Installing and configuring authoritative, recursive, and DoT/DNSSEC DNS server with Unbound


Nope, DNSSEC is not working for me. I flushed DNS in Windows, restarted dnsmasq and stubby, restarted Unbound, which is running fine, and DNSSEC went away. Worked the first time but no longer works...

Is haveged needed? Because I didn't install it.
 
Worked first time but no longer works...
Run unbound-anchor.
In unbound.conf:
Code:
# DNSSEC and DNS-over-TLS
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
#tls-cert-bundle: /opt/etc/ssl/certs/ca-certificates.crt
 
Try the stubby hint steps
Ok.. It seems that when the VPN Client is running on the router, even if my device is not on the rules list, DNSSEC is not working. When turning off the VPN, DNSSEC works (even when Unbound is not running and DNSSEC is not enabled in the GUI).


UPDATE 1: So, I created the stubby files as noted in the guide, which are supposed to be for 384.12 but also work on 384.13 beta, added what you wrote to unbound.conf, AND for the first time I get more cipher validation than with Merlin's implementation with Surfnet's DNS servers:

UPDATE 2: Changing Accept DNS Configuration on the VPN client page from Strict to Exclusive solved the issue I had when DNSSEC was not working with the VPN. Now everything is fine.

So to sum it up, I did the steps suggested for 384.12 (regarding stubby) on 384.13 beta 1, installed 'unbound-anchor', and added what you suggested to unbound.conf:
Code:
# DNSSEC and DNS-over-TLS
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
tls-cert-bundle: /opt/etc/ssl/certs/ca-certificates.crt
 
The great advantage of Unbound is its validation on root servers. Only Stubby and Dnsmasq do not deliver the required reliability in queries.
 
The only disadvantage I could see is the recursive nature: if not configured properly, it could be vulnerable, for example to DNS amplification attacks due to IP spoofing. What happens is that
servers that support this type of request are vulnerable to fake requests from a spoofed IP address (the victim of the attack); the spoofed IP address can get overwhelmed by the number of DNS results it receives and be unable to serve regular Internet traffic. This is called an amplifier attack because this method takes advantage of DNS servers to reflect the attack onto a target while also amplifying the volume of packets sent to the victim.

A consequence of this activity is that third party Network administrators (the ISP) who detect these requests may block your IP addresses. Your server could even be placed upon DNS blacklists.
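The open-resolver exposure described in the post above can be checked from the configuration file itself: a recursive Unbound only becomes an amplifier when it listens beyond loopback and its access-control allow-list admits a non-private range. The audit below is an added example, not code from the thread or from the Unbound project; it assumes the standard unbound.conf server options interface: and access-control: (Unbound's own default allows only localhost), and the two configs it writes are constructed samples modelled on the thread's 127.0.1.1 port 5453 layout.

```sh
#!/bin/sh
# Audit an unbound.conf for open-resolver exposure. Added example; the
# private-range list and the sample configs below are assumptions/constructed.

# conf_values FILE OPTION: print the value of every uncommented "OPTION:" line
conf_values() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*//; s/[[:space:]]*$//'
}

# is_private_net CIDR: true for loopback, RFC 1918 and IPv6 ULA/link-local prefixes
is_private_net() {
    case $1 in
        10.*|192.168.*|127.*|::1|::1/*|fc*|fd*|fe80*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# unbound_public_allows FILE: print every allowed range that is not private
unbound_public_allows() {
    conf_values "$1" access-control |
        awk '$2 == "allow" || $2 == "allow_snoop" || $2 == "allow_setrd" { print $1 }' |
        while read -r net; do is_private_net "$net" || echo "$net"; done
}

# unbound_is_open_resolver FILE: exit 0 when the config listens on a
# non-loopback address AND allows recursion from a non-private range
unbound_is_open_resolver() {
    loopback_only=1
    for addr in $(conf_values "$1" interface | sed 's/@.*//'); do
        case $addr in 127.*|::1) ;; *) loopback_only=0 ;; esac
    done
    [ "$loopback_only" -eq 0 ] && [ -n "$(unbound_public_allows "$1")" ]
}

# Constructed sample configs (not the thread's files)
SAFE_CONF=$(mktemp); OPEN_CONF=$(mktemp)
cat > "$SAFE_CONF" <<'EOF'
server:
    interface: 127.0.1.1@5453           # only dnsmasq on the router talks to it
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    module-config: "validator iterator"
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
EOF
cat > "$OPEN_CONF" <<'EOF'
server:
    interface: 0.0.0.0                  # every interface, WAN included
    access-control: 0.0.0.0/0 allow     # answers anyone: amplifier material
    module-config: "validator iterator"
EOF

for f in "$SAFE_CONF" "$OPEN_CONF"; do
    if unbound_is_open_resolver "$f"; then
        echo "$f: OPEN RESOLVER, public ranges allowed: $(unbound_public_allows "$f" | tr '\n' ' ')"
    else
        echo "$f: recursion restricted to loopback/private ranges"
    fi
done
```

Run it against /opt/var/lib/unbound/unbound.conf instead of the samples to check a real router; a listener on the LAN address with only private ranges allowed passes, while the wildcard interface with 0.0.0.0/0 allow is flagged. The WAN firewall is a second, independent layer and is not examined here.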
 
The great advantage of Unbound is its validation on root servers. Only Stubby and Dnsmasq do not deliver the required reliability in queries.
The big issue I am having right now is turning 'local caching..' on. The clock doesn't sync after a restart and I have no connection (the reason why Merlin changed the default to NO). I have to turn off local caching when rebooting the router, and after the clock syncs I need to turn it off as mentioned in the guide..
 
The big issue I am having right now is turning 'local caching..' on. The clock doesn't sync after a restart and I have no connection (the reason why Merlin changed the default to NO). I have to turn off local caching when rebooting the router, and after the clock syncs I need to turn it off as mentioned in the guide..
you should try this with S61unbound
Code:
#!/bin/sh
# Entware init script for Unbound: on start/restart, wait (up to 5 minutes)
# for the router's NTP-synced flag before launching, since DNSSEC validation
# fails while the clock is still at the Unix epoch.
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
    # Wait for NTP before starting
    logger -st "S61unbound" "Waiting for NTP to sync before starting..."
    ntptimer=0
    while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
        ntptimer=$((ntptimer+1))
        sleep 1
    done

    if [ "$ntptimer" -ge "300" ]; then
        logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
        echo ""
        exit 1
    fi
fi

export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
PRECMD="service restart_dnsmasq"   # re-runs dnsmasq.postconf so dnsmasq forwards to Unbound
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

and this with dnsmasq.postconf
Code:
#!/bin/sh
# Asuswrt-Merlin dnsmasq.postconf: $1 is the generated dnsmasq config file.
# Only rewire dnsmasq to Unbound once DNS privacy is enabled, the clock has
# synced and the Entware init script exists; otherwise keep stock dnsmasq.
if [ "$(nvram get dnspriv_enable)" = "1" ]; then
    if [ "$(nvram get ntp_ready)" = "1" ]; then
        if [ -f /opt/etc/init.d/S61unbound ]; then
            source /usr/sbin/helper.sh
            # Unbound does the caching and validation, so drop dnsmasq's own
            pc_delete "no-negcache" /etc/dnsmasq.conf
            pc_delete "bogus-priv" /etc/dnsmasq.conf
            pc_delete "domain-needed" /etc/dnsmasq.conf
            # forward to Unbound on 127.0.1.1 port 5453 instead of the stock listener on 127.0.1.1
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
        else
            source /usr/sbin/helper.sh
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1" /tmp/resolv.dnsmasq
        fi
    fi
fi

# With local caching on, send lookups of the NTP server names straight to the
# WAN DNS servers (and to 127.0.1.1) so the clock can sync before Unbound is usable.
if [ "$(nvram get dns_local_cache)" = "1" ]; then
    {
        NTPSERVERS=""
        for VAR in 0 1; do
            NTP="$(nvram get "ntp_server$VAR")"
            [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
        done
        [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
        for DNS in $(nvram get wan_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for DNS in $(nvram get ipv6_get_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for VAR in 1 2 3; do
            DNS="$(nvram get "ipv6_dns$VAR")"
            [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
        done
        echo "server=$NTPSERVERS/127.0.1.1"
    } >> "$1"
fi

It handles the clock syncing problem by applying the modifications only when the clock is synced and your storage is mounted; otherwise it will use regular dnsmasq.

The biggest problem to overcome is only allowing the settings to be added once the clock syncs, because applying changes too soon will manipulate the process and order of how things occur within the router itself.

Edit: I added an extra piece to the bottom of dnsmasq.postconf
 
The biggest problem to overcome is only allowing the settings to be added once the clock syncs, because applying changes too soon will manipulate the process and order of how things occur within the router itself.
Seems to me the old "chicken-and-egg" dilemma starts with the system time still on the 'Unix Epoch'. I used to solve this with the hostip binary. In the NTP address options, add the NTP server IP number.
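The chicken-and-egg problem mentioned above has a concrete mechanism: every DNSSEC signature (RRSIG) carries an inception and an expiration timestamp, and a validator whose clock lies outside that window treats the record as bogus and returns SERVFAIL, so with the clock at the Unix epoch the NTP server name itself cannot be resolved through the validator. The shell script below is an added illustration, not code posted in the thread; the RRSIG timestamps are constructed sample values, and the "validator" versus "bypass" model stands for the two resolution paths the thread discusses (through Unbound, or straight to the ISP resolver via the server=/pool.ntp.org/... lines).

```sh
#!/bin/sh
# Model of why an unsynced clock stalls DNSSEC resolution. Added example;
# timestamps and the path model are constructed assumptions.

# rrsig_status NOW INCEPTION EXPIRATION: timestamps are YYYYMMDDHHMMSS (UTC),
# as printed in an RRSIG record. 14-digit values overflow 32-bit shell
# arithmetic, so the comparison is done in awk (exact as doubles).
rrsig_status() {
    awk -v now="$1" -v inc="$2" -v expire="$3" 'BEGIN {
        if (now < inc)         print "not-yet-valid"
        else if (now > expire) print "expired"
        else                   print "valid"
    }'
}

# Constructed sample: a signature over the NTP pool name, valid for 14 days
SIG_INCEPTION=20190701000000
SIG_EXPIRATION=20190715000000

# ntp_bootstrap_outcome CLOCK PATH: "ok" if the NTP name can be resolved with
# the given clock, "stuck" otherwise. PATH is "validator" (query goes through
# Unbound, which checks the RRSIG window) or "bypass" (dnsmasq sends it to the
# ISP resolver without validation, as the postconf's server= lines do).
ntp_bootstrap_outcome() {
    case $2 in
        bypass) echo ok ;;
        validator)
            if [ "$(rrsig_status "$1" "$SIG_INCEPTION" "$SIG_EXPIRATION")" = valid ]; then
                echo ok
            else
                echo stuck
            fi ;;
        *) echo "unknown path: $2" >&2; return 1 ;;
    esac
}

EPOCH_CLOCK=19700101000000    # router just booted, NTP not synced
SYNCED_CLOCK=20190708120000   # clock set by NTP

echo "epoch clock, RRSIG: $(rrsig_status "$EPOCH_CLOCK" "$SIG_INCEPTION" "$SIG_EXPIRATION")"
echo "synced clock, RRSIG: $(rrsig_status "$SYNCED_CLOCK" "$SIG_INCEPTION" "$SIG_EXPIRATION")"
echo "boot via validator: $(ntp_bootstrap_outcome "$EPOCH_CLOCK" validator)"
echo "boot via bypass:    $(ntp_bootstrap_outcome "$EPOCH_CLOCK" bypass)"
```

The same check explains the NTP server IP number workaround in the post above: an IP needs no lookup at all, so it sidesteps the validator in the same way the bypass path does, at the cost of the pool rotation discussed later in the thread.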
 
I added a fun little piece to the bottom of dnsmasq.postconf

Code:
if [ "$(nvram get dns_local_cache)" = "1" ]; then
   {
     NTPSERVERS=""
     for VAR in 0 1; do
         NTP="$(nvram get "ntp_server$VAR")"
         [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
     done
     [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
     for DNS in $(nvram get wan_dns); do
         echo "server=$NTPSERVERS/$DNS"
     done
     for DNS in $(nvram get ipv6_get_dns); do
         echo "server=$NTPSERVERS/$DNS"
     done
     for VAR in 1 2 3; do
         DNS="$(nvram get "ipv6_dns$VAR")"
         [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
     done
         echo "server=$NTPSERVERS/127.0.1.1"
   } >> "$1"
fi
This will tell time to be fetched via your ISP DNS when sync begins.
 
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
       # Wait for NTP before starting
       logger -st "S61unbound" "Waiting for NTP to sync before starting..."
       ntptimer=0
       while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
               ntptimer=$((ntptimer+1))
               sleep 1
       done

       if [ "$ntptimer" -ge "300" ]; then
               logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
               echo ""
               exit 1
       fi
'Wait for NTP ...' is an inconvenience for me, so I eliminated it. It may be more useful in other cases.
 
Please post the complete dnsmasq.postconf file
This is what I recommend for dnsmasq.postconf:
Code:
#!/bin/sh
# Asuswrt-Merlin dnsmasq.postconf: $1 is the generated dnsmasq config file.
# Only rewire dnsmasq to Unbound once DNS privacy is enabled, the clock has
# synced and the Entware init script exists; otherwise keep stock dnsmasq.
if [ "$(nvram get dnspriv_enable)" = "1" ]; then
    if [ "$(nvram get ntp_ready)" = "1" ]; then
        if [ -f /opt/etc/init.d/S61unbound ]; then
            source /usr/sbin/helper.sh
            # Unbound does the caching and validation, so drop dnsmasq's own
            pc_delete "no-negcache" /etc/dnsmasq.conf
            pc_delete "bogus-priv" /etc/dnsmasq.conf
            pc_delete "domain-needed" /etc/dnsmasq.conf
            # forward to Unbound on 127.0.1.1 port 5453 instead of the stock listener on 127.0.1.1
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
        else
            source /usr/sbin/helper.sh
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1" /tmp/resolv.dnsmasq
        fi
    fi
fi

# With local caching on, send lookups of the NTP server names straight to the
# WAN DNS servers (and to 127.0.1.1) so the clock can sync before Unbound is usable.
if [ "$(nvram get dns_local_cache)" = "1" ]; then
    {
        NTPSERVERS=""
        for VAR in 0 1; do
            NTP="$(nvram get "ntp_server$VAR")"
            [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
        done
        [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
        for DNS in $(nvram get wan_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for DNS in $(nvram get ipv6_get_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for VAR in 1 2 3; do
            DNS="$(nvram get "ipv6_dns$VAR")"
            [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
        done
        echo "server=$NTPSERVERS/127.0.1.1"
    } >> "$1"
fi

With the new addition of the part at the bottom, the wait will be minimal because the time lookup has a directly defined pathway and only takes a couple of seconds, where normally it would be around 10 to 15 seconds.
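The "directly defined pathway" in the post above, and the earlier explanation that the postconf additions only take effect once the clock has synced, both come down to how dnsmasq picks an upstream for a given name. The script below reproduces that selection so the effect of the server=/pool.ntp.org/.../ISP_DNS lines can be seen offline. It is an added example, not code from the thread; the matching rule is the one documented for dnsmasq's server= option (a /domain/ entry applies to the domain and everything under it, the longest matching domain wins, and names with no match use the plain server= entries), and the config it reads is a constructed sample of what the postconf appends.

```sh
#!/bin/sh
# Reproduce dnsmasq's domain-specific upstream selection. Added example; the
# sample config is constructed, the addresses are documentation ranges.

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample of what dnsmasq.postconf appends with local caching on
server=/ntp.org/198.51.100.1
server=/pool.ntp.org/time.nist.gov/203.0.113.53
server=/pool.ntp.org/time.nist.gov/127.0.1.1
server=127.0.1.1#5453
EOF

# dnsmasq_upstreams_for NAME FILE: print the candidate upstream(s) dnsmasq
# would forward NAME to, one per line, in config order
dnsmasq_upstreams_for() {
    awk -v q="$1" '
        /^[[:space:]]*#/ { next }
        !/^[[:space:]]*server=/ { next }
        {
            sub(/^[[:space:]]*server=/, "")
            # plain server=addr: default upstream for names with no domain match
            if (substr($0, 1, 1) != "/") { defaults = defaults $0 "\n"; next }
            n = split(substr($0, 2), p, "/")   # p[1..n-1] are domains, p[n] the address
            for (i = 1; i < n; i++) {
                d = p[i]
                if (d == "") continue
                # NAME matches d when it equals d or ends in "." d
                if (q != d && substr(q, length(q) - length(d)) != "." d) continue
                if (length(d) > best) { best = length(d); hits = "" }   # longer suffix wins
                if (length(d) == best) hits = hits p[n] "\n"
            }
        }
        END { printf "%s", (best > 0 ? hits : defaults) }
    ' "$2"
}

for name in pool.ntp.org 2.pool.ntp.org x.ntp.org www.example.com; do
    echo "$name -> $(dnsmasq_upstreams_for "$name" "$SAMPLE_CONF" | tr '\n' ' ')"
done
```

Point it at the generated dnsmasq.conf on the router (or at the file passed to dnsmasq.postconf as $1) to confirm that only the NTP names leave via the WAN resolvers while everything else still goes to Unbound on 127.0.1.1#5453; dnsmasq itself picks one of the printed candidates per query, so the list shows which servers are eligible, not the order tried.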
 
'Wait for NTP ...' is an inconvenience for me, so I eliminated it. It may be more useful in other cases.

@rgnldo

I recommend trying it out with all the pieces that have been quantitatively added and see if you still feel the same way about your quote above.

(quoting the S61unbound and dnsmasq.postconf scripts from the post above)


test it with DNS local caching turned on and tell me what you think.

Testing it would involve seeing how it performs on reboots and whatnot.
 
Test: add the NTP server IP number, without the script's NTP wait.

 
Test: add the NTP server IP number, without the script's NTP wait.
The only reason I do not go the route of using a direct IP for the NTP service is because there may be multiple IPs attached to an NTP server, and you would lose out on the benefit of it switching to another IP if the IP you have in its place fails or goes down.

So, in short, it may work in the meantime, but in the long run it will not produce a long-lasting outcome, especially if the NTP server switches the IPs at sync time to reduce the load on the NTP server. It may block you in the long run if your time sync is constantly hitting the one IP instead of allowing the IPs to be rotated, if that is how the NTP server is designed.
 
I am thinking about enabling this option in dnsmasq:
Code:
pc_append "listen-address=127.0.0.1" /etc/dnsmasq.conf
 
I modified the IPv6 part of the NTP server directives to also use the ISP's IPv6 DNS if DNS servers have not been defined on the IPv6 page (meaning it is set to automatic instead of manually defined). For some reason the NVRAM variables for predefined and automatic are different when dealing with IPv6.
Code:
if [ "$(nvram get dns_local_cache)" = "1" ]; then
   {
     NTPSERVERS=""
     for VAR in 0 1; do
         NTP="$(nvram get "ntp_server$VAR")"
         [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
     done
     [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
     for DNS in $(nvram get wan_dns); do
         echo "server=$NTPSERVERS/$DNS"
     done
     for DNS in $(nvram get ipv6_get_dns); do
         echo "server=$NTPSERVERS/$DNS"
     done
     for VAR in 1 2 3; do
         DNS="$(nvram get "ipv6_dns$VAR")"
         [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
     done
         echo "server=$NTPSERVERS/127.0.1.1"
   } >> "$1"
fi
 
