Proper Setup For New Native Unbound DNS-Over-TLS Feature Starting With UNBOUND 1.7.1

Hello All,
First, read this quote from Daniel Aleksandersen - the author of the first article referenced in this post entitled
" Actually secure DNS over TLS in Unbound ".

For all of those who are using UNBOUND with tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt option:
This will have to wait until OpenSSL 1.1.x is included in OpenWrt/Lede or Unbound devs to find a way to validate it without using a function only available in OpenSSL 1.1.x - so the current OpenSSL version ( 1.0.2o ) does not support this feature. If you need more storage and swap memory for your router see here: http://ediy.com.my/index.php/blog/item/118-how-to-increase-storage-on-tp-link-tl-mr3020-with-extroot and here: https://samhobbs.co.uk/2013/11/more-space-for-packages-with-extroot-on-your-openwrt-router.

You’ll find quite a few blog posts and tutorials on how to configure encrypted DNS over TLS forwarding in Unbound. I’ve yet to find a single one that actually sets up TLS securely with certificate domain validation, however. Without TLS certificate domain validation your DNS can still be intercepted, monitored, or manipulated by a man-in-the-middle attacker with nothing more than a self-signed certificate. Here is how you set it up more securely.

I am the guy - directnupe - who wrote the guides - https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/ and Adding DNS-Over-TLS support to OpenWrt (LEDE) with Unbound. You also can leave out GETDNS and STUBBY see here: https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/
Prerequisite
You have a ca cert bundle installed on your router.
You can do this by running the following
opkg update / opkg install ca-certificates / opkg install luci-ssl

For DNS-Over-TLS support to OpenWRT (LEDE) with Unbound without GETDNS and STUBBY - see these articles - https://www.ctrl.blog/entry/unbound-tls-forwarding and https://www.monperrus.net/martin/randomization-encryption-dns-requests

In OpenWrt / Lede the ca-certificates package is located in /etc/ssl/certs/ca-certificates.crt much like Debian/Ubuntu.
So actually as the title of the article says in order to " Actually secure DNS over TLS in Unbound " you should configure it thusly:

First go into SSH and enter : nano/etc/unbound/unbound_srv.conf
enter the following in the new file:

server:
access-control: 127.0.0.0/8 allow # install unbound-control
interface: 127.0.0.1
minimal-responses: yes
cache-max-ttl: 14400
cache-min-ttl: 900
do-tcp: yes
hide-identity: yes
hide-version: yes
minimal-responses: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
verbosity: 1
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt

Then hit ( Ctrl + o ) - you will be asked to write file - hit enter to save file
then ( Ctrl + x ) to close file and go back into shell

Next go into SSH enter : nano /etc/unbound/unbound_ext.conf

forward-zone:
name: "." # Allow all DNS queries

forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
forward-addr: 185.49.141.37@853#getdnsapi.net
forward-addr: 199.58.81.218@443#dns.cmrg.net
forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
forward-ssl-upstream: yes

Then hit ( Ctrl + o ) - you will be asked to write file - hit enter to save file
then ( Ctrl + x ) to close file and go back into shell

Lastly, on Wan use 127.0.0.1 as first DNS Server then your VPN Provider DNS Servers or
http://www.freenom.world/en/index.html?lang=en Servers

I use GetDns Stubby and Unbound - so this is not how I employ DNS-Over-TLS ( see first 2 links above if you wish to take a look at that option )

See original post here: ( near bottom of page )

Take a look at the following guides: https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/ 1
It is for DNS OVER TLS - This method combines Unbound (as a caching proxy) and Stubby (as fully featured TLS forwarder).

Peace and God Bless,

directnupe

3 Likes

It looks like from the release notes for 1.7.1, that unbound can still benefit from stubby to manage the TLS connections and their reuse, yes?

Yes - and if you read carefully - you see that I have written up tutorial ( s ) on the subject of DNS-Over-TLS support to OpenWRT (LEDE) with Unbound using GETDNS and STUBBY. They are the first two links mentioned in this post. And yes you are correct. Read here from the linked tutorial above:

Unbound As A DNS TLS Client Features:
Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).

I do indicate that I still prefer GETDNS and STUBBY for all the reasons I list in the tutorial as STUBBY is a fully featured TLS forwarder. There is even work to bring caching capability to STUBBY in the near future.
With all that being said there are those who may have difficulties installing and configuring all the components necessary for DNS-Over-TLS for OpenWRT (LEDE) with Unbound - using STUBBY and GETDNS.
For that reason. I thought that I would share a method of encrypting one's DNS on OpenWrt / LEDE that is less labor intensive and sophisticated in its' setup and implementation. DNS PRIVACY ( the developers of GETDNS and STUBBY ) state on their website and I quote " Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way! " So, that in a nutshell is why I am sharing this simpler alternative for DNS OVER TLS with UNBOUND for OpenWrt / LEDE.

2 Likes

@directnupe

Nice tutorial as usual.

One question:

What should be the dns in the wan? Leave it blank?

Dear itachi,
Thanks for the compliment. And how are you doing? As far as DNS look at this:
https://artkus.com/DNS-over-TLS.html

First go into SSH shell and enter : nano /etc/unbound/unbound_srv.conf
enter the following in the new file:

server:
access-control: 127.0.0.0/8 allow # install unbound-control
interface: 127.0.0.1
minimal-responses: yes
cache-max-ttl: 14400
cache-min-ttl: 900
do-tcp: yes
hide-identity: yes
hide-version: yes
minimal-responses: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
verbosity: 1
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt

Next go into SSH shell and enter : nano /etc/unbound/unbound_ext.conf
enter the following in the new file:

forward-zone:
name: "."    # Allow all DNS queries

forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com  
forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com  
forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at 
forward-addr: 185.49.141.37@853#getdnsapi.net  
forward-addr: 199.58.81.218@443#dns.cmrg.net 
forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
forward-ssl-upstream: yes

Lastly, on Wan use 127.0.0.1 as first DNS Server then your VPN Provider DNS Servers or
http://www.freenom.world/en/index.html?lang=en Servers

Peace,

directnupe

1 Like

Would it be possible to use stubby with dnsmasq, skipping the need for unbound completely?

Only problem with stubby is that it does not support uci. In the rest stubby significantly better.

Hi @directnupe

Unbound 1.7.3-2 crash with two option in unbound_srv.conf:

access-control: 127.0.0.0/8 allow
interface: 127.0.0.1

When remove it, everything work well.

Logread:
daemon.info procd: Instance unbound::unbound s in a crash loop 6 crashes, 2 seconds since last crash

Dear leeandy,
OK - I use DNS OVER TLS - using Stubby.
Would you use :slight_smile:
interface-automatic: yes
Like for Stubby.

Peace,

directnupe

Is there an advantage of customising your own config (/etc/unbound/unbound.conf) over using the UCI version? UCI's version of unbound config is in /etc/config/unbound, and it will generate everything within /tmp/lib/unbound/ directory:

I know this is old, but I just found out Unbound itself supports DNS-over-TLS and am looking into this myself. From what I can tell, not all Unbound options are parsed by the UCI implementation, which is why people are being pointed to the /etc/unbound/unbound_* files.

I cannot find the tls-cert-bundle option in /usr/lib/unbound/unbound.sh e.g.. The DoT guide for Unbound in the wiki points to the extended configuration files as well.

I think the maintainer is accepting PR's but that means someone should implement it and open a PR of course, to add the functionality.