Differences
| docs:guide-user:services:dns:dot_unbound [2020/06/15 20:37] – headers corrected vgaetera | docs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | DNS over TLS is fully supported with Unbound configuration helpers in UCI and LuCI. **You should be able to find it all in the README.** You can manage zone recursion, zone forward, and zone transfer preferences. These are present in a form similar to how the firewall pin point rules work. You may forward specific domains to specific DNS servers with or without TLS. This may be useful where you need location specific resolution for ISP colocated services such as is often done by Google (www.youtube.com by 8.8.8.8), but wish to have a private DNS like CloudFlare (1.1.1.1) mask location while resolving general look-ups. | + | {{section> |
| - | * [[https:// | + | |
| - | * [[https:// | + | |
| - | + | ||
| - | ===== Command-line interface | + | |
| - | {{section> | + | |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| * It relies on [[docs: | * It relies on [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
| {{section> | {{section> | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| [[docs: | [[docs: | ||
| - | Install the packages | + | Install the required |
| + | Enable | ||
| <code bash> | <code bash> | ||
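Review bot: replacing the introductory paragraph at the top of this hunk with a `{{section>` include removes the only in-page explanation of what the forward-zone mechanism is for (forwarding specific domains to specific servers, with or without TLS, while a privacy-oriented resolver handles general lookups) and the pointer to the package README. If the included section does not carry that text, keep one sentence of it here; otherwise the renamed "Command-line instructions" section presents commands with no statement of the trade-off they implement (location-specific resolution for some domains versus masking location for the rest). The new "Install the required ..." / "Enable ..." split should also name the packages it requires rather than leaving that to the code block.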
| Line 26: | Line 22: | ||
| # Enable DNS encryption | # Enable DNS encryption | ||
| - | while uci -q delete unbound.@zone[0]; | + | uci set unbound.fwd_google.enabled=" |
| - | uci set unbound.forward=" | + | uci set unbound.fwd_google.fallback=" |
| - | uci set unbound.forward.enabled=" | + | |
| - | uci set unbound.forward.fallback=" | + | |
| - | uci set unbound.forward.zone_type=" | + | |
| - | uci set unbound.forward.tls_upstream=" | + | |
| - | uci set unbound.forward.tls_index=" | + | |
| - | uci add_list unbound.forward.zone_name=" | + | |
| - | uci add_list unbound.forward.server=" | + | |
| - | uci add_list unbound.forward.server=" | + | |
| - | uci add_list unbound.forward.server=" | + | |
| - | uci add_list unbound.forward.server=" | + | |
| uci commit unbound | uci commit unbound | ||
| - | / | + | service |
| </ | </ | ||
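Review bot: the new version sets only `unbound.fwd_google.enabled` and `unbound.fwd_google.fallback` and no longer sets `zone_type`, `tls_upstream`, `tls_index`, `zone_name` or the `server` list, so it depends on a `fwd_google` zone section already existing in the package's default `/etc/config/unbound` with those values filled in. On an install whose defaults lack that section `uci set` on an undefined section fails and nothing is forwarded over TLS; state the minimum package version this assumes or guard with `uci -q get unbound.fwd_google`. The old `while uci -q delete unbound.@zone[0]; ...` loop also removed every other zone before creating the forward; without an equivalent step, any previously configured plaintext zone stays active alongside `fwd_google`. Finally, the value assigned to `fallback` is what decides whether Unbound quietly continues with its own recursion when the TLS forwarders are unreachable, so the text should say which value it sets and why.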
| Line 51: | Line 37: | ||
| <code bash> | <code bash> | ||
| - | # Restart | + | # Restart services |
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 59: | Line 45: | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a unbound | pgrep -f -a unbound | ||
| + | head -v -n -0 / | ||
| # Persistent configuration | # Persistent configuration | ||
| Line 66: | Line 53: | ||
| ===== Extras ===== | ===== Extras ===== | ||
| ==== Web interface ==== | ==== Web interface ==== | ||
| - | Install the necessary packages if you want to manage the settings | + | If you want to manage the settings |
| + | Install the necessary packages. | ||
| <code bash> | <code bash> | ||
| Line 72: | Line 60: | ||
| opkg update | opkg update | ||
| opkg install luci-app-unbound | opkg install luci-app-unbound | ||
| + | service rpcd restart | ||
| </ | </ | ||
| - | Navigate to **[[http:// | + | Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound. |
| ==== DoT provider ==== | ==== DoT provider ==== | ||
| - | Unbound | + | Unbound |
| - | You can change it Cloudflare DNS or any other [[wp> | + | You can change it to Cloudflare DNS or any other [[wp> |
| - | Make sure the provider supports | + | Use resolvers supporting |
| - | Specify several | + | Specify several |
| + | Change to Cloudflare DNS | ||
| <code bash> | <code bash> | ||
| # Configure DoT provider | # Configure DoT provider | ||
| - | uci set unbound.forward.tls_index="one.one.one.one" | + | uci set unbound.fwd_google.enabled="0" |
| - | uci -q delete | + | uci set unbound.fwd_cloudflare.enabled=" |
| - | uci add_list unbound.forward.server=" | + | uci set unbound.fwd_cloudflare.fallback=" |
| - | uci add_list unbound.forward.server=" | + | |
| - | uci add_list unbound.forward.server="1.1.1.1" | + | |
| - | uci add_list | + | |
| uci commit unbound | uci commit unbound | ||
| - | /etc/init.d/unbound restart | + | service unbound restart |
| + | </code> | ||
| + | |||
| + | Change to other [[wp> | ||
| + | <code bash> | ||
| + | # Configure DoT provider (example: " | ||
| + | uci set unbound.fwd_google.enabled=" | ||
| + | uci set unbound.fwd_cloudflare.enabled=" | ||
| + | while uci -q del unbound.@zone[4]; | ||
| + | uci add unbound zone | ||
| + | uci set unbound.@zone[-1].enabled=" | ||
| + | uci set unbound.@zone[-1].fallback=" | ||
| + | uci set unbound.@zone[-1].zone_type=" | ||
| + | uci add_list unbound.@zone[-1].zone_name=" | ||
| + | uci add_list unbound.@zone[-1].server=" | ||
| + | uci add_list unbound.@zone[-1].server=" | ||
| + | uci add_list unbound.@zone[-1].server=" | ||
| + | uci add_list unbound.@zone[-1].server=" | ||
| + | uci set unbound.@zone[-1].tls_upstream=" | ||
| + | uci set unbound.@zone[-1].tls_index=" | ||
| + | uci commit unbound | ||
| + | service | ||
| </ | </ | ||
| ==== DNSSEC validation ==== | ==== DNSSEC validation ==== | ||
| Enforce [[wp> | Enforce [[wp> | ||
| - | Beware of performance issues. | + | Beware of fault tolerance and performance issues. |
| <code bash> | <code bash> | ||
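Review bot: in the "Change to other ..." block, `while uci -q del unbound.@zone[4]; ...` hardcodes the assumption that the default config ships exactly four zone sections (indices 0 to 3), so that everything from index 4 onward is a previously added custom provider. If the defaults ship a different number, the loop either deletes a packaged zone or leaves an earlier custom zone in place, and because `uci add unbound zone` appends a new anonymous section on every run the block is not idempotent. Prefer a named section, e.g. `uci set unbound.fwd_custom=zone` followed by `uci set unbound.fwd_custom.enabled="1"`, which can be re-run and removed by name. The Cloudflare block only flips `fwd_cloudflare.enabled` and `.fallback`; add a sentence that the packaged `fwd_cloudflare` section is expected to already carry `tls_upstream` and `tls_index`, since enabling a zone without them forwards in plaintext. The added `service rpcd restart` after installing luci-app-unbound is the right fix for the new LuCI menu not appearing.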
| Line 102: | Line 110: | ||
| uci set unbound.@unbound[0].validator=" | uci set unbound.@unbound[0].validator=" | ||
| uci commit unbound | uci commit unbound | ||
| - | / | + | service |
| </ | </ | ||
| + | |||
| + | ===== Configure unbound with dnsmasq ===== | ||
| + | Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp> | ||
| + | Here would be just described how to configure unbound with dnsmasq. | ||
| + | |||
| + | === Command-line instructions === | ||
| + | |||
| + | <code bash> | ||
| + | # Change unbound port to 5353, because dnsmasq is running already on port 53 | ||
| + | sed -i " | ||
| + | |||
| + | # configure dnsmasq to forward to localhost 5353 | ||
| + | service dnsmasq stop | ||
| + | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| + | uci set dhcp.@dnsmasq[0].localuse=" | ||
| + | uci set dhcp.@dnsmasq[0].cachesize=' | ||
| + | uci -q delete dhcp.@dnsmasq[0].server | ||
| + | uci add_list dhcp.@dnsmasq[0].server=" | ||
| + | uci commit dhcp | ||
| + | service dnsmasq start | ||
| + | service unbound restart | ||
| + | |||
| + | # Optional - ensure, that the NTP server can work without DNS | ||
| + | uci del system.ntp.server | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci add_list system.ntp.server=' | ||
| + | uci commit system | ||
| + | </ | ||
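Review bot: the new dnsmasq chapter changes the Unbound listen port with `sed -i "..."` while every other step on the page goes through UCI; use the UCI option instead (`uci set unbound.@unbound[0].listen_port="5353"`, the option name used in the package's default config) so the change is visible in `uci show unbound` and survives the package's config handling. Ordering: dnsmasq is committed and started pointing at Unbound on port 5353 before `service unbound restart` applies the port change, leaving a window in which forwarding fails; restart Unbound first, and replace the `service dnsmasq stop` / `start` pair around the `uci` edits with a single `service dnsmasq restart` after `uci commit dhcp`, since editing UCI does not require the daemon to be stopped. `uci del system.ntp.server` without `-q` fails when the list is absent and aborts a script run under `set -e`; use `uci -q delete`. Replacing the NTP pool hostnames with literal addresses does solve the DNS/NTP bootstrap problem the comment describes, but note that fixed server IPs go stale and should be revisited. State the `localuse` and `cachesize` values chosen and why; with Unbound caching behind dnsmasq, caching in both layers is usually not wanted. Style: `=== Command-line instructions ===` is one level below the `====` headings used by the other subsections on this page, and "How to install and how to change the ... Here would be just described how to configure unbound with dnsmasq." should read "Installing Unbound and changing the ... are described above; this section covers only configuring dnsmasq to forward to Unbound."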