SMARTDNS Guide

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat Jun 25, 2022 18:26
It looks like you do not need a Client side certificate to work? I am still investigating this

When using only DoH servers my log looks clean

Logging is really helpful; you can also add an audit log and send the logs to /jffs etc.

But unfortunately only users using X86 or using a Community build do have logging.

It adds about 16 KB to a build and of course you have to have room in RAM for the log itself, but that can be written to USB (that is what I do; I override it in the Additional Options, also an invention of yours truly Smile )

I have made logging optional so that with the config parameter:
Code:
CONFIG_SMARTDNS_LOG=y

It can be added to the build but it is up to our no 1 to implement it for routers he sees fit Smile

I will politely ask him tomorrow

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sat Jun 25, 2022 19:59
egc wrote:
It looks like you do not need a Client side certificate to work? I am still investigating this

When using only DoH servers my log looks clean

Logging is really helpful; you can also add an audit log and send the logs to /jffs etc.

But unfortunately only users using X86 or using a Community build do have logging.

It adds about 16 KB to a build and of course you have to have room in RAM for the log itself, but that can be written to USB (that is what I do; I override it in the Additional Options, also an invention of yours truly Smile )

I have made logging optional so that with the config parameter:
Code:
CONFIG_SMARTDNS_LOG=y

It can be added to the build but it is up to our no 1 to implement it for routers he sees fit Smile

I will politely ask him tomorrow


yep sounds like a plan... Laughing Cool

Did you check with Wireshark if the DoH requests have an encrypted payload?

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Sat Jun 25, 2022 20:09
Alozaros wrote:
i guess those are too big to fit in the flash, but on all 16MB+ flashsize routers they must be there...
Not all 16MB flash routers supported by DD-WRT have proper firmware images. A couple of examples are the Linksys E3200 v1 and E4200 v1; Using the bits for the EA2700 and a little casting of the right spells corrects this. Don't know why it was never offered as an option outside of these devices being lumped in with the other Linksys E-series which only have 8MB flash.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Jun 26, 2022 13:00
I have made a patch which makes the logging optional by adding:
CONFIG_SMARTDNS_LOG=y
To the config file

Why optional because it adds 16 KB to the build size and there are low end routers which are filled to the brim.

So only select routers can have it added to the config file and have a slightly larger build size

Unfortunately our CEO does not like it.

So no logging for you Sad

tcpud
DD-WRT Novice


Joined: 23 Jun 2022
Posts: 12

Posted: Sun Jun 26, 2022 13:42
From the wiki, it appears that smartdns can also be used to block ads. Smile
I came across a list for it as a URL at https://github.com/privacy-protection-tools/anti-AD

How could this be added in the additional settings?
itwontbewe
DD-WRT User


Joined: 29 Sep 2020
Posts: 260
Location: United States

Posted: Sun Jun 26, 2022 15:00
When I ran smartdns I used the below. I reran the script in the CLI to update. It didn't work as well as a hosts file or dnsmasq blocking in certain situations, but it was OK. * It is way more efficient than unbound though
Code:
# fetch the StevenBlack unified hosts list
curl --output /tmp/overrid https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
# keep the 0.0.0.0 sinkhole entries, skip the "0.0.0.0 0.0.0.0" self-entry,
# and emit SmartDNS "address /name/#" rules (the directive is lower-case)
grep '^0\.0\.0\.0' /tmp/overrid | awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print "address /"$2"/#" }' > /tmp/smartdns.more.conf
mv /tmp/smartdns.more.conf /jffs/etc
rm -f /tmp/overrid
stopservice smartdns
startservice smartdns


Additional SmartDNS Options
Code:
conf-file /jffs/etc/smartdns.more.conf


For your link you could do something like putting the below in Save Startup and rerunning it in the CLI as needed.
Code:
curl --output /tmp/smartdns.more.conf https://raw.githubusercontent.com/privacy-protection-tools/anti-AD/master/anti-ad-smartdns.conf
stopservice smartdns
startservice smartdns


Additional SmartDNS Options
Code:
conf-file /tmp/smartdns.more.conf


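A more defensive version of the hosts-to-SmartDNS conversion above, added here as an example and not code from the thread: it strips comments, skips the loopback and "0.0.0.0 0.0.0.0" self-entries, handles several names per line, lower-cases names and de-duplicates them. The sample hosts content is constructed; only a POSIX sh with awk (BusyBox works) is assumed.

```shell
#!/bin/sh
# Added example: turn a hosts-format blocklist into SmartDNS "address /domain/#"
# rules. Assumes POSIX sh + awk (BusyBox on the router is fine).

# Constructed sample in StevenBlack hosts layout: header comment, loopback
# entries, the "0.0.0.0 0.0.0.0" self-entry, mixed case, several names on one
# line, an inline comment, a duplicate and a malformed name.
SAMPLE_HOSTS='# Title: constructed sample
127.0.0.1 localhost
::1 ip6-localhost ip6-loopback
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com   # inline comment
0.0.0.0 Tracker.Example.NET extra.example.org
0.0.0.0 ads.example.com
0.0.0.0 bad!name.example.com'

# hosts_to_smartdns: hosts file on stdin, SmartDNS config on stdout.
# Keeps only sinkhole entries (0.0.0.0 / 127.0.0.1), drops comments and the
# loopback/self names a hosts file needs but a resolver blocklist must not
# contain, lower-cases names, rejects malformed ones and de-duplicates.
hosts_to_smartdns() {
    awk '
        { sub(/#.*/, "") }                              # strip comments
        NF < 2 { next }                                 # need "ip name..."
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }   # sinkhole lines only
        {
            for (i = 2; i <= NF; i++) {
                d = tolower($i)
                if (d == "0.0.0.0" || d == "localhost" || d == "localhost.localdomain" ||
                    d == "broadcasthost" || d == "local" || d ~ /^ip6-/) continue
                if (d !~ /^[a-z0-9._-]+$/ || d ~ /^[.-]/ || d ~ /\.\./) continue
                if (!(d in seen)) { seen[d] = 1; print "address /" d "/#" }
            }
        }'
}

# count_rules: number of address rules produced for the constructed sample.
count_rules() {
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_smartdns | wc -l | tr -d ' '
}

# Typical use on the router, with the paths used in the thread:
#   hosts_to_smartdns < /tmp/overrid > /jffs/etc/smartdns.more.conf
#   stopservice smartdns && startservice smartdns
```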
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sun Jun 26, 2022 15:37
egc wrote:
I have made a patch which makes the logging optional by adding:
CONFIG_SMARTDNS_LOG=y
To the config file

Why optional because it adds 16 KB to the build size and there are low end routers which are filled to the brim.

So only select routers can have it added to the config file and have a slightly larger build size

Unfortunately our CEO does not like it.

So no logging for you Sad


Worse than adding things that may affect limited flash size routers, is that those routers that have 128MB flash size (32MB for dd-wrt) for instance are affected in the reverse, for instance, openssl is severely neutered, Dropbear side, we can't have e.g. ECDSA cipher for SSH because that adds 30KB uncompressed (recently CHACHAPOLY was enabled which added 10KB, putty supports it since 2015)

Some more #ifdefs and openssl/dropbear builds that offer more ciphers for those of us which still have 34 free blocks to fill on our DD-WRT flash partition and likely would find these extra things saner to manage the router via SSH remotely.

But I'm not complaining, I already suggested that JFFS is hogging too much space anyway, we could do with another 10MB for DD-WRT and actual cool modern features.

Our CEO sadly is too busy, but I'm sure patches are welcome to improve this further

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Jun 26, 2022 15:58
Agreed 100%
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Jun 29, 2022 7:12
the-joker wrote:
egc wrote:
I have made a patch which makes the logging optional by adding:
CONFIG_SMARTDNS_LOG=y
To the config file

Why optional because it adds 16 KB to the build size and there are low end routers which are filled to the brim.

So only select routers can have it added to the config file and have a slightly larger build size

Unfortunately our CEO does not like it.

So no logging for you Sad


Worse than adding things that may affect limited flash size routers, is that those routers that have 128MB flash size (32MB for dd-wrt) for instance are affected in the reverse, for instance, openssl is severely neutered, Dropbear side, we can't have e.g. ECDSA cipher for SSH because that adds 30KB uncompressed (recently CHACHAPOLY was enabled which added 10KB, putty supports it since 2015)

Some more #ifdefs and openssl/dropbear builds that offer more ciphers for those of us which still have 34 free blocks to fill on our DD-WRT flash partition and likely would find these extra things saner to manage the router via SSH remotely.

But I'm not complaining, I already suggested that JFFS is hogging too much space anyway, we could do with another 10MB for DD-WRT and actual cool modern features.

Our CEO sadly is too busy, but I'm sure patches are welcome to improve this further



I can patch all of this (as I have done for SmartDNS logging) and make things all optional, but sadly it is not implemented.
The burden of maintaining all the config files is too much

I only have to maintain about 10 config files so for me it is easy

dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Wed Jun 29, 2022 11:35
the-joker wrote:
Worse than adding things that may affect limited flash size routers

  • ProFTPD -> vsftpd (I have seen no reason to have a big fat ftpd package that is being underutilized for functionality)
  • Do a complete upstream merge with busybox 1.35.x stable tree (there's code reductions not present in DD-WRT and no reason, not even due to having builds with Linux 2.4 to not do so)

I could go on and on and on. Think outside the box of accepting what is there is completely upstream code.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon Jul 04, 2022 7:52
So... I tested SmartDNS on 49392 via the 1043v2 router as well as on the R7800... Cool

So, if I check cat /tmp/smartdns.conf
those settings come by default

Code:
bind :6053
prefetch-domain yes
serve-expired yes
log-size 64K
log-num 1
log-level error
log-file /tmp/smartdns.log

--------------------------------------
to make it work you have to disable
-Validate DNS Replies (DNSSEC) from the advanced DNSmasq rules
-as well as delete any static DNS entries from anywhere
as no-resolv or ignore WAN DNS are settings that concern the DNSmasq config, but not the SmartDNS config, so if any DNS servers are present anywhere else they will be fetched into smartdns.conf too

The only lines needed in the SmartDNS config box are the https or tls DNS servers to use, all added in this format:
Code:
server-https https://9.9.9.9/dns-query
server-tls 78.46.244.143:853 -host-name: dot-de.blahdns.com
server-tls 9.9.9.9:853 -host-name: dns.quad9.net


also looking at this changeset...
https://svn.dd-wrt.com/changeset/49397

I guess it's not a bad idea to add tls to it too...
as both use certificates I guess... the thing is I haven't tested the encrypted payload with Wireshark yet, but with the test at https://1.1.1.1/help/ if cloudflare is used with both options, tls or https, the payload is confirmed; no idea how the heck cloudflare is testing it... but it should be good I guess.. Embarassed

p.s. CONFIG_SMARTDNS_LOG=y is not added yet ??
so far, no log... Rolling Eyes

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jul 04, 2022 10:15
To add: the WireGuard DNS and the pushed OpenVPN client DNS are also used, so do not use any WG DNS and disable the OpenVPN client DNS (pull-filter ignore "dhcp-option DNS") if applicable.

Unfortunately no logging for the lesser mortals.

Patch is there and if you build with CONFIG_SMARTDNS_LOG=y then the logging is enabled, but our beloved no1 does not want to have the burden of configuring all the config files so he said no Sad

I think it is a missed opportunity, it can be very helpful to see what is going on (that is why I could spot that SmartDNS could not find the cert, so I submitted https://svn.dd-wrt.com/changeset/49397 ) and also to use the audit log (you can simply write to USB)

But checking all the config files and checking if the routers build with it can have an extra 16KB added to the build size is a lot of work.

But maybe someone else can convince him.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jul 04, 2022 14:06
I will add a "no-resolv" option so that smartdns does not take any DNS servers already present

Need a better name for it, suggestions?

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Mon Jul 04, 2022 15:14
egc wrote:
I will add a "no-resolv" option so that smartdns does not take any DNS servers already present

Need a better name for it, suggestions?

Well, depends what it actually does, label names should be max 3 words where possible.

This isn't anything to do with DNS over UDP, or is it?

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jul 04, 2022 15:43
No, nothing with DNS over UDP.

At this moment existing DNS servers e.g. the ones from static DNS, or the WAN DNS or pushed from OpenVPN or WireGuard are added to the smart DNS servers (as plain DNS servers)

So even if you are using DoH or DoT the plain DNS servers are also used and that is of course not what you want.

You can meticulously remove all static DNS, Local DNS, ignore WAN DNS, not use WG DNS and disable the pushing of OpenVPN DNS servers but a simple switch which prevents the adding of DNS servers to the smartdns.conf is easier Smile

So the switch will let you choose between using the already present DNS servers or using the DNS servers you specify in the Additional SmartDNS options.

It is just as if you have specified no-resolv in DNSMasq

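A small audit for the problem egc and Alozaros describe above (plain WAN, static, WireGuard or OpenVPN DNS servers landing in smartdns.conf next to the DoH/DoT ones), added here as an example and not anything from DD-WRT or SmartDNS: it lists the plaintext `server`/`server-tcp` upstreams in a generated config and fails if any is present. The sample config is constructed from the defaults quoted earlier in the thread; a POSIX sh with awk is assumed.

```shell
#!/bin/sh
# Added example: check a generated smartdns.conf for unencrypted upstreams.
# Assumes POSIX sh + awk. The config below is constructed: the defaults
# quoted in the thread plus two plaintext servers pulled in from WAN/static DNS.
SAMPLE_CONF='bind :6053
prefetch-domain yes
serve-expired yes
log-size 64K
log-num 1
log-level error
log-file /tmp/smartdns.log
server 192.0.2.1            # WAN DNS pulled in by the build script (constructed)
server-tcp 192.0.2.2:53     # static DNS entry, still plaintext (constructed)
server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name dns.quad9.net'

# upstreams <kind>: print the upstream addresses of one kind from stdin.
# "plain" = server / server-tcp (unencrypted); "encrypted" = server-tls / server-https.
upstreams() {
    awk -v kind="$1" '
        { sub(/#.*/, "") }                                                  # drop comments
        NF < 2 { next }
        kind == "plain"     && ($1 == "server" || $1 == "server-tcp")       { print $2 }
        kind == "encrypted" && ($1 == "server-tls" || $1 == "server-https") { print $2 }
    '
}

# check_upstreams: config on stdin; returns 0 when every upstream is encrypted,
# 1 when a plaintext upstream is mixed in (the leak described in the thread),
# 2 when no upstream was found at all (SmartDNS would have nothing to forward to).
check_upstreams() {
    conf=$(cat)
    plain=$(printf '%s\n' "$conf" | upstreams plain)
    enc=$(printf '%s\n' "$conf" | upstreams encrypted)
    if [ -n "$plain" ]; then
        printf 'plaintext upstream(s) present: %s\n' "$(printf '%s' "$plain" | tr '\n' ' ')" >&2
        return 1
    fi
    [ -n "$enc" ] || return 2
    return 0
}

# On the router: check_upstreams < /tmp/smartdns.conf
```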