OpenWRT + Unbound: Using DoT

Article published the ; modified the
4 minutes to read

This article has 829 words.
RAW source of the article:
Commit version: beb80d0

Description

The purpose is to add Unbound in order to enable the DoT (DNS-over-TLS) protocol, with only a slight modification to dnsmasq, which is installed by default:

Reasons are:

  • encrypt DNS traffic to improve its confidentiality;
  • prevent DNS leaks and hijacking;
  • bypass regional restrictions, or those imposed by your ISP (Internet Service Provider).

Installation

Install the required packages: unbound, unbound-control and luci-app-unbound

# opkg update
# opkg install unbound unbound-control luci-app-unbound

It may also be useful to install:

  • unbound-checkconf: to check that the configuration is valid
  • unbound-control-setup: creates the certificates required by the control tool
  • unbound-host: test…

Configuration

dnsmasq

First, edit the file /etc/config/dhcp to set two options:

option noresolv '1'
list server '127.0.0.1#531'

  • the first requires that the file /etc/resolv.conf not be used
  • the second redirects DNS requests locally to the selected port, here: 531.

Of course, these options can also be set directly in LuCI:

  • ‘Resolv and Hosts Files’ > Ignore resolv file option
  • ‘General Settings’ > DNS forwardings option

Or with uci, in your terminal (server is a list option, so it is added with add_list rather than set):

uci set dhcp.@dnsmasq[0].noresolv='1'
uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#531'
uci commit

Restart your dnsmasq service!

unbound

The simplest thing to do is to enable Unbound and tick the Manual Conf option, so that the configuration file can be edited by hand through LuCI.

Add your networks in the Trigger Networks option, at least lan.

  • Configuration file: /var/lib/unbound/unbound.conf

The minimum changes to be made correspond to the following variables:

server:
(…)
    port: 531
    do-ip4: yes
    do-ip6: yes
    do-tcp: yes
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    prefetch: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
(…)

Regarding the port number chosen, here 531: we don't choose 5353, which is normally reserved for the mDNS service. Of course, you can change it, in the dnsmasq configuration as well; but be sure to choose it from among the preferred port numbers (i.e. below 1024…).


⇒ Be sure to add or modify the access-control entries so that everything is refused by default and only the following are allowed:

    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

Then declare your LAN's IPv4 and IPv6 prefixes, or even your Wi-Fi…


It’s necessary to modify the forward-zone section:

forward-zone:
    name: "."
    forward-tls-upstream: yes

Then add the IP addresses of the DoT servers; both IPv4 and IPv6 work, of course.

    forward-addr: 9.9.9.9@853       # Quad9
    forward-addr: 1.1.1.1@853       # Cloudflare
    forward-addr: 149.112.112.112@853       # Quad9 secondary
    forward-addr: 1.0.0.1@853       # Cloudflare secondary
    forward-addr: 2620:fe::fe@853       # Quad9 / IPv6
    forward-addr: 2606:4700:4700::1111@853  # Cloudflare / IPv6
    forward-addr: 2606:4700:4700::1001@853  # Cloudflare secondary / IPv6

The example above uses the "big names" of public DNS.


Here are some interesting alternatives:

    # FDN DoT
    forward-addr: 80.67.169.12@853
    forward-addr: 80.67.169.40@853
    forward-addr: 2001:910:800::12@853
    forward-addr: 2001:910:800::40@853
    # dns.sb
    forward-addr: 185.222.222.222@853
    forward-addr: 45.11.45.11@853
    forward-addr: 2a09::@853
    forward-addr: 2a11::@853
    # dns4eu
    forward-addr: 86.54.11.11@853
    forward-addr: 86.54.11.211@853
    forward-addr: 2a13:1001::86:54:11:11@853
    forward-addr: 2a13:1001::86:54:11:211@853
    # dot.bortzmeyer.fr
    forward-addr: 193.70.85.11@853
    forward-addr: 2001:41d0:302:2200::180@853
    # applied-privacy.net
    forward-addr: 146.255.56.98@853
    forward-addr: 2a02:1b8:10:234::2@853
    # cleanbrowsing.org: family filter https://cleanbrowsing.org/filters/
    forward-addr: 185.228.168.168@853
    forward-addr: 185.228.169.168@853
    forward-addr: 2a0d:2a00:1::@853
    forward-addr: 2a0d:2a00:2::@853
    # cz.nic
    #forward-addr: 193.17.47.1@853
    #forward-addr: 185.43.135.1@853
    #forward-addr: 2001:148f:ffff::1@853
    #forward-addr: 2001:148f:fffe::1@853
    # dnsforfamily.com
    forward-addr: 78.47.64.161@853
    forward-addr: 94.130.180.225@853
    forward-addr: 2a01:4f8:1c0c:40db::1@853
    forward-addr: 2a01:4f8:1c17:4df8::1@853
    # he.net
    #forward-addr: 74.82.42.42@853
    #forward-addr: 2001:470:20::2@853
    # libredns.gr
    forward-addr: 116.202.176.26@853
    forward-addr: 2a01:4f8:1c0c:8274::1@853
    # dns4all
    forward-addr: 194.0.5.3@853
    forward-addr: 194.0.5.64@853
    forward-addr: 2001:678:8::3@853
    forward-addr: 2001:678:8::64@853

That’s for the basic configuration, which should allow you to use unbound with dnsmasq.

Be sure to restart the unbound service!

Check

⇒ If you decided to install the unbound-checkconf tool, now is the time to use it to verify that everything is correct. If all is well, the tool returns this informational message:

# unbound-checkconf
unbound-checkconf: no errors in /var/lib/unbound/unbound.conf

If there are any errors, the tool will tell you where!
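unbound-checkconf only validates syntax; it will happily accept a forwarder on plain port 53 or an access-control that allows the whole Internet. The POSIX shell script below is an added example (not part of the article) that checks the policy this article sets up: TLS-only forwarders with a CA bundle, default-refuse access-control with only loopback and declared LAN prefixes allowed, and dnsmasq's `list server` port matching unbound's `port:`. The file paths are the article's; the sample configs it writes to a temporary directory are constructed.

```shell
# Added example: policy check for the DoT setup described in the article.
# unbound-checkconf checks syntax only; these functions check intent.
# Each function returns 0 on pass, 1 on a policy violation.
_clean() { sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"; }  # strip comments/blanks
# 0 if TLS upstream is on, a CA bundle is set and every forward-addr uses @853.
check_forwarders() {
    c=$(_clean "$1")
    echo "$c" | grep -q '^forward-tls-upstream:[[:space:]]*yes$' || return 1
    echo "$c" | grep -q '^tls-cert-bundle:' || return 1
    echo "$c" | grep -q '^forward-addr:' || return 1
    ! echo "$c" | grep '^forward-addr:' | grep -qv '@853$'
}
# 0 if both default refuse rules exist and every 'allow' is loopback or a LAN prefix given as an extra argument.
check_access_control() {
    c=$(_clean "$1"); shift
    echo "$c" | grep -q '^access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]*refuse$' || return 1
    echo "$c" | grep -q -e '^access-control:[[:space:]]*::0/0[[:space:]]*refuse$' -e '^access-control:[[:space:]]*::/0[[:space:]]*refuse$' || return 1
    for a in $(echo "$c" | awk '$1=="access-control:" && $3=="allow"{print $2}'); do
        ok=0; for n in 127.0.0.0/8 ::1 "$@"; do [ "$a" = "$n" ] && ok=1; done
        [ "$ok" = 1 ] || return 1   # an allow rule for an undeclared prefix
    done
}
# 0 if dnsmasq's "list server '127.0.0.1#PORT'" matches unbound's "port:" value.
check_port_match() {
    up=$(_clean "$1" | awk '$1=="port:"{print $2; exit}')
    dp=$(sed -n "s/.*list server '127\.0\.0\.1#\([0-9]*\)'.*/\1/p" "$2")
    [ -n "$up" ] && [ "$up" = "$dp" ]
}
# --- constructed samples, same shape as the fragments in the article ---
WORK=$(mktemp -d)
cat >"$WORK/unbound.conf" <<'EOF'
server:
    port: 531
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.1.0/24 allow
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853       # Quad9
EOF
sed 's/9\.9\.9\.9@853/9.9.9.9@53/' "$WORK/unbound.conf" >"$WORK/weak.conf"   # one forwarder back on plaintext 53
printf "config dnsmasq\n\toption noresolv '1'\n\tlist server '127.0.0.1#531'\n" >"$WORK/dhcp"
check_forwarders "$WORK/unbound.conf" && check_access_control "$WORK/unbound.conf" 192.168.1.0/24 \
    && check_port_match "$WORK/unbound.conf" "$WORK/dhcp" && echo "policy OK: $WORK/unbound.conf"
```

On a router, point the functions at /var/lib/unbound/unbound.conf and /etc/config/dhcp and pass your own LAN prefixes to check_access_control.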


⇒ If you decided to install the unbound-host tool, you can test the connection, for example:

# unbound-host -vf /var/lib/unbound/root.key com.
com. has no address (secure)
com. has no IPv6 address (secure)
com. has no mail handler record (secure)

Do the same for the www.ripe.net, www.afnic.fr and dnssec.cz addresses. The (secure) label guarantees a secure connection.

Control

A brief note on checking that unbound works properly. First, the control settings must be initialized:

# unbound-control-setup
setup in directory /var/lib/unbound/
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus
...............................................................................................................++
............................................................++
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus
........................................................................++
..................++
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use

Then modify the unbound configuration file to add/uncomment the remote-control section, as follows:

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: ::1
    control-port: 8953
    control-use-cert: no
    server-key-file: "/var/lib/unbound/unbound_server.key"
    server-cert-file: "/var/lib/unbound/unbound_server.pem"
    control-key-file: "/var/lib/unbound/unbound_control.key"
    control-cert-file: "/var/lib/unbound/unbound_control.pem"

After restarting the service, all that remains is to test it with the unbound-control tool, as in this example:

# unbound-control -s ::1 status
version: 1.17.0
verbosity: 1
threads: 4
modules: 2 [ validator iterator ]
uptime: 3482 seconds
options: reuseport control
unbound (pid 32307) is running...

The value of any option can be retrieved with the get_option command followed by the option's name. Similarly, the cache can be dumped for traffic analysis with the dump_cache command, redirecting its output to a file.


Voila!


Enjoy-ID!
Enjoy-IT!