Differences

This shows you the differences between two versions of the page.

Old: docs:guide-user:services:dns:dot_unbound [2021/03/04 14:06] – [DoT provider] optimize terminology (vgaetera)
New: docs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq (dpawlik)
Line 1: Line 1:
-====== DNS over TLS with Unbound ====== +====== DoT with Unbound ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}} +{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
- +
-/* +
-This article is a simple how-to to enable DoT with Unbound. +
-It should work with just copy-paste on the current OpenWrt stable release out of the box for most users. +
-So let's leave advanced zone management, split DNS, manual config edits, etc. outside of the scope of this how-to to minimize the probability of mistakes and simplify the wiki maintenance. +
-The link to the main Unbound article [[docs:guide-user:services:dns:unbound]] is already included in the [[#introduction]] section. +
-*/+
  
 ===== Introduction ===== ===== Introduction =====
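Review bot: the infobox prerequisite is lowered from cli_skills to basic_skills, but nothing in this revision replaces the shell procedure; the section that follows is even renamed "Command-line instructions", so the new label understates what a reader needs. Keep cli_skills, or put the LuCI route first if "basic" is what is meant. The deleted maintainer comment was also the only place the page stated its scope rule (copy-paste on the stable release, no manual config edits, no advanced zone management); dropping it removes the rationale later editors would need, and the dnsmasq chapter added at the end of this same diff already edits /etc/config/unbound with sed, which that rule existed to prevent. If a wiki comment is not wanted, fold the scope statement into the Introduction.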
Line 17: Line 10:
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions =====+===== Command-line instructions =====
 [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd. [[docs:guide-user:base-system:dhcp_configuration#disabling_dns_role|Disable]] Dnsmasq DNS role or remove it completely optionally [[docs:guide-user:base-system:dhcp_configuration#replacing_dnsmasq_with_odhcpd_and_unbound|replacing]] its DHCP role with odhcpd.
  
-Install the packages and configure DNS encryption.+Install the required packages
 +Enable DNS encryption.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install unbound-daemon ca-bundle+opkg install unbound-daemon
  
 # Enable DNS encryption # Enable DNS encryption
-while uci -q delete unbound.@zone[0]; do :; done +uci set unbound.fwd_google.enabled="1" 
-uci set unbound.forward="zone" +uci set unbound.fwd_google.fallback="0"
-uci set unbound.forward.enabled="1" +
-uci set unbound.forward.fallback="0+
-uci set unbound.forward.zone_type="forward_zone" +
-uci set unbound.forward.tls_upstream="1" +
-uci set unbound.forward.tls_index="dns.google" +
-uci add_list unbound.forward.zone_name="." +
-uci add_list unbound.forward.server="2001:4860:4860::8888" +
-uci add_list unbound.forward.server="2001:4860:4860::8844" +
-uci add_list unbound.forward.server="8.8.8.8" +
-uci add_list unbound.forward.server="8.8.4.4"+
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
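Review bot: `ca-bundle` is dropped from the install line while the page still authenticates upstreams by name (the provider hunk below sets `tls_upstream="1"` and `tls_index="family.cloudflare-dns.com"`). Unbound can only check the upstream certificate against a CA store it has been given, so this is safe only if `unbound-daemon` pulls `ca-bundle` in as a dependency on the release the page targets; either confirm that and say so, or keep `opkg install unbound-daemon ca-bundle`. The new block also assumes a pre-existing `unbound.fwd_google` zone section: nothing in the diff shows it being created or shows that it carries `zone_type`, `server` or `tls_upstream`, and the old `while uci -q delete unbound.@zone[0]; do :; done` loop that guaranteed a clean zone list is gone. State which release ships these named zones in the default /etc/config/unbound, and add a `uci show unbound.fwd_google` line so the reader can verify `tls_upstream='1'` before trusting the result. Minor: "Install the required packages" / "Enable DNS encryption." are two fragments where one sentence stood; the first needs a full stop, or rejoin them.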
Line 54: Line 38:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/unbound restart+service log restart; service unbound restart
  
 # Log and status # Log and status
Line 66: Line 50:
 uci show unbound uci show unbound
 </code> </code>
- 
-[[https://forum.openwrt.org/t/dns-privacy-aka-dns-over-tls-for-openwrt-updated-w-bonus-videos-for-setup-and-verification/89772|WIP "How To" DoT for Snapshot on the forum]] 
  
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage the settings using web interface.+If you want to manage the settings using web interface
 +Install the necessary packages.
  
 <code bash> <code bash>
Line 77: Line 60:
 opkg update opkg update
 opkg install luci-app-unbound opkg install luci-app-unbound
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Services -> Recursive DNS** to configure Unbound.+Navigate to **LuCI -> Services -> Recursive DNS** to configure Unbound.
  
 ==== DoT provider ==== ==== DoT provider ====
 Unbound is configured with Google DNS. Unbound is configured with Google DNS.
-You can change it Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. +You can change it to Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure the provider supports DNSSEC validation if required.+Use resolvers supporting DNSSEC validation if necessary.
 Specify several resolvers to improve fault tolerance. Specify several resolvers to improve fault tolerance.
  
 +Change to Cloudflare DNS
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
-uci set unbound.forward.tls_index="cloudflare-dns.com+uci set unbound.fwd_google.enabled="0
-uci -q delete unbound.forward.server +uci set unbound.fwd_cloudflare.enabled="1" 
-uci add_list unbound.forward.server="2606:4700:4700::1111" +uci set unbound.fwd_cloudflare.fallback="0"
-uci add_list unbound.forward.server="2606:4700:4700::1001" +
-uci add_list unbound.forward.server="1.1.1.1" +
-uci add_list unbound.forward.server="1.0.0.1"+
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart 
 +</code> 
 + 
 +Change to other [[wp>Public_recursive_name_server|DoT provider]]  
 +<code bash> 
 +# Configure DoT provider (example: "Cloudflare Family Protection"
 +uci set unbound.fwd_google.enabled="0" 
 +uci set unbound.fwd_cloudflare.enabled="0" 
 +while uci -q del unbound.@zone[4]; do :; done 
 +uci add unbound zone 
 +uci set unbound.@zone[-1].enabled="1" 
 +uci set unbound.@zone[-1].fallback="0" 
 +uci set unbound.@zone[-1].zone_type="forward_zone" 
 +uci add_list unbound.@zone[-1].zone_name="." 
 +uci add_list unbound.@zone[-1].server="1.1.1.3" 
 +uci add_list unbound.@zone[-1].server="1.0.0.3" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1113" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1003" 
 +uci set unbound.@zone[-1].tls_upstream="1" 
 +uci set unbound.@zone[-1].tls_index="family.cloudflare-dns.com" 
 +uci commit unbound 
 +service unbound restart
 </code> </code>
  
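Review bot: `while uci -q del unbound.@zone[4]; do :; done` hard-codes the assumption that the stock config has exactly four zone sections (indices 0 to 3). It deletes every zone from index 4 upward, including any the reader added themselves, and if a release ships more or fewer default zones it either removes a stock zone or leaves an unrelated one enabled alongside the new forwarder. Use a named section instead, which is idempotent and matches the `fwd_google`/`fwd_cloudflare` style used two blocks earlier, e.g. `uci -q delete unbound.fwd_custom`, `uci set unbound.fwd_custom="zone"`, then `uci set unbound.fwd_custom.zone_type="forward_zone"` and so on for the remaining options. Two wording points: "Use resolvers supporting DNSSEC validation if necessary" reads as if the upstream must validate; with the local validator enabled in the next hunk the requirement is only that the forwarder returns DNSSEC records unmodified. And the new lead lines "If you want to manage the settings using web interface", "Change to Cloudflare DNS" and "Change to other DoT provider" are sentence fragments placed before code blocks; end each with a colon.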
Line 108: Line 110:
 uci set unbound.@unbound[0].validator="1" uci set unbound.@unbound[0].validator="1"
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
 +
 +===== Configure unbound with dnsmasq =====
 +Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp>Public_recursive_name_server|DoT provider]] were described earlier.
 +Here would be just described how to configure unbound with dnsmasq.
 +
 +=== Command-line instructions ===
 + 
 +<code bash>
 +# Change unbound port to 5353, because dnsmasq is running already on port 53
 +sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound
 +
 +# configure dnsmasq to forward to localhost 5353
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 +uci -q delete dhcp.@dnsmasq[0].server
 +uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5353"
 +uci commit dhcp
 +service dnsmasq start
 +service unbound restart
 +
 +# Optional - ensure, that the NTP server can work without DNS
 +uci del system.ntp.server
 +uci add_list system.ntp.server='194.177.4.1'    # 0.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='213.222.217.11' # 1.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='80.50.102.114'  # 2.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='193.219.28.60'  # 3.openwrt.pool.ntp.org
 +uci commit system
 +</code>
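Review bot: `sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound` bypasses UCI and only works if that exact string, quotes included, is present in the file; on a config where the option is absent or written differently it silently changes nothing, and dnsmasq then forwards to a port nobody listens on. The rest of the page uses UCI for everything, so use `uci set unbound.@unbound[0].listen_port="5353"` followed by `uci commit unbound` here as well. Three more points. First, this chapter contradicts the opening instruction to disable dnsmasq's DNS role; say explicitly that for this variant dnsmasq keeps its DNS role and the reader skips that step, otherwise anyone following the page top to bottom has already disabled it. Second, `cachesize='0'` deserves a comment (dnsmasq caching is switched off so that Unbound is the only cache), and `uci del system.ntp.server` should be `uci -q delete` like every other removal on the page so it does not print an error when the list is already empty. Third, the NTP block hard-codes four addresses and labels them `N.openwrt.pool.ntp.org`; pool members rotate, so the comments will stop being true and the hosts may stop serving NTP. Spell out the problem the block is solving (with `validator="1"` Unbound rejects signed answers until the clock is correct, and sysntpd cannot resolve the pool names without working DNS) so a reader can judge whether they need it, and mark the addresses as examples to be replaced. Also "Here would be just described how to configure unbound with dnsmasq." should read "This section only describes how to configure Unbound with dnsmasq."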
Last modified: 2024/11/20 13:42 by dpawlik