Does unbound 1.13.2-2 in OpenWrt 21.02 support ipset? bogus-nxdomain support?

Does unbound 1.13.2-2 in OpenWrt 21.02 support ipset? According to this: https://fossies.org/linux/unbound/doc/README.ipset.md there is a module for ipset. Is this module included in OpenWrt 21.02?

Since there is no UCI option in /etc/config/unbound, how do I activate it?

Yes, it does support ipsets.

Is there a special switch to activate it? Or do I just use it like this (added to /etc/unbound/unbound_srv.conf)?

# unbound.conf
server:
  ...
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "instagram.com" ipset
  # ... more social websites

ipset:
  name-v4: "blacklist"
  name-v6: "blacklist6"

By the way, my lan field contains nothing; is that correct?

Nothing is required to activate it, but if you are using the package, have a look at the file /etc/unbound/unbound.conf:

[...]
        # local-zone: "b.e.f.ip6.arpa." nodefault
        # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
        # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.

        # Add example.com into ipset
        # local-zone: "example.com" ipset

        # If unbound is running service for the local host then it is useful
        # to perform lan-wide lookups to the upstream, and unblock the
        # long list of local-zones above.  If this unbound is a dns server
[...]
#     redis-timeout: 100
#     # set timeout on redis records based on DNS response TTL
#     redis-expire-records: no

# IPSet
# Add specify domain into set via ipset.
# Note: To enable ipset unbound needs to run as root user.
# ipset:
#     # set name for ip v4 addresses
#     name-v4: "list-v4"
#     # set name for ip v6 addresses
#     name-v6: "list-v6"
#

# Dnstap logging support, if compiled in.  To enable, set the dnstap-enable
# to yes and also some of dnstap-log-..-messages to yes.  And select an
# upstream log destination, by socket path, TCP or TLS destination.
[...]

You have everything ready to use in there. :wink: In any case, this is very limited: only one list for IPv4 and another one for IPv6.

Thanks. Do you know how to set bogus-nxdomain in unbound? And did you notice the picture? My lan contains nothing; is it correct?

Your empty lan field is correct. Mine looks like that too.

Regarding a bogus NXDOMAIN, it's easy: define static local zones, e.g.,

local-zone: "domain-to-block.com" static

This will try a match from local-data; if you don't have a local-data entry, the query will be answered with NODATA or NXDOMAIN (which one I'm not sure, just check the unbound docs).

However, if you plan to use your ipsets to drop connections, you need to couple them with a firewall rule; by design the intention is to use them to block access, not to reply with an NXDOMAIN.

Can I ask what you want to do?
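A worked version of the two mechanisms discussed in this thread (ipset-backed local zones and static local zones for an NXDOMAIN answer), as an added example and not code from any post above. It is a POSIX sh script that generates an unbound configuration fragment; the domain lists and the set names vpn4/vpn6 are constructed, and the module-config line comes from the upstream README.ipset.md linked in the question.

```shell
#!/bin/sh
# Added example, not from the thread: generate an unbound configuration
# fragment that puts the resolved addresses of some domains into ipsets
# (for policy routing / "split VPN") and answers others with NXDOMAIN via
# static local-zones. Domain lists and set names (vpn4/vpn6) are constructed.

# Constructed sample lists (space separated).
IPSET_DOMAINS="facebook.com twitter.com instagram.com"
BLOCK_DOMAINS="ads.example.net tracker.example.org"

# Print one local-zone line per domain with the given action (ipset|static).
emit_local_zones() {
  action="$1"; shift
  for d in "$@"; do
    printf '  local-zone: "%s" %s\n' "$d" "$action"
  done
}

# Build the whole fragment. Per upstream README.ipset.md the ipset module must
# be listed in module-config, and the thread notes unbound must run as root.
build_unbound_fragment() {
  v4set="$1"; v6set="$2"
  printf 'server:\n'
  printf '  module-config: "ipset validator iterator"\n'
  # shellcheck disable=SC2086  # word splitting on the lists is intended
  emit_local_zones ipset $IPSET_DOMAINS
  # static: answered from local-data if present, otherwise NODATA/NXDOMAIN
  emit_local_zones static $BLOCK_DOMAINS
  printf '\nipset:\n  name-v4: "%s"\n  name-v6: "%s"\n' "$v4set" "$v6set"
}

# Count how many local-zone lines of a given action the fragment contains,
# a cheap sanity check before running unbound-checkconf on the result.
count_zones() {
  build_unbound_fragment "$1" "$2" | grep -c "local-zone: .* $3\$"
}

build_unbound_fragment vpn4 vpn6
```

Pipe the output into a file and run `unbound-checkconf` on the resulting configuration before reloading; the ipsets named in the `ipset:` clause must already exist in the kernel for unbound to add entries to them.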

NXDOMAIN is to fight DNS pollution and ads by the ISP: the ISP blocks some websites by returning some IPs faster, and even resolves a non-existent website to an ad. So I hope to NXDOMAIN these IPs.

For ipset, I hope to use ip rule to split the VPN, to fight with the firewall.

Okay, I think you are a great candidate for the banip and adblock packages. The adblock package works fine with Unbound. You can still use your ipset for your other matter.

On the other hand, I consider that the firewall always returns such fake IPs before the real IP has arrived, so I can NXDOMAIN these IPs to wait until the real IPs arrive. I don't know whether it is feasible. The main target is the firewall.

Sorry, I'm confused, I don't know what you mean.

The firewall blocks some websites by returning some fake IPs, because the fake reply is received earlier than the real reply (DNS hijacking). I hope to filter these fake replies and wait for the real DNS reply.

So essentially what you want to do is ad blocking combined with Unbound recursive DNS. To my understanding of what you want to achieve, you will need:

  1. Unbound recursive resolving the address name to a valid IP effectively ignoring your ISP DNS ad-ridden name server.
  2. adblock package blocking any request to known ad servers.
  3. A firewall rule dropping/rejecting any request to other DNS servers on port 53 or 853.
  4. A banip DoH server list to ensure no other request goes through to a DNS-over-HTTP server from your LAN.

That will get rid of your ISP name server and almost any other ads in your network.

Yes, the adblock and unbound packages work quite well together. You may be experiencing ISP DNS hijacking. DNSSEC protects few sites, so spoofing recursive UDP responses is trivial. The way to thwart this is DNS over TLS (DoT). Instructions are with the unbound package README in OpenWrt/packages. Some servers are almost ready-configured by default (1.1.1.1) and just disabled. The web interface luci-app-unbound can make this easier too.

Yes, the ipset module is built in, but no automatic UCI is created for it. This is a power feature that many will use differently. I can't think of a single solution to put in a tight box right now.