set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 1.0.0.1
set service dns forwarding name-server '2606:4700:4700::1111'
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec-check-unsigned
set service dns forwarding options dnssec-timestamp=/config/dnsmasq/dnsmasq.time
nomaster commented Apr 6, 2018
FYI: Works also perfectly on a Unifi Secure Gateway without further modification.
It works well on EdgeRouter ERLite 3, perfect, my surfing has become so quick. Thanks. Does it use DoH? It would be great.
I noted an issue when rebooting, with the /var directory being cleared. The solution is to move the timestamp file into /config and create a directory there for dnsmasq to write to:
sudo mkdir /config/dnsmasq
sudo chown dnsmasq:nogroup /config/dnsmasq
This is regular DNS over UDP, not DNS over HTTP. The underlying service, dnsmasq, lacks support for it.
I was checking syntax and stumbled on this excellent and clear script. The only question I have is regarding the time check on routers that have no HW clock (in my case ER-4).
To overcome the lack of NTP name resolution immediately post-boot, some recommend the use of:
set service dns forwarding options dnssec-no-timecheck
I have been somewhat confused by this apparent issue as there would be no name resolution required for NTP if a real external IP address was used or the ER-4 NTP was pointed at a LAN-side NTP server IP address.
As your script ignores it, I presume dnssec-no-timecheck is not required for the NTP scenarios given above, but thought it wise to check?
I recommend adding at least one NTP server by IP address, so it can be reached before secure name resolution is established. dnssec-no-timecheck should not be needed then.
@nomaster Thank you - my final configuration running successfully on my ER-4:
set system name-server 127.0.0.1
set system ntp server 10.0.1.50 prefer # Stratum 1 PPS LAN-side NTP server
set system ntp server 17.253.34.251
set system ntp server 17.253.34.253
set system ntp server 45.66.39.122
set system ntp server 139.143.5.30
set system ntp server 139.143.5.31
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 default-router 10.0.1.1
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 dns-server 10.0.1.1
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 ntp-server 10.0.1.50
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq enable
set service dns forwarding cache-size 8000
set service dns forwarding listen-on eth3
set service dns forwarding listen-on eth3.1003
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding name-server 9.9.9.9
set service dns forwarding name-server '2620:fe::9'
set service dns forwarding options all-servers
set service dns forwarding options bogus-priv
set service dns forwarding options domain-needed
set service dns forwarding options dhcp-authoritative
set service dns forwarding options 'dhcp-range=::,ra-stateless,ra-names'
set service dns forwarding options expand-hosts
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec-check-unsigned
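As an added example (not part of the gist or of the thread), a small Python lint that checks an exported EdgeOS configuration for the points raised in the comments: well-formed trust-anchor values, dnssec-no-timecheck versus an NTP server given by IP address, and a dnssec-timestamp path outside /config that would be lost when /var is cleared. The sample input is constructed from the configuration in the thread; the note that root key tag 19036 (KSK-2010) was revoked in January 2019 comes from the root KSK rollover, not from this page.

```python
import ipaddress
import re
# Constructed sample: the ER-4 config from the thread, trimmed to the lines this lint
# inspects, with the timestamp file deliberately placed under /var for the demo.
SAMPLE_CONFIG = """
set system ntp server 10.0.1.50 prefer
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec-timestamp=/var/lib/misc/dnsmasq.time
"""
OPT_PREFIX = "set service dns forwarding options "
DIGEST_HEX_LEN = {"1": 40, "2": 64}   # DS digest type -> hex digits (SHA-1, SHA-256)
REVOKED_ROOT_KEY_TAGS = {"19036"}    # root KSK-2010, revoked in January 2019 (not from the page)

def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_dnssec_config(config: str) -> list[str]:
    """Return findings for an EdgeOS dnsmasq DNSSEC config; an empty list means clean."""
    findings, opts, ntp_by_ip = [], [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(OPT_PREFIX):
            opts.append(line[len(OPT_PREFIX):].strip("'\""))
        m = re.match(r"set system ntp server (\S+)", line)
        ntp_by_ip = ntp_by_ip or (m is not None and _is_ip_literal(m.group(1)))
    anchors = [o.split("=", 1)[1] for o in opts if o.startswith("trust-anchor=")]
    if "dnssec" not in opts or not anchors:
        findings.append("dnssec option or trust-anchor missing: answers are not validated")
    for anchor in anchors:  # format: zone,keytag,algorithm,digesttype,digest
        p = anchor.split(",")
        digest_ok = len(p) == 5 and re.fullmatch(r"[0-9A-Fa-f]{%d}" % DIGEST_HEX_LEN.get(p[3], 0), p[4])
        if not (digest_ok and p[1].isdigit()):
            findings.append(f"malformed trust-anchor: {anchor}")
        elif p[0] == "." and p[1] in REVOKED_ROOT_KEY_TAGS:
            findings.append(f"root key tag {p[1]} is revoked; 20326 alone is sufficient")
    if "dnssec-no-timecheck" in opts:
        findings.append("dnssec-no-timecheck set: expired or not-yet-valid signatures accepted")
    elif not ntp_by_ip:
        findings.append("no NTP server by IP address: clock may not sync before validation works")
    for o in opts:
        if o.startswith("dnssec-timestamp=") and not o.split("=", 1)[1].startswith("/config/"):
            findings.append("dnssec-timestamp outside /config: lost when /var is cleared at reboot")
    return findings
```

Run it over `$(show configuration commands)` output saved to a file to get the same findings for a live router.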