Posted: Tue Jan 05, 2021 16:05 Post subject: Setting up SecureDNS on Netgear R7000
Hello, this post is to request assistance setting this up.
I've gathered some information from different places on this forum but mostly are for Atheros.
I have updated my router Netgear R7000 to the latest DD-WRT from: ftp://ftp.dd-wrt.com/betas/2021/01-01-2021-r45229/netgear-r7000/
Additional info: I have a USB stick in use mounted on /opt.
The upgrade was successful.
I then tried to use what is available from the GUI and unfortunately I lost DNS resolution once I enabled SmartDNS, and I've been informed by @wabe that the reason is that I don't have a /jffs mount point.
At this point I put SmartDNS on hold and attempt to use stubby. I think I'd prefer stubby to SmartDNS because my main objective is to attain privacy over performance, which SmartDNS seems to have as its primary goal.
Attempting to install stubby is where I request some help.
I've got a USB mounted on /opt.
I'm stuck installing Entware.
I've ssh'd to it as root and got to download the installer:
I've attached the failure log. They are permissions errors but before going to fix those, I want to check I'm not making a mistake using the wrong installer.
From the wiki https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware I think I've used the wrong installer.
The wiki says use one link for Broadcom and another for dual core routers. The Netgear R7000 is a dual core Broadcom router, so either link is right or wrong.
Can anyone confirm which one I should use?
I've now tried the alternative http://bin.entware.net/armv7sf-k3.2/installer/generic.sh , ran it and no errors.
Clearly that was the correct one.
Note to self: trying to clear out the directories created by the first installer, I failed to check that it creates some symlinks to the system, so I might need to reflash and start again.
I move on to finalising entware and starting with stubby.
A reboot of the router later to verify all starts and in the right sequence, and I lost DNS. Removing "no-resolv" (commented out with # in front, "#no-resolv") from Additional Dnsmasq Options has restored DNS.
So the question now, with stubby running, is what options should I use for Dnsmasq, on the radio buttons and in the additional options?
You do have "server=127.0.0.1#5453" added at Additional Dnsmasq Options?
And made S61stubby.sh executable, "chmod +x /opt/etc/init.d/S61stubby.sh"?
I only have Validate DNS Replies (DNSSEC) enabled (probably not necessary)
and No DNS Rebind enabled (except on the router running wireguard server).
Thanks.
Nothing on port 853 but yes on 53 with DNSMasq settings as per attachment.
/opt/etc/init.d/S61stubby.sh is already executable by u,g,o - maybe too permissive, but I can set it to owner only if required. For troubleshooting I'll leave it as is.
"server=127.0.0.1#5453" added at Additional Dnsmasq Options? Yes it is.
So it might be as you suspect that stubby isn't working.
Nothing in dmesg and I don't have anything under /opt/var/log.
I'm going to try to start stubby from console, see what it shows.
root@DD-WRT:~# /opt/etc/init.d/S61stubby.sh check
-sh: /opt/etc/init.d/S61stubby.sh: Permission denied
root@DD-WRT:~# sh /opt/etc/init.d/S61stubby.sh check
Checking stubby... dead.
root@DD-WRT:~# sh /opt/etc/init.d/S61stubby.sh start
Starting stubby... done.
root@DD-WRT:~# sh /opt/etc/init.d/S61stubby.sh stop
Checking stubby... dead.
root@DD-WRT:~#
But interestingly, /opt/etc/stubby/stubby.yml has
appdata_dir: "/opt/var/lib/stubby"
but:
root@DD-WRT:~# ls /opt/var/
total 24
drwxr-xr-x 6 root root 4096 Jan 5 16:14 .
drwxr-xr-x 14 root root 4096 Nov 25 09:41 ..
drwxr-xr-x 2 root root 4096 Oct 26 17:59 lock
drwxr-xr-x 2 root root 4096 Oct 26 17:59 log
drwxr-xr-x 2 root root 4096 Jan 5 16:23 opkg-lists
drwxr-xr-x 2 root root 4096 Oct 26 17:59 run
Could it be that this path is only for Atheros devices? Mine is dual core Broadcom.
Could you check for me please whether you have contents on that path, and whether you are on Atheros?
The forum will not let you paste this as it should be. If you copied this from Alozaros's guide it will not work.
The line indentations are wrong. It must look as it does in /opt/etc/stubby/stubby.yml.default.
Alozaros has a more advanced config than I because he is the DNS MAN.
As you can see I don't have tls_port in my config.
If it still doesn't work, I think the one in the guide in my signature can be c/p correctly.
It has no IPv6 or Quad9, and others you don't want can be commented out.
What is not complete is the interaction with Dnsmasq. I still can only resolve names with #no-resolv in the Additional Dnsmasq Options. I'm not sure yet if I need it, but with stubby running now, and that option selected, all "works", except the checks on https://www.cloudflare.com/en-gb/ssl/encrypted-sni/ tell me I have DNSSEC but no Secure DNS, which is the purpose of setting stubby up.
Tomorrow I continue.
Thank you for your guidance.
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Tue Jan 05, 2021 21:34 Post subject:
stubby works fine.. if you read my guide carefully you will notice this line is deprecated
Alozaros wrote:
edited:20.09.2020
on the last version of stubby 0.30+ and getDNS (past 1.6), in order for stubby to work, this line is deprecated in OpenSSL 1.1.1g and has to be removed..
whatever comes via port 853 means it is working...
in order to test it with the Cloudflare test, your first resolver in the stubby config must be Cloudflare...
there are other ways to test it, but it requires you to operate with stubby debug options...
finally, the .yml config file for stubby is very touchy on intervals (very dependent), so stick to the default file and edit only those values you'd need, as copy-pasting all the .yml config from the forum may not work at all...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
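Two things in this thread decide whether queries actually leave the router encrypted: dnsmasq's Additional Options (no-resolv plus server=127.0.0.1#5453, which wabe asked about and which the OP had to comment out) and a stubby.yml whose indentation survived the copy-paste (wabe's and Alozaros's point that it must look like stubby.yml.default). The script below is an added example, not code from this thread, from DD-WRT or from stubby. It audits both pieces of configuration offline on constructed sample inputs, assumes the 127.0.0.1@5453 listener the thread uses, and only does a line-level sanity check of the YAML rather than a full parse.

```python
"""Audit the dnsmasq -> stubby forwarding path on a DD-WRT router.

Added example (not from the thread, DD-WRT or stubby). Two checks:
  * dnsmasq Additional Options: needs `no-resolv` and should forward only to
    the local stubby listener. Without `no-resolv` dnsmasq also queries the
    plaintext upstreams from /etc/resolv.conf, which is how a test page can
    report DNSSEC but no "Secure DNS".
  * stubby.yml: spaces only, consistent indentation, and a listen address
    that matches what dnsmasq forwards to.
All sample inputs are constructed. STUBBY_LISTENER is assumed from the thread.
"""
import re

STUBBY_LISTENER = ("127.0.0.1", 5453)


def audit_dnsmasq(options_text, listener=STUBBY_LISTENER):
    """Return findings for the dnsmasq 'Additional Options' text (empty = ok)."""
    findings, servers, no_resolv = [], [], False
    for raw in options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # dnsmasq comments start with '#'
            continue
        if line == "no-resolv":
            no_resolv = True
        elif line.startswith("server="):
            servers.append(line[len("server="):])
    want = "%s#%d" % listener                   # dnsmasq puts the port after '#'
    if not no_resolv:
        findings.append("missing no-resolv: dnsmasq will also query the "
                        "plaintext upstreams from /etc/resolv.conf")
    if want not in servers:
        findings.append("missing server=%s: queries never reach stubby" % want)
    for srv in servers:
        # server=/domain/ip entries are domain-scoped (e.g. a local zone);
        # any other upstream is a general plaintext path around stubby.
        if srv != want and not srv.startswith("/"):
            findings.append("extra upstream server=%s bypasses stubby" % srv)
    return findings


def audit_stubby_yml(yml_text, listener=STUBBY_LISTENER):
    """Return findings for a stubby.yml text (empty = structure looks sane)."""
    findings, indents = [], set()
    want = "%s@%d" % listener                   # stubby puts the port after '@'
    in_listen = listen_found = False
    for num, raw in enumerate(yml_text.splitlines(), 1):
        lead = raw[:len(raw) - len(raw.lstrip(" \t"))]
        if "\t" in lead:
            findings.append("line %d: tab in indentation (YAML needs spaces)" % num)
        stripped = re.sub(r"(^|\s)#.*$", "", raw).strip()   # drop comments
        if not stripped:
            continue
        indent = len(lead)
        if indent:
            indents.add(indent)
        if stripped.startswith("-"):
            if indent == 0:
                findings.append("line %d: list item at column 0, leading spaces "
                                "were lost (typical forum paste damage)" % num)
            if in_listen and stripped[1:].strip() == want:
                listen_found = True
        elif indent == 0:                       # a new top-level key
            in_listen = stripped.startswith("listen_addresses:")
    if indents:
        unit = min(indents)
        odd = sorted(i for i in indents if i % unit)
        if odd:
            findings.append("inconsistent indentation widths %s (unit %d)" % (odd, unit))
    if not listen_found:
        findings.append("listen_addresses lacks %s; dnsmasq's server=%s#%d has "
                        "nothing to talk to" % ((want,) + listener))
    return findings


# Constructed samples: the thread's first attempt versus the working layout.
DNSMASQ_NO_RESOLV_MISSING = "server=127.0.0.1#5453\n"
DNSMASQ_OK = "no-resolv\nserver=127.0.0.1#5453\n"
STUBBY_OK = """\
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@5453   # port must match dnsmasq's server= line
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
"""
# The same file after a forum post stripped the leading spaces.
STUBBY_PASTED = "\n".join(l.lstrip(" ") for l in STUBBY_OK.splitlines()) + "\n"

if __name__ == "__main__":
    for name, result in [("dnsmasq (first try)", audit_dnsmasq(DNSMASQ_NO_RESOLV_MISSING)),
                         ("dnsmasq (fixed)", audit_dnsmasq(DNSMASQ_OK)),
                         ("stubby.yml (default layout)", audit_stubby_yml(STUBBY_OK)),
                         ("stubby.yml (pasted)", audit_stubby_yml(STUBBY_PASTED))]:
        print(name, "->", result or "OK")
```

On the router itself the two inputs would be the text of the Additional Options box (or the generated /tmp/dnsmasq.conf) and /opt/etc/stubby/stubby.yml; the point of the no-resolv finding is that a "working" resolver with that line commented out is working because it fell back to the ISP's plaintext servers, not because stubby answered.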