EdgeRouter: DNS forwarding to CloudFlare with DNSSEC
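# EdgeOS (EdgeRouter) DNS forwarding: dnsmasq forwards to Cloudflare over IPv4
# and IPv6 and validates DNSSEC on the router itself.
# Paste into `configure` mode (or feed through the config wrapper), then
# `commit` and `save`.
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 1.0.0.1
set service dns forwarding name-server '2606:4700:4700::1111'
set service dns forwarding name-server '2606:4700:4700::1001'
# Validate answers locally rather than trusting the AD bit set by the upstream.
set service dns forwarding options dnssec
# Root-zone trust anchors as DS records: key tag, algorithm 8, digest type 2.
# Key tag 20326 is the root KSK in use since the 2018 rollover; 19036 is the
# earlier KSK that was retired after it. A retired anchor still counts as
# trusted here, so drop the 19036 line once compatibility is no longer a concern.
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Require NSEC/NSEC3 proof that a zone really is unsigned; without this a
# stripped signature would be accepted as an ordinary unsigned answer.
set service dns forwarding options dnssec-check-unsigned
# dnsmasq keeps a last-known-good timestamp in this file and treats the system
# clock as valid once it is later than the file's mtime. This lets validation
# work after a reboot on a device without a battery-backed clock without
# disabling the time check altogether (dnssec-no-timecheck). /config survives
# reboots; the path must be writable by the user dnsmasq runs as
# (NOTE(review): the directory may need to be created by hand — confirm on
# the device).
set service dns forwarding options dnssec-timestamp=/config/dnsmasq/dnsmasq.time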
@nomaster Thank you - my final configuration running successfully on my ER-4:
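# ER-4 configuration posted in the gist comments: LAN DHCP, dnsmasq as the only
# resolver for the router and its clients, DNSSEC validated locally.
# The router resolves through its own dnsmasq, so anything that must work before
# DNS does (NTP) is given by IP address below.
set system name-server 127.0.0.1
# NTP by IP so the clock can be set before validated DNS is available. These
# are unauthenticated NTP associations; the LAN stratum-1 source is preferred,
# which limits how far a public upstream could push the clock (a clock that is
# far off makes valid DNSSEC signatures look expired or not-yet-valid).
set system ntp server 10.0.1.50 prefer # Stratum 1 PPS LAN-side NTP server
set system ntp server 17.253.34.251
set system ntp server 17.253.34.253
set system ntp server 45.66.39.122
set system ntp server 139.143.5.30
set system ntp server 139.143.5.31
# DHCPv4 for LAN1: clients get the router as DNS server and the LAN stratum-1
# host as NTP server.
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 default-router 10.0.1.1
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 dns-server 10.0.1.1
set service dhcp-server shared-network-name LAN1 subnet 10.0.1.0/24 ntp-server 10.0.1.50
set service dhcp-server static-arp disable
# Let dnsmasq serve DHCP itself so lease names are resolvable locally.
set service dhcp-server use-dnsmasq enable
set service dns forwarding cache-size 8000
# Answer only on the listed interfaces; nothing listens on the WAN side, which
# keeps the router from becoming an open resolver (assumes eth3 and eth3.1003
# are LAN-side — confirm).
set service dns forwarding listen-on eth3
set service dns forwarding listen-on eth3.1003
# Two independent upstream operators, one IPv4 and one IPv6 address each.
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding name-server 9.9.9.9
set service dns forwarding name-server '2620:fe::9'
# Query all upstreams in parallel and take the first reply; the DNSSEC options
# below still validate whichever reply wins.
set service dns forwarding options all-servers
# Never forward reverse lookups for private address space upstream, so internal
# addressing stays off the wire.
set service dns forwarding options bogus-priv
# Never forward bare hostnames without a domain part.
set service dns forwarding options domain-needed
set service dns forwarding options dhcp-authoritative
# Raw dnsmasq IPv6 RA/stateless options passed through verbatim
# (NOTE(review): with no interface or prefix given this applies to every
# interface dnsmasq serves — confirm that is the intended scope).
set service dns forwarding options 'dhcp-range=::,ra-stateless,ra-names'
set service dns forwarding options expand-hosts
# DNSSEC validation on the router. Trust anchors are root DS records
# (key tag, algorithm 8, digest type 2): 20326 is the current root KSK, 19036
# the one retired after the 2018 rollover; a retired anchor is still trusted
# as configured, so the 19036 line can be dropped.
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Demand NSEC/NSEC3 proof before accepting an unsigned answer.
set service dns forwarding options dnssec-check-unsigned
# Neither dnssec-timestamp nor dnssec-no-timecheck is set here: if the device
# boots with a wrong clock, validation fails until NTP (reachable by IP above)
# has set the time (NOTE(review): confirm whether the ER-4 keeps time across
# reboots before relying on this).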
I recommend adding at least one NTP server by IP address, so that it can be reached before secure name resolution is established; `dnssec-no-timecheck` should then not be needed.