Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:dns:dot_unbound [2020/06/13 22:07] – Encourage users to first use the package README for latest official releases ericluehrsen | docs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | DNS over TLS is fully supported with Unbound configuration helpers in UCI and LuCI. **You should be able to find it all in the README.** You can manage zone recursion, zone forward, and zone transfer preferences. These are present in a form similar to how the firewall pin point rules work. You may forward specific domains to specific DNS servers with or without TLS. This may be useful where you need location specific resolution for ISP colocated services such as is often done by Google (www.youtube.com by 8.8.8.8), but wish to have a private DNS like CloudFlare (1.1.1.1) mask location while resolving general look-ups. | + | {{section> |
| - | * [[https:// | + | |
| - | * [[https:// | + | |
| - | + | ||
| - | ====== Older Versions ====== | + | |
| - | If you are using OpenWrt 18.06 or LEDE 17.01 as your base for custom builds, then the following may be useful. | + | |
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | {{section> | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| * It relies on [[docs: | * It relies on [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
| {{section> | {{section> | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| [[docs: | [[docs: | ||
| - | Use Unbound to encrypt both LAN client and local system DNS traffic. | + | Install the required packages. |
| - | + | Enable DNS encryption. | |
| - | In case of OpenWrt 19.07. | + | |
| <code bash> | <code bash> | ||
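Review bot: the rewritten introduction drops the sentence that stated what the procedure achieves ("Use Unbound to encrypt both LAN client and local system DNS traffic.") and the release qualifier ("In case of OpenWrt 19.07.") in favour of the bare step labels "Install the required packages." and "Enable DNS encryption.", while the commands that follow now rely on a pre-existing named section `unbound.fwd_google` instead of creating the forward zone themselves. Because the "Older Versions" material for OpenWrt 18.06 and LEDE 17.01 is removed in the same change, please state which OpenWrt release ships that named zone in the default unbound UCI config, so that readers whose config lacks it understand that these `uci set` lines do not create it.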
| Line 29: | Line 22: | ||
| # Enable DNS encryption | # Enable DNS encryption | ||
| - | while uci -q delete unbound.@zone[0]; | + | uci set unbound.fwd_google.enabled=" |
| - | uci set unbound.forward=" | + | uci set unbound.fwd_google.fallback=" |
| - | uci set unbound.forward.enabled=" | + | |
| - | uci set unbound.forward.fallback=" | + | |
| - | uci set unbound.forward.zone_type=" | + | |
| - | uci set unbound.forward.tls_upstream=" | + | |
| - | uci set unbound.forward.tls_index=" | + | |
| - | uci add_list unbound.forward.zone_name=" | + | |
| - | uci add_list unbound.forward.server=" | + | |
| - | uci add_list unbound.forward.server=" | + | |
| - | uci add_list unbound.forward.server=" | + | |
| - | uci add_list unbound.forward.server=" | + | |
| uci commit unbound | uci commit unbound | ||
| - | / | + | service |
| </ | </ | ||
| - | In case of OpenWrt 18.06 and earlier. | + | LAN clients |
| - | + | ||
| - | <code bash> | + | |
| - | # Install packages | + | |
| - | opkg update | + | |
| - | opkg install unbound ca-bundle | + | |
| - | + | ||
| - | # Enable DNS encryption | + | |
| - | sed -i -e "/ | + | |
| - | cat << EOF >> / | + | |
| - | server: | + | |
| - | tls-cert-bundle: | + | |
| - | forward-zone: | + | |
| - | name: " | + | |
| - | forward-tls-upstream: | + | |
| - | forward-addr: | + | |
| - | forward-addr: | + | |
| - | forward-addr: | + | |
| - | forward-addr: | + | |
| - | EOF | + | |
| - | /etc/init.d/unbound restart | + | |
| - | </ | + | |
| ===== Testing ===== | ===== Testing ===== | ||
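Review bot: `unbound.fwd_google.fallback` is set without any explanation of what the option does; if it lets Unbound fall back to plain recursion when the TLS forwarders are unreachable, that trade-off against the encryption goal of the page should be stated next to the command, since a reader cannot otherwise tell whether queries can ever leave the router unencrypted. Also note that the removed `while uci -q delete unbound.@zone[0]; ...` loop wiped every existing zone section before creating the forward, whereas the new version only toggles `fwd_google`, so any other zone already enabled in the config stays active; a sentence saying that the remaining forward zones are expected to be disabled would make the resulting behaviour deterministic.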
| Line 75: | Line 37: | ||
| <code bash> | <code bash> | ||
| - | # Restart | + | # Restart services |
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 83: | Line 45: | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a unbound | pgrep -f -a unbound | ||
| + | head -v -n -0 / | ||
| # Persistent configuration | # Persistent configuration | ||
| uci show unbound | uci show unbound | ||
| - | grep -v -e " | ||
| </ | </ | ||
| ===== Extras ===== | ===== Extras ===== | ||
| ==== Web interface ==== | ==== Web interface ==== | ||
| - | Install the necessary packages if you want to manage the settings | + | If you want to manage the settings |
| + | Install the necessary packages. | ||
| <code bash> | <code bash> | ||
| Line 97: | Line 60: | ||
| opkg update | opkg update | ||
| opkg install luci-app-unbound | opkg install luci-app-unbound | ||
| + | service rpcd restart | ||
| </ | </ | ||
| - | Navigate to **[[http:// | + | Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound. |
| ==== DoT provider ==== | ==== DoT provider ==== | ||
| - | Unbound | + | Unbound |
| - | You can change it to CloudFlare, another | + | You can change it to Cloudflare DNS or any other [[wp> |
| - | Make sure selected provider supports | + | Use resolvers supporting |
| - | Specify several | + | Specify several |
| - | + | ||
| - | In case of OpenWrt 19.07. | + | |
| + | Change to Cloudflare DNS | ||
| <code bash> | <code bash> | ||
| # Configure DoT provider | # Configure DoT provider | ||
| - | uci set unbound.forward.tls_index="one.one.one.one" | + | uci set unbound.fwd_google.enabled="0" |
| - | uci -q delete | + | uci set unbound.fwd_cloudflare.enabled=" |
| - | uci add_list unbound.forward.server=" | + | uci set unbound.fwd_cloudflare.fallback=" |
| - | uci add_list unbound.forward.server=" | + | |
| - | uci add_list unbound.forward.server="1.1.1.1" | + | |
| - | uci add_list | + | |
| uci commit unbound | uci commit unbound | ||
| - | / | + | service |
| </ | </ | ||
| - | In case of OpenWrt 18.06 and earlier. | + | Change to other [[wp> |
| <code bash> | <code bash> | ||
| - | # Configure DoT provider | + | # Configure DoT provider |
| - | sed -i -e "/^[^#]/d" | + | uci set unbound.fwd_google.enabled=" |
| - | cat << EOF >> /etc/unbound/ | + | uci set unbound.fwd_cloudflare.enabled=" |
| - | server: | + | while uci -q del unbound.@zone[4]; |
| - | tls-cert-bundle: | + | uci add unbound zone |
| - | forward-zone: | + | uci set unbound.@zone[-1].enabled="1" |
| - | | + | uci set unbound.@zone[-1].fallback=" |
| - | | + | uci set unbound.@zone[-1].zone_type=" |
| - | | + | uci add_list unbound.@zone[-1].zone_name=" |
| - | | + | uci add_list unbound.@zone[-1].server="1.1.1.3" |
| - | | + | uci add_list unbound.@zone[-1].server=" |
| - | forward-addr: 1.0.0.1@853# | + | uci add_list unbound.@zone[-1].server=" |
| - | EOF | + | uci add_list unbound.@zone[-1].server=" |
| - | / | + | uci set unbound.@zone[-1].tls_upstream=" |
| + | uci set unbound.@zone[-1].tls_index=" | ||
| + | uci commit unbound | ||
| + | service | ||
| </ | </ | ||
| ==== DNSSEC validation ==== | ==== DNSSEC validation ==== | ||
| Enforce [[wp> | Enforce [[wp> | ||
| - | Beware of performance issues. | + | Beware of fault tolerance and performance issues. |
| <code bash> | <code bash> | ||
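Review bot: the `while uci -q del unbound.@zone[4]; ...` loop in the "other provider" block deletes every zone section from index 4 onwards until none is left, which assumes exactly four sections precede it in the default config and silently removes any zone a user has added; creating a named section instead (for example `uci set unbound.fwd_custom=zone`, with `fwd_custom` as a hypothetical name) and setting its options would be idempotent and leave other zones untouched. In the same block `1.1.1.3` sits in the Cloudflare 1.1.1.x range already used for the Cloudflare zone above, so it is a confusing sample address in a section about switching away from Cloudflare; an obviously marked placeholder would stop readers from keeping it unchanged. The `service rpcd restart` added after `opkg install luci-app-unbound` is a correct addition, since LuCI only picks up the new app after rpcd reloads.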
| Line 148: | Line 110: | ||
| uci set unbound.@unbound[0].validator=" | uci set unbound.@unbound[0].validator=" | ||
| uci commit unbound | uci commit unbound | ||
| - | / | + | service |
| </ | </ | ||
| - | ==== Local system ==== | ||
| - | Local system uses Unbound as a primary resolver assuming that Dnsmasq is disabled. | ||
| - | Unbound provides a built-in workaround to avoid deadlock state when system time is not synchronized. | ||
| - | No additional action is required by default. | ||
| + | ===== Configure unbound with dnsmasq ===== | ||
| + | Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp> | ||
| + | Here would be just described how to configure unbound with dnsmasq. | ||
| + | |||
| + | === Command-line instructions === | ||
| + | |||
| + | <code bash> | ||
| + | # Change unbound port to 5353, because dnsmasq is running already on port 53 | ||
| + | sed -i " | ||
| + | |||
| + | # configure dnsmasq to forward to localhost 5353 | ||
| + | service dnsmasq stop | ||
| + | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| + | uci set dhcp.@dnsmasq[0].localuse=" | ||
| + | uci set dhcp.@dnsmasq[0].cachesize=' | ||
| + | uci -q delete dhcp.@dnsmasq[0].server | ||
| + | uci add_list dhcp.@dnsmasq[0].server=" | ||
| + | uci commit dhcp | ||
| + | service dnsmasq start | ||
| + | service unbound restart | ||
| + | |||
| + | # Optional - ensure, that the NTP server can work without DNS | ||
| + | uci del system.ntp.server | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci commit system | ||
| + | </ | ||