docs:guide-user:services:dns:dot_unbound [2019/04/20 10:16] – split from docs:guide-user:services:dns:encrypt vgaeteradocs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik
Line 1: Line 1:
-====== DNS over TLS via Dnsmasq and Stubby ====== +====== DoT with Unbound ====== 
-{{page>meta:infobox:cli_setup&noheader&nofooter&noeditbtn}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This guide describes how to configure OpenWrt to protect your DNS traffic. +  * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt
-  * It utilizes [[wp>DNS_over_TLS|DNS over TLS]] to provide DNS encryption+  * It relies on [[docs:guide-user:services:dns:unbound|Unbound]] for performance and fault tolerance. 
-  * DNS encryption is limited to DNS trafficuse [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions =====
-This method utilizes DoT and focuses on performance and fault tolerance. +
- +
-Encrypt both LAN client and local system DNS traffic.+
 [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd. [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd.
  
-Use [[docs:guide-user:services:dns:unbound|Unbound]] to encrypt DNS traffic+Install the required packages
-Override DNS encryption for NTP provider to avoid deadlock state if system time is not synchronized.+Enable DNS encryption.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install unbound ca-bundle+opkg install unbound-daemon
  
 # Enable DNS encryption # Enable DNS encryption
-sed -i -e "/^[^#]/d" /etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.enabled="1
-cat << EOF >> /etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.fallback="0
-server: +uci commit unbound
-    tls-cert-bundle: "/etc/ssl/cert.pem+
-forward-zone: +
-    name: ".+
-    forward-tls-upstream: yes +
-    forward-addr: 2001:4860:4860::8888@853#dns.google +
-    forward-addr: 2001:4860:4860::8844@853#dns.google +
-    forward-addr: 8.8.8.8@853#dns.google +
-    forward-addr: 8.8.4.4@853#dns.google +
-forward-zone: +
-    name: "openwrt.pool.ntp.org.+
-    forward-addr: 2001:4860:4860::8888 +
-    forward-addr: 2001:4860:4860::8844 +
-    forward-addr: 8.8.8.8 +
-    forward-addr: 8.8.4.4 +
-EOF+
 service unbound restart service unbound restart
 </code> </code>
 +
 +LAN clients and local system should use Unbound as a primary resolver assuming that Dnsmasq is disabled.
  
 ===== Testing ===== ===== Testing =====
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
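Review bot: dropping the unencrypted `forward-zone:` for `name: "openwrt.pool.ntp.org."` (the block removed just before `EOF`) reintroduces the deadlock the old text warned about: on a router with no battery-backed clock, Unbound cannot validate the forwarder's TLS certificate until the time is correct, and sysntpd cannot fetch the time until the pool name resolves, so every lookup fails after a cold boot. Either keep a plain-DNS exception for the NTP pool name or tell the reader to pin NTP servers by address here, in the main procedure, rather than only in the optional dnsmasq chapter. Related: the new `opkg install unbound-daemon` line drops `ca-bundle` and the `tls-cert-bundle: "/etc/ssl/cert.pem"` setting without saying whether the package installs a trust store and wires it into the generated config; without one, `forward-tls-upstream` encrypts the session but cannot authenticate the upstream, which removes most of the value of DoT. State that the package handles it, or keep `ca-bundle` in the install command. Also, as rendered the two added commands read `uci set unbound.fwd_google.enabled="1` and `uci set unbound.fwd_google.fallback="0` with no closing quote; check the page source so a copy-paste does not leave the shell waiting on an unterminated string.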
Line 53: Line 37:
  
 <code bash> <code bash>
-# Restart the services+# Restart services
 service log restart; service unbound restart service log restart; service unbound restart
  
Line 61: Line 45:
 # Runtime configuration # Runtime configuration
 pgrep -f -a unbound pgrep -f -a unbound
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
 uci show unbound uci show unbound
-grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf 
 </code> </code>
  
 ===== Extras ===== ===== Extras =====
-See also: [[intercept|DNS hijacking]], [[docs:guide-user:services:rng|Random generator]]+==== Web interface ==== 
 +If you want to manage the settings using web interface. 
 +Install the necessary packages.
  
-{{tag>How-to DNS DoT}}+<code bash> 
 +# Install packages 
 +opkg update 
 +opkg install luci-app-unbound 
 +service rpcd restart 
 +</code>
  
 +Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound.
 +
 +==== DoT provider ====
 +Unbound is configured with Google DNS.
 +You can change it to Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]].
 +Use resolvers supporting DNSSEC validation if necessary.
 +Specify several resolvers to improve fault tolerance.
 +
 +Change to Cloudflare DNS
 +<code bash>
 +# Configure DoT provider
 +uci set unbound.fwd_google.enabled="0"
 +uci set unbound.fwd_cloudflare.enabled="1"
 +uci set unbound.fwd_cloudflare.fallback="0"
 +uci commit unbound
 +service unbound restart
 +</code>
 +
 +Change to other [[wp>Public_recursive_name_server|DoT provider]] 
 +<code bash>
 +# Configure DoT provider (example: "Cloudflare Family Protection")
 +uci set unbound.fwd_google.enabled="0"
 +uci set unbound.fwd_cloudflare.enabled="0"
 +while uci -q del unbound.@zone[4]; do :; done
 +uci add unbound zone
 +uci set unbound.@zone[-1].enabled="1"
 +uci set unbound.@zone[-1].fallback="0"
 +uci set unbound.@zone[-1].zone_type="forward_zone"
 +uci add_list unbound.@zone[-1].zone_name="."
 +uci add_list unbound.@zone[-1].server="1.1.1.3"
 +uci add_list unbound.@zone[-1].server="1.0.0.3"
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1113"
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1003"
 +uci set unbound.@zone[-1].tls_upstream="1"
 +uci set unbound.@zone[-1].tls_index="family.cloudflare-dns.com"
 +uci commit unbound
 +service unbound restart
 +</code>
 +
 +==== DNSSEC validation ====
 +Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
 +Beware of fault tolerance and performance issues.
 +
 +<code bash>
 +# Enforce DNSSEC validation
 +uci set unbound.@unbound[0].validator="1"
 +uci commit unbound
 +service unbound restart
 +</code>
 +
 +
 +===== Configure unbound with dnsmasq =====
 +Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp>Public_recursive_name_server|DoT provider]] were described earlier.
 +Here would be just described how to configure unbound with dnsmasq.
 +
 +=== Command-line instructions ===
 + 
 +<code bash>
 +# Change unbound port to 5353, because dnsmasq is running already on port 53
 +sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound
 +
 +# configure dnsmasq to forward to localhost 5353
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 +uci -q delete dhcp.@dnsmasq[0].server
 +uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5353"
 +uci commit dhcp
 +service dnsmasq start
 +service unbound restart
 +
 +# Optional - ensure, that the NTP server can work without DNS
 +uci del system.ntp.server
 +uci add_list system.ntp.server='194.177.4.1'    # 0.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='213.222.217.11' # 1.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='80.50.102.114'  # 2.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='193.219.28.60'  # 3.openwrt.pool.ntp.org
 +uci commit system
 +</code>
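Review bot: `while uci -q del unbound.@zone[4]; do :; done` in the "other DoT provider" block assumes the stock config ships exactly four `zone` sections in a fixed order; on any install where a zone was added, renamed or removed it deletes the wrong section or leaves a stale forwarder enabled next to the new one. Have the reader list sections first (`uci show unbound | grep zone_type`) or delete the named ones (`uci -q del unbound.fwd_google`) instead of a positional index. In the dnsmasq chapter, `sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound` is a text edit of a UCI file that silently does nothing if the option is absent or quoted differently; the rest of the page uses uci and the DNSSEC step already addresses `unbound.@unbound[0]`, so `uci set unbound.@unbound[0].listen_port="5353"; uci commit unbound` is both consistent and robust. Finally, the optional NTP step hard-codes four addresses annotated as `0.openwrt.pool.ntp.org` through `3.openwrt.pool.ntp.org`: pool names resolve to a rotating set of volunteer servers, so these literals are not stable members of the pool and will go stale; either reinstate the unencrypted `forward-zone` for the pool name that the previous revision used, or say plainly that the addresses must be re-checked. That step also belongs in the main procedure, because the time-versus-TLS bootstrap problem exists whether or not dnsmasq sits in front of Unbound.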
  • Last modified: 2024/11/20 13:42
  • by dpawlik