Over the past few years, I have been exploring various options for doing local DNSSEC validation. Validating locally is necessary in order to avoid DNS answers being forged on the path from the ISP resolvers (or from open validating resolvers) to the local network.
While validating on servers and laptops is a solved problem, doing so on mobile devices such as phones and tablets is still an open question. For these use cases, having a validating resolver running directly on the router is convenient: every device on the local network benefits from validation without any per-device setup. As it turns out, it's a pretty simple two-step process to achieve this with OpenWrt.
Disabling Dnsmasq DNS component
Dnsmasq is used within OpenWrt as both DHCP and DNS server, but we only want to use its DHCP component and let Unbound perform DNS resolution.
To do so, after logging into LuCI, go to: Network => DHCP and DNS => Advanced Settings.
Set the DNS server port to 0 (which turns off the DNS component while leaving DHCP running), as shown in the following screenshot:
Installing and configuring Unbound
Install it using opkg:
opkg install unbound
The bundled init script supports the following commands:
We start Unbound and enable autostart at boot time:
/etc/init.d/unbound start
/etc/init.d/unbound enable
We also need to fetch (or update) the root trust anchor manually:
opkg install unbound-anchor
unbound-anchor -a "/etc/unbound/root.key"
Configuring Unbound to validate answers:
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts). And enable:
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
auto-trust-anchor-file: "/etc/unbound/root.key"
We can easily verify that our local Unbound instance is answering queries:
dig version.bind CH txt +short
"unbound 1.4.17"
Finally, let's try to resolve a DNSSEC-signed domain:
As we can see, the AD (authenticated data) flag is set in the header, meaning Unbound validated the answer and it is secure.
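The steps above, gathered into one script as an added example that is not part of the original post. The setup functions reproduce the post's commands (the dnsmasq port change is done with uci instead of LuCI, which assumes the usual `dhcp.@dnsmasq[0].port` option of /etc/config/dhcp), and the last part scripts the "is the AD flag set?" check so it can be run regularly instead of eyeballed: a validating resolver returns NOERROR with `ad` for a signed zone, NOERROR without `ad` for an unsigned one, and SERVFAIL when validation fails. The dig headers embedded at the end are constructed samples so the classifier can be exercised without a network; the setup functions need an OpenWrt box and are only called explicitly.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenWrt/Unbound projects.

# Step 1 of the post, via uci instead of LuCI (assumes the standard
# dnsmasq section of /etc/config/dhcp): port 0 disables the DNS component.
disable_dnsmasq_dns() {
    uci set dhcp.@dnsmasq[0].port='0'
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# Step 2 of the post: install, fetch the root anchor, enable and start.
# unbound-anchor exits with 1 when it created/updated the anchor, so do
# not treat that as a failure; only codes above 1 are errors.
setup_unbound() {
    opkg install unbound unbound-anchor || return 1
    unbound-anchor -a "/etc/unbound/root.key"
    [ $? -le 1 ] || return 1
    # The post's config line must be present for validation to happen.
    grep -q '^auto-trust-anchor-file' /etc/unbound/unbound.conf || return 1
    /etc/init.d/unbound enable
    /etc/init.d/unbound start
}

# Read dig output on stdin and print one of:
#   SECURE   - NOERROR and the 'ad' flag (validated by the resolver)
#   INSECURE - NOERROR without 'ad' (unsigned zone, or resolver not validating)
#   BOGUS    - SERVFAIL (what a validating resolver returns on failed validation)
#   UNKNOWN  - anything else (NXDOMAIN, timeout, ...)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo SECURE ;;
                *)        echo INSECURE ;;
            esac ;;
        SERVFAIL) echo BOGUS ;;
        *)        echo UNKNOWN ;;
    esac
}

# Query the local Unbound on the router and classify the answer.
# Needs dig and network access, e.g.: check_domain example.com
check_domain() {
    dig @127.0.0.1 "$1" A +dnssec | classify_dig_output
}

# Constructed sample headers in dig's format, for offline checks.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Self-check on the constructed samples (no network needed).
printf '%s\n' "$SAMPLE_SECURE"   | classify_dig_output   # SECURE
printf '%s\n' "$SAMPLE_INSECURE" | classify_dig_output   # INSECURE
printf '%s\n' "$SAMPLE_BOGUS"    | classify_dig_output   # BOGUS
```

Note that BOGUS and "resolver down" both surface to clients as SERVFAIL, so when a domain suddenly classifies as BOGUS, check the Unbound log before blaming the zone: a stale root anchor or a clock that is far off will also make every signed answer fail validation.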