"DNS over TLS" or "DNS over HTTPS"

SurprisedItWorks
DD-WRT Guru
Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sun Dec 15, 2019 19:59
wabe wrote:
Alozaros wrote:
you have to set those servers to communicate via port 853 in stubby. Then DNS will be encrypted...
on tcpdump i can see only 853 communications...

That's exactly what I've done. Added Quad9 to stubby.yml and tested with tcpdump.
No traffic on port 853. What I noticed is that 9.9.9.9 resolves to a DNS provider in NL (WoodyNet); could be that provider does not offer DNS over TLS? On the other hand, if Quad9 claim they offer this protocol, all their partners ought to provide it too.

WoodyNet is what you want. I think Woody is the president of Quad9 or something, and WoodyNet is what they enter into the ISP field of some registration form. WoodyNet is how you know it's Quad9. Re that and instructions re TLS, see https://quad9.net.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
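The port-853 check the posters are doing by eye with tcpdump, as an added shell example that is not part of the thread: feed it `tcpdump -n` output from the WAN interface and it counts packets going to port 853 (DNS over TLS) versus port 53 (plaintext DNS), so a misconfigured stubby that silently falls back to plaintext shows up as a non-zero `plain=` count. The interface name `vlan2` and the capture lines are assumptions constructed for this example (RFC 5737/3849 documentation addresses), not a capture from any poster's router.

```sh
#!/bin/sh
# Added example (not from the thread): classify DNS traffic seen on the WAN
# side of a DD-WRT router. Works on busybox sh + awk.

WAN_IF="${WAN_IF:-vlan2}"   # assumption: DD-WRT WAN interface name; adjust

# Live capture on the router (not used by the offline sample below).
# Usage: capture_dns [packet_count] | classify_dns
capture_dns() {
    tcpdump -ni "$WAN_IF" 'port 53 or port 853' -c "${1:-50}" 2>/dev/null
}

# Reads tcpdump -n lines on stdin and prints "plain=<n> tls=<n>":
# packets whose destination port is 53 are plaintext DNS, 853 is DoT.
classify_dns() {
    awk '
    /^[0-9:.]+ IP6? / {
        dst = $5; sub(/:$/, "", dst)       # "9.9.9.9.853:" -> "9.9.9.9.853"
        n = split(dst, a, "."); port = a[n] # last dotted field is the port
        if (port == 53) plain++
        else if (port == 853) tls++
    }
    END { printf "plain=%d tls=%d\n", plain + 0, tls + 0 }'
}

# Exit status 0 when no plaintext DNS left the WAN, 1 when any did.
dns_is_encrypted_only() {
    case "$(classify_dns)" in
        plain=0\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample capture, shaped like tcpdump -n output (not real data).
SAMPLE_OK='12:00:01.000001 IP 192.0.2.10.41234 > 9.9.9.9.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 9.9.9.9.853 > 192.0.2.10.41234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP6 2001:db8::10.41235 > 2606:4700:4700::1111.853: Flags [P.], seq 1:200, ack 1, win 501, length 199'

# Same capture plus one plaintext query that escaped to a public resolver.
SAMPLE_LEAK="$SAMPLE_OK
12:00:02.000001 IP 192.0.2.10.50000 > 8.8.8.8.53: 12345+ A? example.com. (29)"

printf '%s\n' "$SAMPLE_OK"   | classify_dns    # plain=0 tls=2
printf '%s\n' "$SAMPLE_LEAK" | classify_dns    # plain=1 tls=2
```

On the router, `capture_dns 200 | classify_dns` while a LAN client runs a few lookups is enough to answer wabe's question: a working stubby upstream shows `tls=` climbing and `plain=0`; a `plain=` count greater than zero means something (dnsmasq, a client, or a fallback transport) is still sending DNS in the clear.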
wabe
DD-WRT Guru
Joined: 17 Jun 2006
Posts: 889

PostPosted: Sun Dec 15, 2019 20:31
Alozaros wrote:

WoodyNet is what you want. I think Woody is the president of Quad9 or something, and WoodyNet is what they enter into the ISP field of some registration form. WoodyNet is how you know it's Quad9. Re that and instructions re TLS, see https://quad9.net.

I know how to set it up, but it's not working. Using the following stubby.yml entries for Quad9:
Code:

upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
        - digest: "sha256"
          value: MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ=

I've also tried w/o the tls_pubkey_pinset entries. No change.

_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
sunny0_0
DD-WRT Novice
Joined: 27 Nov 2019
Posts: 22

PostPosted: Wed Dec 18, 2019 5:20
wabe wrote:
Alozaros wrote:

WoodyNet is what you want. I think Woody is the president of Quad9 or something, and WoodyNet is what they enter into the ISP field of some registration form. WoodyNet is how you know it's Quad9. Re that and instructions re TLS, see https://quad9.net.

I know how to set it up, but it's not working. Using the following stubby.yml entries for Quad9:
Code:

upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
        - digest: "sha256"
          value: MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ=

I've also tried w/o the tls_pubkey_pinset entries. No change.

I just formatted and reinstalled Entware and stubby. I used the default stubby.yml config for Cloudflare, which works fine.

Code:

resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
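Two things the stubby.yml discussion above (wabe's Quad9 entries with `tls_pubkey_pinset`, and the Cloudflare config that works) leaves to guesswork are whether a given file actually forbids plaintext fallback, and where a `tls_pubkey_pinset` value comes from. The following is an added shell example, not any poster's script: `check_stubby_conf` reads a stubby.yml and reports whether `tls_authentication` is REQUIRED, whether a UDP/TCP transport is listed, and whether every `address_data` is followed by a `tls_auth_name`; `spki_pin_from_cert` computes the pin (base64 of the SHA-256 of the DER SubjectPublicKeyInfo) from a PEM certificate using the standard OpenSSL command line. The sample configs and the `192.0.2.53` upstream are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check a stubby.yml and derive
# a tls_pubkey_pinset value. Assumes busybox sh/awk and the OpenSSL CLI.

# Reads stubby.yml on stdin, prints a one-line report. Exit status 0 only
# when authentication is REQUIRED, no plaintext transport is listed, and
# every address_data has a non-empty tls_auth_name after it.
check_stubby_conf() {
    awk '
    /^[ \t]*tls_authentication:[ \t]*GETDNS_AUTHENTICATION_REQUIRED/ { auth = 1 }
    /^[ \t]*-[ \t]*GETDNS_TRANSPORT_(UDP|TCP)[ \t]*$/                { plain++ }
    /^[ \t]*-[ \t]*address_data:/ {
        if (pending) missing++          # previous upstream had no tls_auth_name
        pending = 1; servers++
    }
    /^[ \t]*tls_auth_name:[ \t]*"?[A-Za-z0-9.-]+"?/ { pending = 0 }
    END {
        if (pending) missing++
        printf "servers=%d auth_required=%d plaintext_transports=%d missing_auth_name=%d\n", servers + 0, auth + 0, plain + 0, missing + 0
        exit ((auth && plain == 0 && missing == 0 && servers > 0) ? 0 : 1)
    }'
}

# tls_pubkey_pinset value: base64(SHA-256(DER SubjectPublicKeyInfo)).
# $1 = PEM certificate file.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

# Fetch the leaf certificate an upstream presents on port 853 (needs network).
# Usage: fetch_upstream_cert 9.9.9.9 dns.quad9.net > quad9.pem
fetch_upstream_cert() {
    openssl s_client -connect "$1:853" -servername "$2" </dev/null 2>/dev/null \
      | openssl x509
}

# Constructed sample: TLS only, every upstream named -> accepted.
SAMPLE_CONF='resolution_type: GETDNS_RESOLUTION_STUB
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"'

# Constructed sample: UDP fallback listed and an unnamed upstream -> rejected.
BAD_CONF='tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 192.0.2.53'

printf '%s\n' "$SAMPLE_CONF" | check_stubby_conf || echo "SAMPLE_CONF rejected"
printf '%s\n' "$BAD_CONF"    | check_stubby_conf || echo "BAD_CONF rejected"
```

On the router, `check_stubby_conf < /opt/etc/stubby/stubby.yml` before restarting stubby catches the two silent failure modes: an upstream without `tls_auth_name` cannot be authenticated even though `GETDNS_AUTHENTICATION_REQUIRED` is set, and a UDP or TCP entry in `dns_transport_list` lets queries fall back to port 53. For a pin, `fetch_upstream_cert 9.9.9.9 dns.quad9.net > quad9.pem; spki_pin_from_cert quad9.pem` yields the value to compare against the provider's published pin; a pin hard-coded from an old post becomes a hard failure when the provider rotates its key, which is why Alozaros notes it is no longer needed for Quad9 and Cloudflare.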
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Wed Dec 18, 2019 7:11
yep i know it works fine

on the last versions of stubby those lines are deprecated for 1.1.1.1 and 9.9.9.9, so you don't need them...

Code:

tls_pubkey_pinset:
    - digest: "sha256"
      value: MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ=

so you do not need them

just have a look here https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321868&start=15
there is a yml sample i posted that works on port 853

and yep WoodyNet is Quad9, PCH is also another transponder for Quad9

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
ccbrianf
DD-WRT User
Joined: 10 Jun 2015
Posts: 58

PostPosted: Tue Apr 21, 2020 21:44    Post subject: Failed resolving address to hostname us.pool.ntp.org
FYI: It doesn't look like the server=/us.pool.ntp.org/DNS_SERVER_IP solution works for the NTP bootstrap problem, because the NTP server appears to do a reverse PTR IP lookup for security reasons, and there are way too many IP aliases for that host name to cover with individual dnsmasq ptr-record entries.
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Thu Apr 23, 2020 6:09
ccbrianf wrote:
FYI: It doesn't look like the server=/us.pool.ntp.org/DNS_SERVER_IP solution works for the NTP bootstrap problem, because the NTP server appears to do a reverse PTR IP lookup for security reasons, and there are way too many IP aliases for that host name to cover with individual dnsmasq ptr-record entries.

the only thing you have to do is to specify an IP in basic settings NTP time...
use GGL NTP time...IP --- 216.239.35.8

ccbrianf
DD-WRT User
Joined: 10 Jun 2015
Posts: 58

PostPosted: Thu Apr 23, 2020 15:38
Quote:
the only thing you have to do is to specify an IP in basic settings NTP time...
use GGL NTP time...IP --- 216.239.35.8

Yes, I understand that is functional, and I hear not specifying one is as well. That is why I prefaced my post with FYI. I just wanted to report that there is a complication with the other solution proposed in this thread, of setting a specific name server to use for your NTP server hostname using dnsmasq.

That said, I was also looking to see if anyone had any more robust solutions that better support friendly load balancing, fail-over, and security. Using a hard-coded IP can be a single point of failure and more easily allows the possibility of that server providing bad data at some point.
tinkeruntilitworks
Guest

PostPosted: Thu Apr 23, 2020 21:03
ccbrianf wrote:
Quote:
the only thing you have to do is to specify an IP in basic settings NTP time...
use GGL NTP time...IP --- 216.239.35.8

Yes, I understand that is functional, and I hear not specifying one is as well. That is why I prefaced my post with FYI. I just wanted to report that there is a complication with the other solution proposed in this thread, of setting a specific name server to use for your NTP server hostname using dnsmasq.

That said, I was also looking to see if anyone had any more robust solutions that better support friendly load balancing, fail-over, and security. Using a hard-coded IP can be a single point of failure and more easily allows the possibility of that server providing bad data at some point.

i just tried this while running unbound on my netgear r7000p r42954

during boot i get this
Code:

Dec 31 19:00:28 DD-WRT daemon.err ntpclient[1222]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Dec 31 19:00:28 DD-WRT daemon.err ntpclient[1222]: Failed resolving server 2.pool.ntp.org: Network is down

but then it grabs it with an ip address
it appears to work for me without giving an address
ccbrianf
DD-WRT User
Joined: 10 Jun 2015
Posts: 58

PostPosted: Fri Apr 24, 2020 0:03
I'm not using unbound, but rather dnsmasq. But yes, I get a stream of those errors, and then I see evidence that by the time stubby tries to start, dnsmasq has exited for some reason. Maybe I need to dig into why that's happening more, or maybe you eventually got whatever the hard-coded built-in NTP server is returned from DNS, so it just worked.
MonarchX
DD-WRT User
Joined: 26 Sep 2009
Posts: 119

PostPosted: Fri Nov 13, 2020 19:20
It would be great to have built-in support for DNS-over-HTTPS or DNSCrypt (or DNS-over-QUIC).

With DNS-over-HTTPS SDNS stamps, you can disable outbound port 53 entirely. Normally, even with DNS-over-HTTPS, port 53 is used to bootstrap to plaintext DNS, but with DNS-over-HTTPS SDNS stamps, no bootstrapping is needed and only encrypted DNS traffic is sent (via TCP port 443).
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Thu Nov 19, 2020 9:28
MonarchX wrote:
It would be great to have built-in support for DNS-over-HTTPS or DNSCrypt (or DNS-over-QUIC).

With DNS-over-HTTPS SDNS stamps, you can disable outbound port 53 entirely. Normally, even with DNS-over-HTTPS, port 53 is used to bootstrap to plaintext DNS, but with DNS-over-HTTPS SDNS stamps, no bootstrapping is needed and only encrypted DNS traffic is sent (via TCP port 443).

DNSCrypt ver 1.95 option is present in the GUI, on high grade routers... have a read and look around

if you want to use DoT or DoH, you can use SmartDNS, that is also present on most of the routers, same with Unbound, you just have to jffs on USB...
for some DNS encrypted alternatives via OPT/Entware, have a look in the x2 links in my signature ...
all those work on loopback interface 127.0.0.1 and unreplay port 53 by default, also known as stub resolvers...

have a good read on those stickies around, full of info on the subject...

mwchang
DD-WRT Guru
Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

PostPosted: Tue Dec 01, 2020 17:24
MonarchX wrote:
It would be great to have built-in support for DNS-over-HTTPS or DNSCrypt (or DNS-over-QUIC).

With DNS-over-HTTPS SDNS stamps, you can disable outbound port 53 entirely. Normally, even with DNS-over-HTTPS, port 53 is used to bootstrap to plaintext DNS, but with DNS-over-HTTPS SDNS stamps, no bootstrapping is needed and only encrypted DNS traffic is sent (via TCP port 443).

How about Cloudflared?
https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy


_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
mwchang
DD-WRT Guru
Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

PostPosted: Tue Dec 08, 2020 3:54    Post subject: Why is Firefox implementing DoH and not DoT?
Source: https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs#w_why-is-firefox-implementing-doh-and-not-dot

Why is Firefox implementing DoH and not DoT?

The IETF has standardized two DNS over secure transport protocols: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). These two protocols have broadly similar security and privacy properties. We chose DoH because we believe it is a better fit for our existing mature browser networking stack (which is focused on HTTP) and provides better support for future protocol features such as HTTP/DNS multiplexing and QUIC.

DNS over HTTPS - the good, the bad and the ugly
https://archive.fosdem.org/2019/schedule/event/dns_over_http/


cookiemonsteruk
DD-WRT Novice
Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Mon Jan 04, 2021 17:16
@Alozaros or anyone else willing to help:
I've looked at your stickies and suggested sigs to read but I've failed to find it.
I am on DD-WRT v3.0-r36070M kongac (05/31/18) on a Netgear R7000, Broadcom.
"Use DNSMasq for DNS" is selected in my router GUI, which makes me believe I am using DNSMasq.

I want to use DNS over TLS, or over HTTP if I fail on setting up TLS.

This thread is not chip-specific, but the only working examples/instructions are for Atheros ones.

Can I please be pointed to a thread for Broadcoms?
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Mon Jan 04, 2021 20:32
for Stubby DNS over TLS, follow the red link in my signature...
Stubby requires Entware installation. There are 3 different Entware installations...
Broadcom for Broadcom routers
Atheros for Atheros routers
For dual core ARM routers, as the R7000 is...

Code:

cd /opt (click enter)
wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh (click enter)
sh generic.sh (click enter)

https://wiki.dd-wrt.com/wiki/index.php/Adding_Software_Packages_using_Entware-3X

once you have Entware installed, setting up Stubby is the same for all installations...

if you update to a newer DD-WRT build you can also use SmartDNS, as it has the same capabilities for TLS encryption, and you don't need an Entware installation, just USB jffs
instead...(do keep in mind it requires more reading & understanding)

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896
