Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sun Dec 15, 2019 19:59 Post subject:
wabe wrote:
Alozaros wrote:
you have to set those servers to communicate via port 853 in stubby. Then DNS will be encrypted...
on tcpdump i can see only 853 communications...
That’s exactly what I’ve done. Added Quad9 to stubby.yml and tested with tcpdump.
No traffic on port 853. What I noticed is that 9.9.9.9 resolves to a dns provider in NL (WoodyNet), could be that provider does not offer dns over tls? On the other hand if Quad 9 claim they offer this protocol all their partners ought to provide it too.
WoodyNet is what you want. I think Woody is the president of Quad9 or something, and WoodyNet is what they enter into the ISP field of some registration form. WoodyNet is how you know it's Quad9. Re that and instructions re TLS, see https://quad9.net. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
WoodyNet is what you want. I think Woody is the president of Quad9 or something, and WoodyNet is what they enter into the ISP field of some registration form. WoodyNet is how you know it's Quad9. Re that and instructions re TLS, see https://quad9.net.
I know how to set it up, but not working. Using the following stubby.yml entries for quad9
I’ve also tried w/o the tls_pubkey_pinset entries. No change _________________ Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
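The `tls_pubkey_pinset` entries mentioned in the post above are SPKI pins. As an added example (not from this thread or from Stubby's code), this shows how such a pin is derived, base64 of the SHA-256 over the certificate's SubjectPublicKeyInfo DER, and how a DoT client checks a presented chain against the configured set; a self-signed throwaway certificate is constructed in place of a real resolver's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin derives a stubby tls_pubkey_pinset value: base64(SHA-256(SubjectPublicKeyInfo DER)).
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// PinsetAccepts is the client-side check: some certificate in the presented chain must match a pin.
func PinsetAccepts(chain []*x509.Certificate, pinset []string) bool {
	for _, c := range chain {
		for _, want := range pinset {
			if SPKIPin(c) == want {
				return true
			}
		}
	}
	return false
}
// SelfSignedCert makes a throwaway certificate for the demo (constructed, not a real resolver's).
func SelfSignedCert(name string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	cert, err := SelfSignedCert("dns.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("tls_pubkey_pinset value:", SPKIPin(cert))
}
```

A mismatched pin fails only after the TLS handshake has been attempted, so a wrong pin still produces connections to port 853; seeing none at all means queries are not reaching Stubby in the first place.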
Posted: Tue Apr 21, 2020 21:44 Post subject: Failed resolving address to hostname us.pool.ntp.org
FYI: It doesn't look like the server=/us.pool.ntp.org/DNS_SERVER_IP solution works for the ntp bootstrap problem because the ntp server appears to do a reverse ptr IP lookup for security reasons, and there are way too many IP aliases for that host name to cover with individual dnsmasq ptr-record entries.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Apr 23, 2020 6:09 Post subject:
ccbrianf wrote:
FYI: It doesn't look like the server=/us.pool.ntp.org/DNS_SERVER_IP solution works for the ntp bootstrap problem because the ntp server appears to do a reverse ptr IP lookup for security reasons, and there are way too many IP aliases for that host name to cover with individual dnsmasq ptr-record entries.
the only thing you have to do is to specify an IP in basic settings NTP time...
use GGL NTP time...IP --- 216.239.35.8 _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
the only thing you have to do is to specify an IP in basic settings NTP time...
use GGL NTP time...IP --- 216.239.35.8
Yes, I understand that is functional, and I hear not specifying one is as well. That is why I prefaced my post with FYI. I just wanted to report that there is a complication with the other solution proposed in this thread of setting a specific name server to use for your NTP server hostname using dnsmasq.
That said, I was also looking to see if anyone had any more robust solutions that better support friendly load balancing, fail-over, and security. Using a hard coded IP can be a single point of failure and more easily allow the possibility of that server providing bad data at some point.
i just tried this while running unbound on my netgear r7000p r42954
during boot i get this
Dec 31 19:00:28 DD-WRT daemon.err ntpclient[1222]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Dec 31 19:00:28 DD-WRT daemon.err ntpclient[1222]: Failed resolving server 2.pool.ntp.org: Network is down
but then it grabs it with an ip address
it appears to work for me without giving an address
I'm not using unbound, but rather dnsmasq. But yes, I get a stream of those errors, and then I see evidence that by the time stubby tries to start, dnsmasq has exited for some reason. Maybe I need to dig into why that's happening more, or maybe you eventually got whatever the hard coded builtin ntp server is returned from DNS so it just worked.
It would be great to have built-in support for DNS-over-HTTPS or DNSCrypt (or DNS-over-QUIC).
With DNS-over-HTTPS SDNS stamps, you can disable outbound port 53 entirely. Normally, even with DNS-over-HTTPS, port 53 is used to bootstrap to plaintext DNS, but with DNS-over-HTTPS SDNS stamps, no bootstrapping is needed and only encrypted DNS traffic is sent (via TCP port 443).
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Nov 19, 2020 9:28 Post subject:
MonarchX wrote:
It would be great to have built-in support for DNS-over-HTTPS or DNSCrypt (or DNS-over-QUIC).
With DNS-over-HTTPS SDNS stamps, you can disable outbound port 53 entirely. Normally, even with DNS-over-HTTPS, port 53 is used to bootstrap to plaintext DNS, but with DNS-over-HTTPS SDNS stamps, no bootstrapping is needed and only encrypted DNS traffic is sent (via TCP port 443).
DNSCrypt ver 1.95 option is present in GUI, on high grade routers... have a read and look around
if you want to use DoT or DoH, you can use SmartDNS, that is also present on most of the routers, same with Unbound, you just have to jffs on USB...
for some DNS encrypted alternatives via OPT/Entware, have a look in x2 links in my signature ...
all those work on loopback interface 127.0.0.1 and unreplay port 53 by default, also known as stub resolvers...
have a good read on those stickies around, full of info on the subject...
Joined: 26 Mar 2013 Posts: 1858 Location: Hung Hom, Hong Kong
Posted: Tue Dec 01, 2020 17:24 Post subject:
MonarchX wrote:
It would be great to have built-in support for DNS-over-HTTPS or DNSCrypt (or DNS-over-QUIC).
With DNS-over-HTTPS SDNS stamps, you can disable outbound port 53 entirely. Normally, even with DNS-over-HTTPS, port 53 is used to bootstrap to plaintext DNS, but with DNS-over-HTTPS SDNS stamps, no bootstrapping is needed and only encrypted DNS traffic is sent (via TCP port 443).
The IETF has standardized two DNS over secure transport protocols: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). These two protocols have broadly similar security and privacy properties. We chose DoH because we believe it is a better fit for our existing mature browser networking stack (which is focused on HTTP) and provides better support for future protocol features such as HTTP/DNS multiplexing and QUIC.
@Alozaros or anyone else willing to help:
I've looked at your stickies and suggested sigs to read but I've failed to find it.
I am on DD-WRT v3.0-r36070M kongac (05/31/1 on a Netgear R7000, Broadcom.
Use DNSMasq for DNS is selected in my router GUI, which makes me believe I am using DNSMasq.
I want to use DNS over TLS, or over HTTP if I fail on setting TLS.
This thread is not chip-specific but the only working examples/instructions are for Atheros ones.
Can I be pointed to a thread for Broadcoms, please.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Jan 04, 2021 20:32 Post subject:
for Stubby DNS over TLS, follow the red link in my signature...
Stubby requires Entware installation. There are 3 different Entware installations...
Broadcom for Broadcom routers
Atheros for Atheros routers
For dual core ARM routers, as R7000 is...
once you have Entware installed setting up Stubby is the same for all installations...
if you update to a newer DDWRT build you can also use SmartDNS, as it has the same capabilities...for TLS encryption...and you don't need an Entware installation, just USB jffs,
instead...(do keep in mind it requires more reading & understanding)
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896