"DNS over TLS" or "DNS over HTTPS"

DD-WRT Forum Index -> Advanced Networking
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 947
Location: Appalachian mountains, USA

PostPosted: Sun Dec 15, 2019 19:59    Post subject:
wabe wrote:
Alozaros wrote:
You have to set those servers to communicate via port 853 in stubby. Then DNS will be encrypted...
On tcpdump I can see only 853 communications...

That's exactly what I've done. Added Quad9 to stubby.yml and tested with tcpdump.
No traffic on port 853. What I noticed is that 9.9.9.9 resolves to a DNS provider in NL (WoodyNet); could it be that this provider does not offer DNS over TLS? On the other hand, if Quad9 claim they offer this protocol, all their partners ought to provide it too.

WoodyNet is what you want. I think Woody is the president of Quad9 or something, and WoodyNet is what they enter into the ISP field of some registration form. WoodyNet is how you know it's Quad9. Re that and instructions re TLS, see https://quad9.net.

_________________
Five WRT1900ACSv2's on 42926, 44048.
VLANs, multiple VAPs, NAS, client-mode travel router, OpenVPN client (AirVPN), DDNS, wireguard server, two wireguard clients (AzireVPN), use of two DNSCrypt DNS providers (inc Quad9) through OpenVPN and wireguard clients.
wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 765

PostPosted: Sun Dec 15, 2019 20:31    Post subject:
Alozaros wrote:

WoodyNet is what you want. I think Woody is the president of Quad9 or something, and WoodyNet is what they enter into the ISP field of some registration form. WoodyNet is how you know it's Quad9. Re that and instructions re TLS, see https://quad9.net.

I know how to set it up, but it's not working. Using the following stubby.yml entries for Quad9:
Code:

upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
        - digest: "sha256"
          value: MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ=

I've also tried w/o the tls_pubkey_pinset entries. No change.

_________________
AC-68U rev. C1 on Build 44483
AC-68U rev. A1 on Build 44483
AC-68U rev. A1 on Build 44340
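One way to check from the router or any host what wabe is trying to confirm with tcpdump, as an added example that is not code from the thread or from stubby: the script builds a DNS query, sends it over TLS to 9.9.9.9 on port 853 with dns.quad9.net as the name the certificate must match (the role of stubby's tls_auth_name), and parses the answer section. The wire-format helpers run offline; probe_dot() needs network access and a correct system clock, because certificate validation fails while the router still believes it is 1970. The query name example.com and the transaction id are arbitrary choices.

```python
"""Probe a DNS-over-TLS upstream the way stubby is configured to use it.

Added example (standard library only), not code from the thread or from
stubby/getdns. probe_dot() needs network access; everything else is offline.
"""
import socket
import ssl
import struct

# Constructed sample: the Quad9 upstream from the stubby.yml posted in the thread.
UPSTREAM_IP = "9.9.9.9"
UPSTREAM_AUTH_NAME = "dns.quad9.net"   # stubby's tls_auth_name
DOT_PORT = 853


def build_query(qname: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RFC 1035) for qname, type A by default."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # QCLASS IN


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answers(resp: bytes, qid: int) -> list:
    """Return the IPv4 addresses in the answer section; raise on a bad reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", resp, 0)
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):             # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_dot(ip=UPSTREAM_IP, auth_name=UPSTREAM_AUTH_NAME, qname="example.com"):
    """Resolve qname over TLS on port 853, authenticating the server as auth_name.

    This is what tls_authentication: GETDNS_AUTHENTICATION_REQUIRED asks of
    stubby: the chain must validate and the certificate must match auth_name.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    qid = 0x1234
    with socket.create_connection((ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_for_tcp(build_query(qname, qid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length), qid)


if __name__ == "__main__":
    print(probe_dot())
```

If probe_dot() returns addresses, the upstream speaks authenticated DoT for that auth name; an ssl error means the certificate does not validate (check the router clock first), and a timeout usually means port 853 is blocked on the path. Running tcpdump with the filter `port 853` alongside it shows exactly this traffic and, once stubby is the only resolver path, nothing on port 53 towards the WAN.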
sunny0_0
DD-WRT Novice


Joined: 27 Nov 2019
Posts: 6

PostPosted: Wed Dec 18, 2019 5:20    Post subject:
wabe wrote:
Alozaros wrote:

WoodyNet is what you want. I think Woody is the president of Quad9 or something, and WoodyNet is what they enter into the ISP field of some registration form. WoodyNet is how you know it's Quad9. Re that and instructions re TLS, see https://quad9.net.

I know how to set it up, but not working. Using the following stubby.yml entries for quad9
Code:

upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
        - digest: "sha256"
          value: MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ=

I’ve also tried w/o the tls_pubkey_pinset entries. No change


I just formatted and reinstalled entware and stubby. I used the default stubby.yml config for cloudflare, which works fine.

resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3858
Location: UK, London, just across the river..

PostPosted: Wed Dec 18, 2019 7:11    Post subject:
Yep, I know it works fine.

On the last versions of stubby those lines are deprecated for 1.1.1.1 and 9.9.9.9, so you don't need them...

tls_pubkey_pinset:
  - digest: "sha256"
    value: MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ=

So you do not need them.

Just have a look here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321868&start=15
There is a yml sample I posted that works on port 853.

And yep, WoodyNet is Quad9; PCH is also another transponder for Quad9.

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 44538 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 44538 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 44538 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 44538 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 44538 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
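The pinset value wabe copied and Alozaros says is no longer needed is a SPKI pin: base64 of the SHA-256 of the server certificate's DER-encoded SubjectPublicKeyInfo, the construction of RFC 7469 that RFC 7858 adopts for DoT. The script below, an added example that is not code from the thread or from stubby/getdns, recomputes that pin from a certificate with a small DER walker using only the standard library, so you can tell whether a pin in stubby.yml still matches what the server presents after a key rotation. pin_from_certificate_der() runs offline on any DER certificate; fetch_leaf_der() needs network access. The Quad9 address, auth name and posted pin are the thread's values.

```python
"""Compute the SPKI pin stubby expects in tls_pubkey_pinset.

Added example (standard library only), not code from the thread or from
stubby/getdns. pin = base64(SHA-256(DER SubjectPublicKeyInfo)).
"""
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf: bytes, off: int):
    """Parse one DER tag-length-value at off; return (tag, value_start, value_end)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, tbs_start, _ = _read_tlv(cert_der, 0)           # outer Certificate SEQUENCE
    tag, off, _ = _read_tlv(cert_der, tbs_start)       # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields_to_skip = 5                                  # serial, signature, issuer, validity, subject
    if cert_der[off] == 0xA0:                           # explicit [0] version present
        fields_to_skip += 1
    for _ in range(fields_to_skip):
        _, _, off = _read_tlv(cert_der, off)
    tag, _start, end = _read_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    # The pin covers the whole TLV (tag and length bytes included), not only the value.
    return cert_der[off:end]


def pin_from_spki(spki_der: bytes) -> str:
    """base64(SHA-256(spki)): the string stubby/getdns compares against."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_certificate_der(cert_der: bytes) -> str:
    return pin_from_spki(extract_spki(cert_der))


def fetch_leaf_der(ip: str, auth_name: str, port: int = 853) -> bytes:
    """Fetch the leaf certificate a DoT server presents (network access needed)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Compare against the pin from the thread's stubby.yml. A mismatch after a key
    # rotation is exactly how a stale pinset breaks resolution with no other symptom.
    posted = "MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ="
    live = pin_from_certificate_der(fetch_leaf_der("9.9.9.9", "dns.quad9.net"))
    print("live pin:", live, "matches posted:", live == posted)
```

A pin adds protection only against a mis-issued certificate; with tls_authentication set to GETDNS_AUTHENTICATION_REQUIRED the tls_auth_name check already authenticates the upstream, which is why a pinset that nobody updates is more likely to cause an outage than to stop an attack.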
ccbrianf
DD-WRT Novice


Joined: 10 Jun 2015
Posts: 9

PostPosted: Tue Apr 21, 2020 21:44    Post subject: Failed resolving address to hostname us.pool.ntp.org
FYI: It doesn't look like the server=/us.pool.ntp.org/DNS_SERVER_IP solution works for the ntp bootstrap problem because the ntp server appears to do a reverse ptr IP lookup for security reasons, and there are way too many IP aliases for that host name to cover with individual dnsmasq ptr-record entries.
James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

PostPosted: Thu Apr 23, 2020 3:36    Post subject:
Alozaros wrote:
turn on USB mount, it on OPT
cd /opt (click enter)
wget http://bin.entware.net/mipssf-k3.4/installer/generic.sh (click enter)
sh generic.sh (click enter)

The .sh file does not work, error ''read file only''.

Do you have an idea what to do?

Thanks
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3858
Location: UK, London, just across the river..

PostPosted: Thu Apr 23, 2020 6:09    Post subject:
James80 wrote:
Alozaros wrote:
turn on USB mount, it on OPT
cd /opt (click enter)
wget http://bin.entware.net/mipssf-k3.4/installer/generic.sh (click enter)
sh generic.sh (click enter)

The .sh file does not work, error ''read file only''.

Do you have an idea what to do?

Thanks

First, start with what router/build?
To me it smells like you need to read this first...

https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware

ccbrianf wrote:
FYI: It doesn't look like the server=/us.pool.ntp.org/DNS_SERVER_IP solution works for the ntp bootstrap problem because the ntp server appears to do a reverse ptr IP lookup for security reasons, and there are way too many IP aliases for that host name to cover with individual dnsmasq ptr-record entries.

The only thing you have to do is to specify an IP in Basic Settings, NTP time...
Use GGL NTP time... IP --- 216.239.35.8

James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

PostPosted: Thu Apr 23, 2020 12:12    Post subject:
Alozaros wrote:
James80 wrote:
Alozaros wrote:
turn on USB mount, it on OPT
cd /opt (click enter)
wget http://bin.entware.net/mipssf-k3.4/installer/generic.sh (click enter)
sh generic.sh (click enter)

The .sh file does not work, error ''read file only''.

Do you have an idea what to do?

Thanks

First, start with what router/build?
To me it smells like you need to read this first...

https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware

ccbrianf wrote:
FYI: It doesn't look like the server=/us.pool.ntp.org/DNS_SERVER_IP solution works for the ntp bootstrap problem because the ntp server appears to do a reverse ptr IP lookup for security reasons, and there are way too many IP aliases for that host name to cover with individual dnsmasq ptr-record entries.

The only thing you have to do is to specify an IP in Basic Settings, NTP time...
Use GGL NTP time... IP --- 216.239.35.8

R7800, last build.

And I already have the NTP time set with an IP, just not the one you wrote.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3858
Location: UK, London, just across the river..

PostPosted: Thu Apr 23, 2020 14:49    Post subject:
James80, the one you wanted to install is for single-core Atheros units and it's wrong...

You need this one; better start from scratch...

cd /opt (click enter)
wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh (click enter)
sh generic.sh (click enter)

The NTP time advice was for another member, not for you, but it's not a bad idea to have it too...

ccbrianf
DD-WRT Novice


Joined: 10 Jun 2015
Posts: 9

PostPosted: Thu Apr 23, 2020 15:38    Post subject:
Quote:
the only thing you have to do is to specify an IP in basic settings NTP time...
use GGL NTP time...IP --- 216.239.35.8

Yes, I understand that is functional, and I hear not specifying one is as well. That is why I prefaced my post with FYI. I just wanted to report that there is a complication with the other solution proposed in this thread of setting a specific name server to use for your NTP server hostname using dnsmasq.

That said, I was also looking to see if anyone had any more robust solutions that better support friendly load balancing, fail-over, and security. Using a hard coded IP can be a single point of failure and more easily allow the possibility of that server providing bad data at some point.
tinkeruntilitworks
Guest

PostPosted: Thu Apr 23, 2020 21:03    Post subject:
ccbrianf wrote:
Quote:
the only thing you have to do is to specify an IP in basic settings NTP time...
use GGL NTP time...IP --- 216.239.35.8

Yes, I understand that is functional, and I hear not specifying one is as well. That is why I prefaced my post with FYI. I just wanted to report that there is a complication with the other solution proposed in this thread of setting a specific name server to use for your NTP server hostname using dnsmasq.

That said, I was also looking to see if anyone had any more robust solutions that better support friendly load balancing, fail-over, and security. Using a hard coded IP can be a single point of failure and more easily allow the possibility of that server providing bad data at some point.



I just tried this while running unbound on my Netgear R7000P, r42954.

During boot I get this:
Dec 31 19:00:28 DD-WRT daemon.err ntpclient[1222]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Dec 31 19:00:28 DD-WRT daemon.err ntpclient[1222]: Failed resolving server 2.pool.ntp.org: Network is down

But then it grabs it with an IP address.
It appears to work for me without giving an address.
ccbrianf
DD-WRT Novice


Joined: 10 Jun 2015
Posts: 9

PostPosted: Fri Apr 24, 2020 0:03    Post subject:
I'm not using unbound, but rather dnsmasq. But yes, I get a stream of those errors, and then I see evidence that by the time stubby tries to start, dnsmasq has exited for some reason. Maybe I need to dig into why that's happening more, or maybe you eventually got whatever the hard-coded builtin NTP server is returned from DNS so it just worked.
James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

PostPosted: Fri Apr 24, 2020 3:32    Post subject:
Alozaros wrote:
James80 the one you wanted to install is for single core Atheros units and its wrong...

you need this one bett start from scratch...

cd /opt (click enter)
wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh (click enter)
sh generic.sh (click enter)

NTP time advise was for another member not for you, but not bad idea to have it too....



root@DD-WRT:~# cd /opt
root@DD-WRT:/opt# wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh
Connecting to bin.entware.net (104.27.177.50:80)

wget: can't open 'generic.sh': Read-only file system

Don't know if the problem with /entware can be related to the USB page?

EDIT: it worked after I ran these commands before installing Entware:
mkdir /jffs/opt
mount -o bind /jffs/opt /opt

But I don't know if it is in the right place.
James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

PostPosted: Fri Apr 24, 2020 4:05    Post subject:
wabe wrote:
Alozaros wrote:
could you give us a step by step guide...?
i tried stubby with DoH but failed to connect...
back in the days with unbound i was heaving some fun stuff too, it was not that working always, but sadly its not present on low end routers...


The steps I followed to get this to work were:
- Enter an NTP server manually with IP address (not FQDN) on "Setup" and test that it works.
- Enable Unbound on "Setup" and check that the default configuration works. For some reason it took a fairly long time for the router to start up.
- Copy the configuration from /tmp/unbound.conf for editing.
- Add the DNS servers you want to use, like this example, to the bottom of unbound.conf:

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.0.0.1@853#one.one.one.one
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 8.8.4.4@853#dns.google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

- Copy unbound.conf to /jffs/etc
- Restart the router

In unbound.conf there is a lot of info and text; do we need to remove it all and just add the info you give here?

Thanks
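An added check for the unbound forward-zone quoted above, written for this page and not part of the thread or of unbound: it parses the forward-addr: IP@853#authname syntax shown there and flags the two settings that leave DoT encrypted but not authenticated. unbound verifies the name after # against the server certificate only when it has a CA store (tls-cert-bundle or tls-system-cert in the server: section), and a forward-addr without #authname cannot be verified at all. Both sample configurations are constructed: the weak one has the CA bundle commented out and, to show the second finding, deliberately omits the auth name on the 149.112.112.112 entry; the bundle path is a placeholder.

```python
"""Lint an unbound.conf forward-zone for DNS-over-TLS weaknesses.

Added example, not part of the thread or of unbound. Stdlib only.
"""
import re

# Constructed weak sample: CA bundle commented out, one upstream without #authname.
WEAK_CONF = """\
server:
    interface: 127.0.0.1
    # tls-cert-bundle: /PLACEHOLDER/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.0.0.1@853#one.one.one.one
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853
"""

# Constructed hardened sample: CA bundle enabled, every upstream carries an auth name.
HARDENED_CONF = WEAK_CONF.replace("# tls-cert-bundle", "tls-cert-bundle").replace(
    "149.112.112.112@853", "149.112.112.112@853#dns.quad9.net")

ADDR_RE = re.compile(r"^([^@#\s]+)(?:@(\d+))?(?:#(\S+))?$")


def parse_unbound(text: str) -> dict:
    """Minimal unbound.conf reader: 'section:' headers, 'key: value' lines, '#' comments.

    Comments are only recognised at the start of a line, because '#' inside a
    forward-addr separates the address from the TLS auth name.
    """
    conf = {"server": {}, "forward-zones": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and " " not in line:        # section header
            name = line[:-1]
            if name == "forward-zone":
                section = {"forward-addr": []}
                conf["forward-zones"].append(section)
            else:
                section = conf.setdefault(name, {})
            continue
        if section is None:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "forward-addr":
            section["forward-addr"].append(value)
        else:
            section[key] = value
    return conf


def check_dot(conf: dict) -> list:
    """Return human-readable findings; an empty list means authenticated DoT throughout."""
    findings = []
    srv = conf.get("server", {})
    has_ca_store = bool(srv.get("tls-cert-bundle")) or srv.get("tls-system-cert") == "yes"
    for zone in conf["forward-zones"]:
        label = f"forward-zone {zone.get('name', '?')}"
        if zone.get("forward-tls-upstream", "no") != "yes":
            findings.append(f"{label}: forward-tls-upstream is off; queries leave in clear text")
            continue
        if not has_ca_store:
            findings.append(f"{label}: TLS on but no tls-cert-bundle/tls-system-cert; "
                            "upstream is not authenticated")
        for addr in zone["forward-addr"]:
            m = ADDR_RE.match(addr)
            if not m:
                findings.append(f"{label}: unparseable forward-addr {addr!r}")
                continue
            ip, port, auth = m.groups()
            if port != "853":
                findings.append(f"{label}: {ip} uses port {port or '53'}, not 853")
            if not auth:
                findings.append(f"{label}: {ip} has no #authname; certificate cannot be matched")
    return findings


if __name__ == "__main__":
    for title, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(title, check_dot(parse_unbound(text)) or "OK")
```

The thread's steps only append the forward-zone; whether the server: section of the generated /tmp/unbound.conf already has a tls-cert-bundle line is what decides between the two results above, so that is the line to look for before keeping the rest of the file as it is.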
jauch888888
DD-WRT User


Joined: 23 Apr 2020
Posts: 94

PostPosted: Thu Apr 30, 2020 14:04    Post subject:
What is the best way to stop stubby? I would like to try another option, like ''Entware DNSCrypt-Proxy''.

I would like to know what I should do first, because I have DoT via stubby at the moment.

Thanks
Page 5 of 6. All times are GMT.