
DNS over TLS via Unbound

Introduction

  • This guide describes how to configure OpenWrt to protect your DNS traffic.
  • It utilizes DNS over TLS to provide DNS encryption.
  • DNS encryption covers only DNS traffic; use a VPN to protect all traffic.

Goals

  • Encrypt your DNS traffic, improving security and privacy.
    • Prevent DNS leak and DNS hijacking.
  • Bypass regional restrictions using public DNS providers.
    • Escape DNS-based content filters and internet censorship.

Instructions

This method utilizes DoT via Unbound and focuses on performance and fault tolerance.

Encrypt both LAN client and local system DNS traffic. Disable the DNS role of Dnsmasq or remove it completely, optionally replacing its DHCP role with odhcpd.

Use Unbound to encrypt DNS traffic. Exempt the NTP provider from DNS encryption to avoid a deadlock when the system time is not synchronized: validating the upstream TLS certificate needs a correct clock, and setting the clock needs to resolve the NTP pool name first.

# Install packages
opkg update
opkg install unbound ca-bundle
 
# Enable DNS encryption
sed -i -e "/^[^#]/d" /etc/unbound/unbound_ext.conf
cat << EOF >> /etc/unbound/unbound_ext.conf
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2001:4860:4860::8888@853#dns.google
    forward-addr: 2001:4860:4860::8844@853#dns.google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
forward-zone:
    name: "openwrt.pool.ntp.org."
    forward-addr: 2001:4860:4860::8888
    forward-addr: 2001:4860:4860::8844
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
EOF
service unbound restart
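
The fragment above only authenticates the upstream because every TLS forward-addr carries "@853#dns.google" and the server clause points tls-cert-bundle at a CA bundle; drop the authname and Unbound still encrypts but never checks whose certificate it received. The following Python lint, an added example that is not part of this guide or of Unbound, parses such a fragment and reports each forward-zone that is plaintext, lacks a CA bundle, or has an upstream without the port 853 or the "#authname". The sample configuration inside it is constructed, not read from the router.

```python
import re
# Constructed sample (not a file from the page): the guide's fragment plus one upstream lacking "#authname".
SAMPLE_CONF = """\
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 2001:4860:4860::8888@853#dns.google
    forward-addr: 9.9.9.9@853
forward-zone:
    name: "openwrt.pool.ntp.org."
    forward-addr: 8.8.8.8
"""
# Unbound forward-addr syntax is IP[@port][#authname]; the authname is what gets the certificate checked.
ADDR_RE = re.compile(r"^(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")

def parse_unbound_conf(text):
    """Return [(clause, {option: [values]})]; unindented 'x:' lines open a clause, '#' lines are comments."""
    clauses = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            clauses.append((line.strip()[:-1], {}))
        else:
            key, _, value = line.strip().partition(":")
            clauses[-1][1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return clauses

def audit_forward_zones(text):
    """Map each forward-zone name to the findings that weaken DNS over TLS."""
    clauses = parse_unbound_conf(text)
    have_bundle = any(c == "server" and o.get("tls-cert-bundle") for c, o in clauses)
    report = {}
    for clause, opts in clauses:
        if clause != "forward-zone":
            continue
        name = opts.get("name", ["?"])[0]
        if opts.get("forward-tls-upstream", ["no"])[0] != "yes":
            report[name] = ["plaintext forwarding (no forward-tls-upstream)"]  # expected only for NTP bootstrap
            continue
        issues = [] if have_bundle else ["no tls-cert-bundle: upstream certificates cannot be validated"]
        for addr in opts.get("forward-addr", []):
            m = ADDR_RE.match(addr)
            if not m or m["port"] != "853":
                issues.append(f"{addr}: not on DoT port 853")
            if not m or not m["auth"]:
                issues.append(f"{addr}: no #authname, upstream identity unverified")
        report[name] = issues
    return report
```

Run it against /etc/unbound/unbound_ext.conf on the router; the only zone that should report plaintext forwarding is the NTP bootstrap zone.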

See also: DNS hijacking, Random generator

Testing

Verify that domain name resolution works.

nslookup openwrt.org localhost

Check your DNS provider. Make sure there is no DNS leak.

Test DNSSEC validation.

Troubleshooting

Collect and analyze the following information.

# Restart the services
service log restart; service unbound restart
 
# Log and status
logread -e unbound; netstat -l -n -p | grep -e unbound
 
# Runtime configuration
pgrep -f -a unbound
 
# Persistent configuration
uci show unbound
grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf

docs/guide-user/services/dns/dot_unbound.txt · Last modified: 2019/04/28 02:34 by vgaetera