SmartDNS certificates

DD-WRT Forum Index -> Advanced Networking
dpp3530
DD-WRT Guru


Joined: 12 Dec 2007
Posts: 764
Location: Pittsburgh, PA USA

Posted: Wed Feb 01, 2023 0:43    Post subject: SmartDNS certificates
I've been using the Cloudflare DNS servers (DOT and DOH) in SmartDNS for several months now. Recently I read an article about free DNS resolvers, and it mentioned Control D for ad blocking. I tested it a bit on my Windows laptop and found it to be quite effective at blocking ads. Since they have DOT and DOH, I figured I could just update the SmartDNS config. Unfortunately, that's not what happened. I found myself without DNS resolution. After a bunch of troubleshooting, I found that it would work unencrypted but DOT and DOH would not.

I did some further investigation and found that Control D uses a ZeroSSL intermediate cert. Unfortunately, this cert is not in /etc/ssl/ca-bundle.crt. I tried a few workarounds, including copying the files to the thumbdrive I have mounted as /jffs, appending the missing cert, and adding the lines
Code:
ca-file /jffs/etc/ssl/ca-bundle.crt
ca-path /jffs/etc/ssl

to the SmartDNS additional options. Apparently the ca-file and ca-path already in smartdns.conf take precedence, though.

I'm not sure how to get it to trust the "ZeroSSL ECC Domain Secure Site CA" cert.

_________________
__________________________
Netgear R7800
DD-WRT v3.0 STD
Linksys WRT1900AC
DD-WRT v3.0 STD
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Feb 01, 2023 8:20    Post subject:
You can make your own smartdns.conf and put it in /jffs

Then in Administration/commands Save USB add:
restart smartdns

Then when the USB is ready and /jffs/smartdns.conf is available it will restart smartdns which will first look at /jffs for a conf file

It might be that the path is /jffs/etc , I will check later

Edit: it is /jffs/etc

I have moved this thread to the Advanced Networking forum; there you can also find the SmartDNS thread, which is a sticky.

Note: I have not tested it so let me know if it works

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
dpp3530
DD-WRT Guru


Joined: 12 Dec 2007
Posts: 764
Location: Pittsburgh, PA USA

Posted: Wed Feb 01, 2023 17:30    Post subject:
Thanks @egc. That worked for the configuration. Still trying to get the certificates sorted, though. May be a lost cause.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Feb 01, 2023 18:17    Post subject:
dpp3530 wrote:
Thanks @egc. That worked for the configuration. Still trying to get the certificates sorted, though. May be a lost cause.


hmm...you should be able to add them to this folder manually...
and then point to those...no idea if SmartDNS will use them both...or only those from jffs..in this case you may need to load all its config to jffs...

if it's not working then there is something else that you'd need..extra...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
dpp3530
DD-WRT Guru


Joined: 12 Dec 2007
Posts: 764
Location: Pittsburgh, PA USA

Posted: Wed Feb 01, 2023 19:47    Post subject:
I got it. /jffs/etc/smartdns.conf contains
Code:
server-name Barricade
bind [::]:6053
prefetch-domain yes
log-size 64K
log-num 1
log-level info
log-file /jffs/smartdns.log
ca-file /opt/etc/ssl/certs/ca-certificates.crt
ca-path /opt/etc/ssl/certs
server-tls p2.freedns.controld.com:853
server-https https://freedns.controld.com/p2


Copied the root and intermediate certs (in Base64 .crt format) to /opt/etc/ssl/certs and made sure
Code:
server=/freedns.controld.com/8.8.8.8

was in my DNSMasq config. Now I have DNS resolution.

The interesting thing is that the Cloudflare test site says I'm not using DOT or DOH, but
Code:
tcpdump -ni eth1 -p port 853

shows a whole lot of traffic for "not" using DNS over TLS.

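The failure dpp3530 hit above, a chain the resolver presents that does not reach anything in the bundle named by ca-file, can be reproduced offline without touching Control D. The script below is an added example, not code from this thread, from SmartDNS or from DD-WRT. It assumes the openssl command-line tool (1.1.1 or 3.x) and mktemp are available, and it builds a constructed root -> intermediate -> leaf chain in place of the real ZeroSSL certificates; the CA names and the hostname dot.example.test are made up. It shows that trusting the root alone is only enough when the server also sends its intermediate, and that appending the intermediate to the bundle (what the post above did by hand) makes the chain verify either way.

```shell
#!/bin/sh
# Added example (not SmartDNS's or DD-WRT's code): reproduce the
# "intermediate CA missing from the bundle" failure with a constructed PKI
# and a CA bundle you control, then check when `openssl verify` accepts the
# resolver's leaf certificate. Assumes the openssl CLI; all names are made up.

# Private key + CSR for file stem NAME with common name CN, written into DIR.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# Constructed chain: root.crt (self-signed CA), inter.crt (CA, signed by root),
# leaf.crt (server cert, signed by inter). Stands in for the ZeroSSL chain.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    new_csr "$dir" root "Test Root CA"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1
    new_csr "$dir" inter "Test Intermediate CA"
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/inter.crt" >/dev/null 2>&1
    new_csr "$dir" leaf "dot.example.test"   # constructed resolver hostname
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Exit 0 if LEAF ($2) chains to a trusted CA in BUNDLE ($1). UNTRUSTED ($3,
# optional) is the intermediate the server sends in the TLS handshake; leave
# it out to model a server that presents only its leaf.
chain_trusted() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Exit 0 if some certificate in BUNDLE ($1) carries NAME ($2) in its subject,
# e.g. the "ZeroSSL ECC Domain Secure Site CA" CN from the first post.
bundle_has_cn() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | grep '^subject' | grep -qF "$2"
}

# Append a PEM certificate ($2) to the bundle ($1).
append_ca() { cat "$2" >> "$1"; }

report() {
    if chain_trusted "$@"; then echo "OK      $*"; else echo "FAILED  $*"; fi
}

demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    : > "$d/bundle.crt"                        # bundle knows neither CA
    report "$d/bundle.crt" "$d/leaf.crt" "$d/inter.crt"
    append_ca "$d/bundle.crt" "$d/root.crt"    # root trusted, server sends intermediate
    report "$d/bundle.crt" "$d/leaf.crt" "$d/inter.crt"
    report "$d/bundle.crt" "$d/leaf.crt"       # server sends only its leaf: still fails
    append_ca "$d/bundle.crt" "$d/inter.crt"   # intermediate in the bundle too: passes
    report "$d/bundle.crt" "$d/leaf.crt"
    if bundle_has_cn "$d/bundle.crt" "Test Intermediate CA"; then
        echo "intermediate present in bundle"
    fi
    rm -rf "$d"
}

demo
```

On the router the same two checks apply to the real files: point `bundle_has_cn` at the bundle SmartDNS actually reads (here /opt/etc/ssl/certs/ca-certificates.crt) and `chain_trusted` at the chain captured from the resolver with `openssl s_client -connect host:853 -showcerts`, which tells you whether the bundle needs the root, the intermediate, or both.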
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Wed Feb 01, 2023 20:50    Post subject:
Browser configuration problem? Most modern browsers have a setting for secure DNS.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Feb 01, 2023 21:10    Post subject:
To use SmartDNS servers, you must not have other DNS settings anywhere else...as it gets messy...
you better use this option, "Use Additional Servers Only", to ignore all other DNS settings you have and router will use SmartDNS servers only...

You probably didn't read the last page of SmartDNS WIP, where I presumed the necessary settings for SmartDNS to work..

This is the correct format to spell DoH and DoT servers there..

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net

check with this command
tcpdump -n -i eth0 'port 853'
or
tcpdump -n -i eth0 'port 443'

also if you have DoT and DoH SmartDNS will query the fastest and will use it with priority so try with only one to find out if it's working as intended and then add the other..in general I prefer either one or the other (DoH vs DoT)

you don't need this line at all
server=/freedns.controld.com/8.8.8.8

also as KP-69 noted check your browser, if it's using DoH by default and stop it..

dpp3530
DD-WRT Guru


Joined: 12 Dec 2007
Posts: 764
Location: Pittsburgh, PA USA

Posted: Wed Feb 01, 2023 21:59    Post subject:
Modified the config to

Code:
server-name Barricade
bind [::]:6053
prefetch-domain yes
log-size 64K
log-num 1
log-level info
log-file /jffs/smartdns.log
ca-file /opt/etc/ssl/certs/ca-certificates.crt
ca-path /opt/etc/ssl/certs
server-tls 76.76.2.11:853 -hostname  p2.freedns.controld.com
#server-https https://76.76.2.11/p2


I commented the last line to restrict to DOT for testing. Verified that use Additional Servers Only is checked in the GUI, although I question whether it does anything since my smartdns.conf is in /jffs.

ran the command

Code:
tcpdump -n -i eth1 'port 853'


(on the WRT1900AC, eth1 is the WAN)

Still seeing the same traffic on 853, still getting a NO on Cloudflare.

Tried latest Firefox and Waterfox, both with DOH unchecked.

All times are GMT