Posted: Wed May 15, 2019 20:00 Post subject: DNS over TLS or DNS over HTTPS (DoT / DoH)
I have been looking at the request threads for DoT and DoH support since mid-last year (I have also seen some requests on the SVN). I was wondering if there have been any new developments on adding these features into DDWRT (including a GUI).
I believe Stubby is at the forefront with DoT. I believe DNSCrypt-Proxy is at the forefront of DoH.
I tried both on my ASUS Merlin and they were pretty simple. Even the latest Merlin has an integrated GUI for Stubby.
Just waiting for DDWRT! _________________ ASUS RT-AC3200 - Deployed Client's site
ASUS RT-AC5200 - Merlin
ASUS RT-AX88U - Merlin
# forward-addr format must be ip "@" port number "#" followed by the valid public hostname
# in order for unbound to use the tls-cert-bundle to validate the dns server certificate.
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.0.0.1@853#one.one.one.one
forward-addr: 1.1.1.1@853#one.one.one.one
forward-addr: 8.8.4.4@853#dns.google
forward-addr: 8.8.8.8@853#dns.google
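As an added check (not from this thread and not part of unbound), the script below reads a forward-zone like the one above and flags every forward-addr that would still go out unencrypted or unvalidated: forward-tls-upstream not set to yes, no "#hostname" after the address (so unbound has no name to check the certificate against), or no tls-cert-bundle / tls-system-cert in server: to validate with. The sample config is constructed; the 9.9.9.9 entry was added on purpose to show the missing-hostname case.

```python
# Constructed sample: the DoT forward-zone from this thread plus one extra
# forward-addr that deliberately lacks the "#hostname" suffix.
SAMPLE_CONF = """\
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 9.9.9.9@853
"""

def parse_unbound(text):
    """Minimal unbound.conf reader: returns (server options, list of forward-zone dicts)."""
    server, zones, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):   # whole-line comments only, so the
            continue                           # "#hostname" inside a value survives
        if line.endswith(':') and line.count(':') == 1:   # section header, e.g. "forward-zone:"
            current = server if line == 'server:' else {}
            if line == 'forward-zone:':
                zones.append(current)
            continue
        key, _, value = line.partition(':')
        key, value = key.strip(), value.strip().strip('"')
        if key == 'forward-addr':              # repeatable option, keep every address
            current.setdefault(key, []).append(value)
        else:
            current[key] = value
    return server, zones

def audit_forward_zones(text):
    """One finding per forward-addr that would not be both encrypted and validated."""
    findings = []
    server, zones = parse_unbound(text)
    # unbound needs a CA store to validate against: tls-cert-bundle or tls-system-cert
    trust = 'tls-cert-bundle' in server or server.get('tls-system-cert') == 'yes'
    for zone in zones:
        name, tls = zone.get('name', '?'), zone.get('forward-tls-upstream') == 'yes'
        for addr in zone.get('forward-addr', []):
            host = addr.partition('#')[2]      # ip[@port][#hostname]: name checked against the cert
            if not tls:
                findings.append(f'{name}: {addr} is forwarded in cleartext (forward-tls-upstream is not yes)')
            elif not host:
                findings.append(f'{name}: {addr} uses TLS but has no #hostname, so the certificate is not validated')
            elif not trust:
                findings.append(f'{name}: {addr} names {host} but server: sets no tls-cert-bundle or tls-system-cert')
    return findings
```

Run it against /jffs/etc/unbound.conf before rebooting; an empty result means every forwarder is both TLS and name-validated.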
I see "Setup -> Basic Setup -> Network Setup -> Network Address Server Settings (DHCP) -> Recursive DNS Resolving (Unbound)". Is that the part where you can enable Unbound?
Or does simply creating /jffs/etc/unbound.conf automagically start Unbound? _________________ ASUS RT-AC3200 - Deployed Client's site
ASUS RT-AC5200 - Merlin
ASUS RT-AX88U - Merlin
Mike-Lile
Is that a tested configuration on dd-wrt?
I tried something similar; it worked in general, but not in DNS-TLS mode, unfortunately. It is also hard to debug, since switching on logging doesn't seem to work. _________________ Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
I see "Setup -> Basic Setup -> Network Setup -> Network Address Server Settings (DHCP) -> Recursive DNS Resolving (Unbound)". Is that the part where you can enable Unbound?
Yes _________________ Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
According to the latest DD-WRT v3.0-r39827 std (05/20/19), DNSCrypt-Proxy is part of the firmware, and I can confirm that the app is there:
Code:
root@ddwrt-ac3200:~# dnscrypt-proxy
Wed May 22 09:48:43 2019 [ERROR] Error: no resolver name given, no configuration file either.
Wed May 22 09:48:43 2019 [ERROR] The easiest way to get started is to edit the example configuration file
Wed May 22 09:48:43 2019 [ERROR] and to append the full path to that file to the dnscrypt-proxy command.
Wed May 22 09:48:43 2019 [ERROR] Example: dnscrypt-proxy /usr/local/etc/dnscrypt-proxy.conf
Wed May 22 09:48:43 2019 [ERROR] The local list of public resolvers is loaded from: [/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv]
Wed May 22 09:48:43 2019 [ERROR] Consult https://dnscrypt.org for more information about dnscrypt-proxy.
However, I don't see a GUI to enable it. I assume that right now, if I want to use DNSCrypt-Proxy on the router itself, I have to set up my own startup script? _________________ ASUS RT-AC3200 - Deployed Client's site
ASUS RT-AC5200 - Merlin
ASUS RT-AX88U - Merlin
I have a Netgear R7000P.
The BS builds have an option for recursive DNS. Is this encrypted by default, or do I have to alter a config file?
The Kong build (last stable) had dnscrypt-proxy, but the available listed servers don't seem to be up to date.
Wondering about the best way to set it up.
Enabling recursive DNS will not get you encryption by default. The config needs to be altered. I have experimented with this option and it seems to be broken. My router takes about 10 minutes to start after enabling it, without altering the config. _________________ Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339