Show pagesourceOld revisionsBacklinksBack to top × Table of Contents DoT with Unbound Introduction Goals Command-line interface Testing Troubleshooting Extras Web interface DoT provider DNSSEC validation DoT with Unbound This article relies on the following: Accessing OpenWrt CLI Managing configurations Managing packages Managing services Introduction This how-to describes the method for setting up DNS over TLS on OpenWrt. It relies on Unbound for performance and fault tolerance. Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic. Goals Encrypt your DNS traffic improving security and privacy. Prevent DNS leak and DNS hijacking. Bypass regional restrictions using public DNS providers. Escape DNS-based content filters and internet censorship. Command-line interface Disable Dnsmasq DNS role or remove it completely optionally replacing its DHCP role with odhcpd. Install the packages and enable DNS encryption. # Install packages opkg update opkg install unbound-daemon ca-bundle # Enable DNS encryption while uci -q delete unbound.@zone[0]; do :; done uci set unbound.forward="zone" uci set unbound.forward.enabled="1" uci set unbound.forward.fallback="0" uci set unbound.forward.zone_type="forward_zone" uci set unbound.forward.tls_upstream="1" uci set unbound.forward.tls_index="dns.google" uci add_list unbound.forward.zone_name="." uci add_list unbound.forward.server="2001:4860:4860::8888" uci add_list unbound.forward.server="2001:4860:4860::8844" uci add_list unbound.forward.server="8.8.8.8" uci add_list unbound.forward.server="8.8.4.4" uci commit unbound /etc/init.d/unbound restart LAN clients and local system should use Unbound as a primary resolver assuming that Dnsmasq is disabled. Testing Use nslookup to verify that domain name resolution works. nslookup openwrt.org localhost Check your DNS provider. Make sure there is no DNS leak. https://dnsleaktest.com/ Test DNSSEC validation. https://dnssec.vs.uni-due.de/ Troubleshooting Collect and analyze the following information. # Restart services /etc/init.d/log restart; /etc/init.d/unbound restart # Log and status logread -e unbound; netstat -l -n -p | grep -e unbound # Runtime configuration pgrep -f -a unbound head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* # Persistent configuration uci show unbound Extras Web interface Install the necessary packages if you want to manage the settings using web interface. # Install packages opkg update opkg install luci-app-unbound /etc/init.d/rpcd restart Navigate to LuCI → Services → Recursive DNS to configure Unbound. DoT provider Unbound is configured with Google DNS. You can change it to Cloudflare DNS or any other DoT provider including your own DoT server with Nginx. Make sure the resolvers support DNSSEC validation if required. Specify several resolvers to improve fault tolerance. # Configure DoT provider uci set unbound.forward.tls_index="cloudflare-dns.com" uci -q delete unbound.forward.server uci add_list unbound.forward.server="2606:4700:4700::1111" uci add_list unbound.forward.server="2606:4700:4700::1001" uci add_list unbound.forward.server="1.1.1.1" uci add_list unbound.forward.server="1.0.0.1" uci commit unbound /etc/init.d/unbound restart DNSSEC validation Enforce DNSSEC validation if your DNS provider does not support it, or you want to perform the validation yourself. Beware of fault tolerance and performance issues. # Enforce DNSSEC validation uci set unbound.@unbound[0].validator="1" uci commit unbound /etc/init.d/unbound restart This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2021/05/06 08:49by vgaetera