OpenWrt Project

User Tools

Site Tools

You are here: Welcome to the OpenWrt Project » Documentation » User guide » Additional Services » DNS (aka Domain Name System) » DNS over TLS with Unbound
en
 ?

Sidebar

docs:guide-user:services:dns:dot_unbound

Table of Contents

DNS over TLS with Unbound

This article relies on the following:

Introduction

  • This how-to describes the method for setting up DNS over TLS on OpenWrt.
  • It relies on Unbound for performance and fault tolerance.
  • Follow DNS encryption for alternative methods or use VPN to protect all traffic.

Goals

  • Encrypt your DNS traffic improving security and privacy.
    • Prevent DNS leak and DNS hijacking.
  • Bypass regional restrictions using public DNS providers.
    • Escape DNS-based content filters and internet censorship.

Instructions

Disable Dnsmasq DNS role or remove it completely optionally replacing its DHCP role with odhcpd.

Install the packages and configure DNS encryption. 

# Install packages
opkg update
opkg install unbound-daemon
 
# Enable DNS encryption
while uci -q delete unbound.@zone[0]; do :; done
uci set unbound.forward="zone"
uci set unbound.forward.enabled="1"
uci set unbound.forward.fallback="0"
uci set unbound.forward.zone_type="forward_zone"
uci set unbound.forward.tls_upstream="1"
uci set unbound.forward.tls_index="dns.google"
uci add_list unbound.forward.zone_name="."
uci add_list unbound.forward.server="2001:4860:4860::8888"
uci add_list unbound.forward.server="2001:4860:4860::8844"
uci add_list unbound.forward.server="8.8.8.8"
uci add_list unbound.forward.server="8.8.4.4"
uci commit unbound
/etc/init.d/unbound restart

LAN clients and local system should use Unbound as a primary resolver assuming that Dnsmasq is disabled.

Testing

Verify that domain name resolution works. 

nslookup openwrt.org localhost

Check your DNS provider. Make sure there is no DNS leak.

Test DNSSEC validation.

Troubleshooting

Collect and analyze the following information. 

# Restart the services
/etc/init.d/log restart; /etc/init.d/unbound restart
 
# Log and status
logread -e unbound; netstat -l -n -p | grep -e unbound
 
# Runtime configuration
pgrep -f -a unbound
 
# Persistent configuration
uci show unbound

Extras

Web interface

Install the necessary packages if you want to manage the settings via web interface. 

# Install packages
opkg update
opkg install luci-app-unbound

Navigate to LuCI → Services → Recursive DNS to configure Unbound.

DoT provider

Unbound is configured with Google DNS. You can change it Cloudflare DNS or any other DoT provider. Make sure the provider supports DNSSEC validation if required. Specify several servers to improve fault tolerance. 

# Configure DoT provider
uci set unbound.forward.tls_index="cloudflare-dns.com"
uci -q delete unbound.forward.server
uci add_list unbound.forward.server="2606:4700:4700::1111"
uci add_list unbound.forward.server="2606:4700:4700::1001"
uci add_list unbound.forward.server="1.1.1.1"
uci add_list unbound.forward.server="1.0.0.1"
uci commit unbound
/etc/init.d/unbound restart

DNSSEC validation

Enforce DNSSEC validation if your DNS provider does not support it, or you want to perform the validation yourself. Beware of performance issues. 

# Enforce DNSSEC validation
uci set unbound.@unbound[0].validator="1"
uci commit unbound
/etc/init.d/unbound restart
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/services/dns/dot_unbound.txt · Last modified: 2020/06/16 14:01 by vgaetera

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki