Using unbound without upstream DNS servers

Hey,

the OpenWrt documentation only discusses the configuration and use of unbound with third party DoT servers.

Does anyone use unbound without third party DNS servers but directly with the authoritative root servers? And what packages would be needed to use unbound exclusively with the root servers?

As stated in the very minimal wiki article https://openwrt.org/docs/guide-user/services/dns/unbound, most of its documentation is in the GitHub README of the package: https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md

Afaik by default unbound comes already set to be authoritative, so after you install unbound you only need to enable it and then configure OpenWrt's existing DHCP and forwarding DNS server dnsmasq to either give way (move its DNS service to a different port and put unbound on port 53, so it fully takes over) or to chainload unbound, i.e. put unbound on a random port like 1053 and then set the upstream DNS as 127.0.0.1#1053 in dnsmasq so it is interrogating unbound as its upstream DNS. Both of these are explained in this section of the README: https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md#how-to-integrate-with-dhcp

It can all be done (and is clear/self-explanatory enough imho) with the LuCI web interface; install luci-app-unbound.


Thanks for your reply. As far as I understand, Parallel dnsmasq is as easy as Serial dnsmasq without the drawback performance-wise.

Probably a silly question, but what is meant with yourdomain? Is it not simply 127.0.0.1?

Edit: Oh, I didn't read the sentence "It will look over to dnsmasq for DHCP-DNS resolution." This sounds like unbound receives DNS requests from devices in the network, but asks dnsmasq to resolve them. I.e., dnsmasq does the resolving by asking the ISP DNS (in the default state). That's not what I want.

Puh, quite complicated for a beginner. :woozy_face:

You can assign a local domain name to your stuff and write a static hostname in dnsmasq or whatever local DHCP/DNS you are using, in the DHCP static lease page in LuCI for example.

So for example if you have a home server with a web interface you can set a static lease with a hostname and then reach it by writing myhomeserver.mydomain instead of an IP address, and this will be resolved by the router's onboard DNS server (dnsmasq) to point to whatever IP the device has been assigned.

See https://openwrt.org/docs/guide-user/base-system/dhcp

Afaik by default, the domain name aka "mydomain" is "lan", you can find it in the dhcp/dns settings.

This matters if you have a NAS or a VM or some form of local service in your LAN. If all devices in your LAN are clients and all they do in the LAN is access the Internet, it's unnecessary to set hostnames and domain names.

That means unbound will ask dnsmasq when it needs to reach a device whose hostname/address is myhostname.mydomain, since you told it that "mydomain" is the domain of the devices in the local LAN.

Upstream DNS servers have no idea what IP you have assigned to myhostname.mydomain in your LAN; the only application that knows is your own DHCP server, dnsmasq in this case.

So in both cases unbound is NOT talking to upstream DNS servers and only doing requests to the root servers.

I followed the instructions for Parallel dnsmasq by setting the following in LuCI:

  • Services/Recursive DNS/Unbound/DHCP/DHCP Link to dnsmasq
  • Set Network/ DHCP and DNS/Server Settings/Advanced Settings/DNS server port to 1053
  • Check Network/ DHCP and DNS/Server Settings/Resolv and Hosts Files/Server Settings

The latter option caused the entry field Resolve file to disappear, which means /etc/config/dhcp no longer contains the line option resolvfile '/tmp/resolv.conf.auto'. For list dhcp_option 'option:dns-server,0.0.0.0' I'm not sure which option in LuCI corresponds to that.

In DNS leakage tests my own IP address is now shown as the DNS server. I guess this means that unbound works correctly.
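The Parallel dnsmasq layout set up above, as an added check that is not from the thread or the unbound package: it reads the output of `uci show dhcp; uci show unbound` and confirms that unbound owns port 53 with its dnsmasq link while dnsmasq is off port 53 with no resolvfile or upstream servers left to forward to. Option names follow the README linked earlier; the sample output and the ub_main section name are constructed assumptions.

```shell
#!/bin/sh
# Check the "Parallel dnsmasq" layout: unbound answers clients on port 53 and
# recurses from the root servers, dnsmasq sits on another port (1053 in the
# thread) only to answer DHCP names and never forwards upstream.
# Reads the output of `uci show dhcp; uci show unbound` on stdin.

has() { printf '%s\n' "$cfg" | grep -q -- "$1"; }

check_parallel_dnsmasq() {
    cfg=$(cat)
    rc=0
    has '^unbound\.[A-Za-z0-9_]*\.enabled=.1.$' || { echo "FAIL: unbound disabled"; rc=1; }
    has '^unbound\.[A-Za-z0-9_]*\.listen_port=.53.$' || { echo "FAIL: unbound not on port 53"; rc=1; }
    has '^unbound\.[A-Za-z0-9_]*\.dhcp_link=.dnsmasq.$' || { echo "FAIL: no dnsmasq link"; rc=1; }
    port=$(printf '%s\n' "$cfg" | sed -n 's/^dhcp\.@dnsmasq\[0\]\.port=.\(.*\).$/\1/p')
    if [ -z "$port" ] || [ "$port" = 53 ]; then
        echo "FAIL: dnsmasq still owns port 53 (move it, e.g. to 1053)"; rc=1
    fi
    # Any of these makes dnsmasq forward to the ISP/WAN-provided servers.
    has '^dhcp\.@dnsmasq\[0\]\.noresolv=.1.$' || { echo "FAIL: dnsmasq reads resolv.conf"; rc=1; }
    if has '^dhcp\.@dnsmasq\[0\]\.resolvfile='; then echo "FAIL: resolvfile still set"; rc=1; fi
    if has '^dhcp\.@dnsmasq\[0\]\.server='; then echo "FAIL: dnsmasq has upstream servers"; rc=1; fi
    return $rc
}

# Constructed `uci show` excerpt after the settings from the thread (not
# captured from a real router; the section name ub_main is an assumption).
GOOD=$(cat <<'EOF'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].port='1053'
unbound.ub_main=unbound
unbound.ub_main.enabled='1'
unbound.ub_main.listen_port='53'
unbound.ub_main.dhcp_link='dnsmasq'
EOF
)

if command -v uci >/dev/null 2>&1; then
    { uci show dhcp; uci show unbound; } | check_parallel_dnsmasq   # live router
else
    printf '%s\n' "$GOOD" | check_parallel_dnsmasq && echo "sample: parallel layout OK"
fi
```

On a router, run it after saving the LuCI settings; every FAIL line names the setting that would still let dnsmasq reach the ISP servers.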

