Say Bye to Provider’s DNS Servers – Be Your Own DNS Resolver

by kacang bawang

Have you ever wanted to NOT use your provider’s DNS services? Maybe they are engaged in censorship, or are modifying non-existent domains to point at pages full of advertisement? One popular solution is to use public DNS servers, such as Google’s. But ask yourself this – how much information are you giving up to a DNS server? Every time you visit a new web page, the DNS server will know about it. You can build a pretty nifty profile on a person using just that info. Well, how else would you do it? You’ve got to ask somebody for the IP address. Actually there is a better way – ask the source, and avoid the middlemen.

In this article I will show you how to set up your OpenWrt router to do its own DNS resolution. We will look up domains starting from the root DNS servers, without the use of third parties such as your provider, Google, or OpenDNS.

Our solution consists of replacing the default caching DNS server (dnsmasq) with a different one (unbound) that is capable of recursive resolution. Why unbound? Because there is a package for it in OpenWrt. Let’s install it.

OpenWrt, by default, comes with dnsmasq, which I have written about before. It is our DHCP and local DNS server (since only the DHCP server knows which names were given to which local IP). For that reason we do not want to remove it. Let’s move it to a different port, and prohibit it from forwarding queries to anyone else. Its services will be called upon by unbound, and if nothing is found – that is that.

“Option noresolv 1” is a custom option. We must parse it in:

Now, configure unbound itself. Note that this configuration accepts requests from all IPs, so we are counting on a good firewall to keep queries from the WAN side out.

The meat of the configuration is placed in a separate file – unbound.user, so as to not change the default config file too much. Create unbound.user and put this into it:
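As an added illustration (not the author’s unbound.user), here is what such a file can look like in unbound.conf syntax. It assumes dnsmasq has been moved to 127.0.0.1 port 5353, that it hands out names under the domain "lan", and that the LAN is 192.168.1.0/24; it also restricts queries to the LAN itself instead of relying on the firewall alone.

```conf
# Added example, not the article's own file. Assumed values: dnsmasq on
# 127.0.0.1:5353, local domain "lan", LAN subnet 192.168.1.0/24.
server:
    verbosity: 1
    interface: 0.0.0.0
    port: 53

    # Answer the router and the LAN; refuse everyone else even if the
    # firewall lets a packet through.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # No forward-zone: with nothing to forward to, unbound resolves
    # recursively from its built-in root hints.

    # Needed so the stub zones below may query dnsmasq on localhost.
    do-not-query-localhost: no

    # Let private (RFC 1918) answers through for the local domain and
    # its reverse zone, and skip DNSSEC for them (dnsmasq does not sign).
    private-domain: "lan"
    local-zone: "1.168.192.in-addr.arpa." nodefault
    domain-insecure: "lan"
    domain-insecure: "1.168.192.in-addr.arpa"

    # Small caches: a router has little RAM.
    msg-cache-size: 4m
    rrset-cache-size: 8m

    # Do not reveal the software or host to remote queriers.
    hide-identity: yes
    hide-version: yes

# Local names come from dnsmasq (the DHCP server) and nowhere else.
stub-zone:
    name: "lan"
    stub-addr: 127.0.0.1@5353

stub-zone:
    name: "1.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1@5353
```

Because dnsmasq is configured not to forward, a name that is not in its lease table simply returns NXDOMAIN rather than leaking to another resolver.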

Restart (or launch) the services.

Now we have a DNS server that will do its own lookups, while maintaining local names given out with DHCP. We have not enabled DNSSEC, as our goal was only to do our own lookups. If you encounter problems, set verbosity to 3 in unbound.conf and keep an eye on /var/log/messages.