After realizing that my ISP (ONO) was hijacking NXDOMAIN DNS responses, I decided to improve the security of DNS queries for my entire LAN using DNSSEC.
I chose to replace dnsmasq with unbound on my OpenWrt router. These are the steps I followed.
First I installed the required packages:
# opkg update
# opkg install unbound unbound-anchor unbound-control unbound-control-setup unbound-host
As dnsmasq is also the DHCP server, I'm not going to disable it, only move its DNS port to 5353. In /etc/config/dhcp:
config dnsmasq
    option port '5353'
Then restart it:
# /etc/init.d/dnsmasq restart
Now, some modifications to /etc/unbound/unbound.conf:
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    use-syslog: yes
    # The local zones are unsigned, so exempt them from DNSSEC validation
    private-domain: "lan."
    domain-insecure: "lan."
    domain-insecure: "168.192.in-addr.arpa."
    # Required to forward queries to dnsmasq on 127.0.0.1
    do-not-query-localhost: no
    # Unbound answers the private reverse zone itself unless this is set
    local-zone: "168.192.in-addr.arpa" nodefault
forward-zone:
    name: "lan."
    forward-addr: 127.0.0.1@5353
forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5353
To enable the service and start it:
# /etc/init.d/unbound enable
# /etc/init.d/unbound start
The forward-zone entries send every query for .lan (and the 192.168.0.0/16 reverse zone) to dnsmasq, so hosts that got their address by DHCP can still be resolved as hostname.lan while everything else is validated by unbound. Best of both worlds!
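The three directives that are easy to forget in this setup (domain-insecure for the forwarded zones, do-not-query-localhost, and the nodefault local-zone for the private reverse zone) each break name resolution in a different way. The following linter is an added example written for this post, not part of unbound or OpenWrt: it parses an unbound.conf, checks those dependencies between the forward-zone entries and the server clause, and also flags the wide-open access-control, which relies on the router firewall keeping WAN input closed. SAMPLE_CONF is the post's configuration; BROKEN_CONF is a constructed variant with the forwarding details left out.

```python
from ipaddress import ip_address

# SAMPLE_CONF is the configuration from the post; BROKEN_CONF is a constructed
# "first attempt" that forwards to dnsmasq without the supporting server directives.
SAMPLE_CONF = """
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    use-syslog: yes
    private-domain: "lan."
    domain-insecure: "lan."
    domain-insecure: "168.192.in-addr.arpa."
    do-not-query-localhost: no
    local-zone: "168.192.in-addr.arpa" nodefault
forward-zone:
    name: "lan."
    forward-addr: 127.0.0.1@5353
forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5353
"""
BROKEN_CONF = """
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    domain-insecure: "lan."
forward-zone:
    name: "lan."
    forward-addr: 127.0.0.1@5353
forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5353
"""

# Top-level clause names in unbound.conf; attributes belong to the clause above them.
CLAUSES = {"server", "forward-zone", "stub-zone", "remote-control", "auth-zone", "view"}
# Private reverse zones unbound answers itself (NXDOMAIN) unless declared nodefault;
# a subset of unbound's built-in list, enough for the RFC 1918 ranges.
DEFAULT_BLOCKED_REVERSE = {"10.in-addr.arpa.", "168.192.in-addr.arpa."} | {
    "%d.172.in-addr.arpa." % n for n in range(16, 32)
}
ANY_PREFIX = {"0.0.0.0/0", "::0/0", "::/0"}


def _zone_name(value):
    """Normalise a possibly quoted zone name to lower case with a trailing dot."""
    name = value.strip().strip('"').lower()
    return name if name.endswith(".") else name + "."


def parse_unbound_conf(text):
    """Return [(clause, {attribute: [values]}), ...] in file order."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "" and key in CLAUSES:   # a bare "server:" line opens a clause
            current = (key, {})
            clauses.append(current)
        elif current is None:
            raise ValueError("attribute before any clause: %r" % raw)
        else:
            current[1].setdefault(key, []).append(value)
    return clauses


def lint(text):
    """Return [(severity, message)] for the forwarding/DNSSEC pitfalls in the config."""
    clauses = parse_unbound_conf(text)
    server = {}
    for clause, attrs in clauses:
        if clause == "server":
            for key, values in attrs.items():
                server.setdefault(key, []).extend(values)
    insecure = {_zone_name(v) for v in server.get("domain-insecure", [])}
    nodefault = {_zone_name(v.split()[0]) for v in server.get("local-zone", [])
                 if v.split()[-1].lower() == "nodefault"}
    findings, forwards_to_loopback = [], False
    for clause, attrs in clauses:
        if clause != "forward-zone":
            continue
        zone = _zone_name(attrs["name"][0])
        # The signed root proves an unsigned private TLD does not exist, so answers
        # forwarded from dnsmasq are rejected as bogus unless the zone is insecure.
        if not any(zone == z or zone.endswith("." + z) for z in insecure):
            findings.append(("ERROR", "%s is forwarded but not domain-insecure" % zone))
        if zone in DEFAULT_BLOCKED_REVERSE and zone not in nodefault:
            findings.append(("ERROR", "%s needs 'local-zone: \"%s\" nodefault' or unbound "
                             "answers NXDOMAIN itself" % (zone, zone.rstrip("."))))
        for addr in attrs.get("forward-addr", []):
            if ip_address(addr.split("@", 1)[0]).is_loopback:
                forwards_to_loopback = True
    if forwards_to_loopback and server.get("do-not-query-localhost", ["yes"])[0].lower() != "no":
        findings.append(("ERROR", "forwarding to 127.0.0.1 requires 'do-not-query-localhost: no'"))
    for rule in server.get("access-control", []):
        prefix, _, action = rule.partition(" ")
        if action.strip().lower() == "allow" and prefix in ANY_PREFIX:
            findings.append(("WARN", "access-control %s allow answers every client that can "
                             "reach the listener; keep WAN input blocked by the firewall" % prefix))
    return findings


if __name__ == "__main__":
    for label, conf in (("post", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        for severity, message in lint(conf):
            print("%s: %s: %s" % (label, severity, message))
```

Run against the post's configuration the linter reports only the two access-control warnings; against the constructed variant it reports the missing domain-insecure and nodefault entries for the reverse zone and the missing do-not-query-localhost, which are exactly the symptoms of "hostname.lan resolves but 192.168.x.y does not reverse" and "forwarding silently fails".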
If your device doesn't have a hardware clock, you should add something like this to your /etc/rc.local or to the unbound init script, so that DNSSEC validation doesn't fail because the system date is wrong:
/usr/sbin/ntpd -n -q -N -p <ntp server IP>
Finally, check if you are using DNSSEC in a place like: http://test.dnssec-or-not.com/
Edited on Jun 30 2014: added forwarding of zone 168.192.in-addr.arpa. and NTP bootstrapping.