Hello All,
First, read this quote from Daniel Aleksandersen - the author of the first article referenced in this post entitled
" Actually secure DNS over TLS in Unbound ".
For all of those who are using UNBOUND with tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt option:
This will have to wait until OpenSSL 1.1.x is included in OpenWrt/Lede or Unbound devs to find a way to validate it without using a function only available in OpenSSL 1.1.x - so the current OpenSSL version ( 1.0.2o ) does not support this feature. If you need more storage and swap memory for your router see here: http://ediy.com.my/index.php/blog/item/118-how-to-increase-storage-on-tp-link-tl-mr3020-with-extroot and here: https://samhobbs.co.uk/2013/11/more-space-for-packages-with-extroot-on-your-openwrt-router.
You’ll find quite a few blog posts and tutorials on how to configure encrypted DNS over TLS forwarding in Unbound. I’ve yet to find a single one that actually sets up TLS securely with certificate domain validation, however. Without TLS certificate domain validation your DNS can still be intercepted, monitored, or manipulated by a man-in-the-middle attacker with nothing more than a self-signed certificate. Here is how you set it up more securely.
I am the guy - directnupe - who wrote the guides - https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/ and Adding DNS-Over-TLS support to OpenWrt (LEDE) with Unbound. You also can leave out GETDNS and STUBBY see here: https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/
Prerequisite
You have a ca cert bundle installed on your router.
You can do this by running the following
opkg update / opkg install ca-certificates / opkg install luci-ssl
For DNS-Over-TLS support to OpenWRT (LEDE) with Unbound without GETDNS and STUBBY - see these articles - https://www.ctrl.blog/entry/unbound-tls-forwarding and https://www.monperrus.net/martin/randomization-encryption-dns-requests
In OpenWrt / Lede the ca-certificates package is located in /etc/ssl/certs/ca-certificates.crt much like Debian/Ubuntu.
So actually as the title of the article says in order to " Actually secure DNS over TLS in Unbound " you should configure it thusly:
First go into SSH and enter : nano/etc/unbound/unbound_srv.conf
enter the following in the new file:
server:
access-control: 127.0.0.0/8 allow # install unbound-control
interface: 127.0.0.1
minimal-responses: yes
cache-max-ttl: 14400
cache-min-ttl: 900
do-tcp: yes
hide-identity: yes
hide-version: yes
minimal-responses: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
verbosity: 1
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt
Then hit ( Ctrl + o ) - you will be asked to write file - hit enter to save file
then ( Ctrl + x ) to close file and go back into shell
Next go into SSH enter : nano /etc/unbound/unbound_ext.conf
forward-zone:
name: "." # Allow all DNS queries
forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
forward-addr: 185.49.141.37@853#getdnsapi.net
forward-addr: 199.58.81.218@443#dns.cmrg.net
forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
forward-ssl-upstream: yes
Then hit ( Ctrl + o ) - you will be asked to write file - hit enter to save file
then ( Ctrl + x ) to close file and go back into shell
Lastly, on Wan use 127.0.0.1 as first DNS Server then your VPN Provider DNS Servers or
http://www.freenom.world/en/index.html?lang=en Servers
I use GetDns Stubby and Unbound - so this is not how I employ DNS-Over-TLS ( see first 2 links above if you wish to take a look at that option )
See original post here: ( near bottom of page )
Take a look at the following guides: https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/ 1
It is for DNS OVER TLS - This method combines Unbound (as a caching proxy) and Stubby (as fully featured TLS forwarder).
Peace and God Bless,
directnupe
