OpenWRT + Unbound + adblock
I decided to do some work on my Linksys WRT32X running OpenWRT to make it a little more useful.
Unbound is a DNS resolver which I like because it’s recursive, meaning it directly queries the root servers instead of relying on existing DNS servers run by Google, Cloudflare, your ISP, or the like. I already have it running on several of my servers and computers, but I figured it would be great if everything on my network can use Unbound and be, well, unbound from all of those intermediary DNS servers.
Luckily, OpenWRT already has Unbound packaged, and also has a useful LuCI app that goes with it (LuCI is the graphical web interface that comes with OpenWRT). All I had to do was install luci-app-unbound, which pulls in all of the necessary dependencies to run unbound.
After that finished installing, I refreshed LuCI/OpenWRT and went to “Services” on the top, and there it is!
At this point, you’ll have to get your hands dirty. You can either dig through some LuCI menus or SSH in and make some edits. For reference, I’m using the “Parallel dnsmasq” section from the README for unbound in the OpenWRT packages (which has a lot of other useful information as well!). Essentially, I made the edits to /etc/config/unbound and /etc/config/dhcp after SSH’ing in. However, you can make the same edits through LuCI.
For the /etc/config/unbound edits, you can make the edits to the file in LuCI directly at “Services -> Recursive DNS -> Files -> Edit: UCI”:
For the /etc/config/dhcp edits, you can make the edits by finding the same fields under “Network -> DHCP and DNS”:
However, the field names are different from the lines in the config, so they would need to be researched to determine which fields in LuCI map to which lines in /etc/config/dhcp.
At this point (or maybe after restarting unbound and dnsmasq, which is a lot easier using SSH and /etc/init.d ... restart as well), OpenWRT should now be using unbound for resolving all DNS lookups, while dnsmasq is only used for DHCP-DNS.
Bonus: you can also enable a nice status dashboard in LuCI under “Services -> Recursive DNS -> Status”, but this requires installing several more software packages: unbound-control and unbound-control-setup. You will also need to change a line in /etc/config/unbound:
...
option unbound_control '0'
...
becomes
...
option unbound_control '1'
...
A word of warning: there is another section on “Unbound and odhcpd” which tries to cut out dnsmasq completely. However, when I tried to set this up, I got myself into a lot of trouble (had to reset OpenWRT, re-install any extra software packages, and restore configuration from backup). It is also possible that if you mess up the configuration for the “Parallel dnsmasq” method, you could end up in a similar error state and have to start over. Please be careful when doing this and don’t change anything you’re not supposed to.
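One way to catch a broken “Parallel dnsmasq” setup before restarting unbound and dnsmasq is to check that the two daemons are not configured for the same port. The script below is an added example, not taken from the OpenWRT README or from my router. It assumes the UCI option names listen_port and dhcp_link (unbound) and port (dnsmasq), assumes port 53 when an option is unset, and uses constructed sample configs written by the hypothetical helper make_sample.

```sh
#!/bin/sh
# Added example: sanity-check the "Parallel dnsmasq" layout before restarting.
# Assumed UCI option names: listen_port, dhcp_link (unbound), port (dnsmasq).
# Assumed default when an option is unset: port 53.

# Print OPTION from the first "config TYPE" section of FILE (simple values only).
uci_opt() {  # usage: uci_opt FILE TYPE OPTION
    awk -v type="$2" -v opt="$3" -v sq="'" '
        function unq(s) { gsub("[" sq "\"]", "", s); return s }
        $1 == "config" { in_sec = (unq($2) == type); next }
        in_sec && $1 == "option" && unq($2) == opt { print unq($3); exit }
    ' "$1"
}

# Return 0 if unbound owns port 53 and dnsmasq has been moved off it.
check_parallel_dnsmasq() {  # usage: check_parallel_dnsmasq UNBOUND_CFG DHCP_CFG
    ub_port=$(uci_opt "$1" unbound listen_port); ub_port=${ub_port:-53}
    dm_port=$(uci_opt "$2" dnsmasq port);        dm_port=${dm_port:-53}
    link=$(uci_opt "$1" unbound dhcp_link)
    rc=0
    if [ "$ub_port" = "$dm_port" ]; then
        echo "FAIL: unbound and dnsmasq are both configured for port $ub_port"; rc=1
    fi
    if [ "$ub_port" != 53 ]; then
        echo "FAIL: unbound listens on $ub_port, but LAN clients query port 53"; rc=1
    fi
    if [ "$link" != dnsmasq ]; then
        echo "FAIL: dhcp_link is '${link:-unset}', expected 'dnsmasq'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: unbound on 53, dnsmasq on $dm_port"
    return "$rc"
}

# Write constructed sample configs (not real router configs) into DIR.
make_sample() {  # usage: make_sample DIR DNSMASQ_PORT
    printf "config unbound 'ub_main'\n\toption dhcp_link 'dnsmasq'\n\toption listen_port '53'\n" > "$1/unbound"
    printf "config dnsmasq\n\toption port '%s'\n" "$2" > "$1/dhcp"
}

# On the router itself (after editing, before restarting):
#   check_parallel_dnsmasq /etc/config/unbound /etc/config/dhcp
```

If the check fails, fix the config files before restarting either service, since both daemons trying to bind the same port is one way to lose DNS for the whole network.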
Now, moving on to adblock, which should be much simpler to set up. First, install luci-app-adblock and refresh. Navigate to “Services -> Adblock”:
Check the settings at the bottom. The only thing you need to get going is to go to the “Blocklist Sources” tab and choose your blocklists.
The adblock readme has some more info on what each list is. After that, make sure “Enabled” is checked under the “General Settings” tab:
and click the “Refresh” button above:
Then you’re good to go; adblock should work out of the box with unbound; cheers!
ADDENDUM: Another word of warning: once you’ve set up adblock, it will download the blocklists, merge them into a single file at /var/lib/unbound/adb_list.overall, and try to restart unbound. I recommend not trying to view/interact with adblock or unbound during this restart, which can take anywhere from 30 seconds to 2 minutes. Just leave them alone in LuCI for a little bit…