DoT with Unbound

  • This how-to describes the method for setting up DNS over TLS on OpenWrt.
  • It relies on Unbound for performance and fault tolerance.
  • Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic.
  • Encrypt your DNS traffic improving security and privacy.
    • Prevent DNS leaks and DNS hijacking.
  • Bypass regional restrictions using public DNS providers.
    • Escape DNS-based content filters and internet censorship.

Disable Dnsmasq DNS role or remove it completely optionally replacing its DHCP role with odhcpd.

Install the required packages. Enable DNS encryption.

# Install packages
opkg update
opkg install unbound-daemon
# Enable DNS encryption
uci set unbound.fwd_google.enabled="1"
uci set unbound.fwd_google.fallback="0"
uci commit unbound
service unbound restart

LAN clients and local system should use Unbound as a primary resolver assuming that Dnsmasq is disabled.

Verify domain name resolution with nslookup.

nslookup localhost

Check your DNS provider and test DNSSEC validation.

Collect and analyze the following information.

# Restart services
service log restart; service unbound restart
# Log and status
logread -e unbound; netstat -l -n -p | grep -e unbound
# Runtime configuration
pgrep -f -a unbound
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
# Persistent configuration
uci show unbound

If you want to manage the settings using web interface. Install the necessary packages.

# Install packages
opkg update
opkg install luci-app-unbound
service rpcd restart

Navigate to LuCI → Services → Recursive DNS to configure Unbound.

Unbound is configured with Google DNS. You can change it to Cloudflare DNS or any other DoT provider including your own DoT server with Nginx. Use resolvers supporting DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance.

Change to Cloudflare DNS

# Configure DoT provider
uci set unbound.fwd_google.enabled="0"
uci set unbound.fwd_cloudflare.enabled="1"
uci set unbound.fwd_cloudflare.fallback="0"
uci commit unbound
service unbound restart

Change to other DoT provider

# Configure DoT provider (example: "Cloudflare Family Protection")
uci set unbound.fwd_google.enabled="0"
uci set unbound.fwd_cloudflare.enabled="0"
while uci -q delete unbound.@zone[4]; do :; done
uci add unbound zone
uci set unbound.@zone[-1].enabled="1"
uci set unbound.@zone[-1].fallback="0"
uci set unbound.@zone[-1].zone_type="forward_zone"
uci add_list unbound.@zone[-1].zone_name="."
uci set unbound.@zone[-1].tls_upstream="1"
uci set unbound.@zone[-1].tls_index=""
uci add_list unbound.@zone[-1].server=""
uci add_list unbound.@zone[-1].server=""
uci add_list unbound.@zone[-1].server="2606:4700:4700::1113"
uci add_list unbound.@zone[-1].server="2606:4700:4700::1003"
uci commit unbound
service unbound restart

Enforce DNSSEC validation if your DNS provider does not support it, or you want to perform the validation yourself. Beware of fault tolerance and performance issues.

# Enforce DNSSEC validation
uci set unbound.@unbound[0].validator="1"
uci commit unbound
service unbound restart
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/10/14 05:26
  • by vgaetera