Enabling DNSSEC with Unbound and Forwarding to DNSCrypt

Denna
DD-WRT User


Joined: 16 Sep 2016
Posts: 101

PostPosted: Sun Sep 18, 2016 22:36    Post subject: Enabling DNSSEC with Unbound and Forwarding to DNSCrypt Reply with quote
How do you enable DNSSEC with Unbound and forward to DNSCrypt? DNSCrypt will be configured to contact a DNS server that supports DNSSEC.
    1) From what I've read, on the Services\Services tab, add "proxy-dnssec" in the Additional DNSMasq Options section? Is that correct? What is the syntax for adding multiple options in this field?

    2) Where do you configure Unbound to forward to DNSCrypt? Is it the "forward-addr: <IP address>@<port>" setting in the /etc/unbound/unbound.conf file?
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Mon Sep 26, 2016 16:12    Post subject: Re: Enabling DNSSEC with Unbound and Forwarding to DNSCrypt Reply with quote
Denna wrote:
How do you enable DNSSEC with Unbound and forward to DNSCrypt? DNSCrypt will be configured to contact a DNS server that supports DNSSEC.
    1) From what I've read, on the Services\Services tab, add "proxy-dnssec" in the Additional DNSMasq Options section? Is that correct? What is the syntax for adding multiple options in this field?

Support for proxy-dnssec is currently not compiled into dnsmasq.

Quote:

2) Where do you configure Unbound to forward to DNSCrypt? Is it the "forward-addr: <IP address>@<port>" setting in the /etc/unbound/unbound.conf file?


No, unbound is currently using a generated config under /tmp/unbound.conf; every time unbound starts this file is generated and your changes are overwritten.

The only option right now would be to stop unbound, modify the file, then start unbound.

Therefore it is a bit difficult to do this with the current implementation in dd-wrt.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
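For the stop/modify/start approach Kong describes, here is an added example script (mine, not from this thread and not DD-WRT's own config generator) that writes an Unbound config with DNSSEC validation enabled and every query forwarded to a local DNSCrypt listener, then restarts Unbound on it. The values are assumptions, not from the thread: dnscrypt-proxy listening on 127.0.0.1 port 5353, the router's LAN address 192.168.1.1, the root trust anchor kept at /jffs/unbound/root.key (populated once with `unbound-anchor -a /jffs/unbound/root.key`), and the config written to /tmp/unbound.conf as Kong says. Two points that matter for this setup: Unbound validates the answers itself, so the DNSCrypt upstream only has to pass the DNSSEC records through unmodified, and Unbound refuses to send queries to 127.0.0.0/8 unless `do-not-query-localhost: no` is set, so without that line the forward silently fails.

```shell
#!/bin/sh
# Added example: generate an Unbound config that validates DNSSEC and forwards
# everything to a local DNSCrypt proxy, then restart Unbound on it.
# Assumed values (not from the thread): dnscrypt-proxy on 127.0.0.1:5353,
# LAN address 192.168.1.1, trust anchor at /jffs/unbound/root.key,
# config written to /tmp/unbound.conf.

LISTEN_IP="${LISTEN_IP:-192.168.1.1}"
DNSCRYPT_IP="${DNSCRYPT_IP:-127.0.0.1}"
DNSCRYPT_PORT="${DNSCRYPT_PORT:-5353}"
ANCHOR="${ANCHOR:-/jffs/unbound/root.key}"
UNBOUND_CONF="${UNBOUND_CONF:-/tmp/unbound.conf}"

# Print the config to stdout.
# $1 = listen address, $2 = forward IP, $3 = forward port, $4 = trust anchor file
gen_unbound_conf() {
  cat <<EOF
server:
  interface: $1
  port: 53
  access-control: 192.168.1.0/24 allow   # assumed LAN range; adjust to yours
  access-control: 127.0.0.0/8 allow
  do-daemonize: yes
  # Unbound will not query 127.0.0.0/8 unless told to; the DNSCrypt proxy lives there.
  do-not-query-localhost: no
  # DNSSEC validation with an RFC 5011 auto-managed trust anchor
  auto-trust-anchor-file: "$4"
  harden-dnssec-stripped: yes
  val-permissive-mode: no
  # log validation failures so a bogus answer is visible, not just a SERVFAIL
  val-log-level: 1
forward-zone:
  name: "."
  forward-addr: $2@$3
EOF
}

# Read a config on stdin and fail unless the three directives this setup
# depends on are present (unbound-checkconf may not exist on the router).
check_unbound_conf() {
  conf=$(cat)
  for needle in 'do-not-query-localhost: no' 'auto-trust-anchor-file:' 'forward-addr:'; do
    printf '%s\n' "$conf" | grep -q "$needle" || return 1
  done
  return 0
}

# Stop the running Unbound, overwrite the generated config, start it again.
apply_unbound_conf() {
  killall unbound 2>/dev/null
  sleep 1
  gen_unbound_conf "$LISTEN_IP" "$DNSCRYPT_IP" "$DNSCRYPT_PORT" "$ANCHOR" > "$UNBOUND_CONF"
  check_unbound_conf < "$UNBOUND_CONF" || { echo "config check failed" >&2; return 1; }
  unbound -c "$UNBOUND_CONF"
}

# Only touch the running system when explicitly asked: ./unbound-dnscrypt.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_unbound_conf
fi
```

Because DD-WRT regenerates /tmp/unbound.conf on every start, anything that restarts Unbound (a WAN reconnect, a GUI apply) will undo this, which is the limitation Kong points out.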
Denna
DD-WRT User


Joined: 16 Sep 2016
Posts: 101

PostPosted: Mon Sep 26, 2016 16:59    Post subject: Reply with quote
So running an Unbound binary would provide more flexibility?
_________________
Asus RT-AC88u running DD-WRT 12-15-2016-r30949
ironmanlok
DD-WRT User


Joined: 16 Jul 2012
Posts: 59

PostPosted: Tue Sep 27, 2016 1:59    Post subject: Reply with quote
In my experience, when the GUI lacks the ability to change the cmd line args of services, you can't simply use stopservice and then run the binary directly, because the iptables rules and other boilerplate config associated with that service will be deleted. So I had to use a script that periodically checks the cmd line of the current service instance and, if it's wrong, kills it and runs the binary with the right cmd line, without ever using stopservice...

Here's the script, feel free to modify it to your needs...
Code:

#!/bin/sh

# $1 service name, $2 correct cmd line, $3 "force" to restart even if the cmd line already matches
fix_service()
{
  # PID of the running instance, excluding this script and the grep itself
  PID=$(ps | grep "$1" | grep -v "grep" | grep -v "fix_service" | sed -e 's/^ *//' | cut -d " " -f 1)
  # /proc/$PID/cmdline separates arguments with NUL bytes; strip those and spaces
  # so both sides compare as one string
  if [ -n "$PID" ] && [ -f "/proc/$PID/cmdline" ] && [ "$(tr -d '\000 ' < /proc/$PID/cmdline)" = "$(echo -n $2 | tr -d ' ')" ] && [ "$3" != "force" ]; then
    return 0
  fi

  [ -n "$PID" ] && kill -TERM $PID

  # run the correct cmd line ($2 is deliberately unquoted so the shell splits it into arguments)
  $2
  return 1
}

# optional: $2 = seconds to wait before checking (e.g. when run from a startup script)
[ -n "$2" ] && sleep $2

fix_service "lighttpd" "lighttpd -f /jffs/lighttpd.conf" "$1"
fix_service "dnsmasq" "dnsmasq -u root -g root --conf-file=/tmp/dnsmasq.conf --cache-size=1500 --dhcp-option=252,http://wpad/wpad.dat" "$1"

Denna
DD-WRT User


Joined: 16 Sep 2016
Posts: 101

PostPosted: Tue Sep 27, 2016 19:32    Post subject: Reply with quote
ironmanlok,

Thanks for the detailed reply and script.

So if DNSMasq for DNS and Unbound are disabled in the Web GUI, running the Unbound binary with its associated resolve.conf, iptables, startup scripts, etc. off of /jffs should be OK, correct?

_________________
Asus RT-AC88u running DD-WRT 12-15-2016-r30949
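Whichever way Unbound ends up running, the thing to verify afterwards is that validation actually happens end to end through the DNSCrypt forward. The added shell example below is mine, not from anyone in this thread: it classifies `dig` output the way a validating Unbound behaves, where a validated answer carries the `ad` flag, an unsigned zone answers NOERROR without it, and a zone whose signatures fail validation comes back SERVFAIL (as does an unreachable forwarder, which is why Unbound's `val-log-level` output is the place to tell the two apart). The dig header lines it runs over are constructed samples; the `check_live` function issues real queries and assumes `dig` is installed (it is not part of a stock DD-WRT image) and that Unbound listens on 192.168.1.1.

```shell
#!/bin/sh
# Added example: classify dig output to confirm DNSSEC validation through Unbound.
# classify_dig_output prints one of: validated, insecure, servfail, error.

classify_dig_output() {
  out=$(cat)
  # RCODE from the ";; ->>HEADER<<- ... status: NOERROR ..." line
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
  # flag list from the ";; flags: qr rd ra ad; ..." line
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR)
      case " $flags " in
        *" ad "*) echo validated ;;   # resolver validated the chain of trust
        *)        echo insecure ;;    # answer came back, but no validation (unsigned zone or validation off)
      esac ;;
    SERVFAIL) echo servfail ;;        # validation failure or forwarder unreachable; check Unbound's log
    *)        echo error ;;           # no parsable header (dig not installed, timeout, garbage)
  esac
}

# Constructed sample headers in dig's format, one per outcome.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1236
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Real query against the router (assumed resolver 192.168.1.1, assumed dig present).
# $1 = resolver, $2 = name to query
check_live() {
  resolver="${1:-192.168.1.1}"
  name="${2:-example.com}"
  dig @"$resolver" +dnssec "$name" A 2>/dev/null | classify_dig_output
}

# Usage: ./dnssec-check.sh live 192.168.1.1 example.com
if [ "${1:-}" = "live" ]; then
  check_live "$2" "$3"
fi
```

A useful pair of live checks is one name you know is signed, which should print `validated`, and one known to be deliberately broken, which a validating Unbound should answer with `servfail`; if the signed name prints `insecure`, Unbound is answering but not validating, which is what you would see if the generated config lacks the trust anchor.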