Maciej Soltysiak writes:

> Therefore I have bought a VM at a cloud provider in my city and
> deployed the same thing they are but 7ms away. DNSCrypt-wrapper with a
> default config of unbound to provide recursive, DNSSEC validated NS.

An alternative approach is to simply run a full BIND resolver with DNSSEC validation on the cerowrt box. That is doable, with a bit of configuration (notably adding the root key config file).

The biggest issue is one of time: when the router boots up it doesn't know the time, and hence can't validate DNSSEC, making it unable to contact an NTP server.

A way to solve this is to get hold of a USB GPS receiver and use that as a time source either on the cerowrt box itself, or on another box that the router can reach when it boots up (and configure that in /etc/hosts or simply input an IP into the NTP config). I suppose configuring a known good NTP server by IP (or in /etc/hosts) would work as well.

I use this setup (with a GPS on my home server) and it works quite well. :)

-Toke
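Added example, not part of the original message: a shell check for the boot-time loop described above, listing NTP sources that still need DNS because they are neither IP literals nor pinned in the hosts file. It assumes ntp.conf-style `server`/`pool`/`peer` lines; the function names, file contents and addresses are constructed for illustration.

```shell
#!/bin/sh
# Flag NTP sources that depend on DNS at boot (and so on DNSSEC, and so on
# a correct clock). Assumption: ntp.conf-style "server|pool|peer <addr>" lines.

is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;                      # ':' never occurs in a hostname: IPv6
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;  # not purely digits and dots: a name
        *.*.*.*) return 0 ;;                  # dotted quad (loose check)
        *) return 1 ;;
    esac
}

in_hosts_file() {   # $1 = name, $2 = hosts file; matches any name column
    awk -v n="$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) found = 1 }
        END { exit !found }' "$2"
}

ntp_dns_dependencies() {   # $1 = NTP config, $2 = hosts file
    awk '{ sub(/#.*/, "") } $1 ~ /^(server|pool|peer)$/ && NF >= 2 { print $2 }' "$1" |
    while read -r addr; do
        is_ip_literal "$addr" && continue
        in_hosts_file "$addr" "$2" && continue
        echo "$addr"        # resolving this name needs working DNS at boot
    done
}

demo() {   # constructed sample files, written to a temp dir and removed again
    dir=$(mktemp -d)
    cat > "$dir/ntp.conf" <<'EOF'
server 127.127.20.0             # local GPS reference clock (ntpd NMEA driver)
server 192.0.2.10 iburst        # pinned by IP
server timebox.lan iburst       # pinned via the hosts file
pool 0.pool.example.org iburst  # needs DNS before the clock is set
EOF
    cat > "$dir/hosts" <<'EOF'
127.0.0.1 localhost
192.0.2.20 timebox.lan timebox
EOF
    ntp_dns_dependencies "$dir/ntp.conf" "$dir/hosts"
    rm -rf "$dir"
}

demo
```

An empty result means every configured time source is reachable without a resolver, so the clock can be set before DNSSEC validation is needed.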