Unbound configure for quad9

The link you were given earlier in this thread plus https://openwrt.org/docs/guide-user/network/routing/pbr.

It appears as though every time I install Unbound / attempt to use Unbound it breaks the router's ability to do connections through LuCI. I have installed the LuCI Unbound app, but now I can't connect to the router from the internet; it's just not showing up as able to be connected to now.

Getting this error when I try to install Unbound onto a freshly reset router on

OpenWrt One
firmware 24.10.5

We will not help you intentionally open security holes.

My apologies, I do not understand what you mean; could you explain?

You say you want to connect to the router from the whole internet.

I still don't understand :slight_smile:

Your router is prone to cyber attack.

By that I meant the LuCI GUI was not working / I was unable to connect to the router through my internet browser (192.168.1.1).
Now I just have the errors on my router that I posted before the last 3 or so posts.

The errors in the config when trying to download Unbound onto a freshly reset OpenWrt One.

Does anyone have any ideas why I'm getting errors when fully resetting my router and then trying to install Unbound?

(the configuration errors)

It seems like your situation is made worse by the fact that you have too many variables at play (threads about unbound, wireguard, resetting multiple times along the way, etc). I would highly recommend working on one issue at a time. Do not attempt to layer things on top of each other until you have verified the first is working exactly as expected. Then backup your config so you can get back to a known good state if things go south.

So… select one (and only one) of your threads and work it to a solution. Stop all other threads until that is done. Then move on to the second and so on.

Currently I am working on just WireGuard, but I am also wondering what I can do about the Unbound error.

Not that I'm necessarily going to work on it right now; I was intending to work on it after / if I could get WireGuard to work.

Also, hopefully this is on topic though.

The original “errors” about “default … configuration” were not errors, but messages from the initial setup of the unbound package. They could have been ignored. If you uninstalled because of those errors, that removal likely created the additional errors about missing files.

Yes, that makes sense. I understand now that uninstalling isn't a great idea, but do you know why it says errors then if it's not an error?

What is it actually / what do they mean?
(hopefully this is on topic enough)

Quite a few notifications in OpenWrt are simply labelled 'error' (feel free to search for topics on this).

The messages accompanying the notifications are generally self-explanatory (i.e., no need to inquire).

To be clear, it means (again):

Basically.

(Since it's been mentioned already, it's difficult to follow your threads when you change topics or make the same inquiry multiple times.)

If you still need to know what 'default configuration' means, feel free to ask.

The Unbound script simultaneously logs those messages to the system log and the stderr output using the logger -s syntax.

config unbound 'ub_main'
	option dhcp_link 'dnsmasq'
	option exclude_ipv6_ga '0'
	option dns64 '0'
	option domain 'lan'
	option edns_size '1232'
	option extended_stats '0'
	option hide_binddata '1'
	option interface_auto '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'mixed'
	option rate_limit '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option ttl_neg_max '1000'
	option unbound_control '2'
	option validator '0'
	option verbosity '1'
	list iface_wan 'wan'
	option enabled '1'
	option iface_lan 'lan'
	list iface_trig 'lan'
	list iface_trig 'wan'

config zone 'auth_icann'
	option enabled '0'
	option fallback '1'
	option url_dir 'https://www.internic.net/domain/'
	option zone_type 'auth_zone'
	list server 'lax.xfr.dns.icann.org'
	list server 'iad.xfr.dns.icann.org'
	list zone_name '.'
	list zone_name 'arpa.'
	list zone_name 'in-addr.arpa.'
	list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
	option enabled '0'
	option fallback '1'
	option resolv_conf '1'
	option zone_type 'forward_zone'
	list zone_name 'isp-bill.example.com.'
	list zone_name 'isp-mail.example.net.'

config zone
	option enabled '1'
	option fallback '0'
	option zone_type 'forward_zone'
	list zone_name '.'
	list server '9.9.9.9'
	list server '149.112.112.112'
	list server '2620:fe::fe'
	list server '2620:fe::9'
	option tls_upstream '1'
	option tls_index 'tls://dns.quad9.net'

OK, I've gotten WireGuard working and got a basic backup saved. Now trying to fiddle with Unbound again; how does this config look?

It doesn't appear to be working when I do

nslookup on.quad9.net

This should be simply:

option tls_index 'dns.quad9.net'

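
Putting that correction into practice, as an added example that is not from this thread or from the OpenWrt unbound package: a shell script with a uci batch for a named Quad9 DNS-over-TLS forward zone and a checker to run against /var/lib/unbound/unbound.conf after the restart. The checker fails when the Quad9 addresses end up as "master:" lines of an auth-zone (as in the posted file), when there is no forward-zone for ".", when forward-tls-upstream is not "yes", or when the auth name after "#" carries a scheme such as "tls://". Names such as apply_quad9_uci, check_quad9_forward and the section name fwd_quad9 are mine; the UCI option names (zone_type, zone_name, server, tls_upstream, tls_index) are taken from the posted config and assumed to be what the package reads on this release; the "forward-addr: ip@853#hostname" layout of the generated file is an assumption, and the sample conf files in the block are constructed, not router output.

```shell
#!/bin/sh
# Added example for this thread; not code from the OpenWrt unbound package.
# Assumptions (check the package README on your release):
#  - UCI options zone_type/zone_name/server/tls_upstream/tls_index, as in
#    the posted /etc/config/unbound, are what the package reads;
#  - the generated unbound.conf renders a TLS forward zone as
#    "forward-addr: <ip>@853#<authname>" plus "forward-tls-upstream: yes".
# The sample conf files written below are constructed, not real router output.

# Named Quad9 DoT forward zone. Run on the router only.
# tls_index is a bare hostname: it becomes the TLS auth name after '#', and a
# "tls://" prefix there cannot match the certificate checked via tls-cert-bundle.
# fallback '0': no fallback to plain recursion, so a broken TLS path fails
# closed instead of silently sending queries in the clear.
apply_quad9_uci() {
    uci -q delete unbound.fwd_quad9 || true    # make re-runs idempotent
    uci batch <<'EOF'
set unbound.fwd_quad9=zone
set unbound.fwd_quad9.enabled='1'
set unbound.fwd_quad9.fallback='0'
set unbound.fwd_quad9.zone_type='forward_zone'
set unbound.fwd_quad9.tls_upstream='1'
set unbound.fwd_quad9.tls_index='dns.quad9.net'
add_list unbound.fwd_quad9.zone_name='.'
add_list unbound.fwd_quad9.server='9.9.9.9'
add_list unbound.fwd_quad9.server='149.112.112.112'
add_list unbound.fwd_quad9.server='2620:fe::fe'
add_list unbound.fwd_quad9.server='2620:fe::9'
commit unbound
EOF
    /etc/init.d/unbound restart
}

# Verify a generated unbound.conf. Returns 1 with a FAIL reason on stdout when
# Quad9 is listed as an auth-zone master, no forward-zone for "." exists, TLS
# is off, or a forward-addr is not of the form ip@853#hostname.
check_quad9_forward() {
    awk '
      /^[a-z-]+:$/ { block = $1 }                # server:, forward-zone:, auth-zone:
      block == "forward-zone:" && $1 == "name:" { fwd_name = $2 }
      block == "forward-zone:" && $1 == "forward-tls-upstream:" && $2 == "yes" { tls = 1 }
      block == "forward-zone:" && $1 == "forward-addr:" {
          n++
          if ($2 !~ /^[^@#]+@853#[A-Za-z0-9.-]+$/) bad = bad " " $2
      }
      block == "auth-zone:" && $1 == "master:" &&
          ($2 == "9.9.9.9" || $2 == "149.112.112.112") { wrong = 1 }
      END {
          if (wrong) { print "FAIL: Quad9 listed as auth-zone master, not forward-addr"; exit 1 }
          if (fwd_name != "." && fwd_name != "\".\"") { print "FAIL: no forward-zone for ."; exit 1 }
          if (!tls) { print "FAIL: forward-tls-upstream is not yes"; exit 1 }
          if (n == 0) { print "FAIL: forward-zone has no forward-addr"; exit 1 }
          if (bad != "") { print "FAIL: bad forward-addr (need ip@853#hostname):" bad; exit 1 }
          print "OK: TLS forward-zone for . with " n " upstreams"
      }' "$1"
}

# Constructed samples: one modelled on the auth-zone mistake in the posted
# unbound.conf, one with the forward-zone the corrected UCI should produce.
write_samples() {
    cat > "$1" <<'EOF'
server:
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
auth-zone:
  name: .
  master: 9.9.9.9
  master: 149.112.112.112
  for-upstream: yes
  zonefile: root.zone
EOF
    cat > "$2" <<'EOF'
server:
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
  name: .
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net
  forward-tls-upstream: yes
EOF
}

# Offline self-check: 0 only if the broken sample and a "tls://" auth name
# (the typo from the thread) are rejected and the good sample is accepted.
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d/bad.conf" "$d/good.conf"
    sed 's|#dns\.quad9\.net|#tls://dns.quad9.net|' "$d/good.conf" > "$d/scheme.conf"
    rc=0
    check_quad9_forward "$d/bad.conf"    && rc=1
    check_quad9_forward "$d/good.conf"   || rc=1
    check_quad9_forward "$d/scheme.conf" && rc=1
    rm -rf "$d"
    return $rc
}

# On the router: apply_quad9_uci && check_quad9_forward /var/lib/unbound/unbound.conf
```

Run demo locally to see the three verdicts; on the router, run the checker against the real generated file after the restart, then confirm with the nslookup from the post above. The uci batch is only meaningful on OpenWrt and is not exercised by demo.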
# /var/lib/unbound/unbound.conf generated by UCI
# /var/lib/unbound/server.conf.tmp generated by UCI
server:
  username: unbound
  chroot: /var/lib/unbound
  directory: /var/lib/unbound
  pidfile: /var/run/unbound.pid
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

  num-threads: 1
  msg-cache-slabs: 1
  rrset-cache-slabs: 1
  infra-cache-slabs: 1
  key-cache-slabs: 1
  ratelimit-slabs: 1
  ip-ratelimit-slabs: 1

  use-syslog: yes
  statistics-interval: 0
  statistics-cumulative: no
  verbosity: 1
  extended-statistics: no

  interface-automatic: yes
  do-not-query-localhost: no
  edns-buffer-size: 1232
  port: 53
  outgoing-port-permit: 10240-65535
  do-ip4: yes
  do-ip6: yes

  module-config: "respip iterator"

  cache-min-ttl: 120
  cache-max-ttl: 72000
  cache-max-negative-ttl: 1000
  val-bogus-ttl: 300
  infra-host-ttl: 900

  hide-identity: yes
  hide-version: yes

  private-address: 10.0.0.0/8
  private-address: 100.64.0.0/10
  private-address: 169.254.0.0/16
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: fc00::/7
  private-address: fe80::/10

  access-control: 10.70.114.5/32 allow
  access-control: fc00:bbbb:bbbb:bb01::7:7204/128 allow
  access-control: 192.168.1.1/24 allow
  access-control: fd5b:3471:deac::1/60 allow
  access-control: 192.168.1.1/24 allow
  access-control: fd5b:3471:deac::1/60 allow
  access-control: 127.0.0.0/8 allow
  access-control: ::1/128 allow
  access-control: fe80::/10 allow

# /var/lib/unbound/host.conf.tmp generated by UCI
include: /var/lib/unbound/adb_list.*

include: /var/lib/unbound/unbound_srv.conf

# /var/lib/unbound/zone.conf.tmp generated by UCI
 # Special zone  was not enabled or had UCI conflicts.

 # Special zone  was not enabled or had UCI conflicts.

auth-zone:
  name: .
  master: 9.9.9.9
  master: 149.112.112.112
  master: 2620:fe::fe
  fallback-enabled: yes
  for-downstream: no
  for-upstream: yes
  zonefile: root.zone

# /var/lib/unbound/ctrl.conf.tmp generated by UCI
include: /var/lib/unbound/unbound_ext.conf


That still didn't seem to work. How does this look? This is my "show:unbound" folder in the files of Unbound in the LuCI GUI.

This looks like a hot mess. Post the cat /etc/config/unbound and /var/lib/unbound/unbound.conf at the same time to make sure they’re in sync in this thread.

You don’t really need Unbound if you just intend to forward everything to Quad9. You could just use dnsmasq with stubby or https-dns-proxy if you insist on encrypted DNS.