Posted: Sun Sep 18, 2016 22:36 Post subject: Enabling DNSSEC with Unbound and Forwarding to DNSCrypt
How do you enable DNSSEC with Unbound and forward to DNSCrypt? DNSCrypt will be configured to contact a DNS server that supports DNSSEC.
1) From what I've read, on the Services\Services tab, add "proxy-dnssec" in the Additional DNSMasq Options section? Is that correct? What is the syntax for adding multiple options in this field?
2) Where do you configure Unbound to forward to DNSCrypt? Is it the "forward-addr: <IP address>@<port>" setting in the /etc/unbound/unbound.conf file?
Posted: Mon Sep 26, 2016 16:12 Post subject: Re: Enabling DNSSEC with Unbound and Forwarding to DNSCrypt
Denna wrote:
How do you enable DNSSEC with Unbound and forward to DNSCrypt? DNSCrypt will be configured to contact a DNS server that supports DNSSEC.
1) From what I've read, on the Services\Services tab, add "proxy-dnssec" in the Additional DNSMasq Options section? Is that correct? What is the syntax for adding multiple options in this field?
Support for proxy-dnssec is currently not compiled into dnsmasq.
Quote:
2) Where do you configure Unbound to forward to DNSCrypt? Is it the "forward-addr: <IP address>@<port>" setting in the /etc/unbound/unbound.conf file?
No, unbound is currently using a generated config under /tmp/unbound.conf; every time unbound starts, this file is generated and your changes are overwritten.
The only option right now would be to stop unbound, modify the file, and start unbound.
In my experience, when the GUI lacks the ability to change cmd line args of services, you can't simply use stopservice and then run the binary directly, because iptables rules and other boilerplate config associated with that service will be deleted, so I had to use a script to periodically check the cmd line of the current service instance and, if wrong, kill it and run the binary with the right cmd line without ever using servicestop...
Here's the script, feel free to modify it to your needs...
So if DNSMasq for DNS and Unbound are disabled in the Web GUI, running the Unbound binary with its associated resolve.conf, iptables, startup scripts, etc. off of /jffs, that should be OK, correct?
_________________
Asus RT-AC88u running DD-WRT 12-15-2016-r30949
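The replies above note that /tmp/unbound.conf is regenerated on every start and that forwarding is set with forward-addr. As an added example (not code from any poster or from DD-WRT), the shell functions below append a forward-zone for a local DNSCrypt listener to that file idempotently and check that a DNSSEC trust anchor is configured. The listener address 127.0.0.1@5353, the function names and the --apply switch are assumptions; how Unbound is restarted afterwards depends on the firmware and is left out.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: dnscrypt-proxy listens on
# 127.0.0.1 port 5353; set DNSCRYPT_ADDR if yours differs.
CONF="${CONF:-/tmp/unbound.conf}"   # generated file named in the thread
DNSCRYPT_ADDR="${DNSCRYPT_ADDR:-127.0.0.1@5353}"

# Print the config with comments and whitespace stripped, one directive per line.
normalized() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1"
}

# 0 if a DNSSEC trust anchor is configured, i.e. Unbound validates answers itself.
has_trust_anchor() {
    normalized "$1" | grep -Eq '^(auto-trust-anchor-file|trust-anchor-file|trust-anchor):'
}

# 0 = stanza appended, 1 = already present, 2 = refused (file missing or conflict).
ensure_forward_zone() {
    conf="$1"; addr="$2"
    [ -f "$conf" ] && [ -w "$conf" ] || return 2
    if normalized "$conf" | grep -Fxq "forward-addr:$addr"; then
        return 1
    fi
    # Another forward-zone exists: refuse rather than add a conflicting one.
    if normalized "$conf" | grep -Fxq "forward-zone:"; then
        return 2
    fi
    # Unbound skips loopback upstreams unless do-not-query-localhost is "no".
    cat >> "$conf" <<EOF

server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: $addr
EOF
}

if [ "${1:-}" = "--apply" ]; then
    has_trust_anchor "$CONF" || echo "warning: no trust anchor in $CONF" >&2
    rc=0; ensure_forward_zone "$CONF" "$DNSCRYPT_ADDR" || rc=$?
    case $rc in
        0) echo "forward-zone added to $CONF; restart Unbound" ;;
        1) echo "already forwarding to $DNSCRYPT_ADDR" ;;
        *) echo "refused: $CONF missing or has another forward-zone" >&2; exit 2 ;;
    esac
fi
```

With DNSSEC validated by Unbound itself, the upstream reached through DNSCrypt only has to return the DNSSEC records; the trust-anchor check is there because a forwarder without one resolves names but validates nothing.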