Set up TO to use AdGuard and Unbound on Raspberry Pi as DNS Server

Hi there

I’m running a TO with Turris OS version 3.11.23. In addition, I disabled kresd at startup and run dnsmasq instead. The reason for dnsmasq is that I can add some custom domains for resolution in /etc/hosts.add.

Now I set up a Raspberry Pi 4B that has AdGuard Home installed, and it’s also set up to use the installed Unbound as a recursive DNS server.

Basically I want domain resolution by DHCP clients to go as follows:

(1) Check TO (especially the locally added domains in /etc/hosts.add).

(2) If TO doesn’t know about the domain and has no valid cached information, go to the Raspberry Pi (AdGuard Home with a few blocking lists for ads).

(3) If AdGuard Home doesn’t have an answer, it will then use its local Unbound (127.0.0.1:5335) which will then do recursive lookup.

The problem is that I can’t make the DHCP clients use the Raspberry Pi as DNS server.

Foris does not let me add a custom DNS server; it only lets me select one of a few from a dropdown.

In LuCI I went to the DHCP and DNS settings and added the Raspberry Pi on the DNS forwardings screen. That did not help.

I then read that I need to go to Network → Interface → LAN → DHCP Server → Advanced Settings and set it there:

That did not help either.

In every other no-name brand router I can easily set up which upstream DNS server to use. Why won’t it work in TO?

Also, funny thing: remember that I disabled kresd from startup?

Well, sshing into the TO box and running ps | grep 53 returns this:

root@turris:~# ps | grep 53
 2613 root     25396 S    {foris-controlle} /usr/bin/python3.6 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock ubus --path /var/run/ubus.sock
 2614 root     25396 S    {foris-controlle} /usr/bin/python3.6 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock ubus --path /var/run/ubus.sock
 2615 root     25396 S    {foris-controlle} /usr/bin/python3.6 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock ubus --path /var/run/ubus.sock
 2629 root     25396 S    {foris-controlle} /usr/bin/python3.6 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock ubus --path /var/run/ubus.sock
 2633 root     25396 S    {foris-controlle} /usr/bin/python3.6 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock ubus --path /var/run/ubus.sock
 2637 root     25300 S    {foris-controlle} /usr/bin/python3.6 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock ubus --path /var/run/ubus.sock
 2642 root     25396 S    {foris-controlle} /usr/bin/python3.6 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock ubus --path /var/run/ubus.sock
 5135 root     42484 S    /usr/bin/kresd -c /tmp/kresd.config -f 1 /tmp/kresd -a 0.0.0.0#53 -a ::#53
 5331 root         0 SW   [kworker/0:2]
 5931 root      1108 S    grep 53

How come kresd is running when I disabled it?
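An added example that is not from this thread or from Turris OS, answering the question the grep above was meant to answer. `ps | grep 53` matches any line containing the digits 53 (in the listing above that is the VSZ column, 25396 and 25300, and the grep command itself), so it cannot show what is actually bound to port 53; only the kresd line really refers to the port. The script below parses the listening sockets from `netstat -lnp` instead. It assumes BusyBox netstat with `-lnp` as shipped on Turris OS / OpenWrt and has to run as root for the program column to be filled; the netstat text in `SAMPLE_NETSTAT` is constructed, not captured from a real box.

```python
"""Added example, not code from the forum thread or from Turris OS: find the
program that is really bound to port 53 on the router.

`ps | grep 53` matches any line containing "53" (the VSZ column, a PID, the
grep itself), so it cannot tell which daemon serves DNS.  Parsing the
listening sockets from `netstat -lnp` can.  Assumption: BusyBox netstat
with -lnp, as on Turris OS / OpenWrt; run it as root or the program column
stays empty."""
from __future__ import annotations

import subprocess

# Constructed sample of `netstat -lnp` output (not captured from a real box).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      5135/kresd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/lighttpd
tcp        0      0 :::53                   :::*                    LISTEN      5135/kresd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           5135/kresd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2222/avahi-daemon
udp        0      0 0.0.0.0:67              0.0.0.0:*                           -
"""


def listeners_on_port(netstat_output: str, port: int = 53) -> list[tuple[str, str, str]]:
    """Return (proto, local_address, program) for each listening socket whose
    local port equals `port`.  Header lines and UNIX sockets are skipped."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        local = fields[3]
        # The port is whatever follows the last ':'; this also handles the
        # IPv6 forms ':::53' and '::1:53'.
        _host, _, lport = local.rpartition(":")
        if lport != str(port):
            continue
        # With -p the last column is 'PID/name' (or '-' when not permitted);
        # without it the last column is the state or foreign address.
        program = fields[-1] if "/" in fields[-1] or fields[-1] == "-" else "?"
        found.append((fields[0], local, program))
    return found


def live_port53_listeners() -> list[tuple[str, str, str]]:
    """Run netstat on this host (e.g. the router over ssh) and report port 53."""
    proc = subprocess.run(["netstat", "-lnp"], capture_output=True, text=True, check=False)
    return listeners_on_port(proc.stdout, 53)


if __name__ == "__main__":
    for proto, addr, prog in live_port53_listeners():
        print(f"{proto:5} {addr:25} {prog}")
```

On the sample the only port 53 listener is `5135/kresd` on TCP and UDP, IPv4 and IPv6, which is what the listing in the post shows once the noise is removed. Running the script on the router after the change to dnsmasq is the direct way to confirm which resolver is serving the LAN.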

There is /etc/init.d/kresd that you disabled, and also /etc/init.d/resolver, and resolver enables kresd by default unless you selected dnsmasq. Also in TOS 5.2.3 that I am running there is an option in Foris to enable custom DNS forwarding, and you could point that to your Pi and still have DHCP entries resolved by your custom /etc/hosts. You would only need to add one entry in /etc/config/resolver. It was somewhere on the Turris wiki. All with kresd on Omnia. If you prefer to use Unbound I cannot help.

EDIT:
I think it’s option hostname_config '/etc/hosts' in /etc/config/resolver but I am not sure in which section. Probably the main one, so “resolver”.


Yes, but I don’t expect it would control dnsmasq settings. Using dnsmasq for DNS generally isn’t supported in Turris OS, though some people do manage to use it that way.

The three layers of DNS servers seem a bit too much. In case you wanted to simplify it, I’d probably approach the layers like:

  1. adguard, i.e. configure DHCP to give that address to clients; I think your approach with luci and DHCP-Options is the best way and should work.
  2. Turris OS default resolver. And you can configure it with extra names (assuming it’s not possible in adguard directly) and choose what happens in further layers (forwarding or not, etc.)

Or replace this second layer with Unbound on Raspberry, which is basically your original plan without the first dnsmasq layer. (It’s not hard to add extra names in Unbound either.)

Why the order: in principle it’s not ideal to point validators (e.g. kresd or unbound) to a modified source of DNS (e.g. ad-blockers).

Some people might prefer using LXC on Turris instead of Raspberry; though I don’t know if there could be some issue with that in this particular case.

Well, also in turris on Libera I was advised to update to the latest TOS. I did so; however, it somehow wrecked wifi. Devices couldn’t get an IP anymore. Hence I did a factory reset, upgraded to the latest TOS and then started configuration.

The whole DNS setup is still a huge PITA in TOS. I mean, in LuCI you have the option:

kresd

Guess what happens if you set it up like this? Well, everybody would think that it would resolve the domain names contained in the /etc/hosts.add file, right? Well, that’s not the case. It took me a while to figure out why it’s not working. It’s been years since I set it up the last time and it was the same PITA back then.

As the previous poster wrote, you need to add it directly to the configuration of kresd in /etc/config/resolver.

So, question: why is that in LuCI if it doesn’t do anything remotely like what is described there? And I think 5 years is plenty of time to fix that.

And the same goes for the hostnames.

After TO failed to use that /etc/hosts.add file that was added through LuCI, I tried the hostnames again (years ago when I tried it, it also failed). I added the hostnames for LAN resolution there. I even rebooted TO and the DHCP clients. I expected the DHCP clients could now just ping the hostnames provided.

Well, again, it did not work.

With Tomato it’s easy. Just enable dnsmasq to use custom domain resolution, set the IP of the resolver you want to use, and it works. That’s all I require.

So, on the TO (with the kresd line added), I now have a bunch of hostnames (around 50) that I want to resolve locally, so each DHCP client resolves them on the LAN. For everything else, I want to query AdGuard Home that’s being run on the LAN on a Raspberry Pi.

How would I go about that?

(Most of the) DNS options in LuCI don’t work. Those pages are designed by upstream OpenWrt and for dnsmasq only.

That one should work. (It works for me.) I assume you missed that all hostnames (from DHCP and this list) on Turris OS get nested under a suffix. By default it’s .lan but you can select it in (re)Foris.

We call that “forwarding”. You can simply add a custom target in reForis. (I’m assuming you’re on Turris OS 5.x now.)

As I wrote in my previous post, this ordering of DNS servers isn’t ideal in case blocking happens but it should work (just “less efficiently” in some cases).
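An added example, not from this thread and not Turris OS code, for checking the setup the thread ends up with: the roughly 50 LAN names are supposed to be answered by the Turris under the DHCP suffix (".lan" unless changed in (re)Foris), and everything else is forwarded. The script reads a hosts-style list, qualifies each bare name with the suffix, sends a plain UDP DNS query for it to the router and compares the answer with the IP from the list, using only the Python standard library (the RFC 1035 wire format is built and parsed by hand). `ROUTER`, `SUFFIX` and the entries in `SAMPLE_HOSTS` are assumed/constructed values.

```python
"""Added example (not from the forum thread or Turris OS): verify that the
LAN names from a hosts-style list resolve at the router under the DHCP
suffix (".lan" by default on Turris OS).  Plain UDP DNS, RFC 1035 wire
format, stdlib only.  ROUTER, SUFFIX and SAMPLE_HOSTS are assumed values."""
from __future__ import annotations
import socket
import struct

ROUTER = "192.168.1.1"  # assumed Turris LAN address
SUFFIX = "lan"          # assumed DHCP domain chosen in (re)Foris

# Constructed sample in /etc/hosts format ("IP name [alias ...]"), not real data.
SAMPLE_HOSTS = """\
192.168.1.10  nas nas-old   # storage box
192.168.1.20  printer
192.168.1.30  pi adguard
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map every name/alias in hosts format to its IP; comments are ignored."""
    names: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            names[host.lower()] = ip
    return names


def with_suffix(name: str, suffix: str) -> str:
    """Qualify a bare hostname under the DHCP domain ('nas' -> 'nas.lan')."""
    suffix, name = suffix.strip("."), name.rstrip(".")
    return name if name.endswith("." + suffix) else f"{name}.{suffix}"


def build_query(name: str, qid: int) -> bytes:
    """Standard query, recursion desired, one question: <name> IN A."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a domain name, whether written out or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(resp: bytes, qid: int) -> tuple[int, list[str]]:
    """Return (rcode, [IPv4 addresses of A records in the answer section])."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("response id does not match the query")
    off = 12
    for _ in range(qd):                  # skip the echoed question(s)
        off = _skip_name(resp, off) + 4  # + QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs


def resolve(server: str, name: str, timeout: float = 2.0) -> tuple[int, list[str]]:
    """Send one A query to server:53 over UDP and parse the reply."""
    qid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, qid)


def check_lan_names(server: str, hosts_text: str, suffix: str) -> dict[str, str]:
    """Return {fqdn: problem} for each name the server does not answer with the
    listed IP; an empty dict means every LAN name resolves as expected."""
    problems: dict[str, str] = {}
    for name, ip in parse_hosts(hosts_text).items():
        fqdn = with_suffix(name, suffix)
        try:
            rcode, addrs = resolve(server, fqdn)
        except (OSError, ValueError) as exc:
            problems[fqdn] = f"no usable reply: {exc}"
            continue
        if rcode != 0:
            problems[fqdn] = f"rcode {rcode} (3 = NXDOMAIN, name unknown under suffix)"
        elif ip not in addrs:
            problems[fqdn] = f"answered {addrs}, expected {ip}"
    return problems


if __name__ == "__main__":
    for fqdn, why in check_lan_names(ROUTER, SAMPLE_HOSTS, SUFFIX).items():
        print(f"{fqdn}: {why}")
```

Run it from a DHCP client with the real hosts list pasted into `SAMPLE_HOSTS`. An empty result means every name resolves to the listed IP. NXDOMAIN for a name you added usually means the bare name was tried without the suffix or the resolver is not reading the hosts file; a different IP than expected means another layer (for example the forwarding target) answered first, which is exactly the ordering question raised above. The check is deliberately a plain, unvalidated UDP query so that it sees what an ordinary client sees.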