How To Guide: Encrypt DNS on your DD-WRT

DD-WRT Forum Index -> Advanced Networking, page 2 of 3
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Thu May 06, 2021 15:40
On the WRT3200ACM the fallback build currently regarded as the relatively "stable" option is 44048. Before that one, 40009 was the go-to build for some time. Newer builds are giving 3200 owners considerable stress, but if you want to try, 46069 is working for some people, particularly those without Apple devices in their networks. See the new-build threads for more detail.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
itwontbewe
DD-WRT User


Joined: 29 Sep 2020
Posts: 260
Location: United States

Posted: Wed Jun 09, 2021 13:10
Your custom conf has to be at

/jffs/etc/unbound.conf

https://svn.dd-wrt.com/changeset/30220
https://svn.dd-wrt.com/changeset/36376

The tinkeruntilitworks guide had it wrong until 04/27/20.
whatsashell
DD-WRT Novice


Joined: 26 Mar 2017
Posts: 38

Posted: Sat Jun 12, 2021 0:04
Has anyone had their ISPs say anything about this?

Just a quick Wireshark test and it becomes painfully clear you're running a DNS server with all these encrypted requests.
ATHF
DD-WRT Guru


Joined: 14 Dec 2015
Posts: 774
Location: 127.0.0.1

Posted: Sun Jun 20, 2021 6:44
whatsashell wrote:
Has anyone had their ISPs say anything about this?

Just a quick Wireshark test and it becomes painfully clear you're running a DNS server with all these encrypted requests.

I haven't been doing it this way, but I have Raspberry Pis doing the DNS with encryption for 4 months and no problems here.

_________________
Tutorial for flashing WRT series
WRT Installation,Upgrade & Basic Setup–Cliff Notes
r52242: WRT3200ACM, WRT1200ACv1 & 1 Velop in bridge mode(IoT subnet), r52242 WRT1900ACv1 AP
Velop:2 WHW0101, RE6500, RE9000(AP)
Spectrum - 1000/50
SysLog Watcher 5, New security Onion box coming soon, Fingboxes, PiHoles, NEMS, Cacti, rpisurv
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sun Jun 20, 2021 12:14
whatsashell wrote:
Has anyone had their ISPs say anything about this?

Just a quick Wireshark test and it becomes painfully clear you're running a DNS server with all these encrypted requests.


It's up to your ISP agreement, but in most cases they shouldn't have a word against it, as it all goes encrypted via firewall-bypassing ports 443, 853, etc.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
jifffy
DD-WRT User


Joined: 08 Jun 2020
Posts: 58

Posted: Mon Jul 12, 2021 17:42
"You'll need to edit the locations of chroot, directory, and root-hints"
Edit them how and to what exactly? Can you give an exact example?
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

Posted: Mon Sep 18, 2023 0:04    Post subject: Re: How To Guide: Encrypt DNS on your WRT
NBA Jam wrote:
----------------------------------------------------------------------------------
Updates

04/26/20: If Cloudflare's DoT checker is not verifying encrypted DNS

Cloudflare's DNS over TLS checker has recently been unable to verify if DoT is set up for me using multiple routers with different firmwares (DD-WRT and Merlin).

The easiest way to verify it is to disable NTP and reboot your router. Your router must have the correct time for DoT to work. If DNS stops working, then you can be reasonably sure that DoT is set up correctly.

The other option that will truly verify it is by plugging a switch in between your modem and the router and running Wireshark on another device on the same switch. Filter it down to port 853. It is working if DNS queries are going out on port 853.

04/19/20: Updated for unbound v1.10.0

- unbound.conf should be stored in /jffs/unbound
- Additional files needed (updates in Configuration steps 1-5)

Thanks, tinkeruntilitworks!
Source: Unbound DNS over TLS Adblock up-to-date root.hints

----------------------------------------------------------------------------------

I recently got DNS over TLS (DoT) set up on my WRT1900AC. Here's a guide on how I got it set up. If nothing works, it's completely reversible by unchecking Recursive DNS Resolving (Unbound) on the Setup page.

This works successfully on a WRT1900AC v1 with Firmware Version r39572. This will probably work on other models as well, especially those of the WRT type, but I have not tested them.

GUI Settings

1. Set a time server by IP Address

DoT requires that your time be set correctly, otherwise nothing can be validated and the DNS server gets all fussy. Since you need DNS to resolve a domain name, you have to use an IP address of a time server.

Check the NIST International Time Server List for one that will work for you. This must work on boot-up, so try out a few to see which ones respond right away. For me, 128.138.141.172 (utcnist2.colorado.edu) worked great.

2. Enable Recursive DNS Resolving (Unbound)

On your Setup page, check the "Recursive DNS Resolving (Unbound)" box under DHCP.



When you check this box, you're effectively handing control over from DNSMasq to Unbound for your DNS queries. Wanna know more about Unbound? The nice folks on the DD-WRT Wiki made this handy dandy guide.

3. Get a JFFS share set up

You'll need this to save your Unbound configuration file permanently, but it can also be used to install Entware.

Head over to the Administration page and check "Enable" under JFFS2 Support for Internal Flash Storage and check "Clean internal flash storage." Once you do this, reboot your router. You should now have JFFS space available. The router will automatically uncheck the "Clean internal flash storage" option after the reboot to prevent clearing all of your JFFS space every time you reboot.



Command Line Settings

Now's the fun part where you get to play around as root in Bash. How often do you get to do that without needing to document why you made every keystroke to some 450-question million-dollar documentation system that asks you if you're really really really sure you copied and pasted a 32kb text document correctly? At home where you can break your own shit without consequence, that's when.

SSH into your router as root.

1. Create a new file

Run the below script to create a new file.
Code:
cd /tmp
touch yourmom

lol

2. Install Entware

Follow this guide to get it installed.

The preferred method is to plug a USB stick into the back of the router and install Entware there. If you're lazy like me, you have plenty of extra Flash storage available to do this.

If you go the flash route, remember that it has a limited write life and was not designed for write-heavy applications. You'll probably never write to it enough to get to that point, but keep that in mind if you decide to install additional software on it.

Important Note: If your JFFS space is mounted in flash, you'll need to mount it to /opt before installing Entware. Do that with this script.

Code:
mkdir /jffs/opt
mount -o bind /jffs/opt /opt

The first line creates a new directory called opt in JFFS. This is where all of your stuff will get written. The second mounts it to /opt where Entware is looking during the install. This forces Entware to install to the internal flash JFFS.

Configuring Unbound

A temporary configuration file for Unbound has been created for you already. You just need to make a few slight modifications to it and save it as a permanent file.

1. Create the unbound directory in JFFS

Unbound will look for a permanent configuration file here, if it exists.

Code:
mkdir /jffs/unbound


2. Copy the pre-made Unbound config file to /jffs/unbound

Self-explanatory.

Code:
cp /etc/unbound/unbound.conf /jffs/unbound


3. Download root hints
(Credit: tinkeruntilitworks)

Code:
curl -sS --output /jffs/unbound/root.hints https://www.internic.net/domain/named.cache


4. Copy the root key
(Credit: tinkeruntilitworks)

Code:
cp /etc/unbound/root.key /jffs/unbound


5. Edit the unbound configuration file to use DNS over TLS

You'll have to do this through.....vi. Yes, I know. It's weird if you haven't used it. Look, it's not that bad. It's just from a different time! I'll walk you through it. It's going to be okay.

Code:
vi /jffs/unbound/unbound.conf

Here's all you need to know.

1. Hit 'i' to start inserting and writing text. Navigate with the arrow keys (that's all you'll need with how small this is).
2. When you're done, hit 'esc'
3. Type ':', then hit 'wq'. This means write the changes and quit.

Use the below unbound.conf as a template. You'll need to edit the locations of chroot, directory, and root-hints. You'll also be adding a few different lines under forward-zone:.

Lines under forward-zone: tell Unbound that you'd like to use DNS over TLS, and give it the DNS servers that you'd like to use. Copy these verbatim. If you would like to use other DNS servers or want to know more about what these settings are doing, check out this more detailed guide.

Code:

server:
    tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
    verbosity: 1
    interface: 0.0.0.0@7053
    interface: ::0@7053
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    msg-buffer-size: 8192
    msg-cache-size: 1m
    num-queries-per-thread: 30
    rrset-cache-size: 2m
    infra-cache-numhosts: 200
    username: ""
    pidfile: "/var/run/unbound.pid"
    chroot: "/jffs/unbound"
    directory: "/jffs/unbound"
    # the file downloaded in Configuration step 3
    root-hints: "/jffs/unbound/root.hints"
    hide-version: yes
    hide-identity: yes
    prefetch: yes
    target-fetch-policy: "2 1 0 0 0 0"
    harden-short-bufsize: yes
    harden-large-queries: yes
    key-cache-size: 100k
    neg-cache-size: 10k
    num-threads: 2
    so-reuseport: yes
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2
    outgoing-range: 462
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    local-data: "localhost A 127.0.0.1"
    # local-data needs the record type (A) between name and address
    local-data: "DD-WRT A 192.168.1.1"
python:
remote-control:
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com


You should now be all set. Reboot your router and give it a whirl. If successful, you will be able to access the internet and also pass the Cloudflare DNS over TLS test.



Troubleshooting

Literally no website works

1. Check that your time server is successfully setting your time. Syslog will be your friend here.

2. Make sure that your time zone is set correctly

3. Make sure that you spelled the name of the DNS servers after the # correctly in your unbound config file

4. Check that your CA certificate bundle is actually there

5. Check that your unbound.conf file points to your CA certificate bundle and that you didn't misspell anything while fiddling around in vi

Remember: you can always go back by unchecking Recursive DNS Resolving (Unbound) on the Setup page. If nothing is working right and you can't figure it out, simply turn it off and let DNSMasq take over. Grab a drink and take a whack at it tomorrow. Unless you're Edward Snowden or Jason Bourne, you can live another day with someone potentially knowing how many times your IP address visited that kinky site that day.

Cloudflare can't verify if DNS over TLS is working

From what I can tell, you need to use Cloudflare's DNS server for it to verify. Once you have it all verified and are certain that DNS over TLS is set up properly, you can use any DNS server that supports DNS over TLS.

Alternatively, you can use Wireshark between your modem and router to review your DNS queries. If your DNS queries are going out over port 853, then congratulations! It's set up!


Hey, I'm trying to follow your DNS over TLS guide here. One problem I am having is that I already have Entware installed to a USB stick, and my USB is mounted at /opt. So I have modified your guide so that anytime you have /jffs/* in your path or commands, I replaced /jffs with /opt/. I completed the guide, but it looks like unbound is still using the configuration file unbound.conf located in /tmp/unbound.conf. I don't think it's using my unbound.conf located in /opt/unbound/unbound.conf. How can I get unbound to use my unbound.conf file as opposed to the default /tmp/unbound.conf file? How can I get this guide to fully work with using Entware on a USB and NOT using jffs2 or the /jffs directory? Let me know if you can! Thanks!
_________________
DanRanRocks - Tech Tutorials by Dan Ran

https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase

Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)
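The guide's troubleshooting items 3 to 5 (server name after the '#', CA bundle present, tls-cert-bundle set) can be checked before rebooting with a small script like this one. It is an added example, not part of the guide or of DD-WRT; the two sample configs and the stand-in bundle file are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the guide: pre-flight check of an unbound.conf DoT
# forwarder. Verifies forward-tls-upstream, that tls-cert-bundle is set and
# the file exists, and that every forward-addr is IP@853#hostname. POSIX sh,
# so it also runs in BusyBox ash on the router.

# Print the first value of key $2 in file $1, surrounding quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Check the DoT-relevant settings of an unbound.conf.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_dot_conf() {
    conf=$1
    rc=0
    [ "$(conf_value "$conf" forward-tls-upstream)" = "yes" ] \
        || { echo "forward-tls-upstream is not 'yes'"; rc=1; }
    bundle=$(conf_value "$conf" tls-cert-bundle)
    if [ -z "$bundle" ]; then
        echo "tls-cert-bundle is not set"; rc=1
    elif [ ! -r "$bundle" ]; then
        echo "CA bundle not found: $bundle"; rc=1
    fi
    # The name after '#' is what the server certificate is verified against,
    # so a typo there (troubleshooting item 3) silently breaks resolution.
    for addr in $(sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p' "$conf"); do
        case "$addr" in
            *@853#?*) ;;
            *) echo "forward-addr lacks @853#hostname: $addr"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample inputs so this runs offline. On the router the bundle
# path is /etc/ssl/ca-bundle.crt; here an empty stand-in file is used.
WORK=${TMPDIR:-/tmp}/unbound-dot-demo
mkdir -p "$WORK"
FAKE_BUNDLE=$WORK/ca-bundle.crt
: > "$FAKE_BUNDLE"
GOOD_CONF=$WORK/good.conf
cat > "$GOOD_CONF" <<EOF
server:
    tls-cert-bundle: "$FAKE_BUNDLE"
    chroot: "/jffs/unbound"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
BAD_CONF=$WORK/bad.conf   # TLS flag off and one upstream missing its name
cat > "$BAD_CONF" <<EOF
server:
    tls-cert-bundle: "$FAKE_BUNDLE"
forward-zone:
    name: "."
    forward-tls-upstream: no
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853
EOF
echo "== good.conf"; check_dot_conf "$GOOD_CONF" && echo "OK to reboot"
echo "== bad.conf";  check_dot_conf "$BAD_CONF"  || echo "fix before rebooting"
```

Run it against /jffs/unbound/unbound.conf on the router by passing that path to check_dot_conf instead of the sample files.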
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Mon Sep 18, 2023 1:21
Read. Through. The. Entire. Thread. And. All. Linked. Resources.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

Posted: Fri Oct 06, 2023 19:57
dale_gribble39 wrote:
Read. Through. The. Entire. Thread. And. All. Linked. Resources.


But I have and I'm not seeing anything that helps me fix this. Some advice would be more welcome than just telling me to read what I have already read a hundred times.

hifiboy
DD-WRT Novice


Joined: 18 Nov 2021
Posts: 45

Posted: Thu Oct 26, 2023 9:15
Wouldn't SmartDNS do the same function of sending DNS requests encrypted, either DoT or DoH? It is simple to use. What would be the advantage of doing it this way?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Oct 26, 2023 9:29
hifiboy wrote:
Wouldn't SmartDNS do the same function of sending DNS requests encrypted, either DoT or DoH? It is simple to use.


Absolutely, that is why I am using SmartDNS :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Thu Oct 26, 2023 10:17
Well, there are a whole lot of differences among all those, with the same result at the end... :D

Unbound has lots of options, same as DNSCrypt; they both have a serious handle on DNS and local DNS, where DNSCrypt has the best anonymisation among them all.

SmartDNS also handles a hell of a lot of settings and comes along with DD-WRT, so you don't need Entware at all, and this makes it a very preferable option, not to mention the tons of settings that it offers.
Stubby (GetDNS) is the simplest of them all and it's very light; sadly it still only offers DoT.

You can find lots of details on the subject here:

https://dnsprivacy.org/
https://duckduckgo.com/?t=ftsa&q=unbound+vs+dnscrypt+vs+stubby&ia=web

dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Thu Oct 26, 2023 15:18
atomicamp wrote:
dale_gribble39 wrote:
Read. Through. The. Entire. Thread. And. All. Linked. Resources.


But I have and I'm not seeing anything that helps me fix this. Some advice would be more welcome than just telling me to read what I have already read a hundred times.

itwontbewe wrote:
Your custom conf has to be at

/jffs/etc/unbound.conf

https://svn.dd-wrt.com/changeset/30220
https://svn.dd-wrt.com/changeset/36376

The tinkeruntilitworks guide had it wrong until 04/27/20.

Of course, the current revision of https://svn.dd-wrt.com/browser/src/router/services/services/unbound.c does not have that code. So, at some point, the custom config was completely removed. Not sure if this was intentional to save space or an oversight.

EDIT: Seems the change happened @43979 (diff)

https://svn.dd-wrt.com/browser/src/router/services/services/unbound.c?rev=43979
https://svn.dd-wrt.com/browser/src/router/services/services/unbound.c?rev=43433

Further linked reading: Unbound DNS over TLS Adblock up-to-date root.hints

itwontbewe
DD-WRT User


Joined: 29 Sep 2020
Posts: 260
Location: United States

Posted: Thu Oct 26, 2023 17:20
If you're starting Unbound from the UI, it needs to be at
/jffs/etc/unbound.conf

If you are starting Unbound from a startup script, it can be elsewhere.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Thu Oct 26, 2023 18:09
itwontbewe wrote:
If you're starting Unbound from the UI, it needs to be at
/jffs/etc/unbound.conf

If you are starting Unbound from a startup script, it can be elsewhere.

Unless the previous custom configuration code is on the internal build server and not sync'd back to public repo (i.e. a missing commit), kind of interesting that it works for you. Local copy at current head:
Code:
user@host:~/DD-WRT$ grep -rli /jffs/etc/unbound.conf *
user@host:~/DD-WRT$ ls
ar5315_microredboot  image  Makefile  opt  README.md  redboot  src  tools
user@host:~/DD-WRT$ grep -rli /jffs/etc/unbound.conf ./src
user@host:~/DD-WRT$ grep -rli /jffs/etc/unbound.conf src/
user@host:~/DD-WRT$

Unless the specific bits syntax has changed or is hard-coded somewhere else in the source code, custom configs are gone outside of using a startup script. Unbound has been updated since either thread was started.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net