Skip to content

Instantly share code, notes, and snippets.

@nomaster
Last active October 5, 2023 07:35
Show Gist options
  • Save nomaster/777b7a88209ca7ae02de3edaae8c534c to your computer and use it in GitHub Desktop.
Save nomaster/777b7a88209ca7ae02de3edaae8c534c to your computer and use it in GitHub Desktop.
EdgeRouter: DNS forwarding to CloudFlare with DNSSEC
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 1.0.0.1
set service dns forwarding name-server '2606:4700:4700::1111'
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec-check-unsigned
set service dns forwarding options dnssec-timestamp=/config/dnsmasq/dnsmasq.time
@nomaster
Copy link
Author

nomaster commented Apr 6, 2018

nomaster@office:~$ show dns forwarding statistics
----------------
Cache statistics
----------------
Cache size: 10000
Queries forwarded: 324
Queries answered locally: 80
Total DNS entries inserted into cache: 1117
DNS entries removed from cache before expiry: 0

---------------------
Nameserver statistics
---------------------
Server: 2606:4700:4700::1001
Queries sent: 399
Queries retried or failed: 0

Server: 2606:4700:4700::1111
Queries sent: 63
Queries retried or failed: 0

Server: 1.0.0.1
Queries sent: 29
Queries retried or failed: 0

Server: 1.1.1.1
Queries sent: 135
Queries retried or failed: 0

@xenji
Copy link

xenji commented Apr 6, 2018

FYI: Works also perfectly on a Unifi Secure Gateway without further modification.

@itcrowd0
Copy link

It works well on Edgerouter ERLite 3, perfect, my surfing has became to quick. Thanks. Does it use the DoH? It would be great.

@nomaster
Copy link
Author

nomaster commented Oct 5, 2019

I noted an issue when rebooting and the /var directory being cleared. Solution is to move the timestamp file into /config and create a directory for dnsmasq to write there:

sudo mkdir /config/dnsmasq
sudo chown dnsmasq:nogroup /config/dnsmasq

@nomaster
Copy link
Author

nomaster commented Oct 5, 2019

It works well on Edgerouter ERLite 3, perfect, my surfing has became to quick. Thanks. Does it use the DoH? It would be great.

This is regular DNS over UDP, not DNS over HTTP. For that, the underlying service dnsmasq lacks to support it.

@RobbieTT
Copy link

I was checking syntax and stumbled on this excellent and clear script. The only question I have is regarding the time check on routers that have no HW clock (in my case ER-4).

To overcome the lack of NTP name resolution immediately post-boot, some recommend the use of:

set service dns forwarding options dnssec-no-timecheck

I have been somewhat confused by this apparent issue as there would be no name resolution required for NTP if a real external IP address was used or the ER-4 NTP was pointed at a LAN-side NTP server IP address.

As your script ignores it I presume the dnssec-no-timecheck is not required for the NTP scenarios given above but thought it wise to check?

@nomaster
Copy link
Author

nomaster commented Feb 2, 2022

I recommend adding at least one NTP server by IP address, so it can be reached before secure name resolution is established. dnssec-no-timecheck should not be needed then.

@RobbieTT
Copy link

RobbieTT commented Feb 3, 2022

@nomaster Thank you - my final configuration running successfully on my ER-4:

set system name-server 127.0.0.1
set system ntp server 10.0.1.50 prefer # Stratum 1 PPS LAN-side NTP server
set system ntp server 17.253.34.251
set system ntp server 17.253.34.253
set system ntp server 45.66.39.122
set system ntp server 139.143.5.30
set system ntp server 139.143.5.31
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 default-router 10.0.1.1
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 dns-server 10.0.1.1
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 ntp-server 10.0.1.50
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq enable
set service dns forwarding cache-size 8000
set service dns forwarding listen-on eth3
set service dns forwarding listen-on eth3.1003
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding name-server 9.9.9.9
set service dns forwarding name-server '2620:fe::9'
set service dns forwarding options all-servers
set service dns forwarding options bogus-priv
set service dns forwarding options domain-needed
set service dns forwarding options dhcp-authoritative
set service dns forwarding options 'dhcp-range=::,ra-stateless,ra-names'
set service dns forwarding options expand-hosts
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec-check-unsigned

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment