Posted: Thu Mar 28, 2024 10:58 Post subject: DoH server fallback
Hello all,
I'd like to use my R7000 with r55416 to act as a DNS server on port 53, using upstream DoH servers.
I have one DoH server with ad blocking and 1 fallback server in UDP without ad blocking. I'd like ddwrt to query the DNS servers in strict order, so it always uses the ad-blocking server, except if it's unreachable.
I'm using SmartDNS and it is working fine but it doesn't query the DNS servers in strict order. Is it possible to achieve what I'd like please? (with SmartDNS or a different way)
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Mar 28, 2024 11:37 Post subject:
Short answer is probably NO...in the way you are doing it...
strict order is only a DNSmasq setting and it's proven that it's not always working as intended...
SmartDNS has its own system to query/race the best DNS in terms of timing...so there it will go wrong
right away...as you probably ticked use only SmartDNS servers and this is the way it should be...then SmartDNS will ignore any other DNS settings anywhere and use the servers specified in its own box...only...
Then again you must not use DNS servers with different filtering capabilities, as it always gets messy...
as the query times could be different and then you cannot instruct the DNS request where to go first...and what results to bring out...it's a cats and dogs game and you must know what you are doing...
I have not looked deeply into the SmartDNS config options regarding its interpretation of strict order...(as I use only one DNS) TLS servers for SmartDNS work best for me kind of...
but you can have a look at response-mode and test it...
https://pymumu.github.io/smartdns/en/configuration/
p.s. moreover I don't understand your settings and why you have option 6 in dnsmasq pointing to external DNS (eventually), and you are doing SmartDNS with various types of DNS requests...to me it seems like a proper DNS mess...either use one or the other... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
I looked at response-mode but my primary (ad-filtering) DoH upstream server may not be the fastest...
Is there another way without SmartDNS? I'm currently using a DoH->UDP proxy on a Raspberry Pi but I'd prefer to manage the DNS stuff directly on the router.
PS:
My DNSmasq config is pointing to my router IP (192.168.10.1)
SmartDNS is using both UDP & DoH servers, I didn't know it could make a mess, I will change
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Mar 28, 2024 14:08 Post subject:
jean-paul wrote:
....Is there another way without SmartDNS? I'm currently using a DoH->UDP proxy on a Raspberry Pi but I'd prefer to manage the DNS stuff directly on the router.
use one or the other...either DNS made on the router side (DNSmasq + SmartDNS..I use it that way)
or don't do any DNS on the router and use the Pi for DNS...there is a beautiful thread on the
Pi DNS subject... https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414
jean-paul wrote:
PS: My DNSmasq config is pointing to my router IP (192.168.10.1)
SmartDNS is using both UDP & DoH servers, I didn't know it could make a mess, I will change
Best,
Jean-Paul
As I said SmartDNS and DNSmasq have it all...and work well in conjunction...
what I use is...SmartDNS for DoT DNS forwarding, on top is DNSmasq doing ad-blocking via a custom script...you can choose ad-blocking lists there, and choose/add DNS ad-blocking servers in the SmartDNS box...do not use strict mode or cache in DNSmasq when using SmartDNS, DNSSEC has to be disabled too..usually DNSSEC is done/supported on the DNS server side...so it's not a big problem...
For the record you can do a SmartDNS ad-block list but it has a limit of 100k if I'm not wrong..and totally omit DNSmasq use for DNS (not recommended, due to some reasons, but it will work)....
bear in mind too much ad-blocking may impair the overall router functionality and reduce not only the ads, but block some non-malicious stuff..
to presume...here is the pic of the DNSmasq and SmartDNS settings I use..
as I said I do have an ad-blocking script in my custom script...I can share it too..if so..
but there are so many ad-blocking scripts around, I'm sure you can find a lot..
Last edited by Alozaros on Thu Mar 28, 2024 14:37; edited 1 time in total
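As an added example of the layering Alozaros describes (dnsmasq answering on port 53 and serving the ad-block entries itself, then forwarding everything else to a local SmartDNS that holds the encrypted upstreams), here are the two option fragments side by side. This is illustrative configuration written for this thread, not either poster's actual settings and not DD-WRT's or SmartDNS's shipped defaults: the local SmartDNS port 6053, the DoH URL, the fallback IP, the block-list path and the blocked domain names are all constructed placeholders, and the `bind` line is only needed if the GUI has not already set the port. It also shows where the `response-mode` option from the first reply goes.

```ini
# --- dnsmasq fragment (assumed to go in "Additional DNSMasq Options") ---
# Do not read /etc/resolv.conf; every non-blocked query goes to the local
# SmartDNS instance on an assumed port 6053.
no-resolv
server=127.0.0.1#6053
# Per the advice above: no dnsmasq cache and no dnsmasq DNSSEC in front of
# SmartDNS (DNSSEC is handled on the upstream server side), and no strict-order.
cache-size=0
# Ad-block answers are produced here, before anything reaches SmartDNS.
# Constructed sample entries; a real list is a generated file pulled in
# with conf-file (assumed path).
address=/ads.example/0.0.0.0
address=/tracker.example/0.0.0.0
conf-file=/jffs/adblock.conf
# Optional: collect the resolved addresses of a domain into an ipset so
# iptables can act on them (constructed domain and set name).
ipset=/malware.example/blocked_hosts

# --- smartdns fragment (assumed to go in "Additional SmartDNS Options") ---
bind :6053
# Ad-filtering DoH resolver (constructed URL) and an unfiltered UDP fallback
# (documentation-range placeholder address).
server-https https://adblock-doh.example/dns-query
server 192.0.2.53
# response-mode picks how SmartDNS chooses between upstream answers:
#   fastest-response - return the first answer that arrives
#   fastest-ip       - speed-test the returned IPs and return the fastest
#   first-ping       - return the first IP that answers the speed check
response-mode fastest-response
speed-check-mode none
cache-size 4096
```

The point of listing both upstreams in the SmartDNS fragment is to make the race visible: with `fastest-response`, whichever of the two servers answers first wins, so an unfiltered UDP fallback can and will beat the filtering DoH server on some queries. That is exactly the "cats and dogs game" the reply warns about; none of the `response-mode` values is a strict primary/fallback order, so the practical choice is to give SmartDNS only upstreams with the same filtering policy and keep the ad-block decision in the dnsmasq layer where it is deterministic.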
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Thu Mar 28, 2024 14:28 Post subject:
Alozaros wrote:
For the record you can do SmartDNS ad-block list but, it has a limit of 100k if im not wrong..and totally omit DNSmasq use for DNS (not recommended, due to some reasons, but it will work)....
The limit is dependent on the router's free RAM but for these 256 MB RAM routers you can probably go up to a file size of 10 MB with 500.000 entries (dependent on what else you run of course)
My own blocklist is 5975 kB with 240.000 entries and works well
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Mar 28, 2024 14:45 Post subject:
ok I see...will give it a try again..I must've done something odd, when I tried, it would not parse all the list that was 200k+ but rounded it to 100k for some odd reason...
There are many ways to introduce malicious site and ad blocking...in DDWRT...
I do have an adblock of 180k+ via DNSmasq, as well as ipset rules via DNSmasq and an iptables/ipset snort list to block..IPs...but as I said, with too much blocking, it's very tiny ice to break the normal internet functionality...