Unbound - Authoritative Recursive Caching DNS Server

[rgnldo]

I await news @SomeWhereOverTheRainBow

 

[SomeWhereOverTheRainBow]

I think you can adapt.

as confusing as every ones debian guide is, I can happily say that entware has nginx compiled to support tls 1.3. I am happy about that.

 

[rgnldo]

support tls 1.3. I

I'm excited about a local DoT or DoH solution. Awaiting.

 

[dave14305]

I don't quite follow what's on the other end of this proxy? It doesn't do much good on the router, since you can't rely on every authoritative name server to accept DoT. Or is it supposed to run on my theoretical Unbound server in the cloud, so it will accept DoT requests with nginx running on the Linux instance, and the router using Unbound or Stubby to forward local queries over DoT?

 

[rgnldo]

I don't quite follow what's on the other end of this proxy? It doesn't do much good on the router, since you can't rely on every authoritative name server to accept DoT. Or is it supposed to run on my theoretical Unbound server in the cloud, so it will accept DoT requests with nginx running on the Linux instance, and the router using Unbound or Stubby to forward local queries over DoT?

Nginx is very light and takes up little process on the router. I have experience with Nginx shipped on Tomato. Honestly, a router that supports Diversion Adblock's load can handle almost everything. Let's go to the tests

 

[SomeWhereOverTheRainBow]

I don't quite follow what's on the other end of this proxy? It doesn't do much good on the router, since you can't rely on every authoritative name server to accept DoT. Or is it supposed to run on my theoretical Unbound server in the cloud, so it will accept DoT requests with nginx running on the Linux instance, and the router using Unbound or Stubby to forward local queries over DoT?

Basically it is pushing what ever servers you are ( weather it is google or cloudflare) out using a secure TLS connection. Basically your Google that you have become can be pushed out to be a AD blocking server if you have unbound configured correctly, Clients can then pull it back using forwarding option. the only problem is that Unbound has to open a new connection each time because it cannot reuse the same tcp/tls.

 

[rgnldo]

Basically it is pushing what ever servers you are ( weather it is google or cloudflare) out using a secure TLS connection. Basically your Google that you have become can be pushed out to be a AD blocking server if you have unbound configured correctly, Clients can then pull it back using forwarding option. the only problem is that Unbound has to open a new connection each time because it cannot reuse the same tcp/tls.

Awaiting setup steps.

 

[rgnldo]

The Pros and Cons of DNS Encryption
https://www.infosecurity-magazine.com/opinions/the-pros-and-cons-of-dns-encryption/

 

[dave14305]

I have switched my firmware from Merlin to John's fork, but I was able to get Unbound working as before. It's a little trickier/riskier because John's fork doesn't let the router rely on WAN DNS only, but must use dnsmasq for router lookups. So I have to be really sure that Unbound is up and running before I restart dnsmasq and remove the WAN DNS configuration.

So I made 3 changes to my configuration:

1. /opt/etc/init.d/S61unbound - I made the dnsmasq restart a POSTCMD instead of the PRECMD.
   

   #!/bin/sh
   if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
          # Wait for NTP before starting
          logger -st "S61unbound" "Waiting for NTP to sync before starting..."
          ntptimer=0
          while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                  ntptimer=$((ntptimer+1))
                  sleep 1
          done
   
          if [ "$ntptimer" -ge "300" ]; then
                  logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
                  echo ""
                  exit 1
          fi
   fi
   
   export TZ=$(cat /etc/TZ)
   ENABLED=yes
   PROCS=unbound
   ARGS="-c /opt/var/lib/unbound/unbound.conf"
   PREARGS="nohup"
   PRECMD=""
   POSTCMD="service restart_dnsmasq"
   DESC=$PROCS
   PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
   
   . /opt/etc/init.d/rc.func

2. /jffs/scripts/dnsmasq.postconf - I checked to make sure unbound is running before I remove the WAN DNS servers (changed to resolv-file in John's fork vs servers-file in Merlin).
   

   #!/bin/sh
   . /opt/share/diversion/file/post-conf.div # Added by Diversion
   
   CONFIG=$1
   source /usr/sbin/helper.sh
   
   if [ -n "`pidof unbound`" ]; then
           #pc_delete "servers-file" $CONFIG
           pc_delete "resolv-file=/tmp/resolv.conf" $CONFIG
           pc_append "server=127.0.0.1#5053" $CONFIG
           pc_append "proxy-dnssec" $CONFIG
   [*]fi

3. /opt/var/lib/unbound/unbound.conf - Since the CA bundle in John's fork is a bit older than in Merlin, I reverted to the Entware ca-bundle path.
   

   tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"

So far so good. I need to test a reboot again later tonight. I had some issues with the NTP sync before I added my dnsmasq postconf check, since I couldn't resolve the NTP server names. But so far so good!

EDIT: Turns out that the ca-bundle.crt are the same version in the firmware. My mistake. I'll leave it for now.
EDIT 2: Added proxy-dnssec to dnsmasq.postconf

 

[rgnldo]

/jffs/scripts/dnsmasq.postconf - I checked to make sure unbound is running before I remove the WAN DNS servers (changed to resolv-file in John's fork vs servers-file in Merlin).

Better to add the argument of the questions which WAN DNS files exist.

/opt/var/lib/unbound/unbound.conf - Since the CA bundle in John's fork is a bit older than in Merlin, I reverted to the Entware ca-bundle path.

I believe it is better to leave it by default.

 

[Delusion]

I have switched my firmware from Merlin to John's fork, but I was able to get Unbound working as before. It's a little trickier/riskier because John's fork doesn't let the router rely on WAN DNS only, but must use dnsmasq for router lookups. So I have to be really sure that Unbound is up and running before I restart dnsmasq and remove the WAN DNS configuration.

Spoiler

So I made 3 changes to my configuration:

1. /opt/etc/init.d/S61unbound - I made the dnsmasq restart a POSTCMD instead of the PRECMD.
   

   #!/bin/sh
   if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
          # Wait for NTP before starting
          logger -st "S61unbound" "Waiting for NTP to sync before starting..."
          ntptimer=0
          while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                  ntptimer=$((ntptimer+1))
                  sleep 1
          done
   
          if [ "$ntptimer" -ge "300" ]; then
                  logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
                  echo ""
                  exit 1
          fi
   fi
   
   export TZ=$(cat /etc/TZ)
   ENABLED=yes
   PROCS=unbound
   ARGS="-c /opt/var/lib/unbound/unbound.conf"
   PREARGS="nohup"
   PRECMD=""
   POSTCMD="service restart_dnsmasq"
   DESC=$PROCS
   PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
   
   . /opt/etc/init.d/rc.func

2. /jffs/scripts/dnsmasq.postconf - I checked to make sure unbound is running before I remove the WAN DNS servers (changed to resolv-file in John's fork vs servers-file in Merlin).
   

   #!/bin/sh
   . /opt/share/diversion/file/post-conf.div # Added by Diversion
   
   CONFIG=$1
   source /usr/sbin/helper.sh
   
   if [ -n "`pidof unbound`" ]; then
           #pc_delete "servers-file" $CONFIG
           pc_delete "resolv-file=/tmp/resolv.conf" $CONFIG
           pc_append "server=127.0.0.1#5053" $CONFIG
   fi

3. /opt/var/lib/unbound/unbound.conf - Since the CA bundle in John's fork is a bit older than in Merlin, I reverted to the Entware ca-bundle path.
   

   tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"

So far so good. I need to test a reboot again later tonight. I had some issues with the NTP sync before I added my dnsmasq postconf check, since I couldn't resolve the NTP server names. But so far so good!

EDIT: Turns out that the ca-bundle.crt are the same version in the firmware. My mistake. I'll leave it for now.

Dave what about cach-size in DNSMASQ ? do you also set it to 0 instead of the default 1500? the dnsmasq.postconf you posted is your entire config or is there more below the if section?

 

[dave14305]

Dave what about cach-size in DNSMASQ ? do you also set it to 0 instead of the default 1500? the dnsmasq.postconf you posted is your entire config or is there more below the if section?

I don't change anything else about dnsmasq yet. I'm not claiming my setup is production-ready for everyone. But it's working well for me at this time. I've got all this extra free memory now that I'm running John's fork.

EDIT: I did forget to re-add my proxy-dnssec statement.

 

[rgnldo]

Dave what about cach-size in DNSMASQ ? do you also set it to 0 instead of the default 1500?

This is the configuration scenario of the @dave14305 for Asuswrt-Merlin 374.43 LTS

CONFIG=$1
source /usr/sbin/helper.sh
if [ -n "`pidof unbound`" ]; then
         pc_delete "resolv-file=/tmp/resolv.conf" $CONFIG
         pc_append "server=127.0.0.1#53535" $CONFIG
         pc_delete "no-negcache" $CONFIG
         pc_replace "cache-size=1500" "cache-size=0" $CONFIG
         pc_append "proxy-dnssec" $CONFIG
[*]fi

 

[rgnldo]

unbound.conf with better performance.

server:
# port to answer queries from
port: 53535
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes

do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
interface: 127.0.0.1
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/24 allow
access-control: 192.168.1.0/24 allow
access-control: ::0/0 refuse
access-control: ::1 allow

# private networks:
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes
outgoing-range: 8192
num-queries-per-thread: 4096
outgoing-num-tcp: 10
incoming-num-tcp: 10
infra-cache-numhosts: 15000
infra-cache-lame-size: 10k

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m
cache-min-ttl: 3600
cache-max-ttl: 86400
cache-max-negative-ttl: 0
infra-host-ttl: 60
infra-lame-ttl: 120
edns-buffer-size: 1472

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# DNSSEC and DNS-over-TLS
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
auto-trust-anchor-file: "/root.key"

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

 

[dave14305]

Dave what about cach-size in DNSMASQ ? do you also set it to 0 instead of the default 1500? the dnsmasq.postconf you posted is your entire config or is there more below the if section?

I've added the no-negcache and cache-size changes since the assumption is that Unbound is a more efficient caching server. So I'll continue to monitor how it performs.

 

[rgnldo]

I've added the no-negcache and cache-size

The change is important. Although dnsmasq is not forwarding queries, it is still monitoring and trying to store local cache.

 

[rgnldo]

@SomeWhereOverTheRainBow Proposal for local service DoT with Nginx. I think it's over here:

opkg install nginx

/opt/etc/nginx/nginx.conf

stream {
    upstream dns-servers {
        server    127.0.0.1:53535;
 
    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;

        ssl_certificate            /opt/etc/nginx/ssl/dot-server.crt;
        ssl_certificate_key        /opt/etc/nginx/ssl/dot-server.key;

        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
  
        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:SSL:20m;
        ssl_session_timeout      4h;
    }
}

 

[Delusion]

@SomeWhereOverTheRainBow Proposal for local service DoT with Nginx. I think it's over here:

opkg install nginx

/opt/etc/nginx/nginx.conf

stream {
    upstream dns-servers {
        server    127.0.0.1:53535;
 
    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;

        ssl_certificate            /opt/etc/nginx/ssl/dot-server.crt;
        ssl_certificate_key        /opt/etc/nginx/ssl/dot-server.key;

        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers          HIGH:!aNULL:!MD5;
    
        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:SSL:20m;
        ssl_session_timeout      4h;
    }
}

We need ngx_stream_module.so to make this work . So instead of opkg install nginx, we should use:
opkg install nginx-extras.
And at the top of nginx.conf we need to add this line (without double quotes):

"load_module /opt/lib/nginx/ngx_stream_module.so;"

But it fails to find the dot-server.crt and dot-server.key (I guess the path is incorrect)

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow Proposal for local service DoT with Nginx. I think it's over here:

opkg install nginx

/opt/etc/nginx/nginx.conf

stream {
    upstream dns-servers {
        server    127.0.0.1:53535;
 
    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;

        ssl_certificate            /opt/etc/nginx/ssl/dot-server.crt;
        ssl_certificate_key        /opt/etc/nginx/ssl/dot-server.key;

        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers          HIGH:!aNULL:!MD5;
   
        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:SSL:20m;
        ssl_session_timeout      4h;
    }
}

That looks like it will work the only thing you may need to do is a firewall rule for tcp on port 853. And every body that decides to go this route has to make the directory for "/opt/etc/nginx/ssl" and provide their own ssl cert for their setup. Let it be noted you need to install the nginx-extras and not the basic nginx because nginx-extras is the full package deal

 

[rgnldo]

But it fails to find the dot-server.crt and dot-server.key

cd /opt/etc/nginx/ssl
chown -R nobody /opt/etc/nginx/ssl
openssl genrsa -out dot-server.key 2048
openssl req -key ca.key -new -x509 -days 720 -sha256 -extensions v3_ca -out dot-server.crt -subj "/CN=Nginx CA"