Setting up a DNS-over-TLS forwarding cache on OpenWrt Snapshot (r6693 or later)

This article describes how to set up a local DNS caching server on OpenWrt that forwards unresolved DNS queries to recursive resolvers over DNS-over-TLS, preventing eavesdropping on and tampering with DNS queries along their network path.

Software

OS: OpenWrt Snapshot (r6693 or later)
DNS Privacy stub resolver: Stubby
DNS resolver and cache: Unbound

Configuration

First, some network configuration. Since we're configuring OpenWrt as a dedicated DNS server rather than a router, we need to disable dnsmasq and odhcpd. In our example the router's IP address is 192.168.1.1, the local domain name is "lan", and we assign 192.168.1.53 to OpenWrt.

# service dnsmasq stop
# service odhcpd stop
# service dnsmasq disable
# service odhcpd disable
# uci set network.lan.ipaddr="192.168.1.53"
# uci set network.lan.gateway="192.168.1.1"
# uci commit
# rm /etc/resolv.conf
# echo -e "search lan\nnameserver 192.168.1.1" > /etc/resolv.conf
# service network restart

Now install stubby and unbound:

# opkg update
# opkg install stubby ca-certificates unbound unbound-control

Edit /etc/stubby/stubby.yml so that its upstream_recursive_servers section contains only trusted public resolvers that support DNS-over-TLS, for example:

upstream_recursive_servers:
# Cloudflare 1.1.1.1 and 1.0.0.1
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

Restart stubby:

# service stubby restart

Configure unbound to forward the local zone "lan." and the reverse zone "1.168.192.in-addr.arpa." to the router, and all other DNS queries to stubby:

# uci set unbound.@unbound[0].domain_type="transparent"
# uci commit

# echo 'do-not-query-localhost: no
local-zone: "1.168.192.in-addr.arpa." transparent' >> /etc/unbound/unbound_srv.conf

# echo 'stub-zone:
  name: "lan."
  stub-addr: 192.168.1.1

stub-zone:
  name: "1.168.192.in-addr.arpa."
  stub-addr: 192.168.1.1

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5453' >> /etc/unbound/unbound_ext.conf

# service unbound restart

Unbound is now ready to answer DNS queries at 192.168.1.53 for local LAN clients.
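As an added example (not part of the original article), the following POSIX sh helpers, usable in OpenWrt's busybox ash, derive the reverse zone from the router address and print the two Unbound include files shown above, and check that every forward-addr points at loopback so no query can bypass stubby in plaintext. The helpers assume a /24 LAN, stubby listening on 127.0.0.1:5453, and the /etc/unbound include files used above; the function names are my own.

```shell
#!/bin/sh
# Example helpers (constructed for this article), not OpenWrt's own scripts.
# Assumes a /24 LAN and stubby on 127.0.0.1:5453.

# reverse_zone <ipv4-in-lan>: print the /24 in-addr.arpa zone for that address.
# e.g. 192.168.1.1 -> 1.168.192.in-addr.arpa.
reverse_zone() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    printf '%s.%s.%s.in-addr.arpa.\n' "$3" "$2" "$1"
}

# unbound_srv_conf <router-ip>: body of unbound_srv.conf (inside server:).
unbound_srv_conf() {
    rev=$(reverse_zone "$1")
    printf 'do-not-query-localhost: no\nlocal-zone: "%s" transparent\n' "$rev"
}

# unbound_ext_conf <local-domain> <router-ip> <stubby-port>:
# body of unbound_ext.conf (top-level clauses, outside server:).
unbound_ext_conf() {
    domain=$1; router=$2; port=$3
    rev=$(reverse_zone "$router")
    printf 'stub-zone:\n  name: "%s."\n  stub-addr: %s\n\n' "$domain" "$router"
    printf 'stub-zone:\n  name: "%s"\n  stub-addr: %s\n\n' "$rev" "$router"
    printf 'forward-zone:\n  name: "."\n  forward-addr: 127.0.0.1@%s\n' "$port"
}

# forward_targets_local <unbound_ext.conf>: succeed only if every forward-addr
# points at loopback (127.0.0.1 or ::1), i.e. all upstream traffic goes via
# stubby's TLS session rather than a plaintext forwarder.
forward_targets_local() {
    bad=$(grep -E '^[[:space:]]*forward-addr:' "$1" \
          | grep -Evc '(127\.0\.0\.1|::1)' || true)
    [ "${bad:-0}" -eq 0 ]
}

# Usage, as on the router:
#   unbound_srv_conf 192.168.1.1      >> /etc/unbound/unbound_srv.conf
#   unbound_ext_conf lan 192.168.1.1 5453 >> /etc/unbound/unbound_ext.conf
#   forward_targets_local /etc/unbound/unbound_ext.conf && service unbound restart
```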
