Posted: Fri May 29, 2020 1:04 Post subject: Make Stubby play well with DNSMASq in DNSSEC and DoT?
WRT3200ACM
r43266
Today I realized something that blew my mind.
I have Stubby for DNS lookup and DNSMASq for the rest of the stuff, but most importantly: caching. Cuz I wanna speed things up but w/o losing security. In the past I validated DNSSEC with DNSMASq, and until now, I had the triple score in CF as in the attached picture.
The settings I'm using right now are these (which work):
As you can see, DNSSEC is being proxied, but Stubby is not doing any DNSSEC validation, nor is DNSMASq (per the non-existent --dnssec). I dunno why it's working now, but anyway. What I want is to validate everything (DNSSEC, DoT) through Stubby and do the caching with DNSMASq.
Also I found that the DNSMASq man page doesn't recommend proxy-dnssec: "In most cases, enabling DNSSEC validation within dnsmasq is a better option. See --dnssec for details."
But I tried to enable it and it's even worse, now it doesn't validate DNSSEC at all using:
to Stubby yml, tried DNSMASq without DNSSEC parameters, so I removed proxy-dnssec. And now the connection validates Cloudflare DNS, DoT, and DNSSEC... seems much snappier to me compared with the previous settings...
It's funny that after researching for hours, I post, and less than an hour later I find that answer by myself... like... man... I was 99% there...
Hope this helps someone. Cheers
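A local way to check the setup discussed in this post (validation behind a caching dnsmasq) without relying on a web test page, as an added example that is not part of the original post: it sends DO-bit queries to the resolver and judges validation from the RCODE and AD flag. The resolver address and port and the two test names are assumptions; substitute names you know to be correctly signed and deliberately broken.

```python
import socket
import struct

SIGNED = "cloudflare.com"      # assumed: a zone with valid DNSSEC signatures
BROKEN = "dnssec-failed.org"   # assumed: a zone whose signatures fail validation

def build_query(name, qid=0x1234):
    """A query with RD set plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)    # DO flag in TTL field
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad_bit, answer_count) from a DNS response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return flags & 0x000F, bool(flags & 0x0020), ancount

def classify(signed, broken):
    """Judge the resolver from parse_flags() results for SIGNED and BROKEN."""
    s_rcode, s_ad, s_answers = signed
    b_rcode, _, b_answers = broken
    if s_rcode != 0 or s_answers == 0:
        return "inconclusive: signed name did not resolve"
    if b_rcode == 0 and b_answers > 0:
        return "NOT validating: bogus zone was answered"
    if b_rcode == 2:  # SERVFAIL
        return "validating, AD visible" if s_ad else "validating, AD not passed on"
    return "inconclusive: unexpected rcode %d for broken name" % b_rcode

def ask(name, server="127.0.0.1", port=53, timeout=3.0):
    """Send one UDP query to the local resolver and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return s.recvfrom(4096)[0]

if __name__ == "__main__":
    print(classify(parse_flags(ask(SIGNED)), parse_flags(ask(BROKEN))))
```

A SERVFAIL for the broken name is the meaningful signal; whether clients also see the AD bit depends on whether dnsmasq copies it from upstream.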