Setting up SecureDNS on Netgear R7000

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 16:05    Post subject: Setting up SecureDNS on Netgear R7000 Reply with quote
Hello, this post is to request assistance setting this up.
I've gathered some information from different places on this forum but mostly are for Atheros.
I have updated my router Netgear R7000 to the atest DD-WRT from: ftp://ftp.dd-wrt.com/betas/2021/01-01-2021-r45229/netgear-r7000/

Additional info: I have a USB stick in use mounted on /opt.

The upgrade was successful.


I then tried to use what is available from the GUI and unfortunately I lost DNS resolution once I enabled SmartDNS and I've been informed by @wabe reason is that I don't have a /jffs mount point.
At this point I put SmartDNS on hold and attempt to use stubby. I think I'd prefer stubby to SmartDNS because my main objective is to attain privacy over performance, which SmartDNS seems to have as primary goal.

Attempting to install stubby is where I request some help.
I've got a USB mounted on /opt
I'm stuck installing entaware.
I've ssh to it as root and got to download the installer:
Code:
wget http://bin.entware.net/mipssf-k3.4/installer/generic.sh

I've attached the failure log. They are permissions errors but before going to fix those, I want to check I'm not making a mistake using the wrong installer.
From the wiki https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware I think I've used the wrong installer.
The wiki says use one link for broadcom and another for dual core router. The Netgear R7000 is a dual core broacom router, so either link is right or wrong.
Anyone can confirm which one should I use?



entaware-install-failure.txt
 Description:

Download
 Filename:  entaware-install-failure.txt
 Filesize:  3.45 KB
 Downloaded:  24 Time(s)

Sponsor
cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 16:22    Post subject: Reply with quote
I've now tried the alternative http://bin.entware.net/armv7sf-k3.2/installer/generic.sh , ran it and no errors.
Clearly that was the correct one.
Note to self: trying to clear out the directories created by the first installer I failed to check it creates some symlinks to system , so I might need to reflash and start again.

I move on to finalising entware and starting with stubby.
cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 17:49    Post subject: Reply with quote
Entware successfully installed now.
Also stubby with its dependencies.

I've used the instructions on https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=314677&postdays=0&postorder=asc&start=30 page 3 with the stubby config as per Alozaros.

A reboot of the router later to verify all starts and in the right sequence and I lost DNS.If I remove (commented out with # in front) "#no-resolv" from Additional Dnsmasq Options has restored dns.

So the question now is now that stubby is running, what options should I use for DNSMasq. On the radio buttons and additional options?
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1566
Location: WCentral Indiana USA

PostPosted: Tue Jan 05, 2021 18:26    Post subject: Reply with quote
You should not have to comment no-resolv.
If that is the only way DNS works then Stubby probably isn't working and you are using other servers.

From command line SSH/telnet run

watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=853 ' | sort -nrk3"

to see if port 853 is being used. Might need to be ip_conntrack instead on some routers.

Also

watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=53 ' | sort -nrk3"

to see what is happening on port 53.

You do have "server=127.0.0.1#5453" added at Additional Dnsmasq Options?
And made S61stubby.sh executable, "chmod +x /opt/etc/init.d/S61stubby.sh"?

I only have Validate DNS Replies (DNSSEC) enabled (probably not necessary)
and No DNS Rebind enabled (except on the router running wireguard server).

_________________
STUBBY DoT install guide----Forum Guide Lines (Please read!) --- How to get help the right way----PIA Setup Guide by egc----
cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 18:58    Post subject: Reply with quote
bushant wrote:
You should not have to comment no-resolv.
If that is the only way DNS works then Stubby probably isn't working and you are using other servers.

From command line SSH/telnet run

watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=853 ' | sort -nrk3"

to see if port 853 is being used. Might need to be ip_conntrack instead on some routers.

Also

watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=53 ' | sort -nrk3"

to see what is happening on port 53.

You do have "server=127.0.0.1#5453" added at Additional Dnsmasq Options?
And made S61stubby.sh executable, "chmod +x /opt/etc/init.d/S61stubby.sh"?

I only have Validate DNS Replies (DNSSEC) enabled (probably not necessary)
and No DNS Rebind enabled (except on the router running wireguard server).


Thanks.
Nothing on port 853 but yes on 53 with DNSMasq settings as per attachment.
/opt/etc/init.d/S61stubby.sh is already executable by u,g,o - maybe too permisive but I can set it to owner only if required. But for troubleshooting I'll leave it as is.

"server=127.0.0.1#5453" added at Additional Dnsmasq Options? Yes it is.

So it might be as you suspect that stubby isn't working.
Nothing on dmesg and I don't have anything under /opt/var/log

I'm going to try to start stubby from console, see what it shows.



dnsmasq1.png
 Description:
 Filesize:  45.89 KB
 Viewed:  766 Time(s)

dnsmasq1.png


cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 19:13    Post subject: Reply with quote
I've started directly
root@DD-WRT:~# sh /opt/etc/init.d/S61stubby.sh start
and it reports
Starting stubby... done.

Bu nothing is logged to /opt/var/log/stubby.log or dmesg

The contents of /opt/etc/stubby/stubby.yml are:
Code:
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
- 127.0.0.1@5453
dns_transport_list:
- GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
- address_data: 9.9.9.9
tls_auth_name: "dns9.quad9.net"
tls_port: 853
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
tls_port: 853


The contents of /opt/etc/init.d/S61stubby.sh are:
Code:
#!/bin/sh
logger -t S61stubby "Starting Stubby DNS over TLS $0"
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func


I'm going to change to stdout to the log, maybe it shows something.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1566
Location: WCentral Indiana USA

PostPosted: Tue Jan 05, 2021 19:16    Post subject: Reply with quote
/opt/etc/init.d/S61stubby.sh check
/opt/etc/init.d/S61stubby.sh start
/opt/etc/init.d/S61stubby.sh stop

root@7802:~# /opt/etc/init.d/S61stubby.sh check
Checking stubby... alive.

I guess this should have been the first test.

_________________
STUBBY DoT install guide----Forum Guide Lines (Please read!) --- How to get help the right way----PIA Setup Guide by egc----
cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 19:24    Post subject: Reply with quote
root@DD-WRT:~# /opt/etc/init.d/S61stubby.sh check
-sh: /opt/etc/init.d/S61stubby.sh: Permission denied
root@DD-WRT:~# sh /opt/etc/init.d/S61stubby.sh check
Checking stubby... dead.
root@DD-WRT:~# sh /opt/etc/init.d/S61stubby.sh start
Starting stubby... done.
root@DD-WRT:~# sh /opt/etc/init.d/S61stubby.sh stop
Checking stubby... dead.
root@DD-WRT:~#

But interestingly from /opt/etc/stubby/stubby.yml
appdata_dir: "/opt/var/lib/stubby"

but :
root@DD-WRT:~# ls /opt/var/
total 24
drwxr-xr-x 6 root root 4096 Jan 5 16:14 .
drwxr-xr-x 14 root root 4096 Nov 25 09:41 ..
drwxr-xr-x 2 root root 4096 Oct 26 17:59 lock
drwxr-xr-x 2 root root 4096 Oct 26 17:59 log
drwxr-xr-x 2 root root 4096 Jan 5 16:23 opkg-lists
drwxr-xr-x 2 root root 4096 Oct 26 17:59 run

Could it be that this path is only for Atheros devices, mine is dual core broadcom?.
Could you check for me please that you have contents on that path and if you are on Atheros?
cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 19:42    Post subject: Reply with quote
root@DD-WRT:~# find / -type f -name 'stubby'
/opt/sbin/stubby

root@DD-WRT:~# file /opt/sbin/stubby
/opt/sbin/stubby: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /opt/lib/ld-linux.so.3, for GNU/Linux 3.2.0, stripped

So I'm going to point /opt/etc/stubby/stubby.yml to this path, maybe that's what it needs.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1566
Location: WCentral Indiana USA

PostPosted: Tue Jan 05, 2021 19:45    Post subject: Reply with quote
cookiemonsteruk wrote:

The contents of /opt/etc/stubby/stubby.yml are:
Code:
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
- 127.0.0.1@5453
dns_transport_list:
- GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
- address_data: 9.9.9.9
tls_auth_name: "dns9.quad9.net"
tls_port: 853
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
tls_port: 853



The forum will not let you paste this as it should be. If you copied this from Alozaros guide it will not work.
The line indentations are wrong. It must look as it does in /opt/etc/stubby/stubby.yml.default.

Here is mine

_________________
STUBBY DoT install guide----Forum Guide Lines (Please read!) --- How to get help the right way----PIA Setup Guide by egc----
cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 19:47    Post subject: Reply with quote
Ah, brilliant. I'll correct that now and confirm.
cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 20:26    Post subject: Reply with quote
It now stays alive. Many thanks, that was it!. Now I need to see that is configured correctly. Looks like this now:

====BEGIN ======
# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_min_version: GETDNS_TLS1_3
tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
- 127.0.0.1@5453
# - 0::1@5453
dns_transport_list:
- GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
- address_data: 2606:4700:4700::1111
tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::1001
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
tls_port: 853
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
- address_data: 9.9.9.9
tls_auth_name: "dns9.quad9.net"
tls_port: 853

===== END ====

So, do I need to specify tsl_port for all providers or only these two?
Also, checks on https://www.cloudflare.com/en-gb/ssl/encrypted-sni/ are negative for SDNS and DNSSeC.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1566
Location: WCentral Indiana USA

PostPosted: Tue Jan 05, 2021 20:52    Post subject: Reply with quote
Alozaros has a more advanced config than I because he is the DNS MAN Wink

As you can see I don't have tsl_port in my config.
If it still doesn't work I think the one in the guide in my signature can be c/p correctly.
It has no ipv6 or quad9 and others you don't want can be commented.

Just noticed mine has duplication error, doesn't matter it still works.

_________________
STUBBY DoT install guide----Forum Guide Lines (Please read!) --- How to get help the right way----PIA Setup Guide by egc----
cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

PostPosted: Tue Jan 05, 2021 21:00    Post subject: Reply with quote
I'll have a look tomorrow again, I need to stop whilst still functional and stable.
I might take you up if at least to compare.
I'm also reading the stubby that sends me here https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers#DNSPrivacyPublicResolvers-DNS-over-TLS(DoT)
So I think stubby is almost ready to fine tune.

What is not complete is the interaction with DNSMasq. I still can only resolve names with #no-resolv in the Additional Dnsmasq Options. I'm not sure yet if I need it but with stubby running now, and that option selected, all "works" , except the checks on https://www.cloudflare.com/en-gb/ssl/encrypted-sni/ tell me I have DNS SEC but no Secure DNS which is the purpose of setting stubby up.
Tomorrow I continue,
Thank you for your guidance.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4253
Location: UK, London, just across the river..

PostPosted: Tue Jan 05, 2021 21:34    Post subject: Reply with quote
stubby work s fine.. if you read my guide carefully you will notice this line is depreciated

Alozaros wrote:
edited:20.09.2020
on the last version of stubby 0.30+ and getDNS (past 1.6) in order stubby to work, this line is depreciated in OpenSSL 1.1.1g and has to be removed..

tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"


so remove it from the set up...

also to test if its working...

tcpdump -i eth0 | grep -Ei 'dns9.quad9.net'

or

netstat -p (it catches it intermittently)

whatever comes via port 853 means is working...
in order to test it with cloudflare test, your first resolver in stubby config must be clouflare...

there are other ways to test it, but it requires you to operate with stubby debug options...

finally .yml config file for stubby is very touchy on intervals(very dependant), so stick to the default file and edit only those values you'd need, as copy paste all the .yml config from the forum may not work at all...

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 45993 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 46395 BS AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 46166 BS AP,NAT,AD/Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 46259 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 46259 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum