Fix failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

After installing Unbound in an OpenWrt router, I noticed that after a reboot the DNS was not working. I saw many of these errors in the log:

failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

I discovered that the system date was wrong. As this device lacks a hardware clock, when the machine boots it cannot synchronize the time by NTP because there is no resolver (Unbound doesn’t start because the date validation of the ICANN certificate fails). It’s a chicken-and-egg problem.

[Read More]

Configure Unbound DNSSEC resolver in OpenWrt

After realizing that my ISP (ONO) was hijacking the NXDOMAIN DNS responses, I decided to improve the security of the DNS queries for my entire LAN using DNSSEC.

I chose to replace dnsmasq with Unbound in my OpenWrt router. These are the steps I followed.

First I installed the required packages:

# opkg update
# opkg install unbound unbound-anchor unbound-control unbound-control-setup unbound-host

As dnsmasq is also the DHCP server, I’m not going to disable it, only change its DNS port to 5353. In /etc/config/dhcp

[Read More]