Hi there,
I am trying to use unbound as a TLS connection to blahdns. After 3 days I need someone who can help me.
I use a TP-Link WDR3600 with OpenWrt 18.6.1, installed the certificates and unbound, and finally followed these instructions:
Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
uci set 'dhcp.@dnsmasq[0].port=53535'
Configure dnsmasq to send a DNS Server DHCP option with its LAN IP, since it does not do this by default when port is configured.
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'
Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)
uci commit
Restart (or start) unbound (System -> Startup -> unbound -> Restart)
/etc/init.d/unbound restart
I guess the unbound server conf and unbound ext.conf are set correctly.
But my DNS requests are sent to my ISP and not the servers I configured.
The system log shows the following errors:
Thu Dec 13 18:13:47 2018 daemon.info odhcpd[979]: Using a RA lifetime of 0 seconds on br-lan
Thu Dec 13 18:19:36 2018 daemon.notice unbound: [4096:0] notice: sendto failed: Permission denied
Thu Dec 13 18:19:36 2018 daemon.notice unbound: [4096:0] notice: remote address is 2001:12f8:c::10 port 53
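The script below is an added example, not code from the original post or from the OpenWrt unbound package. It turns the three questions a practitioner would ask about this setup into shell functions that read the text of `netstat -lnp`, `logread` and the forward-zone stanza of unbound_ext.conf on stdin: which process actually owns ports 53 and 53535; which upstream addresses unbound could not reach, and whether they are all IPv6; and whether every forward-addr is pinned to port 853 (DNS over TLS) rather than plain port 53. Two details of the posted log drive the second check: "remote address is ... port 53" means unbound was sending a plain DNS query to that address itself, not a TLS forward on 853, and "sendto failed: Permission denied" is EPERM from the kernel, which on Linux is what a netfilter rule dropping the outgoing packet produces. The samples embedded in the script are constructed so it runs offline (only the two unbound lines from the post are real); the addresses use documentation prefixes, the PIDs are made up, and dot.example.net is a placeholder hostname.

```shell
#!/bin/sh
# Added diagnostic helpers for the "dnsmasq on 53535, unbound on 53" setup.
# Each function reads command output on stdin, so on the router you pipe the
# real `netstat -lnp`, `logread` and unbound_ext.conf in. The samples at the
# bottom are CONSTRUCTED (only the two unbound log lines from the post are
# real) so the script can run offline.

# 1. Which process actually owns ports 53 and 53535?
#    Prints "<proto> <port> <pid/program>" for each matching listener.
dns_listeners() {
    awk '$1 ~ /^(udp|tcp)6?$/ {
        n = split($4, a, ":"); port = a[n]
        if (port == "53" || port == "53535") print $1, port, $NF
    }'
}

# 2. Pair each "sendto failed: <err>" notice with the "remote address" line
#    unbound logs right after it for the same [pid:thread] tag.
#    Prints "<ip> <port> <err>". Port 53 here is plain DNS, not DoT (853).
unbound_send_failures() {
    awk '
    { tag = $0; sub(/.*unbound: /, "", tag); sub(/ .*/, "", tag) }
    /notice: sendto failed: / {
        e = $0; sub(/.*sendto failed: /, "", e); err[tag] = e; next
    }
    /notice: remote address is / && (tag in err) {
        n = split($0, w, " ")
        for (i = 1; i < n; i++) if (w[i] == "is") ip = w[i + 1]
        print ip, w[n], err[tag]; delete err[tag]
    }'
}

# 3. Are the refused targets all IPv6? Then the problem is IPv6 egress on the
#    router, not the forwarders. Prints ipv6_only | ipv4_only | mixed | none.
failure_families() {
    unbound_send_failures | awk '
        { if ($1 ~ /:/) v6++; else v4++ }
        END {
            if (v6 && v4) print "mixed"
            else if (v6) print "ipv6_only"
            else if (v4) print "ipv4_only"
            else print "none"
        }'
}

# 4. Does every forward-addr use @853 (DNS over TLS)? Anything else goes out
#    in the clear on port 53, which is exactly the leak the post worries about.
forward_addrs() {
    awk '$1 == "forward-addr:" {
        t = ($2 ~ /@853#/ || $2 ~ /@853$/) ? "tls" : "PLAIN"
        print $2, t
    }'
}

# --- constructed samples ---------------------------------------------------
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/dropbear
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      4096/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           4096/unbound
udp        0      0 :::53535                :::*                                1234/dnsmasq'

# First two unbound lines are the ones from the post; the rest are made up.
SAMPLE_LOG='Thu Dec 13 18:13:47 2018 daemon.info odhcpd[979]: Using a RA lifetime of 0 seconds on br-lan
Thu Dec 13 18:19:36 2018 daemon.notice unbound: [4096:0] notice: sendto failed: Permission denied
Thu Dec 13 18:19:36 2018 daemon.notice unbound: [4096:0] notice: remote address is 2001:12f8:c::10 port 53
Thu Dec 13 18:19:37 2018 daemon.notice unbound: [4096:1] notice: sendto failed: Permission denied
Thu Dec 13 18:19:37 2018 daemon.notice unbound: [4096:1] notice: remote address is 2001:db8::53 port 53'

# Hypothetical forward-zone stanza; the last entry is deliberately not DoT.
SAMPLE_EXT='forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 192.0.2.1@853#dot.example.net
  forward-addr: 2001:db8::1@853#dot.example.net
  forward-addr: 198.51.100.1'

printf '%s\n' "$SAMPLE_NETSTAT" | dns_listeners
printf '%s\n' "$SAMPLE_LOG" | unbound_send_failures
printf '%s\n' "$SAMPLE_LOG" | failure_families
printf '%s\n' "$SAMPLE_EXT" | forward_addrs
```

On the router the same functions are fed live data: `netstat -lnp | dns_listeners`, `logread | failure_families`, and the forward-zone part of unbound_ext.conf into `forward_addrs`. If `dns_listeners` shows nothing on port 53, clients fall back to whatever resolver the WAN handed out, which is the "goes to my ISP" symptom. If `failure_families` prints `ipv6_only` on a router without a working IPv6 uplink, the places to look are the firewall's output rules for the WAN interface and unbound's IPv6 transport (`do-ip6: no` in a plain unbound.conf); that is a general pointer, not a diagnosis of this thread's setup.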
If you are just following this, dnsmasq should still be at port 53 and talking to unbound at port 53535. It's easier to just show the relevant bits from the /etc/config/ directory.
LOG_NOTICE: Conditions that are not error conditions, but should possibly be handled specially.
As in, "I'm using the built-in root hints, which isn't the best thing in the world. One day you should consider a proper root anchor or set of root hints."
After 5 hours without internet and hours of trying, I gave up and plan to go with dnscrypt.
Does somebody know if adblock will work over dnsmasq with dnscrypt?
I will buy a second router for testing.
Thanks everybody for trying to help.
Have a nice day
Fred
To simplify your life a little bit, a cron job to fetch the root.hints file is major overkill.
That file is used to resolve the Catch-22 of "How do I find a root server by name if I need a root server to determine the IP address of the root server?" The file contents change very, very slowly and as long as you've got one valid entry that's up (of A-M for 18 servers), a robust resolver will work just fine. Once a quarter, once a year, even once every few years is probably more than enough. I'd bet that a 20-year-old root.hints file would be functional today assuming that you've got IPv4 connectivity.