How To Guide: Encrypt DNS on your WRT

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Author Message
NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 27

PostPosted: Wed May 22, 2019 1:35    Post subject: How To Guide: Encrypt DNS on your WRT Reply with quote
I recently just got DNS over TLS set up on my WRT1900AC. Here's a guide on how I got it set up. If nothing works, it's completely reversible by unchecking Recursive DNS Resolving (Unbound) on the Setup page.

This works successfully on a WRT1900AC v1 with Firmware Version r39572. This will probably work on other models as well, especially those of the WRT type, but I have not tested them.

GUI Settings

1. Set a time server by IP Address

DNS over TLS requires that your time be set correctly, otherwise nothing can be validated and the DNS server gets all fussy. Since you need DNS to resolve a domain name, you have to use an IP address of a time server.

Check the NIST International Time Server List for one that will work for you. This must work on boot-up, so try out a few to see which ones respond right away. For me, 128.138.141.172 (utcnist2.colorado.edu) worked great.

2. Enable Recursive DNS Resolving (Unbound)

On your Setup page, check the "Recursive DNS Resolving (Unbound)" box under DHCP.



When you check this box, you're effectively giving control over from DNSMasq to Unbound for your DNS queries. Wanna know more about Unbound? The nice folks on the DD-WRT Wiki made this handy dandy guide.

3. Get a JFFS share set up

You'll need this to save your Unbound configuration file permanently, but it can also be used to install Entware.

Head over to the Administration page and check "Enable" under JFFS2 Support for Internal Flash Storage and check "Clean internal flash storage." Once you do this, reboot your router. You should now have JFFS space available. The router will automatically uncheck the "Clean internal flash storage" option after the reboot to prevent clearing all of your JFFS space every time you reboot.



Command Line Settings

Now's the fun part where you get to play around as root in Bash. How often do you get to do that without needing to document why you made every keystroke to some 450-question million-dollar documentation system that asks you if you're really really really sure you copied and pasted a 32kb text document correctly? At home where you can break your own shit without consequence, that's when.

Go ssh into your router as root.

1. Create a new file

Run the below script to create a new file.
Code:
cd /tmp
touch yourmom

lol

2. Install Entware

Follow this guide to get it installed.

The preferred method is to plug a USB stick into the back of the router and install Entware there. If you're lazy like me, you have plenty of extra Flash storage available to do this.

If you go the flash route, remember that it has a limited write life and was not designed for write-heavy applications. You'll probably never write to it enough to get to that point, but keep that in mind if you decide to install additional software on it.

Important Note: If your JFFS space is mounted in flash, you'll need to mount it to /opt before installing Entware. Do that with this script.

Code:
mkdir /jffs/opt
mount -o bind /jffs/opt /opt

The first line creates a new directory called opt in JFFS. This is where all of your stuff will get written. The second mounts it to /opt where Entware is looking during the install. This forces Entware to install to the internal flash JFFS.

3. Install a CA Certificate Bundle

This will install a system CA cert bundle, which is required for DNS over TLS.

Code:
opkg install ca-bundle

ca-certificates.crt will be installed to /opt/etc/ssl/certs. We'll need this later.

Configuring Unbound

A temporary configuration file for Unbound has been created for you already. You just need to make a few slight modifications to it and save it as a permanent file.

1. Create the etc directory in JFFS

Unbound will look for a permanent configuration file here, if it exists.

Code:
mkdir /jffs/etc

2. Copy the pre-made Unbound config file to /jffs/etc

Self-explanatory.

Code:
cp /etc/unbound/unbound.conf /jffs/etc

3. Edit the unbound configuration file to use DNS over TLS

You'll have to do this through.....vi. Yes, I know. It's weird if you haven't used it. Look, it's not that bad. It's just from a different time! I'll walk you through it. Take a deep breath. It's going to be okay.

Code:
vi /jffs/etc/unbound.conf

Here's all you need to know.

1. Hit 'i' to start inserting and writing text. Navigate with the arrow keys (it's all you'll need with how small this is)
2. When you're done, hit 'esc'
3. Type ':', then hit 'wq'. This means write the changes and quit.

Use the below unbound.conf as a template. You'll be adding a few different lines under server: and forward-zone:.

Lines under forward-zone: tell Unbound that you'd like to use DNS over TLS, and give it the DNS servers that you'd like to use. Copy these verbatim. If you would like to use other DNS servers or want to know more about what these settings are doing, check out this more detailed guide.

Note: If you are using JFFS for your ca-certificates bundle, change location under tls-cert-bundle: from /opt/etc/ssl/... to /jffs/opt/etc/ssl/...

Code:
server:
tls-cert-bundle: /opt/etc/ssl/certs/ca-certificates.crt

........................................................
<Sections between here are specific to your router>
........................................................

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#one.one.one.one
forward-addr: 1.0.0.1@853#one.one.one.one

Phew! That wasn't so bad, was it?

You should now be all set. Reboot your router and give it a whirl. If successful, you will be able to access the internet and also pass the Cloudflare DNS over TLS test.



Troubleshooting

Literally no website works

1. Check that your time server is successfully setting your time. Syslog will be your friend here

2. Make sure that your time zone is set correctly

3. Make sure that you spelled the name of the DNS servers after the # correctly in your unbound config file

4. Check that your CA certificate bundle is actually there

5. Check that your unbound.conf file points to your CA certificate bundle and that you didn't misspell anything while fiddling around in vi

Remember: you can always go back by unchecking Recursive DNS Resolving (Unbound) on the Setup page. If nothing is working right and you can't figure it out, simply turn it off and let DNSMasq take over. Grab a drink and take a whack at it tomorrow. Unless you're Edward Snowden or Jason Bourne, you can live another day with someone potentially knowing how many times your IP address visited that kinky site that day. You know the one I'm talking about. That one. I don't judge you for it.

Cloudflare can't verify if DNS over TLS is working

From what I can tell, you need to use Cloudflare's DNS server for it to verify. Once you have it all verified and are certain that DNS over TLS is set up properly, you can use any DNS server that supports DNS over TLS.

Alternatively, you can use Wireshark to review your DNS queries. If the text looks like someone took an ASCII dump on the screen, then congratulations! It's encrypted!


Last edited by NBA Jam on Thu May 23, 2019 2:44; edited 1 time in total
Sponsor
SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 373
Location: Appalachian mountains, USA

PostPosted: Thu May 23, 2019 2:28    Post subject: Reply with quote
Easy question: You say to check "Clean internal flash storage", but you show a screen shot with it unchecked. Which is it?

I don't really understand what this does. Does cleaning (like with a cloth?) mean the contents of flash gets wiped every time the router boots? Sounds counterproductive. Or does it only get cleaned the first time you click the button?

_________________
Six of the Linksys WRT1900ACSv2 on r38159, r40009, and r40784. On various:
VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, QoS, OpenVPN client/PBR (random NordVPN server).
NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 27

PostPosted: Thu May 23, 2019 2:40    Post subject: Reply with quote
SurprisedItWorks wrote:
Easy question: You say to check "Clean internal flash storage", but you show a screen shot with it unchecked. Which is it?

I don't really understand what this does. Does cleaning (like with a cloth?) mean the contents of flash gets wiped every time the router boots? Sounds counterproductive. Or does it only get cleaned the first time you click the button?


When you check it the first time and reboot, all of the extra writeable space will be cleared and the router will automatically uncheck the "Clean JFFS" option for you. It's basically a one-and-done thing. The screenshot you see is after the router has already rebooted (and after I already added all the files, but if successful you should see space available like in the screenshot).

When you first create it, you must first clean it. Unfortunately I don't know why. I haven't tried doing so without cleaning it as I initially followed these instructions the first time. You can give it a try and see what's there in the JFFS space before it's cleaned, I'd be curious what's there.
SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 373
Location: Appalachian mountains, USA

PostPosted: Thu May 23, 2019 13:34    Post subject: Reply with quote
Thanks for that very clear explanation and, indeed, for this whole thread. As the DNSMasq config button - Encrypt DNS I think it was labeled - to enable DNSCrypt and offer up a menu of DNS servers that support DNSCrypt has disappeared in recent releases for our Linksys/Marvell WRT* routers, your DNS-over-TLS work may prove to be really valuable to our community. I wish going the DNS-over-TLS route didn't require dealing with jffs and entware and opkg, but meanwhile you have created a clean guide to wading through all that.
_________________
Six of the Linksys WRT1900ACSv2 on r38159, r40009, and r40784. On various:
VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, QoS, OpenVPN client/PBR (random NordVPN server).
NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 27

PostPosted: Thu May 23, 2019 22:34    Post subject: Reply with quote
SurprisedItWorks wrote:
Thanks for that very clear explanation and, indeed, for this whole thread. As the DNSMasq config button - Encrypt DNS I think it was labeled - to enable DNSCrypt and offer up a menu of DNS servers that support DNSCrypt has disappeared in recent releases for our Linksys/Marvell WRT* routers, your DNS-over-TLS work may prove to be really valuable to our community. I wish going the DNS-over-TLS route didn't require dealing with jffs and entware and opkg, but meanwhile you have created a clean guide to wading through all that.


Sure thing, no problem at all. It's great practice for my day job Smile

When DNSCrypt stopped being supported in DD-WRT, I wanted to learn a little more about DNS over TLS and how to make it work using what is available today. Overall it's not nearly as difficult as I thought it would've been. I found it basically boiled down to learning how to use Unbound and how to store stuff permanently on the router.
NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 27

PostPosted: Sat May 25, 2019 0:08    Post subject: Reply with quote
One issue I've run into with Unbound is the configuration I'm using does not work with a VPN. I'll research that and figure out how to get the VPN interface to work.
SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 373
Location: Appalachian mountains, USA

PostPosted: Sat Jun 01, 2019 17:35    Post subject: Reply with quote
Disregard this post. I had missed that the new config needed to be saved into /jffs/etc and that unbound would find it there!
_________________
Six of the Linksys WRT1900ACSv2 on r38159, r40009, and r40784. On various:
VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, QoS, OpenVPN client/PBR (random NordVPN server).
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.) All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum