Differences

This shows you the differences between two versions of the page.

Old revision: docs:guide-user:services:dns:dot_unbound [2020/01/01 14:08] – [DoT provider] charles.suh
New revision: docs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik
Line 1: Line 1:
-====== DNS over TLS with Unbound ====== +====== DoT with Unbound ====== 
-DNS over TLS is fully supported with UCI and LuCI starting with OpenWrt 19.07. You can manage zone recursion, zone forward, and zone transfer preferences in a form similar to how the firewall pin point rules work. You may forward specific domains to specific DNS servers for example "youtube.com." to "8.8.8.8" with or without TLS. +{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
-  * [[https://github.com/openwrt/packages/tree/openwrt-19.07/net/unbound/files/README.md|README for Unbound 1.9.3 @ OpenWrt 19.07]] +
-  * [[https://github.com/openwrt/packages/tree/master/net/unbound/files/README.md|README for Unbound @ OpenWrt Snapshot]] +
- +
-====== Older Versions ====== +
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.
   * It relies on [[docs:guide-user:services:dns:unbound|Unbound]] for performance and fault tolerance.   * It relies on [[docs:guide-user:services:dns:unbound|Unbound]] for performance and fault tolerance.
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions =====+===== Command-line instructions =====
 [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd. [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd.
  
-Use Unbound to encrypt both LAN client and local system DNS traffic.+Install the required packages. 
 +Enable DNS encryption.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install unbound ca-bundle +opkg install unbound-daemon
-</code>+
  
-In 19.07 and later, configuring TLS via UCI in ''/etc/config/unbound'' is supported: 
-<code> 
-config zone 
- option enabled '1' 
- option zone_type 'forward_zone' 
- option tls_upstream '1' 
- option tls_index 'dns.google' 
- list zone_name '.' 
- list server '8.8.8.8' 
- list server '8.8.4.4' 
- list server '2001:4860:4860::8888' 
- list server '2001:4860:4860::8844' 
-</code> 
- 
-In 18.06 and earlier: 
-<code bash> 
 # Enable DNS encryption # Enable DNS encryption
-sed -i -e "/^[^#]/d/etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.enabled="1
-cat << EOF >> /etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.fallback="0
-server: +uci commit unbound 
-    tls-cert-bundle: "/etc/ssl/cert.pem" +service unbound restart
-forward-zone: +
-    name: ".+
-    forward-tls-upstream: yes +
-    forward-addr: 2001:4860:4860::8888@853#dns.google +
-    forward-addr: 2001:4860:4860::8844@853#dns.google +
-    forward-addr: 8.8.8.8@853#dns.google +
-    forward-addr: 8.8.4.4@853#dns.google +
-EOF+
 </code> </code>
  
-<code bash> +LAN clients and local system should use Unbound as a primary resolver assuming that Dnsmasq is disabled.
-/etc/init.d/unbound restart +
-</code>+
  
 ===== Testing ===== ===== Testing =====
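Review bot: the new install line `opkg install unbound-daemon` drops the `ca-bundle` package that the old `opkg install unbound ca-bundle` pulled in, and the removed 18.06 block shows why it was there (`tls-cert-bundle: "/etc/ssl/cert.pem"`): without a CA bundle Unbound cannot verify the upstream certificate against the name in `tls_index`, so either keep `ca-bundle` in the install command or state that `unbound-daemon` depends on it. The new commands also assume the shipped `/etc/config/unbound` already contains a `fwd_google` zone with `tls_upstream` and `tls_index` set (the removed UCI block spelled those out); a sentence saying so would help, since `uci set` on a missing section fails. Two smaller points: `uci set unbound.fwd_google.enabled="1` and the `fallback="0` line under it are missing their closing quote as rendered, which the shell rejects as an unterminated string, and `fallback="0"` deserves a word of explanation, namely that Unbound will not silently drop to plaintext recursion when the TLS forwarder is unreachable, which is the property the how-to is meant to deliver.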
Line 68: Line 37:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/unbound restart+service log restart; service unbound restart
  
 # Log and status # Log and status
Line 76: Line 45:
 # Runtime configuration # Runtime configuration
 pgrep -f -a unbound pgrep -f -a unbound
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
 uci show unbound uci show unbound
-grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf 
 </code> </code>
  
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage the settings via web interface.+If you want to manage the settings using web interface
 +Install the necessary packages.
  
 <code bash> <code bash>
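Review bot: the removed `grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf` was the only line in the Testing block that surfaced the TLS forwarder settings, and the remaining `uci show unbound` plus the added `head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*` show configuration, not behaviour; a DoT how-to should check that upstream queries actually leave on port 853 (the old config pinned `@853` on every `forward-addr`), for example with a connection listing or a packet capture, otherwise a zone that quietly fell back to plain port 53 recursion still passes this test. Style: `If you want to manage the settings using web interface` is a fragment split from `Install the necessary packages.`; `If you want to manage the settings using the web interface, install the necessary packages.` reads as one sentence.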
Line 90: Line 60:
 opkg update opkg update
 opkg install luci-app-unbound opkg install luci-app-unbound
 +service rpcd restart
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Services -> Recursive DNS** to configure Unbound.+Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound.
  
 ==== DoT provider ==== ==== DoT provider ====
-Unbound was configured with Google DNS above+Unbound is configured with Google DNS. 
-You can change it to CloudFlare, another [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
-In 19.07 and later, edit ''/etc/config/unbound'': +Change to Cloudflare DNS
-<code> +
-config zone +
- option enabled '1' +
- option zone_type 'forward_zone' +
- option tls_upstream '1' +
- option tls_index 'cloudflare-dns.com' +
- list zone_name '.' +
- list server '1.1.1.1' +
- list server '1.0.0.1' +
- list server '2606:4700:4700::1111' +
- list server '2606:4700:4700::1001' +
-</code> +
- +
-In 18.06 and earlier:+
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
-sed -i -e "/^[^#]/d" /etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.enabled="0
-cat << EOF >> /etc/unbound/unbound_ext.conf +uci set unbound.fwd_cloudflare.enabled="1" 
-server: +uci set unbound.fwd_cloudflare.fallback="0" 
-    tls-cert-bundle: "/etc/ssl/cert.pem+uci commit unbound 
-forward-zone: +service unbound restart
-    name: "." +
-    forward-tls-upstream: yes +
-    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com +
-    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com +
-    forward-addr: 1.1.1.1@853#cloudflare-dns.com +
-    forward-addr: 1.0.0.1@853#cloudflare-dns.com +
-EOF+
 </code> </code>
  
-Then: +Change to other [[wp>Public_recursive_name_server|DoT provider]] 
 <code bash> <code bash>
-/etc/init.d/unbound restart+# Configure DoT provider (example: "Cloudflare Family Protection"
 +uci set unbound.fwd_google.enabled="0" 
 +uci set unbound.fwd_cloudflare.enabled="0" 
 +while uci -q del unbound.@zone[4]; do :; done 
 +uci add unbound zone 
 +uci set unbound.@zone[-1].enabled="1" 
 +uci set unbound.@zone[-1].fallback="0" 
 +uci set unbound.@zone[-1].zone_type="forward_zone" 
 +uci add_list unbound.@zone[-1].zone_name="." 
 +uci add_list unbound.@zone[-1].server="1.1.1.3" 
 +uci add_list unbound.@zone[-1].server="1.0.0.3" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1113" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1003" 
 +uci set unbound.@zone[-1].tls_upstream="1" 
 +uci set unbound.@zone[-1].tls_index="family.cloudflare-dns.com" 
 +uci commit unbound 
 +service unbound restart
 </code> </code>
  
 ==== DNSSEC validation ==== ==== DNSSEC validation ====
 Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
-Beware of performance issues.+Beware of fault tolerance and performance issues.
  
 <code bash> <code bash>
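Review bot: `while uci -q del unbound.@zone[4]; do :; done` silently assumes the shipped config has exactly four zone sections (indices 0 to 3) and that everything from index 4 onward is disposable; on a config where the user added their own zones it deletes them, and on one with fewer sections it is a no-op and a stale forward zone can remain active alongside the new one. Either state that assumption or address the sections by name, as the `fwd_google` and `fwd_cloudflare` lines in the same block already do. Smaller points: `uci set unbound.fwd_google.enabled="0` in the Cloudflare block is missing its closing quote as rendered, the comment `(example: "Cloudflare Family Protection"` lacks its closing parenthesis, and the line `Change to Cloudflare DNS` needs a terminating colon or period like the `Change to other ... DoT provider` heading below it.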
Line 145: Line 110:
 uci set unbound.@unbound[0].validator="1" uci set unbound.@unbound[0].validator="1"
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
-==== Local system ==== 
-Local system uses Unbound as a primary resolver assuming that Dnsmasq is disabled. 
-Unbound provides a built-in workaround to avoid deadlock state when system time is not synchronized. 
-No additional action is required by default. 
  
 +===== Configure unbound with dnsmasq =====
 +Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp>Public_recursive_name_server|DoT provider]] were described earlier.
 +Here would be just described how to configure unbound with dnsmasq.
 +
 +=== Command-line instructions ===
 + 
 +<code bash>
 +# Change unbound port to 5353, because dnsmasq is running already on port 53
 +sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound
 +
 +# configure dnsmasq to forward to localhost 5353
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 +uci -q delete dhcp.@dnsmasq[0].server
 +uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5353"
 +uci commit dhcp
 +service dnsmasq start
 +service unbound restart
 +
 +# Optional - ensure, that the NTP server can work without DNS
 +uci del system.ntp.server
 +uci add_list system.ntp.server='194.177.4.1'    # 0.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='213.222.217.11' # 1.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='80.50.102.114'  # 2.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='193.219.28.60'  # 3.openwrt.pool.ntp.org
 +uci commit system
 +</code>
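Review bot: the optional NTP step hardcodes four IP addresses for `0.` to `3.openwrt.pool.ntp.org` after removing the hostnames with `uci del system.ntp.server`; pool members rotate, so those addresses will in time belong to other hosts and the router is left with fixed, stale time servers instead of the pool. The step also sits oddly beside the removed `Local system` paragraph, which stated that Unbound has a built-in workaround for the unsynchronized-clock deadlock and that no action is required; if that still holds with dnsmasq in front, say so and drop the step, otherwise explain what changed. Second, `sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound` edits the UCI file by text match and does nothing if the option is absent or quoted differently; the rest of the page uses uci, so `uci set unbound.@unbound[0].listen_port='5353'` followed by `uci commit unbound` is the consistent form (the `service unbound restart` already in the block covers the restart). Minor: `uci del system.ntp.server` without `-q` errors when the option is absent (the block uses `uci -q delete` for the dnsmasq server list), and `Here would be just described how to configure unbound with dnsmasq.` needs rewording, e.g. `This chapter only describes how to configure Unbound as the upstream of dnsmasq.`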
  • Last modified: 2024/11/20 13:42
  • by dpawlik