Configure Unbound DNSSEC resolver in OpenWrt

After realizing that my ISP (ONO) was hijacking the NXDOMAIN DNS responses, I decided to improve the security of the DNS queries for my entire LAN using DNSSEC.

I chose to replace dnsmasq with unbound in my OpenWrt router. These are the steps I followed.

First I installed the required packages:

# opkg update
# opkg install unbound unbound-anchor unbound-control unbound-control-setup unbound-host

As dnsmasq is also the DHCP server, I’m not going to disable it; I only move its DNS listener to port 5353 so that unbound can take port 53. In /etc/config/dhcp:

config dnsmasq
      option port '5353'

# /etc/init.d/dnsmasq restart

Now, some modifications to /etc/unbound/unbound.conf. Leave the rest of the file in place, and make sure it still has an auto-trust-anchor-file line pointing at the root.key that unbound-anchor maintains: without a trust anchor unbound resolves happily but validates nothing. Also be aware that the two access-control allow rules below accept queries from any source address. That is only acceptable if the firewall drops port 53 on the WAN side, as the default OpenWrt firewall does; otherwise you have built an open resolver that can be abused for amplification attacks, so prefer to list your LAN prefixes instead of 0.0.0.0/0 and ::0/0. Run unbound-checkconf afterwards to make sure the result parses.

server:
      interface: 0.0.0.0
      interface: ::0
      access-control: 0.0.0.0/0 allow
      access-control: ::0/0 allow
      use-syslog: yes
      private-domain: "lan."
      domain-insecure: "lan."
      domain-insecure: "168.192.in-addr.arpa."
      do-not-query-localhost: no
      local-zone: "168.192.in-addr.arpa" nodefault

forward-zone:
      name: "lan."
      forward-addr: 127.0.0.1@5353

forward-zone:
      name: "168.192.in-addr.arpa."
      forward-addr: 127.0.0.1@5353

To set the service as enabled and start it:

# /etc/init.d/unbound enable
# /etc/init.d/unbound start

The part about the lan domain forwards every query for .lan to dnsmasq, so the hosts that registered through DHCP are still resolvable as hostname.lan; the second forward-zone does the same for reverse lookups of 192.168.x.x addresses. A few of the other options exist only to make this forwarding work: both zones are marked domain-insecure because dnsmasq’s answers are unsigned and would otherwise fail DNSSEC validation, private-domain lets unbound hand out RFC 1918 addresses for names under lan. (they are otherwise filtered if private-address is configured), do-not-query-localhost: no is required before unbound will talk to 127.0.0.1 at all, and local-zone ... nodefault switches off unbound’s built-in empty answer for that RFC 1918 reverse zone so the query really is forwarded. Best of both worlds!

If your device doesn’t have a hardware clock, add something like this to your /etc/rc.local or to the unbound init script so the clock is set before unbound starts. DNSSEC signatures carry inception and expiration times, so with a wildly wrong date every signature looks invalid and the resolver answers SERVFAIL for everything. Use an IP address for the NTP server, because at that point there is no working DNS to resolve a hostname with:

/usr/sbin/ntpd -n -q -N -p <ntp server IP>

Finally, check if you are using DNSSEC in a place like: http://test.dnssec-or-not.com/
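The same check can be done from any machine on the LAN without a browser. The script below is an added example, not code from the original post: it sends raw DNS queries with the EDNS0 DO (DNSSEC OK) bit set and reads the flags in the answer, which is what the test site above does behind the scenes. A validating resolver sets the AD (Authentic Data) bit on a correctly signed name and answers SERVFAIL for a deliberately mis-signed one; a third query under the reserved .invalid TLD shows whether NXDOMAIN answers now reach you intact, which was the original problem with the ISP. Assumptions: 192.168.1.1 is the router’s LAN address (the OpenWrt default), nlnetlabs.nl is a signed zone, and dnssec-failed.org is the intentionally broken test zone operated by Comcast. The packet builder and parser work offline; only query() touches the network.

```python
"""Wire-level check that a resolver really validates DNSSEC.

Added example, not code from the original post.  Queries are sent with the
EDNS0 DO bit set; a validating resolver answers a signed name with AD=1 and a
mis-signed name with SERVFAIL.  A name under .invalid (RFC 2606) must come
back NXDOMAIN if nobody is rewriting negative answers.
Assumptions: RESOLVER is the router (OpenWrt default 192.168.1.1),
nlnetlabs.nl is DNSSEC-signed, dnssec-failed.org is Comcast's broken test zone.
"""
import socket
import struct

RESOLVER = ("192.168.1.1", 53)               # assumed router address; adjust to your LAN
SIGNED_NAME = "nlnetlabs.nl"                 # assumed to be a correctly signed zone
BOGUS_NAME = "dnssec-failed.org"             # intentionally mis-signed test zone
NONEXISTENT_NAME = "does-not-exist.invalid"  # .invalid never resolves (RFC 2606)

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


def encode_name(qname: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by the empty root label."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname: str, qid: int = 0x1234, dnssec: bool = True) -> bytes:
    """Build a DNS A/IN query; with dnssec=True append an EDNS0 OPT RR with DO=1."""
    arcount = 1 if dnssec else 0
    # ID, flags (only RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not dnssec:
        return header + question
    # OPT pseudo-RR: root name, TYPE=41, CLASS field = UDP payload size (4096),
    # TTL field = extended RCODE 0, EDNS version 0, flags with DO=0x8000; RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Extract the header fields that matter for a validation check."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    qid, flags = struct.unpack("!HH", resp[:4])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # message is a response
        "ad": bool(flags & 0x0020),   # resolver vouches for the data (Authentic Data)
        "rcode": flags & 0x000F,      # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
    }


def assess(signed_resp: bytes, bogus_resp: bytes, nonexistent_resp: bytes) -> dict:
    """Turn the three raw answers into a verdict about the resolver."""
    s, b, n = (parse_header(r) for r in (signed_resp, bogus_resp, nonexistent_resp))
    return {
        # Both conditions are required: an AD bit alone may simply be copied from
        # an upstream forwarder, SERVFAIL on the bogus zone shows that *this*
        # resolver rejected the bad signatures itself.
        "validating": bool(s["rcode"] == NOERROR and s["ad"] and b["rcode"] == SERVFAIL),
        "nxdomain_intact": n["rcode"] == NXDOMAIN,
    }


def query(qname: str, server=RESOLVER, timeout: float = 3.0) -> bytes:
    """Send one UDP query and return the raw response (needs network access)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, server)
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("response ID does not match the query")
    return resp


if __name__ == "__main__":
    verdict = assess(query(SIGNED_NAME), query(BOGUS_NAME), query(NONEXISTENT_NAME))
    for key, ok in verdict.items():
        print(f"{key}: {'yes' if ok else 'NO'}")
```

If "validating" comes back NO but the signed name resolves, the usual culprits are a missing trust anchor in unbound.conf or a clock that is still wrong; if the .invalid query returns NOERROR, something in the path is still rewriting negative answers.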

Edited on Jun 30 2014: added forwarding of zone 168.192.in-addr.arpa. and NTP bootstrapping.


5 thoughts on “Configure Unbound DNSSEC resolver in OpenWrt”

  1. This works, but please be advised that dnsmasq itself has DNSSEC capabilities as well, nowadays. And it also has a way to work around the time bootstrap problem (--dnssec-no-timecheck option).

