Using Unbound Alongside Dnsmasq

Installing and Using OpenWrt
1

Hi

I've switched over from DNSCrypt-Proxy2 to Unbound as my DNS upstream resolver to be able to encrypt DNS traffic. I specifically changed packages to get a GUI interface to setup and configure settings through LuCI. However, I'm confused on how I should set this all up.

Following this guide > https://openwrt.org/docs/guide-user/services/dns/unbound

I'm setting up Example 1 - Serial, dnsmasq first and Unbound second and it tells me to edit /etc/unbound/unbound.conf

However, before proceeding with that I tried changing the listening port through LuCI

Listening Port
Listening Port528×510 13.1 KB

and then adding

      option noresolv '1'
      list server '127.0.0.1#53535'

to /etc/config/dnsmasq. Unfortunately I could not connect to the internet. However, un-commenting port: 53 in /etc/unbound/unbound.conf and setting it to 53535 seemed to work.

What is the purpose of the LuCI Unbound app if changes I make still have to be done to a different config file?

On the guide website it says

"Releases LEDE 17.01 and OpenWrt 18.06 have included UCI/LuCI for the Unbound package and complete documentation in its README. The UCI/LuCI features should be familiar to those that have tweaked dnsmasq in the past. “How To” are available for integration with either dnsmasq or odhcpd. “How To” are available to configure Unbound as forwarding client of DoT."

I have followed the readme section here > https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md#how-to-integrate-with-dhcp

This is where I don't seem to be able to reach my router via it's local domain name e.g. https://openwrt.lan and its as though the local DNS isn't querying properly.

I checked the LuCI app from the settings mention on the Github readme and it sets the dropdown box in the screenshot below to No Link

DHCP Unbound
DHCP Unbound546×689 18.1 KB

Could someone shed some light here please?

Many thanks in advance

Will

2

I don't think you really need Unbound as an addition to Dnsmasq.
You can easily add DNS encryption to the default setup by installing one of two or both - stubby for DNS-over-TLS and/or https_dns_proxy for DNS-over-HTTPS.
Then you can direct your dnsmasq to talk to either proxy using DNS forwardings setting in the GUI.

3

I assume local domain and/or domain insecure setting

Summary 
config unbound
	option add_extra_dns '0'
	option add_local_fqdn '0'
	option add_wan_fqdn '0'
	option dhcp_link 'none'
	option dhcp4_slaac6 '0'
	option dns64 '0'
	option dns64_prefix '64:ff9b::/96'
	option domain 'bsa.net'
#	option domain_type 'static'
	option domain_type 'refuse'
	option edns_size '1280'
	option extended_stats '0'
	option hide_binddata '1'
	option listen_port '5353'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'default'
	option query_minimize '0'
	option query_min_strict '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option unbound_control '0'
	option validator '1'
	option validator_ntp '1'
	option verbosity '1'
	list trigger_interface 'lan'
	list trigger_interface 'wan'
	list domain_insecure 'bsa.net'

config zone
	option enabled '0'
	option fallback '1'
	option url_dir 'https://www.internic.net/domain/'
	option zone_type 'auth_zone'
	list server 'lax.xfr.dns.icann.org'
	list server 'iad.xfr.dns.icann.org'
	list zone_name '.'
	list zone_name 'arpa.'
	list zone_name 'in-addr.arpa.'
	list zone_name 'ip6.arpa.'

config zone
	option enabled '1'
	option zone_type 'forward_zone'
	option fallback '1'
	option resolv_conf '0'
	option tls_upstream '1'
	list server '2620:fe::9@853#dns.quad9.net'
	list server '9.9.9.9@853#dns.quad9.net'
	list server '8.8.8.8@853#dns.google'
	list server '2001:4860:4860::8888@853#dns.google'
	list server '1.1.1.1@853#cloudflare-dns.com'
	list server '2606:4700:4700::1111@853#cloudflare-dns.com'
	list zone_name '.'