DDWRT DNSCrypt Resolver

Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions
Goto page Previous  1, 2
Author Message
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Aug 27, 2022 10:27    Post subject: Reply with quote
Query DNS in strict order is a fairly useless settings, not that it matters in this case as you have only one upstream DNS resolver in DNSMasq (which is SmartDNS)

The strict order is relative and does not work very well so not reliable see:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=332833&highlight=

Check Unsigned DNS replies is also useless as you do not have DNSSEC enabled (which you should not as you use SmartDNS)

About the settings in the OpenvPN config to stop the pushing of DNS servers, I would keep it there just as a reminder you are not using them (and if you inadvertently are going to use Split DNS with PBR).
But it does not do anything in this case as you are not using them anyway as you are using SmartDNS.

It is complicated and I am not an expert either but there is information at hand:
https://wiki.dd-wrt.com/wiki/index.php/Additional_DNSMasq_Options
https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
https://forum.dd-wrt.com/phpBB2/index.php

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Sponsor
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Thu Jan 12, 2023 11:21    Post subject: SMart DNS Reply with quote
Are my settings correct?
When I do a DNS test, I dont see the smart dns servers but these
178.238.10.99 None Clouvider Limited London, United Kingdom
217.146.83.100 100.83.146.217.baremetal.zare.com. Hydra Communications Ltd London, United Kingdom



Screenshot 2023-01-12 at 10.45.26.png
 Description:
 Filesize:  765.65 KB
 Viewed:  850 Time(s)

Screenshot 2023-01-12 at 10.45.26.png



_________________
Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500

Smart DNS - YES

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net
server-tls 5.2.75.75:853 -host-name: dot.nl.ahadns.net
server-https https://1.1.1.1/dns-query

Additional VPN Configuration-
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "

Dnsmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9


BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6409
Location: UK, London, just across the river..

PostPosted: Thu Jan 12, 2023 11:35    Post subject: Reply with quote
to use only the SmartDNS servers...tick/enable use additional servers only (very recommended) Laughing
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Thu Jan 12, 2023 11:55    Post subject: Reply with quote
Still showing VPN dns servers. How do I test and check if smart DNS is working?
_________________
Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500

Smart DNS - YES

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net
server-tls 5.2.75.75:853 -host-name: dot.nl.ahadns.net
server-https https://1.1.1.1/dns-query

Additional VPN Configuration-
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "

Dnsmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9


BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6409
Location: UK, London, just across the river..

PostPosted: Thu Jan 12, 2023 19:36    Post subject: Reply with quote
I can see this command has an extra space/interval at the end by the quotes no idea if this plays role...

pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "


no idea why you need those lines in DNSmasq as those are confusing the DNS,
especially if you did not enable use additional servers only in SmartDNS
also 3-d line in the stack is wrong, i guess..just remove them all

DNSmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9

if you need and extra...NTP time servers just add an IP in the box where NTP time in this format

216.239.35.4 162.159.200.123

those 2 are google and cloudflare NTP time, but you can add others too, the format is a like this with space/interval in between...as well on the new versions of firmware BS made an adjustment so
the default NTP time queries few NTP servers...by default..so you don't really need anything...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Fri Jan 13, 2023 10:44    Post subject: Reply with quote
Alozaros, not sure either, one guru asked me to add it. Please tell me exactly what I should do. I mean I will copy and paste what you send, just let me know where in DDWRT to add it too please. Apologies for the inconvenience.
_________________
Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500

Smart DNS - YES

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net
server-tls 5.2.75.75:853 -host-name: dot.nl.ahadns.net
server-https https://1.1.1.1/dns-query

Additional VPN Configuration-
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "

Dnsmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9


BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Jan 13, 2023 11:29    Post subject: Reply with quote
A lot of information can be found in the guide, have a look Smile

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323896

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Sat Jan 14, 2023 19:41    Post subject: Reply with quote
I got it working and cheers to all for the supply.
_________________
Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500

Smart DNS - YES

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net
server-tls 5.2.75.75:853 -host-name: dot.nl.ahadns.net
server-https https://1.1.1.1/dns-query

Additional VPN Configuration-
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "

Dnsmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9


BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Goto page Previous  1, 2 Display posts from previous:    Page 2 of 2
Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum