Building a DNS over TLS caching server with OpenWRT + Unbound

Posted at 2018-12-09

Introduction

  • DNS normally uses UDP.
  • UDP packets can be dropped, however.
  • When a name resolution request is dropped and no answer comes back from the DNS server, what the user sees is "the page is slow to open".
  • So why not resolve names over TCP instead of UDP? DNS over TLS runs over TCP (port 853) and, as a bonus, encrypts the queries between the router and the resolver, so nobody on the path to the ISP can read them.

OpenWRT used in this article

  • Model: TP-LINK Archer C7 v4
  • Firmware Version: OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)

Topology (before)

PC--->[udp:53@dnsmasq]OpenWRT--->[udp:53]DGW+DNS

  • In the old configuration, dnsmasq forwards to the resolver (udp port 53) handed out by the upstream (ISP) DHCP.

Topology (after)

PC--->[udp:53@dnsmasq]--->[udp:5453@unbound]OpenWRT---DGW--->[tcp+tls:853]1.1.1.1

  • In the new configuration, dnsmasq forwards DNS queries to unbound, and unbound queries Cloudflare over tcp+tls on port 853.

Configuration

The configuration can be done either from the CUI (shell) or from the OpenWRT web GUI.
The first half below configures it from the CUI; the second half shows how that configuration appears in the web GUI.

  • Install unbound
opkg update
opkg install unbound unbound-control luci-app-unbound
  • Set Cloudflare's DNS over TLS as the forwarder in the Unbound config. As written, this forward-zone encrypts the session but does not authenticate the far end: unbound only verifies the upstream certificate when tls-cert-bundle points at a CA bundle and each address carries an auth name (1.1.1.1@853#cloudflare-dns.com). Without both, anyone on the path who can terminate TLS on port 853 can still hand back forged answers. forward-ssl-upstream is the older spelling of forward-tls-upstream; both are accepted.
/etc/unbound/unbound_ext.conf
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  #forward-addr: 2606:4700:4700::1111@853
  #forward-addr: 2606:4700:4700::1001@853
  forward-ssl-upstream: yes
  • Change unbound's listening port from 53 to 5453 (/etc/config/unbound)
config unbound
        option rebind_protection '1'
        option unbound_control '1'
        option enabled '1'
        option manual_conf '0'
        option localservice '0'
        option validator '0'
        option dns64 '0'
        option rebind_localhost '0'
        option protocol 'default'
        option resource 'default'
        option recursion 'default'
        option extended_stats '0'
        option edns_size '4096'
        option ttl_min '512'
        option root_age '9'
        option trigger_interface 'lan'
        option dhcp_link 'none'
        option domain_type 'deny'
        option add_local_fqdn '0'
        option add_wan_fqdn '0'
        option add_extra_dns '0'
        option listen_port '5453' # '53' --> '5453'
        option extended_luci '1'
  • Send the DNS requests received on port 53 to ::1#5453 (/etc/config/dhcp). Note that resolvfile is still set, so dnsmasq also keeps the ISP resolvers from /tmp/resolv.conf.auto as upstreams and can send queries to them in plaintext; setting noresolv to 1 makes the unbound entry the only upstream.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        list server '::1#5453'   # added
  • Restart unbound and dnsmasq (and enable unbound at boot)
service unbound restart
service unbound enable
service dnsmasq restart
  • Confirm that unbound and dnsmasq are running
root@LEDE:~# ps w | grep unbound
17504 unbound   9124 S    /usr/sbin/unbound -d -c /var/lib/unbound/unbound.conf
30232 root      1200 R    grep unbound
root@LEDE:/# ps w | grep dnsmasq
 2788 dnsmasq   1332 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
30285 root      1200 S    grep dnsmasq
root@LEDE:~# netstat -anp | grep unbound
tcp        0      0 0.0.0.0:5453            0.0.0.0:*               LISTEN      17504/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      17504/unbound
tcp        0      0 :::5453                 :::*                    LISTEN      17504/unbound
tcp        0      0 ::1:8953                :::*                    LISTEN      17504/unbound
udp        0      0 0.0.0.0:5453            0.0.0.0:*                           17504/unbound
udp        0      0 :::5453                 :::*                                17504/unbound
unix  3      [ ]         STREAM     CONNECTED     147457 17504/unbound       
unix  3      [ ]         STREAM     CONNECTED     147456 17504/unbound       
unix  2      [ ]         DGRAM                    147451 17504/unbound       
root@LEDE:/# netstat -anp | grep dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2788/dnsmasq
tcp        0      0 192.168.32.253:53       0.0.0.0:*               LISTEN      2788/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      2788/dnsmasq
tcp        0      0 fe80::b24e:26ff:fe02:4813:53 :::*                    LISTEN      2788/dnsmasq
tcp        0      0 fd83:497f:e263::1:53    :::*                    LISTEN      2788/dnsmasq
tcp        0      0 fe80::b24e:26ff:fe02:4813:53 :::*                    LISTEN      2788/dnsmasq
tcp        0      0 fe80::b24e:26ff:fe02:4813:53 :::*                    LISTEN      2788/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2788/dnsmasq
udp        0      0 192.168.32.253:53       0.0.0.0:*                           2788/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2788/dnsmasq
udp        0      0 ::1:53                  :::*                                2788/dnsmasq
udp        0      0 fe80::b24e:26ff:fe02:4813:53 :::*                                2788/dnsmasq
udp        0      0 fd83:497f:e263::1:53    :::*                                2788/dnsmasq
udp        0      0 fe80::b24e:26ff:fe02:4813:53 :::*                                2788/dnsmasq
udp        0      0 fe80::b24e:26ff:fe02:4813:53 :::*                                2788/dnsmasq
unix  3      [ ]         STREAM     CONNECTED       7232 2788/dnsmasq        
unix  2      [ ]         DGRAM                      7229 2788/dnsmasq        
root@LEDE:/# logread | grep unbound
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info: server stats for thread 0: 1840 queries, 127 answers from cache, 1713 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info: server stats for thread 0: requestlist max 35 avg 2.91302 exceeded 0 jostled 0
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info: average recursion processing time 0.816272 sec
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info: histogram of recursion processing times
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info: [25%]=0.221933 median[50%]=0.417136 [75%]=0.819838
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info: lower(secs) upper(secs) recursions
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    0.000000    0.000001 6
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    0.004096    0.008192 1
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    0.008192    0.016384 11
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    0.016384    0.032768 10
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    0.032768    0.065536 12
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    0.065536    0.131072 138
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    0.131072    0.262144 361
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    0.262144    0.524288 537
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    0.524288    1.000000 336
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    1.000000    2.000000 187
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    2.000000    4.000000 68
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    4.000000    8.000000 18
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:    8.000000   16.000000 25
Sun Dec  9 09:33:49 2018 daemon.info unbound: [2540:0] info:   16.000000   32.000000 3
Sun Dec  9 09:33:49 2018 daemon.notice unbound: [17328:0] notice: init module 0: iterator
Sun Dec  9 09:33:49 2018 daemon.info unbound: [17328:0] info: start of service (unbound 1.8.1).
  • Confirm that name resolution works
root@LEDE:# nslookup openwrt.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
  • Services -> Recursive DNS
  • Tick Extended Tabs and Save & Apply
(screenshots: 1_lede1.PNG, 2_lede2.PNG)
  • Network -> DHCP and DNS
(screenshot: 3_lede.PNG)
  • System -> Startup
(screenshot: 4_lede.PNG)
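The CUI steps above, collected into one script, as an added example that is not code from the article or from the OpenWRT unbound package. It differs from the article's configuration in two places a practitioner would want: unbound verifies Cloudflare's certificate (tls-cert-bundle plus the @853#cloudflare-dns.com auth name), and dnsmasq is told (noresolv) to stop using the ISP resolvers from /tmp/resolv.conf.auto, so no query bypasses unbound. Assumed and not taken from the page: the ca-bundle package and its /etc/ssl/certs/ca-certificates.crt path, the unbound_srv.conf file being merged into the generated server: clause (as the package README describes), and the @port#name syntax being available in the unbound 1.8.1 this firmware ships.

```sh
#!/bin/sh
# Added example (not from the article): the CUI steps as one script, with two
# hardening changes the article's configuration does not include:
#  1. unbound verifies Cloudflare's certificate (tls-cert-bundle + "#cloudflare-dns.com"),
#     so a TLS endpoint on an on-path box cannot impersonate 1.1.1.1;
#  2. dnsmasq stops using the ISP resolvers from /tmp/resolv.conf.auto (noresolv),
#     so every query really goes through unbound and port 853.
# Assumptions: the ca-bundle package provides /etc/ssl/certs/ca-certificates.crt, and
# the OpenWRT unbound package merges /etc/unbound/unbound_srv.conf into its server:
# clause (per the package README); both are assumptions, not facts from the article.
set -e

UNBOUND_PORT=5453
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
SRV_CONF=/etc/unbound/unbound_srv.conf
EXT_CONF=/etc/unbound/unbound_ext.conf

# server: options the uci config cannot express: the CA bundle used to verify upstreams.
render_srv_conf() {
    cat <<EOF
# verify DNS-over-TLS upstreams against this CA bundle (from the ca-bundle package)
tls-cert-bundle: "$CA_BUNDLE"
EOF
}

# forward-zone with an auth name on every address; without the "#name" suffix unbound
# encrypts the session but accepts whatever certificate the far end presents.
render_ext_conf() {
    cat <<'EOF'
forward-zone:
  name: "."
  # the #name suffix is what unbound checks the certificate against
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-tls-upstream: yes
EOF
}

# uci changes: unbound on 5453, dnsmasq forwarding only to unbound.
apply_uci() {
    uci set 'unbound.@unbound[0].enabled=1'
    uci set "unbound.@unbound[0].listen_port=$UNBOUND_PORT"
    uci set 'dhcp.@dnsmasq[0].noresolv=1'                # ignore /tmp/resolv.conf.auto
    uci -q delete 'dhcp.@dnsmasq[0].server' || true      # drop any previous upstream list
    uci add_list "dhcp.@dnsmasq[0].server=::1#$UNBOUND_PORT"
    uci add_list "dhcp.@dnsmasq[0].server=127.0.0.1#$UNBOUND_PORT"
    uci commit unbound
    uci commit dhcp
}

install_dot_forwarding() {
    opkg update
    opkg install unbound unbound-control luci-app-unbound ca-bundle
    # unbound refuses to start if tls-cert-bundle points at a missing file
    [ -r "$CA_BUNDLE" ] || { echo "CA bundle $CA_BUNDLE missing" >&2; return 1; }
    render_srv_conf > "$SRV_CONF"
    render_ext_conf > "$EXT_CONF"
    apply_uci
    /etc/init.d/unbound enable
    /etc/init.d/unbound restart
    /etc/init.d/dnsmasq restart
    # quick end-to-end check through dnsmasq -> unbound -> port 853
    nslookup openwrt.org 127.0.0.1
}

# run as: sh dot-setup.sh install   (does nothing when run without the argument)
if [ "${1:-}" = install ]; then
    install_dot_forwarding
fi
```

After running it, `logread | grep unbound` should show the usual "start of service" line; if it instead shows a crash loop, the first thing to check is that the CA bundle path exists and is readable by the unbound user.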

Verification

opkg install tcpdump
root@LEDE:~# tcpdump -n -i lo port 53 or port 5453
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
12:33:09.658017 IP6 ::1.30627 > ::1.5453: UDP, length 36
12:33:09.662440 IP6 ::1.58585 > ::1.5453: UDP, length 46
12:33:09.662860 IP6 ::1.43285 > ::1.5453: UDP, length 38
12:33:09.663259 IP6 ::1.29077 > ::1.5453: UDP, length 33
12:33:09.883091 IP6 ::1.5453 > ::1.30627: UDP, length 52
12:33:09.887197 IP6 ::1.5453 > ::1.58585: UDP, length 62
12:33:09.889635 IP6 ::1.5453 > ::1.43285: UDP, length 54
12:33:09.905030 IP6 ::1.5453 > ::1.29077: UDP, length 49
root@LEDE:~# tcpdump -n host 1.1.1.1 or host 1.0.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:33:56.320512 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [S.], seq 1248523186, ack 257751725, win 29200, options [mss 1414,nop,nop,sackOK,nop,wscale 10], length 0
12:33:56.321113 IP 1.0.0.1.853 > 192.168.32.253.37058: Flags [S.], seq 2895618164, ack 4230885144, win 29200, options [mss 1414,nop,nop,sackOK,nop,wscale 10], length 0
12:33:56.321442 IP 1.0.0.1.853 > 192.168.32.253.37056: Flags [S.], seq 3932341765, ack 1392067511, win 29200, options [mss 1414,nop,nop,sackOK,nop,wscale 10], length 0
12:33:56.341400 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [.], ack 272, win 30, length 0
12:33:56.342238 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [.], seq 1:1415, ack 272, win 30, length 1414
12:33:56.342392 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [P.], seq 1415:2238, ack 272, win 30, length 823
12:33:56.342521 IP 1.0.0.1.853 > 192.168.32.253.37058: Flags [.], ack 272, win 30, length 0
12:33:56.342593 IP 1.0.0.1.853 > 192.168.32.253.37056: Flags [.], ack 272, win 30, length 0
12:33:56.342790 IP 1.0.0.1.853 > 192.168.32.253.37058: Flags [.], seq 1:1415, ack 272, win 30, length 1414
12:33:56.342907 IP 1.0.0.1.853 > 192.168.32.253.37058: Flags [P.], seq 1415:2237, ack 272, win 30, length 822
12:33:56.343008 IP 1.0.0.1.853 > 192.168.32.253.37056: Flags [.], seq 1:1415, ack 272, win 30, length 1414
12:33:56.406025 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [P.], seq 2238:2662, ack 398, win 30, length 424
12:33:56.443698 IP 1.0.0.1.853 > 192.168.32.253.37056: Flags [P.], seq 2236:2660, ack 398, win 30, length 424
12:33:56.486064 IP 1.0.0.1.853 > 192.168.32.253.37058: Flags [P.], seq 2237:2661, ack 398, win 30, length 424
12:33:56.505523 IP 1.0.0.1.853 > 192.168.32.253.37058: Flags [P.], seq 2661:3160, ack 472, win 30, length 499
12:33:56.524271 IP 1.0.0.1.853 > 192.168.32.253.37060: Flags [S.], seq 4140691539, ack 3482710292, win 29200, options [mss 1414,nop,nop,sackOK,nop,wscale 10], length 0
12:33:56.525077 IP 1.0.0.1.853 > 192.168.32.253.37058: Flags [F.], seq 3160, ack 503, win 30, length 0
12:33:56.525243 IP 1.0.0.1.853 > 192.168.32.253.37058: Flags [.], ack 504, win 30, length 0
12:33:56.527395 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [.], ack 468, win 30, length 0
12:33:56.527698 IP 1.0.0.1.853 > 192.168.32.253.37056: Flags [.], ack 473, win 30, length 0
12:33:56.545116 IP 1.0.0.1.853 > 192.168.32.253.37060: Flags [.], ack 272, win 30, length 0
12:33:56.545587 IP 1.0.0.1.853 > 192.168.32.253.37060: Flags [.], seq 1:1415, ack 272, win 30, length 1414
12:33:56.545762 IP 1.0.0.1.853 > 192.168.32.253.37060: Flags [P.], seq 1415:2237, ack 272, win 30, length 822
12:33:56.607521 IP 1.0.0.1.853 > 192.168.32.253.37060: Flags [P.], seq 2237:2661, ack 398, win 30, length 424
12:33:56.628128 IP 1.0.0.1.853 > 192.168.32.253.37060: Flags [P.], seq 2661:3160, ack 468, win 30, length 499
12:33:56.649061 IP 1.0.0.1.853 > 192.168.32.253.37060: Flags [F.], seq 3160, ack 500, win 30, length 0
12:33:56.751853 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [P.], seq 2662:3161, ack 468, win 30, length 499
12:33:56.770763 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [.], ack 499, win 30, length 0
12:33:56.771415 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [F.], seq 3161, ack 499, win 30, length 0
12:33:56.771632 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [.], ack 500, win 30, length 0
12:33:57.058494 IP 1.0.0.1.853 > 192.168.32.253.37056: Flags [P.], seq 2660:3159, ack 473, win 30, length 499
12:33:57.078964 IP 1.0.0.1.853 > 192.168.32.253.37062: Flags [S.], seq 3019741958, ack 2871487956, win 29200, options [mss 1414,nop,nop,sackOK,nop,wscale 10], length 0
12:33:57.079168 IP 1.0.0.1.853 > 192.168.32.253.37056: Flags [.], ack 504, win 30, length 0
12:33:57.079241 IP 1.0.0.1.853 > 192.168.32.253.37056: Flags [F.], seq 3159, ack 504, win 30, length 0
12:33:57.079549 IP 1.0.0.1.853 > 192.168.32.253.37056: Flags [.], ack 505, win 30, length 0
12:33:57.098817 IP 1.0.0.1.853 > 192.168.32.253.37062: Flags [.], ack 272, win 30, length 0
12:33:57.099310 IP 1.0.0.1.853 > 192.168.32.253.37062: Flags [.], seq 1:1415, ack 272, win 30, length 1414
12:33:57.099869 IP 1.0.0.1.853 > 192.168.32.253.37062: Flags [P.], seq 1415:2236, ack 272, win 30, length 821
12:33:57.159535 IP 1.0.0.1.853 > 192.168.32.253.37062: Flags [P.], seq 2236:2660, ack 398, win 30, length 424
12:33:57.178574 IP 1.0.0.1.853 > 192.168.32.253.37062: Flags [P.], seq 2660:3159, ack 476, win 30, length 499
12:33:57.197648 IP 1.0.0.1.853 > 192.168.32.253.37062: Flags [F.], seq 3159, ack 507, win 30, length 0
12:33:57.198438 IP 1.0.0.1.853 > 192.168.32.253.37062: Flags [.], ack 508, win 30, length 0
  • Network -> Diagnostics
(screenshot: 5_lede.PNG)
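Two checks that the captures above do not make on their own, as an added example (not from the article): a leak test over tcpdump output that fails if any port-53 packet appears on the upstream interface (which would mean a query bypassed unbound, for example dnsmasq still using the ISP resolvers from /tmp/resolv.conf.auto), and an openssl check that the certificate on 1.1.1.1:853 validates against the CA bundle. Assumptions: eth0 is the upstream interface (the one the article captured on), openssl-util is installed, and the bundle path is the one the ca-bundle package provides. The sample tcpdump lines embedded in the script are constructed, not a real capture.

```sh
#!/bin/sh
# Added example (not from the article): (a) a "no plaintext DNS leaves the router" test
# over tcpdump output, (b) a certificate check for 1.1.1.1:853 against the CA bundle.
# Assumptions: upstream interface eth0, openssl-util installed, ca-bundle path below.
set -e

CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Read "tcpdump -n" lines on stdin; succeed only if no packet has port 53 on either side.
# Matches "<ip>.53 > " and "> <ip>.53:" without matching ".853" (DNS over TLS) or ".5453".
check_no_plain_dns() {
    leaks=$(grep -E ' [^ ]+\.(53|domain) > | > [^ ]+\.(53|domain): ' || true)
    if [ -n "$leaks" ]; then
        printf 'plaintext DNS seen on upstream interface:\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

# Capture port-53 traffic on the upstream interface for a while (browse from a LAN
# client meanwhile) and run the check over the capture.
capture_wan_dns() {
    wan_if="${1:-eth0}"; secs="${2:-30}"; pcap=/tmp/wan-dns53.pcap
    tcpdump -n -i "$wan_if" -w "$pcap" 'udp port 53 or tcp port 53' 2>/dev/null &
    pid=$!
    sleep "$secs"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    tcpdump -n -r "$pcap" 2>/dev/null | check_no_plain_dns
}

# Does the certificate on 1.1.1.1:853 chain to the bundle and carry cloudflare-dns.com?
# This is the check unbound performs once tls-cert-bundle and "#cloudflare-dns.com" are
# configured; with neither, unbound accepts whatever certificate the far end presents.
verify_upstream_cert() {
    openssl s_client -connect 1.1.1.1:853 -servername cloudflare-dns.com \
        -CAfile "$CA_BUNDLE" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample lines (not a real capture): a DoT packet and a loopback packet to
# unbound, which must pass, and a plaintext query to an outside resolver, which must not.
SAMPLE_OK='12:33:56.320512 IP 1.0.0.1.853 > 192.168.32.253.37054: Flags [S.], seq 1, ack 2, win 29200, length 0
12:33:09.658017 IP6 ::1.30627 > ::1.5453: UDP, length 36'
SAMPLE_LEAK='12:34:01.000000 IP 192.168.32.253.41234 > 192.0.2.10.53: 12345+ A? example.com. (29)'

# Exercise the parser on the samples; returns 0 when both cases behave as expected.
self_test() {
    if ! printf '%s\n' "$SAMPLE_OK" | check_no_plain_dns; then
        return 1
    fi
    if printf '%s\n%s\n' "$SAMPLE_OK" "$SAMPLE_LEAK" | check_no_plain_dns 2>/dev/null; then
        return 1
    fi
    return 0
}

# run as: sh dot-check.sh run [wan_if]   (does nothing when run without the argument)
if [ "${1:-}" = run ]; then
    self_test && echo "parser self-test OK"
    verify_upstream_cert && echo "1.1.1.1:853 certificate OK"
    capture_wan_dns "${2:-eth0}" 30 && echo "no plaintext DNS on ${2:-eth0}"
fi
```

The leak test is the one worth keeping around: it catches the dnsmasq resolvfile fallback, a client with a hard-coded resolver, and any future config change that quietly reintroduces plaintext port 53.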

Result

http://test-ipv6.jp now seems to show its results faster (or so it feels).

Other notes

  • Take a backup of the config before and after making changes.
  • If unbound fails to start after restoring from a backup, with errors like the following (most likely because the restored /etc/passwd and /etc/group predate the package install, so the unbound user the package created is gone):
root@LEDE:/# logread | grep unbound
Sat Dec  8 19:07:09 2018 daemon.info procd: Instance unbound::unbound s in a crash loop 6 crashes, 0 seconds since last crash
Sat Dec  8 19:08:54 2018 daemon.err uhttpd[1076]: chown: unknown user/group unbound:unbound
Sat Dec  8 19:08:55 2018 daemon.err uhttpd[1076]: chown: unknown user/group unbound:unbound

Reinstalling with the force option recreates the user and fixes it.

opkg install unbound --force-reinstall
  • The chain here is pc --> dnsmasq --> unbound --> dns. The ideal would be pc --> unbound --> dns, with unbound on port 53 and DHCP integrated as described in the package README linked below, but DHCP stopped working when I tried it, so this is as far as it went.

References

https://blog.cloudflare.com/dns-over-tls-for-openwrt/
https://github.com/openwrt/packages/tree/master/net/unbound/files#how-to-integrate-with-dhcp
