Looking to run unbound, but do not want to use it for the local system recursor..
uci -q delete network.wan.dns
uci add_list network.wan.dns="10.20.30.40"
uci add_list network.local.dns="10.20.30.40"
uci commit network
service network restart
cat /etc/resolv.conf
# /tmp/resolv.conf generated by Unbound UCI 2024-06-28T09:20:37-04:00
nameserver 127.0.0.1
nameserver ::1
search lan.
I also found this:
# Unbound Recursive DNS Server with UCI
<!-- markdownlint-disable -->
## Unbound Description
[Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
## Package Overview
OpenWrt default build uses [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) for DNS forwarding and DHCP. With a forward only resolver, dependence on the upstream recursors may be cause for concern. They are often provided by the ISP, and some users have switched to public DNS providers. Either way may result in problems due to performance, "snoop-vertising", hijacking (MiM), and other causes. Running a recursive resolver or resolver capable of TLS may be a solution.
Unbound may be useful on consumer grade embedded hardware. It is fully DNSSEC and TLS capable. It is _intended_ to be a recursive resolver only. NLnet Labs [NSD](https://www.nlnetlabs.nl/projects/nsd/) is _intended_ for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver with 8/64 MB router, and remove potential issues from forwarding resolvers outside of their control.
This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and works at the raw `unbound.conf` level.
## HOW TO: Ad Blocking
The UCI scripts will work with [net/adblock](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md), if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound.
A few tweaks may be needed to enhance the realiability and effectiveness. Ad Block option for delay time may need to be set for upto one minute (adb_triggerdelay), because of boot up race conditions with interfaces calling Unbound restarts. Also many smart devices (TV, microwave, or refigerator) will also use public DNS servers either as a bypass or for certain connections in general. If you wish to force exclusive DNS to your router, then you will need a firewall rule for example:
**/etc/config/firewall**:
```
This file has been truncated. show original
and added:
uci set unbound.ub_main.resolv_conf='1'
restarted unbound and network.. and resolv.conf shows the same way..
/etc/config/unbound
config unbound 'ub_main'
option add_extra_dns '0'
option add_local_fqdn '0'
option add_wan_fqdn '0'
option dhcp_link 'none'
option dns64 '0'
option edns_size '1232'
option extended_stats '1'
option hide_binddata '1'
option interface_auto '1'
option listen_port '53'
option localservice '1'
option manual_conf '0'
option num_threads '1'
option protocol 'ip4_only'
option rate_limit '0'
option rebind_localhost '0'
option rebind_protection '0'
option recursion 'default'
option resource 'default'
option root_age '99'
option ttl_min '300'
option ttl_neg_max '1000'
option unbound_control '1'
option validator '0'
option verbosity '1'
list iface_wan 'wan'
option enabled '1'
option resolv_conf '1'
again I'm looking for /etc/resolv.conf to have the values of network.wan.dns or network.local.dns
device does not do dhcp it is an edge device simply offering an outbound recursor forwarding tls upstream..
/lib/functions/network.sh
# determine the DNS servers of the given logical interface
# 1: destination variable
# 2: interface
# 3: consider inactive servers if "true" (optional)
network_get_dnsserver() {
__network_ifstatus "$1" "$2" "['dns-server'][*]" && return 0
[ "$3" = 1 -o "$3" = "true" ] && \
__network_ifstatus "$1" "$2" ".inactive['dns-server'][*]"
}
I couldn't figure out how /lib/netifd/netifd-proto.sh worked.. (lots going on there..)
Thank you in advance.
Nim
June 28, 2024, 2:09pm
2
The file /tmp/resolv.conf.d/resolv.conf.auto
has the resolvers from dhcp so I just linked /etc/resolv.conf
to /tmp/resolv.conf.d/resolv.conf.auto
I did this because I have a similar setup to you, with my AP running unbound and no dnsmasq. my AP gets it's IP and DNS servers from DHCP.
ls -lah /etc/ | grep resolv.conf
lrwxrwxrwx 1 root root 35 Jan 1 1970 resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
This was from some posts on here about removing dnsmasq, but I can't find them right now.
1 Like
Thank you sir..
I did find that file, and was going to symlink it.. but thought it would/might go away..
will keep an eye on it..