Unbound and IPSET how to setup?

Hi,

Current Unbound in openwrt has IPSET support. But there is not much documentation on how to use it or even make it work.

Does anybody know how to configure ipsets with unbound?

I would like to switch to unbound from dnsmasq, but this got me stumped, as I have multiple ipsets I'm using in dnsmasq. This is the only thing right now stopping me from switching.

Thanks in advance!

IPSET is a legacy iptables extension.
OpenWrt no longer uses iptables and has replaced IPSET in the fw4 package with a rather messy emulation that actually uses nftsets in the background.

If unbound requires genuine iptables ipsets, then it is not really (default) supported by OpenWrt any more and needs to be upgraded to use nftsets directly, in the same way dnsmasq does.


So what you are saying is that current unbound would not work with IPSETs in current OpenWrt?

Is there any other way of doing this with unbound, even through scripting?

You still have the option to build custom image, incl. iptables.
And to get rid of fw4 completely, if you want. Otherwise, iptables and nftables can co-exist, depending upon careful usage, avoiding interference.

My custom build already has iptables and related packages, since I'm also using mwan3. I've got nft2ipset (actually a more streamlined version based on the original script) running for mwan3 as well. This is actually the reason I need ipset to work with unbound, as I have some routing set up for certain domains using ipset, which is working in dnsmasq.

It seems you should then be able to do a special compile of UNBOUND for your image, to directly use ipsets.
May need editing of OpenWrt's Makefile for UNBOUND, though. Use the Makefile from an older OpenWrt as a template, then.
Native ipsets are MUCH faster than nftsets, BTW.

The unbound configuration is described here:

IPSET is already enabled by default. Even if you download the latest apk/opkg from the package snapshot, ipset is already enabled in the build.

And yes, I've checked my build, and IPSET is enabled.

That is for one IPSET only (well, 2 because of the IPv4/IPv6 pairing). I've got at least 4 ipsets (2 IPv4/IPv6 pairs). Is there an example/documentation for multiple ipsets?

No, according to the original PR to unbound, multiple ipsets were never supported.

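To make the "one IPSET only" point above concrete, here is an added example (not code from the thread, nor from the unbound or OpenWrt projects) that renders the unbound.conf fragment for unbound's ipset module plus the matching fw4 set definition. The set names, domains and the unbound_srv.conf/unbound_ext.conf file paths mentioned below are assumptions for illustration; unbound's ipset module itself accepts a single "ipset:" clause with one name-v4/name-v6 pair, and every "local-zone ... ipset" line feeds that same pair.

```sh
#!/bin/sh
# Added example, not from the thread. Renders config text only; nothing here
# touches the running system unless you call show_set_backends on the router.
# Set names, domains and file paths are assumptions for illustration.

# unbound.conf fragment for the ipset module. Exactly one "ipset:" clause is
# allowed, so all listed zones share the same v4/v6 set pair.
unbound_ipset_conf() {
    v4="$1"; v6="$2"; shift 2
    printf 'server:\n'
    # The module must be listed before the iterator to see the answers.
    printf '\tmodule-config: "ipset validator iterator"\n'
    for d in "$@"; do
        # A local-zone of type ipset covers the zone and every name below it,
        # so "example.com" also catches www.example.com etc.
        printf '\tlocal-zone: "%s" ipset\n' "$d"
    done
    printf 'ipset:\n'
    printf '\tname-v4: "%s"\n' "$v4"
    printf '\tname-v6: "%s"\n' "$v6"
}

# fw4 "config ipset" stanza for /etc/config/firewall. fw4 turns this into a
# named nftables set in "table inet fw4", not into a legacy kernel ipset.
fw4_ipset_stanza() {
    printf "config ipset\n\toption name '%s'\n\toption family '%s'\n\tlist match 'dest_ip'\n" "$1" "$2"
}

# Run on the router only (needs nft and ipset binaries): shows whether a set
# name exists as fw4's nftables set, as a legacy ipset (what unbound's
# module writes to via the ipset netlink API), or both.
show_set_backends() {
    nft list set inet fw4 "$1" 2>/dev/null || echo "no nftables set inet fw4 $1"
    ipset list "$1" 2>/dev/null || echo "no legacy ipset $1"
}

# Render a full sample for two zones into one set pair (the constructed input).
render_sample() {
    unbound_ipset_conf unbound_v4 unbound_v6 example.com example.net
    echo
    fw4_ipset_stanza unbound_v4 ipv4
    fw4_ipset_stanza unbound_v6 ipv6
}
```

On OpenWrt the lines under "server:" would go into /etc/unbound/unbound_srv.conf and the "ipset:" clause into /etc/unbound/unbound_ext.conf (assumed include files of the OpenWrt unbound package); check the generated unbound.conf for a module-config line the UCI layer already emits before adding a second one. If show_set_backends reports the nftables set but no legacy ipset, unbound's module has nothing it can write to, which is the situation described in this thread.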

OK, thanks... so it seems I won't be able to switch to unbound anytime soon, as I don't see any track or conversations about nftsets.

Correct.
As @reinerotto says, you can, if you really know what you are doing, revert OpenWrt back to iptables.

Yes, but as I said previously, that is not a real ipset, it is an emulation in fw4 using nftsets.

Dnsmasq in OpenWrt 23.5.0 onwards does not support the real legacy ipsets. To get that you would have to compile it yourself with the option set.


I think dnsmasq still calls it IPSET in the config but actually it's already using NFTSET in the background.

Anyway, staying with dnsmasq outweighs the need to switch to legacy iptables just to make unbound work. Looks like I will stay with dnsmasq until such time as unbound can work with nft sets.

Why should a DNS resolver handle nftables sets? Why did you use dnsmasq with these kinds of sets? What's so special that fw4 can't handle this directly?

I've got two requirements, the first one is domain based filtering, something like this: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset

I know banip has this feature (which I'm using already), but there are certain domains that I want blocked for specific MAC addresses only (not the whole network). And some of the domains are only accessible at certain times of the day. Although this is just my secondary requirement.

Second (primary requirement) is domain-based routing in mwan3 using ipsets. I've got some domains I need routed to a VPN (which should include all subdomains). And another set of domains routing to my secondary WAN.
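As an added example of the multi-set arrangement the poster describes (this is not code from the thread, from dnsmasq or from OpenWrt), the script below renders, from two constructed domain groups, the dnsmasq nftset lines that put each group into its own fw4 set pair, the fw4 set definitions, and an mwan3 rule that matches one pair. Domain names, set names, the "vpn_only" policy name and the file paths in the note are assumptions; the nftset line format follows dnsmasq's documented "/domain.../family#table-family#table#set" syntax, which matches the listed domains and all their subdomains.

```sh
#!/bin/sh
# Added example, not from the thread. Pure text rendering; nothing is applied.
# Domains, set names and policy names are constructed sample values.

# Constructed sample groups: which domains should go to which set pair.
VPN_DOMAINS="example.com example.net"
WAN2_DOMAINS="example.org"

# One dnsmasq "nftset=" line per group. dnsmasq matches each listed domain
# and everything below it; A records land in <name>_v4, AAAA in <name>_v6,
# both in "table inet fw4" where fw4 keeps its sets. Unlike unbound's single
# ipset: clause, each line can name a different set pair.
dnsmasq_nftset_line() {
    name="$1"; shift
    domains=""
    for d in "$@"; do
        domains="${domains}/${d}"
    done
    printf 'nftset=%s/4#inet#fw4#%s_v4,6#inet#fw4#%s_v6\n' "$domains" "$name" "$name"
}

# fw4 set pair for a group, for /etc/config/firewall. fw4 creates these as
# nftables sets; no legacy ipset of the same name appears.
fw4_set_pair() {
    printf "config ipset\n\toption name '%s_v4'\n\toption family 'ipv4'\n\tlist match 'dest_ip'\n\n" "$1"
    printf "config ipset\n\toption name '%s_v6'\n\toption family 'ipv6'\n\tlist match 'dest_ip'\n\n" "$1"
}

# mwan3 rule for /etc/config/mwan3: route traffic to the addresses in an
# ipset through a policy. mwan3 matches with iptables "-m set", so the set
# must also exist as a legacy ipset; on an nftables-only OpenWrt that is
# what a bridge such as the poster's nft2ipset script provides.
mwan3_rule() {
    printf "config rule '%s'\n\toption ipset '%s'\n\toption use_policy '%s'\n" "$1" "$2" "$3"
}

# Render everything for the two constructed groups.
render_all() {
    # shellcheck disable=SC2086  (word splitting of the domain lists is intended)
    dnsmasq_nftset_line vpn $VPN_DOMAINS
    dnsmasq_nftset_line wan2 $WAN2_DOMAINS
    echo
    fw4_set_pair vpn
    fw4_set_pair wan2
    mwan3_rule vpn_v4 vpn_v4 vpn_only
}
```

The nftset lines would go into a dnsmasq include such as /etc/dnsmasq.conf (assumed) and need a dnsmasq build with nftset support, which on OpenWrt is the dnsmasq-full package rather than the default one. The filter use case from the earlier post works the same way: a set per domain group, then a firewall rule that matches that set together with the source MAC addresses or the time window, rather than blocking the domain for the whole network.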