Unbound as a secondary DNS resolver
Published: 2015-08-31
If you're looking for how to implement Unbound as your primary DNS resolver, read on here.
Dnsmasq requires a bit more work in this scenario.
- First, we comment out the resolvfile line, since that file contains your ISP's DNS servers; as long as dnsmasq reads it, queries can still go to the ISP instead of to Unbound.
- The noresolv option needs to be set to 1, so dnsmasq ignores /etc/resolv.conf and the resolv file and only uses the servers listed in its own configuration; queries for names outside the LAN then get passed on to those servers.
- The final line defines the DNS server you pass them on to, in this case Unbound, which will be listening on localhost, port 54 (the #54 suffix is dnsmasq's syntax for a non-standard port).
Your dnsmasq section in /etc/config/dhcp should look like this:
    # option resolvfile '/tmp/resolv.conf.auto'
    option noresolv '1'
    list server '127.0.0.1#54'
Now, DNSSEC validation requires an accurate clock: every signature (RRSIG record) carries an inception and an expiration time, and a validator only accepts it while its own clock falls inside that window. If your clock is off at boot, every validated answer fails and DNS just won't work, including the lookup of the NTP pool that would fix the clock. The cleanest way out of this chicken-and-egg problem is to have dnsmasq forward the DNS query for the NTP pool directly to an upstream server, bypassing Unbound. You could instead add an NTP query with a server IP in /etc/rc.local, but that's yet another file to keep track of, and you're bound to forget. So we add an extra line:
    list server '/pool.ntp.org/188.8.131.52'
This line makes dnsmasq use the listed IP as the DNS server for that domain and all of its subdomains (which covers names such as the *.openwrt.pool.ntp.org servers OpenWrt's ntpd uses by default), without any DNSSEC validation. In this case, it is an OpenDNS server; if you'd rather use something else, you can use Google's 8.8.8.8 or 8.8.4.4, or have a look at the list of the OpenNIC project for a DNS server close to your location (speed is everything on the web).
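The clock dependency described above can be made concrete with a small validity-window check. This is an added example written for this post, not code from the original page or from Unbound: it parses an RRSIG record in zone-file presentation format, applies the clock-skew allowance documented in unbound.conf(5) for val-sig-skew-min and val-sig-skew-max (10% of the signature lifetime, clamped to one hour and one day), and classifies the same signature as seen by a router with three different clock settings. The RRSIG record, its key tag and its signature field are constructed placeholders; only the inception and expiration times matter here.

```python
"""Why a wrong clock breaks DNSSEC validation.

Added example for this post, not from the original page or from Unbound.
Every RRSIG record carries a signature inception and expiration time
(RFC 4034, section 3.1.5; YYYYMMDDHHmmSS in UTC in presentation format),
and a validator only accepts the signature while its own clock falls inside
that window, plus a small skew allowance. A router whose clock starts at
the epoch therefore rejects every signed answer, including the one for the
NTP pool that would fix the clock.
"""
from datetime import datetime, timezone

# Skew allowance as documented in unbound.conf(5) for val-sig-skew-min and
# val-sig-skew-max: 10% of the signature lifetime, clamped to these bounds.
VAL_SIG_SKEW_MIN = 3600
VAL_SIG_SKEW_MAX = 86400

# Constructed sample: an A record signature made 2015-08-31, valid two weeks.
# Key tag and signature are placeholders, not a real signature.
SAMPLE_RRSIG = ("pool.ntp.org. 300 IN RRSIG A 8 3 300 20150914000000 "
                "20150831000000 12345 ntp.org. c2lnbmF0dXJlLXBsYWNlaG9sZGVy")


def parse_dnssec_time(field: str) -> int:
    """RRSIG time field to seconds since the epoch. The presentation format is
    YYYYMMDDHHmmSS (UTC); a plain decimal is also allowed and is taken as-is."""
    if len(field) == 14 and field.isdigit():
        dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(field)


def parse_rrsig(presentation: str) -> dict:
    """Parse one RRSIG RR in zone-file presentation format (RFC 4034, 3.2).
    Field order after the RRSIG token: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature."""
    f = presentation.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % presentation)
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "orig_ttl": int(f[7]),
        "expiration": parse_dnssec_time(f[8]),
        "inception": parse_dnssec_time(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        "signature": "".join(f[12:]),
    }


def allowed_skew(rrsig: dict) -> int:
    """Clock skew tolerated for this signature, following Unbound's rule."""
    lifetime = rrsig["expiration"] - rrsig["inception"]
    return max(VAL_SIG_SKEW_MIN, min(VAL_SIG_SKEW_MAX, lifetime // 10))


def signature_time_status(rrsig: dict, now: int) -> str:
    """Classify the signature's validity window against the validator's clock.
    Anything other than "in window" makes the validator answer SERVFAIL."""
    if rrsig["expiration"] < rrsig["inception"]:
        return "bogus (expires before inception)"
    skew = allowed_skew(rrsig)
    if rrsig["inception"] - skew > now:
        return "not yet valid"
    if rrsig["expiration"] + skew < now:
        return "expired"
    return "in window"


def clock_scenarios(rrsig: dict) -> dict:
    """The same signature as seen by a router at three clock settings."""
    return {
        "boot with clock at the epoch": signature_time_status(rrsig, 0),
        "clock synced, 2015-09-01": signature_time_status(
            rrsig, parse_dnssec_time("20150901120000")),
        "a month later without resigning": signature_time_status(
            rrsig, parse_dnssec_time("20151001120000")),
    }


if __name__ == "__main__":
    for scenario, status in clock_scenarios(parse_rrsig(SAMPLE_RRSIG)).items():
        print("%-36s %s" % (scenario, status))
```

The first scenario is the boot problem from the text: with the clock at the epoch the signature is "not yet valid", so every validated lookup fails until ntpd has synced, and ntpd cannot sync until its pool name resolves. Forwarding pool.ntp.org past Unbound, as the dnsmasq line above does, is what breaks that loop.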
Install the unbound and unbound-anchor packages through opkg. After that, fetch the root trust anchor manually:
    # unbound-anchor -a "/etc/unbound/root.key"
Note that unbound-anchor exits with status 1 when it had to create or update the anchor file, so a non-zero exit status is not by itself a failure; check that /etc/unbound/root.key exists and is readable by the user Unbound runs as.
The default configuration should be pretty much OK. All you need to change is the port Unbound listens on, so it doesn't conflict with dnsmasq on port 53. The setting goes in the server: section:
    # vim /etc/unbound/unbound.conf
    server:
        port: 54
You also might want to add prefetch: yes in the same section, to get Unbound to refresh popular records before they expire. Run unbound-checkconf after editing; it reports syntax errors before you restart the daemon.
Some domains (in my case: my own dynamic DNS domain) might not resolve with Unbound as a secondary server; you then need to provide an exception in /etc/config/dhcp so the DNS query doesn't get passed to Unbound but gets forwarded by dnsmasq to another server, which means no DNSSEC validation for that domain. For this blog, e.g., I added an OpenDNS server:
    list server '/volatilesystems.org/18.104.22.168'
Alternatively, you can list it as
    domain-insecure: "volatilesystems.org"
in the server: section of unbound.conf, so Unbound still resolves the domain itself but ignores the DNSSEC chain of trust for it. To tell a validation failure from a plain resolution failure, query Unbound directly: dig @127.0.0.1 -p 54 volatilesystems.org returning SERVFAIL while the same query with +cd (checking disabled) succeeds means the data resolves but fails validation.
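To see which upstream dnsmasq actually picks for a given name under the /etc/config/dhcp lines used in this post (the three lines at the top, the pool.ntp.org forward, and the per-domain exception just above), here is an added example written for this post; it is not code from the original page, from dnsmasq or from OpenWrt. It models only the parts of dnsmasq's server selection the post relies on (default servers, per-domain servers with longest-suffix matching, noresolv) and ignores options such as all-servers or strict-order. The config snippet is constructed, and the 192.0.2.x and 198.51.100.x addresses are RFC 5737 placeholders for the upstream DNS servers.

```python
"""Which upstream dnsmasq picks for a name, given the /etc/config/dhcp lines
from this post. Added example, not code from the original page, dnsmasq or
OpenWrt; it models only default servers, per-domain servers with
longest-suffix matching, and noresolv. Addresses are RFC 5737 placeholders."""
import re

# Constructed dnsmasq section: the post's three lines plus the per-domain
# forwards for the NTP pool and for a domain that does not resolve via Unbound.
SAMPLE_DHCP_CONFIG = """
config dnsmasq
    option domainneeded '1'
    # option resolvfile '/tmp/resolv.conf.auto'
    option noresolv '1'
    list server '127.0.0.1#54'
    list server '/pool.ntp.org/192.0.2.10'
    list server '/volatilesystems.org/192.0.2.20'
"""

UCI_LINE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci_dnsmasq(text):
    """Return (options, servers) from a UCI 'config dnsmasq' section.
    Lines commented out with '#' are skipped, so a commented-out resolvfile
    line simply does not appear in options."""
    options, servers = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "list" and key == "server":
            servers.append(value)
        elif kind == "option":
            options[key] = value
    return options, servers


def parse_server_entry(entry):
    """dnsmasq server= syntax: 'IP[#port]' is a default upstream;
    '/dom1/dom2/IP[#port]' routes those domains and their subdomains to IP;
    '/dom/' (no address) makes the domain local-only and '/dom/#' sends it
    to the default upstreams. Returns a list of (domain or None, target)."""
    if entry.startswith("/"):
        parts = entry.split("/")
        domains = [d.lower().rstrip(".") for d in parts[1:-1]]
        addr = parts[-1]
    else:
        domains, addr = [None], entry
    if addr == "":
        target = None
    elif addr == "#":
        target = "#"
    else:
        host, _, port = addr.partition("#")
        target = (host, int(port) if port else 53)
    return [(d, target) for d in domains]


def upstreams_for(qname, options, servers, resolvfile_servers=()):
    """Candidate upstreams for qname: the most specific matching per-domain
    server wins; otherwise the default servers, which also include the
    resolv file's (ISP) servers unless noresolv is '1'. [] means not forwarded."""
    qname = qname.lower().rstrip(".")
    rules = [r for e in servers for r in parse_server_entry(e)]
    defaults = [t for d, t in rules if d is None]
    if options.get("noresolv") != "1":
        defaults += [(ip, 53) for ip in resolvfile_servers]
    best = None
    for d, t in rules:
        if d is not None and (qname == d or qname.endswith("." + d)):
            if best is None or len(d) > len(best[0]):
                best = (d, t)
    if best is None or best[1] == "#":
        return defaults
    if best[1] is None:
        return []
    return [best[1]]


def check_config(options, servers):
    """Problems a reviewer would flag for the Unbound-behind-dnsmasq setup."""
    problems = []
    if options.get("noresolv") != "1":
        problems.append("noresolv is not '1': dnsmasq will also use the ISP resolvers from the resolv file")
    defaults = [t for e in servers for d, t in parse_server_entry(e) if d is None]
    if ("127.0.0.1", 54) not in defaults:
        problems.append("no default server entry for Unbound on 127.0.0.1#54")
    return problems


if __name__ == "__main__":
    opts, srv = parse_uci_dnsmasq(SAMPLE_DHCP_CONFIG)
    for name in ("example.com", "0.openwrt.pool.ntp.org", "notpool.ntp.org",
                 "www.volatilesystems.org"):
        print("%-26s -> %s" % (name, upstreams_for(name, opts, srv)))
    print("problems:", check_config(opts, srv))
```

Two things the run makes visible: notpool.ntp.org is not matched by the pool.ntp.org rule (matching is on whole labels, not string suffixes), so it still goes through Unbound; and if noresolv is left at 0, the resolv file's ISP servers join the default list next to 127.0.0.1#54, which is exactly the leak the first two configuration lines are meant to close.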