Say Bye to Provider’s DNS Servers – Be Your Own DNS Resolver
by kacang bawang
Have you ever wanted to NOT use your provider’s DNS services? Maybe they are engaged in censorship, or are modifying non-existent domains to point at pages full of advertisement? One popular solution is to use public DNS servers, such as Google’s. But ask yourself this – how much information are you giving up to a DNS server? Every time you visit a new web page, the DNS server will know about it. You can build a pretty nifty profile on a person using just that info. Well, how else would you do it? You’ve got to ask somebody for the IP address. Actually there is a better way – ask the source, and avoid the middlemen.
In this article I will show you how to set up your OpenWrt router to do its own DNS resolution. We will look up domains starting from the root DNS servers, without the use of third parties such as your provider, Google or OpenDNS.
Our solution consists of replacing the default (dnsmasq) caching DNS server with a different one (unbound) that is capable of recursive resolving. Why unbound? Because there is a package for it in OpenWrt. Let’s install it.
```sh
# no need to install any other unbound packages
opkg install unbound
```
OpenWrt, by default, comes with dnsmasq, which I have written about before. It is our DHCP and local DNS server (since only the DHCP server knows which names were given to which local IP). For that reason we do not want to remove it. Let’s move it to a different port, and prohibit it from forwarding queries to anyone else. Its services will be called upon by unbound, and if nothing is found – that is that.
```
# /etc/config/dhcp
config dnsmasq
    ...
    option port '5353'
    option noresolv 1
    #option resolvfile '/tmp/resolv.conf.auto'
    ...
```
`option noresolv 1` is a custom option, so the init script must be taught to parse it and turn it into dnsmasq's `--no-resolv` flag:
```sh
# /etc/init.d/dnsmasq
...
#append_parm "$cfg" "resolvfile" "--resolv-file"
append_bool "$cfg" "noresolv" "--no-resolv"
...
```
Now, configure unbound itself. Note that `interface: 0.0.0.0` together with `access-control: 0.0.0.0/0 allow` accepts queries from any source address; we are counting on a good firewall to keep port 53 closed on the WAN side, otherwise this is an open resolver.
```
# /etc/unbound/unbound.conf (these lines go under the existing server: clause)
include: "unbound.user"
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
#interface: ::0
#access-control: ::0/0 allow
#auto-trust-anchor-file: "/etc/unbound/root.key"
#username: ""
```
The meat of the configuration is placed in a separate file, unbound.user, so as not to change the default config file too much. Create unbound.user and put this into it:
```
server:
    # don't forget to set file permissions: unbound drops to this user,
    # so its files must be readable by it
    username: nobody
    do-ip6: no
    do-not-query-localhost: no

    private-domain: "lan."
    domain-insecure: "lan."
    private-domain: "wifi."
    domain-insecure: "wifi."
    domain-insecure: "168.192.in-addr.arpa."
    local-zone: "168.192.in-addr.arpa" nodefault

    # blacklist NXDOMAIN intercept: replace with the IP of your ISP's
    # redirection page, or comment the line out
    private-address: DNS.ad.page.ip

forward-zone:
    name: "lan."
    forward-addr: 127.0.0.1@5353

forward-zone:
    name: "wifi."
    forward-addr: 127.0.0.1@5353

forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5353
```
Reload dnsmasq, then enable and launch unbound:
```sh
/etc/init.d/dnsmasq reload
/etc/init.d/unbound enable
/etc/init.d/unbound start
```
Now we have a DNS server that does its own lookups, while still resolving the local names given out with DHCP. We have not enabled DNSSEC, as our goal was only to do our own lookups. If you encounter problems, set `verbosity: 3` in unbound.conf and keep an eye on /var/log/messages.
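Two mistakes with this setup show up in the configuration files themselves: a placeholder such as DNS.ad.page.ip left in an address option (unbound then refuses to start with `cannot parse ip address`), and the `interface: 0.0.0.0` plus `access-control: 0.0.0.0/0 allow` pair, which is an open resolver unless the firewall blocks WAN port 53. The following POSIX shell script is an added pre-flight check written for this article; it is not part of unbound or OpenWrt. It reads an unbound.conf or unbound.user file and reports both problems. The function names (`lint_unbound`, `is_ipv4`) and the sample configs are my own.

```shell
#!/bin/sh
# Added pre-flight lint for unbound.conf / unbound.user (not an unbound tool).
# It only catches the two mistakes discussed in the article; still run
# unbound-checkconf, if installed, for full syntax checking.
# IPv6 is not handled, since the article disables it with "do-ip6: no".

# is_ipv4 ADDR -> succeeds when ADDR is a dotted quad, optionally followed
# by @port (forward-addr) or /prefix (private-address)
is_ipv4() {
    printf '%s\n' "$1" | awk -F'[@/]' '
        {
            if (NF > 2) exit 1
            n = split($1, o, ".")
            if (n != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
            if (NF == 2) {
                if ($2 !~ /^[0-9]+$/) exit 1
                max = ($0 ~ /@/) ? 65535 : 32
                if ($2 + 0 > max) exit 1
            }
            exit 0
        }'
}

# lint_unbound FILE -> prints one line per finding, returns the finding count
lint_unbound() {
    file=$1
    findings=0
    listen_all=0
    allow_all=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments and surrounding whitespace
        line=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        key=${line%%:*}
        val=${line#*:}
        val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//')
        case "$key" in
            private-address|forward-addr)
                if ! is_ipv4 "$val"; then
                    echo "not an IPv4 address in '$key: $val' (placeholder left in?)"
                    findings=$((findings + 1))
                fi ;;
            interface)
                [ "$val" = "0.0.0.0" ] && listen_all=1 ;;
            access-control)
                case "$val" in 0.0.0.0/0*allow*) allow_all=1 ;; esac ;;
        esac
    done < "$file"
    if [ "$listen_all" = 1 ] && [ "$allow_all" = 1 ]; then
        echo "listens on all interfaces and allows every client: WAN port 53 must be blocked by the firewall"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh lint-unbound.sh /etc/unbound/unbound.conf /etc/unbound/unbound.user
# Exit status is the total number of findings (0 means clean).
if [ $# -gt 0 ]; then
    total=0
    for f in "$@"; do
        lint_unbound "$f" || total=$((total + $?))
    done
    exit "$total"
fi
```

Run it against both files before starting the service; a non-zero exit status means something to fix. The open-resolver finding is a reminder rather than an error: the configuration in the article is meant to be used that way, but only behind a firewall that rejects DNS on the WAN interface.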
Please help, I have an error:
daemon.err unbound: [3679:0] error: cannot parse ip address: ‘DNS.ad.page.ip’
You should replace “DNS.ad.page.ip” with the IP address of your ISP’s NXDOMAIN redirection page. This is the ad-filled page where they send you if you try to visit a non-existent domain. If you don’t know what it is, just comment that line out.
Love the guide, simple and to the point.
But how does it protect our privacy if unbound is still fetching that data without encryption?
And will unbound work here in China where censorship is through the roof?
Glad you liked it! Yes, encryption will likely be needed. Providers usually middle-man the DNS traffic even if it does not go through their servers. Look towards dnscrypt. I may do a post on it in the future. China? That’s a tough one. They do a heck of a lot more than mess with the DNS. From what I hear there are paid VPNs that manage to bypass it. From the free solutions, maybe shadow-socks, but not sure on current status.