Installing and configuring authoritative, recursive, and DoT/DNSSEC DNS server with Unbound

Not working ... did what you wrote with some fixes

1/ not working, tried curl -sS -L --compressed-ssh ... and it passed
Code:
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /jffs/adservers
curl: option --compressed: the installed libcurl version doesn't support this
curl: try 'curl --help' for more information

Code:
/opt/etc/init.d/S61unbound check
Checking unbound... dead.

unbound-checkconf
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

it starts but then dies
 
How does Unbound compare to the built-in DNS Privacy options ?
Unbound has advantages over root server scanning, recursion, and more sophisticated security policies
 
So to play safe, use dnsmasq.conf.add, and if necessary, use dnsmasq.postconf to tweak/alter/delete any variables
e.g. 'cache-size=1500' to 'cache-size=0' (not this old discussion again! :eek:)
I will adapt
 
How to start unbound from Entware (I assume default prefix /opt is used). I still forward queries from dnsmasq (well it is a query forwarder) to unbound, listening to port 40.

Contributions to this post are well received

1) install unbound

2) run unbound-anchor and unbound-control-setup

3) create /opt/var/lib/unbound directory

4) copy root.key to unbound directory

5) change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody

6) edit /opt/etc/unbound/unbound.conf


7) Edit and start unbound daemon
Code:
#!/bin/sh

ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func


8) Create dnsmasq custom configuration in /jffs/config/dnsmasq.conf:

Code:
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
cache-size=0
server=127.0.0.1#40
min-port=4096
bogus-priv
domain-needed
dhcp-range=lan,10.0.30.10,10.0.30.50,255.255.255.0,86400s
dhcp-option=lan,3,10.0.30.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
dhcp-option=option:ntp-server,10.0.30.1

AdBlocking on Unbound:

Create a scheduler in the Merlin scripts CRU:


Configure the unbound.conf file in the directory:


local-zone: " " transparent ---> Domain settings whitelist

Get root DNS server:

Code:
curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

NOTE: Implementing Adblock on Unbound requires sufficient RAM. It is advisable to configure swap memory.
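An added example for the adblock step above (example sh written for this page, not code from the thread, from unbound or from pgl.yoyo.org): a POSIX sh converter that turns a hosts-format blocklist into unbound local-zone lines and refuses every entry that is not a well-formed hostname. The yoyo URL in the post already emits unbound syntax, but whatever curl downloads lands unchanged in a file that unbound.conf includes, so a corrupted or hostile list can break the resolver or add directives of its own. Assumptions: the input is hosts format (0.0.0.0 or 127.0.0.1 followed by a name), the installed unbound accepts the always_nxdomain local-zone type, and home.lan stands in for your own LAN domain, which must never be blocked.

```shell
#!/bin/sh
# Added example (not unbound's, Merlin's or pgl.yoyo.org's code): sanitize a
# hosts-style blocklist ("0.0.0.0 name" / "127.0.0.1 name") into unbound
# local-zone statements. Only well-formed hostnames are accepted, so a
# corrupted or hostile download cannot smuggle quotes or other directives
# into the file that unbound.conf includes.
# Assumes unbound understands the always_nxdomain local-zone type.

ALLOW_DOMAIN="home.lan"      # assumed internal zone that is never blocked
CR=$(printf '\r')            # blocklists are often served with CRLF endings

# valid_hostname NAME -> 0 if NAME is a syntactically valid DNS hostname
valid_hostname() {
    n=$1
    [ ${#n} -le 253 ] || return 1
    case $n in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1;;   # empty, stray dots, bad chars
    esac
    oldifs=$IFS; IFS=.
    set -- $n                                        # safe: only [A-Za-z0-9.-] left
    IFS=$oldifs
    for label in "$@"; do
        [ ${#label} -le 63 ] || return 1
        case $label in -*|*-) return 1;; esac       # hyphen at label edge
    done
    return 0
}

# make_blocklist < hosts-list > unbound-fragment
# Emits one local-zone per accepted name; returns 1 if any line was rejected,
# so a cron job can refuse to install a list that contained garbage.
make_blocklist() {
    rejected=0
    while read -r addr name rest; do
        case $addr in ''|'#'*) continue;; esac            # blank or comment line
        name=${name%"$CR"}; name=${name%%#*}              # CRLF, glued "#comment"
        case $addr in
            0.0.0.0|127.0.0.1) ;;
            *) printf 'rejected line: %s\n' "$addr $name" >&2
               rejected=$((rejected+1)); continue;;
        esac
        case $name in
            ''|localhost|localhost.localdomain|local|broadcasthost) continue;;
            "$ALLOW_DOMAIN"|*."$ALLOW_DOMAIN") continue;; # never block our own zone
        esac
        if ! valid_hostname "$name"; then
            printf 'rejected name: %s\n' "$name" >&2
            rejected=$((rejected+1)); continue
        fi
        printf 'local-zone: "%s." always_nxdomain\n' "$name"
    done
    [ "$rejected" -eq 0 ]
}
```

Write the output to a temporary file, run unbound-checkconf against the configuration that includes it, and only then move it into place and restart unbound; the non-zero exit status tells a scheduled job that the download contained lines it had to drop.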
pardon my ignorance of the facts but what is this section for in the unbound.conf
Code:
# private networks:
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16

when would we need to add or change anything here?

in reality shouldn't this look more like this ?
Code:
private-address: 0.0.0.0/8       
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 127.0.0.0/8     
private-address: 172.16.0.0/12
private-address: 192.0.0.0/24   
private-address: 192.0.2.0/24   
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: 198.18.0.0/15   
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24 
private-address: 233.252.0.0/24 
private-address: ::1/128         
private-address: 2001:db8::/32   
private-address: fc00::/8       
private-address: fd00::/8       
private-address: fe80::/10
 
This option tells Unbound which private networks to use on your internal network. These are the ones I listed. When you add 0.0.0.0/8, you are informing all possible networks.
 
this is in relation to rebind protection correct?
 
Yes, but for the internal network. It leaves the Unbound smarter. In general, I do not like to assign 0.0.0.0/8 listeners to Unbound. The more descriptive the Unbound configuration file is, the better.
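As an added illustration for the private-address discussion (example sh written for this page, not unbound's code): the functions below do, for one A record, what private-address and private-domain do inside unbound. An address inside any private-address prefix is stripped from the answer unless the queried name is at or below a private-domain. That second setting is the one that gets forgotten: without it, any name resolved through unbound that legitimately answers with a 10.x or 192.168.x address has that record removed. The example also shows that 0.0.0.0/8 covers only the 0.x.x.x block, nothing more. Assumed: IPv4 only, lowercase names, and home.lan as the internal zone.

```shell
#!/bin/sh
# Added example (not unbound's code): emulate what unbound's private-address
# and private-domain settings do to a single A record. IPv4 only, names are
# assumed lowercase, and home.lan is an assumed internal zone.

PRIVATE_ADDRESSES="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16"
PRIVATE_DOMAINS="home.lan"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer, or returns 1
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1;; esac        # reject before word-splitting
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in '') return 1;; esac               # "10..0.1"
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX -> 0 if IP lies inside the prefix, 1 if not, 2 on bad input
in_cidr() {
    ip=$(ip_to_int "$1") || return 2
    netint=$(ip_to_int "${2%/*}") || return 2
    plen=${2#*/}
    case $plen in ''|*[!0-9]*) return 2;; esac
    [ "$plen" -le 32 ] || return 2
    if [ "$plen" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - plen)) & 4294967295 )); fi
    [ $(( ip & mask )) -eq $(( netint & mask )) ]
}

# domain_is_private NAME -> 0 if NAME is at or under a private-domain
domain_is_private() {
    for d in $PRIVATE_DOMAINS; do
        case $1 in "$d"|*."$d") return 0;; esac
    done
    return 1
}

# rebind_filter NAME IP -> prints "allow" if the record may be returned to the
# client, "strip" if unbound would remove it from the answer
rebind_filter() {
    if domain_is_private "$1"; then echo allow; return 0; fi
    for c in $PRIVATE_ADDRESSES; do
        if in_cidr "$2" "$c"; then echo strip; return 0; fi
    done
    echo allow
}
```

Try it with a public name answering a LAN address (stripped) and the same address under the private-domain (allowed); the prefix list is the thing to tune, the private-domain line is the thing not to forget when your LAN zone is resolved through unbound.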
 
Code:
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

shouldn't #cloudflare-dns.com be appended to the addresses to ensure a proper TLS handshake?
 
first thing I did was use /jffs/scripts/dnsmasq.postconf
Code:
#!/bin/sh
# /jffs/scripts/dnsmasq.postconf: edits the dnsmasq.conf Merlin generates
CONFIG=$1
. /usr/sbin/helper.sh

# Only hand queries to unbound (port 40) once NTP is ready; until then
# dnsmasq keeps its normal upstream servers and cache
if [ "$(nvram get ntp_ready)" = "1" ]; then
   pc_replace "servers-file=/tmp/resolv.dnsmasq" "server=127.0.0.1#40" "$CONFIG"
   pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
fi

then I modified /opt/etc/init.d/S61unbound
to be
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        logger -st "S61unbound" "Waiting for NTP to sync before starting..."
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
                echo ""
                exit 1
        fi
fi

export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
This sets the TZ for accurate syslogging, and nohup allows for commands to be used to verify active listening addresses. These commands can be run from the command line:
Code:
ps | grep unbound | grep -v grep
netstat -lnptu | grep unbound
netstat -lnpt | grep -E '^Active|^Proto|/unbound'

Last thing: I treated this like a headless server situation. I opted to install haveged with
opkg install haveged
then I modified /opt/etc/init.d/S02haveged using
nano /opt/etc/init.d/S02haveged
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        logger -st "S02haveged" "Waiting for NTP to sync before starting..."
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S02haveged" "NTP failed to sync after 5 minutes - please check immediately!"
                echo ""
                exit 1
        fi
fi
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=haveged
ARGS="-w 1024 -d 32 -i 32 -v 1"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

If anyone wants to forward using only the TLS from stubby (no TLS upstream in unbound needed), just append to /opt/etc/unbound/unbound.conf

EDIT: it should be appended to /opt/var/lib/unbound/unbound.conf
Code:
forward-zone:
    name: "."
    forward-addr: 127.0.1.1@53
since stubby listens on 127.0.1.1

EDIT: just to let people know, you must turn off GUI DNSSEC when using this setup; dnsmasq will not work properly with it turned on and the dnsmasq cache set to 0.

Dnssec can be configured inside /opt/var/lib/unbound/unbound.conf

Code:
# DNSSEC and DNS-over-TLS
#module-config: "validator iterator"
#auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
tls-cert-bundle: /opt/etc/ssl/certs/ca-certificates.crt
#domain-insecure: "vaka.me"
by removing the # next to auto-trust-anchor, and module-config
 
I hope someone will make an install script for this (Unbound+DNSSEC+DNS over TLS+adblock); I failed last time, I will try the new updated setup. Thanks.
 
We changed the installation process. Try again.
I tried; it worked fine, but it was too slow with ad block (don't know why, any suggestions to increase performance are welcome).

On step 6, "edit /opt/etc/unbound/unbound.conf":
it is supposed to be /opt/var/lib/unbound/unbound.conf (also unbound -c /opt/etc/unbound/unbound.conf can be used to change the default config file path)

Another mistake in this guide: "Create a scheduler in the Merlin scripts CRU:"
instead of
Code:
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /jffs/adservers

it should be:
Code:
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /opt/etc/unbound/adservers
 
Use Diversion. Comment out the Adblock line in the unbound.conf file
 
I also have a question regarding a DNS server. I want to use this DNS server instead of Cloudflare; how can I configure it in unbound.conf?

145.100.185.18
port: 853
2001:610:1:40ba:145:100:185:18

Hostname for TLS authentication: dnsovertls3.sinodun.com

SPKI pin(s) for TLS authentication (RFC 7858): 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
 
We changed the steps at the beginning of the post. Now you can use Merlin's native Stubby. There you choose.
 
Ohh another change, thanks. What about DNSSEC ? leave it enabled in Merlin or is it enabled via Unbound (by removing the # next to auto-trust-anchor, and module-config)?
 
