"DNS over TLS" or "DNS over HTTPS"

Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..
Posted: Wed May 15, 2019 16:21
10x, sadly unbound is present only on my high grade routers and I can still use DNSCrypt instead...
but thank you anyway, I'll test it just to see what's on.. I'm more interested in how to set up either stubby or anything else to be able to use DoH or DoT on lower grade routers, like the 1043v2 for example....

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55363 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55363 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
vibranto
DD-WRT User
Joined: 30 Apr 2010
Posts: 64
Posted: Fri May 24, 2019 14:09
Originally I posted this in another thread, replying to the post below which had come up on a search, before noticing it was a Broadcom forum etc. etc., so this seems a better forum/thread to add it to...

mbze430 wrote:
I have been looking at the request threads for DoT and DoH support since mid-last year (also seen some requests on the SVN as well). I was wondering if there have been any new developments on adding these features into DD-WRT (including a GUI).

I believe Stubby is the forefront spear with DoT. I believe DNSCrypt-Proxy is the forefront of DoH.

I tried both on my ASUS Merlin and it was pretty simple. Even the latest Merlin has an integrated GUI for Stubby.

Just waiting for DDWRT!


This describes me to a T.

Except I gave configuring stubby a shot today on one of my WNDR4300's and it was super straightforward and worked great.

High-level:
  • Set up a USB drive on the target router
  • Installed Entware
  • Installed ca-certificates
  • Installed stubby (getdns is an auto-installed dependency)
  • Added DNSmasq options via the GUI (other ways to do that obviously, scripting etc., depends on your style..):
    no-resolv
    server=127.0.0.1#5453
  • Hard-coded an NTP server IP address
  • Edited /opt/etc/stubby/stubby.yml to my liking (added Google servers to Cloudflare, deleted IPv6)
  • Started stubby (stubby &)


That was pretty much it. Worked right away.
Can netstat the 853 connections and watch it work away happily.

Was all working WAY easier than I thought.
None of the binary patching or any other fussing required.
Seems super fast, although I've not done empirical testing.

At first I just tossed the stubby startup in the router startup script, but I'm trying to cleanse that and keep everything substantial on /jffs or /opt, so then I did it properly and added an init.d script S61stubby as follows
(note: a prior version of this post linked to an example with 'nohup'; apparently the base busybox doesn't support nohup, so it was failing)

Code:
#!/bin/sh
export PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func


Probably there's a better way to handle the NTP situation - I see references to making an exception for ntp.pool.org - but haven't figured it out yet.

Bit surprised this subject isn't more updated - most threads here make this sound like it's still not all sorted out by now. I suspect it's one of those things that guys who tried found worked so easily that they never bothered to go back and mention it.

_________________
Site1: R6400v2 FreshTomato 2019.10.2 | WNDR4300 DD-WRT v3.0-r39800 | WNDR3700v4 Bricked 0.0
Site2: RT-AC3200 Merlin 384.13.0 Site3: R7000 FreshTomato 2019.2
Spares: DD-WRT v.othernumbers


Last edited by vibranto on Sat May 25, 2019 16:55; edited 1 time in total
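Added example, not vibranto's script and not part of the thread: the init.d approach above starts stubby, but dnsmasq (with no-resolv and server=127.0.0.1#5453) has no usable upstream until stubby is actually listening, which is why later posts reach for a fixed "sleep N". This wrapper polls for the listener instead and only then restarts dnsmasq. It assumes Entware on /opt, the S61stubby init script from the post above, stubby listening on 127.0.0.1:5453, and DD-WRT's stopservice/startservice commands for dnsmasq; all of these are assumptions about your setup.

```shell
#!/bin/sh
# Added example (not from the thread): start stubby via its Entware init script,
# wait until it really listens, then restart dnsmasq so it picks the resolver up.
# Assumptions: Entware on /opt, S61stubby from the post above, stubby on
# 127.0.0.1:5453, DD-WRT's stopservice/startservice for dnsmasq.

STUBBY_ADDR="${STUBBY_ADDR:-127.0.0.1:5453}"
STUBBY_INIT="${STUBBY_INIT:-/opt/etc/init.d/S61stubby}"

# wait_for <tries> <command...>: run the command once a second, up to <tries>
# times, until it succeeds. Returns 0 on the first success, 1 if it never does.
wait_for() {
  tries=$1; shift
  while [ "$tries" -gt 0 ]; do
    "$@" && return 0
    tries=$((tries - 1))
    [ "$tries" -gt 0 ] && sleep 1
  done
  return 1
}

# Probe used by wait_for: is something listening on the stubby address?
# busybox netstat prints "tcp  0  0 127.0.0.1:5453  0.0.0.0:*  LISTEN" for it.
stubby_listening() {
  netstat -ln 2>/dev/null | grep -q "$STUBBY_ADDR "
}

# Start stubby, wait at most 30 s for it, then let dnsmasq reconnect to it.
# Until stubby is up the router itself cannot resolve names either, which is
# why the GUI should carry its NTP server as an IP address (see the thread).
start_stubby_then_dnsmasq() {
  if [ ! -x "$STUBBY_INIT" ]; then
    logger -t stubby-wait "$STUBBY_INIT not found; is /opt mounted?"
    return 1
  fi
  "$STUBBY_INIT" start
  if wait_for 30 stubby_listening; then
    logger -t stubby-wait "stubby is listening on $STUBBY_ADDR, restarting dnsmasq"
    stopservice dnsmasq
    startservice dnsmasq
  else
    logger -t stubby-wait "stubby never came up on $STUBBY_ADDR; check /opt/var/log/stubby.log"
    return 1
  fi
}

# Only act when invoked as "<script> start" (from the DD-WRT startup or USB
# script), so the functions above can also be sourced and exercised on their own.
case "${1:-}" in
  start) start_stubby_then_dnsmasq ;;
esac
```

Put the file on /opt or /jffs, make it executable, and call it with `start` from the startup (or, on newer builds, USB) script in place of the bare `S61stubby start` plus sleep; the logger lines show up in the syslog so a failed start is visible instead of silently leaving the router without DNS.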
bushant
DD-WRT Guru
Joined: 18 Nov 2015
Posts: 2024
Posted: Sat May 25, 2019 15:41
vibranto wrote:
I gave config'ing stubby a shot today on one of my WNDR4300's and it was super straight-forward and worked great.

I have been running stubby on the Linux laptop and your post inspired me to try it on the R7800 again.

I have it working now using your guide.
TYVM

_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
vibranto
DD-WRT User
Joined: 30 Apr 2010
Posts: 64
Posted: Sat May 25, 2019 16:50
That's great...

One note - I'll edit the prior post in a second - the Entware stubby startup script I originally linked above does NOT work. So I had yet another round of debugging an overnight reboot fail.

Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..
Posted: Fri May 31, 2019 10:57
Is there anyone who is using dnscrypt-proxy2 2.0.23-1 via Entware...?
I tried to do it last night on an Atheros unit (1043v2), but I'm not a Linux geek and it was hard to find any configuration guidelines too...
I do have a fully working install of Entware + DNSCrypt v2 + stubby; tried them both, but it seems I'm missing something. Any step by step guides...?
As well, how to edit the stubby .yml config file ... I'm very bad at those ... any ideas ...
Thanks in advance!

bushant
DD-WRT Guru
Joined: 18 Nov 2015
Posts: 2024
Posted: Fri May 31, 2019 14:50
I have abandoned stubby in favor of SmartDNS, built into the GUI under Services > Services.
This eliminates HAVING to have Entware running on USB,
although I still use Entware for the other programs available.


Alozaros wrote:
but it seems im missing something any step by step guides


This worked for me to use Stubby.
Used this startup script:
Code:
#!/bin/sh
logger -t S61stubby "Starting Stubby DNS over TLS $0"
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func


(The original script had PREARGS="nohup"; @vibranto said busybox did not support that. I think it worked both ways for me.)
Named it S61stubby.sh
Put it in /opt/etc/init.d
Made it executable with chmod +x /opt/etc/init.d/S61stubby.sh using the CLI.

Start Stubby: Administration > Commands with
is-mounted.sh /opt
/opt/etc/init.d/S61stubby.sh start
save as startup
Optional: save as USB script instead (Save USB), which works better I think


Edit stubby.yml using nano (opkg install nano):
nano /opt/etc/stubby/stubby.yml
Or vi, https://www.cs.colostate.edu/helpdocs/vi.html
Or notepad++ with Unix encoding

I also edit using the Linux text editor "Kate".

Below taken from stubby.yml.default document.

# Also beware that yaml is sensitive to the indentation at the start of each
# line so if you encounter errors when parsing the config file then please check
# that. We will add better checking but a useful online tool to check yaml
# format is here (it also converts yaml to json)
# https://yaml-online-parser.appspot.com/


If using a Windows text editor you have to eliminate the non-Linux line ends.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1157109#1157109

You will need to use an IP address, e.g. 216.239.35.4 (time.google.com), for NTP, as there will be no DNS until Stubby is up.
Leaving the time server blank may work as well, as DD-WRT has a hard coded time server; untested by me.

I also saw an issue with having to stop the OVPN client, then call Stubby, then restart OVPN. Not sure what was up with that, but I added sleep 6 before the Stubby startup command and haven't had another problem.

I use this command from @egc to see port 853 being used.
Code:
watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=853 ' | sort -nrk3"

(Some routers use ip_conntrack instead)

As you are already using Entware, wireshark can be installed:
opkg install wireshark
Run with tshark -i <interface>
tshark -D shows the available interfaces
tshark -h shows the help

Maybe I got it all, hope it works for you.


Last edited by bushant on Wed Dec 14, 2022 18:44; edited 7 times in total
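Added example, not bushant's or egc's command: the `watch ... nf_conntrack | grep dport=853` one-liner above shows that stubby is talking DoT, but it does not show whether some LAN client is still sending plaintext DNS past the router. This script classifies a conntrack dump into DoT sessions, expected client-to-router port-53 flows, and port-53 flows to anything else (a client with a hard-coded resolver). The sample table, the WAN address 203.0.113.7 and the router address 192.168.1.1 are constructed for the example; on a router you would pipe in /proc/net/nf_conntrack (or ip_conntrack).

```shell
#!/bin/sh
# Added example (not from the thread): tell DoT sessions, expected client->router
# DNS and plaintext DNS leaving the LAN apart in a conntrack dump.
# Constructed sample below; on a router: cat /proc/net/nf_conntrack | conntrack_summary <lan ip>

ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.1.1}"   # constructed default; nvram get lan_ipaddr on DD-WRT

# Reads conntrack lines on stdin, $1 = the router's LAN address.
# Prints "leak: ..." for every plaintext DNS flow that bypasses the router and a
# final "dot=<n> local53=<n> leak53=<n>" summary:
#   dot     - flows to port 853 (stubby talking to its upstreams)
#   local53 - port-53 flows addressed to the router itself (clients -> dnsmasq, expected)
#   leak53  - port-53 flows to any other address (a client ignoring the router's resolver)
# Only the first src=/dst=/dport= on each line are used: that is the original direction.
conntrack_summary() {
  awk -v lan="$1" '
    {
      src = ""; dst = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        if (src == ""   && $i ~ /^src=/)   src   = substr($i, 5)
        if (dst == ""   && $i ~ /^dst=/)   dst   = substr($i, 5)
        if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
      }
      if (dport == "853")                   dot++
      else if (dport == "53" && dst == lan) local53++
      else if (dport == "53") { leak53++; printf "leak: %s %s -> %s:53\n", $3, src, dst }
    }
    END { printf "dot=%d local53=%d leak53=%d\n", dot, local53, leak53 }'
}

# Constructed sample table, same field layout as /proc/net/nf_conntrack:
# two DoT sessions from the router, one client asking dnsmasq, one client
# going straight to 8.8.8.8, and one unrelated HTTPS flow.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=1.1.1.1 sport=45978 dport=853 src=1.1.1.1 dst=203.0.113.7 sport=853 dport=45978 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=9.9.9.9 sport=35014 dport=853 src=9.9.9.9 dst=203.0.113.7 sport=853 dport=35014 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=192.168.1.50 dst=192.168.1.1 sport=52311 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=52311 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.23 dst=8.8.8.8 sport=51000 dport=53 [UNREPLIED] src=8.8.8.8 dst=192.168.1.23 sport=53 dport=51000 mark=0 use=1
ipv4     2 tcp      6 7 CLOSE src=192.168.1.50 dst=93.184.216.34 sport=40000 dport=443 src=93.184.216.34 dst=192.168.1.50 sport=443 dport=40000 [ASSURED] mark=0 use=1'

# Runs the classifier over the sample; the last line printed is the summary.
conntrack_on_sample() {
  printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary "$ROUTER_LAN_IP"
}

conntrack_on_sample
```

A non-zero `leak53` with `dot` above zero is the combination to look for: stubby is fine, but a client is bypassing it, which is the case the forced-DNS rules discussed later in the thread are meant to close.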
bushant
DD-WRT Guru
Joined: 18 Nov 2015
Posts: 2024
Posted: Fri May 31, 2019 16:51
I was already using 216.239.35.4 (time.google.com) as NTP server, as there will be no name resolution until Stubby is running.


Last edited by bushant on Sat Apr 02, 2022 19:18; edited 1 time in total
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..
Posted: Sun Jun 02, 2019 10:10
10x, I'll give it a try... and will report..

this will not work, but I can wireshark it I guess?

watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=853 ' | sort -nrk3"

watch: not found

bushant
DD-WRT Guru
Joined: 18 Nov 2015
Posts: 2024
Posted: Sun Jun 02, 2019 14:40
When I had stubby running on the laptop, wireshark would pick up traffic on port 853.
With stubby running on the router, wireshark does not see that traffic. I don't know wireshark usage well.
netstat or netstat -p catches it intermittently.
Code:
netstat -p
tcp        0      0 38.65.xxx.xxx:45978      one.one.one.one:853     ESTABLISHED 1511/stubby
tcp        0      0 38.65.xxx.xxx:35014      145.100.185.15:853      ESTABLISHED 1511/stubby

Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..
Posted: Mon Jun 03, 2019 20:46
bushant wrote:
When I had stubby running on the laptop, wireshark would pick up traffic on port 853.
With stubby running on the router, wireshark does not see that traffic. I don't know wireshark usage well.
netstat or netstat -p catches it intermittently.
Code:
netstat -p
tcp        0      0 38.65.xxx.xxx:45978      one.one.one.one:853     ESTABLISHED 1511/stubby
tcp        0      0 38.65.xxx.xxx:35014      145.100.185.15:853      ESTABLISHED 1511/stubby


So far I think I made it work; it comes out on netstat -p as you said, intermittently, as well I can see it on top too, and it shows up with: netstat -lnptu | grep stubby


What I did so far, step by step, is:
"for Atheros based non dual core routers"

turn on USB, mount it on /opt
cd /opt (click enter)
wget http://bin.entware.net/mipssf-k3.4/installer/generic.sh (click enter)
sh generic.sh (click enter)

for Entware on other types of routers please visit
https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware

opkg update (click enter)
opkg upgrade (click enter)
opkg install ca-certificates (click enter)
opkg install ca-bundle (click enter)
opkg install stubby (click enter)
opkg install nano (click enter)
opkg update (click enter)
opkg upgrade (click enter)

then type:
nano /opt/etc/init.d/S61stubby.sh
paste this script:

#!/bin/sh
logger -t S61stubby "Starting Stubby DNS over TLS $0"
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
ENABLED=yes
PROCS=stubby
ARGS="-g -v 5 -C /opt/etc/stubby/stubby.yml 2>/opt/var/log/stubby.log"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func

then press
(ctrl+x)
(click Y)
(click enter)

then type
chmod +x /opt/etc/init.d/S61stubby.sh

then type:
nano /opt/etc/stubby/stubby.yml
(click enter)

edit to your preferences; I used this one, you can compare and edit your script:
IF YOU INTEND TO COPY PASTE TO STUBBY, DO NOTICE ON THIS SCRIPT SPACING IS CORRUPTED
FOR BEST RESULTS MANUALLY EDIT THOSE LINES AND KEEP THE DEFAULT SPACING

Code:

resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
tls_ca_path: "/opt/etc/ssl/certs"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_min_version: GETDNS_TLS1_3
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
tls_connection_retries: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns9.quad9.net"
    tls_port: 853
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853

edited: 20.09.2020
on the latest version of stubby 0.30+ and getdns (past 1.6), in order for stubby to work this line is deprecated in OpenSSL 1.1.1g+ and has to be removed..

tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

then press
(ctrl+x)
(click Y)
(click enter)


finally add these to the startup script via the GUI:

sleep 10
/opt/etc/init.d/rc.unslung start ---- add this if you have other startup things running as well

/opt/etc/init.d/S61stubby.sh start ---- add this line if you want to start only stubby

or on newer builds after 483xx, instead of those lines in the Startup script, save to the USB script:

sleep 5
/opt/etc/init.d/rc.unslung start


and these lines to the additional DNSmasq options:
no-resolv
server=127.0.0.1#5453

finally make sure you have a decent NTP time server
selected in the main DD-WRT GUI, with the correct time zone;
in my case I use IP-only format, choose one of those and paste the IP in the NTP box:

Google NTP time IP 216.239.35.12 or 216.239.35.8

Cloudflare NTP 162.159.200.123

also make sure you add a path to the certificates, otherwise it won't see/use those by default:
tls_ca_path: "/opt/etc/ssl/certs"

thanks for the help and guidelines ....
to test that Stubby is using those specified DNS servers,
try this command via CLI (telnet or SSH)...
(you must have tcpdump, or you can install it via Entware:
opkg install tcpdump)

tcpdump -i eth0 | grep -Ei 'dns9.quad9.net'

or if you use 1.1.1.1 cloudflare-dns.com instead of quad9

https://1.1.1.1/help

more info about Stubby default config and upstream servers
https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example



Last edited by Alozaros on Mon Mar 18, 2024 19:07; edited 28 times in total
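Added example, not part of Alozaros's guide: the guide edits two files by hand, the additional DNSmasq options and /opt/etc/stubby/stubby.yml, and several of the pitfalls it mentions (forgotten `no-resolv`, missing `tls_ca_path`, the `tls_ciphersuites` line that has to go, upstreams without a `tls_auth_name`) are easy to check mechanically before rebooting. This lint pass does exactly that with grep over both files. The "good" and "bad" sample files are constructed under a temp directory for the example; the checks mirror the guide's settings and its 20.09.2020 note, and the stubby listen address 127.0.0.1#5453 is assumed to match the dnsmasq `server=` line.

```shell
#!/bin/sh
# Added example (not from the thread): lint the two hand-edited DoT config
# fragments for settings that would let queries leave in plaintext or skip
# upstream authentication. Sample files are constructed below under $TMP.

TMP="${TMPDIR:-/tmp}/dot-lint.$$"
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# $1 = dnsmasq options file, $2 = stubby listen address in dnsmasq form (ip#port).
# Prints one line per problem; returns 0 only if dnsmasq sends every query to stubby.
lint_dnsmasq() {
  rc=0
  # Without no-resolv, dnsmasq keeps the WAN resolvers from /etc/resolv.conf as
  # upstreams next to stubby, so a share of queries still leaves on port 53 in the clear.
  grep -q '^no-resolv$' "$1" \
    || { echo "dnsmasq: no-resolv missing (plaintext fallback to WAN resolvers)"; rc=1; }
  grep -q "^server=$2\$" "$1" \
    || { echo "dnsmasq: no 'server=$2' line (queries never reach stubby)"; rc=1; }
  return $rc
}

# $1 = stubby.yml. Prints one line per problem; returns 0 only if every upstream
# is authenticated and the deprecated ciphersuite key is gone.
lint_stubby() {
  rc=0
  grep -q '^tls_authentication: *GETDNS_AUTHENTICATION_REQUIRED' "$1" \
    || { echo "stubby: tls_authentication is not REQUIRED (upstream identity not verified)"; rc=1; }
  grep -q '^tls_ca_path:' "$1" \
    || { echo "stubby: tls_ca_path missing (Entware certificates will not be found)"; rc=1; }
  grep -q '^tls_ciphersuites:' "$1" \
    && { echo "stubby: remove tls_ciphersuites (deprecated with OpenSSL 1.1.1g+, see guide)"; rc=1; }
  # With REQUIRED authentication each upstream needs the name its certificate must carry.
  n_addr=$(grep -c '^ *- address_data:' "$1" || true)
  n_auth=$(grep -c '^ *tls_auth_name:' "$1" || true)
  [ "$n_addr" -eq "$n_auth" ] \
    || { echo "stubby: $n_addr upstreams but $n_auth tls_auth_name entries"; rc=1; }
  return $rc
}

# Number of problems found for a dnsmasq/stubby pair (0 means clean).
lint_pair() {
  { lint_dnsmasq "$1" '127.0.0.1#5453' || true; lint_stubby "$2" || true; } | wc -l | tr -d ' '
}

# Constructed "good" pair, mirroring the guide's settings.
cat > "$TMP/dnsmasq.good" <<'EOF'
no-resolv
server=127.0.0.1#5453
EOF
cat > "$TMP/stubby.good" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
tls_ca_path: "/opt/etc/ssl/certs"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns9.quad9.net"
    tls_port: 853
EOF

# Constructed "bad" pair: no-resolv forgotten, authentication switched off, the
# deprecated ciphersuite line still present, no CA path, one upstream unnamed.
cat > "$TMP/dnsmasq.bad" <<'EOF'
server=127.0.0.1#5453
EOF
cat > "$TMP/stubby.bad" <<'EOF'
tls_authentication: GETDNS_AUTHENTICATION_NONE
tls_ciphersuites: "TLS_AES_128_GCM_SHA256"
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns9.quad9.net"
  - address_data: 1.1.1.1
EOF

for pair in good bad; do
  echo "== $pair configuration: $(lint_pair "$TMP/dnsmasq.$pair" "$TMP/stubby.$pair") problem(s)"
  lint_dnsmasq "$TMP/dnsmasq.$pair" '127.0.0.1#5453' || true
  lint_stubby "$TMP/stubby.$pair" || true
done
```

On the router, point `lint_dnsmasq` at a file holding the additional DNSmasq options and `lint_stubby` at /opt/etc/stubby/stubby.yml; the checks are deliberately plain grep so they run on busybox without a YAML parser, which also means they only catch the mistakes the guide names, not indentation errors (for those, stubby's own log at /opt/var/log/stubby.log is still the place to look).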
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..
Posted: Tue Jun 11, 2019 23:03
I cannot state that stubby is fully working, or at least prove it...
on wireshark I do not see anything going out via port 853 or coming back to it, or the listening port...
I also do have standard DNS hits in wireshark, which leads me to believe that this stubby is not working as intended or I'm doing it wrong; the only thing that comes out of it is, my DNS is swapped with
1.1.1.1 and I see TLS is used in this https://1.1.1.1/help test, and can see stubby from the router side with netstat -p and in the router's Active IP Connections..... I can see 1.1.1.1 is connected to 853,
and all the DNS port 53 - router IP entries are dns UNREPLIED, and have the listening port connected to 127.0.0.1, but the actual results are different...

P.S. it seems there is a great confusion, as I capture the frames on my wi-fi: DNS there is not TLS encrypted,
but it seems those DNS frames on my router's end are TLS encrypted, so I guess I was sniffing at the wrong end;
I'll try to install wireshark and check the router's end to confirm..., but so far if I have to rely on
the Active IP Connections results & https://1.1.1.1/help test, stubby is working... I guess...

Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..
Posted: Wed Jun 12, 2019 17:42
ok.. on the router I ended up installing tcpdump instead of wireshark... I can confirm I didn't see any hits on port 53 (DNS) in or out of eth0, all goes via port 853 as intended, so clearly it's working as is...

tcpdump -i eth0 | grep -Ei 'dns9.quad9.net'

I can see it's working as it should



Last edited by Alozaros on Sun Dec 20, 2020 14:43; edited 1 time in total
bushant
DD-WRT Guru
Joined: 18 Nov 2015
Posts: 2024
Posted: Wed Jun 12, 2019 18:05
What might a firewall rule look like to drop/reject traffic to/from port 53?
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..
Posted: Wed Jun 12, 2019 19:47
bushant wrote:
What might a firewall rule look like to drop/reject traffic to/from port 53?


don't know, I tried a few to no avail...
tried something like that too:
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -I PREROUTING -i br0 -p udp --dport 853 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 853 -j DNAT --to `nvram get lan_ipaddr`

but the first 2 rules remain after restart; it seems there is no way to block it with simple rules either:

iptables -I FORWARD -p tcp --dport 53 -j DROP
iptables -I FORWARD -p udp --dport 53 -j DROP

but I noticed if you mess with port 53 then there's no NTP on router start, and then stubby is not working and no DNS at all...

the good thing is with tcpdump -i eth0 I don't see any hits on port 53 at all, all goes via 853;
as well you can see in Active IP Connections in the GUI that DNS port 53 entries are UNREPLIED, and the port for stubby is listening...

so far I'm happy with stubby, it seems to work with the setup above...
was thinking to get dnscrypt instead, but not much info and my previous tries were not successful...
will see, need to read more about it...

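Added example, not Alozaros's rules and not part of the thread: one answer to bushant's question about what a port-53 firewall rule might look like, written so that it does not break the router's own boot-time NTP the way the post above describes. LAN clients that hard-code their own resolver are DNAT'd to dnsmasq on the router (which hands everything to stubby), and any port-53 traffic that would still be forwarded out of the LAN is dropped; the router's own OUTPUT chain is untouched, so its NTP-by-IP and stubby's port-853 sessions are unaffected. It assumes br0 is the LAN bridge and dnsmasq listens on the LAN address; LAN_IP defaults to a constructed 192.168.1.1, and on DD-WRT you would pass `nvram get lan_ipaddr` instead. DRY_RUN=1 (the default) prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread): force LAN DNS through the router's
# resolver and drop plaintext port-53 leaks, leaving the router's own traffic alone.
# Assumptions: br0 = LAN bridge, dnsmasq on LAN_IP:53. DRY_RUN=1 prints only.

LAN_IF="${LAN_IF:-br0}"
LAN_IP="${LAN_IP:-192.168.1.1}"   # constructed default; on DD-WRT: $(nvram get lan_ipaddr)
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the iptables commands instead of running them

# Run (or, in dry-run mode, print) one iptables command.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# ipt_refresh <table> <chain> <rule spec...>: delete the rule if it already
# exists, then insert it at the top of the chain, so re-running the startup
# script after a reboot or a WAN restart never stacks duplicate rules.
ipt_refresh() {
  table=$1; chain=$2; shift 2
  ipt -t "$table" -D "$chain" "$@" 2>/dev/null || true
  ipt -t "$table" -I "$chain" "$@"
}

# The rules themselves, for UDP and TCP DNS alike.
force_dns_rules() {
  for proto in udp tcp; do
    # Client -> any resolver on port 53 becomes client -> router:53 (dnsmasq -> stubby).
    ipt_refresh nat PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
      -j DNAT --to-destination "$LAN_IP:53"
    # Anything on port 53 that still tries to leave the LAN is dropped, not forwarded.
    # (After the DNAT above this mostly matters if that rule is ever removed.)
    ipt_refresh filter FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j DROP
  done
}

# Prints the eight commands in dry-run mode; with DRY_RUN=0 they are applied.
force_dns_rules
```

Run it from the DD-WRT firewall script with DRY_RUN=0 so it is re-applied whenever the firewall is rebuilt; nothing here touches OUTPUT or port 853, which is what keeps the boot sequence (NTP by IP, then stubby, then dnsmasq) working. A client that bypasses the router will now show up as `UNREPLIED` port-53 entries to the router address in Active IP Connections rather than as a flow to an outside resolver.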
HalfBit
DD-WRT Guru
Joined: 04 Sep 2009
Posts: 776
Location: AR, USA
Posted: Tue Jul 16, 2019 3:06
I'm pretty sure that you don't have to specify an NTP server and that an IP is built into the firmware.

For the issue of an FQDN for NTP before DNS is working, I ran into this same issue when running DNSCrypt on the router itself and found the following line in my DNSmasq options to work:

server=/ntp.org/208.67.222.222

My router is configured to use us.pool.ntp.org for NTP.

How have some of you been able to run dig on your routers? I installed stubby and getdns, but that didn't seem to work.

_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x
https://pi-hole.net/
https://github.com/DNSCrypt/dnscrypt-proxy