How to do Encrypt DNS, Static DNS and Pi-hole Co-Op?

skygunner
DD-WRT User


Joined: 28 Dec 2008
Posts: 146

PostPosted: Thu Mar 14, 2019 3:39    Post subject: How to do Encrypt DNS, Static DNS and Pi-hole Co-Op?
If I enable the Encrypt DNS service in the dnsmasq settings, and select one of the encrypted DNS providers in the dropdown list, does this mean the static DNS settings in Setup -> Network Address Server Settings (DHCP) will be ignored?
_________________
[Broadcom]
DIR868L RevA -> r51506
DIR868L RevA -> r51440
Linksys EA6900-> r42819 STD
WL-500gP v2 --->

[Ralink]
DIR-600 Rev.B -> DD-WRT v3.0-r34886


Last edited by skygunner on Thu Mar 14, 2019 3:59; edited 3 times in total
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6291
Location: Texas

PostPosted: Thu Mar 14, 2019 3:43    Post subject: Re: Encrypt DNS in Dnsmasq and Static DNS settings
skygunner wrote:
If I enable the Encrypt DNS service in the dnsmasq settings, and select one of the encrypted DNS providers in the dropdown list, does this mean the static DNS settings in Setup -> Network Address Server Settings (DHCP) will be ignored?

Yes
skygunner
DD-WRT User


Joined: 28 Dec 2008
Posts: 146

PostPosted: Thu Mar 14, 2019 3:51
I had the above question because all the DNS service providers in the Encrypt DNS dropdown list are slow and far from me.

On the other hand, if I have a Pi-hole setup on the network, and it is setting up like this:

Pi-hole uses the gateway IP (DD-WRT) as its DNS server; DD-WRT dnsmasq dhcp-option 6 gives out the Pi-hole IP address (Pi-hole recommended setup, which is method 2).

DD-WRT has Encrypt DNS disabled and has static DNS settings for faster DNS servers like Cloudflare/Google. Dnsmasq options: dnsmasq, local DNS enabled, everything else disabled.

Pi-hole has this settings enabled: DNSSEC

Quote:
Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, Pi-hole requests the DNSSEC records needed to validate the replies. If a domain fails validation or the upstream does not support DNSSEC, this setting can cause issues resolving domains. Use Google, Cloudflare, DNS.WATCH, Quad9, or another DNS server which supports DNSSEC when activating DNSSEC. Note that the size of your log might increase significantly when enabling DNSSEC. A DNSSEC resolver test can be found here.


Would my setup give me both fast dns resolve as well as DNSSEC?
Is DNSSEC same as Encrypt DNS?
Do I need to enable any of the options in dnsmasq settings with my setup?
like
Quote:

Cache DNSSEC data,
Validate DNS Replies (DNSSEC),
Check unsigned DNS replies,
No DNS Rebind,
Query DNS in Strict Order,
Add Requestor MAC to DNS Query?

skygunner
DD-WRT User


Joined: 28 Dec 2008
Posts: 146

PostPosted: Thu Mar 14, 2019 3:58
What are the recommended settings for DD-WRT's network and dnsmasq settings and Pi-hole's settings to take advantage of both sides (and avoid double work on some of the functions)?

Pi-hole and DD-WRT recommended settings, method 2:
https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245
Quote:

2. Advertise Pi-hole's IP address via dnsmasq in the router (if supported)
This method is very similar to method 1, but if your router has an advanced firmware (OpenWRT, DD-WRT, Tomato, etc.), you probably have more options available than what you would find on a stock router purchased from the store.

Rationale
If you have this capability, there are a few benefits:

Per-host tracking on Pi-hole
The ability to resolve hostnames on the LAN
Ad blocking/network monitoring provided by Pi-hole
Setup
On the router, use a custom dnsmasq config entry to advertise the IP of the Pi-hole box. Many firmwares have a section in their respective web GUIs listed under DHCP or DNS for this. The screenshot below was taken from DD-WRT and is only meant to be illustrative:

[screenshot: ddwrt]

The syntax is: dhcp-option=6,IP_of_Pi-hole. This is simply doing what method 1 above is obscuring (setting DHCP option 6).

Example: If Pi-hole is running on a machine whose IP address is 192.168.1.250, this becomes: dhcp-option=6,192.168.1.250

On Pi-hole, log in to the web interface (http://pi.hole) > Settings > DNS and instead of choosing upstream servers like Google or OpenDNS, set the upstream to be the IP address of the router as the only upstream DNS server. Do not define any other DNS entries for Pi-hole:

[screenshot: router]

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6446
Location: UK, London, just across the river..

PostPosted: Thu Mar 14, 2019 14:33
I don't think it's very rational to have them both for DNS services...

A DD-WRT router is fully capable of doing all those things, but you'd need a high-class DD-WRT router that has DNSCrypt on it; also you can either run Privoxy for ad blocking or use script-based ad blocking...
As well, you can use DNSSEC & DNSCrypt at the same time and force your DNS so all clients will use the DNS you've selected; you also have full control over DHCP & DNS via dnsmasq, so Pi-hole is not needed at all unless you want to stick to it and leave all DNS services on it...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
skygunner
DD-WRT User


Joined: 28 Dec 2008
Posts: 146

PostPosted: Thu Mar 14, 2019 17:41
Well, I've been using Privoxy on DD-WRT to block ads for a long time; it worked well, even without enabling JFFS and custom config: https://wiki.dd-wrt.com/wiki/index.php/Privoxy_Custom_Config

I've also been using the simple dnsmasq addn-hosts option to block domains for a long time (but not together with Privoxy); this one-line job is the same as what Pi-hole is actually doing. Well, I wrote a script to pull the various domain blocking lists from GitHub, combine them and feed them to dnsmasq's config file, then restart it. There's even a dnsmasq-fast-lookup fork made for this purpose because the blocking list is really big, like 30,0000 domains blocked.

Both are working well: simple, tidy and cheap, but I want it to be a little better; it's just personal choice.

What Pi-hole brings other than the one-line dnsmasq option:
Quote:
A very easy-to-use web UI to control the blacklist/whitelist; you don't have to go into the script or shell.
A very fast dnsmasq fork (Pihole-FTL), though not as fast as light.
Support for regex in the blacklist; this gives great control, efficiency and ease to block something that was not possible before, and maybe ads on video sites.
A query log to detect/process malicious software/virus requests. I was surprised to find what my printer and security cameras are doing all day.
One click to temporarily turn DNS ad blocking off for a short period of time.
REST API.


Now, regarding letting DD-WRT and Pi-hole both run a DNS service, and whether that is a thing or not:
Having two DNS servers running on the same network doesn't bring problems. Not like DHCP.

And actually DD-WRT's dnsmasq service is doing the DHCP job, and telling the DHCP clients that the DNS server is Pi-hole.
In Pi-hole's settings, I can put in whatever upstream DNS servers I like; it could be Google, Cloudflare, or my DD-WRT (which has either static DNS set or an Encrypt DNS server selected).

Pi-hole's DNS serves all clients except DD-WRT.
DD-WRT's DNS serves only Pi-hole.

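An added example, not code from the thread or from DD-WRT/Pi-hole: a POSIX shell script that does the merge-and-feed step skygunner describes for dnsmasq addn-hosts blocking. The GitHub downloads are replaced by two constructed sample lists so it runs offline, and the /jffs path in the comments is an assumption about where you would keep the file on the router.

```shell
#!/bin/sh
# Build a dnsmasq addn-hosts blocklist from several upstream lists.
# Real lists would be fetched with wget/curl; these two are constructed
# inline so the script runs offline. Note the mixed formats, comments,
# duplicates and the localhost entry that must not end up in the output.
LIST1='# constructed sample list A (hosts-file format)
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 localhost
'
LIST2='Ads.Example.com

metrics.example.org
tracker.example.net
'

# normalize_list: read "IP domain" or bare-domain lines on stdin, drop
# comments, whitespace and the usual localhost names, lower-case the
# result and keep only syntactically valid hostnames, one per line.
normalize_list() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk 'NF==2 {print $2; next} NF==1 {print $1}' |
    tr 'A-Z' 'a-z' |
    grep -vx -e 'localhost' -e 'localhost.localdomain' \
             -e 'broadcasthost' -e 'ip6-localhost' |
    grep -E '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'
}

# build_blocklist: merge the lists given as arguments, dedupe them and
# write a hosts file that dnsmasq loads via addn-hosts. Every blocked
# name resolves to 0.0.0.0 (the Pi-hole style sinkhole answer).
# $1 = output path, remaining args = list contents. Prints the entry count.
build_blocklist() {
  out="$1"; shift
  for l in "$@"; do printf '%s\n' "$l"; done | normalize_list | sort -u |
    awk '{print "0.0.0.0 " $1}' > "$out"
  wc -l < "$out" | tr -d ' '
}

# On DD-WRT (assumed layout): write to /jffs/blocklist.hosts, add
# "addn-hosts=/jffs/blocklist.hosts" under Additional DNSMasq Options,
# then restart dnsmasq so the new file is read.
```

Run it with `build_blocklist /jffs/blocklist.hosts "$LIST1" "$LIST2"` and check the printed count before restarting dnsmasq; a count of zero means the lists failed to parse and you would otherwise silently lose all blocking.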