directnupe
LEDE/ OpenWrt Proper Setup For New Native Unbound DNS-Over-TLS Feature Starting With UNBOUND 1.7.1


Hello All,
I am the guy - directnupe - who wrote the guides - https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/
and https://forum.lede-project.org/t/adding-dns-over-tls-support-to-openwrt-lede-with-unbound/13765
You can also leave out GETDNS and STUBBY; see here: https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ # "read all guides to see how to install and run UNBOUND"
Prerequisite
You have a CA cert bundle installed on your router.
You can do this by running the following:
opkg update
opkg install ca-certificates
opkg install luci-ssl

For DNS-over-TLS support on OpenWrt (LEDE) with Unbound without GETDNS and STUBBY,
see this article - https://www.ctrl.blog/entry/unbound-tls-forwarding and https://www.monperrus.net/martin/randomization-encryption-dns-requests
In OpenWrt / LEDE the ca-certificates package is located in /etc/ssl/certs/ca-certificates.crt, much like Debian/Ubuntu.
So actually, as the title of the article says, in order to "Actually secure DNS over TLS in Unbound"
you should configure it thusly (using Cloudflare and Quad9 for this example - IPv4 and IPv6 if you so choose):

First go into the SSH shell and enter: nano /etc/unbound/unbound_srv.conf
Enter the following in the new file:

server:
    do-tcp: yes
    prefetch: yes
    qname-minimisation: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt

Then hit Ctrl+O - you will be asked to write the file - and hit Enter to save it,
then Ctrl+X to close the file and go back into the shell.

Next, in the SSH shell, enter: nano /etc/unbound/unbound_ext.conf
Enter the following in the new file:

forward-zone:
    name: "."
    # Each entry is <address>@853#<auth-name>: 853 is the DNS-over-TLS port and
    # the name after '#' is what Unbound checks the upstream certificate against.
    # The address part of these lines was mangled by the forum's e-mail
    # obfuscation; the addresses below are the providers' published resolvers.
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes

Then hit Ctrl+O - you will be asked to write the file - and hit Enter to save it,
then Ctrl+X to close the file and go back into the shell.

I use GetDNS, Stubby and Unbound, so this is not how I employ DNS-over-TLS (see the first 2 links above if you wish to take a look at that option).

Look at the bottom of the page on the reddit post for a related entry.

Peace,

directnupe
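The point of the two fragments above is that DNS-over-TLS is only authenticated when the CA bundle is configured, forward-ssl-upstream is on, and every forward-addr carries @853 plus an #auth-name. The following audit script is an added example, not part of the original post; it checks those three conditions on the two fragment files before you restart Unbound, and builds constructed sample fragments under a temporary directory (hypothetical paths) so it runs offline.

```shell
#!/bin/sh
# Audit the two fragments from the post before restarting Unbound. DoT only
# authenticates the upstream when (a) tls-cert-bundle names an existing CA
# bundle, (b) forward-ssl-upstream is yes, and (c) every forward-addr has the
# form <ip>@853#<hostname> so the certificate is checked against that name.
# Only grep/sed/awk as shipped in BusyBox. Returns 0 when clean, 1 otherwise.
audit_unbound_dot() {
    srv="$1"   # server fragment, e.g. /etc/unbound/unbound_srv.conf
    ext="$2"   # forward-zone fragment, e.g. /etc/unbound/unbound_ext.conf
    rc=0
    # (a) CA bundle configured and present on disk
    bundle=$(sed -n 's/^[[:space:]]*tls-cert-bundle:[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p' "$srv")
    if [ -z "$bundle" ]; then
        echo "srv: tls-cert-bundle not set; upstream certificates cannot be verified" >&2; rc=1
    elif [ ! -s "$bundle" ]; then
        echo "srv: tls-cert-bundle $bundle is missing or empty" >&2; rc=1
    fi
    grep -Eq '^[[:space:]]*forward-ssl-upstream:[[:space:]]*yes' "$ext" ||
        { echo "ext: forward-ssl-upstream: yes missing; queries would go out in plaintext" >&2; rc=1; }
    # (c) each forwarder needs port 853 and an auth name after '#'
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*forward-addr:/ && $2 !~ /@853#[A-Za-z0-9.-]+$/ {
             print "ext: unauthenticated forwarder: " $2; bad = 1 }
         END { exit bad }' "$ext" || rc=1
    return "$rc"
}

# Constructed sample fragments so the audit runs offline (hypothetical paths)
demo_dir=$(mktemp -d)
printf 'placeholder CA bundle\n' > "$demo_dir/ca.crt"
cat > "$demo_dir/good_srv.conf" <<EOF
server:
    tls-cert-bundle: "$demo_dir/ca.crt" # stands in for /etc/ssl/certs/ca-certificates.crt
EOF
cat > "$demo_dir/good_ext.conf" <<'EOF'
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-ssl-upstream: yes
EOF
# Weak variant: plain port 53, no auth name, no TLS flag
cat > "$demo_dir/bad_ext.conf" <<'EOF'
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-addr: 2620:fe::fe@853
EOF
audit_unbound_dot "$demo_dir/good_srv.conf" "$demo_dir/good_ext.conf" && echo "good_ext.conf: authenticated DoT"
audit_unbound_dot "$demo_dir/good_srv.conf" "$demo_dir/bad_ext.conf" || echo "bad_ext.conf: rejected"
```

On the router itself you would call audit_unbound_dot /etc/unbound/unbound_srv.conf /etc/unbound/unbound_ext.conf and only restart the service when it returns 0.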
