood "primary" option in auth-zone
edited: 26 Aug 2021 - add option "tsl-upstream: yes" to the "server" section. It's not the same as "ssl-upstream". Bugfix for ports and interfaces:
Code:
#
# source: https://0xcb.dev/unbound-recursive-dns-resolver/
#
# curl -sS -L --compressed "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" > /tmp/blockedhosts
# grep '^0.0.0.0' /tmp/blockedhosts | awk '{print "local-data: \""$2" A 127.0.0.1\""}' > /jffs/etc/blockedhosts.conf
#
# reference: https://calomel.org/unbound_dns.html
#
# /jffs/etc/root.zone came from https://data.iana.org/root-anchors/root-anchors.xml
#
# Trust anchors: https://data.iana.org/root-anchors/
#
# Official root files: https://www.iana.org/domains/root/files
#
# Default ntp server for process_monitor without DNS: 212.18.3.19
#
# Additional options for dnsmasq:
#
# WAN Setup -> Ignore WAN DNS = Yes
# Network Setup -> Local DNS = 192.168.1.1
# Use DNSMasq for DNS = No
# DHCP-Authoritative = Yes
# Recursive DNS Resolving (Unbound) = Yes
#
# Services -> Dnsmasq:
# Query DNS in Strict Order: Disable
# Additional DNSmasq Options:
# cache-size=0
#
# Setup -> Time Settings -> Server IP/Name: blank!
#
# The last setting is important when Unbound is
# the only DNS. It affects process_monitor from
# setting the correct time in order for Unbound
# to work. It forces process_monitor to use
# built-in hard-coded setting to get time even
# when DNS server is not available. Better, fill
# in IP address of preferred NTP server instead of domain name!
#
server:
#
# https://nurdletech.com/linux-notes/dns/unbound.html
#
# enable port 853
#
tls-port: 853
interface: 0.0.0.0@853
interface: 0.0.0.0@53
tls-service-key: "/etc/key.pem"
tls-service-pem: "/etc/cert.pem"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
#
outgoing-port-avoid: 0-32767
do-tcp: yes
do-udp: yes
do-ip4: yes
do-ip6: no
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow # /24 is the LAN; a /8 here would allow all of 192.0.0.0/8
#
username: ""
#
verbosity: 1
log-servfail: yes
log-time-ascii: yes
extended-statistics: yes
logfile: "/var/log/unbound.log"
#
# reference: https://nlnetlabs.nl/documentation/unbound/howto-anchor/
#
# The unbound-anchor tool provides an initial anchor from builtin values,
# but for real trust you should check this thoroughly.
#
auto-trust-anchor-file: "/etc/unbound/root.key"
#
# Since I have auth-zone for ".", no need to use
# root-hints: "/etc/unbound/named.cache"
# And it seemed it's after this way
#
identity: ".."
hide-identity: yes
hide-version: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
#
minimal-responses: yes
qname-minimisation: yes
#
# not that helpful based on unbound stats
# prefetch: yes
# prefetch-key: yes
#
rrset-roundrobin: yes
ssl-upstream: yes
tsl-upstream: yes
#
# following parameter disabled TLS
# use-caps-for-id: yes
#
# Performance tuning:
#
edns-buffer-size: 1472
#
# For use at your discretion:
#
# num-queries-per-thread: 2048
# outgoing-range: 2048
# msg-cache-size: 67108864
# rrset-cache-size: 128525653
#
# num-threads: 1
# msg-cache-slabs: 1
# rrset-cache-slabs: 1
# infra-cache-slabs: 1
# key-cache-slabs: 1
#
private-domain: "my_domain.com"
domain-insecure: "my_domain.com"
#
# do not use the following line
# do-not-query-localhost: no
#
local-zone: "my_domain.com." static
local-data: "router.my_domain.com. IN A 192.168.1.1"
local-data-ptr: "192.168.1.1 router.my_domain.com"
#
# for using custom time server name in Time Settings
# local-data: "time.hko.hk IN A 118.143.17.82"
#
forward-zone:
name: "."
# forward-first: yes
forward-tls-upstream: yes
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 1.1.1.1@853#one.one.one.one
#
# To test setup using Cloudfare's page,
# comment out following non-Cloudfare servers!
#
forward-addr: 8.8.4.4@853#dns.google
forward-addr: 8.8.8.8@853#dns.google
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
#
auth-zone:
name: "."
# https://www.iana.org/domains/root/servers
master: 192.41.0.4
master: 199.9.14.201
master: 192.33.4.12
master: 199.7.91.13
master: 192.203.230.10
master: 192.5.5.241
fallback-enabled: yes
for-downstream: no
for-upstream: yes
#
# zonefile: "root.zone"
# url: "https://www.internic.net/domain/root.zone"
#
auth-zone:
name: "my_domain.com"
for-downstream: yes
for-upstream: yes
#
# unbound-checkconf unbound.conf
# stopservice unbound
# startservice unbound
# ps | grep unbound
#
# To test DNSSEC:
#
# https://1.1.1.1/help
# https://www.cloudflare.com/ssl/encrypted-sni/
# https://dnssec.vs.uni-due.de/
# openssl s_client -connect 1.1.1.1:853
# openssl s_client -connect localhost:853
#
# reference: https://wiki.archlinux.org/index.php/unbound#Setting_up_unbound-control
# reference: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325167
# reference: https://www.saic.it/how-to-install-and-configure-cache-only-dns-server-with-unbound-in-rhel-centos-7/
#
# run unbound-control-setup to generate certs
#
# echo dumping & reloading cache...
# unbound-control dump_cache > $DIR/cache
# echo backing up the dns cache...
# cat cache > $DIR/backup/cache$(date +%Y-%m-%d).bak
# cat $DIR/cache | unbound-control load_cache
#
##!/bin/sh
# mapfile -t NSArray < <(unbound-control dump_cache | grep -P "IN NS" | sed '/NSEC/d')
# for (( i=0; i<${#NSArray[@]}; i++ )); do
# IFS=$' ' read -r zone ttl ignore2 ignore3 nameserver <<< "${NSArray[i]}"
# if [[ $(echo "${zone::-1}" | grep '.') ]]; then
# echo "${nameserver}"
# fi
# done
#
# unbound-control stats | grep total
#
remote-control:
control-interface: 127.0.0.1
control-use-cert: no
control-enable: yes
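Two mistakes that are easy to make in a config like the ones in this thread are an access-control prefix that is wider than the LAN it was meant to describe (writing /8 on a 192.168.x.0 address allows the whole of 192.0.0.0/8) and, from the earlier post on process_monitor, a Time Settings server name that nothing can resolve at boot when Unbound is the only resolver. The following lint script is an added example, not DD-WRT's or Unbound's own code; it parses the server: section with a small hand-written parser (note that '#' is only a comment after whitespace, so the '#auth-name' part of a forward-addr survives), checks each allow rule, checks whether a hypothetical Time Settings value could be resolved at boot, and flags use-caps-for-id together with a TLS upstream, which this thread reports breaks DoT. The sample config is constructed to mirror the shape of the configs posted here.

```python
"""Lint an unbound.conf server: section for problems discussed in this thread.
Added example, not DD-WRT or Unbound code.  SAMPLE_CONF is constructed."""
import ipaddress

SAMPLE_CONF = """\
server:
    verbosity: 1
    interface: 0.0.0.0@53 # listens on every interface, so access-control must be tight
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/8 allow
    access-control: 192.168.123.61/24 allow
    tls-upstream: yes
    use-caps-for-id: yes
    local-data: "router.my_domain.com. IN A 192.168.1.1"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""


def parse_unbound_conf(text):
    """Return {section: [(key, value), ...]}.  A '#' starts a comment only at
    line start or after whitespace, so '1.1.1.1@853#cloudflare-dns.com' is kept
    whole.  Repeated sections (several auth-zone: blocks) are merged, which is
    fine for the server: checks below."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        for i in range(1, len(line)):
            if line[i] == "#" and line[i - 1].isspace():
                line = line[:i].rstrip()
                break
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":                      # 'server:' style section header
            current = key
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append((key, value))
    return sections


def check_access_control(server):
    """Flag allow rules whose prefix length does not fit the address written."""
    findings = []
    for key, value in server:
        if key != "access-control":
            continue
        netspec, _, action = value.partition(" ")
        if action.strip() != "allow":
            continue
        iface = ipaddress.ip_interface(netspec)
        net = iface.network                  # what Unbound actually matches on
        if iface.ip != net.network_address:
            findings.append(f"access-control {netspec}: host bits set, "
                            f"this rule really allows {net}")
        if not net.is_private:
            findings.append(f"access-control {netspec}: {net} is not a private "
                            f"range, open-resolver risk")
    return findings


def check_time_server(server, time_server):
    """time_server is the (hypothetical) Basic Setup -> Time Settings value."""
    if time_server == "":
        return []                # blank: process_monitor uses its built-in IP
    try:
        ipaddress.ip_address(time_server)
        return []                # an IP literal needs no DNS at boot
    except ValueError:
        pass
    local = {v.split()[0].rstrip(".").lower()
             for k, v in server if k == "local-data"}
    if time_server.rstrip(".").lower() in local:
        return []
    return [f"time server {time_server!r} must be resolved at boot but has no "
            f"local-data record; use an IP or add one"]


def check_caps_with_tls(server):
    """This thread reports use-caps-for-id: yes breaking the DoT upstream path."""
    opts = dict(server)          # last value wins, enough for option lookup
    tls = opts.get("tls-upstream", opts.get("ssl-upstream", "no")) == "yes"
    if tls and opts.get("use-caps-for-id") == "yes":
        return ["use-caps-for-id: yes with a TLS upstream; reported in this "
                "thread to disable DoT, drop it"]
    return []


def lint(conf_text, time_server=""):
    server = parse_unbound_conf(conf_text).get("server", [])
    return (check_access_control(server)
            + check_time_server(server, time_server)
            + check_caps_with_tls(server))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, "pool.ntp.org"):
        print("WARN", finding)
```

Run it against your own file with `lint(open("/jffs/etc/unbound.conf").read(), "<your Time Settings value>")`; a clean config returns an empty list. The access-control check uses `ip_interface` rather than `ip_network(strict=True)` on purpose: Unbound accepts `192.168.123.61/24` silently, so the lint reports what the rule really matches instead of rejecting it.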
If you're not using blocking you don't need to create the /jffs/etc/blockedhosts.conf file. If you know which DNS you want to use, you don't need the /jffs/etc/unbound_dns.conf file. I also now create a new directory for unbound.
Code:
cat << EOF > /jffs/etc/unbound.conf
server:
verbosity: 1
num-threads: 2
interface: 127.0.0.1@7053 # i use 0.0.0.0 now
port: 7053
outgoing-range: 950
msg-cache-size: 50m # probably don't need this much
msg-cache-slabs: 1
num-queries-per-thread: 512
rrset-cache-size: 100m # probably don't need this much
rrset-cache-slabs: 1
infra-cache-slabs: 1
access-control: 127.0.0.0/8 allow
access-control: 192.168.123.61/24 allow
chroot: "/jffs/etc"
username: ""
directory: "/jffs/etc"
pidfile: "/var/run/unbound.pid"
root-hints: "/jffs/etc/root.hints"
hide-identity: yes
hide-version: yes
# do-not-query-localhost: no # documentation says this is for testing only
rrset-roundrobin: yes
auto-trust-anchor-file: "/jffs/etc/root.key"
key-cache-slabs: 1
# Adblock
# include: "/jffs/etc/blockedhosts.conf"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
python:
remote-control:
forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com # cloudflare suggests different host names now
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-tls-upstream: yes
# Custom DNS Resolver
# include: "/jffs/etc/unbound_dns.conf"
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone" # i use addresses for this now.
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "root.zone"
EOF
stopservice unbound
startservice unbound
ps | grep unbound
There are different approaches. mwchang has posted a setup, and other users have as well. You just have to make sure you are consistent with directories and so on. I'm not the best at explaining things; hope I helped at least a little.