Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Sat Jun 25, 2022 18:26 Post subject:
It looks like you do not need a Client side certificate to work? I am still investigating this
When using only DoH servers my log looks clean
Logging is really helpful; you can also add an audit log and send the logs to /jffs etc.
But unfortunately only users using X86 or using a Community build do have logging.
It adds about 16 KB to a build and of course you have to have room in RAM for the log itself, but that can be written to USB (that is what I do; I override it in the Additional Options, also an invention of yours truly).
I have made logging optional so that with the config parameter:
Code:
CONFIG_SMARTDNS_LOG=y
It can be added to the build but it is up to our no 1 to implement it for routers he sees fit
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sat Jun 25, 2022 19:59 Post subject:
egc wrote:
It looks like you do not need a Client side certificate to work? I am still investigating this
When using only DoH servers my log looks clean
Logging is really helpful; you can also add an audit log and send the logs to /jffs etc.
But unfortunately only users using X86 or using a Community build do have logging.
It adds about 16 KB to a build and of course you have to have room in RAM for the log itself, but that can be written to USB (that is what I do; I override it in the Additional Options, also an invention of yours truly).
I have made logging optional so that with the config parameter:
Code:
CONFIG_SMARTDNS_LOG=y
It can be added to the build but it is up to our no 1 to implement it for routers he sees fit
I will politely ask him tomorrow
yep sounds like a plan...
Did you check with Wireshark if DoH requests have an encrypted payload?
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
i guess those are too big to fit in the flash, but on all 16MB+ flashsize routers they must be there...
Not all 16MB flash routers supported by DD-WRT have proper firmware images. A couple of examples are the Linksys E3200 v1 and E4200 v1; using the bits for the EA2700 and a little casting of the right spells corrects this. I don't know why it was never offered as an option, outside of these devices being lumped in with the other Linksys E-series, which only have 8MB flash.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 29 Sep 2020 Posts: 260 Location: United States
Posted: Sun Jun 26, 2022 15:00 Post subject:
When I ran SmartDNS I used the below. I reran the script in the CLI to update. It didn't work as well as a hosts file or dnsmasq blocking in certain situations, but it was OK. * It is way more efficient than unbound though.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Sun Jun 26, 2022 15:37 Post subject:
egc wrote:
I have made a patch which makes the logging optional by adding:
CONFIG_SMARTDNS_LOG=y
To the config file
Why optional because it adds 16 KB to the build size and there are low end routers which are filled to the brim.
So only select routers can have it added to the config file and have a slightly larger build size
Unfortunately our CEO does not like it.
So no logging for you
Worse than adding things that may affect limited-flash-size routers is that those routers that have 128MB flash size (32MB for DD-WRT), for instance, are affected in reverse: for instance, OpenSSL is severely neutered; on the Dropbear side, we can't have e.g. the ECDSA cipher for SSH because that adds 30KB uncompressed (recently CHACHAPOLY was enabled, which added 10KB; PuTTY has supported it since 2015).
Some more #ifdefs and OpenSSL/Dropbear builds that offer more ciphers for those of us who still have 34 free blocks to fill on our DD-WRT flash partition and who would likely find these extra things saner for managing the router via SSH remotely.
But I'm not complaining; I already suggested that JFFS is hogging too much space anyway, we could do with another 10MB for DD-WRT and actual cool modern features.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Wed Jun 29, 2022 7:12 Post subject:
the-joker wrote:
egc wrote:
I have made a patch which makes the logging optional by adding:
CONFIG_SMARTDNS_LOG=y
To the config file
Why optional because it adds 16 KB to the build size and there are low end routers which are filled to the brim.
So only select routers can have it added to the config file and have a slightly larger build size
Unfortunately our CEO does not like it.
So no logging for you
Worse than adding things that may affect limited-flash-size routers is that those routers that have 128MB flash size (32MB for DD-WRT), for instance, are affected in reverse: for instance, OpenSSL is severely neutered; on the Dropbear side, we can't have e.g. the ECDSA cipher for SSH because that adds 30KB uncompressed (recently CHACHAPOLY was enabled, which added 10KB; PuTTY has supported it since 2015).
Some more #ifdefs and OpenSSL/Dropbear builds that offer more ciphers for those of us who still have 34 free blocks to fill on our DD-WRT flash partition and who would likely find these extra things saner for managing the router via SSH remotely.
But I'm not complaining; I already suggested that JFFS is hogging too much space anyway, we could do with another 10MB for DD-WRT and actual cool modern features.
Our CEO sadly is too busy, but I'm sure patches are welcome to improve this further.
I can patch all of this (as I have done for SmartDNS logging) and make things all optional, but sadly it is not implemented.
The burden of maintaining all the config files is too much.
Worse than adding things that may affect limited flash size routers
ProFTPD -> vsftpd (I have seen no reason to have a big fat ftpd package that is being underutilized for functionality).
Do a complete upstream merge with the busybox 1.35.x stable tree (there are code reductions not present in DD-WRT and no reason, not even due to having builds with Linux 2.4, not to do so).
I could go on and on and on. Think outside the box of accepting that what is there is completely upstream code.
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Mon Jul 04, 2022 7:52 Post subject:
So... I tested SmartDNS on 49392 via the 1043v2 router as well as on the R7800...
So, if I check cat /tmp/smartdns.conf
these settings come by default:
bind :6053
prefetch-domain yes
serve-expired yes
log-size 64K
log-num 1
log-level error
log-file /tmp/smartdns.log
--------------------------------------
To make it work you have to disable
- Validate DNS Replies (DNSSEC) from the advanced DNSMasq rules
- as well as delete any static DNS entries from anywhere,
as no-resolv or ignore WAN DNS are settings that concern the DNSMasq config, but not the SmartDNS config, so if any DNS servers are present anywhere else they will be fetched into smartdns.conf too.
The only lines needed in the SmartDNS config box are the https or tls DNS servers to use, all added in this format:
I guess it's not a bad idea to add tls to it too...
As both use certificates I guess... the thing is I haven't tested the encrypted payload with Wireshark yet, but with the test at https://1.1.1.1/help/, if Cloudflare is used with either option, tls or https, the payload is confirmed; no idea how the heck Cloudflare is testing it... but it should be good I guess..
P.S. CONFIG_SMARTDNS_LOG=y is not added yet??
So far, no log...
Last edited by Alozaros on Wed Sep 14, 2022 9:34; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Mon Jul 04, 2022 10:15 Post subject:
To add: also the WireGuard DNS and the pushed OpenVPN client DNS are used, so do not use any WG DNS and disable the OpenVPN client DNS (pull-filter ignore "dhcp-option DNS") if applicable.
Unfortunately no logging for the lesser mortals.
The patch is there and if you build with CONFIG_SMARTDNS_LOG=y then the logging is enabled, but our beloved no1 does not want to have the burden of configuring all the config files, so he said no.
I think it is a missed opportunity; it can be very helpful to see what is going on (that is how I could spot that SmartDNS could not find the cert, so I submitted https://svn.dd-wrt.com/changeset/49397 ) and also to use the audit log (you can simply write to USB).
But checking all the config files and checking if the routers built with it can have an extra 16KB added to the build size is a lot of work.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Mon Jul 04, 2022 15:43 Post subject:
No, nothing with DNS over UDP.
At this moment existing DNS servers, e.g. the ones from static DNS, or the WAN DNS, or those pushed from OpenVPN or WireGuard, are added to the SmartDNS servers (as plain DNS servers).
So even if you are using DoH or DoT the plain DNS servers are also used, and that is of course not what you want.
You can meticulously remove all static DNS, Local DNS, ignore WAN DNS, not use WG DNS and disable the pushing of OpenVPN DNS servers, but a simple switch which prevents the adding of DNS servers to the smartdns.conf is easier.
So the switch will let you choose between using the already present DNS servers or using the DNS servers you specify in the Additional SmartDNS options.
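The failure mode described in the two posts above (plain `server` lines for static, WAN, OpenVPN or WireGuard DNS ending up in /tmp/smartdns.conf next to the DoH/DoT servers you entered, so queries can still leave in the clear) is easy to check for by reading the generated file back. The script below is an added example, not code from this thread, from DD-WRT or from the SmartDNS project. It assumes SmartDNS's documented upstream directives (`server` for plain UDP, `server-tcp` for plain TCP, `server-tls` for DoT, `server-https` for DoH); the sample config embedded in it is constructed to mirror the default settings quoted earlier plus a few leaked plaintext entries.

```python
"""Audit a smartdns.conf for plaintext upstream resolvers.

Added example; not code from the forum thread, DD-WRT or the SmartDNS project.
It assumes SmartDNS's documented upstream directives: 'server' (plain UDP),
'server-tcp' (plain TCP), 'server-tls' (DNS over TLS) and
'server-https' (DNS over HTTPS). SAMPLE_CONF is constructed for this example.
"""

# Upstream directive -> True when the transport encrypts queries.
UPSTREAM_DIRECTIVES = {
    "server": False,
    "server-tcp": False,
    "server-tls": True,
    "server-https": True,
}

# Constructed sample of what /tmp/smartdns.conf can look like when static or
# WAN DNS entries were left in place next to hand-entered DoH/DoT servers.
SAMPLE_CONF = """\
bind :6053
prefetch-domain yes
serve-expired yes
log-size 64K
log-num 1
log-level error
log-file /tmp/smartdns.log
# pulled in from WAN DNS (constructed documentation address)
server 192.0.2.53
# static DNS entry left in the router config
server 9.9.9.9:53
server-tcp 192.0.2.54
# the only lines the user actually wanted
server-https https://cloudflare-dns.com/dns-query
server-tls 1.1.1.1
"""


def parse_upstreams(conf_text):
    """Return (directive, target) pairs for every upstream line, in file order."""
    upstreams = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] in UPSTREAM_DIRECTIVES and len(parts) >= 2:
            upstreams.append((parts[0], parts[1]))
    return upstreams


def find_plaintext_upstreams(conf_text):
    """Targets SmartDNS would query over unencrypted DNS."""
    return [t for d, t in parse_upstreams(conf_text) if not UPSTREAM_DIRECTIVES[d]]


def find_encrypted_upstreams(conf_text):
    """Targets reached over DoT or DoH."""
    return [t for d, t in parse_upstreams(conf_text) if UPSTREAM_DIRECTIVES[d]]


def audit(conf_text):
    """Summarise the config. 'mixed' is True when plaintext servers sit next to
    encrypted ones: DoH/DoT was configured, yet queries can still go out in the
    clear to the leaked servers."""
    plain = find_plaintext_upstreams(conf_text)
    encrypted = find_encrypted_upstreams(conf_text)
    return {
        "plaintext": plain,
        "encrypted": encrypted,
        "mixed": bool(plain) and bool(encrypted),
    }


if __name__ == "__main__":
    import sys
    # Pass a copy of /tmp/smartdns.conf as the first argument, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    result = audit(text)
    for target in result["plaintext"]:
        print(f"WARNING: plaintext upstream {target}")
    for target in result["encrypted"]:
        print(f"ok: encrypted upstream {target}")
    if result["mixed"]:
        print("plaintext servers are used alongside DoH/DoT; remove them from the router config")
```

Run it against a copy of the file pulled from the router (`cat /tmp/smartdns.conf` over SSH, saved locally) after every change to static DNS, WAN DNS, WireGuard or OpenVPN settings; an empty `plaintext` list is the state the posts above are trying to reach, and a non-empty one tells you exactly which entry still has to be removed.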