How To Guide: Encrypt DNS on your WRT

NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 39

PostPosted: Wed May 22, 2019 1:35    Post subject: How To Guide: Encrypt DNS on your WRT
----------------------------------------------------------------------------------
Updates

04/26/20: If Cloudflare's DoT checker is not verifying encrypted DNS

Cloudflare's DNS over TLS checker has recently been unable to verify if DoT is set up for me using multiple routers with different firmwares (DD-WRT and Merlin).

The easiest way to verify it is to disable NTP and reboot your router. Your router must have the correct time for DoT to work. If DNS stops working, then you can be reasonably sure that DoT is set up correctly.

The other option that will truly verify it is by plugging a switch in between your modem and the router and running Wireshark on another device on the same switch. Filter it down to port 853. It is working if DNS queries are going out of port 853.

04/19/20: Updated for unbound v1.10.0

- unbound.conf should be stored in /jffs/unbound
- Additional files needed (updates in Configuration steps 1-5)

Thanks, tinkeruntilitworks!
Source: Unbound DNS over TLS Adblock up-to-date root.hints

----------------------------------------------------------------------------------

I recently just got DNS over TLS (DoT) set up on my WRT1900AC. Here's a guide on how I got it set up. If nothing works, it's completely reversible by unchecking Recursive DNS Resolving (Unbound) on the Setup page.

This works successfully on a WRT1900AC v1 with Firmware Version r39572. This will probably work on other models as well, especially those of the WRT type, but I have not tested them.

GUI Settings

1. Set a time server by IP Address

DoT requires that your time be set correctly, otherwise nothing can be validated and the DNS server gets all fussy. Since you need DNS to resolve a domain name, you have to use an IP address of a time server.

Check the NIST International Time Server List for one that will work for you. This must work on boot-up, so try out a few to see which ones respond right away. For me, 128.138.141.172 (utcnist2.colorado.edu) worked great.

2. Enable Recursive DNS Resolving (Unbound)

On your Setup page, check the "Recursive DNS Resolving (Unbound)" box under DHCP.



When you check this box, you're effectively giving control over from DNSMasq to Unbound for your DNS queries. Wanna know more about Unbound? The nice folks on the DD-WRT Wiki made this handy dandy guide.

3. Get a JFFS share set up

You'll need this to save your Unbound configuration file permanently, but it can also be used to install Entware.

Head over to the Administration page and check "Enable" under JFFS2 Support for Internal Flash Storage and check "Clean internal flash storage." Once you do this, reboot your router. You should now have JFFS space available. The router will automatically uncheck the "Clean internal flash storage" option after the reboot to prevent clearing all of your JFFS space every time you reboot.



Command Line Settings

Now's the fun part where you get to play around as root in Bash. How often do you get to do that without needing to document why you made every keystroke to some 450-question million-dollar documentation system that asks you if you're really really really sure you copied and pasted a 32kb text document correctly? At home where you can break your own shit without consequence, that's when.

Go ssh into your router as root.

1. Create a new file

Run the below script to create a new file.
Code:
cd /tmp
touch yourmom

lol

2. Install Entware

Follow this guide to get it installed.

The preferred method is to plug a USB stick into the back of the router and install Entware there. If you're lazy like me, you have plenty of extra Flash storage available to do this.

If you go the flash route, remember that it has a limited write life and was not designed for write-heavy applications. You'll probably never write to it enough to get to that point, but keep that in mind if you decide to install additional software on it.

Important Note: If your JFFS space is mounted in flash, you'll need to mount it to /opt before installing Entware. Do that with this script.

Code:
mkdir /jffs/opt
mount -o bind /jffs/opt /opt

The first line creates a new directory called opt in JFFS. This is where all of your stuff will get written. The second mounts it to /opt where Entware is looking during the install. This forces Entware to install to the internal flash JFFS.

Configuring Unbound

A temporary configuration file for Unbound has been created for you already. You just need to make a few slight modifications to it and save it as a permanent file.

1. Create the unbound directory in JFFS

Unbound will look for a permanent configuration file here, if it exists.

Code:
mkdir /jffs/unbound


2. Copy the pre-made Unbound config file to /jffs/unbound

Self-explanatory.

Code:
cp /etc/unbound/unbound.conf /jffs/unbound


3. Download root hints
(Credit: tinkeruntilitworks)

Code:
curl -sS --output /jffs/unbound/root.hints https://www.internic.net/domain/named.cache


4. Copy the root key
(Credit: tinkeruntilitworks)

Code:
cp /etc/unbound/root.key /jffs/unbound


5. Edit the unbound configuration file to use DNS over TLS

You'll have to do this through.....vi. Yes, I know. It's weird if you haven't used it. Look, it's not that bad. It's just from a different time! I'll walk you through it. It's going to be okay.

Code:
vi /jffs/unbound/unbound.conf

Here's all you need to know.

1. Hit 'i' to start inserting and writing text. Navigate with the arrow keys (it's all you'll need with how small this is)
2. When you're done, hit 'esc'
3. Type ':', then hit 'wq'. This means write the changes and quit.

Use the below unbound.conf as a template. You'll need to edit the locations of chroot, directory, and root-hints. You'll also be adding a few different lines under forward-zone:.

Lines under forward-zone: tell Unbound that you'd like to use DNS over TLS, and give it the DNS servers that you'd like to use. Copy these verbatim. If you would like to use other DNS servers or want to know more about what these settings are doing, check out this more detailed guide.

Code:
server:
    tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
    verbosity: 1
    interface: 0.0.0.0@7053
    interface: ::0@7053
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    msg-buffer-size: 8192
    msg-cache-size: 1m
    num-queries-per-thread: 30
    rrset-cache-size: 2m
    infra-cache-numhosts: 200
    username: ""
    pidfile: "/var/run/unbound.pid"
    chroot: "/jffs/unbound"
    directory: "/jffs/unbound"
    # must be the file saved in Configuration step 3
    root-hints: "/jffs/unbound/root.hints"
    hide-version: yes
    hide-identity: yes
    prefetch: yes
    target-fetch-policy: "2 1 0 0 0 0"
    harden-short-bufsize: yes
    harden-large-queries: yes
    key-cache-size: 100k
    neg-cache-size: 10k
    num-threads: 2
    so-reuseport: yes
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2
    outgoing-range: 462
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    local-data: "localhost A 127.0.0.1"
    # local-data needs the record type, "A" for an IPv4 address
    local-data: "DD-WRT A 192.168.1.1"
python:
remote-control:
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # the name after # is what the upstream's TLS certificate is checked against
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com



You should now be all set. Reboot your router and give it a whirl. If successful, you will be able to access the internet and also pass the Cloudflare DNS over TLS test.



Troubleshooting

Literally no website works

1. Check that your time server is successfully setting your time. Syslog will be your friend here.

2. Make sure that your time zone is set correctly

3. Make sure that you spelled the name of the DNS servers after the # correctly in your unbound config file

4. Check that your CA certificate bundle is actually there

5. Check that your unbound.conf file points to your CA certificate bundle and that you didn't misspell anything while fiddling around in vi

Remember: you can always go back by unchecking Recursive DNS Resolving (Unbound) on the Setup page. If nothing is working right and you can't figure it out, simply turn it off and let DNSMasq take over. Grab a drink and take a whack at it tomorrow. Unless you're Edward Snowden or Jason Bourne, you can live another day with someone potentially knowing how many times your IP address visited that kinky site that day.

Cloudflare can't verify if DNS over TLS is working

From what I can tell, you need to use Cloudflare's DNS server for it to verify. Once you have it all verified and are certain that DNS over TLS is set up properly, you can use any DNS server that supports DNS over TLS.

Alternatively, you can use Wireshark between your modem and router to review your DNS queries. If your DNS queries are going out over port 853, then congratulations! It's set up!


Last edited by NBA Jam on Mon Apr 27, 2020 4:48; edited 25 times in total
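A helper for the Configuration steps in the guide above, added here as an example and not part of NBA Jam's post: it writes the unbound.conf template with chroot, directory and root-hints all under one directory (the guide's /jffs/unbound) and checks that directory for the mistakes the troubleshooting list points at before you reboot. The function names and the empty root.key/root.hints placeholders in the demo are assumptions; on the router those files come from /etc/unbound and internic.net.

```shell
#!/bin/sh
# Added helper, not part of the guide. Assumed layout: every unbound file lives
# in one directory (the guide uses /jffs/unbound).

# write_unbound_conf DIR LAN_CIDR ROUTER_IP: chroot, directory and root-hints all
# point inside DIR; '#cloudflare-dns.com' is the name unbound checks the cert against.
write_unbound_conf() {
    dir=$1; lan=$2; router=$3
    cat > "$dir/unbound.conf" <<EOF
server:
    tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
    verbosity: 1
    interface: 0.0.0.0@7053
    interface: ::0@7053
    username: ""
    pidfile: "/var/run/unbound.pid"
    chroot: "$dir"
    directory: "$dir"
    root-hints: "$dir/root.hints"
    hide-version: yes
    hide-identity: yes
    prefetch: yes
    access-control: 127.0.0.0/8 allow
    access-control: $lan allow
    local-data: "localhost A 127.0.0.1"
    local-data: "DD-WRT A $router"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
}

# check_unbound_dir DIR -> 0 when the conf, root.key and the root-hints file the
# conf really names exist, TLS forwarding is on, and every forward-addr carries a
# '#hostname' (without one unbound encrypts but does not authenticate the upstream).
check_unbound_dir() {
    dir=$1; conf=$dir/unbound.conf; rc=0
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    [ -f "$dir/root.key" ] || { echo "missing $dir/root.key"; rc=1; }
    hints=$(sed -n 's/^[[:space:]]*root-hints:[[:space:]]*"\(.*\)".*/\1/p' "$conf")
    [ -n "$hints" ] && [ -f "$hints" ] || { echo "root-hints '$hints' not found"; rc=1; }
    grep -q '^[[:space:]]*forward-tls-upstream:[[:space:]]*yes' "$conf" \
        || { echo "forward-tls-upstream is not yes"; rc=1; }
    n=$(grep -c '^[[:space:]]*forward-addr:' "$conf" || true)
    [ "$n" -gt 0 ] || { echo "no forward-addr lines"; rc=1; }
    grep '^[[:space:]]*forward-addr:' "$conf" | grep -v '@853#' \
        && { echo "forward-addr above lacks @853#authname"; rc=1; }
    return $rc
}

# Stand-alone demo in a scratch directory with empty placeholder files.
demo=$(mktemp -d)
touch "$demo/root.key" "$demo/root.hints"
write_unbound_conf "$demo" 192.168.1.0/24 192.168.1.1
check_unbound_dir "$demo" && echo "$demo looks ready for reboot"
```

On the router, point it at /jffs/unbound after steps 1-4 and it will flag the named.cache/root.hints mismatch or a missing auth name before unbound ever tries to start.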
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 934
Location: Appalachian mountains, USA

PostPosted: Thu May 23, 2019 2:28
Easy question: You say to check "Clean internal flash storage", but you show a screen shot with it unchecked. Which is it?

I don't really understand what this does. Does cleaning (like with a cloth?) mean the contents of flash gets wiped every time the router boots? Sounds counterproductive. Or does it only get cleaned the first time you click the button?

_________________
Five Linksys WRT1900ACSv2's on 42926, 44048
VLANs, multiple VAPs, NAS, client-mode travel router, OpenVPN client/PBR (AirVPN), wireguard/PBR (AzireVPN), two DNSCrypt servers (incl Quad9) routed through OpenVPN.
NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 39

PostPosted: Thu May 23, 2019 2:40
SurprisedItWorks wrote:
Easy question: You say to check "Clean internal flash storage", but you show a screen shot with it unchecked. Which is it?

I don't really understand what this does. Does cleaning (like with a cloth?) mean the contents of flash gets wiped every time the router boots? Sounds counterproductive. Or does it only get cleaned the first time you click the button?


When you check it the first time and reboot, all of the extra writeable space will be cleared and the router will automatically uncheck the "Clean JFFS" option for you. It's basically a one-and-done thing. The screenshot you see is after the router has already rebooted (and after I already added all the files, but if successful you should see space available like in the screenshot).

When you first create it, you must first clean it. Unfortunately I don't know why. I haven't tried doing so without cleaning it as I initially followed these instructions the first time. You can give it a try and see what's there in the JFFS space before it's cleaned, I'd be curious what's there.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 934
Location: Appalachian mountains, USA

PostPosted: Thu May 23, 2019 13:34
Thanks for that very clear explanation and, indeed, for this whole thread. As the DNSMasq config button - Encrypt DNS I think it was labeled - to enable DNSCrypt and offer up a menu of DNS servers that support DNSCrypt has disappeared in recent releases for our Linksys/Marvell WRT* routers, your DNS-over-TLS work may prove to be really valuable to our community. I wish going the DNS-over-TLS route didn't require dealing with jffs and entware and opkg, but meanwhile you have created a clean guide to wading through all that.
NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 39

PostPosted: Thu May 23, 2019 22:34
SurprisedItWorks wrote:
Thanks for that very clear explanation and, indeed, for this whole thread. As the DNSMasq config button - Encrypt DNS I think it was labeled - to enable DNSCrypt and offer up a menu of DNS servers that support DNSCrypt has disappeared in recent releases for our Linksys/Marvell WRT* routers, your DNS-over-TLS work may prove to be really valuable to our community. I wish going the DNS-over-TLS route didn't require dealing with jffs and entware and opkg, but meanwhile you have created a clean guide to wading through all that.


Sure thing, no problem at all. It's great practice for my day job :)

When DNSCrypt stopped being supported in DD-WRT, I wanted to learn a little more about DNS over TLS and how to make it work using what is available today. Overall it's not nearly as difficult as I thought it would've been. I found it basically boiled down to learning how to use Unbound and how to store stuff permanently on the router.
NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 39

PostPosted: Sat May 25, 2019 0:08
One issue I've run into with Unbound is the configuration I'm using does not work with a VPN. I'll research that and figure out how to get the VPN interface to work.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 934
Location: Appalachian mountains, USA

PostPosted: Sat Jun 01, 2019 17:35
Disregard this post. I had missed that the new config needed to be saved into /jffs/etc and that unbound would find it there!
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 345

PostPosted: Fri Dec 20, 2019 22:30
NBA Jam wrote:
When DNSCrypt stopped being supported in DD-WRT, I wanted to learn a little more about DNS over TLS and how to make it work using what is available today. Overall it's not nearly as difficult as I thought it would've been. I found it basically boiled down to learning how to use Unbound and how to store stuff permanently on the router.


Interesting that you're saying that dnscrypt is no longer supported even though I have a dnscrypt option on the services page. That said, I've never been able to get dnscrypt to work reliably. I tried again today on firmware r41664 on a WRT3200ACM but I have no dns resolution.
7heblackwolf
DD-WRT Novice


Joined: 21 Nov 2019
Posts: 43

PostPosted: Fri Dec 27, 2019 18:54
Thanks in advance for the guide, it's nice for new people or people not used to dealing with a terminal.

In my case, I've installed Entware in jffs successfully and set everything as mentioned, but once that is done, I completely lose web navigation.

Following your troubleshooting didn't help in my case. Followed the guide another 3 times in case I missed something, but no. Tried usb and then jffs just in case. Ironically, the web page of cloudflare that I left ready to test shows (without domain resolution) that DNSSEC works lol.

I know that once unbound is enabled, DNS is completely delegated, but just in case, disabled "Cache DNSSEC data", "Validate DNS Replies (DNSSEC)" and "Check unsigned DNS replies" in DNSmasq options. No clue.

This is the relevant info that syslog shows:
Quote:
>>>> Dec 27 15:38:24 darkness daemon.debug process_monitor[2300]: Restarting unbound (time sync change)
>>>> Dec 27 15:38:24 darkness user.info : unbound : recursive dns resolver daemon successfully started
>>>> Dec 27 15:38:27 darkness user.info : unbound : recursive dns resolver daemon successfully started


Also reverted to a "stable" (r40559) version to ensure nothing new was messing in the middle. Model is WRT3200ACM.

Any suggestions?

_________________
Linksys WRT3200ACM
Firmware: DD-WRT v3.0-r41954 std (01/09/20)

Dnsmasq / Unbound / VAP / DNSCrypt / DNSSEC / QoS WAN.HTB.FQ_CODEL_FAST (custom netmask and svc) / Custom port setups for subnet delegation

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7213
Location: Texas, USA

PostPosted: Fri Dec 27, 2019 19:19
40559 is not 'stable'. Don't use the router database, it's not reliable or correct 100% of the time. You may want to check the build threads to see if, perchance, 41791 is good on your router.
_________________
Official Forum Rules, Guidelines, and Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware?
DON'T use Chromium-based browsers • RTFM/STFW - TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum.

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net
7heblackwolf
DD-WRT Novice


Joined: 21 Nov 2019
Posts: 43

PostPosted: Fri Dec 27, 2019 19:50
kernel-panic69 wrote:
40559 is not 'stable'. Don't use the router database, it's not reliable or correct 100% of the time. You may want to check the build threads to see if, perchance, 41791 is good on your router.


For me, with my settings and usage, it is stable.
Apart from the hating, any advice about my question?
Thanks


kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7213
Location: Texas, USA

PostPosted: Fri Dec 27, 2019 20:44
I don't know why unbound is restarting like that, I would have to look through a ton of commits to see why that is happening... don't recall seeing that issue in latest builds. But there has been a ton of things going on. I guess this is where I should ask, "Which build did you revert from?"....
7heblackwolf
DD-WRT Novice


Joined: 21 Nov 2019
Posts: 43

PostPosted: Sat Dec 28, 2019 20:24
kernel-panic69 wrote:
I don't know why unbound is restarting like that, I would have to look through a ton of commits to see why that is happening... don't recall seeing that issue in latest builds. But there has been a ton of things going on. I guess this is where I should ask, "Which build did you revert from?"....


You can appreciate that piece of data that I've carefully put in my signature.


jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 91

PostPosted: Thu Apr 23, 2020 23:44    Post subject: Re: How To Guide: Encrypt DNS on your WRT
NBA Jam wrote:
04/19/20: Updated for unbound v1.10.0

- unbound.conf should be stored in /jffs/unbound
- Additional files needed


Is it possible to show your /jffs/unbound/unbound.conf file, pasted here?

thanks
NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 39

PostPosted: Mon Apr 27, 2020 1:20    Post subject: Re: How To Guide: Encrypt DNS on your WRT
jauch888888 wrote:
NBA Jam wrote:
04/19/20: Updated for unbound v1.10.0

- unbound.conf should be stored in /jffs/unbound
- Additional files needed


Is it possible to show your /jffs/unbound/unbound.conf file, pasted here?

thanks


Yep, check the post now and you'll see it.

_________________
How-to: Encrypt your queries with DNS over TLS