This article relies on the following:
Disable Dnsmasq DNS role or remove it completely optionally replacing its DHCP role with odhcpd.
Use Unbound to encrypt both LAN client and local system DNS traffic.
```sh
# Install packages
opkg update
opkg install unbound ca-bundle

# Enable DNS encryption
# The sed call drops every non-comment line, so the fragment below replaces any previous DoT setup
sed -i -e "/^[^#]/d" /etc/unbound/unbound_ext.conf
cat << EOF >> /etc/unbound/unbound_ext.conf
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 2001:4860:4860::8888@853#dns.google
  forward-addr: 2001:4860:4860::8844@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 8.8.4.4@853#dns.google
EOF
/etc/init.d/unbound restart
```
Verify that domain name resolution works.
```sh
nslookup openwrt.org localhost
```
Check your DNS provider. Make sure there is no DNS leak.
Test DNSSEC validation.
Collect and analyze the following information.
```sh
# Restart the services
/etc/init.d/log restart; /etc/init.d/unbound restart

# Log and status
logread -e unbound; netstat -l -n -p | grep -e unbound

# Runtime configuration
pgrep -f -a unbound

# Persistent configuration
uci show unbound
grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf
```
Install the necessary packages if you want to manage the settings via web interface.
```sh
# Install packages
opkg update
opkg install luci-app-unbound
```
Navigate to LuCI → Services → Recursive DNS to configure Unbound.
The configuration above forwards to Google DNS. You can change it to another DoT provider. Keep the `@853#hostname` form for every forward-addr: the port selects DoT and the name after `#` is what Unbound checks the server certificate against, so an entry without it is encrypted but not authenticated. If you rely on the provider for DNSSEC, make sure the selected provider performs validation. Specify several servers to improve fault tolerance.
```sh
# Configure DoT provider
sed -i -e "/^[^#]/d" /etc/unbound/unbound_ext.conf
cat << EOF >> /etc/unbound/unbound_ext.conf
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
/etc/init.d/unbound restart
```
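The following audit script is an added example, not part of the OpenWrt wiki page or the Unbound project. It reads an `unbound_ext.conf` fragment like the ones above and reports the settings that turn DoT from "encrypted" into "encrypted and authenticated": `forward-tls-upstream: yes`, a `tls-cert-bundle`, an `@853#name` on every forward-addr, and more than one upstream. The two sample fragments it writes to temporary files are constructed for the demo; the function and file names are the example's own.

```sh
#!/bin/sh
# Added example: audit a DoT forward-zone fragment for Unbound.
# Not from the OpenWrt wiki; sample configs below are constructed for this demo.

# audit_dot_conf FILE
# Prints one finding per line; returns 0 when nothing is wrong.
audit_dot_conf() {
    f="$1"
    rc=0
    # Same view of the file that the article's "grep -v" gives: no comments, no blanks.
    conf=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true)

    printf '%s\n' "$conf" | grep -q 'forward-tls-upstream:[[:space:]]*yes' || {
        echo "forward-tls-upstream is not yes: upstream queries leave in cleartext"; rc=1; }

    printf '%s\n' "$conf" | grep -q 'tls-cert-bundle:' || {
        echo "no tls-cert-bundle: server certificates cannot be verified"; rc=1; }

    n=0
    for addr in $(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p'); do
        n=$((n + 1))
        case "$addr" in
            *@853#?*) ;;   # DoT port plus an auth name: certificate hostname is checked
            *@853)    echo "$addr: no #name after the port, certificate hostname is not checked"; rc=1 ;;
            *)        echo "$addr: not on port 853 (forward-addr defaults to 53), TLS will not work"; rc=1 ;;
        esac
    done
    [ "$n" -ge 2 ] || { echo "only $n forward-addr entries: no failover if the upstream is down"; rc=1; }
    return $rc
}

# make_sample good|bad
# Writes a constructed fragment to a temp file and prints its path.
make_sample() {
    t=$(mktemp)
    if [ "$1" = "good" ]; then
        cat > "$t" << 'EOF'
# Cloudflare DoT, as in the article
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
    else
        cat > "$t" << 'EOF'
# Looks like DoT but is neither encrypted nor authenticated
forward-zone:
  name: "."
  forward-tls-upstream: no
  forward-addr: 1.1.1.1@853
EOF
    fi
    echo "$t"
}

# count_findings FILE: number of lines audit_dot_conf reports for FILE.
count_findings() {
    audit_dot_conf "$1" | wc -l | tr -d ' '
}

# Demo run: the good fragment is silent, the bad one lists four problems.
good=$(make_sample good); bad=$(make_sample bad)
if audit_dot_conf "$good"; then echo "good sample: OK"; fi
if audit_dot_conf "$bad"; then echo "bad sample unexpectedly passed"; fi
rm -f "$good" "$bad"
```

Run it on the router against `/etc/unbound/unbound_ext.conf` after each provider change; it only reads the file and never touches the live Unbound configuration.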
Enforce DNSSEC validation if your DNS provider does not support it, or if you prefer not to trust the forwarder's `ad` bit and want to perform the validation yourself. Beware of performance issues: validation adds extra queries and CPU work on the router.
```sh
# Enforce DNSSEC validation
uci set unbound.@unbound[0].validator="1"
uci commit unbound
/etc/init.d/unbound restart
```
The local system uses Unbound as its primary resolver, assuming that Dnsmasq is disabled. This creates a chicken-and-egg problem: DNSSEC and TLS certificate checks need a correct clock, but NTP needs DNS to resolve its time servers. Unbound on OpenWrt provides a built-in workaround, deferring validation until the system time has been synchronized, so no additional action is required by default.