Recommended DNSMasq settings

fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 94

PostPosted: Sat Jan 27, 2018 23:30    Post subject:
@mrjcd Yes! The DNS rebind attack log entries you described are what I had with DNSCrypt enabled with some resolvers/servers. And if some resolvers also do DNSSEC, that might also explain why some pages were unreachable.

So this illustrates a concern with using DNSCrypt: the resolver becomes a single point of failure which can disable the user's internet connection. For this reason https://dnscrypt.ca/ recommends using more than one resolver, but I don't see that option in ddwrt.

As a side note, even when I disabled DNSCrypt in ddwrt, I saw syslog entries relating to dnscrypt-proxy (fetching server certificates). Not sure if something's broken. I had to ssh in and kill the process.

@rizla7 I understand your skepticism and concerns about performance, but I don't think security is just for the paranoid. There's a question of trust, which I think has clearly been shown to have been abused by various organizations. One way to fix this is by not requiring trust.

The problem I see with DNSCrypt is that it still requires trust in the one running the resolver or at least their server. There's no guarantee that person isn't keeping logs, or that unknown to them their server might be compromised, etc. So, the value of DNSCrypt is unclear to me, especially given the serious usability impact from potential resolver failures.

As for DNSSEC, I disabled both DNSCrypt and DNSSEC related options under Services and went here https://dnssec.vs.uni-due.de/ to check if DNSSEC validation is being done... and it is. Assuming that ddwrt's gui isn't lying to me, that might imply my ISP is doing DNSSEC validation?
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4704
Location: Texas

PostPosted: Sun Jan 28, 2018 0:17    Post subject:
Yea that is the thing with dd-wrt DNSCrypt in its current state, you are using only one DNS server.
You can of course add to that --- many do ... don't ask me specifics on that, I'm not really a big
fan of DNSCrypt although I use it from time to time. My main router runs unbound so yea everything
is DNSSEC and I don't have to worry about getting to where I intend to go.

https://dnssec.vs.uni-due.de/ is cute an all and fairly accurate but if you really want to
see about DNSSEC you should visit http://dnssectest.sidnlabs.nl/
Do the test and if whatever resolver you are using is actually using DNSSEC it will tell you
and you can also continue with 'Further connection testing' and see exactly what algorithm your
said resolver is using. I just run this -- here is what unbound does --

Fairly common stuff there.
unbound will never fail -- yea it uses root servers -- I've used it for a long time and never ever had a problem or failure.

If you run same test using DNSSEC validation w/dd-wrt for some individual resolvers or combined with
DNSCrypt on valid resolvers you may see some that will handle more signing algorithm combinations but
you will also likely always see many combinations that will show SERVERFAIL. Unbound doesn't do that --
that's one reason I like him ---- and before someone jumps in and says it's not as fast you should
run some tests ---- and besides a piece of a millisecond doesn't mean much to me at the age I'm getting

NOTE:
Doing tests after changing these types of configs you should reboot your
router first to get any meaningful info --
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 94

PostPosted: Sun Jan 28, 2018 1:44    Post subject:
With DNSCrypt and DNSSEC disabled in ddwrt, and using my ISP's DNS, I get this final result with https://internet.nl/ :



mrjcd, when you mentioned SERVERFAILs, did you mean there would be some combinations with that result after the test is fully completed? During the testing I saw the icons change almost randomly between the three possible outcomes, including SERVERFAIL, until it settled on the result above.

As rizla7 pointed out, it seems I don't need to deal with DNSSEC myself. And I'm not enthusiastic about DNSCrypt after considering the weaknesses pointed out in this thread.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4704
Location: Texas

PostPosted: Sun Jan 28, 2018 2:15    Post subject:
fizikz wrote:
With DNSCrypt and DNSSEC disabled in ddwrt, and using my ISP's DNS, I get this final result with https://internet.nl/ :



mrjcd, when you mentioned SERVERFAILs, did you mean there would be some combinations with that result after the test is fully completed? During the testing I saw the icons change almost randomly between the three possible outcomes, including SERVERFAIL, until it settled on the result above.

As rizla7 pointed out, it seems I don't need to deal with DNSSEC myself. And I'm not enthusiastic about DNSCrypt after considering the weaknesses pointed out in this thread.

certain algorithms will give the complete red X serverfail when checked from some resolvers.

What ISP you gave?
Looks good to me. There has been a big push towards DNSSEC for a long time but it seemed slow to catch on ---- maybe some ISPs are finally doing the right thing. At least your DNS queries should always get to where they are meant to go ....but just because they can't be redirected doesn't mean they can't be seen......that is where DNSCrypt comes in.

Edit:
Haven't seen any doing that many algorithms for DNSSEC but maybe Google.
Just connected to ovpn server that uses Google DNS and yea they cover 'bout everything but looks like they have completely dropped any MD5 stuff .....those showing server fail using Google but not surprised, MD5 is ancient and insecure these days


Last edited by mrjcd on Sun Jan 28, 2018 2:34; edited 1 time in total
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 94

PostPosted: Sun Jan 28, 2018 2:32    Post subject:
mrjcd wrote:
At least your DNS queries should always get to where they are meant to go ....but just because they can't be redirected doesn't mean they can't be seen......that is where DNSCrypt comes in.


If I'm using my ISP's DNS, it shouldn't be possible to snoop, should it? Unless someone is on the line between my computer and ISP's servers...
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4704
Location: Texas

PostPosted: Sun Jan 28, 2018 2:47    Post subject:
fizikz wrote:
mrjcd wrote:
At least your DNS queries should always get to where they are meant to go ....but just because they can't be redirected doesn't mean they can't be seen......that is where DNSCrypt comes in.


If I'm using my ISP's DNS, it shouldn't be possible to snoop, should it? Unless someone is on the line between my computer and ISP's servers...

The ISP is what most are concerned about
Everyone has their own opinions about things and I will just say, as I have a few times over the years, no one can setup your network to suit you but your own self.

No one is going to capture your DNS queries and wreak havoc on your life .....unless you may be doing something highly illegal and if so you probably have more to worry about than just DNS.
Most people simply don't like anyone knowing their private business ....well, if you ever use any type of smartphone then what you do with it and how you use it is known and not much you can do about it....
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 94

PostPosted: Sun Jan 28, 2018 3:31    Post subject:
mrjcd wrote:
The ISP is what most are concerned about


Haha, valid point. I somewhat trust my ISP not to be evil, but again, I think it's better to remove the need to trust at all, as much as possible.

So, to conclude, the recommended DNSmasq settings seem to be as in mwchang's config image, except with "Query DNS in strict order" enabled.
rizla7
DD-WRT User


Joined: 11 May 2012
Posts: 293

PostPosted: Sun Jan 28, 2018 4:46    Post subject:
Sorry, I'm busy coding a syslog server, cuz everything available that's opensource is garbage.

This one uses DataGridView with sorting and filtering. Now it also tracks IPs and connection counts, does a reverse DNS lookup, color-codes the tables, etc... Bug fixing time... I still need to make a tab for system messages though.

I should add geolocation links like DD-WRT. Ohhh... just thought of that myself... huehue

Also just realized the growth of port-scanning services is off the fucking scale now... being scanned by several of these 'security firms', dozens of times every few seconds... then there's the kiddie hackers on top of those...

Rooted my Android phone, so gotta make sure it's not up to any funny business.

Yea, just use your ISP, that's what it's for. Of course, since most domains/sites don't support DNSSEC, that doesn't mean all queries will be authenticated. But, the major sites will, so you can be sure you're not connecting to joe.simpson.com... for smaller sites, it's all up to the site/domain owner if they want to support it or not, so you have no guarantee even if your ISP supports it. There is no requirement for them to support it.

DNSSEC doesn't do encryption, so it's not for privacy. it's for authentication purposes only, to validate the host (sometimes client, dynamic DNS for LAN or WAN).
smhawkes
DD-WRT Novice


Joined: 21 Mar 2008
Posts: 4

PostPosted: Sun Jan 28, 2018 17:20    Post subject:
rizla7 wrote:
smhawkes wrote:
I'm not sure you know what dnssec is used for.


I'm not sure you even know how to read, but you certainly can wiki. I specifically said as an end-user. I was trying not to complicate matters.

If you were an ISP, which is a topic I don't care to get into, that's what you'd use it for. But, reading comprehension seems to be a big issue these days, and over-reliance on wiki/google.

Anyways, to conclude I suppose, you don't need it, since the DNS server is on your ISP's network, and you do not pass through any other networks. So unless your ISP decides to screw with you and alter the responses, then there is no need. Plus, your ISP doesn't support DNSSEC for clients.


You should be on the Reddit sub r/iamverysmart.
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 576
Location: Hung Hom, Hong Kong

PostPosted: Sun Jan 28, 2018 17:38    Post subject:
rizla7 wrote:
mwchang wrote:
Throwing in my settings!


Although it doesn't seem to apply to your config, duplicating options that already exist in dnsmasq.conf will kill the dnsmasq process. Not sure which options it applies to, but dhcp-max-leases does. It can only be listed once. This is also documented on the wiki.

..... <snipped> ...

I wouldn't use 'no-negcache' though. If the domain does not exist, then it does not exist. I wouldn't be too concerned about it.

Thank you, Master!

_________________
Router: Asus RT-N18U (rev. A1)

May the Force and farces be with you! Live long and proper!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
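Two configuration points come out of this thread: "Query DNS in strict order" (dnsmasq's strict-order option) is the one setting the conclusion adds, and pasting an option into the additional-options box that DD-WRT already generates (rizla7's dhcp-max-leases example; the dnsmasq man page spells that option dhcp-lease-max, which is what the code below uses) kills the dnsmasq process. The following checker is an added example, not code from DD-WRT, dnsmasq or any poster in this thread. It parses a dnsmasq.conf the way dnsmasq does (comment lines start with #, keyword and value split at the first =), reports single-use options that appear more than once, and flags the strict-order / no-negcache choices. The SINGLE_USE_OPTIONS set is an illustrative subset (an assumption, not dnsmasq's complete list), and the sample configuration is constructed for the demonstration.

```python
"""Sanity-check a dnsmasq configuration before handing it to the router.

Added example for this thread; not code from DD-WRT, dnsmasq or any poster.
"""
from collections import Counter

# Illustrative subset of dnsmasq options that take a single value and may
# therefore appear only once (assumption: not a complete list).
SINGLE_USE_OPTIONS = {
    "dhcp-lease-max", "cache-size", "resolv-file", "dhcp-leasefile",
    "port", "local-ttl", "neg-ttl", "pid-file", "user", "group",
}

# Constructed sample: a GUI-generated section followed by lines pasted into
# "Additional DNSMasq Options". The pasted part repeats dhcp-lease-max.
SAMPLE_CONF = """\
# generated section (constructed sample, not a real router dump)
interface=br0
domain-needed
bogus-priv
resolv-file=/tmp/resolv.dnsmasq
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-lease-max=50
# additional options pasted by the user
strict-order
dhcp-lease-max=100
"""


def parse_options(conf_text):
    """Return (keyword, value) pairs in file order; value is None for bare flags.

    A line whose first non-blank character is '#' is a comment; keyword and
    value are split at the first '='.
    """
    options = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, sep, value = line.partition("=")
        options.append((keyword.strip(), value.strip() if sep else None))
    return options


def find_duplicates(conf_text):
    """Single-use keywords that occur more than once, sorted by name."""
    counts = Counter(keyword for keyword, _ in parse_options(conf_text))
    return sorted(k for k, n in counts.items() if n > 1 and k in SINGLE_USE_OPTIONS)


def review(conf_text):
    """Summarise the findings discussed in the thread."""
    keywords = {keyword for keyword, _ in parse_options(conf_text)}
    return {
        "duplicates": find_duplicates(conf_text),
        "strict_order": "strict-order" in keywords,   # thread's conclusion: enable
        "no_negcache": "no-negcache" in keywords,     # rizla7 advises against
    }


if __name__ == "__main__":
    report = review(SAMPLE_CONF)
    for keyword in report["duplicates"]:
        print(f"ERROR: '{keyword}' appears more than once; dnsmasq will refuse it")
    print("strict-order set:", report["strict_order"])
    print("no-negcache set:", report["no_negcache"])
```

Run against the sample, the script reports dhcp-lease-max as duplicated; deleting the pasted dhcp-lease-max line (or changing the value in the GUI instead) clears the error while strict-order stays set. Repeated server= lines are not reported because dnsmasq accepts that option many times.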
rizla7
DD-WRT User


Joined: 11 May 2012
Posts: 293

PostPosted: Sun Jan 28, 2018 23:07    Post subject:
smhawkes wrote:
You should be on the Reddit sub r/iamverysmart.


I'm not on reddit, but try /r/iamverystupid.