Need Guide for Unbound+odhcpd DNS over TLS for 19.07

I read that you can now use DNS over TLS through LuCI in 19.07 using luci-app-unbound, but after trying for a while, I couldn't get it to work :open_mouth:

Can anyone kindly guide me through?

Edit: I am using Ath79 Generic Archer C7 v4

I found this Chinese guide

Apparently you need

opkg install unbound ca-bundle

However, when I typed that command, it gave me an error that says

Unknown package 'unbound'.

Any idea why?

Edit: Apparently that "unbound" is redundant, not sure why it is part of the instruction.

So I redid everything, starting from a factory reset.

I uninstalled "dnsmasq" and "odhcpd ipv6"
I installed "odhcpd", "luci-app-unbound", "unbound-control" and "ca-bundle"

config unbound
	option add_extra_dns '0'
	option add_local_fqdn '1'
	option dns64 '0'
	option domain 'lan'
	option domain_type 'static'
	option edns_size '1280'
	option extended_stats '0'
	option hide_binddata '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'default'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option validator_ntp '1'
	option verbosity '1'
	option enabled '1'
	option validator '1'
	option dhcp_link 'odhcpd'
	option dhcp4_slaac6 '1'
	option add_wan_fqdn '1'
	option unbound_control '1'
	list trigger_interface 'lan'
	list trigger_interface 'wan'

config zone
	option zone_type 'forward_zone'
	option enabled '1'
	list server '1.1.1.1'
	list server '1.0.0.1'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'
	option tls_upstream '1'
	option tls_index 'cloudflare-dns.com'
	option fallback '0'
	list zone_name '.'
	option tls_port '853'

I then edited "/etc/config/dhcp"

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        list server '127.0.0.1#53'
        list server '0:0:0:0:0:0:0:1#53'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option dhcpv4 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '1'
        option leasefile '/var/lib/odhcpd/dhcp.leases'
        option leasetrigger '/usr/lib/unbound/odhcpd.sh'
        option loglevel '4'

Everything seems to work, but https://1.1.1.1/help says I am not using DoT. Is that something I should worry about?

Edit: OK, I give up! I'm going back to stubby + dnsmasq. odhcpd seems to have a problem with ddns-scripts as well. I might need to edit something, but I don't know what.

odhcpd is completely unrelated to upstream DNS queries in any sense, it is just a DHCP server.

My node deploys unbound with DoT, though not CF, and that works just peachy.

Here's my setup. I left dnsmasq in place for various reasons, so I made unbound listen on a non-standard port and have dnsmasq query through unbound. Probably not the most efficient setup; please feel free to tailor this for your own needs.

In Luci on the DHCP and DNS general settings page:

DNS forwardings: 127.0.0.1#5553

/etc/config/unbound

config unbound
	option num_threads '2'
	option dns64 '0'
	option edns_size '1280'
	option hide_binddata '1'
	option localservice '1'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option validator '0'
	option enabled '1'
	option extended_luci '1'
	option manual_conf '0'
	option unbound_control '1'
	option protocol 'ip6_prefer'
	option resource 'large'
	option listen_port '5553'
	option root_age '24'
	option dhcp_link 'dnsmasq'
	option ttl_min '6'
	option extended_stats '0'
	list trigger_interface 'lan'
	list trigger_interface 'wan'

/etc/unbound/unbound_srv.conf

do-tcp: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: no
#
verbosity: 1 
#verbosity: 3
#log-queries: yes
#log-time-ascii: yes

/etc/unbound/unbound_ext.conf

forward-zone:
	name: "."
	forward-addr:	2001:67c:28a4::@853
	forward-ssl-upstream:	yes

regards,
Geof

Do you want a guide? I'll give it to you: https://blog.cloudflare.com/dns-over-tls-for-openwrt/
It works perfectly; I use it on multiple devices, and it works from LEDE to the latest snapshots. It replaces dnsmasq and odhcpd-ipv6only with unbound and the full version of odhcpd. Unbound-control is used to manage DNS requests. But you will find everything in the guide. The 1.1.1.1/help site will prove me right.


odhcpd is completely unrelated to upstream DNS queries in any sense, it is just a DHCP server.

I know odhcpd perfectly. The post was opened for this: Need Guide for Unbound + odhcpd DNS over TLS for 19.07.
odhcpd is to replace dnsmasq and avoid performance degradation by having two parallel resolvers.
why odhcpd?
If you read what I wrote I never said that odhcpd is connected in some way to DNS. Read before writing.

I did and would not have otherwise responded. You clearly stated

unbound is no replacement for either odhcpd-ipv6only nor for the full version odhcpd. One does DNS and the other DHCP, different subjects entirely.

Unbound is a validating, recursive, caching DNS resolver https://nlnetlabs.nl/projects/unbound/about/
odhcpd is a daemon for serving and relaying IP management protocols to configure clients and downstream routers
You may ask, "can Unbound replace dnsmasq?" You can have DHCP-DNS records with Unbound and odhcpd only. The UCI scripts will allow Unbound to act like dnsmasq. When odhcpd configures each DHCP lease, it will call a script. The script provided with Unbound will read the lease file for DHCP-DNS records. The unbound-control application is required, because simply rewriting conf-files and restarting unbound is too much overhead. (From https://openwrt.org/docs/techref/odhcpd)
We say the same thing. Only here we were looking for a guide for DoT with unbound and odhcpd. I hope the sterile controversy ends here.
"It replaces dnsmasq and odhcpd-ipv6only with unbound and the full version of odhcpd" is not the same as "unbound is a replacement for either odhcpd-ipv6only or for the full version odhcpd".

Afraid we do not. You are now referring to some glue script that generates unbound PTR records for the local domain from odhcpd's DHCP lease file.

Which is not relevant at all to DNS upstream queries.

There is no such thing as odhcpd being involved with upstream DoT.


I do not ask and it does not jibe with

We can never finish it. An unsolicited computer or network lesson is not requested here. Don't write down every word. I posted a simple guide from the Cloudflare blog, which if followed allows you to use DoT on OpenWRT, which you can also handle with LuCI. In addition, if desired, you can choose other servers.
I don't doubt there are other ways to get the result. But here he wondered what is written in the title of the post.
And I know how odhcpd dnsmasq and unbound works. If I need further information I will ask you in private.

The guide and all is just fine, but part of your statement along with it is just misleading.

If you truly believe that odhcpd is any way involved with upstream DoT queries you could perhaps post some relevant odhcpd configuration that explains it how.

Listen, please, then enough, we are polluting this other post too.
odhcpd has nothing to do with DNS. I never said otherwise. I wrote "substituted" because dnsmasq combined with unbound is a duplicate for DNS, so I delete dnsmasq. But the problem of the DHCP server remains. What can I do? I use odhcpd. So odhcpd for DHCP and unbound for DNS.
Don't put words in my mouth that I never said.
Live peaceful.

First, it helps to at-mention the package maintainer so that the Forum can notify them. All well maintained packages have one in the Makefile (@EricLuehrsen). I don't know if this issue is resolved yet.

In OpenWrt 19.07, and to support adding potentially bloated feature libraries, I made the regrettable decision to have two package variants. Because of the way Unbound tools appear in menuconfig, it made "Unbound-daemon" a little more obvious when compared to "Unbound-daemon-heavy."

OpenWrt 19.07 has UCI and LuCI for DoT as you discovered. However it does not have an automatic way to prevent applications and appliances from bypassing the router. They could go to 8.8.8.8#53 without encryption no problem. You need to add a firewall rule yourself. It should block or redirect all port 53 and 853 trying to leave your network.
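The firewall rules the post above says you have to add yourself, written out as an added example (this is not code from the thread, from the unbound package, or from the Cloudflare guide). It is a POSIX sh script for the router that emits a `uci` batch for OpenWrt's fw3 firewall: a DNAT redirect that hijacks any LAN traffic aimed at port 53 and hands it to the router's own resolver, a REJECT rule for LAN-to-WAN port 853 so clients cannot run their own DoT to an upstream of their choosing, and a REJECT rule for LAN-to-WAN port 53 as a backstop. The section names (`dns_int`, `dot_block`, `dns_block`) and the `ROUTER_DNS_PORT` variable are my own choices, not anything OpenWrt defines.

```shell
#!/bin/sh
# Added example, not code from the thread or from the unbound package.
# OpenWrt (fw3/UCI) firewall sections that keep LAN clients from bypassing the
# router's DoT forwarder:
#   dns_int   : redirect, target DNAT, no dest_ip. fw3 reads "DNAT with no
#               dest_ip" as "deliver to this router", so a client sending to
#               8.8.8.8#53 is answered by the router on ROUTER_DNS_PORT.
#               fw3 redirects are IPv4 only.
#   dot_block : rule, REJECT lan -> wan on 853. The router's own forward-zone
#               queries are router output, not LAN forward traffic, so this
#               does not break Unbound's upstream DoT.
#   dns_block : rule, REJECT lan -> wan on 53. IPv4 port-53 traffic was already
#               DNATed in prerouting, so this mainly catches IPv6 clients that
#               the redirect cannot touch.
# Section names and ROUTER_DNS_PORT are my assumptions. ROUTER_DNS_PORT must be
# the port that answers on the router: 53 for the OP's Unbound-on-53 setup, and
# also 53 for Geof's setup (dnsmasq on 53 in front of Unbound on 5553).

ROUTER_DNS_PORT="${ROUTER_DNS_PORT:-53}"

# Return 0 if $1 is a usable TCP/UDP port number, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the uci batch. Named sections make this idempotent: re-running it
# rewrites the same three sections instead of adding duplicates.
dns_guard_batch() {
    valid_port "$ROUTER_DNS_PORT" || return 1
    cat <<EOF
set firewall.dns_int=redirect
set firewall.dns_int.name='Intercept-DNS'
set firewall.dns_int.src='lan'
set firewall.dns_int.proto='tcp udp'
set firewall.dns_int.src_dport='53'
set firewall.dns_int.dest_port='${ROUTER_DNS_PORT}'
set firewall.dns_int.target='DNAT'
set firewall.dot_block=rule
set firewall.dot_block.name='Block-Client-DoT'
set firewall.dot_block.src='lan'
set firewall.dot_block.dest='wan'
set firewall.dot_block.proto='tcp udp'
set firewall.dot_block.dest_port='853'
set firewall.dot_block.target='REJECT'
set firewall.dns_block=rule
set firewall.dns_block.name='Block-Client-DNS'
set firewall.dns_block.src='lan'
set firewall.dns_block.dest='wan'
set firewall.dns_block.proto='tcp udp'
set firewall.dns_block.dest_port='53'
set firewall.dns_block.target='REJECT'
EOF
}

# Number of options the batch sets for section $1 (quick self-check).
dns_guard_count() {
    dns_guard_batch | grep -c "^set firewall\.$1\."
}

# On the router: feed the batch to uci, commit, reload the firewall.
dns_guard_apply() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; not OpenWrt?" >&2; return 1; }
    dns_guard_batch | uci batch || return 1
    uci commit firewall && /etc/init.d/firewall reload
}

# Usage on the router:  ROUTER_DNS_PORT=53 sh dns_guard.sh apply
# Dry run anywhere:     sh dns_guard.sh        (only prints the batch)
case "${1:-}" in
    apply) dns_guard_apply ;;
    *)     dns_guard_batch ;;
esac
```

Two caveats a practitioner will want: the redirect only handles IPv4, so a client configured with an IPv6 resolver such as 2606:4700:4700::1111 is not hijacked but hits the `dns_block` REJECT instead and simply fails over; and none of this catches DNS over HTTPS, which travels on 443 and is indistinguishable from ordinary web traffic at this layer.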