It appears that dnsmasq is still working as your main DNS server.
uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.@dnsmasq[0].dnssec='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.ra='server'
dhcp.lan.ignore='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
Specify an alternative free port:
uci set unbound.@unbound[0].listen_port="5053"
uci commit unbound
/etc/init.d/unbound restart
And perform the troubleshooting again.
Looks much better!
root@OpenWrt:/etc/config# logread -e unbound; netstat -l -n -p | grep -e unbound
Mon Jan 4 14:20:25 2021 daemon.notice unbound: [6548:0] notice: init module 0: validator
Mon Jan 4 14:20:25 2021 daemon.notice unbound: [6548:0] notice: init module 1: iterator
Mon Jan 4 14:20:25 2021 daemon.info unbound: [6548:0] info: start of service (unbound 1.11.0).
tcp 0 0 0.0.0.0:5053 0.0.0.0:* LISTEN 6548/unbound
tcp 0 0 :::5053 :::* LISTEN 6548/unbound
udp 0 0 0.0.0.0:5053 0.0.0.0:* 6548/unbound
udp 0 0 :::5053 :::* 6548/unbound
root@OpenWrt:/etc/config# pgrep -f -a unbound
6548 /usr/sbin/unbound -d -c /var/lib/unbound/unbound.conf
root@OpenWrt:/etc/config# uci show unbound
unbound.@unbound[0]=unbound
unbound.@unbound[0].add_extra_dns='0'
unbound.@unbound[0].add_local_fqdn='1'
unbound.@unbound[0].add_wan_fqdn='0'
unbound.@unbound[0].dhcp_link='none'
unbound.@unbound[0].dns64='0'
unbound.@unbound[0].domain='lan'
unbound.@unbound[0].domain_type='static'
unbound.@unbound[0].edns_size='1280'
unbound.@unbound[0].extended_stats='0'
unbound.@unbound[0].hide_binddata='1'
unbound.@unbound[0].interface_auto='1'
unbound.@unbound[0].localservice='1'
unbound.@unbound[0].manual_conf='0'
unbound.@unbound[0].num_threads='1'
unbound.@unbound[0].protocol='default'
unbound.@unbound[0].rate_limit='0'
unbound.@unbound[0].rebind_localhost='0'
unbound.@unbound[0].rebind_protection='1'
unbound.@unbound[0].recursion='default'
unbound.@unbound[0].resource='default'
unbound.@unbound[0].root_age='9'
unbound.@unbound[0].ttl_min='120'
unbound.@unbound[0].unbound_control='0'
unbound.@unbound[0].validator_ntp='1'
unbound.@unbound[0].verbosity='1'
unbound.@unbound[0].trigger_interface='lan' 'wan'
unbound.@unbound[0].enabled='1'
unbound.@unbound[0].validator='1'
unbound.@unbound[0].listen_port='5053'
unbound.forward=zone
unbound.forward.enabled='1'
unbound.forward.fallback='0'
unbound.forward.zone_type='forward_zone'
unbound.forward.tls_upstream='1'
unbound.forward.tls_index='dns.google'
unbound.forward.zone_name='.'
unbound.forward.server='2001:4860:4860::8888' '2001:4860:4860::8844' '8.8.8.8' '8.8.4.4'
What’s next?
Disable dnsmasq DNS role:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#disabling_dns_role
Set Unbound as default DNS:
uci set unbound.@unbound[0].listen_port="53"
uci commit unbound
/etc/init.d/unbound restart
Did it
root@OpenWrt:/etc/config# logread -e unbound; netstat -l -n -p | grep -e unbound
Mon Jan 4 14:29:27 2021 daemon.notice unbound: [7067:0] notice: init module 0: validator
Mon Jan 4 14:29:27 2021 daemon.notice unbound: [7067:0] notice: init module 1: iterator
Mon Jan 4 14:29:27 2021 daemon.info unbound: [7067:0] info: start of service (unbound 1.11.0).
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 7067/unbound
tcp 0 0 :::53 :::* LISTEN 7067/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 7067/unbound
udp 0 0 :::53 :::* 7067/unbound
Is unbound working now?
vpn-pbr seems to work too...
Should I restart the router to test if everything works after a reboot?
Check out:
cat /etc/resolv.conf; nslookup example.org
Well, it doesn't hurt to try.
I did a reboot. Seems to work...
# /tmp/resolv.conf generated by Unbound UCI 2021-01-04T14:37:55+0100
nameserver 127.0.0.1
nameserver ::1
search lan.
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
Hmmm. My OpenVPN tunnel and adblock seem to have stopped working...
uci set adblock.global.adb_dns="unbound"
uci commit adblock
/etc/init.d/adblock restart
See also: Adblock Config Options
In addition, performing DNSSEC locally is known to be problematic, so it's best to disable it:
uci set unbound.@unbound[0].validator="0"
uci commit unbound
/etc/init.d/unbound restart
And rely on the upstream DNS provider that supports DNSSEC.
Great, VPN and adblock seem to work!
vpn-pbr is working, too!
One last thing.
Could you please help me to set up a DNS over TLS connection to a DNS provider which protects my privacy?
This mostly depends on personal preferences.
Select a DoT provider that you trust and reconfigure Unbound accordingly.
I think I will choose 1.1.1.1
Is DNSSEC and DNS over TLS set by default?
Do I just have to change the IP address in the unbound config file?
Doesn't DNS over TLS need a key or something within the config?
Good, major providers are typically more fault-tolerant.
Yep, for Cloudflare.
The server certificate should be verified using the ca-bundle package and the option tls_index in the unbound config, which you should specify according to the link above.
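As an added check (my own script, not code from this thread or from the Unbound package), the following POSIX shell reads `uci show unbound` and `netstat -l -n -p` text like the listings in this thread and reports two things the troubleshooting above keys on: whether the forward zone really goes out over TLS with a tls_index hostname to verify the certificate against, and which daemon still owns port 53. All inputs are constructed samples; the reading of the `fallback` option as "may recurse past the forwarder" is my assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Unbound DoT forward zone
# from `uci show unbound` text and confirm which daemon owns port 53 from
# `netstat -l -n -p` text. All inputs below are constructed samples.

# Print one option's value from `uci show` output with the quotes removed.
# Multi-value options (e.g. server) come back space-separated.
uci_val() {  # $1 = uci text, $2 = full option key
    printf '%s\n' "$1" | awk -F= -v k="$2" -v q="'" \
        '$1 == k { v = substr($0, length(k) + 2); gsub(q, "", v); print v; exit }'
}

# Verify the zone matches the working setup from the thread: enabled, root zone,
# TLS upstream, a tls_index hostname for certificate checks, no fallback
# (assumed to mean "may recurse past the forwarder"), and IP-literal servers.
check_dot_zone() {  # $1 = uci text; prints a verdict, returns 1 on a finding
    u=$1
    [ "$(uci_val "$u" unbound.forward.enabled)" = 1 ]      || { echo "forward zone disabled"; return 1; }
    [ "$(uci_val "$u" unbound.forward.zone_name)" = . ]    || { echo "zone_name is not '.'"; return 1; }
    [ "$(uci_val "$u" unbound.forward.tls_upstream)" = 1 ] || { echo "tls_upstream=0: upstream queries are cleartext"; return 1; }
    idx=$(uci_val "$u" unbound.forward.tls_index)
    [ -n "$idx" ] || { echo "tls_index empty: server certificate cannot be verified"; return 1; }
    [ "$(uci_val "$u" unbound.forward.fallback)" = 0 ]     || { echo "fallback!=0: may bypass the forwarder"; return 1; }
    for s in $(uci_val "$u" unbound.forward.server); do
        case $s in *[!0-9a-fA-F:.]*) echo "server $s is not an IP literal"; return 1 ;; esac
    done
    echo "ok: DoT to $idx"
}

# Name of the program bound to port 53 in `netstat -l -n -p` output.
port53_owner() {  # $1 = netstat text
    printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)$/ && $4 ~ /:53$/ { sub(/^[0-9]+\//, "", $NF); print $NF; exit }'
}

# Constructed samples mirroring the thread's before/after states.
sample_uci_good() { cat <<'EOF'
unbound.forward=zone
unbound.forward.enabled='1'
unbound.forward.fallback='0'
unbound.forward.zone_type='forward_zone'
unbound.forward.tls_upstream='1'
unbound.forward.tls_index='dns.google'
unbound.forward.zone_name='.'
unbound.forward.server='2001:4860:4860::8888' '8.8.8.8'
EOF
}
sample_uci_weak() { sample_uci_good | sed "s/tls_upstream='1'/tls_upstream='0'/"; }
sample_netstat_before() { printf '%s\n' 'udp   0  0 0.0.0.0:53    0.0.0.0:*          1234/dnsmasq' 'tcp   0  0 0.0.0.0:5053  0.0.0.0:*  LISTEN  6548/unbound'; }
sample_netstat_after()  { printf '%s\n' 'tcp   0  0 0.0.0.0:53    0.0.0.0:*  LISTEN  7067/unbound'; }

check_dot_zone "$(sample_uci_good)"; check_dot_zone "$(sample_uci_weak)" || true
echo "port 53 before: $(port53_owner "$(sample_netstat_before)"), after: $(port53_owner "$(sample_netstat_after)")"
```

On a router, feed it live data with `check_dot_zone "$(uci show unbound)"` and `port53_owner "$(netstat -l -n -p)"`.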
I think I got it...
What does Encrypted SNI mean? Is this relevant for a private person?
If I get it right the only thing that is visible is, that I am making TLS requests to 1.1.1.1, right?
ESNI/ECH is a separate feature related to HTTP/HTTPS protocols with its own security implications:
https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications
Its support relies on the web server and client browser, so it's unrelated to OpenWrt.
Okay. Thank you very much!
Everything works now as expected!
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.