Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:dot_unbound [2021/12/05 11:26] – [DoT provider] vgaetera
docs:guide-user:services:dns:dot_unbound [2024/10/21 08:10] – Add chapter how to configure unbound with dnsmasq dpawlik
Line 1: Line 1:
 ====== DoT with Unbound ====== ====== DoT with Unbound ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
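Review bot: Relabelling the infobox from cli_skills to basic_skills is hard to justify when every step that follows is still typed at a shell (uci set …, service … restart, and in the new dnsmasq chapter a sed -i over /etc/config/unbound); either keep cli_skills or add the LuCI equivalents before lowering the required-skills marker. The only LuCI step on the page is installing luci-app-unbound, which does not replace the command-line instructions.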
Line 25: Line 25:
 uci set unbound.fwd_google.fallback="0" uci set unbound.fwd_google.fallback="0"
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
Line 38: Line 38:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/unbound restart+service log restart; service unbound restart
  
 # Log and status # Log and status
Line 60: Line 60:
 opkg update opkg update
 opkg install luci-app-unbound opkg install luci-app-unbound
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
Line 68: Line 68:
 Unbound is configured with Google DNS. Unbound is configured with Google DNS.
 You can change it to Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. You can change it to Cloudflare DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]].
-Be sure the resolvers support DNSSEC validation if necessary.+Use resolvers supporting DNSSEC validation if necessary.
 Specify several resolvers to improve fault tolerance. Specify several resolvers to improve fault tolerance.
  
 +Change to Cloudflare DNS
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
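Review bot: "Use resolvers supporting DNSSEC validation if necessary" still does not say when it is necessary. The page later turns on local validation with uci set unbound.@unbound[0].validator="1", and once Unbound validates answers itself the upstream only has to pass DNSSEC records through rather than validate them, so the sentence should say that the upstream's own validation matters only if the reader skips the validator step. Also, the new line "Change to Cloudflare DNS" is a bare label in front of a code block while the rest of the page uses === … === headings; give it the same markup so it renders as a section.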
Line 77: Line 78:
 uci set unbound.fwd_cloudflare.fallback="0" uci set unbound.fwd_cloudflare.fallback="0"
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart 
 +</code> 
 + 
 +Change to other [[wp>Public_recursive_name_server|DoT provider]]  
 +<code bash> 
 +# Configure DoT provider (example: "Cloudflare Family Protection"
 +uci set unbound.fwd_google.enabled="0" 
 +uci set unbound.fwd_cloudflare.enabled="0" 
 +while uci -q del unbound.@zone[4]; do :; done 
 +uci add unbound zone 
 +uci set unbound.@zone[-1].enabled="1" 
 +uci set unbound.@zone[-1].fallback="0" 
 +uci set unbound.@zone[-1].zone_type="forward_zone" 
 +uci add_list unbound.@zone[-1].zone_name="." 
 +uci add_list unbound.@zone[-1].server="1.1.1.3" 
 +uci add_list unbound.@zone[-1].server="1.0.0.3" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1113" 
 +uci add_list unbound.@zone[-1].server="2606:4700:4700::1003" 
 +uci set unbound.@zone[-1].tls_upstream="1" 
 +uci set unbound.@zone[-1].tls_index="family.cloudflare-dns.com" 
 +uci commit unbound 
 +service unbound restart
 </code> </code>
  
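Review bot: The clean-up loop while uci -q del unbound.@zone[4]; do :; done is position-based: it deletes every zone section from index 4 onward, which only matches the intended "remove my earlier attempt" when the stock zone sections (fwd_google and fwd_cloudflare among them) are still exactly four, and it silently destroys any zone the reader added for another purpose. A named section avoids the counting entirely: uci set unbound.fwd_family=zone followed by uci set unbound.fwd_family.enabled="1" and the remaining options is idempotent on re-run and can be switched off later the same way fwd_google is disabled here. Two smaller points: tls_index is the hostname Unbound authenticates the upstream certificate against, and with fallback="0" a mismatch (for example keeping cloudflare-dns.com with the 1.1.1.3 family addresses) leaves the router with no working resolver, so one sentence telling the reader to take the addresses and the name together from the provider would save a debugging session; and "Change to other DoT provider" is a bare label rather than a === … === heading like the rest of the page.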
Line 88: Line 110:
 uci set unbound.@unbound[0].validator="1" uci set unbound.@unbound[0].validator="1"
 uci commit unbound uci commit unbound
-/etc/init.d/unbound restart+service unbound restart
 </code> </code>
  
 +
 +===== Configure unbound with dnsmasq =====
 +Unbound can also act as a resolver for dnsmasq. How to install and how to change the [[wp>Public_recursive_name_server|DoT provider]] were described earlier.
 +Here would be just described how to configure unbound with dnsmasq.
 +
 +=== Command-line instructions ===
 + 
 +<code bash>
 +# Change unbound port to 5353, because dnsmasq is running already on port 53
 +sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound
 +
 +# configure dnsmasq to forward to localhost 5353
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 +uci set dhcp.@dnsmasq[0].localuse="1"
 +uci set dhcp.@dnsmasq[0].cachesize='0'
 +uci -q delete dhcp.@dnsmasq[0].server
 +uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5353"
 +uci commit dhcp
 +service dnsmasq start
 +service unbound restart
 +
 +# Optional - ensure, that the NTP server can work without DNS
 +uci del system.ntp.server
 +uci add_list system.ntp.server='194.177.4.1'    # 0.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='213.222.217.11' # 1.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='80.50.102.114'  # 2.openwrt.pool.ntp.org
 +uci add_list system.ntp.server='193.219.28.60'  # 3.openwrt.pool.ntp.org
 +uci commit system
 +</code>
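Review bot: sed -i "s/option listen_port '53'/option listen_port '5353'/g" /etc/config/unbound edits the UCI file behind uci's back and only works while the file contains exactly option listen_port '53' with single quotes; if the reader has already changed the port or the line is written differently, the sed is a silent no-op, Unbound keeps port 53, and Unbound and dnsmasq end up competing for it after service dnsmasq start. Use the mechanism the rest of the page uses: uci set unbound.@unbound[0].listen_port="5353" and uci commit unbound before the restart. The optional NTP block pins four IP addresses looked up from 0.openwrt.pool.ntp.org … 3.openwrt.pool.ntp.org; pool members rotate, so the addresses will go stale and the comments will then be wrong, and the text should at least state the reason for the block (a valid clock is needed before DoT certificate checks and DNSSEC validation succeed, while NTP by hostname needs DNS first) so readers can judge whether they need it. Minor: cachesize='0' uses single quotes while every other uci value on the page uses double quotes, and "Here would be just described how to configure unbound with dnsmasq." should read "This section only describes how to configure Unbound with dnsmasq."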
  • Last modified: 2024/11/20 13:42
  • by dpawlik