Replacing DNSMasq DNS with Unbound

Denna

Senior Member
When replacing DNSMasq DNS with Unbound, how do you disable DNSMasq from providing DNS support ?
 
swetoast,

Thanks for the quick reply.

DNSMasq would still be used for DHCP.

entware-setup.sh was used to install Entware.

opkg was used to install unbound and dnscrypt-proxy.

I want to use unbound as a DNS cache that forwards to the DNSCrypt proxy.

Reading the link above, I can see how DNSCrypt is installed, but not how DNSCrypt takes over DNS. Perhaps in that example, DNSMasq is configured to forward to DNSCrypt.
 
swetoast,

Are you referring to the "dnsmasq-dnscrypt-reconfig" script ?

The contents of this file are:

#!/bin/sh

append_on_demand () {
    TARGET="$1"
    shift
    for LINE in "$@"; do
        if [ -z "`grep -F \"$LINE\" $TARGET`" ]; then
            echo "$LINE" >> $TARGET
        fi
    done
}

append_on_demand /etc/dnsmasq.conf "no-resolv" "server=127.0.0.1#65053"

Does this mean appending the following lines in the dnsmasq.conf file stops DNSMasq from acting as a DNS resolver ?

no-resolv
server=127.0.0.1#<port number Unbound is listening on>
 
swetoast,

But the two lines disable DNSMasq from acting as a DNS resolver and point to another resolver, correct ?
 
What is the difference between adding those two lines to dnsmasq.conf and dnsmasq.conf.add ?
 
swetoast,

But the two lines disable DNSMasq from acting as a DNS resolver and point to another resolver, correct ?
Wrong.....those lines only tell dnsmasq not to use its resolve files and use the server specified as its upstream name server. It's still active as a DNS server. But you can then use that to point dnsmasq to your unbound server.
 
Again John, I never messed with unbound, only dnscrypt, so I got no freaking idea how that works. I only used that installer to show how to pass arguments from dnsmasq; the rest is up to Denna.
 
the rest is up to denna
Absolutely agree....just correcting some info for Denna.

dnsmasq is so tightly integrated in the firmware, doing a firmware 'replace' is likely not to be easy. The only easy way I can think of is to specify the unbound server on the LAN page and disable the option to pass the router address so only the unbound server is passed to the clients for their DNS.
 
john9527,

I've been researching and trying for weeks to get Unbound and DNSCrypt working on Asuswrt Rmerlin to no avail.

As far as I've gotten is:

1) Installing Entware, Unbound and DNSCrypt on /dev/sda1 (external USB drive).

2) Adding the following lines in the /jffs/scripts/services-start file

/tmp/mnt/Entware/entware/etc/init.d/S09dnscrypt-proxy start
/tmp/mnt/Entware/entware/etc/init.d/S61unbound start

3) Adding the following lines to the /jffs/configs/dnsmasq.conf.add file

port=0
dhcp-option=option:dns-server,192.168.1.1

4) Configuring the following in the /tmp/mnt/Entware/entware/etc/unbound.conf file

interface: 127.0.0.1
interface: 192.168.1.1

However, I don't see a way to determine if unbound is running. It does not show up when running top or ps.
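
The two dnsmasq setups discussed in this thread behave differently: "no-resolv" plus "server=" leaves dnsmasq answering DNS and forwarding upstream, while "port=0" turns its DNS off so the address handed out over DHCP must be one unbound listens on. The script below is an added example, not code from any poster or from Entware or the firmware; the function names are hypothetical and the sample files are constructed from the config lines quoted in the posts above.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical and
# the sample files are constructed from the config lines quoted above.

# Print the DNS role a dnsmasq config gives dnsmasq:
#   disabled        port=0: DHCP only, no DNS listener
#   forwarder:LIST  no-resolv + server=: still a DNS server, forwards to LIST
#   default         answers DNS and forwards to the resolv-file servers
dnsmasq_dns_mode() {
    cat "$@" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # only a leading # starts a comment
        { gsub(/[ \t]/, "") }              # (the # in server=ip#port is a port)
        /^port=/      { port = substr($0, 6) }
        /^no-resolv$/ { noresolv = 1 }
        /^server=/    { up = (up ? up "," : "") substr($0, 8) }
        END {
            if (port == "0")         print "disabled"
            else if (noresolv && up) print "forwarder:" up
            else                     print "default"
        }'
}

# Succeed only if every DNS server handed out over DHCP is an address that
# unbound.conf lists as an "interface:" (a listener on the default port).
dhcp_dns_served_by_unbound() {   # $1 = dnsmasq config, $2 = unbound.conf
    advertised=$(sed -n -e 's/^[[:space:]]*dhcp-option=option:dns-server,//p' \
                        -e 's/^[[:space:]]*dhcp-option=6,//p' "$1" | tr ',' '\n')
    listening=$(sed -n 's/^[[:space:]]*interface:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$2")
    [ -n "$advertised" ] || return 1
    for ip in $advertised; do
        printf '%s\n' "$listening" | grep -Fxq "$ip" || return 1
    done
}

SAMPLES=$(mktemp -d)   # constructed sample configs
printf '%s\n' 'no-resolv' 'server=127.0.0.1#65053' > "$SAMPLES/forward.add"
printf '%s\n' '# DHCP only' 'port=0' \
    'dhcp-option=option:dns-server,192.168.1.1' > "$SAMPLES/dhcponly.add"
printf '%s\n' 'server:' '  interface: 127.0.0.1' \
    '  interface: 192.168.1.1' > "$SAMPLES/unbound.conf"

dnsmasq_dns_mode "$SAMPLES/forward.add"
dnsmasq_dns_mode "$SAMPLES/dhcponly.add"
dhcp_dns_served_by_unbound "$SAMPLES/dhcponly.add" "$SAMPLES/unbound.conf" &&
    echo "clients are sent to an address unbound listens on"
```

The second check only compares configuration files; it does not show whether the unbound process actually started.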
 
However, I don't see a way to determine if unbound is running. It does not show up when running top or ps
Code:
/opt/etc/init.d/rc.unslung check
will tell you what is running in entware ... if they reply "dead" it sometimes means they won't start because of a bad config
 
tomsk,

rc.unslung.png


Is this a path issue ?
 
tomsk,

Ext4.
Do you have a path to find in entware? find --version or "cd /opt/bin" you should be able to ls and see the find executable. The rc.unslung script calls find when it runs. You could do
Code:
/tmp/mnt/Entware/entware/etc/init.d/S09dnscrypt-proxy check
/tmp/mnt/Entware/entware/etc/init.d/S61unbound check
these should call the rc.func script which will tell you if these services are running
 
tomsk,

Path.png

Check.png

Files.png


This is the contents of /tmp/mnt/Entware/entware/etc/init.d/rc.unslung.
-----
#!/bin/sh

PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Start/stop all init scripts in /opt/etc/init.d including symlinks
# starting them in numerical order and
# stopping them in reverse numerical order

#logger "Started $0${*:+ $*}."

ACTION=$1
CALLER=$2

if [ $# -lt 1 ]; then
    printf "Usage: $0 {start|stop|restart|reconfigure|check|kill}\n" >&2
    exit 1
fi

[ $ACTION = stop -o $ACTION = restart -o $ACTION = kill ] && ORDER="-r"

for i in $(/opt/bin/find /opt/etc/init.d/ -perm '-u+x' -name 'S*' | sort $ORDER ) ;
do
    case "$i" in
        S* | *.sh )
            # Source shell script for speed.
            trap "" INT QUIT TSTP EXIT
            #set $1
            #echo "trying $i" >> /tmp/rc.log
            . $i $ACTION $CALLER
            ;;
        *)
            # No sh extension, so fork subprocess.
            $i $ACTION $CALLER
            ;;
    esac
done
-----

Does this have to be modified to point to the mounted drive since this is where Entware is installed ?
 
You shouldn't have to modify anything... the /opt symlink should take care of all that for you. There is something strange going on with your entware install though... can't quite see what as all the paths look good..... will have to think.... your rc.func has different permissions is one thing I notice
Code:
-rwxr-xr-x    1 tOmsK root          2786 Jan 13 19:25 rc.func
all the same for me
 