Joined: 21 Nov 2019
Posted: Thu Oct 15, 2020 11:30 Post subject: Stubby+DNSSEC+DNSMASq
After a long time playing with settings, I came to a point where I need some help, since I feel stuck.
These settings could also be used as a reference for those who try to achieve the same goal or need a reference to start with. I'm using Entware and mounting JFFS to OPT (USB).
First, the settings:
- address_data: 126.96.36.199
- address_data: 188.8.131.52
The main goal is to make Stubby resolve + DNSSEC, and DNSMASq just cache. The settings are purposely picked for the best performance under strict privacy (priv>perf).
The results are not bad. Suddenly I realized that Stubby was using an old config that made it lose DNSSEC, but I had fallen into the conviction that it was working because https://www.cloudflare.com/ssl/encrypted-sni/ "validated" DNSSEC and encrypted DNS.
Under the (new) actual configuration pasted above, the results in the Cloudflare test are DNSSEC "working" and encrypted DNS as "You may not be using secure DNS." This leads to two doubts: 1) why was it previously showing OK? and 2) under a correct setup, is this the correct result if the client is behind the Stubby server?
Is there any setting that needs to be fixed in order to work 100% fine? Or a way to test DNSSEC FROM the router itself?
Firmware: DD-WRT v3.0-r41954 std (01/09/20)
Dnsmasq / Unbound / VAP / DNSCrypt / DNSSEC / QoS WAN.HTB.FQ_CODEL_FAST (custom netmask and svc) / Custom port setups for subnet delegation
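One way to check DNSSEC validation from the router itself, as an added example that is not part of the original post: it sends a query with the DO bit set to the local resolver and reads the AD flag and RCODE from the reply. It assumes Python 3 is available (for example from Entware) and that the resolver listens on 127.0.0.1:53; the two test names and the sample headers are assumptions chosen for illustration.

```python
import socket
import struct

RCODE_SERVFAIL = 2
# Constructed 12-byte response headers for offline illustration (not captured traffic).
SAMPLE_SIGNED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # NOERROR, AD set
SAMPLE_BROKEN = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)  # SERVFAIL

def build_query(name, qtype=1, txid=0x1234):
    """A-record query with RD+AD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode/version/flags (DO=0x8000)
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad_bit) from the header of a DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0020)

def classify(signed_resp, broken_resp):
    """Interpret answers for a correctly signed name and a deliberately broken one."""
    s_rcode, s_ad = parse_flags(signed_resp)
    b_rcode, _ = parse_flags(broken_resp)
    if s_rcode != 0 or b_rcode not in (0, RCODE_SERVFAIL):
        return "inconclusive"
    if b_rcode == 0:
        return "not validating"  # the broken zone resolved, so nothing checked signatures
    # Validation is enforced; a forwarder in the path may still clear the AD bit.
    return "validating" if s_ad else "validating, AD bit not passed through"

def ask(name, server="127.0.0.1", port=53, timeout=3.0):
    """Send one UDP query to the resolver under test and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return s.recvfrom(4096)[0]

if __name__ == "__main__":
    # Assumed test names: ietf.org is signed, dnssec-failed.org has broken signatures.
    print(classify(ask("ietf.org"), ask("dnssec-failed.org")))
```

This only tests DNSSEC validation; whether the upstream transport is encrypted is a separate property that the reply flags do not reveal.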