Differences
| docs:guide-user:services:dns:dot_unbound [2020/06/02 23:32] – Update for OpenWrt 19.07 vgaetera | docs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | DNS over TLS is fully supported with UCI and LuCI starting with OpenWrt 19.07. You can manage zone recursion, zone forward, and zone transfer preferences in a form similar to how the firewall pin point rules work. You may forward specific domains to specific DNS servers for example " | + | {{section> |
| - | * [[https:// | + | |
| - | * [[https:// | + | |
| - | + | ||
| - | ====== Older Versions | + | |
| - | {{section> | + | |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| * It relies on [[docs: | * It relies on [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
| {{section> | {{section> | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| [[docs: | [[docs: | ||
| - | Use Unbound to encrypt both LAN client and local system DNS traffic. | + | Install the required packages. |
| - | + | Enable DNS encryption. | |
| - | In case of OpenWrt 19.07. | + | |
| <code bash> | <code bash> | ||
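Review bot: the removed opening paragraph was the only place stating the version floor ("DNS over TLS is fully supported with UCI and LuCI starting with OpenWrt 19.07"), and the new revision replaces it with a section include whose target is cut off here. Since the rewritten command-line instructions further down rely on pre-defined named zone sections (`unbound.fwd_google`, `unbound.fwd_cloudflare`) that the old instructions had to create themselves after `while uci -q delete unbound.@zone[0]`, readers on older package builds will get silent `uci set` failures on a missing section; restate the minimum OpenWrt/unbound package version in the Introduction or in the included section rather than dropping it.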
| Line 28: | Line 22: | ||
| # Enable DNS encryption | # Enable DNS encryption | ||
| - | while uci -q delete unbound.@zone[0]; | + | uci set unbound.fwd_google.enabled=" |
| - | uci set unbound.root=" | + | uci set unbound.fwd_google.fallback=" |
| - | uci set unbound.root.enabled=" | + | |
| - | uci set unbound.root.fallback=" | + | |
| - | uci set unbound.root.zone_type=" | + | |
| - | uci set unbound.root.tls_upstream=" | + | |
| - | uci set unbound.root.tls_index=" | + | |
| - | uci add_list unbound.root.zone_name=" | + | |
| - | uci add_list unbound.root.server=" | + | |
| - | uci add_list unbound.root.server=" | + | |
| - | uci add_list unbound.root.server=" | + | |
| - | uci add_list unbound.root.server=" | + | |
| uci commit unbound | uci commit unbound | ||
| - | / | + | service |
| </ | </ | ||
| - | In case of OpenWrt 18.06 and earlier. | + | LAN clients |
| - | + | ||
| - | <code bash> | + | |
| - | # Install packages | + | |
| - | opkg update | + | |
| - | opkg install unbound ca-bundle | + | |
| - | + | ||
| - | # Enable DNS encryption | + | |
| - | sed -i -e "/ | + | |
| - | cat << EOF >> / | + | |
| - | server: | + | |
| - | tls-cert-bundle: | + | |
| - | forward-zone: | + | |
| - | name: " | + | |
| - | forward-tls-upstream: | + | |
| - | forward-addr: | + | |
| - | forward-addr: | + | |
| - | forward-addr: | + | |
| - | forward-addr: | + | |
| - | EOF | + | |
| - | /etc/init.d/unbound restart | + | |
| - | </ | + | |
| ===== Testing ===== | ===== Testing ===== | ||
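Review bot: `uci set unbound.fwd_google.fallback="` replaces the old explicit `zone_type`, `tls_upstream`, `tls_index` and `server` settings, but its value is cut off in this view and its meaning is not explained; state it explicitly and say what it does, because a fallback to plain (unencrypted) recursion whenever the TLS forward fails quietly defeats the stated goal of encrypting LAN client DNS traffic, and a reader copying the block cannot tell whether that is what they are enabling. The new block also assumes the stock `/etc/config/unbound` with the `fwd_google` section present, whereas the old revision wiped all zones first; a sentence that the named sections must exist (check with `uci show unbound`, as in the Testing section) would help anyone upgrading an in-place config.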
| Line 74: | Line 37: | ||
| <code bash> | <code bash> | ||
| - | # Restart | + | # Restart services |
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 82: | Line 45: | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a unbound | pgrep -f -a unbound | ||
| + | head -v -n -0 / | ||
| # Persistent configuration | # Persistent configuration | ||
| uci show unbound | uci show unbound | ||
| - | grep -v -e " | ||
| </ | </ | ||
| ===== Extras ===== | ===== Extras ===== | ||
| ==== Web interface ==== | ==== Web interface ==== | ||
| - | Install the necessary packages if you want to manage the settings | + | If you want to manage the settings |
| + | Install the necessary packages. | ||
| <code bash> | <code bash> | ||
| Line 96: | Line 60: | ||
| opkg update | opkg update | ||
| opkg install luci-app-unbound | opkg install luci-app-unbound | ||
| + | service rpcd restart | ||
| </ | </ | ||
| - | Navigate to **[[http:// | + | Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound. |
| ==== DoT provider ==== | ==== DoT provider ==== | ||
| - | Unbound | + | Unbound |
| - | You can change it to CloudFlare, another | + | You can change it to Cloudflare DNS or any other [[wp> |
| - | Make sure selected provider supports | + | Use resolvers supporting |
| - | Specify several | + | Specify several |
| - | + | ||
| - | In case of OpenWrt 19.07. | + | |
| + | Change to Cloudflare DNS | ||
| <code bash> | <code bash> | ||
| # Configure DoT provider | # Configure DoT provider | ||
| - | uci set unbound.root.tls_index="cloudflare-dns.com" | + | uci set unbound.fwd_google.enabled="0" |
| - | uci -q delete | + | uci set unbound.fwd_cloudflare.enabled=" |
| - | uci add_list unbound.root.server=" | + | uci set unbound.fwd_cloudflare.fallback=" |
| - | uci add_list unbound.root.server=" | + | |
| - | uci add_list unbound.root.server="1.1.1.1" | + | |
| - | uci add_list | + | |
| uci commit unbound | uci commit unbound | ||
| - | / | + | service |
| </ | </ | ||
| - | In case of OpenWrt 18.06 and earlier. | + | Change to other [[wp> |
| <code bash> | <code bash> | ||
| - | # Configure DoT provider | + | # Configure DoT provider |
| - | sed -i -e "/^[^#]/d" | + | uci set unbound.fwd_google.enabled=" |
| - | cat << EOF >> /etc/unbound/ | + | uci set unbound.fwd_cloudflare.enabled=" |
| - | server: | + | while uci -q del unbound.@zone[4]; |
| - | tls-cert-bundle: | + | uci add unbound zone |
| - | forward-zone: | + | uci set unbound.@zone[-1].enabled="1" |
| - | | + | uci set unbound.@zone[-1].fallback=" |
| - | | + | uci set unbound.@zone[-1].zone_type=" |
| - | | + | uci add_list unbound.@zone[-1].zone_name=" |
| - | forward-addr: | + | uci add_list unbound.@zone[-1].server="1.1.1.3" |
| - | forward-addr: | + | uci add_list unbound.@zone[-1].server=" |
| - | forward-addr: | + | uci add_list unbound.@zone[-1].server=" |
| - | EOF | + | uci add_list unbound.@zone[-1].server=" |
| - | / | + | uci set unbound.@zone[-1].tls_upstream=" |
| + | uci set unbound.@zone[-1].tls_index=" | ||
| + | uci commit unbound | ||
| + | service | ||
| </ | </ | ||
| ==== DNSSEC validation ==== | ==== DNSSEC validation ==== | ||
| Enforce [[wp> | Enforce [[wp> | ||
| - | Beware of performance issues. | + | Beware of fault tolerance and performance issues. |
| <code bash> | <code bash> | ||
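Review bot: the `while uci -q del unbound.@zone[4]; ...` loop in the custom-provider block hard-codes the positional index 4, which assumes the stock config has exactly four zone sections ahead of it, deletes any zone a user added later, and misses the intended zone if the order differs; add the custom forward as a named section instead (`uci set unbound.fwd_custom=zone` followed by the same `uci set unbound.fwd_custom.…` and `uci add_list unbound.fwd_custom.server=…` lines) so the block is idempotent without positional deletes. The `tls_index` value is also cut off; per the old revision it is the hostname Unbound checks the upstream certificate against (`uci set unbound.root.tls_index="cloudflare-dns.com"`), so it must match the chosen provider's certificate name, and leaving it empty means the TLS upstream is encrypted but not authenticated. Finally, the `fallback` value for `fwd_cloudflare` is cut off here as in the earlier block and deserves the same explicit statement.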
| Line 147: | Line 110: | ||
| uci set unbound.@unbound[0].validator=" | uci set unbound.@unbound[0].validator=" | ||
| uci commit unbound | uci commit unbound | ||
| - | / | + | service |
| </ | </ | ||
| - | ==== Local system ==== | ||
| - | Local system uses Unbound as a primary resolver assuming that Dnsmasq is disabled. | ||
| - | Unbound provides a built-in workaround to avoid deadlock state when system time is not synchronized. | ||
| - | No additional action is required by default. | ||
| + | ===== Configure unbound with dnsmasq ===== | ||
| + | Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp> | ||
| + | Here would be just described how to configure unbound with dnsmasq. | ||
| + | |||
| + | === Command-line instructions === | ||
| + | |||
| + | <code bash> | ||
| + | # Change unbound port to 5353, because dnsmasq is running already on port 53 | ||
| + | sed -i " | ||
| + | |||
| + | # configure dnsmasq to forward to localhost 5353 | ||
| + | service dnsmasq stop | ||
| + | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| + | uci set dhcp.@dnsmasq[0].localuse=" | ||
| + | uci set dhcp.@dnsmasq[0].cachesize=' | ||
| + | uci -q delete dhcp.@dnsmasq[0].server | ||
| + | uci add_list dhcp.@dnsmasq[0].server=" | ||
| + | uci commit dhcp | ||
| + | service dnsmasq start | ||
| + | service unbound restart | ||
| + | |||
| + | # Optional - ensure, that the NTP server can work without DNS | ||
| + | uci del system.ntp.server | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci commit system | ||
| + | </ | ||