Differences

docs:guide-user:services:dns:dot_unbound [2019/09/18 14:30] – [Introduction] vgaetera
docs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik
Line 1: Line 1:
-====== DNS over TLS with Unbound ====== +====== DoT with Unbound ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.
   * It relies on [[docs:guide-user:services:dns:unbound|Unbound]] for performance and fault tolerance.   * It relies on [[docs:guide-user:services:dns:unbound|Unbound]] for performance and fault tolerance.
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions =====
-Encrypt both LAN client and local system DNS traffic.+
 [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd. [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd.
  
-Use Unbound to encrypt DNS traffic+Install the required packages
-Override DNS encryption for NTP provider to avoid deadlock state if system time is not synchronized.+Enable DNS encryption.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install unbound ca-bundle+opkg install unbound-daemon
  
 # Enable DNS encryption # Enable DNS encryption
-sed -i -e "/^[^#]/d/etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.enabled="1
-cat << EOF >> /etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.fallback="0
-server: +uci commit unbound 
-    tls-cert-bundle: "/etc/ssl/cert.pem" +service unbound restart
-forward-zone: +
-    name: ".+
-    forward-tls-upstream: yes +
-    forward-addr: 2001:4860:4860::8888@853#dns.google +
-    forward-addr: 2001:4860:4860::8844@853#dns.google +
-    forward-addr: 8.8.8.8@853#dns.google +
-    forward-addr: 8.8.4.4@853#dns.google +
-EOF +
-/etc/init.d/unbound restart+
 </code> </code>
  
-See also: +LAN clients and local system should use Unbound as a primary resolver assuming that Dnsmasq is disabled.
-[[docs:guide-user:services:dns:intercept|DNS hijacking]], +
-[[docs:guide-user:services:rng|Random generator]]+
  
 ===== Testing ===== ===== Testing =====
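Review bot: the sentence "Override DNS encryption for NTP provider to avoid deadlock state if system time is not synchronized" is deleted in this hunk without a replacement, and the remaining command-line instructions never say how the router's clock gets set once every lookup goes over TLS. That is a real bootstrap problem, not a nicety: the TLS handshake to the DoT upstream fails certificate validation while the router's time is wrong, and after a cold boot the router needs working DNS to resolve the NTP pool hostnames. Either keep the sentence here or move the "ensure, that the NTP server can work without DNS" step from the new dnsmasq chapter at the end of the page into these main instructions, since it applies to the Unbound-only setup just as much. A second point in the same hunk: the old install line pulls in `ca-bundle` and the old `unbound_ext.conf` pins `tls-cert-bundle: "/etc/ssl/cert.pem"`, whereas the new lines install only `unbound-daemon` and set `unbound.fwd_google.enabled="1"` and `fallback="0"`, with nothing visible about where certificate verification comes from. One sentence stating that `unbound-daemon` brings the CA bundle along (or how the reader can check that verification is actually happening) would tell them whether the upstream is authenticated or merely encrypted. `fallback="0"` is the right choice if the intent is that resolution fails closed instead of quietly degrading to unencrypted recursion, and that deserves a sentence too, because the page otherwise leaves the option unexplained.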
Line 49: Line 37:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/unbound restart+service log restart; service unbound restart
  
 # Log and status # Log and status
Line 57: Line 45:
 # Runtime configuration # Runtime configuration
 pgrep -f -a unbound pgrep -f -a unbound
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
 uci show unbound uci show unbound
-grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf 
 </code> </code>
  
 ===== Extras ===== ===== Extras =====
 +==== Web interface ====
 +If you want to manage the settings using web interface.
 +Install the necessary packages.
 +
 +<code bash>
 +# Install packages
 +opkg update
 +opkg install luci-app-unbound
 +service rpcd restart
 +</code>
 +
 +Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound.
 +
 ==== DoT provider ==== ==== DoT provider ====
-Unbound is configured with Google DNS by default+Unbound is configured with Google DNS. 
-You can change it to another [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 +Change to Cloudflare DNS
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
-sed -i -e "/^[^#]/d/etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.enabled="0" 
-cat << EOF >> /etc/unbound/unbound_ext.conf +uci set unbound.fwd_cloudflare.enabled="1" 
-server: +uci set unbound.fwd_cloudflare.fallback="0" 
-    tls-cert-bundle: "/etc/ssl/cert.pem+uci commit unbound 
-forward-zone: +service unbound restart 
-    name: "." +</code> 
-    forward-tls-upstream: yes + 
-    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com +Change to other [[wp>Public_recursive_name_server|DoT provider]]  
-    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com +<code bash> 
-    forward-addr: 1.1.1.1@853#cloudflare-dns.com +# Configure DoT provider (example: "Cloudflare Family Protection"
-    forward-addr: 1.0.0.1@853#cloudflare-dns.com +uci set unbound.fwd_google.enabled="0" 
-EOF +uci set unbound.fwd_cloudflare.enabled="0" 
-/etc/init.d/unbound restart+while uci -q del unbound.@zone[4]; do :; done 
 +uci add unbound zone 
 +uci set unbound.@zone[-1].enabled="1" 
 +uci set unbound.@zone[-1].fallback="0
 +uci set unbound.@zone[-1].zone_type="forward_zone" 
 +uci add_list unbound.@zone[-1].zone_name="." 
 +uci add_list unbound.@zone[-1].server="1.1.1.3
 +uci add_list unbound.@zone[-1].server="1.0.0.3" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1113" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1003" 
 +uci set unbound.@zone[-1].tls_upstream="1
 +uci set unbound.@zone[-1].tls_index="family.cloudflare-dns.com" 
 +uci commit unbound 
 +service unbound restart
 </code> </code>
  
 ==== DNSSEC validation ==== ==== DNSSEC validation ====
 Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
-Beware of performance issues.+Beware of fault tolerance and performance issues.
  
 <code bash> <code bash>
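Review bot: `while uci -q del unbound.@zone[4]; do :; done` in the "other DoT provider" block assumes the shipped `/etc/config/unbound` has exactly four zone sections (indices 0 to 3) and deletes everything from index 4 upward. On a config where the user has already added a zone, or where the package defaults change, it either wipes a zone the user wanted or leaves a previously enabled `zone_type="forward_zone"` for "." competing with the one added right after it. Deleting by a known section name, or telling the reader to run `uci show unbound | grep zone_name` first and remove the specific section, would make the step safe to rerun. The `tls_index="family.cloudflare-dns.com"` line is the name the upstream's certificate is checked against, so it is what turns `tls_upstream="1"` from encryption into authentication; it is worth saying that it must match the certificate name published by the provider and must not be dropped or left as the Cloudflare value when the block is copied for a different provider's addresses. Finally, the new Web interface section tells the reader to install `luci-app-unbound` and restart `rpcd`, but the note that the LuCI pages expose the same `fwd_google` / `fwd_cloudflare` zones configured above would help someone who switches between the two methods.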
Line 95: Line 110:
 uci set unbound.@unbound[0].validator="1" uci set unbound.@unbound[0].validator="1"
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
 +
 +===== Configure unbound with dnsmasq =====
 +Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp>Public_recursive_name_server|DoT provider]] were described earlier.
 +Here would be just described how to configure unbound with dnsmasq.
 +
 +=== Command-line instructions ===
 + 
 +<code bash>
 +# Change unbound port to 5353, because dnsmasq is running already on port 53
 +sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound
 +
 +# configure dnsmasq to forward to localhost 5353
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 +uci -q delete dhcp.@dnsmasq[0].server
 +uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5353"
 +uci commit dhcp
 +service dnsmasq start
 +service unbound restart
 +
 +# Optional - ensure, that the NTP server can work without DNS
 +uci del system.ntp.server
 +uci add_list system.ntp.server='194.177.4.1'    # 0.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='213.222.217.11' # 1.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='80.50.102.114'  # 2.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='193.219.28.60'  # 3.openwrt.pool.ntp.org
 +uci commit system
 +</code>
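Review bot: `sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound` edits the UCI file as text and silently does nothing if the option is written with double quotes, is absent, or already carries a different port; every other step on the page goes through `uci set ...` followed by `uci commit`, so this one should too, with `uci set unbound.@unbound[0].listen_port="5353"` and `uci commit unbound`, which also keeps the change visible in the `uci show unbound` check from the Testing section. The NTP step hardcodes four pool member addresses with comments mapping them to `N.openwrt.pool.ntp.org`; pool membership rotates, so those addresses are not guaranteed to remain NTP servers, and the step is labelled "Optional" although the earlier revision of this page described the same situation as a deadlock (TLS validation needs correct time, time sync needs DNS). Say explicitly that the operator should pick NTP addresses they control or trust and revisit them, and consider placing this step in the main command-line instructions rather than only in the dnsmasq chapter. Two smaller items: the heading `=== Command-line instructions ===` sits two levels below `=====`, skipping the `====` level used by the other subsections, and "Here would be just described how to configure unbound with dnsmasq" should read "This section only describes how to configure Unbound with dnsmasq".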
  • Last modified: 2024/11/20 13:42
  • by dpawlik