What's new

Installing and configuring authoritative, recursive, and DoT/DNSSEC DNS server with Unbound

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Not working ,,, did what you wrote with some fixes

1/ not working, tried curl -sS -L --compressed-ssh ... and it passed
curl -sS -L --compressed "http://pgl.yoyo.org/adserve
rs/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /jffs/ads
ervers
curl: option --compressed: the installed libcurl version doesn't support this
curl: try 'curl --help' for more information



/opt/etc/init.d/S61unbound check
Checking unbound... dead.

unbound-checkconf
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf


it starts but then dies
 
How does Unbound compare to the built-in DNS Privacy options ?
Unbound has advantages over root server scanning, recursion, and more sophisticated security policies
 
So to play safe, use dnsmasq.conf.add, and if necessary, use dnsmasq.postconf to tweak/alter/delete any variables
e.g. 'cache-size=1500' to 'cache-size=0' (not this old discussion again! :eek:)
I will adapt
 
How to start unbound from Entware (I assume default prefix /opt is used). I still forward queries from dnsmasq (well it is a query forwarder) to unbound, listening to port 40.

Contributions to this post are well received

1) install unbound

2) run unbound-anchor and unbound-control-setup

3) create /opt/var/lib/unbound directory

4) copy root.key to unbound directory

5) change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody

6) edit /opt/etc/unbound/unbound.conf


7) Edit and start unbound daemon
Code:
#!/bin/sh

ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func


8) Create dnsmasq custom configuration in /jffs/config/dnsmasq.conf:

Code:
pid-file=/var/run/dnsmasq.pid
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
cache-size=0
server=127.0.0.1#40
min-port=4096
bogus-priv
domain-needed
dhcp-range=lan,10.0.30.10,10.0.30.50,255.255.255.0,86400s
dhcp-option=lan,3,10.0.30.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
dhcp-option=option:ntp-server,10.0.30.1

AdBloking on Unbound:

Create a scheduler in the Merlin scripts CRU:


Configure the unbound.conf file in the directory:


local-zone: " " transparent ---> Domain settings whitelist

Get root DNS server:

Code:
curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

NOTE: Implementing Adblock on Unbound requires sufficient RAM. It is advisable to configure swap memory.
pardon my ignorance of the facts but what is this section for in the unbound.conf
Code:
# private networks:
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16

when would we need to add or change anything here?

in reality shouldn't this look more like this ?
Code:
private-address: 0.0.0.0/8       
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 127.0.0.0/8     
private-address: 172.16.0.0/12
private-address: 192.0.0.0/24   
private-address: 192.0.2.0/24   
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: 198.18.0.0/15   
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24 
private-address: 233.252.0.0/24 
private-address: ::1/128         
private-address: 2001:db8::/32   
private-address: fc00::/8       
private-address: fd00::/8       
private-address: fe80::/10
 
Last edited:
pardon my ignorance of the facts but what is this section for in the unbound.conf
Code:
# private networks:
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16

when would we need to add or change anything here?

in reality shouldn't this look more like this ?
Code:
private-address: 0.0.0.0/8      
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 127.0.0.0/8    
private-address: 172.16.0.0/12
private-address: 192.0.0.0/24  
private-address: 192.0.2.0/24  
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: 198.18.0.0/15  
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128        
private-address: 2001:db8::/32  
private-address: fc00::/8      
private-address: fd00::/8      
private-address: fe80::/10
This option tells Unbound which private networks to use on your internal network. These are the ones I listed. When you add 0.0.0.0/8, you are informing all possible networks.
 
This option tells Unbound which private networks to use on your internal network. These are the ones I listed. When you add 0.0.0.0/8, you are informing all possible networks.
this is in relation to rebind protection correct?
 
this is in relation to rebind protection correct?
Yes, but for the internal network. It leaves the Unbound smarter. In general, I do not like to assign 0.0.0.0/8 listeners to Unbound. The more descriptive the Unbound configuration file is, the better.
 
Yes, but for the internal network. It leaves the Unbound smarter. In general, I do not like to assign 0.0.0.0/8 listeners to Unbound. The more descriptive the Unbound configuration file is, the better.
Code:
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

shouldn't #cloudflare-dns.com be appended to the addresses to insure proper TLS handshake
 
first thing i did was use /jffs/scripts/dnsmasq.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

if [ "$(nvram get ntp_ready)" = "1" ]; then
   pc_replace "servers-file=/tmp/resolv.dnsmasq" "server=127.0.0.1#40" $CONFIG
   pc_replace "cache-size=1500" "cache-size=0" $CONFIG
fi

then I modified /opt/etc/init.d/S61unbound
to be
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        logger -st "S61unbound" "Waiting for NTP to sync before starting..."
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
                echo ""
                exit 1
        fi
fi

export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
this sets the TZ for accurate sysloging, and nohup allows for commands to be used to verify active listening addresses these different commands can be runned via command line
ps | grep unbound | grep -v grep
netstat -lnptu | grep unbound
netstat -lnpt | grep -E '^Active|^Proto|/unbound'

last thing, I treated this like a headless server situation
i opted to install haveged with
opkg install haveged
then I modified /opt/etc/init.d/S02haveged
nano /opt/etc/init.d/S02haveged
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        logger -st "S02haveged" "Waiting for NTP to sync before starting..."
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S02haveged" "NTP failed to sync after 5 minutes - please check immediately!"
                echo ""
                exit 1
        fi
fi
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=haveged
ARGS="-w 1024 -d 32 -i 32 -v 1"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

if anyone wants to forward using only the TLS for stubby no TLS upstream needed.
just append /opt/etc/unbound/unbound.conf

to
edited it should be appended to /opt/var/lib/unbound/unbound.conf
Code:
forward-zone:
  name: "."
    forward-addr: 127.0.1.1@53
since stubby listens on 127.0.1.1

EDIT: just to let people know , you must turn off GUI dnssec when using this setup, dnsmasq will not work properly with it turned on and dnsmasq cache set to 0.

Dnssec can be configured inside /opt/var/lib/unbound/unbound.conf

Code:
# DNSSEC and DNS-over-TLS
#module-config: "validator iterator"
#auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
tls-cert-bundle: /opt/etc/ssl/certs/ca-certificates.crt
#domain-insecure: "vaka.me"
by removing the # next to auto-trust-anchor, and module-config
 
Last edited:
I hope someone will make an install script for this (Unbound+DNSSEC+DNS OVER TLS+adblock) , failed last time, I will try the new updated setup . Thanks.
 
We changed the installation process. Try again.
I tried, worked fine, but was too slow with ad block (don't know why, any suggestions to increase performance are welcomed) .

On step ( : 6 ) edit /opt/etc/unbound/unbound.conf
it suppose to be /opt/var/lib/unbound/unbound.conf (also unbound -c /opt/etc/unbound/unbound.conf can be used to change default config file path)

-another mistake in this guide : "Create a scheduler in the Merlin scripts CRU:"
instead of
Code:
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /jffs/adservers

Should be :

curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /opt/etc/unbound/adservers
 
I tried, worked fine, but was too slow with ad block (don't know why, any suggestions to increase performance are welcomed) .

On step ( : 6 ) edit /opt/etc/unbound/unbound.conf
it suppose to be /opt/var/lib/unbound/unbound.conf (also unbound -c /opt/etc/unbound/unbound.conf can be used to change default config file path)

-another mistake in this guide : "Create a scheduler in the Merlin scripts CRU:"
instead of
Code:
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /jffs/adservers

Should be :

curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /opt/etc/unbound/adservers
Use Diversion. Comment out the Adblock line in the unbound.conf file
 
Use Diversion. Comment out the Adblock line in the unbound.conf file
I also have a question regarding DNS server. I want to use this DNS server instead of cloudflare, how can I configure it in unbound.conf ?

145.100.185.18
port: 853
2001:610:1:40ba:145:100:185:18

Hostname for TLS authentication: dnsovertls3.sinodun.com

SPKI pin(s) for TLS authentication(RFC7858): 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
 
configure it in unbound.conf ?
We changed the steps at the beginning of the post. Now you can use Merlin's native Stubby. There you choose.
 
We changed the steps at the beginning of the post. Now you can use Merlin's native Stubby. There you choose.
Ohh another change, thanks. What about DNSSEC ? leave it enabled in Merlin or is it enabled via Unbound (by removing the # next to auto-trust-anchor, and module-config)?
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top