Hello,
I am working on this Instruction, which has also a few threads in this forum, the author is @directnupe. Unfortunately, all uci commands given in this tutorial result in a "Parse Error". After a couple of attempts to identify the cause for the error I felt it is getting too dangerous to mess around with configurations without knowing which ones are affected.
Then, there are some additional things that did not work in my hands. I have put together the Howto into a small list and refer to it when talking about the issues I experienced. 'My WORKING CONFIG' stands for directnupe's configs:
My WORKING CONFIG (adapt for your CPU/MEM) /etc/unbound/unbound_srv.conf
uci set ‘unbound.@unbound[0].query_minimize=1’
modify etc/config/stubby and set option manual '1'
My WORKING CONFIG /etc/stubby/stubby.yml
install drill, run drill txt qnamemintest.internet.nl
MY WORKING CONFIG /etc/unbound/unbound_ext.conf
uci set ‘dhcp.@dnsmasq[0].port=53535’ ; uci add_list “dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)”; uci set ‘unbound.@unbound[0].dhcp_link=dnsmasq’
uci commit; /etc/init.d/unbound restart
modify /etc/config/dhcp: list server '127.0.0.1#5453'; option noresolv ‘1’
replace DNS servers by ISP with 127.0.0.1, along with Tenta nameservers 99.192.182.200 and 99.192.182.100
My WORKING CONFIG /etc/config/unbound
/etc/init.d/unbound restart
No. 3. gave a Parse Error
No. 6 returned "NO - QNAME minimisation is NOT enabled on your resolver"
No. 8 none of the commands worked. In particular the second one (...option:dns-server,$(uci get network.lan.ipaddr)), how does it look in a plain text file?
I stopped here, because it does not make sense to continue.
My OpenWRT version is 18.06.3.
Apologies if essential information is missing for good answers, I am familiar with command line and Linux, but no expert in this field.
Dear Oscar,
Hello and I hope that you are well. I do not know why you are getting parse errors- frankly, I have never heard of this. Perhaps you should try entering each uci command individually instead of using the colons and combining commands. Next get rid of the Tenta DNS SERVERS on the WAN Interface - only use the localhost ( 127.0.0.1 ) for DNS on WAN.
You also - did not mention how you edited the /etc/config/unbound file which is important - here is an example here:
Dear Oscar,
Oh yeah ! A light bulb just went off in my head. I run Davidc502 Builds - see here : https://dc502wrt.org/ and when Dave first bumped up to Linux Kernel 4.19 I encountered the same type of issue which you are talking about. The issue went away when he compiled his first non-test standard 4.19 Build. The workaround that I found after much trial and error was to limit the number of DNS RESOLVERS in the /etc/stubby/stubby.yml file to five or less. For example try this
# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 60000
listen_addresses:
- 127.0.0.1@5453
- 0::1@5453
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
tls_ca_path: "/etc/ssl/certs/"
upstream_recursive_servers:
### Test servers ###
#The BlahDNS German DNS TLS Server
- address_data: 159.69.198.101
tls_auth_name: "dot-de.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: RzMGlPVE8DlsiA9DQRuW9CoVkwFBjS8j+we5PZ3eE0c=
#The BlahDNS Japan DNS TLS Server
- address_data: 108.61.201.119
tls_auth_name: "dot-jp.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: 427fIEGdHRXL9C6i+PzEk+CstsrmNGXJaAnu9ECu+Hk=
## The Surfnet/Sinodun DNS TLS Server
- address_data: 145.100.185.18
tls_port: 853
tls_auth_name: "dnsovertls3.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
# The securedns.eu DNS TLS Server dot.securedns.eu ads-dot.securedns.eu
- address_data: 146.185.167.43
tls_auth_name: "dot.securedns.eu"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
#The dns.seby.io - Vultr DNS TLS Server
- address_data: 139.99.222.72
tls_auth_name: "dot.seby.io"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw=
This worked for me - and even if you use the default /etc/config/stubby you still must use five ( 5 ) resolvers or less in the configuration. I may try to contact David Mora aka iamperson347 the developer and maintainer of GETDNS and STUBBY package for OpenWRT about this - however; as I said the problem went away - on Dave's first non experimental 4.19 Build. Hope this works.
Hello @directnupe ,
I really appreciate your support in this matter. However, I now found out that at least in my hands, the instructions in the on the uci commands contain syntax errors. An example:
uci set ‘dhcp.@dnsmasq[0].port=53535’
uci: Parse error
setting the quotes a little bit differently works
**uci set dhcp.@dnsmasq[0].port='53535’
uci commit
cat /etc/config/dhcp |grep port
option port '53535'
While I could help myself with this line I am totally stuck with the other:
uci add_list “dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)”
What I understand is that the modification is on the /etc/config/dhcp file, section lan (config dhcp 'lan'). But, no matter what I try I can't find what exactly needs to be entered. May I ask you to provide the part of your dhcp file where the a.m. modification is in plain text? I would not ask if I had not spent a couple of hours on this matter already.
# Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
# Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
uci set 'dhcp.@dnsmasq[0].port=53535'
# Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
# since it does not do this by default when port is configured.
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'
# Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)
uci commit
# Restart (or start) unbound (System -> Startup -> unbound -> Restart)
/etc/init.d/unbound restart
It would not work correctly so I found and use this:
uci set dhcp.@dnsmasq[-1].noresolv=1
Other than that no issues - I run Davidc502 Builds found here: https://dc502wrt.org/ As for /etc/config/dhcp -you can enter all the options manually - I think whatever OpenWRT Build you are using may be quirky or you need to do a fresh install
Peace