Installing and configuring authoritative, recursive, and DoT/DNSSEC DNS server with Unbound

This is awesome
 
@rgnldo, thank you very much for this!

https://nlnetlabs.nl/projects/unbound/about/

I will be trying this as soon as I can.

Do you have any suggestions on how to use this with the latest 384.11 RMerlin release and DoT it includes too? Or will they just play nice together?

Reading a bit more about this, will this affect Diversion and pixelserv-tls too?

While I appreciate having this guide and package available for our routers, I am not sure at all how it will impact the other scripts and options that we have too?
 
Thank you very much for this tutorial.

There are 3 things that are not correct:
1) /opt/etc/unbound/init.d/S61unbound start
Should be:
Code:
/opt/etc/init.d/S61unbound start
2) I got a failure when starting the script. It couldn't find hints.root
I got it by running the following command:
Code:
curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
3) /opt/etc/unbound/unbound.conf is in 6)
In the configuration it is: /opt/var/lib/unbound/unbound.conf
I think it should be the same....
 
3) /opt/etc/unbound/unbound.conf is in 6)
In the configuration it is: /opt/var/lib/unbound/unbound.conf
I think it should be the same....
Exactly. He had forgotten. This is the authoritative dns resource
 
Do you have any suggestions on how to use this with the latest 384.11 RMerlin release and DoT it includes too? Or will they just play nice together?
Yes. For Stubby Merlin
Code:
forward-zone:
    # Cloudflare
    name: "."
    forward-tls-upstream: yes
    forward-addr: 127.0.0.1@53
Reading a bit more about this, will this affect Diversion and pixelserv-tls too?
I have my own adblock script, generating it for Unbound. I do not need Pixelserv-tls
 
I got another error:
unbound: [25585:0] fatal error: could not open autotrust file for writing, /root.key.25585-0: Permission denied (With verbosity: 2 instead of 1)

I changed unbound.conf file
username: "nobody" to:
username: "root"

I don't know if this is the correct way...
 
 
I don't know if this is the correct way...
Ok here.
Code:
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf
Code:
admin@rgnldo-lan:/tmp/home/root# /opt/etc/init.d/S61unbound check
 Checking unbound...              alive.
 
Can I still utilize dnsmasq.conf.add to add additional hosts?
I have long abandoned storing my manual DHCP static list in nvram and use dnsmasq.conf.add instead. Much easier to update/support and very portable!
 
Actually I would still like to use dnsmasq.conf.add. This is how I assign fixed IP addresses on my network. Asus nvram has limits in this area. I now use dnsmasq (via dnsmasq.conf.add).

A few more questions. It looks like the main change to dnsmasq.conf is to add:

server=127.0.0.1#40
cache-size=0

Correct? In other words, can I simply add "server=127.0.0.1#40" to dnsmasq.conf.add?
Also, I assume setting dnsmasq cache-size to 0 is to let unbound do all caching?
You do not have to use it. Enough
Code:
service restart_dnsmasq
 
This is how I assign fixed IP addresses on my network. Asus nvram has limits in this area. I now use dnsmasq (via dnsmasq.conf.add).
But you'll get more customization with /jffs/config/dnsmasq.conf
/jffs/config/dnsmasq.conf.add you just add rows. It will conflict with the line
cache-size=1500
Merlin pattern
Edit your dnsmasq.conf as you wish and restart
service restart_dnsmasq
 
I see, unbound is using /jffs/config/dnsmasq.conf.
I can just add my fixed address assignments to that file just as easily. I will create a /jffs/config/dnsmasq.conf.add kind of script ">>" easy enough ;-)
 
Thanks @rgnldo
Perhaps I can clone the stubby installer and modify it for unbound. Am using Unbound + DoT on pfSense. Never could get the unbound part dialed in on Asuswrt-Merlin.
 
I see, unbound is using /jffs/config/dnsmasq.conf.
I can just add my fixed address assignments to that file just as easily. I will create a /jffs/config/dnsmasq.conf.add kind of script ">>" easy enough ;-)
Keep an eye on this setting in case things go awry. /jffs/configs/dnsmasq.conf.add and Diversion ad blocker append to /etc/dnsmasq.conf. I don't think dnsmasq.conf.add can be written off completely. May be worth checking if dnsmasq.conf.add and /jffs/configs/dnsmasq.conf play well together.

The purpose of /jffs/configs/dnsmasq.conf.add is to allow users to customize the firmware dnsmasq.conf file without touching it. I think the dnsmasq.conf.add settings override any firmware settings last time I checked.
 
Keep an eye on this setting in case things go awry. /jffs/configs/dnsmasq.conf.add and Diversion ad blocker append to /etc/dnsmasq.conf. So I don't think dnsmasq.conf.add can be written off completely.

Using a custom dnsmasq.conf has caused issues in the past where directives/values have been modified for a new release of dnsmasq, and during the (dirty) upgrade reboot, dnsmasq didn't start.

So to play safe, use dnsmasq.conf.add, and if necessary, use dnsmasq.postconf to tweak/alter/delete any variables
e.g. 'cache-size=1500' to 'cache-size=0' (not this old discussion again! :eek:)
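As an added example (not from this thread or from the Asuswrt-Merlin firmware), this is the kind of edit a /jffs/scripts/dnsmasq.postconf script would make on the firmware-generated dnsmasq.conf, as suggested above: flip `cache-size` to 0 and point dnsmasq at Unbound on 127.0.0.1#40. The function names and the sample config are my own; it goes one step beyond the thread by also dropping the firmware's `resolv-file`/plain `server=` lines and setting `no-resolv`, since otherwise dnsmasq keeps asking the WAN resolvers next to Unbound.

```shell
#!/bin/sh
# Added example, not from the thread. On Asuswrt-Merlin the firmware writes
# /etc/dnsmasq.conf, appends /jffs/configs/dnsmasq.conf.add, then calls
# /jffs/scripts/dnsmasq.postconf with that file's path as $1. Editing there
# survives firmware upgrades without maintaining a full custom dnsmasq.conf.

# Constructed stand-in for a firmware-generated dnsmasq.conf (not a real dump).
make_sample_conf() {
    cat > "$1" <<'EOF'
pid-file=/var/run/dnsmasq.pid
user=nobody
resolv-file=/tmp/resolv.dnsmasq
no-poll
cache-size=1500
server=/lan.example/192.168.1.2
interface=br0
EOF
}

# Hand caching and all upstream resolution to Unbound (127.0.0.1 port 40, as in
# the thread). Domain-specific "server=/domain/ip" lines are kept; only plain
# upstream "server=" lines, resolv-file and any old no-resolv are replaced, so
# running this twice gives the same result.
unbound_postconf() {
    conf="$1"
    tmp="$conf.tmp"
    sed -e 's/^cache-size=.*/cache-size=0/' "$conf" \
        | grep -v -e '^resolv-file=' -e '^no-resolv$' -e '^server=[^/]' > "$tmp"
    printf 'no-resolv\nserver=127.0.0.1#40\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# Sanity check before letting dnsmasq restart: exactly one plain upstream,
# it is Unbound, caching is off, and the WAN resolv-file is gone.
postconf_ok() {
    [ "$(grep -c '^server=[^/]' "$1")" -eq 1 ] &&
    grep -q '^server=127\.0\.0\.1#40$' "$1" &&
    grep -q '^cache-size=0$' "$1" &&
    ! grep -q '^resolv-file=' "$1"
}

demo="$(mktemp)"
make_sample_conf "$demo"
unbound_postconf "$demo"
postconf_ok "$demo" && cat "$demo"
rm -f "$demo"
```

On the router the same function body would go into dnsmasq.postconf with `"$1"` as the argument, followed by `service restart_dnsmasq` as the thread describes.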
 
How does Unbound compare to the built-in DNS Privacy options?
 