Adguard Home with Unbound Recursive DNS Server

I was able to get my DNSSEC working with the following:

Please note, I added the plugin luci-app-unbound and set my port to 5353 and tested it.
It worked right out of the box.

I next enabled AdGuard Home to make it work with Unbound:
Settings/DNS Settings
-Upstream DNS servers: 127.0.0.1:5353
Note: port 5353 is the value I set in Unbound
-Cache Size: (made empty)
-Optimistic Caching (unchecked)
Settings/Encryption Settings
-Enable Encryption (HTTPS, DNS-over-HTTPS, and DNS-over-TLS): Unchecked

At this point Unbound was working but DNSSEC failed.

DNSSEC setup
#Verify by visiting DNSSEC Resolver Test ...FAILED!

Flint3/Network Settings/DNS
-DNS Rebinding Attack Protection: CHECKED
-Override DNS Settings of All Clients: NOT CHECKED
-Allow Custom DNS to Override VPN DNS: NOT CHECKED

Flint3/Luci/Network/DHCP and DNS
-DNSSEC: CHECKED
-DNSSEC check unsigned: CHECKED

#Restart DNSMASQ
/etc/init.d/dnsmasq restart
#Verify by visiting DNSSEC Resolver Test ...SUCCESS!

Hi

Thanks for sharing your configuration :blush:

Thank you for sharing!!! I have been struggling so much before finally finding this.

I did a few extra things on top of what you did.

  1. To give unbound a nice status dashboard in luci, I installed “unbound-control” and “unbound control setup”
  2. To make work easier, I added a terminal in luci, I installed “luci-app-ttyd”
  3. Reboot router
  4. Under services, go to Terminal, and login as root
  5. vi /etc/config/unbound, press i, scroll down and edit option unbound_control '0' to become option unbound_control '1'
  6. press Escape, then type :wq ENTER, and EXIT
  7. Back in luci, go to Recursive DNS
  8. under Basic, check "enable DNSSEC"
  9. under DHCP, set DHCP link to dnsmasq
  10. under Resources, set unbound control app to "local host no encryption"
  11. under Advanced, check "filter local host rebind"
  12. Limit dnsmasq function to only DHCP - under DHCP and DNS, Devices and Ports, change the DNS server port from 53 to 0

To force devices like smart TVs and iPhones to not bypass my AdGuard Home, I made a firewall rule in the terminal

vim /etc/config/firewall

config rule
	option dest 'wan'
	option dest_port '53 853 5353'
	option enabled '1'
	option family 'any'
	option name 'Block-Public-DNS'
	option proto 'tcpudp'
	option src 'lan'
	option target 'REJECT'
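As an added example (not from this thread or from GL.iNet), the script below audits that a rule like the one above actually made it into /etc/config/firewall with the fields that matter: enabled, src lan, dest wan, REJECT, both tcp and udp, and ports 53 (plain DNS) and 853 (DNS-over-TLS). The config text it parses is a constructed copy of the rule; on the router you feed it the real file. Because the rule matches forwarded lan-to-wan traffic, the router's own Unbound queries to the Internet are not affected by it; note also that a port list cannot stop DNS-over-HTTPS, which shares port 443 with ordinary web traffic.

```shell
#!/bin/sh
# Added example: audit the "Block-Public-DNS" UCI firewall rule.
# sample_firewall() is a constructed stand-in for /etc/config/firewall.

sample_firewall() {
cat <<'EOF'
config defaults
	option input 'ACCEPT'

config rule
	option dest 'wan'
	option dest_port '53 853 5353'
	option enabled '1'
	option family 'any'
	option name 'Block-Public-DNS'
	option proto 'tcpudp'
	option src 'lan'
	option target 'REJECT'
EOF
}

# rule_option <rule name> <option>   (UCI text on stdin)
# Prints the option's value from the "config rule" section whose
# "option name" matches; prints nothing if the rule or option is absent.
rule_option() {
	awk -v want="$1" -v opt="$2" -v q="'" '
	function flush(    k) {
		if (name == want && (opt in o)) print o[opt]
		for (k in o) delete o[k]
		name = ""
	}
	/^config /           { flush() }
	/^[ \t]*option [^ ]/ {
		k = $2; v = $0
		sub(/^[ \t]*option [^ ]+[ \t]*/, "", v)   # strip "option <key> "
		gsub("^" q "|" q "$", "", v)               # strip surrounding quotes
		o[k] = v
		if (k == "name") name = v
	}
	END { flush() }'
}

# audit_block_public_dns [rule name]   (UCI text on stdin)
# Returns 0 when the rule is enabled, rejects lan->wan on tcp+udp and covers
# ports 53 and 853; otherwise prints the first problem found and returns 1.
audit_block_public_dns() {
	cfg=$(cat)
	name=${1:-Block-Public-DNS}
	opt() { printf '%s\n' "$cfg" | rule_option "$name" "$1"; }
	[ "$(opt enabled)" = "1" ]     || { echo "$name: rule missing or disabled"; return 1; }
	[ "$(opt src)" = "lan" ]       || { echo "$name: src should be lan"; return 1; }
	[ "$(opt dest)" = "wan" ]      || { echo "$name: dest should be wan"; return 1; }
	[ "$(opt target)" = "REJECT" ] || { echo "$name: target should be REJECT"; return 1; }
	case "$(opt proto)" in
		tcpudp|"tcp udp"|"udp tcp") ;;
		*) echo "$name: proto should cover both tcp and udp"; return 1 ;;
	esac
	ports=" $(opt dest_port) "
	for p in 53 853; do
		case "$ports" in
			*" $p "*) ;;
			*) echo "$name: port $p is not blocked"; return 1 ;;
		esac
	done
	echo "$name: ok (blocked ports:$ports)"
}

# On the router: AUDIT_LIVE=1 sh audit.sh   (reads the real firewall config)
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
	audit_block_public_dns < /etc/config/firewall
else
	sample_firewall | audit_block_public_dns
fi
```

Run it after `/etc/init.d/firewall reload`; a disabled rule or a port list that lost 853 is reported with the reason, so the check can go into a quick post-upgrade sanity script.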

I tried for hours to set up odhcpd instead of dnsmasq, but no matter what I did, it always resulted in bricking the router and me having to do a full reset. So far, this new config seems to be working.


Ahhh... correction. After disabling the dnsmasq DNS function by changing the listening port, I lost DNS resolving ability completely (no internet).

When I changed the listening port back to 53, I regained DNS resolving ability (and internet).

A quick check with "dig example.com @127.0.0.1" returned "no servers located".
A quick check with "dig example.com" returned an IP address and indicated the server as [my router ip address]#53.

Running an IP leak test, it shows my external IP address as the DNS server.

At this point, I'm stumped. Anybody have any idea what's going on here?

Hi

Could you clarify:

  1. What is the listening port for unbound?
  2. And is AdGuard Home running on GL.iNet router?

Unbound listening port is set to #5353
Yes, AdGuard Home is running on the Flint 2 router.
The AdGuard Home Upstream DNS Server is set to: 127.0.0.1:5353

If “AdGuard Home Handle Client Requests” is not enabled, it is expected that LAN clients cannot resolve domain names after disabling the DNS function of dnsmasq.

The DNS forwarding path in your scenario is:

  1. LAN clients send DNS queries to 192.168.8.1:53
  2. dnsmasq on the Flint 2 listens on port 53 and forwards requests to AdGuard Home on port 3053
  3. AdGuard Home then forwards the requests to its configured upstream DNS server (in this case, Unbound on port 5353)

If you intend to disable the DNS functionality of dnsmasq, you can consider enabling “AdGuard Home Handle Client Requests”, allowing firewall rules to redirect DNS traffic directly to AdGuard Home (and onward to Unbound).
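The three-hop path above (dnsmasq on 192.168.8.1:53, AdGuard Home on 127.0.0.1:3053, Unbound on 127.0.0.1:5353, port values as stated in this thread) and the "DNSSEC Resolver Test" verification in the first post can both be checked from the router's own shell with dig. The following is an added example, not code from the thread or from GL.iNet: it queries each hop with the DO bit set and reports the response status, which server answered, and whether the AD (authenticated data) flag is present. AD on a hop means that hop, or something upstream of it that it passes the flag through from, validated the DNSSEC chain; a validating resolver answers SERVFAIL for a name whose signatures fail, which is what the web-based DNSSEC test sites rely on. The dig outputs embedded below are constructed so the parsing can be exercised offline; live queries run only when RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example: verify the dnsmasq -> AdGuard Home -> Unbound chain and DNSSEC
# validation hop by hop. Sample dig outputs are constructed for offline use.

# dig_status: print the status word from the HEADER line (NOERROR, SERVFAIL, ...)
dig_status() { sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }

# dig_server: print "ip#port" of the server that answered
dig_server() { sed -n 's/^;; SERVER: \([^ (]*\).*/\1/p' | head -n 1; }

# dig_has_ad: succeed when the AD flag is set on the response
dig_has_ad() {
	flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
	case " $flags " in *" ad "*) return 0 ;; *) return 1 ;; esac
}

# evaluate_hop <label> <dig output>: one-line verdict; returns 0 only for NOERROR + AD
evaluate_hop() {
	label=$1 out=$2
	st=$(printf '%s\n' "$out" | dig_status)
	srv=$(printf '%s\n' "$out" | dig_server)
	if printf '%s\n' "$out" | dig_has_ad; then ad=yes; else ad=no; fi
	echo "$label: status=${st:-none} server=${srv:-none} validated(ad)=$ad"
	[ "$st" = NOERROR ] && [ "$ad" = yes ]
}

# check_hop <label> <ip> <port> <name>: live query of one hop (needs dig installed)
check_hop() {
	out=$(dig @"$2" -p "$3" "$4" +dnssec +time=3 +tries=1 2>&1)
	evaluate_hop "$1" "$out"
}

# Constructed sample: Unbound answering with a validated (AD) response.
sample_validated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.		300	IN	A	192.0.2.10
example.com.		300	IN	RRSIG	A 13 2 300 20990101000000 20000101000000 12345 example.com. constructed-signature==

;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)
EOF
}

# Constructed sample: a hop that answers but does not carry the AD flag.
sample_unvalidated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.		300	IN	A	192.0.2.10

;; SERVER: 192.168.8.1#53(192.168.8.1) (UDP)
EOF
}

# Constructed sample: what a validating resolver returns for a name with bad signatures.
sample_servfail() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)
EOF
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
	# Run on the router itself; the hop that drops the AD flag is where validation stops.
	check_hop unbound     127.0.0.1   5353 example.com
	check_hop adguardhome 127.0.0.1   3053 example.com
	check_hop dnsmasq     192.168.8.1 53   example.com
else
	evaluate_hop unbound-sample "$(sample_validated)"
	evaluate_hop dnsmasq-sample "$(sample_unvalidated)"
	evaluate_hop bogus-sample   "$(sample_servfail)"
fi
```

If Unbound shows AD but a later hop does not, that hop is either re-resolving on its own or stripping the flag, so clients behind it only get validation if that hop validates itself (which is what the dnsmasq DNSSEC options in the first post turn on).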

This is normal behavior.

This is because Unbound is acting as a recursive DNS server and is therefore the one communicating with the authoritative DNS server of the IP leak test.