After realizing that my ISP (ONO) was hijacking the NXDOMAIN DNS responses, I decided to improve the security of the DNS queries for my entire LAN using DNSSEC.
First I installed the required packages:
# opkg update
# opkg install unbound unbound-anchor unbound-control unbound-control-setup unbound-host
As dnsmasq is also the DHCP server, I’m not going to disable it; I only change its DNS port to 5353 so that unbound can take port 53. In
config dnsmasq
    option port '5353'
# /etc/init.d/dnsmasq restart
Now, some modifications to
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    use-syslog: yes
    private-domain: "lan."
    domain-insecure: "lan."
    domain-insecure: "168.192.in-addr.arpa."
    do-not-query-localhost: no
    local-zone: "168.192.in-addr.arpa" nodefault

forward-zone:
    name: "lan."
    forward-addr: 127.0.0.1@5353

forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5353
To set the service as enabled and start it:
# /etc/init.d/unbound enable
# /etc/init.d/unbound start
The two forward-zone blocks send every query for .lan (and for the 192.168.x.x reverse zone) to dnsmasq, so the hostnames handed out by DHCP can still be looked up as hostname.lan, while everything else is resolved and validated by unbound. The matching domain-insecure lines are what make this work: dnsmasq’s answers are unsigned, and without them unbound would treat those zones as bogus and return SERVFAIL. Best of both worlds!
If your device doesn’t have a hardware clock, you should add something like this to your /etc/rc.local or to the unbound init script. DNSSEC signatures carry a validity window, so a router that boots with a wrong date would fail to validate anything until the clock is set. Use an IP address here rather than a hostname: resolving the name would itself need DNS, which cannot validate until the time is right:
/usr/sbin/ntpd -n -q -N -p <ntp server IP>
Finally, check if you are using DNSSEC in a place like: http://test.dnssec-or-not.com/
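The same check can be done from the command line against the router itself. The script below is an added example, not part of the original post: using only the Python standard library it builds a raw DNS query with EDNS0 and the DO bit set, sends it to the resolver, and reads the AD bit (Authenticated Data) and the RCODE from the reply. It also probes for the NXDOMAIN hijacking described at the top by asking for a random name that cannot exist. The probe names are my assumptions, not from the post: ietf.org as a signed zone, dnssec-failed.org as a deliberately broken one, and a random label under example.com as the nonexistent name.

```python
"""Probe a resolver for DNSSEC validation and NXDOMAIN hijacking.

Added example, not part of the original post. Standard library only.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

# Assumed probe targets (swap for your own if these change).
SIGNED_NAME = "ietf.org"             # a DNSSEC-signed zone
BOGUS_NAME = "dnssec-failed.org"     # deliberately broken signatures
NXDOMAIN_BASE = "example.com"        # random label under it must not exist


def build_query(name, qtype=1, dnssec_ok=True, txid=None):
    """Return a wire-format query for `name` with an EDNS0 OPT record.

    With dnssec_ok=True the DO bit is set, which asks the resolver to
    include RRSIGs and report validation status in the AD bit.
    """
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0100 = RD; 1 question, 0 answers, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0,
    # EDNS version 0, flags (DO = 0x8000), empty RDATA.
    flags = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, flags, 0)
    return header + question + opt


def parse_response(data, expected_txid=None):
    """Extract the header fields this check needs from a DNS reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),   # set only by a validating resolver
        "rcode": flags & 0x000F,
        "answers": an,
    }


def verdicts(signed, bogus, nonexistent):
    """Turn three parsed replies (or None on timeout) into findings."""
    return {
        # AD on a signed zone: the resolver validated the chain of trust.
        "validating": bool(signed and signed["ad"]),
        # A broken zone must be refused with SERVFAIL, not answered.
        "rejects_bogus": bool(bogus and bogus["rcode"] == 2),
        # An honest resolver says NXDOMAIN with no answer records; an ISP
        # that hijacks NXDOMAIN hands back NOERROR plus an A record.
        "nxdomain_honest": bool(
            nonexistent and nonexistent["rcode"] == 3
            and nonexistent["answers"] == 0
        ),
    }


def query(server, port, name, timeout=3.0):
    """Send one UDP query and return the parsed reply, or None on timeout."""
    txid = random.randint(0, 0xFFFF)
    packet = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, port))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, expected_txid=txid)


def check_resolver(server="127.0.0.1", port=53):
    """Run the three probes against `server` (the router by default)."""
    random_name = "%08x.%s" % (random.getrandbits(32), NXDOMAIN_BASE)
    return verdicts(
        query(server, port, SIGNED_NAME),
        query(server, port, BOGUS_NAME),
        query(server, port, random_name),
    )


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for key, ok in check_resolver(target).items():
        print("%-16s %s" % (key, "ok" if ok else "FAIL"))
```

Run it on a LAN client as `python3 check_dnssec.py 192.168.1.1` (or whatever the router’s address is). All three lines should read ok; a FAIL on nxdomain_honest with the ISP’s resolver is exactly the hijacking that prompted this setup, and a FAIL on validating usually means the clock was wrong when unbound started.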
Edited on Jun 30 2014: added forwarding of zone 168.192.in-addr.arpa. and NTP bootstrapping.