OpenWRT and Unbound - using DoT protocol


The purpose of this article is to add unbound so that the router's DNS queries leave over the DoT (DNS over TLS) protocol, while slightly modifying the default dnsmasq configuration.

The goals are to:

  • encrypt DNS traffic to improve privacy.
  • prevent DNS leaks and hijacking of your DNS traffic.
  • bypass regional or ISP restrictions.

A. Installation Process

Install the required packages: unbound unbound-control luci-app-unbound

# opkg update
# opkg install unbound unbound-control luci-app-unbound


It may be useful to install other unbound packages, such as:

  • unbound-checkconf: checks that the configuration file is valid.
  • unbound-control-setup: creates the keys and certificates needed by the unbound-control tool.
  • unbound-host: for testing resolution.

B. Configuration Process

dnsmasq

Edit the dnsmasq configuration file /etc/config/dhcp and make sure its dnsmasq section contains the following two options:

option noresolv '1'
list server '127.0.0.1#531'


Unbound

Edit the /var/lib/unbound/unbound.conf file:

server:
(…)
    port: 531
    do-ip4: yes
    do-ip6: yes
    do-tcp: yes
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    prefetch: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
(…)


About the chosen port number, here 531: we deliberately did not use 5353, which is usually reserved for the mDNS service. You can of course change it, as long as the dnsmasq "list server" entry is changed to match, but keep it among the privileged port numbers, that is below 1024. Also add or modify the access-control entries so that only loopback clients are authorized:

access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::1 allow


Then add the IPv4/IPv6 ranges of your LAN or Wi-Fi in the same way, and after that modify the forward-zone section:

forward-zone:
    name: "."
    forward-tls-upstream: yes


Then add the addresses of all the upstream servers to be reached over DoT; both IPv4 and IPv6 work:

    forward-addr: 9.9.9.9@853               # Quad9
    forward-addr: 1.1.1.1@853               # Cloudflare
    forward-addr: 149.112.112.112@853       # Quad9 secondary
    forward-addr: 1.0.0.1@853               # Cloudflare secondary
    forward-addr: 2620:fe::fe@853           # Quad9 / IPv6
    forward-addr: 2606:4700:4700::1111@853  # Cloudflare / IPv6
    forward-addr: 2606:4700:4700::1001@853  # Cloudflare secondary / IPv6


    # FDN DoT
    ## https://www.fdn.fr/ouverture-des-services-dot-doh/
    forward-addr: 80.67.169.12@853
    forward-addr: 80.67.169.40@853
    forward-addr: 2001:910:800::12@853
    forward-addr: 2001:910:800::40@853
    # see: https://dnsprivacy.org/public_resolvers/
    # adguard.com: family protection
    ## https://adguard.com/en/blog/adguard-dns-announcement.html
    forward-addr: 94.140.14.15@853
    forward-addr: 94.140.15.16@853
    forward-addr: 2a10:50c0::bad1:ff@853
    forward-addr: 2a10:50c0::bad2:ff@853
    # applied-privacy.net
    forward-addr: 146.255.56.98@853
    forward-addr: 2a02:1b8:10:234::2@853
    # cleanbrowsing.org: family filter
    forward-addr: 185.228.168.168@853
    forward-addr: 185.228.169.168@853
    forward-addr: 2a0d:2a00:1::@853
    forward-addr: 2a0d:2a00:2::@853
    # controld.com
    ## https://controld.com/free-dns?
    forward-addr: 76.76.2.4@853
    forward-addr: 76.76.10.4@853
    forward-addr: 2606:1a40::4@853
    forward-addr: 2606:1a40:1::4@853
    # cz.nic
    forward-addr: 193.17.47.1@853
    forward-addr: 185.43.135.1@853
    forward-addr: 2001:148f:ffff::1@853
    forward-addr: 2001:148f:fffe::1@853
    # dnsforfamily.com
    forward-addr: 78.47.64.161@853
    forward-addr: 94.130.180.225@853
    forward-addr: 2a01:4f8:1c0c:40db::1@853
    forward-addr: 2a01:4f8:1c17:4df8::1@853
    # dot.sb
    forward-addr: 185.222.222.222@853
    forward-addr: 45.11.45.11@853
    forward-addr: 2a09::@853
    forward-addr: 2a11::@853
    # he.net
    forward-addr: 74.82.42.42@853
    forward-addr: 2001:470:20::2@853
    # libredns.gr
    forward-addr: 116.202.176.26@853
    forward-addr: 2a01:4f8:1c0c:8274::1@853
    # switch.ch
    forward-addr: 130.59.31.248@853
    forward-addr: 130.59.31.251@853
    forward-addr: 2001:620:0:ff::2@853
    forward-addr: 2001:620:0:ff::3@853
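
As an added example (not from the original article, and not part of the unbound or OpenWRT projects), here is a small POSIX shell audit script that checks an unbound.conf against the settings described in this section and cross-checks it with the dnsmasq "list server" entry: unbound listening on the port dnsmasq forwards to, access-control refusing everything but loopback, TLS forwarding enabled with a CA bundle, and every forward-addr carrying @853 so that no upstream silently falls back to plaintext port 53. The function names and the two sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): audit an unbound.conf for the DoT
# settings described above and cross-check it against dnsmasq's server entry.
# The function names and the sample configurations are constructed here.

# audit_unbound_conf CONF DNSMASQ_SERVER
#   CONF            path to an unbound.conf
#   DNSMASQ_SERVER  dnsmasq's "list server" value, e.g. 127.0.0.1#531
# Prints one line per finding; the return value is the number of findings.
audit_unbound_conf() {
    conf=$1; dnsmasq_server=$2; problems=0
    # Normalise to "key: value" lines: drop leading blanks, full-line comments,
    # trailing comments (a "#" after whitespace) and empty lines. A "#" glued to
    # an address, as in 1.1.1.1@853#cloudflare-dns.com, is a TLS auth name, not
    # a comment, so it is kept.
    cleaned=$(sed -e 's/^[[:space:]]*//' -e 's/^#.*$//' \
                  -e 's/[[:space:]]#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. unbound must listen on the port dnsmasq forwards to.
    want_port=${dnsmasq_server##*#}
    have_port=$(printf '%s\n' "$cleaned" | awk '$1=="port:" {print $2; exit}')
    if [ "$have_port" != "$want_port" ]; then
        echo "port mismatch: unbound listens on '$have_port', dnsmasq forwards to '$want_port'"
        problems=$((problems + 1))
    fi

    # 2. Default deny for IPv4 and IPv6, then explicit allow for loopback,
    #    which is where dnsmasq's queries come from.
    for rule in '0.0.0.0/0 refuse' '::0/0 refuse' '127.0.0.0/8 allow' '::1 allow'; do
        if ! printf '%s\n' "$cleaned" | grep -q "^access-control: $rule\$"; then
            echo "missing: access-control: $rule"
            problems=$((problems + 1))
        fi
    done

    # 3. Upstream traffic must use TLS, and a CA bundle must be set so the
    #    upstream certificate is actually verified.
    for needed in 'forward-tls-upstream: yes' 'tls-cert-bundle: '; do
        if ! printf '%s\n' "$cleaned" | grep -q "^$needed"; then
            echo "missing: $needed"
            problems=$((problems + 1))
        fi
    done

    # 4. Every forward-addr must carry @853 (optionally followed by #authname);
    #    a bare address would be queried in plaintext on port 53.
    plain=$(printf '%s\n' "$cleaned" |
            awk '$1=="forward-addr:" && $2 !~ /@853(#[^ ]*)?$/ {print $2}')
    for addr in $plain; do
        echo "plaintext upstream (no @853): $addr"
        problems=$((problems + 1))
    done
    return "$problems"
}

# Constructed sample matching the article's settings.
write_good_conf() {
    cat > "$1" <<'EOF'
server:
    port: 531
    do-tcp: yes
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853                     # Quad9
    forward-addr: 2620:fe::fe@853                 # Quad9 / IPv6
    forward-addr: 1.1.1.1@853#cloudflare-dns.com  # with TLS auth name
EOF
}

# Constructed sample with typical mistakes: default port, no default deny,
# TLS forwarding not enabled, one upstream without @853.
write_bad_conf() {
    cat > "$1" <<'EOF'
server:
    port: 53
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-addr: 1.1.1.1@853
EOF
}

# Demonstration: audit both samples against dnsmasq's "list server '127.0.0.1#531'".
tmp=$(mktemp -d)
write_good_conf "$tmp/good.conf"; write_bad_conf "$tmp/bad.conf"
echo "== good.conf"; audit_unbound_conf "$tmp/good.conf" '127.0.0.1#531' && echo "no findings"
echo "== bad.conf";  audit_unbound_conf "$tmp/bad.conf"  '127.0.0.1#531' || echo "$? finding(s)"
rm -rf "$tmp"
```

On the router, run it as audit_unbound_conf /var/lib/unbound/unbound.conf "$(uci get dhcp.@dnsmasq[0].server)" before restarting unbound; a non-zero return value means at least one of the settings above is missing or inconsistent with dnsmasq.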


C. Run a Check

If you installed the unbound-checkconf tool, now is the time to run it to verify that the changes made to the configuration file are correct. If all goes well, the tool returns this informational message:

# unbound-checkconf
unbound-checkconf: no errors in /var/lib/unbound/unbound.conf


If there is an error, it reports it. If you installed the unbound-host tool, you can test that resolution works and is DNSSEC-validated (-f points to the root trust anchor, -v prints the security status), for example:

# unbound-host -vf /var/lib/unbound/root.key com.
com. has no address (secure)
com. has no IPv6 address (secure)
com. has no mail handler record (secure)


A brief note on controlling unbound at runtime with unbound-control. First the control keys and certificates must be generated:

# unbound-control-setup
setup in directory /var/lib/unbound/
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus
...............................................................................................................++
............................................................++
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus
........................................................................++
..................++
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use


Then edit the unbound configuration file and uncomment or adjust the remote-control section, for example as below. Keep control-interface restricted to the loopback addresses: with control-use-cert set to no, the key and certificate files listed are not used and the control channel is not authenticated.

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: ::1
    control-port: 8953
    control-use-cert: no
    server-key-file: "/var/lib/unbound/unbound_server.key"
    server-cert-file: "/var/lib/unbound/unbound_server.pem"
    control-key-file: "/var/lib/unbound/unbound_control.key"
    control-cert-file: "/var/lib/unbound/unbound_control.pem"


After restarting the service, all that remains is to test with unbound-control, as in this example:

# unbound-control -s ::1 status
version: 1.17.0
verbosity: 1
threads: 4
modules: 2 [ validator iterator ]
uptime: 3482 seconds
options: reuseport control
unbound (pid 32307) is running...


In the same way, the value of any option can be read with the get_option command followed by the option name (for example: unbound-control -s ::1 get_option qname-minimisation), and the cache can be dumped for later analysis with the dump_cache command, redirecting the output to a file.
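
As an added example (not from the original article), here is a small POSIX shell script that summarises a cache dump written with unbound-control dump_cache, so the cached names can be reviewed for anything unexpected. The helper names are my own, and the sample dump is constructed to mimic the dump layout (RRset records between START_RRSET_CACHE and END_RRSET_CACHE); it is not real output from the article's router.

```shell
#!/bin/sh
# Added example (not from the article): summarise a cache dump written with
#   unbound-control -s ::1 dump_cache > /tmp/unbound-cache.txt
# The sample dump below is constructed to mimic the dump format; it is not
# real output from the article's router.

# rrset_lines FILE: RRset records between START_RRSET_CACHE and
# END_RRSET_CACHE, without the ";rrset ..." metadata lines.
rrset_lines() {
    awk '/^START_RRSET_CACHE/ { in_rr = 1; next }
         /^END_RRSET_CACHE/   { in_rr = 0 }
         in_rr && $0 !~ /^;/  { print }' "$1"
}

# count_rrsets FILE TYPE: number of cached RRsets of TYPE (A, AAAA, MX, ...).
# Record layout is "owner TTL class TYPE rdata", so the type is field 4.
count_rrsets() {
    rrset_lines "$1" | awk -v t="$2" '$4 == t { n++ } END { print n + 0 }'
}

# cached_names FILE: unique owner names, sorted bytewise, one per line.
cached_names() {
    rrset_lines "$1" | awk '{ print $1 }' | LC_ALL=C sort -u
}

# unexpected_names FILE REGEX: cached names that do NOT match REGEX (an awk
# extended regular expression describing the domains you expect to see).
unexpected_names() {
    cached_names "$1" | awk -v re="$2" '$0 !~ re'
}

# write_sample_dump FILE: constructed dump in the dump_cache layout. The
# heredoc delimiter is not "EOF" because the dump itself ends with that word.
write_sample_dump() {
    cat > "$1" <<'DUMP'
START_RRSET_CACHE
;rrset 3582 1 0 3 3
www.example.com. 3582 IN A 93.184.216.34
;rrset 3582 1 0 3 3
www.example.com. 3582 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
;rrset 299 1 0 3 3
example.net. 299 IN A 203.0.113.7
END_RRSET_CACHE
START_MSG_CACHE
msg www.example.com. IN A 32896 1 3582 0 1
www.example.com. IN A 0
END_MSG_CACHE
EOF
DUMP
}

# Demonstration on the constructed sample.
f=$(mktemp)
write_sample_dump "$f"
echo "A records cached:    $(count_rrsets "$f" A)"
echo "AAAA records cached: $(count_rrsets "$f" AAAA)"
echo "names cached:"; cached_names "$f"
echo "names outside example.com:"; unexpected_names "$f" 'example[.]com[.]$'
rm -f "$f"
```

Pointing the functions at a real dump file (for example /tmp/unbound-cache.txt written by the command above) gives a quick inventory of what the resolver has answered recently; unexpected_names with a pattern covering your usual domains is a simple way to spot names that nothing on the network should be resolving.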

BSD Blockchain
https://unixwinbsd.site