"DNS over TLS" or "DNS over HTTPS"

DD-WRT Forum, Advanced Networking (page 3 of 4; all times are GMT)
wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 687

Posted: Wed May 15, 2019 8:11
Alozaros wrote:
Could you give us a step-by-step guide...?
I tried stubby with DoH but failed to connect...
Back in the days with unbound I was having some fun stuff too, it was not always working, but sadly it's not present on low-end routers...


The steps I followed to get this to work were:
- Enter an NTP server manually by IP address (not FQDN) on "Setup" and test that it works.
- Enable Unbound on "Setup" and check that the default configuration works. For some reason it took a fairly long time for the router to start up.
- Copy the configuration from /tmp/unbound.conf for editing.
- Add the DNS servers you want to use, like this example, to the bottom of unbound.conf:

# forward every query to these resolvers over TLS (port 853),
# authenticating each one against the name after '#'
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.0.0.1@853#one.one.one.one
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 8.8.4.4@853#dns.google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

- Copy unbound.conf to /jffs/etc

- Restart the router

_________________
AC-68U rev. C1 on Build 41328
AC-68U rev. A1 on Build 40270M
AC-68U rev. A1 on Build 41218
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2910
Location: UK, London, just across the river..

Posted: Wed May 15, 2019 16:21
Thanks; sadly, unbound is present only on my high-grade routers, and I can still use DNSCrypt instead...
But thank you anyway, I'll test it just to see what's on.. I'm more interested in how to set up either stubby or anything else, to be able to use DoH or DoT on lower-grade routers like the 1043v2 for example....

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 ----DD-WRT 41369 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----DD-WRT 41321 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
2x Netgear R7800 -------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,VLAN's,Firewall,Local DNS,DNSCrypt-proxy v2 x2)
Broadcom
Netgear R7000 -------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
vibranto
DD-WRT User


Joined: 30 Apr 2010
Posts: 64

Posted: Fri May 24, 2019 14:09
Originally I posted this in another thread, quoting the post below which had come up in a search, before noticing it was a Broadcom forum etc. etc., so this seems a better forum/thread to add it to...

mbze430 wrote:
I have been looking at the request threads for DoT and DoH support since mid-last year (also seen some requests on the SVN as well). I was wondering if there has been any new development on adding these features to DD-WRT (including a GUI).

I believe Stubby is the spearhead for DoT. I believe DNSCrypt-Proxy is the forefront for DoH.

I tried both on my ASUS Merlin and they were pretty simple. Even the latest Merlin has an integrated GUI for Stubby.

Just waiting for DDWRT!


This describes me to a T.

Except I gave config'ing stubby a shot today on one of my WNDR4300's and it was super straight-forward and worked great.

High-level:
  • Setup USB drive on target router
  • Installed Entware
  • Installed ca-certificates
  • Installed stubby (getdns is auto installed dependency)
  • Added DNSmasq options via the GUI (other ways to do that obviously, scripting etc., depends on your style..):
    no-resolv
    server=127.0.0.1#5453
  • Hard-coded an ntp server IP address
  • Edited /opt/etc/stubby/stubby.yml to my liking (added Google servers to Cloudflare, deleted ipv6)
  • Started stubby &


That was pretty much it. Worked right away.
Can netstat the 853 connections and watch it work away happily.

Was all working WAY easier than I thought.
None of the binary patching or any other fussing required.
Seems super fast although I've not done empirical testing.

At first I just tossed the stubby startup in the router startup script, but I'm trying to cleanse that and keep everything substantial on /jffs or /opt, so then I did it properly and added an init.d script S61stubby as follows
(note: a prior version of this post linked to an example with 'nohup'; apparently the base busybox doesn't support nohup so it was failing)

Code:
#!/bin/sh
export PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func


Probably there's a better way to handle the NTP situation - I see references to making an exception for ntp.pool.org - but I haven't figured it out yet.

Bit surprised this subject isn't more updated - most threads here make this sound like it's still not all sorted out by now. I suspect it's one of those things that guys who tried found worked so easily that they never bothered to go back and mention it.

_________________
Site 1:
Asus AC-RT3200: asuswrt-merlin 384.11_2
Site 2:
Netgear WNDR4300: DD-WRT v3.0-r39800 std
Netgear WNDR3700: DD-WRT v3.0-r39800 std
Site 3:
Netgear WNDR4300: DD-WRT v3.0-r...? std
On-shelf old crap w. DD-WRT:
Buffalo WHR-HP-G300N
Netgear WNDR3300
Linksys WRT54Gv8
Buffalo WBR2-G54S
Plus buncha other old crap


Last edited by vibranto on Sat May 25, 2019 16:55; edited 1 time in total
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1180
Location: Indiana

Posted: Sat May 25, 2019 15:41
vibranto wrote:
I gave config'ing stubby a shot today on one of my WNDR4300's and it was super straight-forward and worked great.

I have been running stubby on the Linux laptop and your post inspired me to try it on the R7800 again.

I have it working now using your guide.
TYVM

_________________
SUPPORTED DEVICES -- DON'T USE ROUTER DATABASE!
--IMPORTANT UPGRADE INFORMATION--Stubby DoT
Qualcomm-Atheros:
R7800 x2 kongat & BS WDS AP & Sta- R7500V2 BS std WDS STA- WNDR3700v4 BS std WDS STA- Nanostation M2 AirOS- LocoM2 AirOS
Broadcom:
R6200v2 kongac WLAN Repeater Archer C9 v1 OEM WAP

DDWRT Policy Based Routing guide by egc
vibranto
DD-WRT User


Joined: 30 Apr 2010
Posts: 64

Posted: Sat May 25, 2019 16:50
That's great...

One note - I'll edit the prior post in a second - the Entware stubby startup script I originally linked above does NOT work. So I had yet another round of debugging an overnight reboot fail.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2910
Location: UK, London, just across the river..

Posted: Fri May 31, 2019 10:57
Is there anyone who is using dnscrypt-proxy2 2.0.23-1 via Entware...
I tried to do it last night on an Atheros unit (1043v2), but I'm not a Linux geek and it was hard to find any configuration guidelines too...
I do have a fully working install of Entware + DNSCrypt v2 + stubby; I tried them both, but it seems I'm missing something. Any step-by-step guides...
As well, how to edit the stubby .yml config file ... I'm very bad at those ... any ideas ...
Thanks in advance!

bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1180
Location: Indiana

Posted: Fri May 31, 2019 14:50
Alozaros wrote:
but it seems I'm missing something; any step-by-step guides

I am not very good at step by step, I will leave something out!

This worked for me to use stubby.
Used this startup script:
Code:
#!/bin/sh
logger -t S61stubby "Starting Stubby DNS over TLS $0"
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func


(The original script had PREARGS="nohup"; @vibranto said busybox did not support that. I think it worked both ways for me.)
Named it S61stubby.sh
Put it in /opt/etc/init.d
Made it executable with chmod +x /opt/etc/init.d/S61stubby.sh using the CLI.

Called it with /opt/etc/init.d/S61stubby.sh start, saved as startup.

Edit stubby.yml using nano (opkg install nano):
nano /opt/etc/stubby/stubby.yml

I also edit using linux text editor "Kate".

I bet if using a Windows text editor you have to eliminate non-Linux line ends.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1157109#1157109

I also saw an issue with having to stop the OVPN client, then call stubby, then restart OVPN. Not sure what was up with that, but I added sleep 6 before the stubby startup command and haven't had another problem.

I use this command from @egc to see port 853 being used.
Code:
watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=853 ' | sort -nrk3"

(might need to use ip_conntrack instead)

Maybe I got it all, hope it works for you.

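The `sleep 6` / `sleep 10` workarounds in the posts above paper over one real dependency: stubby validates the resolver's TLS certificate, and a router without a battery-backed clock boots with a bogus date until NTP has synced, so starting stubby a fixed number of seconds after boot is a race with NTP. The wrapper below waits on the condition itself. It is an added example, not code from this thread or from the Entware package; the function names are mine, `MIN_YEAR` is an assumption (any earlier year is treated as "not synced yet"), and the init script path is the one the thread uses.

```shell
#!/bin/sh
# Added example (not from this thread or the Entware package): start stubby
# only once the router clock is plausible, instead of after a fixed sleep.
# DoT authenticates the resolver with a TLS certificate, and a router with no
# battery-backed clock boots with a bogus date until NTP has synced, so a
# fixed sleep is a race with NTP. Waiting on the clock is the real condition.

MIN_YEAR=${MIN_YEAR:-2019}   # assumption: an earlier year means "NTP has not synced yet"
STUBBY_INIT=${STUBBY_INIT:-/opt/etc/init.d/S61stubby.sh}   # the init script named in the thread

# Succeeds (exit 0) when the current year is at or after MIN_YEAR.
clock_is_sane() {
    [ "$(date +%Y)" -ge "$MIN_YEAR" ]
}

# wait_for_clock SECONDS: poll clock_is_sane once a second for up to SECONDS.
# Exit 0 as soon as the clock is sane, 1 on timeout.
wait_for_clock() {
    limit=${1:-120}
    i=0
    while [ "$i" -lt "$limit" ]; do
        if clock_is_sane; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# start_stubby_when_ready SECONDS: wait for the clock, then run the init script.
# If the clock never syncs, stubby is started anyway (so DNS is not off forever)
# and the function returns 1 so the caller can log or retry.
start_stubby_when_ready() {
    limit=${1:-120}
    if wait_for_clock "$limit"; then
        logger -t S61stubby "clock synced ($(date)), starting stubby"
        "$STUBBY_INIT" start
    else
        logger -t S61stubby "clock not synced after ${limit}s, starting stubby anyway"
        "$STUBBY_INIT" start
        return 1
    fi
}

# Run the real start only when invoked with "start" (e.g. from the DD-WRT startup
# script), so that sourcing this file just defines the functions.
if [ "${1:-}" = start ]; then
    start_stubby_when_ready 120
fi
```

Save it under /opt (for example as /opt/etc/stubby-wait.sh) and call `sh /opt/etc/stubby-wait.sh start` from the DD-WRT startup script in place of the sleep. The NTP server still has to be configured by IP address, as the thread says: before stubby is up nothing on the router can resolve a name, so an NTP hostname would deadlock the whole sequence.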
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1180
Location: Indiana

Posted: Fri May 31, 2019 16:51
bushant wrote:
I will leave something out!

Yip, forgot I was already using 216.239.35.4 as NTP server (time.google.com).
You probably told me to some time back.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2910
Location: UK, London, just across the river..

Posted: Sun Jun 02, 2019 10:10
Thanks, I'll give it a try... and will report..

This will not work, but I can wireshark it I guess?

watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=853 ' | sort -nrk3"

watch: not found

bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1180
Location: Indiana

Posted: Sun Jun 02, 2019 14:40
When I had stubby running on the laptop, wireshark would pick up traffic on port 853.
With stubby running on the router, wireshark does not see that traffic. I don't know wireshark usage well.
netstat or netstat -p catches it intermittently.
Code:
netstat -p
tcp        0      0 38.65.xxx.xxx:45978      one.one.one.one:853     ESTABLISHED 1511/stubby
tcp        0      0 38.65.xxx.xxx:35014      145.100.185.15:853      ESTABLISHED 1511/stubby

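The `watch` one-liner and the `netstat -p` output above both answer the same question: are the router's DNS flows going out on 853, and is anything still leaving on 53? The script below reads the same conntrack table and summarises it, so it works on a build without `watch` and without installing wireshark. It is an added example, not from this thread: the function names are mine, the table lines are constructed (192.0.2.10 stands in for the router's WAN address, 192.168.1.x for the LAN), and the LAN prefix is passed in as an argument.

```shell
#!/bin/sh
# Added example (not from this thread): summarise DNS flows from the kernel
# conntrack table, so you can see whether name resolution leaves the router as
# DoT (port 853) or in clear text (port 53) without "watch" or wireshark.
# It reads the same table as the watch command quoted in the thread and works
# for both /proc/net/nf_conntrack (newer kernels) and /proc/net/ip_conntrack
# (older ones), because it only looks at the dst=/dport= fields of the
# original direction.

# Print the path of whichever conntrack table this kernel exposes; exit 1 if none.
conntrack_table() {
    if [ -r /proc/net/nf_conntrack ]; then
        echo /proc/net/nf_conntrack
    elif [ -r /proc/net/ip_conntrack ]; then
        echo /proc/net/ip_conntrack
    else
        return 1
    fi
}

# dns_flow_summary FILE LAN_PREFIX  ->  "dot853=N lan53=N wan53=N"
#   dot853  flows to port 853: the stubby sessions you expect to see
#   lan53   plaintext port-53 flows whose destination is inside LAN_PREFIX:
#           LAN clients asking dnsmasq on the router, which is fine
#   wan53   plaintext port-53 flows to any other destination: the router itself,
#           or a client bypassing dnsmasq, sending DNS to the internet unencrypted
dns_flow_summary() {
    awk -v lan="$2" '
        {
            dst = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                # the first dst=/dport= pair is the original direction;
                # the second pair is the reply direction, which we ignore
                if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (dport == "853") dot++
            else if (dport == "53") {
                if (index(dst, lan) == 1) lan53++
                else wan53++
            }
        }
        END { printf "dot853=%d lan53=%d wan53=%d\n", dot, lan53, wan53 }
    ' "$1"
}

# write_sample_conntrack FILE: a constructed table (not a real capture), one line
# per case. The last line uses the older ip_conntrack layout to show that both
# parse the same way.
write_sample_conntrack() {
    cat > "$1" <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=1.1.1.1 sport=45978 dport=853 src=1.1.1.1 dst=192.0.2.10 sport=853 dport=45978 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=51234 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=51234 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.21 dst=8.8.8.8 sport=40000 dport=53 [UNREPLIED] src=8.8.8.8 dst=192.168.1.21 sport=53 dport=40000 mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.10 dst=9.9.9.9 sport=40001 dport=53 [UNREPLIED] src=9.9.9.9 dst=192.0.2.10 sport=53 dport=40001 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=9.9.9.9 sport=35014 dport=853 src=9.9.9.9 dst=192.0.2.10 sport=853 dport=35014 [ASSURED] use=1
EOF
}

# Stand-alone use: "sh dns-flows.sh 192.168.1." prints the sample summary and,
# on a router, the live table. With no argument only the functions are defined.
if [ -n "${1:-}" ]; then
    tmp=$(mktemp)
    write_sample_conntrack "$tmp"
    echo "sample: $(dns_flow_summary "$tmp" "$1")"
    rm -f "$tmp"
    if table=$(conntrack_table); then
        echo "live:   $(dns_flow_summary "$table" "$1")"
    fi
fi
```

On the sample the summary is `dot853=2 lan53=1 wan53=2`: the two wan53 flows are the router itself (192.0.2.10) and a LAN client (192.168.1.21) sending plaintext DNS straight to the internet, which is exactly the traffic a working stubby setup should make disappear. A non-zero `wan53` on a live router is the thing to chase, and the `[UNREPLIED]` marker on those lines means the packets went out but nothing answered.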
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2910
Location: UK, London, just across the river..

Posted: Mon Jun 03, 2019 20:46
bushant wrote:
When I had stubby running on the laptop, wireshark would pick up traffic on port 853.
With stubby running on the router, wireshark does not see that traffic. I don't know wireshark usage well.
netstat or netstat -p catches it intermittently.
Code:
netstat -p
tcp        0      0 38.65.xxx.xxx:45978      one.one.one.one:853     ESTABLISHED 1511/stubby
tcp        0      0 38.65.xxx.xxx:35014      145.100.185.15:853      ESTABLISHED 1511/stubby


So far I think I made it work; it comes out on netstat -p as you said, intermittently, and I can see it in top too.

What I did so far, step by step, is:
"for Atheros-based non-dual-core routers"

turn on USB and mount it on /opt
cd /opt (click enter)
wget http://bin.entware.net/mipssf-k3.4/installer/generic.sh (click enter)
sh generic.sh (click enter)

opkg update (click enter)
opkg upgrade (click enter)
opkg install ca-certificates (click enter)
opkg update (click enter)
opkg install stubby (click enter)
opkg update (click enter)
opkg install nano (click enter)

then type:
nano /opt/etc/init.d/S61stubby.sh
paste this script:

#!/bin/sh
logger -t S61stubby "Starting Stubby DNS over TLS $0"
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func

then press
(ctrl+x)
(click Y)
(click enter)

then type
chmod +x /opt/etc/init.d/S61stubby.sh

then type:
nano /opt/etc/stubby/stubby.yml
(click enter)

Edit to your preferences; I used this one, you can compare and edit your script:
DO NOTICE ON THIS SCRIPT SPACING IS CORRUPTED IF YOU INTEND TO COPY PASTE TO STUBBY

resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853


then press
(ctrl+x)
(click Y)
(click enter)


Finally, I added these to the startup script via the GUI:

sleep 10
/opt/etc/init.d/rc.unslung start ---- add this if you have other startup things running as well

/opt/etc/init.d/S61stubby.sh start ---- add this line if you want to start only stubby

and these to advanced DNSmasq:
no-resolv
server=127.0.0.1#5453

Finally, make sure you have a decent NTP time server selected in the main DD-WRT GUI; I use a Google NTP time server, 216.239.35.12 or 216.239.35.8


Thanks for the help and guidelines ....
P.S. Sadly I couldn't find how to check 9.9.9.9; I ended up using 1.1.1.1 cloudflare-dns.com instead of Quad9 to test that it's working and using TLS... (God knows how much, as I still see standard DNS requests in wireshark)

https://1.1.1.1/help

More info about the Stubby default config and upstream servers:
https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example



Last edited by Alozaros on Mon Sep 09, 2019 10:06; edited 11 times in total
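The post above warns that the spacing of its stubby.yml gets mangled when pasted, and the settings that decide whether DoT protects you at all (`tls_authentication`, a `tls_auth_name` per upstream, TLS as the only transport, a loopback listen address) are easy to get wrong the same way. The checker below tests exactly those points before you restart stubby. It is an added example, not from this thread or the stubby project: the function names are mine, it understands only the flat layout used in the thread's config (not YAML in general), and both sample configs are constructed, the "good" one being the thread's layout and the "weak" one carrying the mistakes the checker exists to catch.

```shell
#!/bin/sh
# Added example (not from this thread or the stubby project): lint a stubby.yml
# before restarting stubby. The checks:
#   - tls_authentication must be GETDNS_AUTHENTICATION_REQUIRED, otherwise any
#     resolver that answers on 853 is accepted without checking who it is
#   - every upstream must carry a tls_auth_name to authenticate against
#   - dns_transport_list must contain only GETDNS_TRANSPORT_TLS (no UDP/TCP fallback)
#   - listen_addresses should be loopback, so the router is not an open resolver
# It understands only the flat layout used in the thread's config, not YAML in general.

# check_stubby_yml FILE: exit 0 if every check passes; otherwise print each
# failure on its own line and exit 1.
check_stubby_yml() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                   # comments and blank lines
        $1 == "tls_authentication:" { auth = $2 }
        $1 == "dns_transport_list:" { in_transports = 1; in_listen = 0; next }
        $1 == "listen_addresses:"   { in_listen = 1; in_transports = 0; next }
        in_transports && $1 == "-" {
            if ($2 != "GETDNS_TRANSPORT_TLS") fail = fail "transport " $2 " allows plaintext DNS\n"
            next
        }
        in_listen && $1 == "-" {
            if ($2 !~ /^(127\.|::1@|::1$)/) fail = fail "listen address " $2 " is not loopback\n"
            next
        }
        { in_transports = 0; in_listen = 0 }             # any other line ends a list
        $1 == "-" && $2 == "address_data:" {
            if (cur != "" && !named) fail = fail "upstream " cur " has no tls_auth_name\n"
            cur = $3; named = 0; upstreams++
        }
        $1 == "tls_auth_name:" { named = 1 }
        END {
            if (cur != "" && !named) fail = fail "upstream " cur " has no tls_auth_name\n"
            if (upstreams == 0) fail = fail "no upstream_recursive_servers defined\n"
            if (auth != "GETDNS_AUTHENTICATION_REQUIRED")
                fail = fail "tls_authentication is \"" auth "\", not GETDNS_AUTHENTICATION_REQUIRED\n"
            if (fail != "") { printf "%s", fail; exit 1 }
        }
    ' "$1"
}

# write_stubby_sample FILE good|weak: two constructed configs. "good" is the
# thread's layout; "weak" has the mistakes the checker is there to catch.
write_stubby_sample() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
listen_addresses:
  - 127.0.0.1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
EOF
    else
        cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
tls_authentication: GETDNS_AUTHENTICATION_NONE
listen_addresses:
  - 0.0.0.0@53
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_port: 853
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
    tls_port: 853
EOF
    fi
}

# Stand-alone use: "sh check-stubby.sh /opt/etc/stubby/stubby.yml"
if [ -n "${1:-}" ]; then
    check_stubby_yml "$1"
fi
```

Wire it in front of the restart, for example `check_stubby_yml /opt/etc/stubby/stubby.yml && /opt/etc/init.d/S61stubby.sh restart`, so a pasted config that silently downgraded to `GETDNS_AUTHENTICATION_NONE` or grew a UDP fallback never goes live. The weak sample produces four failure lines: the non-loopback listen address, the UDP transport, the 1.1.1.1 upstream with no `tls_auth_name`, and the authentication setting.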
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2910
Location: UK, London, just across the river..

Posted: Tue Jun 11, 2019 23:03
I cannot state that stubby is fully working, or at least prove it...
On wireshark I do not see anything going out via port 853 or coming back to it, or the listening port...
I also do have standard DNS hits in wireshark, which leads me to believe that this stubby is not working as intended or I'm doing it wrong; the only thing that comes out of it is, my DNS is swapped with
1.1.1.1 and I see TLS is used in this https://1.1.1.1/help test, and I can see stubby from the router side (netstat -p) and in the router's Active IP Connections..... I can see 1.1.1.1 is connected to 853,
and all the DNS port 53 - router IP are dns UNREPLIED, and have the listening port connected to 127.0.0.1, but the actual results are different...

P.S. It seems there is a great confusion: as I capture the frames on my wi-fi, DNS there is not TLS encrypted,
but it seems those DNS frames on my router's end are TLS encrypted, so I guess I was sniffing at the wrong end;
I'll try to install wireshark and check the router's end to confirm..., but so far if I have to rely on
the Active IP Connections results & the https://1.1.1.1/help test, stubby is working... I guess...

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2910
Location: UK, London, just across the river..

Posted: Wed Jun 12, 2019 17:42
OK.. on the router I ended up installing tcpdump instead of wireshark... I can confirm I didn't see any hits on port 53 (DNS) in or out of eth0; all goes to port 853 as intended, so clearly it's working as it is...
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1180
Location: Indiana

Posted: Wed Jun 12, 2019 18:05
What might a firewall rule look like to drop/reject traffic to/from port 53?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2910
Location: UK, London, just across the river..

Posted: Wed Jun 12, 2019 19:47
bushant wrote:
What might a firewall rule look like to drop/reject traffic to/from port 53?


Don't know, I tried a few to no avail...
Tried something like that too:
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -I PREROUTING -i br0 -p udp --dport 853 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 853 -j DNAT --to `nvram get lan_ipaddr`

But the first 2 rules remain after restart; it seems there is no way to block it with simple rules either:

iptables -I FORWARD -p tcp --dport 53 -j DROP
iptables -I FORWARD -p udp --dport 53 -j DROP

But I noticed if you mess with port 53 then there is no NTP on router start, and then stubby is not working and no DNS at all...

The good thing is, with tcpdump -i eth0 I don't see any hits on port 53 at all, all goes via 853;
as well, you can see in Active IP Connections in the GUI that DNS port 53 are UNREPLIED, and the port for stubby is listening...

So far I'm happy with stubby; it seems to work with the setup above...
Was thinking to get dnscrypt instead, but not much info and my previous tries were not successful...
Will see, need to read more about it...

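bushant asked what a rule to drop port 53 might look like, and the rules tried above mix `-D` (delete) with `-I` (insert), which is why the first two "remain" after a restart: they are the redirect rules DD-WRT's own Forced DNS feature inserts. The script below is an added example, not from this thread or from DD-WRT, of the three layers a working DoT router wants: redirect LAN clients' plaintext DNS to dnsmasq (the thread's two DNAT rules, inserted rather than deleted), reject anything still forwarded to the WAN on port 53, and reject plus log the router's own plaintext DNS so a dnsmasq misconfiguration shows up in syslog instead of leaking silently. The function names and the `DRY_RUN` switch are mine; the nvram variable names `lan_ifname` and `wan_iface` in the stand-alone call are an assumption about DD-WRT and should be checked on your build.

```shell
#!/bin/sh
# Added example (not from this thread or DD-WRT): firewall rules that keep DNS
# on the DoT path once dnsmasq forwards to stubby. Three layers:
#   1. LAN clients that hardcode 8.8.8.8 or similar get their port-53 traffic
#      redirected to dnsmasq on the router (the thread's DNAT rules, inserted)
#   2. anything still forwarded to the WAN on port 53 is rejected
#   3. the router's own processes may not send plaintext DNS to the WAN; an
#      attempt is logged, so a misconfiguration (dnsmasq not forwarding to
#      127.0.0.1#5453) is visible in syslog instead of leaking silently
# Nothing touches port 853, and nothing here breaks NTP as long as the NTP
# server is configured by IP address, as the thread recommends.

DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the iptables commands instead of running them

# rule ARGS...: run iptables, or echo the command in dry-run mode.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# apply_dns_rules LAN_IF WAN_IF LAN_IP
apply_dns_rules() {
    lan_if=$1; wan_if=$2; lan_ip=$3
    for proto in udp tcp; do
        # 1. force LAN clients' plaintext DNS to dnsmasq on the router
        rule -t nat -I PREROUTING -i "$lan_if" -p "$proto" --dport 53 -j DNAT --to "$lan_ip"
        # 2. defence in depth: no forwarded plaintext DNS reaches the WAN
        rule -I FORWARD -o "$wan_if" -p "$proto" --dport 53 -j REJECT
        # 3. the router itself: reject, then insert a rate-limited LOG rule in
        #    front of it (-I puts each new rule at the top, so LOG runs first)
        rule -I OUTPUT -o "$wan_if" -p "$proto" --dport 53 -j REJECT
        rule -I OUTPUT -o "$wan_if" -p "$proto" --dport 53 -m limit --limit 6/min -j LOG --log-prefix "DNS-LEAK: "
    done
}

# Stand-alone use on the router: "sh dns-firewall.sh apply". The nvram variable
# names are an assumption about DD-WRT; adjust for your build. Without the
# argument only the functions are defined.
if [ "${1:-}" = apply ]; then
    apply_dns_rules "$(nvram get lan_ifname)" "$(nvram get wan_iface)" "$(nvram get lan_ipaddr)"
fi
```

Put the `apply_dns_rules` call in the DD-WRT firewall script rather than the startup script, so the rules are re-added whenever the firewall is rebuilt. Running it with `DRY_RUN=1 sh dns-firewall.sh apply` prints the eight commands so you can review them first. The caveat the thread found the hard way still applies: with layer 3 in place the router cannot resolve anything until stubby is listening, so the NTP server and anything else the startup sequence needs must be addressed by IP, and a `DNS-LEAK:` line in syslog means some process on the router is trying to resolve around dnsmasq.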