Simple Tomato DNSSEC (Unbound + Dnsmasq)

Discussion in 'Tomato Firmware' started by DimBulb, Mar 21, 2014.

  1. DimBulb

    DimBulb Reformed Router Member

    Best of both worlds (until Dnsmasq's DNSSEC support stabilizes, which is in progress).

    Summary: Dnsmasq will do its normal thing for the local network, passing anything it can't resolve to unbound on a local port, which does the heavy recursive DNSSEC lifting. (Since the recursive lookups take time, you will not get the benefits of a heavy-usage ISP DNS server and things may be slower to look up.)

    1) Install unbound via your normal mechanism (opkg etc).
    2) Edit unbound.conf. Key line to change is "port: 10053" (pick any port).
    3) In Tomato's Dnsmasq conf setup (Advanced --> DHCP/DNS), add this:

    #forward to unbound queries we don't understand and proxy the replies.
    server=127.0.0.1#10053
    proxy-dnssec
    #Ignore DHCP provided ISP DNS servers, defeats the purpose.
    no-resolv
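
A consistency check for the three dnsmasq lines and the unbound port from the steps above, as an added example that is not part of DimBulb's post: it flags a port mismatch, a missing proxy-dnssec or no-resolv, and any server= line that does not point at unbound. The two config file paths are assumptions supplied as arguments, and unbound's port is expected in the "port: N" form the post shows.

```shell
#!/bin/sh
# Added example (not from the post): lint the dnsmasq -> unbound chain.
# Both config paths are supplied by the caller; none is assumed here.

# Print unbound's "port:" value (last one wins), ignoring # comments.
unbound_port() {
    sed 's/#.*//' "$1" | awk '$1 == "port:" { p = $2 } END { if (p != "") print p }'
}

# Succeed if bare option $2 is on an uncommented line of its own in file $1.
has_option() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1"
}

# Usage: check_chain DNSMASQ_CONF UNBOUND_CONF
# Prints one line per problem; returns 0 only if the chain is consistent.
check_chain() {
    dm=$1; ub=$2; rc=0; found=0
    port=$(unbound_port "$ub")
    if [ -z "$port" ] || [ "$port" = 53 ]; then
        echo "unbound: set a non-53 port: (53 is the default and is dnsmasq's port)"
        return 1
    fi
    want="127.0.0.1#$port"
    # '#' is the port separator in server=, so it is not stripped as a comment.
    servers=$(sed -n 's/^[[:space:]]*server=//p' "$dm")
    for s in $servers; do
        if [ "$s" = "$want" ]; then
            found=1
        else
            echo "dnsmasq: server=$s is not unbound at $want"
            rc=1
        fi
    done
    [ "$found" = 1 ] || { echo "dnsmasq: missing server=$want"; rc=1; }
    # proxy-dnssec passes unbound's AD bit on to clients; no-resolv keeps
    # resolv.conf (ISP) servers out of the upstream list.
    for opt in proxy-dnssec no-resolv; do
        has_option "$dm" "$opt" || { echo "dnsmasq: missing $opt"; rc=1; }
    done
    return $rc
}
```
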
     
  2. leandroong

    leandroong Addicted to LI Member

    deleted
     
    Last edited: Sep 18, 2014