DNSSEC on OpenWrt 18.06, 19.07, and 21.01

DNSSEC ensures that the results of DNS queries (for DNSSEC-enabled domains) are authentic. For example, integralblue.com uses DNSSEC, so if an attacker (using a man-in-the-middle or spoofing attack) changes the IP address that www.integralblue.com resolves to, a DNS resolver supporting DNSSEC will be able to tell and will return an error instead of the forged answer.

DNSSEC provides authentication and integrity; it does not provide confidentiality. For confidentiality (so your ISP, for example, cannot tell what DNS queries are being made), you can easily add DNS over TLS, which I’ve described how to set up on OpenWrt in another post.

By setting up DNSSEC on your OpenWrt router, you protect your entire network as all clients will perform DNS requests using your OpenWrt router’s DNS server which in turn will do DNSSEC checking for all queries.

Setting up DNSSEC on OpenWrt 18.06 and 19.07 is remarkably easy. You can use the LuCI web interface to perform these steps or run shell commands over ssh; I’m providing the commands here.

  1. Refresh the package list: opkg update
  2. Swap dnsmasq for dnsmasq-full (-full includes DNSSEC support) and remove odhcpd-ipv6only: opkg install dnsmasq-full --download-only && opkg remove dnsmasq odhcpd-ipv6only && opkg install dnsmasq-full --cache . && rm *.ipk
  3. Edit /etc/config/dhcp
    In the config dnsmasq section, add (or change the values of, if these settings already exist) these settings:

    • option dnssec '1'
    • option dnsseccheckunsigned '1'
  4. Restart dnsmasq so the changes take effect: /etc/init.d/dnsmasq restart
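As an added example (not code from the original post), here is a small Python check for step 3 meant to be run on a copy of the router’s /etc/config/dhcp: it parses the UCI syntax, reports whether both DNSSEC options are present in the config dnsmasq section and set to '1', and rewrites the file idempotently, adding or changing the options as the step describes. The sample config embedded below is constructed.

```python
import re
# Constructed sample of /etc/config/dhcp (UCI syntax): dnssec off, dnsseccheckunsigned absent.
SAMPLE_DHCP = """config dnsmasq
\toption domainneeded '1'
\toption dnssec '0'

config dhcp 'lan'
\toption interface 'lan'
"""
# The two settings step 3 of the post puts in the 'config dnsmasq' section.
REQUIRED = {"dnssec": "1", "dnsseccheckunsigned": "1"}
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'?([^'\s]*)'?\s*$")

def split_sections(text):
    """Yield (header, lines) per UCI section; anything before the first header gets header None."""
    header, lines = None, []
    for line in text.splitlines():
        if line.startswith("config "):
            yield header, lines
            header, lines = line, []
        else:
            lines.append(line)
    yield header, lines

def is_dnsmasq(header):
    return bool(header) and header.split()[1:2] == ["dnsmasq"]

def dnssec_options(text):
    """Values of the two DNSSEC options in the dnsmasq section; a missing option is simply absent."""
    return {m.group(1): m.group(2)
            for header, lines in split_sections(text) if is_dnsmasq(header)
            for m in filter(None, map(OPTION_RE.match, lines)) if m.group(1) in REQUIRED}

def _force_required(m):
    """re.sub callback: rewrite a DNSSEC option line to its required value, leave others alone."""
    name = m.group(1)
    return "\toption %s '%s'" % (name, REQUIRED[name]) if name in REQUIRED else m.group(0)

def ensure_dnssec(text):
    """Return the config with both options set to '1' in the dnsmasq section (idempotent)."""
    out = []
    for header, lines in split_sections(text):
        if header:
            out.append(header)
        if is_dnsmasq(header):
            present = {m.group(1) for m in filter(None, map(OPTION_RE.match, lines))}
            out.extend("\toption %s '%s'" % (k, v) for k, v in REQUIRED.items() if k not in present)
            lines = [OPTION_RE.sub(_force_required, line) for line in lines]
        out.extend(lines)
    return "\n".join(out) + "\n"
```

Other sections (such as config dhcp 'lan') and unrelated options pass through unchanged, so the output can be written back and then activated with the dnsmasq restart from step 4.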

Enjoy knowing that now no one is tampering with your DNS queries.

CC BY-SA 4.0 DNSSEC on OpenWrt 18.06, 19.07, and 21.01 by Craig Andrews is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

15 thoughts on “DNSSEC on OpenWrt 18.06, 19.07, and 21.01”

  1. Dear Andrews!

    Sorry, my English is bad, but I have 1 question.

    Doing as written, after the dnsmasq swap my opkg said that it created a new /etc/config/dhcp-opkg configuration file, so I think it is the valid configuration file after the swap.

    +1 question: Does my ISP DNS require any dnssec support?

    1. Your ISP doesn’t care about dnssec; it can’t require or not require it.

      You should always use dnssec as it ensures that the results of DNS queries (for DNSSEC enabled domains) are authentic.

  2. Tried it on OpenWrt 18.06.1 but unfortunately it has a drawback. I noticed that my DHCP leases used to assign specific IP addresses to specific MAC addresses fail to work after some time (I think after the first lease timeout). Those devices don’t get the set IP address anymore but instead an address from the free range I defined (*.100 to *.180). As I need specific devices to have specific IP addresses I had to remove the package again and go back to dnsmasq. Now everything works again.

  3. This will work but it will result in IPv6 DHCP leases not showing on the status page. To fix this remove the package odhcpd-ipv6only in addition to removing dnsmasq. Dnsmasq-full replaces the functionality in both dnsmasq and odhcpd-ipv6only.

    1. I have odhcpd-ipv6only installed and I’m seeing the “Active DHCPv6 Leases” section of the status page at /cgi-bin/luci/admin/status/overview populated as expected.

      Are you sure that odhcpd-ipv6only should be removed? Can you link to something that indicates that?

  4. Thank you for this. I didn’t even know I wanted DNSSEC before!

    I can confirm that your shell commands work perfectly on OpenWrt 21.02 (RC3) as well.
