Unbound - Authoritative Recursive Caching DNS Server
- Thread starter rgnldo
- Start date
- Status
First I would like to thank the amazing job everyone is doing. Thanks to you all and Martineau script unbound is running perfectly for a week now.
So much so I would like to use unbound as my private dns on my android devides, but I am not sure on how to proceed.
I wonder if there is a way for unbound to listen to the port 853 on WAN, and since I have the asuscomm DDNS setup with Let's encrypt ssl certificate I should set /jffs/.le/example.asuscomm.com/example.asuscomm.com.cer and /jffs/.le/example.asuscomm.com/example.asuscomm.com.key as either ssl_certificate/tls-service-pem and ssl_certificate_key/tls-service-key.
I found these 2 posts but I am not sure if they are up to date.
So much so I would like to use unbound as my private dns on my android devides, but I am not sure on how to proceed.
I wonder if there is a way for unbound to listen to the port 853 on WAN, and since I have the asuscomm DDNS setup with Let's encrypt ssl certificate I should set /jffs/.le/example.asuscomm.com/example.asuscomm.com.cer and /jffs/.le/example.asuscomm.com/example.asuscomm.com.key as either ssl_certificate/tls-service-pem and ssl_certificate_key/tls-service-key.
I found these 2 posts but I am not sure if they are up to date.
rgnldo
Very Senior Member
From what I notice, he is already working with certificates. It's a good start. I paused the attempt with the unbound in TLS mode. I will return this proposal.
So I am "almost" able to make it work. My android device is able to connect to the private DNS using my asus DDNS FQDN but only when I am connect to my LAN as soon I change to the mobile data it can no longer connect. It might be because I did something wrong when creating the iptables rules or forgot to set something so I count on your help with that.
I have a AC86U with asus merlin 384.17 and Skynet and unbound installed with amtm. I will describe what I have changed bellow, and I have a few question:
- Is there a way to listen only to the WAN interface instead of all? i.e. 0.0.0.0
- Is that a good security practice or is it better just leave listening to al?
- How to correctly open port 853 on iptables?
- Why all my local domain get DNS_PROBE_FINISHED_NXDOMAIN when I have the private DNS activated(I am connected to my local lan)?
The changes I made to the unbound.conf generated by unbound_manager was adding the "tls-port", additional interface 0.0.0.0:53, commented out the self-signed tls-cert-bundle and use tls-service-key and tls-service-pem using the files Lets Encrypt create to my asus DDNS. You could just replace the self-signed with the tls-cert-bundle that Lets Encrypt generate if you want to keep the file short.
Code:
#tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config
# Enable DoT to be used
tls-port: 853
interface: 0.0.0.0@853
tls-service-key: "/etc/key.pem" # I look through all the source code to see how the system copy the files from lets encrypt but could not find how. I just know that this file is the same as /jffs/.le/example.asuscomm.com/example.asuscomm.com.key because I diff them.
tls-service-pem: "/etc/cert.pem" # I look through all the source code to see how the system copy the files from lets encrypt but could not find how. I just know that this file is the same as /jffs/.le/example.asuscomm.com/fulchain.pem because I diff them.
#tls-cert-bundle: "/etc/server.pem" #You could use this file if you want to keep the config file as short as possible. This is the only one I could find on the source code and is basically key.pem + cert.pemAnd these are the change I made to iptables:
Code:
iptables -I INPUT -p tcp --destination-port 853 -j ACCEPT
ptables -I INPUT -p udp --destination-port 853 -j ACCEPT
iptables -S | grep 853
-A INPUT -p udp -m udp --dport 853 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 853 -j ACCEPT
-A FORWARD -i br0 -p tcp -m tcp --dport 853 -j DNSFILTER_DOTI don't know the 100% safe way to open the firewall, but you need to be sure to insert your ACCEPT rules before the last DROP or logdrop in the INPUT chain. Look at iptables -S INPUT and see if your rules are before or after that final drop command.
EDIT: now I see you did use -I INPUT so it would insert at the top of the chain. No idea then.
It seems that they are.
Also, I just did a test with getdnsapi.net when using options "return_call_reporting" I get "status": GETDNS_RESPSTATUS_ALL_TIMEOUT, and when using "dnssec_return_status" and got the answer "status":GETDNS_RESPSTATUS_GOOD
Code:
iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 853 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 853 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p igmp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j logdropAlso, I just did a test with getdnsapi.net when using options "return_call_reporting" I get "status": GETDNS_RESPSTATUS_ALL_TIMEOUT, and when using "dnssec_return_status" and got the answer "status":GETDNS_RESPSTATUS_GOOD
Last edited:
rgnldo
Very Senior Member
Very good. The problem now is external listening, DDNS. With Unbound it's solved. How did you generate your certificates?
I use the option "Free Certificate from Let's Encrypt" Under Wan > DDNS and I used asus ddns. After checking almost everything on the merlin github I don't know how is done, but I know that the lets encrypt fullchain.pem is copied as /etc/cert.pem, the domain.key -> /etc/key.pem and /etc/server.pem can be used as tsl-cert-bundle.
@rgnldo Any idea on how to fix the external listening problem?
@rgnldo Any idea on how to fix the external listening problem?
rgnldo
Very Senior Member
Without the Unbound TLS environment enabled, can you access?
I am not usre how to test the accessibility of the port 853. I know that the DDNS is accessible because I have a openvpn server running on my router and I use the ddns on all my ovpn config files.
As you can see on my "iptables -S INPUT" output I have a similar rule "-A INPUT -p udp -m udp --dport 1194 -j ACCEPT" to the port my ovpn server uses.
I am sorry if I didn't help much, I am a noob in network and scripting language.
One thing I notice is that the port 853 does not show up on the PREROUTING chain.
Apparently yes but only on TCP, assuming this means that there was some traffic on that port " 3497 373K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:853"
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:853
3497 373K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:853
1467 120K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
539 19404 ACCEPT 2 -- eth0 * 0.0.0.0/0 0.0.0.0/0
20444 1713K INPUT_PING icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
20M 17G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4138 178K logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
3515K 772M PTCSRVWAN all -- !br0 * 0.0.0.0/0 0.0.0.0/0
686K 99M PTCSRVLAN all -- br0 * 0.0.0.0/0 0.0.0.0/0
686K 99M ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
3510K 770M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
5274 1322K OVPN all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
1 383 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 INPUT_ICMP icmp -- * * 0.0.0.0/0 0.0.0.0/0
5273 1322K logdrop all -- * * 0.0.0.0/0 0.0.0.0/0Also make sure your unbound.conf access-control: 0.0.0.0/0 allow
@dave14305 @rgnldo Is there a way to set unbound to listen only the WAN interface on the 853 instead of 0.0.0.0@853? Would that be better?
I already have Skynet installed. Is there any special setting I should do to protect the specific 853 port?
Good catch I will check that.
I already have Skynet installed. Is there any special setting I should do to protect the specific 853 port?
It would be better, but does your WAN IP change often? You would need to trigger an unbound.conf update from ddns-start script I think. Complicated.
If that help to improve my router security I would be willing to do it and submit a PR to Martineau script.
I am just not sure what is the DDNS workflow on the firmware, I try to find the ddns-start but I couldn't.
Should the config look something like this? Also, is there any special settings on skynet before opening the port 853?
Code:
interface: WAN_IP@853
access-control: WAN_IP/32 allowaccess-control: would still need to be 0.0.0.0/0 allow unless you can identify the range of possible WAN IPs when your Android phone is on cellular networking.
https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts#ddns-start
This explains the /jffs/scripts/ddns-start script you would need to create. But it would take some fancy sed commands to replace the WAN IP in unbound.conf with $1 in the ddns-start script. Quite possible, but takes some work to do reliably. Martineau is very good at swapping values in the unbound.conf script.
Does the DoT connection work yet from the WAN? Once it does, you could enable logging to see the source IPs from the Internet to determine if they fall within a more specific IP range.
Skynet will block bad IPs regardless of port, so no special configuration required.
- Status
Similar threads
Similar threads
-
Can't connect to DYNDNS when Unbound is enabled !
- Started by ComputerSteve
- Replies: 10
-
-
Unbound + Wireguard: is this combination possible at all?
- Started by louisschneider
- Replies: 6
Latest threads
-
-
Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root- Started by PR3MIUM
- Replies: 0
-
-
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!