Dear Community,
Hello and I hope that all are both safe and well. I am wondering if anyone can assist me in how to set up UNBOUND on the new OpenWRT snapshots. Specifically, unbound with dnsmasq for DHCP. I wrote many tutorials for OpenWRT DOT using stubby with unbound, dnsmasq.
If anyone can explain this new procedure to me then I will update the tutorials ( write new ones ) for all who used this configuration successfully. Thanks and God Bless. Please do not just point me to the UNBOUND readme as I really need and would prefer more detailed guidance and instructions.
I am well versed in SSH - so uci commands are fine.
This is my old tutorial here for reference below :
Here is how to forward DOT to one of the common choices. Fallback is disabled so unknowns will fail and not go into recursion. IPv6 shown but commented out.
config zone 'fwd_cloudflare'
	option enabled '1'
	option fallback '0'
	option tls_index 'cloudflare-dns.com'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '1.1.1.1'
	list server '1.0.0.1'
	#list server '2606:4700:4700::1111'
	#list server '2606:4700:4700::1001'
	list zone_name '.'
-or-
config zone 'fwd_google'
	option enabled '1'
	option fallback '0'
	option tls_index 'dns.google'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '8.8.4.4'
	list server '8.8.8.8'
	#list server '2001:4860:4860::8844'
	#list server '2001:4860:4860::8888'
	list zone_name '.'
-or-
config zone 'fwd_quad9'
	option enabled '1'
	option fallback '0'
	option tls_index 'dns.quad9.net'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '9.9.9.9'
	list server '149.112.112.112'
	#list server '2620:fe::fe'
	#list server '2620:fe::9'
	list zone_name '.'
Here is how to forward to all of them. You can only have one root zone definition in Unbound. Note however mixing like this may have odd results. They each have their own DNS naughty list (or not) and privacy policy. Quad9 has different server addresses for different behaviors. Read providers respective websites carefully.
config zone 'fwd_everywhere'
	option enabled '1'
	option fallback '0'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	# mixing servers so each line must be fully qualified
	list server '1.1.1.1@853#cloudflare-dns.com'
	list server '1.0.0.1@853#cloudflare-dns.com'
	list server '8.8.4.4@853#dns.google'
	list server '8.8.8.8@853#dns.google'
	list server '9.9.9.9@853#dns.quad9.net'
	list server '149.112.112.112@853#dns.quad9.net'
	list zone_name '.'
As for mixing dnsmasq and unbound the serial method is easiest. dnsmasq serves the local domain as usual, but it believes the only upstream server is the local unbound instance.
Unbound only needs this one UCI change to listen on some other odd port, not #53.
	option listen_port '1053'
dnsmasq needs to be told that all queries can only be answered by local host on #1053. You need to disable the resolve file and tell dnsmasq where to go.
Dear Eric,
Hello and I hope that all is well with you and that you and yours are safe in this world of ours. Thank you so very much for your reply. Which file should I enter the forward zone in - /etc/config/unbound ? or somewhere else ?
Also I want to integrate stubby in with unbound and dnsmasq. Would something like this below work ?:
config zone 'fwd_stubby'
	option enabled '1'
	option fallback '0'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	# mixing servers so each line must be fully qualified
	list server '127.0.0.1@5453#/etc/stubby/stubby.yml file'
Basically - I am trying to follow this guide here below : https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/
The issue which confounds me is - I used to forward dns requests from stubby ( 127.0.0.1#5453 ) to unbound - then move dnsmasq to port 53535
Lastly I would do the following below in dnsmasq file :
nano /etc/config/dhcp
	list server '127.0.0.1#5453' # Stubby/Unbound Default Address/Port
	option noresolv '1' # Make sure to change this as indicated
So - once again thanks for your assistance. I am truly grateful and confused ( a bit less after your intervention ). However - you see I am trying to use stubby along with unbound and serial dnsmasq . That is my ultimate goal. Thanks and God Bless You and Yours
Always In Peace
The forward zones are part of the Unbound UCI file. However now, I don't fully understand your topology. Why stubby and Unbound? Unbound is capable of DOT, and now fixed, it keeps TCP open for a few queries at a time. If you use stubby alone, then you can link it with libunbound and get cache which otherwise it lacks.
If you have Unbound forward to stubby, then disable TLS. Your local host doesn't have a certificate for "localhost" so the connection would fail.
config zone 'fwd_stubby'
	option enabled '1'
	option fallback '0'
	option tls_upstream '0'
	option zone_type 'forward_zone'
	option port '5453'
	list server '127.0.0.1'
	list server '::1'
	list zone_name '.'
Dear Eric,
Thanks a ton for your time, consideration and expertise regarding this matter. So, basically I can and should leave dnsmasq untouched - is that correct ?
Why stubby and Unbound?
The reason I prefer stubby with Unbound is the pinning and other features stubby provides / see below from stubby page on stubby homepage:
Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).
When you say Unbound UCI file - would I edit /etc/config/unbound ? -and if so would this zone go at the end of the file - or is there a designated area in which to enter the configuration which you were kind enough to layout above.
Thanks - and once I get this working - I will write up a new tutorial for those who wish to deploy DOT using stubby and Unbound. Naturally, I will give credit where credit is due - and that means you Eric - if that attribution is OK with you.
Peace and Be well
Dear anomeome,
My man - thank you so very much for this. Between you and Eric - I should be able to get this working ( hopefully ) in some shape, form, or fashion. What has been giving me problems is unbound-control. Do I need to install that package, or am I just better off not bothering with unbound-control at all ? Further to that point - what packages do you suggest to install when attempting to use Unbound with the current snapshots ? I have been using the packages listed below ( as they always worked well together up until the current stable release 19.07.6 ):
Maybe with the new snapshots some of those packages listed above are not needed and / or buggy. Thanks for your assistance. Lastly - do you have any recommendations as to the overall configuration of dns over tls using stubby, dnsmasq and unbound as I used to do as described in the first post - except now with an updated method for the current OpenWRT Snapshots.
Thanks for all the help - Peace and God Bless
Again as shown above, you will need to disable the resolve conf file in dnsmasq, otherwise it will forward to your ISP. Then you need to tell dnsmasq to forward all queries to Unbound at local host. Unbound and Stubby will need to listen on different non-standard ports each. That is I assume you are doing this: LAN -> dnsmasq#53 -> localhost -> unbound#5553 -> localhost -> stubby#5453 -> WAN
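As an added example (not code from this thread, nor from the OpenWrt or Unbound projects), here is a small Python check of the serial chain described in the earlier "serial method" post and restated here: it parses the dnsmasq and Unbound UCI fragments, renders a forward zone's servers in the fully qualified ip@port#name form used in 'fwd_everywhere', and flags the problems raised in this thread (resolv file still enabled, TLS toward localhost, more than one root forward zone, colliding ports). The UCI text and port numbers are constructed to match the thread; parse_uci is a minimal reader for config/option/list lines, not libuci.

```python
# Added example, not OpenWrt or Unbound project code: the UCI fragments are
# constructed from the thread's values; parse_uci is a minimal reader, not libuci.
import re
DHCP_UCI = """config dnsmasq
    option noresolv '1'
    list server '127.0.0.1#5553'
"""
UNBOUND_UCI = """config unbound
    option listen_port '5553'
config zone 'fwd_stubby'
    option enabled '1'
    option tls_upstream '0'
    option port '5453'
    list server '127.0.0.1'
    list zone_name '.'
"""
LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Sections as {type, name, opt, lst} dicts in file order; '#' comments skipped."""
    secs = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            secs.append({"type": key, "name": val, "opt": {}, "lst": {}})
        elif kind == "option":
            secs[-1]["opt"][key] = val
        else:
            secs[-1]["lst"].setdefault(key, []).append(val)
    return secs

def forward_addrs(zone):
    """Servers of a forward_zone in unbound.conf's fully qualified ip@port#name form."""
    o, tls = zone["opt"], zone["opt"].get("tls_upstream") == "1"
    port = o.get("port") or ("853" if tls else "53")        # DoT default is 853
    name = "#" + o["tls_index"] if tls and o.get("tls_index") else ""
    return [s if "@" in s else f"{s}@{port}{name}" for s in zone["lst"].get("server", [])]

def check_chain(dhcp_text, unbound_text, stubby_port):
    """Problems with LAN -> dnsmasq#53 -> unbound -> stubby; an empty list is consistent."""
    dns = next(s for s in parse_uci(dhcp_text) if s["type"] == "dnsmasq")
    ub = parse_uci(unbound_text)
    ub_port = next(s for s in ub if s["type"] == "unbound")["opt"].get("listen_port", "53")
    roots = [z for z in ub if z["type"] == "zone" and z["opt"].get("enabled") == "1"
             and "." in z["lst"].get("zone_name", [])]
    checks = [
        (dns["opt"].get("noresolv") == "1", "dnsmasq: noresolv '1' missing, ISP resolvers still used"),
        (f"127.0.0.1#{ub_port}" in dns["lst"].get("server", []), f"dnsmasq: no server 127.0.0.1#{ub_port}"),
        (len({"53", ub_port, str(stubby_port)}) == 3, "dnsmasq, unbound and stubby need three distinct ports"),
        (len(roots) == 1, "unbound: exactly one enabled forward zone for '.' is allowed"),
        (bool(roots) and roots[0]["opt"].get("tls_upstream") != "1", "unbound: TLS to localhost fails (no cert)"),
        (bool(roots) and f"127.0.0.1@{stubby_port}" in forward_addrs(roots[0]), "unbound: '.' not sent to stubby"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run check_chain on the real /etc/config/dhcp and /etc/config/unbound contents (with the port stubby listens on) and fix whatever it reports before restarting the services.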
Dear Eric,
Thanks once again - can you set me straight on this inquiry before I dive into the pool - thanks in advance :
What packages do you suggest to install when attempting to use Unbound with the current snapshots ? I have been using the packages listed below ( as they always worked well together up and until current stable release 19.07.6 ):
opkg update ; opkg install unbound-daemon unbound-control unbound-control-setup luci-app-unbound unbound-anchor unbound-host stubby getdns unbound-checkconf odhcpd
I just want to be sure that I am not installing any packages which are superfluous and / or not necessary for Unbound to work
I keep getting an error with the old setup - that said "unbound-control is set to no" - and this caused Unbound to go into a loop and continually crash. So, I am asking, is it best to omit unbound-control altogether ?
Lastly, I am just about ready to tackle this. I can not begin to fully express my most sincere gratitude and appreciation for all the patience and assistance which you have given me here.
My understanding is much improved as to how to handle this. I just need your recommendation as to the unbound package ( s ) to install - and I will take it from there.
should be enough to just get unbound w. LuCI GUI. That being said, I have no idea what options are used by the bot for libunbound generation, and would assume your loop / crash is probably self-inflicted; it has been ~year since I have seen anything untoward with unbound in my environs.
Thanks anomeome - I ( at this point concur with your opinion that less is more ) - once again - I appreciate your help - so I am going to take a stab at this now - and will report back to you and Eric as to how I fared in this undertaking
Peace To You Guys
The crashing has nothing to do with unbound-control. The crashing is caused by the installation routine. It assumes that no other program uses port 53, but dnsmasq does. Therefore unbound can't claim port 53 and crashes.
In order to solve the issue you must assign another port for unbound and start it again.
Thanks - I did give that a try - I did move Unbound to port '1053' as suggested by Eric - and still I got crashes - although the log message "unbound-control is set to no" was no longer present
I think something is wrong with Unbound package in the snapshot repo
I read something about this being a possibility here :
Dear Barney, vgaetera, Eric, anomeome and all who have helped me so far,
If folks check out the tutorial which I authored in the OP - I am well versed and experienced in setting this whole thing up. Specifically, with regard to moving Unbound to another port - I followed this guide below :
# Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
# Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
uci set 'dhcp.@dnsmasq[0].port=53535'
# Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
# since it does not do this by default when port is configured.
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'
# Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)
uci commit
# Restart (or start) unbound (System -> Startup -> unbound -> Restart)
/etc/init.d/unbound restart
So, I do appreciate all the help. But if anyone cares to read through the entire guides of mine and / or Torsten's - and offer any advice as to how to get this working on the new OpenWRT snapshots - I will be most grateful. However, I can tell you all ( as I stated earlier ) the setup I wrote up still works flawlessly on current stable 19.07.6 builds. I am running hnyman's Build for Netgear R7800 - stable openwrt-19.07 owrt1907-r11285 now with absolutely no issues whatsoever. Maybe there are bugs in Unbound with regard to the snapshots. However, I am appreciative to all - have my eyes and ears still open and hopefully in time - I will finally get this working on the snapshots.
What I am ultimately seeking to find out is: are there any changes in Unbound 1.13.0-1 ( the current Unbound version in Snapshots ) with regard to how it needs to be configured so that it will work as detailed in the OP tutorial ?
Peace and God Bless All
Dear All Who Have Helped Me So Far,
I am going to give this one more try - these are the Unbound packages which run flawlessly on hnyman's Build for Netgear R7800 - stable openwrt-19.07 owrt1907-r11285
I do notice that unbound-daemon-heavy is not available in the Snapshot package repository ; I read somewhere in the forums that its absence may cause some issues with Unbound.
So, I am going to install and configure Unbound 1.13.0-1 on Snapshot instance. Then I will report back after running command
unbound -d -c /var/lib/unbound/unbound.conf -vvvv
as you have suggested. Thanks for all the assistance once again.
Peace