"DNS over TLS" or "DNS over HTTPS"

DD-WRT Forum Index -> Advanced Networking
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Jul 17, 2019 19:10
with NTP time..... well either way will do...

hmm I managed to install and deploy stubby on my R7000 and it's working...just don't follow the bit Entware for Atheros routers and use Broadcom instead...once on entware install, stubby, tcpdump, nano that's all you need, then follow the guide...in my post above...,but haven't tried DNScrypt + stubby yet... :P

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

Posted: Mon Sep 23, 2019 17:31
Can confirm that the described procedure works perfectly after installing Entware on one of my Asus AC68Us
_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
iycgtptyarvg
DD-WRT Novice


Joined: 18 Jun 2014
Posts: 45

Posted: Sun Oct 13, 2019 20:28
1.
On Android I can use dns.quad9.net as the setting for 'Private DNS'. Is the same possible in DD-WRT?
I mean, is it possible to fill this in without having to install all sorts of things outside the 'standard' DD-WRT releases?

2.
I use a firewall script to download malware/adware blocklists. Would that still work if I use Dns over TLS/HTTPS?
tinkeruntilitworks
Guest





Posted: Sun Oct 13, 2019 21:29
posting your router and build number will be helpful for the more experienced users to help you out


*
on my Netgear R7000p the recent builds have added an encrypt dns toggle in the services tab(gui)

it appears to be dnscrypt v2 with a limited selection of providers. unfortunately quad9 is not among them
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon Oct 14, 2019 6:28
well...and your current build number is...???

On the old builds, there was a DNSCrypt in the Services
but it was deprecated, I have no idea how it works but it's not v2 as DNSCrypt-proxy v2 is written in Golang and
the only way to install it is via Entware
So, if you use DNScrypt 1.95 old version with old servers still working via GUI or CLI...
yep the Ad block script is working with it...

But if you want to use (DNS via TLS) adblocking may not work...
to set either of the above services there are links
in my signature...

the best regarding options is DNSCrypt-proxy v2...then I guess unbound and the last is stubby...



Last edited by Alozaros on Sun Dec 20, 2020 14:44; edited 2 times in total
tinkeruntilitworks
Guest





Posted: Mon Oct 14, 2019 13:37
recent as in the current build and the one before it
r41269/
r41303/
and now
r41321/

whatever the version (my bad) it is a simple solution available to some

*
it is the same that was in old kong builds 6 months ago or so.

opendns has a decent privacy policy right?
they just don't offer the protection for free anymore right?
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Mon Oct 14, 2019 14:46
tinkeruntilitworks wrote:
posting your router and build number will be helpful for the more experienced users to help you out


*
on my Netgear R7000p the recent builds have added an encrypt dns toggle in the services tab(gui)

it appears to be dnscrypt v2 with a limited selection of providers. unfortunately quad9 is not among them

See the link in my sig below re setting up the old DNSCrypt, which does not require entware. I use it with quad9 DNS and adguard DNS.

BTW, I believe opendns sells your DNS history. If someone knows for sure otherwise, please speak up.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
tinkeruntilitworks
Guest





Posted: Mon Oct 14, 2019 16:25
I was more talking for the OP's sake. I'm still playing with unbound. the more options available for people the better.

Last edited by tinkeruntilitworks on Tue Nov 26, 2019 15:13; edited 2 times in total
iycgtptyarvg
DD-WRT Novice


Joined: 18 Jun 2014
Posts: 45

Posted: Mon Oct 14, 2019 17:09
tinkeruntilitworks wrote:
posting your router and build number will be helpful for the more experienced users to help you out


*
on my Netgear R7000p the recent builds have added an encrypt dns toggle in the services tab(gui)

it appears to be dnscrypt v2 with a limited selection of providers. unfortunately quad9 is not among them

I'm sorry, I forgot this wasn't a router specific forum topic.

I have a TP-Link WDR4300.
wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

Posted: Tue Nov 26, 2019 15:05
Started using stubby and it worked really well for a while. With the last couple of builds I've had problems with links timing out and being unreachable. I'm using Cloudflare as dns provider.
Today I switched back to my original dnsmasq setup disabling dns-tls. Have no idea what caused the problems with stubby on more recent builds or if Cloudflare has implemented any changes?
Anyone else having the same issues?

sunny0_0
DD-WRT Novice


Joined: 27 Nov 2019
Posts: 22

Posted: Wed Nov 27, 2019 2:18
wabe wrote:
Started using stubby and it worked really well for a while. With the last couple of builds I've had problems with links timing out and being unreachable. I'm using Cloudflare as dns provider.
Today I switched back to my original dnsmasq setup disabling dns-tls. Have no idea what caused the problems with stubby on more recent builds or if Cloudflare has implemented any changes?
Anyone else having the same issues?


Yes, I've also had problems with Cloudflare recently. Switching to Quad9 in my stubby config fixed it.

I think the problem with Cloudflare is slowly being fixed across their servers. Ones in the US seem to be fine now, but elsewhere are still having problems.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Fri Nov 29, 2019 14:59
well...I never had any issues, either with stubby or 1.1.1.1, it works flawlessly...
it depends on your setup too, if you use a round robin option or not, idle time, port, ciphers used, etc....
recently, there was an opkg update too, so you'd need to do it, in order to keep working as expected..
opkg update
opkg upgrade

I do use many servers instead of just 1.1.1.1...
it helps...
If you need more help I need to see your yml settings file....

wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

Posted: Sun Dec 15, 2019 15:26
Tried quad9 with stubby today. Worked well but I decided to test that it really communicated over the right port. Unfortunately it seems that it resolves on standard port 53, i.e. unencrypted.
Have yet to try if 1.1.1.1 works well again.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sun Dec 15, 2019 16:12
you have to set those servers to communicate via port 853 in stubby ;) Then DNS will be encrypted...
on tcpdump I can see only 853 communications...

wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

Posted: Sun Dec 15, 2019 19:27
Alozaros wrote:
you have to set those servers to communicate via port 853 in stubby ;) Then DNS will be encrypted...
on tcpdump I can see only 853 communications...

That’s exactly what I’ve done. Added Quad9 to stubby.yml and tested with tcpdump.
No traffic on port 853. What I noticed is that 9.9.9.9 resolves to a dns provider in NL (WoodyNet), could be that provider does not offer dns over tls? On the other hand if Quad 9 claim they offer this protocol all their partners ought to provide it too.

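
The port 53 versus port 853 check discussed in the last few posts can be made repeatable. The script below is an added example, not code from any poster in this thread: it reads `tcpdump -n` text output and counts only packets leaving the router's WAN address, so LAN clients querying the router on port 53 are not mistaken for a leak. The function name, the interface name `vlan2`, the WAN address 203.0.113.10 and the plain resolver 192.0.2.53 are assumptions, and the capture lines are constructed.

```shell
#!/bin/sh
# Added example: count DNS packets leaving the router's WAN address by
# destination port, from `tcpdump -n` text output read on stdin.
# On the router (interface name is an assumption):
#   tcpdump -n -i vlan2 'port 53 or port 853' | dns_port_summary <WAN_IP>

dns_port_summary() {
    awk -v wan="$1" '
    $2 == "IP" {                      # IPv4 lines only; IPv6 shows as IP6
        src = $3; dst = $5
        sub(/:$/, "", dst)            # drop trailing colon after dst port
        dport = dst; sub(/.*\./, "", dport)
        sub(/\.[0-9]+$/, "", src)     # strip port, keep address
        sub(/\.[0-9]+$/, "", dst)
        if (src != wan) next          # ignore replies and LAN-side queries
        if (dport == "53")  { plain++; leak[dst] = 1 }
        if (dport == "853") { dot++ }
    }
    END {
        list = ""
        for (ip in leak) list = list (list == "" ? "" : ",") ip
        if (list == "") list = "-"
        printf "plain53=%d dot853=%d plain_upstreams=%s\n", plain, dot, list
    }'
}

# Constructed capture: two DoT flows, one reply, one LAN-side query to the
# router, and one plaintext query leaving the WAN address.
sample_capture() {
    cat <<'EOF'
19:27:01.100000 IP 203.0.113.10.41522 > 9.9.9.9.853: Flags [P.], seq 1:120, ack 1, win 229, length 119
19:27:01.130000 IP 9.9.9.9.853 > 203.0.113.10.41522: Flags [P.], seq 1:180, ack 120, win 501, length 179
19:27:02.200000 IP 203.0.113.10.41530 > 149.112.112.112.853: Flags [P.], seq 1:98, ack 1, win 229, length 97
19:27:03.300000 IP 192.168.1.20.51000 > 192.168.1.1.53: 4660+ A? example.com. (29)
19:27:03.310000 IP 203.0.113.10.40001 > 192.0.2.53.53: 4660+ A? example.com. (29)
EOF
}

sample_capture | dns_port_summary 203.0.113.10
```

A non-zero `plain53` with the upstream listed in `plain_upstreams` shows which resolver is still being reached unencrypted from the WAN side.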