Unbound Making Unbound into a DoT/DoH (rather than plain dns) for clients

[gspannu]

Could anyone please assist in modifying the unbound.conf file to enable DoT/DoH for downstream clients?

I am guessing, the lines I need to add are something like the following:

interface: 127.0.0.1@853
tls-service-key: "path/to/privatekeyfile.key"
tls-service-pem: "path/to/publiccertfile.pem"
tls-port: 853
https-port: 443

Some background

• I have unbound installed on the router (RTAX88u, v386.8) and it servers as a DNS server to local clients as well as some of my remote clients.
• If all my clients were local (like router DHCP clients), I would have been OK with unbound receiving plain dns requests as everything is contained within the router.
• Since I have some remote clients, I would want to enable DoT/DoH for these remote remote clients.
• Some of these remote clients are connected via a VPN to the router (again, I would be OK with plain dns) but I have a few remote clients that are not coming in via VPN, and these clients just use my router as a DNS server. Hence, I need to publish a DoT server.
• I understand that opening up the router as a DNS server to public addresses has its risks, but I plan to secure the access by only allowing these specific remote clients.

I think I need to use the above lines in my unbound.conf file.
I think I will also use other port numbers (rather than 853 and 443 defaults) as my remote clients can specify different ports.

a) Can someone provide some guidance on the tis-service-key and pem values to use ? b) What else would I need to change in the unbound.conf file or elsewhere?
3) And other recommendations?

 

[dave14305]

I don’t know how to setup DoT in Unbound, but I’m pretty sure that Entware’s Unbound package is compiled without DoH support, so focus on DoT.

 

[gspannu]

I don’t know how to setup DoT in Unbound, but I’m pretty sure that Entware’s Unbound package is compiled without DoH support, so focus on DoT.

Thanks for the update.

DoT will work for me... but I am unable to get DoT working either.

Are you aware of the version of Unbound is included in the package? Or how to manually update the Unbound files (not Unbound Manager) to the latest version ?

 

[gspannu]

@Martineau Could you assist on this please?

 

[dave14305]

Are you aware of the version of Unbound is included in the package?

# opkg info unbound-daemon
Package: unbound-daemon
Version: 1.16.1-1

 

[gspannu]

# opkg info unbound-daemon
Package: unbound-daemon
Version: 1.16.1-1

Thanks. I do have the same version running.

 

[heysoundude]

Go straight to the source:

unbound.conf(5) — Unbound 1.21.1 documentation

unbound.docs.nlnetlabs.nl

Maybe make your router a WireGuard Server?

 

[gspannu]

Go straight to the source:

unbound.conf(5) — Unbound 1.21.1 documentation

unbound.docs.nlnetlabs.nl

Maybe make your router a WireGuard Server?

I have gone through the documentation...

What I cannot figure out is what values to use for the tls-service-key and pem.
I have tried using my LetsEncrypt cert and key (/jffs/.le/mydomain.com/fullchain.pem and /jffs/.le/mydomain.com/mydomain.com.key) but it does not seem to work.

interface: 127.0.0.1@853
tls-service-key: "???????"
tls-service-pem: "???????????"
tls-port: 853

Also, how can I check on the router whether tls://127.0.0.1:853 is working or not?
Is there any dig command to verify this?

WireGuard does not help... as my clients do not use a VPN - they only need to connect to the router for resolving their DNS via DoT.

 

[dave14305]

Is there any dig command to verify this?

dig +tls www.snbforums.com @127.0.0.1 -p 853

port is optional if left as default 853.

 

[heysoundude]

WireGuard does not help... as my clients do not use a VPN - they only need to connect to the router for resolving their DNS via DoT.

consider: using wireguard for those clients to connect to your router (DNS server) through an encrypted tunnel is just like DoT

 

[Jumpstarter]

Doesn't the router already have DoT built-in using Stubby?

 

[New2This]

Have you looked into the unbound_manager advanced ( Then click on #3 for Advanced tools) There you can find some advanced items(DoT)

You can use this tool to see in real time

Tutorial - How to monitor DNS traffic in real-time

The following script allows for real-time monitoring of DNS on the router for the purposes of knowing what DNS servers are in use, and which network interfaces are being used. https://pastebin.com/AGNF8cC8 Overview One of the most difficult aspects of the router for users is managing DNS. DNS...

www.snbforums.com

 

[vdemarco]

I know that this is an old thread, but has anyone configured a dot/doh (I know they are different) using unbound? I have unbound manager installed, so that part is easy.

I tried to get a certificate on the device but that failed. (i am sure that i did something wrong) i have ddns setup through asus, but that address didn't work for lets encrypt (assuming i didn't really mess up)


any hints??

 

[Temp_val]

Hello,
Sorry, I am also doing some archeology, just as the person before me. Maybe it will help, as this post appeared in the top results and seems read two years after being created.
I already configured a functional DoT resolver with Unbound. Regarding this certificate generation, I used the command line

openssl req -x509 -newkey rsa:4096 -keyout privatekeyfile.key -out publiccertfile.pem -days 1000 -noenc

, which I read and adapted from this blog. I changed the -nodes to -noenc as the former was deprecated in OpenSSL 3.0. Also, you may remove the days limit if you do not want your certificate to expire.