Folks
I got a lot of help on this forum to install a standalone Unbound on a spare WNDR4700 which had been flashed with OpenWrt. I feel my internet browsing is more responsive. I suspect that may be because instead of making several DNS requests to outside DNS, it now gets served by local DNS.
Recipe:
After flashing Rev 25.05.5, I added a spare, unused 2.5" SATA drive (250GB) and extrooted onto it.
Then I installed the following packages (some of these may not be needed, but I had a lot of spare storage):
opkg update && opkg install nano rsync luci-theme-material luci-theme-openwrt-2020 luci-app-ttyd auc luci-app-attendedsysupgrade unbound-daemon unbound-control unbound-control-setup luci-app-unbound unbound-anchor unbound-host unbound-checkconf
After that I disabled the firewall and dnsmasq, deleted the WAN interface and turned it into a dumb switch with 5 ports. Then I installed odhcpd and removed dnsmasq. My switch is configured with a fixed IP address / MAC address, statically assigned by the AT&T-supplied CPE.
I did a very simple Unbound configuration using LuCI, and here is the content of /etc/config/unbound:
config unbound 'ub_main'
	option add_extra_dns '3'
	option add_local_fqdn '2'
	option add_wan_fqdn '1'
	option dhcp_link 'odhcpd'
	option dhcp4_slaac6 '1'
	option dns64 '0'
	option domain 'lan'
	option domain_type 'transparent'
	option edns_size '1232'
	option extended_stats '1'
	option hide_binddata '1'
	option interface_auto '1'
	option listen_port '53'
	option localservice '0'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'ip6_local'
	option rate_limit '0'
	option rebind_localhost '0'
	option rebind_protection '0'
	option recursion 'aggressive'
	option resource 'medium'
	option root_age '9'
	option ttl_min '120'
	option ttl_neg_max '1000'
	option unbound_control '1'
	option validator '0'
	option verbosity '1'
	option enabled '1'
	option iface_lan 'lan'
	option iface_wan 'lan'
	option iface_trig 'lan'

config zone 'auth_icann'
	option enabled '1'
	option fallback '1'
	option url_dir 'https://www.internic.net/domain/'
	option zone_type 'auth_zone'
	list server 'lax.xfr.dns.icann.org'
	list server 'iad.xfr.dns.icann.org'
	list zone_name '.'
	list zone_name 'arpa.'
	list zone_name 'in-addr.arpa.'
	list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
	option enabled '0'
	option fallback '1'
	option resolv_conf '1'
	option zone_type 'forward_zone'
	list zone_name 'isp-bill.example.com.'
	list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
	option enabled '0'
	option fallback '1'
	option tls_index 'dns.google'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '8.8.4.4'
	list server '8.8.8.8'
	list server '2001:4860:4860::8844'
	list server '2001:4860:4860::8888'
	list zone_name '.'

config zone 'fwd_cloudflare'
	option enabled '0'
	option fallback '1'
	option tls_index 'cloudflare-dns.com'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '1.1.1.1'
	list server '1.0.0.1'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'
	list zone_name '.'
Also, I removed all external DNS addresses from all interfaces and pointed them to my internal interface at 192.168.200.100.
Here is the result, showing the improvement with dig, after completing the setup:
agarg@ZBOX-CI327:~$ while true; do dig openwrt.org @192.168.200.100 | grep time; sleep 2; done
;; Query time: 6 msec
;; Query time: 6 msec
;; Query time: 5 msec
;; Query time: 7 msec
;; Query time: 5 msec
^C
agarg@ZBOX-CI327:~$ while true; do dig openwrt.org @9.9.9.9 | grep time; sleep 2; done
;; Query time: 30 msec
;; Query time: 26 msec
;; Query time: 26 msec
;; Query time: 26 msec
^C
agarg@ZBOX-CI327:~$ while true; do dig openwrt.org @8.8.8.8 | grep time; sleep 2; done
;; Query time: 34 msec
;; Query time: 33 msec
;; Query time: 33 msec
;; Query time: 34 msec
;; Query time: 34 msec
^C
agarg@ZBOX-CI327:~$ while true; do dig openwrt.org @1.1.1.1 | grep time; sleep 2; done
;; Query time: 27 msec
;; Query time: 27 msec
;; Query time: 27 msec
;; Query time: 26 msec
^C
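A few of the options in the posted /etc/config/unbound are security-relevant rather than performance-relevant: `validator '0'` leaves DNSSEC validation off, `rebind_protection '0'` leaves private-address answers from upstream unfiltered, and `localservice '0'` lets the resolver answer queries from any source address (how much that last one matters depends on topology; the box above has no WAN interface and sits behind the CPE). The script below is an added example, not the poster's code or part of luci-app-unbound: it parses a UCI file with a small hand-written parser, reports which of those options differ from the hardened value, and writes back a corrected main section. The option semantics ('1' enables each feature) are assumed from the luci-app-unbound option names and should be checked against the documentation of the installed version; the embedded sample is a constructed subset of the posted config plus an invented `fwd_plain` forwarder, and `MAIN_EXPECTATIONS`, `parse_uci`, `audit` and `harden` are names chosen here.

```python
"""Audit and harden resolver-security options in an OpenWrt /etc/config/unbound (UCI) file.
Added example; parser handles the config/option/list subset of UCI used by that file."""
import re

# Constructed sample: the first two sections are a subset of the posted config,
# 'fwd_plain' is an invented, enabled forwarder without DNS-over-TLS.
SAMPLE_UCI = """\
config unbound 'ub_main'
	option validator '0'
	option rebind_protection '0'
	option rebind_localhost '0'
	option localservice '0'
	option edns_size '1232'
	option enabled '1'

config zone 'fwd_cloudflare'
	option enabled '0'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '1.1.1.1'
	list zone_name '.'

config zone 'fwd_plain'
	option enabled '1'
	option zone_type 'forward_zone'
	list server '192.0.2.53'
	list zone_name 'example.net.'
"""

# Hardened value and rationale per main-section option. Assumed semantics from
# the luci-app-unbound option names: '1' turns the protection on.
MAIN_EXPECTATIONS = {
    "validator": ("1", "DNSSEC validation is off; forged or tampered answers are accepted"),
    "rebind_protection": ("1", "private-address answers from upstream are not dropped (DNS rebinding)"),
    "localservice": ("1", "queries are accepted from any source address, not only local subnets"),
}

# One UCI statement: keyword, key, optional value in single/double quotes or bare.
_LINE = re.compile(r"""^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|"([^"]*)"|(\S+)))?\s*$""")


def parse_uci(text):
    """Return [(section_type, section_name_or_None, {key: [values...]}), ...].
    Both option and list values are kept as lists so repeated keys survive."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable UCI line: {raw!r}")
        kind, key = m.group(1), m.group(2)
        value = next((v for v in m.groups()[2:] if v is not None), None)
        if kind == "config":
            current = (key, value, {})
            sections.append(current)
        elif current is None:
            raise ValueError("option/list before any config section")
        else:
            current[2].setdefault(key, []).append(value)
    return sections


def _last(opts, key, default=None):
    """UCI keeps the last assignment of a repeated option; mirror that."""
    return opts.get(key, [default])[-1]


def audit(sections):
    """Return findings as (section, option, current, wanted, reason) tuples."""
    findings = []
    for stype, name, opts in sections:
        if stype == "unbound":
            for key, (want, why) in MAIN_EXPECTATIONS.items():
                got = _last(opts, key)
                if got != want:
                    findings.append((name, key, got, want, why))
        elif stype == "zone" and _last(opts, "zone_type") == "forward_zone":
            # Treat a missing 'enabled' as off (conservative assumption about the default).
            if _last(opts, "enabled", "0") == "1" and _last(opts, "tls_upstream", "0") != "1":
                findings.append((name, "tls_upstream", _last(opts, "tls_upstream"), "1",
                                 "enabled forwarder sends queries upstream in cleartext"))
    return findings


def harden(text):
    """Rewrite the main-section options to their hardened values, appending any that
    are missing; other sections (zones) are returned untouched for manual review."""
    out, in_main, seen = [], False, set()

    def flush():  # append missing options before the blank lines that end the section
        missing = [f"\toption {k} '{v}'" for k, (v, _) in MAIN_EXPECTATIONS.items() if k not in seen]
        i = len(out)
        while i > 0 and not out[i - 1].strip():
            i -= 1
        out[i:i] = missing

    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m and m.group(1) == "config":
            if in_main:
                flush()
            in_main, seen = m.group(2) == "unbound", set()
        elif in_main and m and m.group(1) == "option" and m.group(2) in MAIN_EXPECTATIONS:
            seen.add(m.group(2))
            raw = f"\toption {m.group(2)} '{MAIN_EXPECTATIONS[m.group(2)][0]}'"
        out.append(raw)
    if in_main:
        flush()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for section, option, got, want, why in audit(parse_uci(SAMPLE_UCI)):
        print(f"{section}: {option}={got!r} (want {want!r}): {why}")
    print(harden(SAMPLE_UCI))
```

Run it against a copy of the live file with `ssh root@192.168.200.100 cat /etc/config/unbound` piped into `parse_uci`, and apply the hardened text with `uci` or by writing it back and running `/etc/init.d/unbound restart`; turning `validator` on also needs a working root trust anchor (the post installs unbound-anchor), so confirm with `unbound-host -D -v openwrt.org` that answers come back `(secure)` before relying on it.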