Installing and configuring authoritative, recursive, and DoT/DNSSEC DNS server with Unbound

Thanks!
Works fine (also don't forget to make dnsmasq.postconf executable)

I changed the steps to configure Unbound. Unbound will only provide caching and authoritative DNS recursion. All services with Diversion, Stubby and Skynet will continue with dnsmasq.
 
I changed the steps to configure Unbound. Unbound will only provide caching and authoritative DNS recursion. All services with Diversion, Stubby and Skynet will continue with dnsmasq.
So now it doesn't do DNSSEC validation, right? If so, when you enable DNSSEC in the GUI it doesn't work, because it needs more than 0 cache-size configured in dnsmasq.conf, which gets zeroed because of dnsmasq.postconf.
 
Using FW 384.12. Configuring Unbound + Stubby gave results on the rootcanary tests similar to Merlin's dnsmasq + openssl solution on FW 384.13-Alpha.
How to start unbound from Entware (I assume the default prefix /opt is used). I still forward queries from dnsmasq (well, it is a query forwarder) to unbound, listening on port 5453. Unbound will provide caching and authoritative DNS recursion. All services with Diversion, Stubby and Skynet will continue with dnsmasq.

Credits / contributions: @SomeWhereOverTheRainBow, @Swistheater (for stubby.yml)


Contributions to this post are well received



Install unbound

Run unbound-control-setup for Unbound monitoring

Create /opt/var/lib/unbound directory

Change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody

Edit /opt/etc/unbound/unbound.conf


Get the root DNS server hints:
Code:
curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

Edit the Entware init script for unbound and start the daemon:
Code:
#!/bin/sh
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
# take TZ from the router so syslog timestamps are correct
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
# must point at the unbound.conf you edited (the Entware default location is /opt/etc/unbound/unbound.conf)
ARGS="-c /opt/var/lib/unbound/unbound.conf"
# nohup keeps the daemon running when the shell that started it exits
PREARGS="nohup"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func


Create the dnsmasq custom configuration in /jffs/scripts/dnsmasq.postconf:

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
# drop the options that get in the way of a recursive upstream
pc_delete "no-negcache" /etc/dnsmasq.conf
pc_delete "bogus-priv" /etc/dnsmasq.conf
pc_delete "domain-needed" /etc/dnsmasq.conf
# forward every query to unbound on 127.0.1.1 port 5453
pc_append "server=127.0.1.1#5453" /etc/dnsmasq.conf
# dnsmasq no longer caches; unbound does
pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
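As an added example (not code from the thread or from the Merlin firmware), the script below re-implements the pc_* helpers locally, applies the same five edits that dnsmasq.postconf makes to a constructed sample of dnsmasq.conf, and then checks for the combination a later reply in this thread points out: DNSSEC still enabled in dnsmasq while its cache has been forced to 0, in which case validation has to be done by Unbound instead. The pc_* bodies are an assumption about how /usr/sbin/helper.sh behaves, and the sample config lines and function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread. The pc_* functions are local
# re-implementations; their semantics (delete matching lines / append if
# absent / sed replace) are an assumption about Merlin's /usr/sbin/helper.sh.
pc_delete()  { sed -i "/$1/d" "$2"; }
pc_append()  { grep -qF -- "$1" "$2" || echo "$1" >> "$2"; }
pc_replace() { sed -i "s~$1~$2~g" "$3"; }

# Exact whole-line match, used by the checks below.
has_line() { grep -qxF -- "$2" "$1"; }

# Constructed sample of the dnsmasq.conf lines the postconf touches
# (sample values, not copied from a router).
make_sample_conf() {
  cat > "$1" <<'EOF'
pid-file=/var/run/dnsmasq.pid
user=nobody
no-negcache
bogus-priv
domain-needed
cache-size=1500
dnssec
EOF
}

# The same five edits that /jffs/scripts/dnsmasq.postconf performs in the post.
apply_postconf() {
  pc_delete "no-negcache" "$1"
  pc_delete "bogus-priv" "$1"
  pc_delete "domain-needed" "$1"
  pc_append "server=127.0.1.1#5453" "$1"
  pc_replace "cache-size=1500" "cache-size=0" "$1"
}

# Succeeds (exit 0) when dnsmasq still has DNSSEC enabled while its cache is
# zeroed: the combination the thread reports as breaking DNSSEC in the GUI.
# Either let Unbound validate or leave dnsmasq a cache.
dnssec_cache_conflict() {
  has_line "$1" "dnssec" && has_line "$1" "cache-size=0"
}

# Stand-alone demo: apply the edits to the sample and show the outcome.
demo() {
  f=$(mktemp)
  make_sample_conf "$f"
  apply_postconf "$f"
  echo "--- resulting dnsmasq.conf sample ---"
  cat "$f"
  if dnssec_cache_conflict "$f"; then
    echo "warning: dnssec enabled with cache-size=0 (validation must be done by Unbound)"
  fi
  rm -f "$f"
}
demo
```

Running it twice against the same file shows that pc_append is idempotent (only one server= line ends up in the config), which is what you want from a postconf that runs on every dnsmasq restart.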

Configure Stubby for DNSSEC validation:
nano /jffs/configs/stubby.yml.add

Code:
tls_min_version: GETDNS_TLS1_2
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_max_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

Then:
chmod +x /jffs/configs/stubby.yml.add

nano /jffs/scripts/stubby.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
# ask getdns for the DNSSEC validation status of every answer
pc_insert "  - GETDNS_TRANSPORT_TLS" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG
# shorter idle timeout, more TLS reconnect attempts, shorter query timeout
pc_replace "idle_timeout: 9000" "idle_timeout: 2000" $CONFIG
pc_replace "tls_connection_retries: 2" "tls_connection_retries: 5" $CONFIG
pc_replace "timeout: 3000" "timeout: 2000" $CONFIG
# return A and AAAA records together
pc_insert "dnssec_return_status: GETDNS_EXTENSION_TRUE" "return_both_v4_and_v6: GETDNS_EXTENSION_TRUE" $CONFIG

Then make it executable and restart Stubby:
chmod +x /jffs/scripts/stubby.postconf
service restart_stubby


This sets TZ for accurate syslogging, and nohup allows the following commands to be used to verify the active listening addresses. They can be run from the command line:
Code:
ps | grep unbound | grep -v grep
netstat -lnptu | grep unbound
netstat -lnpt | grep -E '^Active|^Proto|/unbound'
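An added example, not from the thread or from Unbound's own tooling: a POSIX shell check that parses the columns of netstat -lnptu output and confirms that unbound is bound only to loopback addresses on the port dnsmasq forwards to. That is the property worth verifying here, because a recursive resolver that ends up on 0.0.0.0 answers for anything that can reach the router. The netstat sample lines are constructed for the example (not captured from a router), and the function name and port variable are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: checks that unbound listens only on
# loopback on the forwarding port, using the columns of `netstat -lnptu`.

UNBOUND_PORT=5453   # the port dnsmasq forwards to in the post

# Constructed sample of `netstat -lnptu` on a healthy setup (not real output).
sample_netstat_ok() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.1:5453          0.0.0.0:*               LISTEN      1234/unbound
udp        0      0 127.0.1.1:5453          0.0.0.0:*                           1234/unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      987/dnsmasq
EOF
}

# Constructed sample where unbound.conf was left with interface: 0.0.0.0.
sample_netstat_exposed() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5453            0.0.0.0:*               LISTEN      1234/unbound
udp        0      0 0.0.0.0:5453            0.0.0.0:*                           1234/unbound
EOF
}

# Reads netstat output on stdin. Exit 0 when at least one unbound socket exists
# and every unbound socket is on 127.x.x.x or ::1 and the expected port;
# exit 1 when unbound is absent or any socket sits on another address or port.
check_unbound_listener() {
  awk -v want="$1" '
    $NF ~ /\/unbound$/ {
      n = split($4, a, ":")                        # port is the last ":" field
      lport = a[n]
      addr = substr($4, 1, length($4) - length(lport) - 1)
      if ((addr ~ /^127\./ || addr == "::1") && lport == want) ok++; else bad++
    }
    END { if (bad == 0 && ok > 0) exit 0; exit 1 }
  '
}

# Stand-alone demo against both constructed samples.
sample_netstat_ok | check_unbound_listener "$UNBOUND_PORT" \
  && echo "ok: unbound is loopback-only on port $UNBOUND_PORT"
sample_netstat_exposed | check_unbound_listener "$UNBOUND_PORT" \
  || echo "warning: unbound is listening on a non-loopback address"
```

On the router itself you would pipe the real command into the check (netstat -lnptu | check_unbound_listener 5453) and act on the exit status; the sample functions only exist so the block runs offline.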


Last thing: I treated this like a headless server situation. I opted to install haveged with
opkg install haveged
then I modified /opt/etc/init.d/S02haveged:
nano /opt/etc/init.d/S02haveged
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        logger -st "S02haveged" "Waiting for NTP to sync before starting..."
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S02haveged" "NTP failed to sync after 5 minutes - please check immediately!"
                echo ""
                exit 1
        fi
fi
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=haveged
ARGS="-w 1024 -d 32 -i 32 -v 1"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
NOTE: It is advisable to configure swap memory.
I see you borrowed a page from my book. It should be noted that those modifications do not work well for the new 384.13 alpha, as the style of DNSSEC has changed within dnsmasq, and the combination can be quite unstable.
 
those modifications do not work well for the new 384.13 alpha
Yes, I had noticed. Not even Unbound works in FW 384.13. I will stay a good while on FW 384.12 if the incompatibility remains.
 
Update tips for FW 384.13_beta1
 
Update tips for FW 384.13_beta1
Thanks. So for those with 384.13 beta, we don't need to edit Stubby? We skip the steps below the green headline? With 384.13 beta we need to enable DNSSEC in the GUI?
 
With 384.13 beta-1 the 1.1.1.1 help page reports that I'm not on 1.1.1.1 and I'm not using DoT. Is that a false negative? I'm sure the router config was not changed from 384.12.
 

With 384.13 beta-1 the 1.1.1.1 help page reports that I'm not on 1.1.1.1 and I'm not using DoT. Is that a false negative? I'm sure the router config was not changed from 384.12.
I get the same regardless of Unbound with the 1.1.1.1 test page; if you look further down, it does say you are using the 1.1.1.1 server and also Cloudflare's IPv6 server.
Don't forget to report your experience here.
Seems to work fine. DNSSEC and DoT working. But which one does the DNSSEC validation? Unbound or Merlin's firmware?
 
DNSSEC Resolver Test
This test determines whether your DNS resolver validates DNSSEC signatures. For this test you need JavaScript turned on.

Yes, your DNS resolver validates DNSSEC signatures.
 
