Full-featured custom build for Dynalink DL-WRX36 (AX3600)

So the move to unbound isn't a recent one, for me at least. I've used unbound for DNS + DHCP for probably 4 or 5 years now, and the last version of this custom firmware used it as well.

As far as why I chose to go with unbound instead of the standard dnsmasq setup? Well, there are a few reasons:

Reason #1: Performance

When I switched over to unbound, dnsmasq had not-so-great performance. This was especially true with large adblock-provided blocklists (500k+ entries), where the performance with dnsmasq was borderline unusable.

Unbound handled (and still handles) blocklists with 500,000+ entries with virtually zero decrease in performance. When I last tested it, the time for lookups increased by an average of 1-2ms with a 600k entry blocklist (relative to no blocklist), which is less than the "noise threshold" and not statistically significant.

Perhaps dnsmasq has improved in this area in recent versions... I really wouldn't know, though.

Reason #2: privacy

Unbound is a recursive resolver - it directly queries the authoritative DNS servers recursively until it can resolve the name into an IP address. There is no "upstream DNS server" that you are forwarding results to/from (unbound can be set up this way as well, but it isn't in my firmware build).

This has the benefit that you aren't giving anyone else a list of all your DNS requests and, by extension, every website you visit. Sure, your ISP could still pull that information out of your raw internet traffic if they really wanted to, but chances are they aren't (unless they are court ordered to or something similar). I'd also guess that the logs of the raw internet traffic are deleted far more frequently than the DNS query logs, limiting how far back in time your ISP could theoretically make a list of your visited websites.

Reason #3: security

DNS servers that serve millions of people are natural targets for bad actors who might, for example, poison the DNS cache so that www.yourbank.com leads to a website IP that looks identical to your bank's website but isn't, and is run by shady people in Nigeria. Unless you are personally and specifically being targeted, no one is going to go through the trouble of trying to do something like this when unbound has better-than-average security and is only serving people on your home network.

I think unbound is absolutely the best choice (by a fairly good margin) for anyone with a router that is similarly (or more) capable as the dynalink dl-wrx36 is (in terms of memory capacity and to a lesser extent CPU power and flash capacity).

For the devices that are closer to the "minimum openwrt hardware requirements", which (unfortunately) describes a lot of the routers that openwrt supports, there is distinctly less benefit. Unbound will be much less performant, since you might not have the flash space to compile in all the goodies (libevent, libpthread, etc.) and use the extra unbound packages (like unbound-control, which is needed to use unbound+odhcpd for DHCP). The cache would need to be toned down, as would how aggressive the recursion is for lookups. Recursive DNS queries might take considerably longer than using a forwarding resolver here, and by setting up unbound as a stub resolver you lose the security and privacy benefits mentioned above. In this situation, there is minimal benefit to using unbound over the lighter weight (and more established) dnsmasq.

Unbound is fairly lightweight, but if you only have, say, 16 MB of flash storage and 64 MB of RAM to work with, the even lighter-weight dnsmasq is an appealing option.

1 Like

So I cannot even test this build because I use the pbr package, which relies on dnsmasq-full. Maybe you could have two versions - one that uses dnsmasq-full and another that uses unbound.

I am using SmartDNS as upstream server for DNSMasq to use secure DNS (DoT); it works quite well and fast. I use Adblock via DNSmasq with about 300,000 entries without any apparent lag.
Not the most sophisticated setup, but being accustomed to DNSMasq, this also gets me secure DNS while still using my trusted DNSMasq.

What is your opinion about SmartDNS?

Edit: I am totally going off topic, sorry for that :frowning:

It's good to hear that the situation re: dnsmasq is better now than when I last tried it. I seem to recall when I last tried it (maybe 2020-ish?) a fairly major dnsmasq update was about to be released that was supposed to improve performance quite a bit.

I haven't used it personally, but looking into it a little bit, it looks to be an interesting and fairly effective solution for unblocking geo-locked content. If this capability is one you need and use frequently, I could definitely see that outweighing the privacy/security benefits of running your own local/private recursive DNS server.

It's worth noting that you can set up unbound as a stub resolver (i.e., have it query an upstream DNS server such as SmartDNS) instead of a recursive resolver. As a stub resolver it supports DoT and DoH. You can also set it up as a stub resolver that will fall back to doing a recursive lookup if the upstream DNS resolver is unable to resolve the DNS query. I haven't used unbound like this myself, but I have no reason to think that performance would be anything less than excellent.

1 Like
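As an added illustration of the stub-with-fallback setup described above, together with the cache-poisoning hardening mentioned under Reason #3, here is an unbound.conf fragment (example only, not jkool702's build config or the OpenWrt package's defaults): it forwards over DoT, falls back to full recursion with `forward-first`, and enables the options that make spoofed answers harder to slip into the cache. The upstream address and TLS hostname are placeholders, and the CA bundle path assumes OpenWrt's ca-bundle package.

```conf
# Added example, not part of the original build. Placeholders: 192.0.2.53,
# dot.example.invalid, and the ca-bundle path (assumed for OpenWrt).
server:
    # Hardening against cache poisoning: drop out-of-bailiwick glue and
    # answers with DNSSEC data stripped, and check the referral path.
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    # Send only the labels each step of recursion needs (RFC 9156).
    qname-minimisation: yes
    # Randomise 0x20 case in query names; answers with mismatched case
    # are discarded, which adds entropy on top of port/ID randomisation.
    use-caps-for-id: yes
    # DNSSEC validation against the root trust anchor (RFC 5011 managed).
    auto-trust-anchor-file: "/etc/unbound/root.key"
    # CA bundle used to verify the DoT upstream's certificate (assumed path).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Blocklist-style entry: NXDOMAIN for the zone and every subdomain.
    local-zone: "ads.example.invalid." always_nxdomain

forward-zone:
    name: "."
    # ip@port#authname: unbound verifies the certificate against authname.
    forward-addr: 192.0.2.53@853#dot.example.invalid
    forward-tls-upstream: yes
    # Try the DoT upstream first; on SERVFAIL or timeout, recurse from the
    # root servers instead of returning the failure to the client.
    forward-first: yes
```

In OpenWrt's unbound package the `server:` directives belong in unbound_srv.conf and the `forward-zone:` block in unbound_ext.conf (as I understand the package layout; verify against your build). Note that `forward-first` fails open: if the DoT upstream is unreachable, queries degrade to plaintext recursion rather than failing closed, so set it to `no` if that trade-off is not acceptable.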

I can probably do this, though the dnsmasq/dhcp configuration will just be whatever openwrt defaults to (to get unbound to work out of the box I create the build with custom UCI configs for dhcp and unbound)

I'll go ahead and post the imagebuilder archive too so people can generate custom images without needing to recompile anything... assuming I can figure out how to get github's large file service (or whatever it is called) working. Worst case I'll post it as a split archive to stay under github's "100 MB per file" limit.

4 Likes

Dear jkool702,
Hello and I hope that you are well. I am sure that I speak for many when I say that we are all anxiously awaiting the publishing of your NSS Build which features dnsmasq-full. Maybe you can include some instructions which will detail how to replicate and / or rebase your Builds. Thanks for all you have done to make NSS available for those of us who are less proficient in OpenWRT development.
Peace

2 Likes

+1 for this request. If we can get an interface like the one at https://firmware-selector.openwrt.org, even better; otherwise we can just install the other packages manually.

Dear jkool702,
Any news on the
"Maybe you could have two versions - one that uses dnsmasq-full and another that uses unbound."
Just asking as I really am an interested party.
@odhiambo speaks to my rationale:
"I cannot even test this build because I use the pbr package, which relies on dnsmasq-full."
Hopefully the dnsmasq-full version will drop soon.
Peace

BTW - I hope that @jkool702 is monitoring this thread as it is his own - and therefore I pray that he is amenable to the customary give and take on the forum

If you do not want to make a dnsmasq-full version readily available, would you please make a config file readily available whereby those of us who are interested in this option can compile their own custom builds with this alternative?
Thanks once again

2 Likes

Hey @jkool702,

I wanted to ask if you could assist me to make a custom firmware for an outdoor 5G modem router. I am working together with the guys from the ROOTer Project and we made a general firmware for it. However, I want to tweak it to the MT7621AT SoC which is built in.

I want to add the optimizations and NSS like you did. I just need someone who can help me a little bit out to understand things.

You customized the kernel for example. The timer is set to 100Hz now. What do I need to do to make it 1000 Hz? Can we get in contact together so I can try out things? It would be perfect!

NSS refers to dedicated hardware ubicom32-le cores present on Qualcomm-Atheros ipq806x/ ipq807x (and ipq50xx, ipq60xx, ipq53xx, ipq95xx) and running Qualcomm's proprietary NSS firmware; it's specific to Qualcomm and does not exist on Mediatek SoCs.

2 Likes

Are you sure about that? Did you find out something about Mediatek SoCs or do you just assume that they do not provide proprietary NSS firmware?

I'll leave that to your batch of homework, after all you want to do to that.

Sounds a little bit rude. So maybe not commenting at all next time is, in my opinion, a better move...

1 Like

Maybe you should spend a few minutes on researching your topic, before responding.

But hey, what do I know. I'd be dying to see the result; might be worth a Nobel Prize - make my day.

What is the sense of commenting on my questions when you don't want to provide answers? Just to pull out and make me look stupid. Can't take that seriously. You don't want to help, so just do not comment. I would not be here if I already knew everything. I just asked the author to get some starting points and not to get pinned down by a random guy like you. I am ending this here now because it is nonsense.

I gave you the facts in my first response - believe them or not. If you don't, it's up to you to prove me wrong - and I'd still strongly suggest doing a little research before disagreeing; it's not rocket science.

I did not disagree. I just asked questions :joy: First you tell me to look it up myself, now you're mixing up my written words? Good job.

I did not disagree under any circumstances. I just asked questions. And can we stop this now please? This does not belong in a forum...

None of the questions you asked are on topic for this thread. If you've got questions or points about the Dynalink WRX36, please carry on.

If not, find an appropriate thread for your SoC and ask there.

1 Like

The reference goes to the optimizations he uses here, and I also wrote here to get politely in touch with him because there is no other way.

Instead I get constantly mocked down by random people writing under my comments and telling me what I have to do or what I do not have to do. This is still a place of discussion and education. I want to transfer his work or a part of his work to other devices, so the community can benefit from it...

There is a reason why I am here. I also own the router which is mentioned in the topic. I also use his firmware. I am also very happy. And yes, I understand that NSS is not possible for my device. Still, I did not like the tone and way of communication here. Actually I was referring only to him and not to any of you.

@jkool702 if it is possible, please DM me or let's get in contact somehow else if it is okay. I believe I placed some fire here only because I asked questions...

EDIT:
And I am sorry from my point that maybe I sound a little bit harsh, but it is because of the way of communication here I picked up. I only asked something one time.

So that is an entirely new project... I don't know what needs to be done for the MT7621AT from a Qualcomm perspective (that is the SoC for the dynalink); it has two NSS cores, one for HW offload and another for crypto. Suggest you look at https://git.codelinaro.org/clo/qsdk. I thought mediatek has their own hw offload acceleration... but honestly can't think of anything that can help you apart from looking at the code to perhaps draw some exemplars.

1 Like