"DNS over TLS" or "DNS over HTTPS"

budimanjojo
DD-WRT Novice


Joined: 12 Oct 2018
Posts: 5

Posted: Sat Nov 10, 2018 17:17
Sigals wrote:
I managed to get this working using unbound from opkg and pointing dnsmasq at it to handle the queries.


Can you show us how to do it? Thanks before ;)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

Posted: Sat Nov 10, 2018 17:59
Yep, interesting how and what test you used to show us these results...
I managed it, and do like the FFx DNS via DoH option using quad9, and have DNSmasq set to point to 9.9.9.9 and test it with Wireshark, so far so good.. it's using TLS 1.3 and HTTPS for DNS resolving...

But interesting which browser you use now, which test and approach you succeeded with, could you give us more info...
Personally I couldn't make it work with Chrome as it goes to its own shit

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55779 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
dareino
DD-WRT User


Joined: 06 Apr 2018
Posts: 70

Posted: Sat Nov 10, 2018 19:44
Wow, things just keep getting better and better....... FF and Chrome both on TLSv1.3... there's no DoH for Chrome so I'll stick to FF...

d
Sigals
DD-WRT Novice


Joined: 09 Nov 2018
Posts: 12

Posted: Sat Nov 10, 2018 20:17
I set it up something like this:

Code:
opkg install unbound
opkg install unbound-anchor
unbound-anchor -a /opt/etc/unbound/getdns-root.key
opkg install shadow-useradd
useradd unbound -s /bin/false

<modify unbound.conf>

unbound -v -c /opt/etc/unbound/unbound.conf
dig @127.0.0.1 -p 53535 www.example.com


----- add additional options to DNSMasq on DD-WRT --> Services Web Page -----
no-resolv
server=127.0.0.1#53535

Set up your DHCP static DNS to be your DD-WRT IP address.


Here is a pcap from tcpdump on the router itself showing a DNS query:



And the output of it is clearly encrypted with SSL :)

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

Posted: Sat Nov 10, 2018 21:37
So Sigals, you abandoned getdns and stubby
and you installed unbound via opkg.
I know Kong has unbound working on his builds, but what is your router model and current build running?

Once I'm back at home I may try it on my R7000 & R7800 as they have unbound working..

But so far I don't have opkg on my lower grade routers or unbound working, especially on BS builds I don't even have DNSSEC... so I will stick to the FFx option as it seems less sketchy and is working on browser level at least.

But yea, 10x for the info, I'll give it a try on Kong builds these days.

Sigals
DD-WRT Novice


Joined: 09 Nov 2018
Posts: 12

Posted: Sat Nov 10, 2018 22:08
Hehe, yea getdns and stubby both seem broken on dd-wrt.

I'm running an Asus RT-N16 DD-WRT v3.0-r35034 big (02/17/18)

Appreciate the kind words, hopefully this can help some other people get more privacy.

Alozaros wrote:
So Sigals, you abandoned getdns and stubby
and you installed unbound via opkg.
I know Kong has unbound working on his builds, but what is your router model and current build running?

Once I'm back at home I may try it on my R7000 & R7800 as they have unbound working..

But so far I don't have opkg on my lower grade routers or unbound working, especially on BS builds I don't even have DNSSEC... so I will stick to the FFx option as it seems less sketchy and is working on browser level at least.

But yea, 10x for the info, I'll give it a try on Kong builds these days.
Sigals
DD-WRT Novice


Joined: 09 Nov 2018
Posts: 12

Posted: Sat Dec 01, 2018 20:41
Alozaros wrote:
So Sigals, you abandoned getdns and stubby
and you installed unbound via opkg.
I know Kong has unbound working on his builds, but what is your router model and current build running?


I actually just got getdns and stubby working, I had to compile it with this patch: https://github.com/getdnsapi/stubby/issues/140

Ended up not using unbound as I found that it introduced too much latency and my internet browsing was negatively affected.

I'll try to get the stubby + dnsmasq full setup soon and see if the performance is better.

edit:

Performance using DNSmasq and stubby as opposed to DNSmasq and unbound seems to be a lot better:

hyppo
DD-WRT User


Joined: 21 Mar 2015
Posts: 56

Posted: Tue Dec 18, 2018 22:49
Hi, on R7800 using Kong’s repo I can install getdns and stubby but can’t install unbound

Can I maintain dns over tls using getdns or stubby? If so, can you please share steps how to do it

Thx!

Code:

root@DD-WRT:~# opkg install unbound
Unknown package 'unbound'.
Collected errors:
 * opkg_install_cmd: Cannot install package unbound.

root@DD-WRT:~# opkg install getdns
Installing getdns (1.4.2-1) to root...
Downloading http://desipro.de/opkg/getdns_1.4.2-1_arm_cortex-a9.ipk.
Installing libc (1.1.19-1) to root...
Downloading http://desipro.de/opkg/libc_1.1.19-1_arm_cortex-a9.ipk.
Installing libgcc (7.3.0-1) to root...
Downloading http://desipro.de/opkg/libgcc_7.3.0-1_arm_cortex-a9.ipk.
Installing libopenssl (1.0.2p-1a) to root...
Downloading http://desipro.de/opkg/libopenssl_1.0.2p-1a_arm_cortex-a9.ipk.
Configuring libgcc.
Configuring libc.
Configuring libopenssl.
Configuring getdns.

root@DD-WRT:~# opkg install stubby
Installing stubby (0.2.3-1) to root...
Downloading http://desipro.de/opkg/stubby_0.2.3-1_arm_cortex-a9.ipk.
Installing libyaml (0.2.1-1) to root...
Downloading http://desipro.de/opkg/libyaml_0.2.1-1_arm_cortex-a9.ipk.
Configuring libyaml.
Configuring stubby.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

Posted: Wed Dec 19, 2018 12:15
hyppo wrote:
Hi, on R7800 using Kong’s repo I can install getdns and stubby but can’t install unbound

Can I maintain dns over tls using getdns or stubby? If so, can you please share steps how to do it

Thx!

Code:

root@DD-WRT:~# opkg install unbound
Unknown package 'unbound'.
Collected errors:
 * opkg_install_cmd: Cannot install package unbound.

root@DD-WRT:~# opkg install getdns
Installing getdns (1.4.2-1) to root...
Downloading http://desipro.de/opkg/getdns_1.4.2-1_arm_cortex-a9.ipk.
Installing libc (1.1.19-1) to root...
Downloading http://desipro.de/opkg/libc_1.1.19-1_arm_cortex-a9.ipk.
Installing libgcc (7.3.0-1) to root...
Downloading http://desipro.de/opkg/libgcc_7.3.0-1_arm_cortex-a9.ipk.
Installing libopenssl (1.0.2p-1a) to root...
Downloading http://desipro.de/opkg/libopenssl_1.0.2p-1a_arm_cortex-a9.ipk.
Configuring libgcc.
Configuring libc.
Configuring libopenssl.
Configuring getdns.

root@DD-WRT:~# opkg install stubby
Installing stubby (0.2.3-1) to root...
Downloading http://desipro.de/opkg/stubby_0.2.3-1_arm_cortex-a9.ipk.
Installing libyaml (0.2.1-1) to root...
Downloading http://desipro.de/opkg/libyaml_0.2.1-1_arm_cortex-a9.ipk.
Configuring libyaml.
Configuring stubby.



If you read Sigals' previous post he explains how to...
If you need to use DNS over TLS there are some other tutorials, I believe Sigals' goal is DoH...
I also couldn't make it with unbound on my 1043v2 and installed Entware and tried stubby, but without unbound I didn't get anywhere close to working...
For some reason it does not recognize the anchor...
So I bailed out and am still using the Firefox DoH option described above... and it's working...
Also noticed in Wireshark if you use 9.9.9.9 as a DNS it does TLS by default... I can see the handshake TLS 1.2

But I wonder, if you have an R7800 and can use DNSCrypt instead, what's the point to chase TLS or DoH as they are not any better???

Sigals
DD-WRT Novice


Joined: 09 Nov 2018
Posts: 12

Posted: Thu Dec 20, 2018 15:00
You don't actually need to install unbound to have DNS-over-HTTPS.

I found it introduced performance issues.

You can use DNSMasq + Stubby to do the same with increased performance.

I'm not sure if they updated the Stubby+Getdns package in OPKG yet as I had to compile it from source with a patch.

You can see the instructions I followed here:

https://github.com/Entware/Entware/wiki/Using-GCC-for-native-compilation
Download the getdns source and apply the patch, after that run configure.

Quote:
wget https://getdnsapi.net/dist/getdns-1.4.2.tar.gz
tar -xvzf getdns-1.4.2.tar.gz
cd getdns-1.4.2
wget https://github.com/getdnsapi/stubby/files/2629513/0001-Bugfix-getdnsapi-stubby-140-fallback-on-getentropy-f.patch.gz
gzip -d 0001-Bugfix-getdnsapi-stubby-140-fallback-on-getentropy-f.patch.gz
patch -p1 < 0001-Bugfix-getdnsapi-stubby-140-fallback-on-getentropy-f.patch
./configure --prefix=/opt --enable-stub-only --without-libidn --without-libidn2 --with-ssl="/opt" --with-stubby
make && make install


Once you have Stubby installed you can test it:

Quote:
[root@DD-WRT ~] stubby
[14:46:31.474242] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[14:46:31.480206] STUBBY: DNSSEC Validation is OFF
[14:46:31.481928] STUBBY: Transport list is:
[14:46:31.483503] STUBBY: - TLS
[14:46:31.485100] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[14:46:31.486694] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[14:46:31.488290] STUBBY: Starting DAEMON....


Quote:
[root@DD-WRT ~] dig @127.0.0.1 -p 5453 www.google.com

; <<>> DiG 9.11.3 <<>> @127.0.0.1 -p 5453 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 381
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 259 IN A 216.58.210.36

;; Query time: 381 msec
;; SERVER: 127.0.0.1#5453(127.0.0.1)
;; WHEN: Thu Dec 20 14:47:10 GMT 2018
;; MSG SIZE rcvd: 73


Then just add those additional options to DNSMasq:

Quote:
no-resolv
server=127.0.0.1#5453


Set up your DHCP static DNS to be your DD-WRT IP address.

I've attached my stubby config file to this post as well.

If you find the Stubby version is still broken in opkg and you have the same architecture as me:

Quote:
[root@DD-WRT ~] file /opt/bin/stubby
/opt/bin/stubby: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV)


I can share the binary.
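
An added check for the dnsmasq step in the post above (not part of Sigals' post): dnsmasq keeps using the upstreams from its resolv file unless `no-resolv` is set, and any non-loopback `server=` line still sends queries around Stubby. The function name, the messages and the sample config are constructed for illustration; point the function at the dnsmasq config your router actually generates.

```shell
#!/bin/sh
# Added example, not from the thread: check that a dnsmasq config can only
# forward to a local stub (Stubby on 127.0.0.1#5453 in the post above).
# Prints one finding per line; exit status 0 = no findings, 1 = findings.
audit_dnsmasq_upstreams() {
    awk '
    function report(msg) { print msg; found++ }
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        if ($0 == "" || substr($0, 1, 1) == "#") next
        if ($0 == "no-resolv") { noresolv = 1; next }
        if ($0 !~ /^server=/) next
        spec = substr($0, 8)                   # text after "server="
        if (substr(spec, 1, 1) == "/") {       # server=/domain/addr: keep addr only
            n = split(spec, part, "/")
            spec = part[n]
        }
        addr = spec
        sub(/[#@].*/, "", addr)                # drop #port and @interface
        if (addr == "") next                   # server=/domain/ names no upstream
        if (addr ~ /^127\./ || addr == "::1") loopback++
        else report("server=" spec ": not a loopback address, these queries bypass the local stub")
    }
    END {
        if (!noresolv) report("no-resolv is missing: upstreams from the resolv file are still used")
        if (!loopback) report("no loopback server= line: nothing is forwarded to the local stub")
        exit (found ? 1 : 0)
    }' "$1"
}

# Constructed sample: a generated config plus the two options from the post.
demo_dnsmasq_options() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
# constructed sample, paths are placeholders
interface=br0
resolv-file=/tmp/resolv.example
no-resolv
server=127.0.0.1#5453
EOF
    audit_dnsmasq_upstreams "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

demo_dnsmasq_options && echo "dnsmasq forwards only to the local stub"
```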
murtaza12
DD-WRT User


Joined: 19 Nov 2015
Posts: 122
Location: Pakistan

Posted: Wed Jan 30, 2019 16:56
Sigals wrote:
You don't actually need to install unbound to have DNS-over-HTTPS.

I found it introduced performance issues.

You can use DNSMasq + Stubby to do the same with increased performance.

Quote:
[root@DD-WRT ~] dig @127.0.0.1 -p 5453 www.google.com

; <<>> DiG 9.11.3 <<>> @127.0.0.1 -p 5453 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 381
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 259 IN A 216.58.210.36

;; Query time: 381 msec
;; SERVER: 127.0.0.1#5453(127.0.0.1)
;; WHEN: Thu Dec 20 14:47:10 GMT 2018
;; MSG SIZE rcvd: 73



Stubby and getdns on entware both got updated recently.

So I decided to attempt again, however no luck.

Here's when I tried testing with Dig:

Quote:

root@EA8500TEST:~# dig @127.0.0.1 -p 5453 www.google.com

; <<>> DiG 9.11.5 <<>> @127.0.0.1 -p 5453 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached



Any advice on where to proceed? Stubby is a clean install, config file is untouched. Still set to use CloudFlare DNS.

_________________
Active devices:
Netgear R7800 - Stock v1.0.2.68
Linksys EA8500 - OpenWRT 19.07.1
ASUS RP-AC68U - 3.0.0.4.382.40019
sachinss
DD-WRT Novice


Joined: 22 Jan 2019
Posts: 1

Posted: Fri Feb 01, 2019 5:26
Thanks a lot for the detailed instructions! When I try to compile getdns with the patch I keep getting an error on the ./configure command that it cannot find my OpenSSL libraries. I have the openssl package installed, and I also tried with different paths under --with-ssl.

Any ideas on how I can sort this out?



Sigals wrote:


Quote:
wget https://getdnsapi.net/dist/getdns-1.4.2.tar.gz
tar -xvzf getdns-1.4.2.tar.gz
cd getdns-1.4.2
wget https://github.com/getdnsapi/stubby/files/2629513/0001-Bugfix-getdnsapi-stubby-140-fallback-on-getentropy-f.patch.gz
gzip -d 0001-Bugfix-getdnsapi-stubby-140-fallback-on-getentropy-f.patch.gz
patch -p1 < 0001-Bugfix-getdnsapi-stubby-140-fallback-on-getentropy-f.patch
./configure --prefix=/opt --enable-stub-only --without-libidn --without-libidn2 --with-ssl="/opt" --with-stubby
make && make install

wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

Posted: Tue May 14, 2019 12:58
Fiddled around with the built-in unbound in BS 39715 a bit.

First managed to get it to work 'as is' by enabling it on the setup package. I then created a custom configuration and placed that in /jffs/etc as described in the wiki and enabled a number of security options including 'dns over tls' against Google and OpenDNS.

Seems to work as intended. Only issue I have is that it takes more than 10 minutes after startup to get the WAN IP. Have no idea what the cause is, but everything works as intended.

_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

Posted: Wed May 15, 2019 7:46
Could you give us a step by step guide...?
I tried stubby with DoH but failed to connect...
Back in the days with unbound I was having some fun stuff too, it was not always working, but sadly it's not present on low end routers...

wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

Posted: Wed May 15, 2019 8:11
Alozaros wrote:
Could you give us a step by step guide...?
I tried stubby with DoH but failed to connect...
Back in the days with unbound I was having some fun stuff too, it was not always working, but sadly it's not present on low end routers...


The steps I followed to get this to work were:
- Enter an NTP server manually with IP address (not FQDN) on "Setup" and test that it works.
- Enable Unbound on "Setup" and check that the default configuration works. For some reason it took a fairly long time for the router to start up.
- Copy the configuration from /tmp/unbound.conf for editing.
- Add the DNS servers you want to use, like this example, to the bottom of unbound.conf:

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.0.0.1@853#one.one.one.one
  forward-addr: 1.1.1.1@853#one.one.one.one
  forward-addr: 8.8.4.4@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net

- Copy unbound.conf to /jffs/etc

- Restart router

_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
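
An added example (not from the thread and not Unbound's own tooling): a shell function that audits an unbound.conf like the one in the post above. Unbound can only authenticate a DoT upstream when the `server:` clause sets `tls-cert-bundle` and the `forward-addr` carries a `#name`, so the forward-zone shown on its own encrypts the queries but does not verify who answers them. The function name, the messages and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit the DoT forwarding in an unbound.conf.
# Prints one finding per line; exit status 0 = no findings, 1 = findings.
audit_unbound_dot() {
    awk '
    function report(msg) { print msg; found++ }
    {
        sub(/^#.*/, "")              # whole-line comment
        sub(/[ \t]+#.*/, "")         # trailing comment; "#" inside a token stays
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        colon = index($0, ":")
        if (colon == 0) next
        key = substr($0, 1, colon - 1)
        val = substr($0, colon + 1)
        sub(/^[ \t]+/, "", val)
        if (val == "") {             # "server:" or "forward-zone:" opens a clause
            clause = key
            if (key == "forward-zone") { nz++; zname[nz] = "(unnamed)" }
            next
        }
        gsub(/"/, "", val)
        if (clause == "server") {
            if (key == "tls-cert-bundle") bundle = val
            if ((key == "tls-upstream" || key == "ssl-upstream") && val == "yes") global_tls = 1
        } else if (clause == "forward-zone") {
            if (key == "name") zname[nz] = val
            if ((key == "forward-tls-upstream" || key == "forward-ssl-upstream") && val == "yes") ztls[nz] = 1
            if (key == "forward-addr") { na++; azone[na] = nz; aval[na] = val }
        }
    }
    END {
        for (i = 1; i <= nz; i++) {
            if (ztls[i] || global_tls) any_tls = 1
            else report("forward-zone " zname[i] ": TLS upstream is off, queries are forwarded in cleartext")
        }
        for (k = 1; k <= na; k++)
            if ((ztls[azone[k]] || global_tls) && index(aval[k], "#") == 0)
                report("forward-addr " aval[k] ": no #auth-name, the certificate name is not checked")
        if (any_tls && bundle == "")
            report("server: tls-cert-bundle is not set, upstream certificates cannot be verified")
        exit (found ? 1 : 0)
    }' "$1"
}

# Constructed sample: the forward-zone from the post above with a server
# clause that sets no tls-cert-bundle.
demo_thread_config() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
server:
    verbosity: 1
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 9.9.9.9@853#dns.quad9.net
EOF
    audit_unbound_dot "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

demo_thread_config || true
```

A clean result needs a `tls-cert-bundle:` line in the `server:` clause pointing at a CA bundle that exists on the router; where that file lives depends on the build.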