Joined: 16 Nov 2015 Posts: 6435 Location: UK, London, just across the river..
Posted: Sat Nov 10, 2018 17:59 Post subject:
Yep, interesting how and what test you used to show us these results...
I managed it, and do like the FFx DNS via DoH option using quad9, and have DNSmasq set to point to 9.9.9.9 and test it with Wireshark, so far so good.. it's using TLS 1.3 and HTTPS for DNS resolving...
but interesting which browser you use now, which test and approach you succeeded with, could you give us more info...
personally I couldn't make it work with Chrome as it goes to its own shit
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55779 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Posted: Sat Nov 10, 2018 21:37 Post subject:
so Sigals, you abandoned getdns and stubby
and you installed unbound via opkg
I know Kong has unbound working on his builds, but what is your router model and current build running?
once I'm back at home I may try it on my R7000 & R7800 as they have unbound working..
but so far I don't have opkg on my lower grade routers or unbound working, especially on BS builds I don't even have DNSSEC ...so I will stick to the FFx option as it seems less sketchy and is working at browser level at least
but yeah, 10x for the info, I'll give it a try on Kong builds these days
Hehe, yea getdns and stubby both seem broken on dd-wrt.
I'm running an Asus RT-N16 DD-WRT v3.0-r35034 big (02/17/1
Appreciate the kind words, hopefully this can help some other people get more privacy.
Alozaros wrote:
so Sigals, you abandoned getdns and stubby
and you installed unbound via opkg
I know Kong has unbound working on his builds, but what is your router model and current build running?
once I'm back at home I may try it on my R7000 & R7800 as they have unbound working..
but so far I don't have opkg on my lower grade routers or unbound working, especially on BS builds I don't even have DNSSEC ...so I will stick to the FFx option as it seems less sketchy and is working at browser level at least
but yeah, 10x for the info, I'll give it a try on Kong builds these days
if you read Sigals' previous post, he explains how to...
if you need to use DNS over TLS there are some other tutorials, I believe Sigals' goal is DoH...
I also couldn't make it work with unbound on my 1043v2 and installed Entware and tried stubby, but without unbound I didn't get anywhere close to working...
for some reason it does not recognize the anchor...
so I bailed out and am still using the Firefox DoH option described above...and it's working...
also noticed in Wireshark that if you use 9.9.9.9 as a DNS it does TLS by default...I can see the TLS 1.2 handshake
But I wonder, if you have an R7800 and can use DNSCrypt instead, what's the point of chasing TLS or DoH as they are not any better???
[root@DD-WRT ~] stubby
[14:46:31.474242] STUBBY: Read config from file /opt/etc/stubby/stubby.yml
[14:46:31.480206] STUBBY: DNSSEC Validation is OFF
[14:46:31.481928] STUBBY: Transport list is:
[14:46:31.483503] STUBBY: - TLS
[14:46:31.485100] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[14:46:31.486694] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[14:46:31.488290] STUBBY: Starting DAEMON....
; <<>> DiG 9.11.5 <<>> @127.0.0.1 -p 5453 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Any advice on where to proceed? Stubby is a clean install, config file is untouched. Still set to use CloudFlare DNS.
_________________
Active devices:
Netgear R7800 - Stock v1.0.2.68
Linksys EA8500 - OpenWRT 19.07.1
ASUS RP-AC68U - 3.0.0.4.382.40019
Thanks a lot for the detailed instructions! When I try to compile getdns with the patch I keep getting an error on the ./configure command that it cannot find my OpenSSL libraries. I have the openssl package installed, and I also tried with different paths under --with-ssl.
Fiddled around with the built-in unbound in BS 39715 a bit.
First managed to get it to work 'as is' by enabling on the setup package. I then created a custom configuration and placed that in /jffs/etc as described in the wiki and enabled a number of security options including 'dns over tls' against Google and OpenDNS.
Seems to work as intended. Only issue I have is that it takes more than 10 minutes after startup to get the WAN IP. Have no idea what the cause is but everything works as intended
_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
Posted: Wed May 15, 2019 7:46 Post subject:
could you give us a step by step guide...?
I tried stubby with DoH but failed to connect...
back in the days with unbound I was having some fun stuff too, it was not always working, but sadly it's not present on low end routers...
The steps I followed to get this to work were:
- Enter an NTP server manually by IP address (not FQDN) on "Setup" and test that it works.
- Enable Unbound on "Setup" and check that the default configuration works. For some reason it took a fairly long time for the router to start up.
- Copy the configuration from /tmp/unbound.conf for editing.
- Add the DNS servers you want to use, like this example, to the bottom of unbound.conf:
- Restart the router.
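The example referred to in the last step did not survive on this page. As an added illustration (not the poster's configuration and not DD-WRT's own code), the Python check below audits an unbound.conf for the three settings DNS-over-TLS forwarding depends on. The two sample configs, the CA bundle path and the function name are constructed for this example, with Quad9 and Cloudflare standing in for whichever resolvers you use.

```python
import re
# Constructed sample configs (not from the thread). The CA bundle path is a
# placeholder; addresses and TLS names are the public Quad9/Cloudflare ones.
WEAK = """
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-addr: 1.1.1.1@853
"""
HARDENED = """
server:
    tls-cert-bundle: "/path/to/ca-bundle.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""

def audit_dot_forwarding(conf_text):
    """Return findings about DoT forwarding in unbound.conf text."""
    bundle, global_tls, zones, findings = False, False, [], []
    for raw in conf_text.splitlines():
        # '#' starts a comment only at line start or after whitespace; inside
        # a forward-addr token it introduces the TLS authentication name.
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        key, sep, value = line.partition(":")
        value = value.strip().strip('"')
        if not sep:
            continue
        if key == "forward-zone":
            zones.append({"tls": False, "addrs": []})
        elif key == "tls-cert-bundle":
            bundle = bool(value)
        elif key in ("tls-upstream", "ssl-upstream"):
            global_tls = value == "yes"
        elif zones and key in ("forward-tls-upstream", "forward-ssl-upstream"):
            zones[-1]["tls"] = value == "yes"
        elif zones and key == "forward-addr":
            zones[-1]["addrs"].append(value)
    if not bundle:
        findings.append("no tls-cert-bundle: upstream certificates cannot be verified")
    for zone in zones:
        if not (zone["tls"] or global_tls):
            findings.append("forward zone does not enable TLS: queries leave in plaintext")
        for addr in zone["addrs"]:
            if not addr.partition("#")[2]:
                findings.append(f"{addr}: no #tls-auth-name to match the certificate against")
    return findings
```

An empty result for the edited file, followed by a Wireshark capture on the WAN side showing TLS to the resolver and no port 53 traffic, confirms the change took effect.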