@nomaster
Last active October 5, 2023 07:35
EdgeRouter: DNS forwarding to CloudFlare with DNSSEC
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 1.0.0.1
set service dns forwarding name-server '2606:4700:4700::1111'
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec-check-unsigned
set service dns forwarding options dnssec-timestamp=/config/dnsmasq/dnsmasq.time
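
A lint check for the DNSSEC options above, added here as an example and not part of the original gist: it parses each dnsmasq `trust-anchor` value (`[<class>,]<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>`) and flags malformed digests or a `dnssec` option left without a root anchor. The function names and the truncated sample are assumptions made for illustration.

```python
import re

PREFIX = "set service dns forwarding options "
# Digest length in bytes per DS digest type: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_BYTES = {1: 20, 2: 32, 4: 48}

def parse_trust_anchor(value):
    """Parse '[<class>,]<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>'."""
    fields = value.split(",")
    if len(fields) == 6:          # optional leading class such as IN
        fields = fields[1:]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    domain, digest = fields[0], fields[4]
    tag, alg, dtype = (int(f) for f in fields[1:4])   # ValueError if not numeric
    if not 0 <= tag <= 65535 or not 0 <= alg <= 255:
        raise ValueError("key tag or algorithm out of range")
    if dtype not in DIGEST_BYTES:
        raise ValueError(f"unknown digest type {dtype}")
    if not re.fullmatch(r"[0-9A-Fa-f]+", digest) or len(digest) != 2 * DIGEST_BYTES[dtype]:
        raise ValueError(f"digest for key tag {tag} is not {DIGEST_BYTES[dtype]} hex-encoded bytes")
    return {"domain": domain, "key_tag": tag, "algorithm": alg, "digest_type": dtype}

def lint(config_text):
    """Return (parsed anchors, findings) for the DNSSEC options in an EdgeOS config."""
    opts = [line.strip()[len(PREFIX):].strip("'") for line in config_text.splitlines()
            if line.strip().startswith(PREFIX)]
    anchors, findings = [], []
    for opt in opts:
        if opt.startswith("trust-anchor="):
            try:
                anchors.append(parse_trust_anchor(opt.split("=", 1)[1]))
            except ValueError as err:
                findings.append(f"bad trust-anchor: {err}")
    if "dnssec" in opts and not any(a["domain"] == "." for a in anchors):
        findings.append("dnssec is set but no valid root trust anchor is configured")
    if anchors and "dnssec" not in opts:
        findings.append("trust anchors are configured but the dnssec option is not set")
    return anchors, findings

# The DNSSEC lines from the gist above.
GIST = """\
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
"""
# Constructed sample: the second digest cut short, as a bad copy-paste would leave it.
TRUNCATED = GIST.replace("C7F8EC8D", "")

if __name__ == "__main__":
    for name, cfg in (("gist", GIST), ("truncated", TRUNCATED)):
        print(name, lint(cfg))
```
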

RobbieTT commented Feb 3, 2022

@nomaster Thank you - my final configuration running successfully on my ER-4:

set system name-server 127.0.0.1
set system ntp server 10.0.1.50 prefer # Stratum 1 PPS LAN-side NTP server
set system ntp server 17.253.34.251
set system ntp server 17.253.34.253
set system ntp server 45.66.39.122
set system ntp server 139.143.5.30
set system ntp server 139.143.5.31
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 default-router 10.0.1.1
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 dns-server 10.0.1.1
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 ntp-server 10.0.1.50
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq enable
set service dns forwarding cache-size 8000
set service dns forwarding listen-on eth3
set service dns forwarding listen-on eth3.1003
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding name-server 9.9.9.9
set service dns forwarding name-server '2620:fe::9'
set service dns forwarding options all-servers
set service dns forwarding options bogus-priv
set service dns forwarding options domain-needed
set service dns forwarding options dhcp-authoritative
set service dns forwarding options 'dhcp-range=::,ra-stateless,ra-names'
set service dns forwarding options expand-hosts
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec-check-unsigned
