Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:dot_unbound [2020/06/13 22:07] – Encourage users to first use the package README for latest official releases ericluehrsen
docs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik
Line 1: Line 1:
-====== DNS over TLS with Unbound ====== +====== DoT with Unbound ====== 
-DNS over TLS is fully supported with Unbound configuration helpers in UCI and LuCI. **You should be able to find it all in the README.** You can manage zone recursion, zone forward, and zone transfer preferences. These are present in a form similar to how the firewall pin point rules work. You may forward specific domains to specific DNS servers with or without TLS. This may be useful where you need location specific resolution for ISP colocated services such as is often done by Google (www.youtube.com by 8.8.8.8), but wish to have a private DNS like CloudFlare (1.1.1.1) mask location while resolving general look-ups. +{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
-  * [[https://github.com/openwrt/packages/tree/openwrt-19.07/net/unbound/files/README.md|README for Unbound 1.10.1 @ OpenWrt 19.07]] +
-  * [[https://github.com/openwrt/packages/tree/master/net/unbound/files/README.md|README for Unbound @ OpenWrt Snapshot]] +
- +
-====== Older Versions ====== +
-If you are using OpenWrt 18.06 or LEDE 17.01 as your base for custom builds, then the following may be useful.+
  
 ===== Introduction ===== ===== Introduction =====
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}} 
   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.
   * It relies on [[docs:guide-user:services:dns:unbound|Unbound]] for performance and fault tolerance.   * It relies on [[docs:guide-user:services:dns:unbound|Unbound]] for performance and fault tolerance.
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions =====+===== Command-line instructions =====
 [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd. [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd.
  
-Use Unbound to encrypt both LAN client and local system DNS traffic+Install the required packages
- +Enable DNS encryption.
-In case of OpenWrt 19.07.+
  
 <code bash> <code bash>
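Review bot: the new lead-in at the end of this hunk, `+Install the required packages` followed by `+Enable DNS encryption.`, reads as two separate headings for a single code block; suggest one sentence, "Install the required packages and enable DNS encryption." Dropping the README bullets and the paragraph on per-domain forwarding also removes the only pointer to where the zone options used later in the page (enabled, fallback, tls_upstream, tls_index) are documented, so the snapshot README link is worth keeping under Introduction. The replaced bullet now points only at DNS hijacking; intercepting DNS is a sensible companion to this setup, since LAN clients that ignore the advertised resolver are otherwise not covered by the DoT forwarder, but the previous link to the other DNS encryption methods should stay beside it rather than be removed.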
Line 29: Line 22:
  
 # Enable DNS encryption # Enable DNS encryption
-while uci -q delete unbound.@zone[0]; do :; done +uci set unbound.fwd_google.enabled="1" 
-uci set unbound.forward="zone" +uci set unbound.fwd_google.fallback="0"
-uci set unbound.forward.enabled="1" +
-uci set unbound.forward.fallback="0+
-uci set unbound.forward.zone_type="forward_zone" +
-uci set unbound.forward.tls_upstream="1" +
-uci set unbound.forward.tls_index="dns.google" +
-uci add_list unbound.forward.zone_name="." +
-uci add_list unbound.forward.server="2001:4860:4860::8888" +
-uci add_list unbound.forward.server="2001:4860:4860::8844" +
-uci add_list unbound.forward.server="8.8.8.8" +
-uci add_list unbound.forward.server="8.8.4.4"+
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
-In case of OpenWrt 18.06 and earlier. +LAN clients and local system should use Unbound as a primary resolver assuming that Dnsmasq is disabled.
- +
-<code bash> +
-# Install packages +
-opkg update +
-opkg install unbound ca-bundle +
- +
-# Enable DNS encryption +
-sed -i -e "/^[^#]/d" /etc/unbound/unbound_ext.conf +
-cat << EOF >> /etc/unbound/unbound_ext.conf +
-server: +
-    tls-cert-bundle: "/etc/ssl/cert.pem" +
-forward-zone: +
-    name: "." +
-    forward-tls-upstream: yes +
-    forward-addr: 2001:4860:4860::8888@853#dns.google +
-    forward-addr: 2001:4860:4860::8844@853#dns.google +
-    forward-addr: 8.8.8.8@853#dns.google +
-    forward-addr: 8.8.4.4@853#dns.google +
-EOF +
-/etc/init.d/unbound restart +
-</code>+
  
 ===== Testing ===== ===== Testing =====
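Review bot: the new `uci set unbound.fwd_google.enabled="1"` and `fallback="0"` lines assume a named zone section `fwd_google` already exists in /etc/config/unbound, whereas the removed lines created the `forward` zone themselves; on a config where that section is absent the `uci set` fails and nothing is forwarded over TLS, so the hunk should state that the section ships with the current package defaults, or show `uci show unbound.fwd_google` as a check before enabling it. Keeping `fallback="0"` is the right call and deserves a sentence: it stops Unbound from quietly reverting to plain recursion when the TLS forwarders are unreachable, which is the failure mode a reader choosing DoT most wants to avoid. The removed 18.06 block was also the only place the page showed `ca-bundle` being installed and `tls-cert-bundle` being set; a sentence noting that the UCI helpers handle certificate verification for the forwarders would keep readers from assuming validation was dropped along with the manual config.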
Line 75: Line 37:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/unbound restart+service log restart; service unbound restart
  
 # Log and status # Log and status
Line 83: Line 45:
 # Runtime configuration # Runtime configuration
 pgrep -f -a unbound pgrep -f -a unbound
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
 uci show unbound uci show unbound
-grep -v -e "^#" -e "^$" /etc/unbound/unbound_ext.conf 
 </code> </code>
  
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage the settings via web interface.+If you want to manage the settings using web interface
 +Install the necessary packages.
  
 <code bash> <code bash>
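Review bot: the split lead-in `+If you want to manage the settings using web interface` / `+Install the necessary packages.` leaves the first line as a fragment without a verb or period; suggest one sentence, "If you want to manage the settings using the web interface, install the necessary packages." The added `head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*` line is a useful addition to the runtime checks, since it lets the reader confirm the claim made earlier on the page that the local system now uses Unbound as its primary resolver once Dnsmasq is disabled.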
Line 97: Line 60:
 opkg update opkg update
 opkg install luci-app-unbound opkg install luci-app-unbound
 +service rpcd restart
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Services -> Recursive DNS** to configure Unbound.+Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound.
  
 ==== DoT provider ==== ==== DoT provider ====
-Unbound was configured with Google DNS above+Unbound is configured with Google DNS. 
-You can change it to CloudFlare, another [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance+Specify several resolvers to improve fault tolerance.
- +
-In case of OpenWrt 19.07.+
  
 +Change to Cloudflare DNS
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
-uci set unbound.forward.tls_index="one.one.one.one+uci set unbound.fwd_google.enabled="0
-uci -q delete unbound.forward.server +uci set unbound.fwd_cloudflare.enabled="1" 
-uci add_list unbound.forward.server="2606:4700:4700::1111" +uci set unbound.fwd_cloudflare.fallback="0"
-uci add_list unbound.forward.server="2606:4700:4700::1001" +
-uci add_list unbound.forward.server="1.1.1.1" +
-uci add_list unbound.forward.server="1.0.0.1"+
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
-In case of OpenWrt 18.06 and earlier. +Change to other [[wp>Public_recursive_name_server|DoT provider]] 
 <code bash> <code bash>
-# Configure DoT provider +# Configure DoT provider (example: "Cloudflare Family Protection"
-sed -i -e "/^[^#]/d/etc/unbound/unbound_ext.conf +uci set unbound.fwd_google.enabled="0" 
-cat << EOF >> /etc/unbound/unbound_ext.conf +uci set unbound.fwd_cloudflare.enabled="0" 
-server+while uci -q del unbound.@zone[4]; do :; done 
-    tls-cert-bundle: "/etc/ssl/cert.pem+uci add unbound zone 
-forward-zone: +uci set unbound.@zone[-1].enabled="1" 
-    name: "." +uci set unbound.@zone[-1].fallback="0
-    forward-tls-upstream: yes +uci set unbound.@zone[-1].zone_type="forward_zone" 
-    forward-addr: 2606:4700:4700::1111@853#one.one.one.one +uci add_list unbound.@zone[-1].zone_name="." 
-    forward-addr: 2606:4700:4700::1001@853#one.one.one.one +uci add_list unbound.@zone[-1].server="1.1.1.3
-    forward-addr: 1.1.1.1@853#one.one.one.one +uci add_list unbound.@zone[-1].server="1.0.0.3" 
-    forward-addr: 1.0.0.1@853#one.one.one.one +uci add_list unbound.@zone[-1].server="2606:4700:4700::1113" 
-EOF +uci add_list unbound.@zone[-1].server="2606:4700:4700::1003" 
-/etc/init.d/unbound restart+uci set unbound.@zone[-1].tls_upstream="1
 +uci set unbound.@zone[-1].tls_index="family.cloudflare-dns.com" 
 +uci commit unbound 
 +service unbound restart
 </code> </code>
  
 ==== DNSSEC validation ==== ==== DNSSEC validation ====
 Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
-Beware of performance issues.+Beware of fault tolerance and performance issues.
  
 <code bash> <code bash>
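Review bot: the custom-provider block deletes zones by position, `while uci -q del unbound.@zone[4]; do :; done`, which assumes the shipped config has exactly four zone sections ahead of the user's; if the defaults differ, the loop either removes a shipped zone or leaves stale user zones enabled alongside the new one. Suggest a named section, as the earlier revision did with `uci set unbound.forward="zone"`, e.g. `uci set unbound.fwd_custom="zone"` (hypothetical name), so the block is idempotent and has the same kind of enable/disable switch as the `fwd_google`/`fwd_cloudflare` toggles in the Cloudflare example. Also, the comment `# Configure DoT provider (example: "Cloudflare Family Protection"` is missing its closing parenthesis, and `tls_index` deserves one sentence saying it is the name the forwarder's certificate is checked against (it is what became the `#one.one.one.one` suffix of the removed forward-addr lines), so it must match the provider's hostname and should not be left empty.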
Line 148: Line 110:
 uci set unbound.@unbound[0].validator="1" uci set unbound.@unbound[0].validator="1"
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
-==== Local system ==== 
-Local system uses Unbound as a primary resolver assuming that Dnsmasq is disabled. 
-Unbound provides a built-in workaround to avoid deadlock state when system time is not synchronized. 
-No additional action is required by default. 
  
 +===== Configure unbound with dnsmasq =====
 +Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp>Public_recursive_name_server|DoT provider]] were described earlier.
 +Here would be just described how to configure unbound with dnsmasq.
 +
 +=== Command-line instructions ===
 + 
 +<code bash>
 +# Change unbound port to 5353, because dnsmasq is running already on port 53
 +sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound
 +
 +# configure dnsmasq to forward to localhost 5353
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 +uci -q delete dhcp.@dnsmasq[0].server
 +uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5353"
 +uci commit dhcp
 +service dnsmasq start
 +service unbound restart
 +
 +# Optional - ensure, that the NTP server can work without DNS
 +uci del system.ntp.server
 +uci add_list system.ntp.server='194.177.4.1'    # 0.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='213.222.217.11' # 1.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='80.50.102.114'  # 2.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='193.219.28.60'  # 3.openwrt.pool.ntp.org
 +uci commit system
 +</code>
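Review bot: `sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound` edits the UCI file with a literal pattern and silently does nothing if the option is absent or quoted differently; since the DNSSEC block above already addresses the same section as `unbound.@unbound[0]`, use `uci set unbound.@unbound[0].listen_port="5353"` followed by `uci commit unbound` instead. The removed "Local system" paragraph was the only explanation of the time-sync deadlock that the final NTP step works around (TLS and DNSSEC validation need a correct clock, and the clock cannot be set while NTP names cannot be resolved), so a sentence to that effect should survive in the new chapter; the literal addresses commented as `0.openwrt.pool.ntp.org` and so on are pool members that rotate and will go stale, so label them as examples to be replaced with a fixed-address server of the reader's choosing. Minor: "Here would be just described how to configure unbound with dnsmasq." should read "This chapter only describes how to configure Unbound with dnsmasq.", and `cachesize='0'` mixes single quotes with the double quotes used elsewhere in the block.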
  • Last modified: 2024/11/20 13:42
  • by dpawlik