[Tutorial] Working Together Unbound and DNSMasq

mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Wed Jun 21, 2017 11:53    Post subject: [Tutorial] Working Together Unbound and DNSMasq Reply with quote
Hello,

I was looking for a solution to use recursive DNS resolving (Unbound) and DNSMasq together. DNSMasq has easy settings. I use it for blocking some websites. On the other hand, Unbound is very secure. But I couldn't use both of them at the same time. I wrote the following startup script. I tested it with well-known DNS leak tests on the internet, and it passes all of them. The main problem was that when I enabled Recursive DNS Resolving in the GUI, it automatically disables DNSMasq. But my code fixes that. You can try it. I use a WRT1900AC v1 with Kong's 31100M build.

Here is the startup script:

Code:
# Working Together v1.0 (Unbound & DNSMasq)
# This startup script fixes battle of Unbound vs DNSMasq
# Written by Kaan Dogan - 21.06.2017

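# Wait, then stop the instances the firmware started
sleep 10
stopservice unbound
stopservice dnsmasq
# Move Unbound off port 53 so dnsmasq can listen there
sed -i '/server:/ a\port: 5153\' /tmp/unbound.conf
unbound -c /tmp/unbound.conf

# Remove the lines that disable dnsmasq's DNS (port=0) and point it at the resolv file
sed -i '/port=0/d' /tmp/dnsmasq.conf
sed -i '/resolv-file=\/tmp\/resolv.dnsmasq/d' /tmp/dnsmasq.conf
dnsmasq --conf-file=/tmp/dnsmasq.conf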


And here are the Additional DNSMasq Options:

Code:
proxy-dnssec
no-resolv
port= 53
server=127.0.0.1#5153

_________________
Kaan's World | @mkaand | PLEX Archive | Trakt.tv
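
An added example, not part of the original post: a POSIX shell check that the two config files really form the chain the post sets up, with dnsmasq answering DNS itself and forwarding only to Unbound on 127.0.0.1#5153. The helper name `check_chain`, the sample files and the 192.0.2.53 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the configs for clients -> dnsmasq :53 -> Unbound 127.0.0.1:5153.
# check_chain DNSMASQ_CONF UNBOUND_CONF [UNBOUND_PORT]  (hypothetical helper name)
# Prints one line per finding and returns the number of findings (0 = chain intact).
check_chain() {
    uport=${3:-5153}; bad=0
    # Drop comments, blank lines and spaces so spacing such as "port= 53" does not matter.
    d=$(sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]//g' -e '/^$/d' "$1")
    u=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$2")
    flag() { echo "$1"; bad=$((bad + 1)); }

    # port=0 switches dnsmasq's DNS function off, so it would not answer queries.
    printf '%s\n' "$d" | grep -qx 'port=0' && flag "dnsmasq: port=0 still present"
    # no-resolv / resolv-file decide whether resolvers from a resolv file become upstreams.
    printf '%s\n' "$d" | grep -qx 'no-resolv' || flag "dnsmasq: no-resolv missing"
    printf '%s\n' "$d" | grep -q '^resolv-file=' && flag "dnsmasq: resolv-file still set"
    # Every server= line must be the local Unbound; any other line is reported.
    servers=$(printf '%s\n' "$d" | grep '^server=') || :
    [ -n "$servers" ] || flag "dnsmasq: no server= line"
    extra=$(printf '%s\n' "$servers" | grep -vx "server=127.0.0.1#$uport") || :
    [ -z "$extra" ] || flag "dnsmasq: other upstream(s): $extra"
    # Exactly one port line: re-running the sed append would add a duplicate.
    ports=$(printf '%s\n' "$u" | grep '^port:') || :
    [ "$ports" = "port:$uport" ] || flag "unbound: expected a single 'port: $uport'"
    return "$bad"
}

# Constructed sample (not from a real router): a second upstream bypasses Unbound.
tmp=$(mktemp -d)
printf 'port= 53\nno-resolv\nserver=127.0.0.1#5153\nserver=192.0.2.53\n' > "$tmp/dnsmasq.conf"
printf 'server:\n  port: 5153\n  verbosity: 1\n' > "$tmp/unbound.conf"
check_chain "$tmp/dnsmasq.conf" "$tmp/unbound.conf" || echo "findings: $?"
rm -rf "$tmp"
```

On a router the two arguments would be `/tmp/dnsmasq.conf` and `/tmp/unbound.conf`, checked after the startup script has run.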
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Sat Apr 25, 2020 17:39    Post subject: Reply with quote
Near as I can tell, both are enabled on my R7800 and things seem to be working OK. But, I came across your posting when searching to see if both can be enabled concurrently.
mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sat Apr 25, 2020 18:43    Post subject: Reply with quote
Hi,

Over the past years I changed my mind and I use only UNBOUND. I do not use DNSMasq anymore.

johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Sat Apr 25, 2020 19:46    Post subject: Reply with quote
I may try just using unbound tomorrow morning when internet use is low. Besides, after my previous post I found that although unbound was working when I first enabled it (even DNSSEC tests were good), it caused some kind of problem that caused the router to reboot within 10 minutes and then I had no name resolution until I turned the feature off and just used dnsmasq. It's always a mystery when something initially works fine and then quits. If there was a conflict one would think that it would show up immediately. Anyway, right now I'm testing unbound running on my PC and it's running just fine after 5 hours of operation.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

PostPosted: Sun Apr 26, 2020 9:30    Post subject: Reply with quote
johnnyNobody999 if you had a look at the top of the advanced networking forum thread you would find all the info for unbound
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320362

to presume again you'd need entware package manager to use unbound with options...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
tinkeruntilitworks
Guest





PostPosted: Sun Apr 26, 2020 12:20    Post subject: Reply with quote
if you have unbound on your router the very recent builds switched unbound to port 7053. i'm on r42954 on my netgear r7000p. possibly that might be an issue? if you have to install unbound via entware, stubby might be the better option. alozaros made a guide and linked it in his signature.
the folks at dns privacy project suggest a combo of unbound & stubby that i am debating trying out
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Sun Apr 26, 2020 15:45    Post subject: Reply with quote
Alozaros wrote:
johnnyNobody999 if you had a look at the top of the advanced networking forum thread you would find all the info for unbound
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320362


Has anybody taken the time to create a tutorial or downloadable instruction pdf for this? I realize that it takes time to create tutorials and they're not always accurate or current but it sure would beat having to wade through several posts to try to figure out how to do stuff like this.

Alozaros wrote:
to presume again you'd need entware package manager to use unbound with options...


I have entware installed on a usb drive attached to the main router and I have used utilities like drill that was available via entware.
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Sun Apr 26, 2020 16:03    Post subject: Reply with quote
tinkeruntilitworks wrote:
if you have unbound on your router the very recent builds switched unbound to port 7053. i'm on r42954 on my netgear r7000p. possibly that might be an issue? if you have to install unbound via entware, stubby might be the better option. alozaros made a guide and linked it in his signature.
the folks at dns privacy project suggest a combo of unbound & stubby that i am debating trying out


This is strange. I enabled unbound (dd-wrt firmware), saved, disabled dnsmasq (dd-wrt firmware), saved, then I clicked on Apply, unbound is working but for some reason dnsmasq got re-enabled. Everything has been running OK for over 2 hours. I'm at a loss to explain this but I'll "take it". We'll see if this holds up for a day or 2. I wish I had a way to experiment but with everyone home because of this COVID-19 it's difficult to get time to do extensive testing.
Redback813
DD-WRT Novice


Joined: 10 Nov 2015
Posts: 43

PostPosted: Mon Apr 27, 2020 5:52    Post subject: Reply with quote
johnnyNobody999 wrote:
tinkeruntilitworks wrote:
if you have unbound on your router the very recent builds switched unbound to port 7053. i'm on r42954 on my netgear r7000p. possibly that might be an issue? if you have to install unbound via entware, stubby might be the better option. alozaros made a guide and linked it in his signature.
the folks at dns privacy project suggest a combo of unbound & stubby that i am debating trying out


This is strange. I enabled unbound (dd-wrt firmware), saved, disabled dnsmasq (dd-wrt firmware), saved, then I clicked on Apply, unbound is working but for some reason dnsmasq got re-enabled. Everything has been running OK for over 2 hours. I'm at a loss to explain this but I'll "take it". We'll see if this holds up for a day or 2. I wish I had a way to experiment but with everyone home because of this COVID-19 it's difficult to get time to do extensive testing.


Problem I see with unbound is when enabling unbound through the web-gui there is a default setting and it's the only setting so any custom settings you have are simply ignored.
mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Mon Apr 27, 2020 8:01    Post subject: Reply with quote
This is how to use custom settings with Unbound:

sleep 5
stopservice unbound -f
#killall unbound
unbound -c /tmp/mnt/sda1/Backups/jffs/unbound/unbound.conf

johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Mon Apr 27, 2020 15:43    Post subject: Reply with quote
Redback813 wrote:
johnnyNobody999 wrote:
tinkeruntilitworks wrote:
if you have unbound on your router the very recent builds switched unbound to port 7053. i'm on r42954 on my netgear r7000p. possibly that might be an issue? if you have to install unbound via entware, stubby might be the better option. alozaros made a guide and linked it in his signature.
the folks at dns privacy project suggest a combo of unbound & stubby that i am debating trying out


This is strange. I enabled unbound (dd-wrt firmware), saved, disabled dnsmasq (dd-wrt firmware), saved, then I clicked on Apply, unbound is working but for some reason dnsmasq got re-enabled. Everything has been running OK for over 2 hours. I'm at a loss to explain this but I'll "take it". We'll see if this holds up for a day or 2. I wish I had a way to experiment but with everyone home because of this COVID-19 it's difficult to get time to do extensive testing.


Problem I see with unbound is when enabling unbound through the web-gui there is a default setting and it's the only setting so any custom settings you have are simply ignored.


That's why I'm considering enabling unbound from entware. There's a dnsmasq package in entware also. The problem with doing all this "fancy" stuff is being able to fix it when things go wrong..... I'll have to double check this but when I upgraded my router with the latest beta firmware this morning, I couldn't get any dns name resolution and I think it could be that the time didn't get set before unbound was brought up. As I recall, unbound requires the correct time to be set and the correct time can't be set if unbound comes up before the time can be set. A lot of "gotchas" to watch out for. Too many users on my network to experiment right now. I should pay for another IP so I can set up a test network - I need to win the lottery..... Also, I haven't got all the bugs worked out with DNS since refreshing web pages occasionally give me an unable to connect message.


Last edited by johnnyNobody999 on Mon Apr 27, 2020 15:59; edited 3 times in total
tinkeruntilitworks
Guest





PostPosted: Mon Apr 27, 2020 15:51    Post subject: Reply with quote
Redback813 wrote:
johnnyNobody999 wrote:
tinkeruntilitworks wrote:
if you have unbound on your router the very recent builds switched unbound to port 7053. i'm on r42954 on my netgear r7000p. possibly that might be an issue? if you have to install unbound via entware, stubby might be the better option. alozaros made a guide and linked it in his signature.
the folks at dns privacy project suggest a combo of unbound & stubby that i am debating trying out


This is strange. I enabled unbound (dd-wrt firmware), saved, disabled dnsmasq (dd-wrt firmware), saved, then I clicked on Apply, unbound is working but for some reason dnsmasq got re-enabled. Everything has been running OK for over 2 hours. I'm at a loss to explain this but I'll "take it". We'll see if this holds up for a day or 2. I wish I had a way to experiment but with everyone home because of this COVID-19 it's difficult to get time to do extensive testing.


Problem I see with unbound is when enabling unbound through the web-gui there is a default setting and it's the only setting so any custom settings you have are simply ignored.

if it finds another valid unbound.conf it uses the custom one
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

PostPosted: Mon Apr 27, 2020 16:28    Post subject: Reply with quote
johnnyNobody999 if i may ask, what is your final goal with unbound ??
the link i posted all the info is there 'how to unbound'...
do not try to bring the mountain to you, but you go to the mountain... as all say to you, default DDWRT unbound is funky n'stripped and you need either path to jffs or proper unbound opt install via entware...

In both cases you'd need USB mounted either jffs (which could be funny) or opt/entware, which is decent and has all updates via opkg...
if your final goal is recursive DNS and tls, DNSSEC...Stubby is much easier and less hassle + more stability and less resources...
Both stubby and unbound come from the same source GetDNS, both have excellent documentation inside their settings files and both work well with dnsmasq so you'd need it as it's the backbone of DDWRT anyway...

johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Mon Apr 27, 2020 16:53    Post subject: Reply with quote
Alozaros wrote:
johnnyNobody999 if i may ask, what is your final goal with unbound ??
the link i posted all the info is there 'how to unbound'...
do not try to bring the mountain to you, but you go to the mountain... as all say to you, default DDWRT unbound is funky n'stripped and you need either path to jffs or proper unbound opt install via entware...

In both cases you'd need USB mounted either jffs (which could be funny) or opt/entware, which is decent and has all updates via opkg...
if your final goal is recursive DNS and tls, DNSSEC...Stubby is much easier and less hassle + more stability and less resources...
Both stubby and unbound come from the same source GetDNS, both have excellent documentation inside their settings files and both work well with dnsmasq so you'd need it as it's the backbone of DDWRT anyway...


I'm trying to set up a secure DNS without having to put in hours or days of effort. I've heard of stubby with unbound and maybe I'll take a look at it. Right now I'm exhausted from fighting these DNS issues and my postfix server after upgrading to Ubuntu 20.04 (what a mess!).