Setting up SecureDNS on Netgear R7000

cookiemonsteruk
DD-WRT Novice


Joined: 24 Oct 2015
Posts: 41
Location: UK

Posted: Tue Jan 05, 2021 22:39
Ok, I've commented out the cypher suites line and restarted stubby.
I installed tcpdump (it's great to be able to with entware) and captured some packets. I can see traffic with lines like this:
22:30:11.476646 IP host-9P-29-1AB-XT.asxxxx.net.xxx > dns9.quad9.net.853: Flags [R], seq 3054894708, win 0, length 0
(host redacted)

So from your post, it is working.
I just need now to look into the "#no-resolv" part of DNSMasq and read the manual for stubby to alter the config to behave as I want.
Most obliged!!
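
Added example, not part of the original post: a small BusyBox-compatible shell helper that summarises tcpdump text output like the line above, counting outbound packets to plaintext DNS (port 53) versus DNS over TLS (port 853) and separating 853 packets that carry payload from bare resets. The capture lines and the client address 192.0.2.10 are constructed sample data.

```sh
#!/bin/sh
# Added example: summarise a tcpdump text capture taken on the WAN interface.

sample_capture() {
    # Constructed sample lines (not taken from a real capture).
    cat <<'EOF'
22:30:10.100001 IP 192.0.2.10.40112 > dns9.quad9.net.853: Flags [S], seq 1000, win 29200, length 0
22:30:10.140002 IP 192.0.2.10.40112 > dns9.quad9.net.853: Flags [P.], seq 1:518, ack 1, win 229, length 517
22:30:10.200003 IP 192.0.2.10.40112 > dns9.quad9.net.853: Flags [P.], seq 518:644, ack 3000, win 240, length 126
22:30:11.476646 IP 192.0.2.10.40112 > dns9.quad9.net.853: Flags [R], seq 3054894708, win 0, length 0
22:30:12.000005 IP 192.0.2.10.5353 > 203.0.113.53.53: 4242+ A? example.com. (29)
22:30:12.050006 IP dns9.quad9.net.853 > 192.0.2.10.40112: Flags [.], ack 644, win 501, length 0
EOF
}

summarise_dns_capture() {
    # Reads tcpdump lines on stdin, prints: plain=<n> dot_data=<n> dot_rst=<n>
    awk '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)             # "host.853:" -> "host.853"
            n = split(dst, part, "."); port = part[n] # last component is the port
            if (port == "53" || port == "domain") plain++
            else if (port == "853" || port == "domain-s") {
                if (index($0, "Flags [R")) rst++         # reset, carries no DNS data
                else if ($0 ~ /length [1-9]/) data++     # TLS records with payload
            }
        }
        END { printf "plain=%d dot_data=%d dot_rst=%d\n", plain, data, rst }
    '
}

dot_verdict() {
    # $1 = summary line produced by summarise_dns_capture
    plain=${1#plain=}; plain=${plain%% *}
    data=${1#*dot_data=}; data=${data%% *}
    if [ "$plain" -gt 0 ]; then echo "LEAK: plaintext DNS seen on port 53"
    elif [ "$data" -gt 0 ]; then echo "OK: DoT payload seen, no port 53 traffic"
    else echo "INCONCLUSIVE: no DoT payload in capture"
    fi
}

summary=$(sample_capture | summarise_dns_capture)
echo "$summary"
dot_verdict "$summary"
```

On the router, pipe live tcpdump text output into summarise_dns_capture in place of sample_capture.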
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Wed Jan 06, 2021 0:18
no-resolv is part of the DNSmasq config; it literally tells DNSmasq not to use any other DNS servers specified in those x3 boxes from the basic setup page or fetched from the ISP, but to use those specified in the DNSmasq config, like server=
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
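
Added example, not from the original thread: a shell check for the behaviour described above, reporting whether no-resolv is actually active (a commented "#no-resolv" is not) and whether any server= line points away from the local stub. The stubby listen address 127.0.0.1#5453 is an assumed value for illustration.

```sh
#!/bin/sh
# Added example: audit dnsmasq options for upstreams that bypass the local DoT stub.

weak_config() {
    # Constructed sample: no-resolv is commented out, so resolv-file servers still apply.
    cat <<'EOF'
#no-resolv
server=127.0.0.1#5453
EOF
}

fixed_config() {
    # Constructed sample: only the local stub (assumed port 5453) is used.
    cat <<'EOF'
no-resolv
server=127.0.0.1#5453
EOF
}

audit_dnsmasq_upstreams() {
    # Reads dnsmasq options on stdin and prints one finding per line (nothing if clean).
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }                 # "#no-resolv" is a comment, not a setting
        /^no-resolv[ \t]*$/ { noresolv = 1; next }
        /^server=/ {
            addr = substr($0, 8)
            sub(/^\/.*\//, "", addr)          # drop a /domain/ prefix
            sub(/#.*$/, "", addr)             # drop #port
            sub(/@.*$/, "", addr)             # drop @interface
            if (addr ~ /^127\./ || addr == "::1") local++
            else print "EXTERNAL_UPSTREAM " addr
        }
        END {
            if (!noresolv) print "RESOLV_FILE_IN_USE"   # ISP or GUI servers still queried
            if (!local) print "NO_LOCAL_STUB"           # nothing points at the stub
        }
    '
}

echo "weak config findings:";  weak_config  | audit_dnsmasq_upstreams
echo "fixed config findings:"; fixed_config | audit_dnsmasq_upstreams
```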
cookiemonsteruk
Posted: Wed Jan 06, 2021 23:03
I can confirm stubby is working with your help.
I'm reading documentation from stubby and getdns to tweak if necessary.
Thanks for the explanations.
One last question for @bushant if I may:

I'm using your startup script:
Code:
#!/bin/sh
logger -t S61stubby "Starting Stubby DNS over TLS $0"
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func

Would you mind elaborating on why there are two lines for PATH and the use of "-g -v 5" in the ARGS variable?
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

Posted: Wed Jan 06, 2021 23:28
I only plagiarized that script by @vibranto
from the "DNS over TLS" or "DNS over HTTPS" thread.

Mhmm Looking at that now it appears to have been streamlined since I grabbed it.

_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
cookiemonsteruk
Posted: Thu Jan 07, 2021 14:51
Right. Apologies @vibranto for not realising this.
Any info on this will be appreciated. So far the documentation for Stubby has nothing I can spot for options -g -v {number}
bushant
Posted: Thu Jan 07, 2021 18:34
To be honest, stubby started working right out of the box a year and a half ago for me
and I have never messed with it much, only added and subtracted servers a couple of times.

But a while ago I tried the S61stubby.sh script as it currently is in @vibranto's post on page 3 of that thread.
It does not work.
Code:
/opt/etc/init.d/S61stubby.sh start
Permission Denied.

cookiemonsteruk
Posted: Thu Jan 07, 2021 21:14
That's just permissions. If you're running it as root, chances are it just needs a full shell line, for instance:
root@DD-WRT:/opt# /bin/sh /opt/etc/init.d/S61stubby.sh check
for a check. If it doesn't give you a "Permission denied", then that would do for
root@DD-WRT:/opt# /bin/sh /opt/etc/init.d/S61stubby.sh start
and it will work.

Hopefully @vibranto will see this question at some point and educate me.
Thanks @bushant.
Alozaros
Posted: Fri Jan 08, 2021 8:50
cookiemonsteruk

if you read the guide carefully you'd find that
this script you create once via CLI, you don't need it created/inserted in start up script, as it resides in /opt/etc/init.d/S61stubby.sh

just follow the guide in my link:

opkg install nano (click enter)

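then type:
nano /opt/etc/init.d/S61stubby.sh
paste this script:

#!/bin/sh
# write a start marker to syslog, tagged S61stubby
logger -t S61stubby "Starting Stubby DNS over TLS $0"
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
ENABLED=yes
PROCS=stubby
# -g: run stubby in the background; -v 5: log level 5 (NOTICE); -C: config file to read
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS=""
DESC=$PROCS
# this assignment replaces the PATH exported above and puts the Entware /opt directories first
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Entware's rc.func reads the variables above and handles start/stop/check
. /opt/etc/init.d/rc.func

then press
(ctrl+x)
(click Y)
(click enter)

then type
chmod +x /opt/etc/init.d/S61stubby.sh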

cookiemonsteruk
Posted: Fri Jan 08, 2021 10:26
Yes, this startup script is working fine. Stubby is working, the startup script below is called from admin command at boot. All good.
I am asking for an explanation of what the variables do.
My searches have taken me to the original that seems to have come from another forum. I'll look there.
So thanks for the help, it got me with Stubby working fine.
wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

Posted: Sun Jan 10, 2021 18:02
Smartdns is also a good alternative, works well for me, better than Stubby. There is a thread explaining how to get it going with dns over tls here:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896
One advantage is that it does not require Entware

_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
Alozaros
Posted: Sun Jan 10, 2021 21:11
wabe wrote:
Smartdns is also a good alternative, works well for me, better than Stubby. There is a thread explaining how to get it going with dns over tls here:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896
One advantage is that it does not require Entware


wabe, if you didn't notice, the same chap populated on both threads...

cookiemonsteruk
Posted: Mon Jan 11, 2021 9:53
Thanks both for taking the time to assist.
All times are GMT