Differences

docs:guide-user:services:dns:dot_unbound [2020/10/31 17:10] – [Web interface] force relogin to apply changes vgaetera
docs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik
Line 1: Line 1:
-====== DNS over TLS with Unbound ====== +====== DoT with Unbound ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}} +{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
- +
-/* +
-This article is a simple how-to to enable DoT with Unbound. +
-It should work with just copy-paste on the current OpenWrt stable release out of the box for most users. +
-So let's leave advanced zone management, split DNS, manual config edits, etc. outside of the scope of this how-to to minimize the probability of mistakes and simplify the wiki maintenance. +
-The link to the main Unbound article [[docs:guide-user:services:dns:unbound]] is already included in the [[#introduction]] section. +
-*/+
  
 ===== Introduction ===== ===== Introduction =====
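Review bot: removing the maintainer comment drops the only statement of this page's scope (copy-paste on the current stable release, no manual config edits, advanced zone management out of scope) and the pointer to the main Unbound article docs:guide-user:services:dns:unbound. Since the later hunks add a chapter that edits /etc/config/unbound with sed and assumes named zone sections from the packaged defaults, either keep the comment with an updated scope or state the new scope and package requirement in the Introduction so readers know which release the commands target.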
Line 17: Line 10:
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-[[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dhcp_role_with_odhcpd|replacing]] its DHCP role with odhcpd.+[[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd.
  
-Install the packages and configure DNS encryption.+Install the required packages
 +Enable DNS encryption.
  
 <code bash> <code bash>
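Review bot: the split of "Install the packages and configure DNS encryption." into two lines lost the period after "Install the required packages", and the unchanged sentence above still reads as a run-on. Suggest "Disable the Dnsmasq DNS role or remove it completely, optionally replacing its DHCP role with odhcpd." and "Install the required packages and enable DNS encryption." (or keep two lines, each ending in a period).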
Line 28: Line 22:
  
 # Enable DNS encryption # Enable DNS encryption
-while uci -q delete unbound.@zone[0]; do :; done +uci set unbound.fwd_google.enabled="1" 
-uci set unbound.forward="zone" +uci set unbound.fwd_google.fallback="0"
-uci set unbound.forward.enabled="1" +
-uci set unbound.forward.fallback="0+
-uci set unbound.forward.zone_type="forward_zone" +
-uci set unbound.forward.tls_upstream="1" +
-uci set unbound.forward.tls_index="dns.google" +
-uci add_list unbound.forward.zone_name="." +
-uci add_list unbound.forward.server="2001:4860:4860::8888" +
-uci add_list unbound.forward.server="2001:4860:4860::8844" +
-uci add_list unbound.forward.server="8.8.8.8" +
-uci add_list unbound.forward.server="8.8.4.4"+
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
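Review bot: the new lines `uci set unbound.fwd_google.enabled="1"` and `uci set unbound.fwd_google.fallback="0"` assume a named section fwd_google already exists in /etc/config/unbound and already carries the settings the removed lines used to set explicitly (tls_upstream="1", tls_index="dns.google", zone_name="." and the four server addresses). On a config that predates that packaged section, `uci set` on a missing section fails, so nothing is enabled and Unbound keeps resolving in plaintext while the user believes DoT is on. Suggest adding a check such as `uci -q get unbound.fwd_google >/dev/null || { echo "fwd_google zone missing, update unbound-daemon"; exit 1; }` before the two set lines, or keeping the old create-from-scratch sequence as a fallback, and stating the minimum package version in the text. Keeping fallback="0" is the right call: it is what stops Unbound from silently falling back to unencrypted upstreams when the TLS forwarders are unreachable.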
  
Line 54: Line 38:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/unbound restart+service log restart; service unbound restart
  
 # Log and status # Log and status
Line 61: Line 45:
 # Runtime configuration # Runtime configuration
 pgrep -f -a unbound pgrep -f -a unbound
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
Line 68: Line 53:
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage the settings using web interface.+If you want to manage the settings using web interface
 +Install the necessary packages.
  
 <code bash> <code bash>
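Review bot: the split into "If you want to manage the settings using web interface" and "Install the necessary packages." leaves the first line without punctuation and reads as two fragments; suggest "If you want to manage the settings using the web interface, install the necessary packages." on one line.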
Line 74: Line 60:
 opkg update opkg update
 opkg install luci-app-unbound opkg install luci-app-unbound
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Services -> Recursive DNS** to configure Unbound.+Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound.
  
 ==== DoT provider ==== ==== DoT provider ====
 Unbound is configured with Google DNS. Unbound is configured with Google DNS.
-You can change it Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure the provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 +Change to Cloudflare DNS
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
-uci set unbound.forward.tls_index="cloudflare-dns.com+uci set unbound.fwd_google.enabled="0
-uci -q delete unbound.forward.server +uci set unbound.fwd_cloudflare.enabled="1" 
-uci add_list unbound.forward.server="2606:4700:4700::1111" +uci set unbound.fwd_cloudflare.fallback="0"
-uci add_list unbound.forward.server="2606:4700:4700::1001" +
-uci add_list unbound.forward.server="1.1.1.1" +
-uci add_list unbound.forward.server="1.0.0.1"+
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart 
 +</code> 
 + 
 +Change to other [[wp>Public_recursive_name_server|DoT provider]]  
 +<code bash> 
 +# Configure DoT provider (example: "Cloudflare Family Protection"
 +uci set unbound.fwd_google.enabled="0" 
 +uci set unbound.fwd_cloudflare.enabled="0" 
 +while uci -q del unbound.@zone[4]; do :; done 
 +uci add unbound zone 
 +uci set unbound.@zone[-1].enabled="1" 
 +uci set unbound.@zone[-1].fallback="0" 
 +uci set unbound.@zone[-1].zone_type="forward_zone" 
 +uci add_list unbound.@zone[-1].zone_name="." 
 +uci add_list unbound.@zone[-1].server="1.1.1.3" 
 +uci add_list unbound.@zone[-1].server="1.0.0.3" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1113" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1003" 
 +uci set unbound.@zone[-1].tls_upstream="1" 
 +uci set unbound.@zone[-1].tls_index="family.cloudflare-dns.com" 
 +uci commit unbound 
 +service unbound restart
 </code> </code>
  
 ==== DNSSEC validation ==== ==== DNSSEC validation ====
 Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
-Beware of performance issues.+Beware of fault tolerance and performance issues.
  
 <code bash> <code bash>
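Review bot: in the "Change to other DoT provider" block, `while uci -q del unbound.@zone[4]; do :; done` hardcodes the number of zone sections shipped in the default config. The @zone[] index counts named sections such as fwd_google and fwd_cloudflare too, so on a config with fewer shipped zones the loop deletes one of them, and on a config where the user already ran this block once it keeps the earlier custom zone, leaving two forward zones for "." with different tls_index values. Suggest giving the custom zone a name so the step is idempotent, e.g. `uci -q delete unbound.fwd_custom` followed by `uci set unbound.fwd_custom=zone` and then the `unbound.fwd_custom.*` settings, the way the removed revision rebuilt `unbound.forward`. Two smaller points in the same hunk: the comment `# Configure DoT provider (example: "Cloudflare Family Protection"` is missing its closing parenthesis, and the text line "Use resolvers supporting DNSSEC validation if necessary" should say what is necessary for (validation is not done locally unless the next section is applied), so readers understand why the provider's DNSSEC support matters.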
Line 105: Line 110:
 uci set unbound.@unbound[0].validator="1" uci set unbound.@unbound[0].validator="1"
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
 +
 +===== Configure unbound with dnsmasq =====
 +Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp>Public_recursive_name_server|DoT provider]] were described earlier.
 +Here would be just described how to configure unbound with dnsmasq.
 +
 +=== Command-line instructions ===
 + 
 +<code bash>
 +# Change unbound port to 5353, because dnsmasq is running already on port 53
 +sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound
 +
 +# configure dnsmasq to forward to localhost 5353
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 +uci -q delete dhcp.@dnsmasq[0].server
 +uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5353"
 +uci commit dhcp
 +service dnsmasq start
 +service unbound restart
 +
 +# Optional - ensure, that the NTP server can work without DNS
 +uci del system.ntp.server
 +uci add_list system.ntp.server='194.177.4.1'    # 0.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='213.222.217.11' # 1.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='80.50.102.114'  # 2.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='193.219.28.60'  # 3.openwrt.pool.ntp.org
 +uci commit system
 +</code>
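Review bot: the new chapter says "How to install ... were described earlier", but the Command-line instructions begin by disabling the Dnsmasq DNS role; a reader who followed them has dnsmasq no longer serving DNS on port 53, so the `dhcp.@dnsmasq[0].server="127.0.0.1#5353"` forwarding set here is never used. The chapter should state that the "Disable Dnsmasq DNS role" step must be skipped or reverted for this setup, and the grammar of "Here would be just described how to configure unbound with dnsmasq." needs fixing ("This section describes how to configure Unbound with dnsmasq."). Further points: `sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound` silently does nothing if the option is absent or quoted differently, while `uci set unbound.@unbound[0].listen_port="5353"` works in every case and matches the rest of the page; 5353 is also the mDNS port, so a note about conflicts with umdns or avahi would help. The NTP step replaces the pool hostnames with four pinned addresses labelled as pool members; pool addresses rotate, so either keep the `*.openwrt.pool.ntp.org` entries alongside the addresses or state that the addresses have to be refreshed. Finally, the hunk mixes `uci del` and `uci -q delete`; pick one form.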
  • Last modified: 2024/11/20 13:42
  • by dpawlik