[Solved] Using unbound along with vpn-policy-based-routing

It appears that dnsmasq is still working as your main DNS server.

uci show dhcp

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.@dnsmasq[0].dnssec='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.ra='server'
dhcp.lan.ignore='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'


Specify an alternative free port:

uci set unbound.@unbound[0].listen_port="5053"
uci commit unbound
/etc/init.d/unbound restart

And perform the troubleshooting again.

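A check for the port-clash diagnosis in this post, added here as an example and not part of the thread: it parses the output of netstat -l -n -p (the format shown in this thread), reports which program owns each DNS listening socket, and fails when a port is not held by the daemon you expect. The sample netstat output and its pids are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): find out which daemon owns the DNS
# listening sockets, so a clash between dnsmasq and Unbound is spotted before
# touching listen_port. Feed it `netstat -l -n -p` output; run as root, or the
# program column is "-" and the socket is skipped.

# dns_sockets: print "proto port pid/program" for every socket on a DNS port.
# Reads netstat output on stdin.
dns_sockets() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")          # port follows the last colon (v4 and v6)
            port = a[n]
            if (port != "53" && port != "5053") next
            if ($NF !~ /^[0-9]+\//) next   # "-": netstat was run without root
            print $1, port, $NF
        }'
}

# owner_of_port PORT: distinct program names bound to PORT, space separated.
owner_of_port() {
    dns_sockets | awk -v p="$1" '$2 == p { sub(/^[0-9]+\//, "", $3); print $3 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# expect_owner PORT NAME: succeed only if PORT is owned exclusively by NAME.
expect_owner() {
    [ "$(owner_of_port "$1")" = "$2" ]
}

# Constructed sample: the state from earlier in the thread, dnsmasq still on
# :53 while Unbound sits on :5053 (pids are made up).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 :::53                   :::*                    LISTEN      1234/dnsmasq
tcp        0      0 0.0.0.0:5053            0.0.0.0:*               LISTEN      6548/unbound
tcp        0      0 :::5053                 :::*                    LISTEN      6548/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1234/dnsmasq
udp        0      0 0.0.0.0:5053            0.0.0.0:*                           6548/unbound'

# On the router: netstat -l -n -p | dns_sockets
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | dns_sockets
if printf '%s\n' "$SAMPLE_NETSTAT" | expect_owner 53 unbound; then
    echo "port 53 belongs to Unbound"
else
    echo "port 53 still belongs to: $(printf '%s\n' "$SAMPLE_NETSTAT" | owner_of_port 53)"
fi
```

Run it again after the dnsmasq DNS role is disabled and Unbound is back on 53; expect_owner 53 unbound should then succeed and expect_owner 5053 unbound should fail, since nothing should be left listening there.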

Looks much better!


root@OpenWrt:/etc/config# logread -e unbound; netstat -l -n -p | grep -e unbound
Mon Jan  4 14:20:25 2021 daemon.notice unbound: [6548:0] notice: init module 0: validator
Mon Jan  4 14:20:25 2021 daemon.notice unbound: [6548:0] notice: init module 1: iterator
Mon Jan  4 14:20:25 2021 daemon.info unbound: [6548:0] info: start of service (unbound 1.11.0).
tcp        0      0 0.0.0.0:5053            0.0.0.0:*               LISTEN      6548/unbound
tcp        0      0 :::5053                 :::*                    LISTEN      6548/unbound
udp        0      0 0.0.0.0:5053            0.0.0.0:*                           6548/unbound
udp        0      0 :::5053                 :::*                                6548/unbound
root@OpenWrt:/etc/config# pgrep -f -a unbound
6548 /usr/sbin/unbound -d -c /var/lib/unbound/unbound.conf
root@OpenWrt:/etc/config# uci show unbound
unbound.@unbound[0]=unbound
unbound.@unbound[0].add_extra_dns='0'
unbound.@unbound[0].add_local_fqdn='1'
unbound.@unbound[0].add_wan_fqdn='0'
unbound.@unbound[0].dhcp_link='none'
unbound.@unbound[0].dns64='0'
unbound.@unbound[0].domain='lan'
unbound.@unbound[0].domain_type='static'
unbound.@unbound[0].edns_size='1280'
unbound.@unbound[0].extended_stats='0'
unbound.@unbound[0].hide_binddata='1'
unbound.@unbound[0].interface_auto='1'
unbound.@unbound[0].localservice='1'
unbound.@unbound[0].manual_conf='0'
unbound.@unbound[0].num_threads='1'
unbound.@unbound[0].protocol='default'
unbound.@unbound[0].rate_limit='0'
unbound.@unbound[0].rebind_localhost='0'
unbound.@unbound[0].rebind_protection='1'
unbound.@unbound[0].recursion='default'
unbound.@unbound[0].resource='default'
unbound.@unbound[0].root_age='9'
unbound.@unbound[0].ttl_min='120'
unbound.@unbound[0].unbound_control='0'
unbound.@unbound[0].validator_ntp='1'
unbound.@unbound[0].verbosity='1'
unbound.@unbound[0].trigger_interface='lan' 'wan'
unbound.@unbound[0].enabled='1'
unbound.@unbound[0].validator='1'
unbound.@unbound[0].listen_port='5053'
unbound.forward=zone
unbound.forward.enabled='1'
unbound.forward.fallback='0'
unbound.forward.zone_type='forward_zone'
unbound.forward.tls_upstream='1'
unbound.forward.tls_index='dns.google'
unbound.forward.zone_name='.'
unbound.forward.server='2001:4860:4860::8888' '2001:4860:4860::8844' '8.8.8.8' '8.8.4.4'

What’s next?


Disable dnsmasq DNS role:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#disabling_dns_role

Set Unbound as default DNS:

uci set unbound.@unbound[0].listen_port="53"
uci commit unbound
/etc/init.d/unbound restart

Did it


root@OpenWrt:/etc/config# logread -e unbound; netstat -l -n -p | grep -e unbound
Mon Jan  4 14:29:27 2021 daemon.notice unbound: [7067:0] notice: init module 0: validator
Mon Jan  4 14:29:27 2021 daemon.notice unbound: [7067:0] notice: init module 1: iterator
Mon Jan  4 14:29:27 2021 daemon.info unbound: [7067:0] info: start of service (unbound 1.11.0).
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      7067/unbound
tcp        0      0 :::53                   :::*                    LISTEN      7067/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           7067/unbound
udp        0      0 :::53                   :::*                                7067/unbound


Is unbound working now?
vpn-pbr seems to work too...
Should I restart the router to test if everything works after a reboot?

Check out:

cat /etc/resolv.conf; nslookup example.org

Well, it doesn't hurt to try.


I did a reboot. Seems to work...


# /tmp/resolv.conf generated by Unbound UCI 2021-01-04T14:37:55+0100
nameserver 127.0.0.1
nameserver ::1
search lan.
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1


Hmmm. My OpenVPN tunnel and adblock seem to have stopped working...

uci set adblock.global.adb_dns="unbound"
uci commit adblock
/etc/init.d/adblock restart

See also: Adblock Config Options

In addition, performing DNSSEC locally is known to be problematic, so it's best to disable:

uci set unbound.@unbound[0].validator="0"
uci commit unbound
/etc/init.d/unbound restart

And rely on the upstream DNS provider that supports DNSSEC.


Great, VPN and adblock seem to work!
vpn-pbr is working, too! :smile:


One last thing.
Could you please help me to set up a DNS over TLS connection to a DNS provider which protects my privacy?

This mostly depends on personal preferences.
Select a DoT provider that you trust and reconfigure Unbound accordingly.

I think I will choose 1.1.1.1
Is DNSSEC and DNS over TLS set by default?
Do I just have to change the IP address in the unbound config file?
Doesn't DNS over TLS need a key or something within the config?


Good, major providers are typically more fault-tolerant.

Yep, for Cloudflare.

The server certificate should be verified using the ca-bundle package and the option tls_index in the unbound config that you should specify according to the link above.

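The Cloudflare DoT setup discussed above, written out as an added example (not code from the thread or from the OpenWrt unbound package). It generates the uci batch commands that replace the thread's Google forward zone with Cloudflare's, and it audits a uci show unbound dump for the settings that make DoT worth having: tls_upstream=1, a tls_index name for certificate verification, fallback=0, and only the intended forwarders. The Cloudflare addresses and the certificate name cloudflare-dns.com are public facts; the function names, the two sample dumps and their values are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenWrt unbound package.
# Part 1 emits a `uci batch` script that moves the forward zone to Cloudflare DoT.
# Part 2 audits a `uci show unbound` dump for the properties that make DoT
# protective: TLS upstream on, a certificate name to verify (tls_index), no
# fallback to plain recursion, and only the intended forwarders.
# Cloudflare addresses and cloudflare-dns.com are public; the dumps are constructed.

CLOUDFLARE_SERVERS="1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001"

# Part 1. On the router: cloudflare_dot_batch | uci batch && /etc/init.d/unbound restart
cloudflare_dot_batch() {
    cat <<EOF
set unbound.forward=zone
set unbound.forward.enabled=1
set unbound.forward.fallback=0
set unbound.forward.zone_type=forward_zone
set unbound.forward.zone_name=.
set unbound.forward.tls_upstream=1
set unbound.forward.tls_index=cloudflare-dns.com
delete unbound.forward.server
$(for s in $CLOUDFLARE_SERVERS; do echo "add_list unbound.forward.server=$s"; done)
commit unbound
EOF
}

# Part 2. uci_value KEY: value of KEY from a `uci show` dump on stdin, quotes
# stripped, list items space separated, empty if the key is absent.
uci_value() {
    awk -F= -v k="$1" '$1 == k { v = substr($0, length(k) + 2); gsub(/'\''/, "", v); print v }'
}

# check LABEL ACTUAL EXPECTED: print PASS/FAIL and record failures in AUDIT_RC.
check() {
    if [ "$2" = "$3" ]; then
        echo "PASS $1"
    else
        echo "FAIL $1 (got '${2:-unset}', want '$3')"
        AUDIT_RC=1
    fi
}

# audit_dot: read a `uci show unbound` dump on stdin; return 1 if any check fails.
audit_dot() {
    dump=$(cat)
    AUDIT_RC=0
    check "tls_upstream=1 (forward over TLS)" \
        "$(printf '%s\n' "$dump" | uci_value unbound.forward.tls_upstream)" 1
    check "fallback=0 (no plain recursion if the forwarders fail)" \
        "$(printf '%s\n' "$dump" | uci_value unbound.forward.fallback)" 0
    name=$(printf '%s\n' "$dump" | uci_value unbound.forward.tls_index)
    check "tls_index set (server certificate name is verified)" "${name:+set}" set
    for s in $(printf '%s\n' "$dump" | uci_value unbound.forward.server); do
        case " $CLOUDFLARE_SERVERS " in
            *" $s "*) echo "PASS forwarder $s" ;;
            *)        echo "FAIL forwarder $s is not a Cloudflare DoT address"; AUDIT_RC=1 ;;
        esac
    done
    return $AUDIT_RC
}

# Constructed dumps in the shape `uci show unbound` prints (see the thread).
GOOD_DUMP="unbound.forward=zone
unbound.forward.enabled='1'
unbound.forward.fallback='0'
unbound.forward.zone_type='forward_zone'
unbound.forward.tls_upstream='1'
unbound.forward.tls_index='cloudflare-dns.com'
unbound.forward.zone_name='.'
unbound.forward.server='1.1.1.1' '1.0.0.1' '2606:4700:4700::1111' '2606:4700:4700::1001'"

# Plain, unverified forwarding to a different resolver: every check should fail.
BAD_DUMP="unbound.forward=zone
unbound.forward.enabled='1'
unbound.forward.fallback='1'
unbound.forward.zone_type='forward_zone'
unbound.forward.tls_upstream='0'
unbound.forward.zone_name='.'
unbound.forward.server='8.8.8.8'"

# Offline demo; on the router: uci show unbound | audit_dot
printf '%s\n' "$GOOD_DUMP" | audit_dot
```

The tls_index check is the one that matters most: with tls_upstream=1 but no tls_index, Unbound still encrypts the connection but has no name to verify the server certificate against, so the ca-bundle package mentioned above buys you nothing.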

I think I got it...

What does Encrypted SNI mean? Is this relevant for a private person?

If I get it right the only thing that is visible is, that I am making TLS requests to 1.1.1.1, right?

ESNI/ECH is a separate feature related to HTTP/HTTPS protocols with its own security implications:
https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications

Its support relies on the web server and client browser, so it's unrelated to OpenWrt.


Okay. Thank you very much!

Everything works now as expected!


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
