blog/content/posts/openwrt_plus_unbound.md

---
title: "OpenWRT + Unbound + adblock"
tags: ["Linux"]
date: 2021-02-05T19:03:15-05:00
draft: false
---
I decided to do some work on my Linksys WRT32X running OpenWRT to make it a
little more useful.

[Unbound](https://nlnetlabs.nl/projects/unbound/about/) is a DNS
resolver which I like because it's recursive, meaning it directly queries the
root servers instead of relying on existing DNS servers run by Google,
Cloudflare, your ISP, or the like. I already have it running on several of my
servers and computers, but I figured it would be great if everything on my
network can use Unbound and be, well, *unbound* from all of those intermediary
DNS servers.

Luckily, OpenWRT already has Unbound packaged, and also has a useful LuCI app
that goes with it (LuCI is the graphical web interface that comes with OpenWRT).
All I had to do was install `luci-app-unbound`, which pulls in all of the
necessary dependencies to run unbound.

![LuCI: Software](/luci_software.png)

![LuCI: Install](/luci_install.png)

After that finished installing, I
refreshed LuCI/OpenWRT and went to "Services" on the top, and there it is!

![LuCI: Services -> Recursive DNS](/luci_services.png)

At this point, you'll have to get your hands dirty. You can either dig through
some LuCI menus or SSH in and make some edits. For reference, I'm using
["Parallel dnsmasq"](https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md#parallel-dnsmasq) section from the README for unbound in the OpenWRT packages (which
has a lot of other useful information as well!). Essentially, I made the edits
to `/etc/config/unbound` and `/etc/config/dhcp` after SSH'ing in. However, you
can make the same edits through LuCI.

For the `/etc/config/unbound` edits, you can make the edits to the file in
LuCI directly at "Services -> Recursive DNS -> Files -> Edit: UCI":

![LuCI: Edit /etc/config/unbound](/unbound_config.png)

For the `/etc/config/dhcp` edits, you can make the edits by finding the same
fields under "Network -> DHCP and DNS":

![LuCI: Edit DHCP and DNS Settings](/dhcp_config.png)

However, the field names are different from the lines in the config, so they
would need to be researched to determine which fields in LuCI map to which
lines in `/etc/config/dhcp`.

At this point (or maybe after restarting unbound and dnsmasq, which is a lot
easier using SSH and `/etc/init.d ... restart` as well), OpenWRT should now
be using unbound for resolving all DNS lookups, while dnsmasq is only used for
DHCP-DNS.

Bonus: you can also enable a nice status dashboard in LuCI under
"Services -> Recursive DNS -> Status", but this requires installing several more
software packages: `unbound-control` and `unbound-control-setup`. You will also
need to change a line in `/etc/config/unbound`:

```
...
option unbound_control '0'
...
```
becomes
```
...
option unbound_control '1'
...
```

A word of warning: there is another section on "Unbound and odhcpd" which
tries to cut out dnsmasq completely. However, when I tried to set this up,
I got myself into a lot of trouble (had to reset OpenWRT, re-install any extra
software packages, and restore configuration from backup). It is also possible that if you mess up
the configuration for the "Parallel dnsmasq" method, you could end up in a
similar error state and have to start over. Please be careful when doing this
and don't change anything you're not supposed to.

Now, moving on to adblock, which should be **much** simpler to setup. First,
install `luci-app-adblock` and refresh. Navigate to "Services -> Adblock":

![Services -> Adblock](/adblock.png)

Check the settings at the bottom. The only thing you need to get going is
to go to the "Blocklist Sources" tab and choose your blocklists.

![Adblock: Blacklist sources](/adblock_blocklist.png)

The
[adblock readme](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md)
has some more info on what each list is. After that,
make sure "Enabled" is checked under the "General Settings" tab:

![Adblock: enable](/adblock_enable.png)

and click the "Refresh" button above:

![Adblock: refresh](/adblock_refresh.png)

Then you're good to go; adblock should work out of the box with unbound; cheers!

ADDENDUM: Another word of warning: once you've setup adblock, it will download
the blocklists, merge them into a single file at `/var/lib/unbound/adb_list.overall`,
and try to restart unbound. I recommend not trying to view/interact with adblock
or unbound during this restart, which can take anywhere from 30 seconds - 2 minutes.
Just leave them alone in LuCI for a little bit...
init 2021-01-29 00:00:00 -05:00			`---`
			`title: "OpenWRT + Unbound + adblock"`
			`tags: ["Linux"]`
			`date: 2021-02-05T19:03:15-05:00`
			`draft: false`
			`---`
			`I decided to do some work on my Linksys WRT32X running OpenWRT to make it a`
			`little more useful.`

			`[Unbound](https://nlnetlabs.nl/projects/unbound/about/) is a DNS`
			`resolver which I like because it's recursive, meaning it directly queries the`
			`root servers instead of relying on existing DNS servers run by Google,`
			`Cloudflare, your ISP, or the like. I already have it running on several of my`
			`servers and computers, but I figured it would be great if everything on my`
			`network can use Unbound and be, well, unbound from all of those intermediary`
			`DNS servers.`

			`Luckily, OpenWRT already has Unbound packaged, and also has a useful LuCI app`
			`that goes with it (LuCI is the graphical web interface that comes with OpenWRT).`
			All I had to do was install `luci-app-unbound`, which pulls in all of the
			`necessary dependencies to run unbound.`

			`![LuCI: Software](/luci_software.png)`

			`![LuCI: Install](/luci_install.png)`

			`After that finished installing, I`
			`refreshed LuCI/OpenWRT and went to "Services" on the top, and there it is!`

			`![LuCI: Services -> Recursive DNS](/luci_services.png)`

			`At this point, you'll have to get your hands dirty. You can either dig through`
			`some LuCI menus or SSH in and make some edits. For reference, I'm using`
			`["Parallel dnsmasq"](https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md#parallel-dnsmasq) section from the README for unbound in the OpenWRT packages (which`
			`has a lot of other useful information as well!). Essentially, I made the edits`
			to `/etc/config/unbound` and `/etc/config/dhcp` after SSH'ing in. However, you
			`can make the same edits through LuCI.`

			For the `/etc/config/unbound` edits, you can make the edits to the file in
			`LuCI directly at "Services -> Recursive DNS -> Files -> Edit: UCI":`

			`![LuCI: Edit /etc/config/unbound](/unbound_config.png)`

			For the `/etc/config/dhcp` edits, you can make the edits by finding the same
			`fields under "Network -> DHCP and DNS":`

			`![LuCI: Edit DHCP and DNS Settings](/dhcp_config.png)`

			`However, the field names are different from the lines in the config, so they`
			`would need to be researched to determine which fields in LuCI map to which`
			lines in `/etc/config/dhcp`.

			`At this point (or maybe after restarting unbound and dnsmasq, which is a lot`
			easier using SSH and `/etc/init.d ... restart` as well), OpenWRT should now
			`be using unbound for resolving all DNS lookups, while dnsmasq is only used for`
			`DHCP-DNS.`

			`Bonus: you can also enable a nice status dashboard in LuCI under`
			`"Services -> Recursive DNS -> Status", but this requires installing several more`
			software packages: `unbound-control` and `unbound-control-setup`. You will also
			need to change a line in `/etc/config/unbound`:

			```
			`...`
			`option unbound_control '0'`
			`...`
			```
			`becomes`
			```
			`...`
			`option unbound_control '1'`
			`...`
			```

			`A word of warning: there is another section on "Unbound and odhcpd" which`
			`tries to cut out dnsmasq completely. However, when I tried to set this up,`
			`I got myself into a lot of trouble (had to reset OpenWRT, re-install any extra`
			`software packages, and restore configuration from backup). It is also possible that if you mess up`
			`the configuration for the "Parallel dnsmasq" method, you could end up in a`
			`similar error state and have to start over. Please be careful when doing this`
			`and don't change anything you're not supposed to.`

			`Now, moving on to adblock, which should be much simpler to setup. First,`
			install `luci-app-adblock` and refresh. Navigate to "Services -> Adblock":

			`![Services -> Adblock](/adblock.png)`

			`Check the settings at the bottom. The only thing you need to get going is`
			`to go to the "Blocklist Sources" tab and choose your blocklists.`

			`![Adblock: Blacklist sources](/adblock_blocklist.png)`

			`The`
			`[adblock readme](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md)`
			`has some more info on what each list is. After that,`
			`make sure "Enabled" is checked under the "General Settings" tab:`

			`![Adblock: enable](/adblock_enable.png)`

			`and click the "Refresh" button above:`

			`![Adblock: refresh](/adblock_refresh.png)`

			`Then you're good to go; adblock should work out of the box with unbound; cheers!`

			`ADDENDUM: Another word of warning: once you've setup adblock, it will download`
			the blocklists, merge them into a single file at `/var/lib/unbound/adb_list.overall`,
			`and try to restart unbound. I recommend not trying to view/interact with adblock`
			`or unbound during this restart, which can take anywhere from 30 seconds - 2 minutes.`
			`Just leave them alone in LuCI for a little bit...`