docs:guide-user:services:dns:dot_unbound [2020/01/01 14:03] – [Instructions] charles.suhdocs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik
Line 1: Line 1:
-====== DNS over TLS with Unbound ====== +====== DoT with Unbound ====== 
-DNS over TLS is fully supported with UCI and LuCI starting with OpenWrt 19.07. You can manage zone recursion, zone forward, and zone transfer preferences in a form similar to how the firewall pin point rules work. You may forward specific domains to specific DNS servers for example "youtube.com." to "8.8.8.8" with or without TLS. +{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
-  * [[https://github.com/openwrt/packages/tree/openwrt-19.07/net/unbound/files/README.md|README for Unbound 1.9.3 @ OpenWrt 19.07]] +
-  * [[https://github.com/openwrt/packages/tree/master/net/unbound/files/README.md|README for Unbound @ OpenWrt Snapshot]] +
- +
-====== Older Versions ====== +
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.
   * It relies on [[docs:guide-user:services:dns:unbound|Unbound]] for performance and fault tolerance.   * It relies on [[docs:guide-user:services:dns:unbound|Unbound]] for performance and fault tolerance.
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions =====+===== Command-line instructions =====
 [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd. [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd.
  
-Use Unbound to encrypt both LAN client and local system DNS traffic.+Install the required packages. 
 +Enable DNS encryption.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install unbound ca-bundle +opkg install unbound-daemon
-</code> +
- +
-In 19.07 and later, configuring TLS via UCI in `/etc/config/unbound` is supported: +
-<code> +
-config zone +
- option enabled '1' +
- option zone_type 'forward_zone' +
- option tls_upstream '1' +
- option tls_index 'dns.google' +
- list zone_name '.' +
- list server '8.8.8.8' +
- list server '8.8.4.4' +
- list server '2001:4860:4860::8888' +
- list server '2001:4860:4860::8844' +
-</code>+
  
-In 18.06 and earlier: 
-<code bash> 
 # Enable DNS encryption # Enable DNS encryption
-sed -i -e "/^[^#]/d/etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.enabled="1
-cat << EOF >> /etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.fallback="0
-server: +uci commit unbound 
-    tls-cert-bundle: "/etc/ssl/cert.pem" +service unbound restart
-forward-zone: +
-    name: ".+
-    forward-tls-upstream: yes +
-    forward-addr: 2001:4860:4860::8888@853#dns.google +
-    forward-addr: 2001:4860:4860::8844@853#dns.google +
-    forward-addr: 8.8.8.8@853#dns.google +
-    forward-addr: 8.8.4.4@853#dns.google +
-EOF+
 </code> </code>
  
-<code bash> +LAN clients and local system should use Unbound as a primary resolver assuming that Dnsmasq is disabled.
-/etc/init.d/unbound restart +
-</code>+
  
 ===== Testing ===== ===== Testing =====
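Review bot: the new "Enable DNS encryption" block sets `uci set unbound.fwd_google.fallback="0"` without saying what it does; since the zone `fallback` option decides whether Unbound reverts to ordinary unencrypted recursion when the forwarder is unreachable, a sentence stating that `fallback="0"` keeps queries encrypted at the cost of availability (and that `"1"` trades the other way) belongs next to it. As rendered here, the closing double quote is missing after `enabled="1` and `fallback="0`, so confirm the page reads `enabled="1"` and `fallback="0"`. The package step also drops the explicit `ca-bundle` from the old `opkg install unbound ca-bundle`; if `unbound-daemon` does not pull a CA bundle in as a dependency, verification of the DoT upstream certificate has no trust store, so either keep `ca-bundle` on the install line or note that the dependency covers it. Removing the two README links loses the only pointer to the documentation of the `tls_index` and zone options the new UCI snippets rely on.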
Line 68: Line 37:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/unbound restart+service log restart; service unbound restart
  
 # Log and status # Log and status
Line 76: Line 45:
 # Runtime configuration # Runtime configuration
 pgrep -f -a unbound pgrep -f -a unbound
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
 uci show unbound uci show unbound
-grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf 
 </code> </code>
  
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage the settings via web interface.+If you want to manage the settings using web interface
 +Install the necessary packages.
  
 <code bash> <code bash>
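Review bot: the added `head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*` check is only useful if the reader knows what to look for; state the expected result (the local system's resolv.conf pointing at Unbound on localhost rather than at the WAN-learned servers under /tmp/resolv.*), since that is the check that catches the local system still sending plaintext DNS upstream after Dnsmasq is disabled. Minor style point in the same hunk: "If you want to manage the settings using web interface" needs an article ("the web interface").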
Line 90: Line 60:
 opkg update opkg update
 opkg install luci-app-unbound opkg install luci-app-unbound
 +service rpcd restart
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Services -> Recursive DNS** to configure Unbound.+Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound.
  
 ==== DoT provider ==== ==== DoT provider ====
-Unbound is configured with Google DNS by default+Unbound is configured with Google DNS. 
-You can change it to another [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 +Change to Cloudflare DNS
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
-sed -i -e "/^[^#]/d/etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.enabled="0" 
-cat << EOF >> /etc/unbound/unbound_ext.conf +uci set unbound.fwd_cloudflare.enabled="1" 
-server: +uci set unbound.fwd_cloudflare.fallback="0" 
-    tls-cert-bundle: "/etc/ssl/cert.pem+uci commit unbound 
-forward-zone: +service unbound restart 
-    name: "." +</code> 
-    forward-tls-upstream: yes + 
-    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com +Change to other [[wp>Public_recursive_name_server|DoT provider]]  
-    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com +<code bash> 
-    forward-addr: 1.1.1.1@853#cloudflare-dns.com +# Configure DoT provider (example: "Cloudflare Family Protection"
-    forward-addr: 1.0.0.1@853#cloudflare-dns.com +uci set unbound.fwd_google.enabled="0" 
-EOF +uci set unbound.fwd_cloudflare.enabled="0" 
-/etc/init.d/unbound restart+while uci -q del unbound.@zone[4]; do :; done 
 +uci add unbound zone 
 +uci set unbound.@zone[-1].enabled="1" 
 +uci set unbound.@zone[-1].fallback="0
 +uci set unbound.@zone[-1].zone_type="forward_zone" 
 +uci add_list unbound.@zone[-1].zone_name="." 
 +uci add_list unbound.@zone[-1].server="1.1.1.3
 +uci add_list unbound.@zone[-1].server="1.0.0.3" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1113" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1003" 
 +uci set unbound.@zone[-1].tls_upstream="1
 +uci set unbound.@zone[-1].tls_index="family.cloudflare-dns.com" 
 +uci commit unbound 
 +service unbound restart
 </code> </code>
  
 ==== DNSSEC validation ==== ==== DNSSEC validation ====
 Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
-Beware of performance issues.+Beware of fault tolerance and performance issues.
  
 <code bash> <code bash>
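Review bot: `while uci -q del unbound.@zone[4]; do :; done` in the "other DoT provider" block assumes the shipped config has exactly four zone sections so that index 4 and above are the ones to discard; on a config with a different count it either deletes nothing or removes the reader's own zones, and the replacement zone is then appended behind whatever survived. Addressing the zone by a named section, as the `fwd_google`/`fwd_cloudflare` lines in the same block already do, or creating the new one under a fixed name (e.g. `uci set unbound.fwd_custom=zone`, name chosen here as an illustration) avoids that. `fallback="0"` on the new zone deserves the same explanation as in the earlier block, since it is what prevents a silent fall back to plain recursion when the DoT server is unreachable, and `tls_index="family.cloudflare-dns.com"` is worth a comment saying it is the name the upstream certificate is verified against, as it is the line that authenticates the resolver rather than only encrypting to it. As rendered, closing quotes are missing after `fallback="0`, `server="1.1.1.3` and `tls_upstream="1`; confirm the page has them.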
Line 125: Line 110:
 uci set unbound.@unbound[0].validator="1" uci set unbound.@unbound[0].validator="1"
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
-==== Local system ==== 
-Local system uses Unbound as a primary resolver assuming that Dnsmasq is disabled. 
-Unbound provides a built-in workaround to avoid deadlock state when system time is not synchronized. 
-No additional action is required by default. 
  
 +===== Configure unbound with dnsmasq =====
 +Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp>Public_recursive_name_server|DoT provider]] were described earlier.
 +Here would be just described how to configure unbound with dnsmasq.
 +
 +=== Command-line instructions ===
 + 
 +<code bash>
 +# Change unbound port to 5353, because dnsmasq is running already on port 53
 +sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound
 +
 +# configure dnsmasq to forward to localhost 5353
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 +uci -q delete dhcp.@dnsmasq[0].server
 +uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5353"
 +uci commit dhcp
 +service dnsmasq start
 +service unbound restart
 +
 +# Optional - ensure, that the NTP server can work without DNS
 +uci del system.ntp.server
 +uci add_list system.ntp.server='194.177.4.1'    # 0.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='213.222.217.11' # 1.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='80.50.102.114'  # 2.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='193.219.28.60'  # 3.openwrt.pool.ntp.org
 +uci commit system
 +</code>
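Review bot: the port change uses `sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound`, which silently does nothing if the option is absent or quoted differently; the rest of the page drives Unbound through UCI, so `uci set unbound.@unbound[0].listen_port='5353'` followed by `uci commit unbound` is the consistent and reliable form. The dnsmasq lines are right for the goal (`noresolv="1"` stops dnsmasq from using the WAN-learned resolvers, so every query goes through Unbound, and `cachesize='0'` leaves caching to Unbound), but that reasoning belongs in the comments, and the quoting style should be uniform (`"1"` next to `'0'`). The optional NTP step has no stated rationale now that the "Local system" paragraph about the time-sync deadlock was removed; say that TLS to the DoT upstream needs a correct clock while NTP by hostname needs DNS, and note that pinning pool.ntp.org members as literal IPs will go stale, since the pool rotates its members. Style: the heading `=== Command-line instructions ===` skips the `====` level used elsewhere on the page, and "Here would be just described how to configure unbound with dnsmasq." reads better as "This section only describes how to configure Unbound with dnsmasq."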
  • Last modified: 2024/11/20 13:42
  • by dpawlik