Unbound DNS over TLS Adblock up-to-date root.hints

tinkeruntilitworks (Guest)
Posted: Wed Jul 03, 2019 0:35    Post subject: Unbound DNS over TLS Adblock up-to-date root.hints
Running this on a Netgear R7000P with DD-WRT v3.0-r43192 std (05/19/20); the settings are from Unbound version 1.10.0.

Since the 03/25/2020 r42803 build, Unbound and dnsmasq link on port 7053. You just add the port to the interface setting.
Code:
interface: 0.0.0.0@7053 
interface: ::0@7053

When you enable Unbound the following automatically gets added to the dnsmasq.conf.
Code:
server=127.0.0.1#7053 
no-resolv

A key note: as of Changeset 30220, your conf must be at the location below
Code:
/jffs/etc/unbound.conf

Some highlights: DNS over TLS, Adblocking, How to Test, Family Filters
Quote:
If you want to do everything from Xshell 6 or PuTTY (Xshell 6 > PuTTY) in a second, follow this guide.

Requirements:
  1. Setup -> Basic Setup
    • Recursive DNS Resolving (Unbound): Tick
    • Server IP/Name: 216.239.35.0 or 216.239.35.12 (Google NTP servers)

  2. Services -> Services
    • Secure Shell: Enable (SSHd)

  3. Administration -> Management
    • JFFS2 Support: Enable
    • Clean Internal Flash Storage: Enable

  4. Reboot the router.

Instructions:
01. Copy and paste all these commands at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
Code:
mkdir -p /jffs/etc
curl -sS --output /jffs/etc/root.hints https://www.internic.net/domain/named.cache
cp /etc/unbound/root.key /jffs/etc
> /jffs/etc/unbound_dns.conf
> /jffs/etc/blockedhosts.conf
> /jffs/etc/unbound.conf

02. Copy and paste all these lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
(These lines are overwritten every time you paste them in Xshell 6 or PuTTY)
Code:
cat << EOF > /jffs/etc/unbound.conf
server:
verbosity: 1
num-threads: 2
interface: 127.0.0.1@7053
port: 7053
outgoing-range: 950
msg-cache-size: 50m
msg-cache-slabs: 1
num-queries-per-thread: 512
rrset-cache-size: 100m
rrset-cache-slabs: 1
infra-cache-slabs: 1
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.1/24 allow
chroot: "/jffs/etc"
username: ""
directory: "/jffs/etc"
pidfile: "/var/run/unbound.pid"
root-hints: "/jffs/etc/root.hints"
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
rrset-roundrobin: yes
auto-trust-anchor-file: "/jffs/etc/root.key"
key-cache-slabs: 1
# Adblock
include: "/jffs/etc/blockedhosts.conf"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
python:
remote-control:
forward-zone:
name: "."
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-tls-upstream: yes
# Custom DNS Resolver
include: "/jffs/etc/unbound_dns.conf"
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "root.zone"
EOF
stopservice unbound
startservice unbound
ps | grep unbound

03. If you want to test if DNS over TLS (DoT) is working, just copy and paste all these lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT) and then Test on their website:

  1. Cloudflare DNS:
    (These lines are overwritten every time you paste them in Xshell 6 or PuTTY)
    Code:
cat << EOF > /jffs/etc/unbound_dns.conf
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
stopservice unbound
startservice unbound
ps | grep unbound

    Cloudflare Test


  2. AdGuard DNS:
    (These lines are overwritten every time you paste them in Xshell 6 or PuTTY)
    Code:
cat << EOF > /jffs/etc/unbound_dns.conf
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 176.103.130.130@853#dns.adguard.com
forward-addr: 176.103.130.131@853#dns.adguard.com
EOF
stopservice unbound
startservice unbound
ps | grep unbound

    AdGuard Test

04. To use another DoT provider, just change the "forward-addr: x.x.x.x@853#Hostname" lines from step three using Notepad, then copy and paste all those lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):

AdGuard
  • Filters: Default
    Code:
    forward-addr: 176.103.130.130@853#dns.adguard.com
    forward-addr: 176.103.130.131@853#dns.adguard.com

  • Filters: Family
    Code:
    forward-addr: 176.103.130.132@853#dns-family.adguard.com
    forward-addr: 176.103.130.134@853#dns-family.adguard.com

CleanBrowsing
  • Filters: Security
    Code:
    forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
    forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org

  • Filters: Adult
    Code:
    forward-addr: 185.228.168.10@853#adult-filter-dns.cleanbrowsing.org
    forward-addr: 185.228.169.11@853#adult-filter-dns.cleanbrowsing.org

  • Filters: Family
    Code:
    forward-addr: 185.228.168.168@853#family-filter-dns.cleanbrowsing.org
    forward-addr: 185.228.169.168@853#family-filter-dns.cleanbrowsing.org

Cloudflare
  • Filters: None
    Code:
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

Google
  • Filters: None
    Code:
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google

Quad9
  • Filters: Secure
    Code:
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

  • Filters: None
    Code:
    forward-addr: 9.9.9.10@853#dns-nosec.quad9.net
    forward-addr: 149.112.112.10@853#dns-nosec.quad9.net

Source:


DNS Leak and DNSSEC Test:

Adblock with Unbound

01. Copy and paste all these commands at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
(Take a few minutes to complete)
Code:
curl -sS -L --compressed "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" > /tmp/blockedhosts
# keep only the sinkhole lines and skip the list's own "0.0.0.0 0.0.0.0" entry
grep '^0\.0\.0\.0[[:space:]]' /tmp/blockedhosts | awk '$2 != "0.0.0.0" {print "local-data: \""$2" A 127.0.0.1\""}' > /jffs/etc/blockedhosts.conf
rm -f /tmp/blockedhosts
stopservice unbound
startservice unbound
ps | grep unbound

02. You can use other host lists from this page to block fake news, gambling, porn or social media:
(Just change the link "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" from step one)

03. To update the host list, you have to run the commands from step one.


Stop using Custom DNS or Adblock or Unbound:

01. If you don't want to continue using Custom DNS from step three and want to use the defaults, just copy and paste all these lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
Code:
> /jffs/etc/unbound_dns.conf
stopservice unbound
startservice unbound
ps | grep unbound

02. If you don't want to continue Blocking Ads with Unbound, just copy and paste all these lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
Code:
> /jffs/etc/blockedhosts.conf
stopservice unbound
startservice unbound
ps | grep unbound

03. If you want to remove these settings and stop using Unbound completely, you just have to do this:
  1. Copy and paste these commands at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
    Code:
    rm -r /jffs/etc
    stopservice unbound
    startservice unbound
    ps | grep unbound

  2. Setup -> Basic Setup
    • Recursive DNS Resolving (Unbound): Untick

  3. Reboot the router

Note:
- You must not have anything in Additional Dnsmasq Options, or Unbound doesn't work. (Static leases are OK.)
(Services -> Services -> Additional Dnsmasq Options)


I consulted these sites.
NLnet Labs Unbound Master example.conf
DD-WRT Wiki Unbound
NLnet Labs Unbound Documentation
NLnet Labs Unbound How to Optimise
DNS Privacy Project Unbound
Forum Member NBA Jam's Unbound Guide
MartineauUK/Unbound-Asuswrt-Merlin unbound.conf
CALOMEL Unbound DNS Tutorial


Last edited by tinkeruntilitworks on Sat May 30, 2020 23:20; edited 497 times in total
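As an added example (not from the guide or from tinkeruntilitworks), a small POSIX sh/awk check to run against the forward-zone settings before restarting Unbound. It flags a forward-addr that is not on port 853 or lacks the #hostname that Unbound uses to verify the upstream certificate, and a missing tls-cert-bundle or forward-tls-upstream. Pass /jffs/etc/unbound.conf and /jffs/etc/unbound_dns.conf together, since the bundle lives in one file and the forwarders may live in the other; the two configs inside the block are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the guide: lint the DoT forwarding settings in
# unbound.conf(5)-style files. Several files may be passed; they are read as one.
check_dot_conf() {
    awk '
    /^[ \t]*#/ { next }                                      # comment line
    /^[ \t]*tls-cert-bundle:/               { bundle = 1 }
    /^[ \t]*forward-tls-upstream:[ \t]*yes/ { tls = 1 }
    /^[ \t]*forward-addr:/ {
        addr = $2
        if (addr !~ /@853/) {
            print "WEAK: " addr " is not on port 853, queries leave in cleartext"
            bad++
        } else if (addr !~ /#./) {
            print "WEAK: " addr " has no #hostname, the certificate name is not verified"
            bad++
        }
    }
    END {
        if (!bundle) { print "WEAK: no tls-cert-bundle, upstream certificates cannot be validated"; bad++ }
        if (!tls)    { print "WEAK: forward-tls-upstream is not yes, forwarding is not TLS"; bad++ }
        exit (bad > 0)                                       # non-zero when anything was flagged
    }' "$@"
}

# Constructed sample with three problems: a forwarder without #hostname,
# one on plain port 53, and no forward-tls-upstream line.
BAD_FILE=$(mktemp)
cat > "$BAD_FILE" << 'EOF'
server:
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
forward-zone:
name: "."
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853
forward-addr: 8.8.8.8
EOF

# Constructed sample in the shape the guide uses: every upstream on 853 with an
# authentication name, TLS forced, and a CA bundle to validate against.
GOOD_FILE=$(mktemp)
cat > "$GOOD_FILE" << 'EOF'
server:
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
EOF

echo "== weak config =="
check_dot_conf "$BAD_FILE" || echo "-> fix the findings above before trusting DoT"
echo "== guide-style config =="
check_dot_conf "$GOOD_FILE" && echo "-> all forwarders use verified DNS over TLS"
```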
Alozaros (DD-WRT Guru; joined 16 Nov 2015; posts: 6407; location: UK, London, just across the river..)
Posted: Wed Jul 03, 2019 11:15
If your goal is DNS over TLS there is Stubby
via Entware; it's easy to set up and use, and I guess it's even faster than Unbound...
Look at my sig for details...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
SurprisedItWorks (DD-WRT Guru; joined 04 Aug 2018; posts: 1444; location: Appalachian mountains, USA)
Posted: Thu Jul 11, 2019 19:49
Haven't experimented with DNS over TLS myself, but I did notice when this guide https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1166512#1166512 appeared recently. It looks like a clean presentation of what's required.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Alozaros (DD-WRT Guru; joined 16 Nov 2015; posts: 6407; location: UK, London, just across the river..)
Posted: Fri Jul 12, 2019 16:11
SurprisedItWorks wrote:
Haven't experimented with DNS over TLS myself, but I did notice when this guide https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1166512#1166512 appeared recently. It looks like a clean presentation of what's required.


If you check the link in my sig, Stubby is easy to configure, does not require JFFS and is working well...

As I see your sig, may I ask how to use Quad9 for DNSCrypt?
I use a startup script... with the standard resolvers...
I've seen some guidelines on how to use Quad9 but had no success.
Can you shed some light...



Last edited by Alozaros on Sat Jul 13, 2019 6:15; edited 1 time in total
SurprisedItWorks (DD-WRT Guru; joined 04 Aug 2018; posts: 1444; location: Appalachian mountains, USA)
Posted: Fri Jul 12, 2019 20:55
Alozaros wrote:

As I see your sig, may I ask how to use Quad9 for DNSCrypt?
I use a startup script... with the standard resolvers...
I've seen some guidelines on how to use Quad9 but had no success.
Can you shed some light...


The link in my sig is to the Marvell new-build thread for 39144, where I posted a detailed procedure in response to someone's question. I should have started a new thread, of course. I officially feel guilty.

For what it's worth, I've been using DNSCrypt with Quad9 here for four months or so. No problems at all. I'm using it on 39144, which still had the Encrypt DNS button in the DNSMasq section. I suspect you could use the same procedure without difficulty on newer releases that lack that button, which I don't use anyway, as reports are that dnscrypt-proxy is still included in those newer builds.

Update (Aug 7, 2019): I'm using the exact same DNSCrypt setup now on release 40009, which indeed has no Encrypt DNS button. No changes were required.



Last edited by SurprisedItWorks on Wed Aug 07, 2019 16:53; edited 1 time in total
Alozaros (DD-WRT Guru; joined 16 Nov 2015; posts: 6407; location: UK, London, just across the river..)
Posted: Sat Jul 13, 2019 6:14
Yep, in the past I tried the same 9.9.9.9 over a startup script, but to no avail...
Currently using DNSCrypt via startup & DNSmasq;
all working as it should... but will try again this Quad9 stuff... later.

So far DoT is working on all my other routers; I haven't tried yet on the R7800 as I have DNSCrypt on it...
Generally speaking, I also use the FFx DoH option with
9.9.9.9 and it's working on app level very well...

PavelVD (DD-WRT User; joined 26 Jul 2019; posts: 109)
Posted: Thu Sep 05, 2019 20:26    Post subject: Re: Unbound / DNS over TLS / up-to-date root hints / ad-bloc
Can you tell me what I'm doing wrong?
I took this design
tinkeruntilitworks wrote:
...
ad-blocking- run these scripts
curl -sS -L --compressed "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/social/hosts" > /jffs/adservers.conf

cat /jffs/adservers.conf | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > /jffs/unbound/adservers.conf

...

then create your unbound.conf file and place it in /jffs/unbound and add include: /jffs/unbound/adservers.conf for ad-blocking ...

But it seems to me this does not work. To check, I take, for example, the site "interactivearea.ru" - it is present in the file
Code:
local-zone: "interactivearea.ru" redirect
local-data: "interactivearea.ru A 0.0.0.0"

But the browser still displays the site. At the same time ip6 and "forward-zone:" are not included.
In your example, the line 'include: /jffs/unbound/adservers.conf' does not contain quotation marks ("") around the file path - is this not an error? However, I tried both options - the result is the same. Therefore, I have no confidence that the blocking works.
tinkeruntilitworks (Guest)
Posted: Thu Sep 05, 2019 21:11
Blocking has changed. Plus I put a disclaimer that it's not the best.


Last edited by tinkeruntilitworks on Sun Mar 15, 2020 0:46; edited 6 times in total
Alozaros (DD-WRT Guru; joined 16 Nov 2015; posts: 6407; location: UK, London, just across the river..)
Posted: Thu Sep 05, 2019 23:42    Post subject: Re: Unbound / DNS over TLS / up-to-date root hints / ad-bloc
PavelVD wrote:
Can you tell me what I'm doing wrong?
I took this design
tinkeruntilitworks wrote:
...
ad-blocking- run these scripts
curl -sS -L --compressed "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/social/hosts" > /jffs/adservers.conf

cat /jffs/adservers.conf | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > /jffs/unbound/adservers.conf

...

then create your unbound.conf file and place it in /jffs/unbound and add include: /jffs/unbound/adservers.conf for ad-blocking ...

But it seems to me this does not work. To check, I take, for example, the site "interactivearea.ru" - it is present in the file
Code:
local-zone: "interactivearea.ru" redirect
local-data: "interactivearea.ru A 0.0.0.0"

But the browser still displays the site. At the same time ip6 and "forward-zone:" are not included.
In your example, the line 'include: /jffs/unbound/adservers.conf' does not contain quotation marks ("") around the file path - is this not an error? However, I tried both options - the result is the same. Therefore, I have no confidence that the blocking works.


When you have a question, that's why it's so important to start with the router model and
current build running.....

As this happens, check syslog for errors, look at the download location to confirm the file is downloaded
and it's there...

Very likely your router doesn't have a curl command...
You can try with wget, but then you need to change the source to http instead of https

PavelVD (DD-WRT User; joined 26 Jul 2019; posts: 109)
Posted: Fri Sep 06, 2019 11:21
SurprisedItWorks wrote:
Alozaros wrote:
...
As I see your sig, may I ask how to use Quad9 for DNSCrypt?
I use a startup script... with the standard resolvers...
I've seen some guidelines on how to use Quad9 but had no success.
Can you shed some light...


The link in my sig is to the Marvell new-build thread for 39144, where I posted a detailed procedure in response to someone's question. I should have started a new thread, of course. I officially feel guilty.

Linksys WRT1900ACSv2 -- DD-WRT v3.0-r40890 std (09/03/19)
I tested for your "sig" a bunch of Unbound (enabled through "Recursive DNS Resolving") and DNSCrypt. I don't know why (I'm not very smart), but they did not work together on port 127.0.0.1#30. But they work well with this setup:
In "Administration--Commands--Startup" introduced:
Code:
dnscrypt-proxy -d -S -a 192.168.1.1:30 \
-r 9.9.9.9:8443 -N 2.dnscrypt-cert.quad9.net -k \
67c8:47b8:c875:8cd1:2024:5543:be75:6746:df34:df1d:84c0:0b8c:4703:68df:821d:863e
In the file "unbound.conf" added:
Code:
forward-zone:
name: "."
forward-addr: 192.168.1.1@30
I do not like that with this combination, DNS leaks anyway.
(In general, it is not clear: Why bind Unbound with DNSCrypt or TLS - does Unbound not hide DNS queries?)
"Adguard-dns" works in a similar way:
Startup:
dnscrypt-proxy -d -S -a 192.168.1.1:31 \
-R adguard-dns -L /etc/dnscrypt/dnscrypt-resolvers.csv

& unbound.conf:
forward-zone:
name: "."
forward-addr: 192.168.1.1@31


tinkeruntilitworks wrote:
did you build the new directory?
or did you just add the ad-blocking?

very likely your router doesn't have a curl command...
you can try with wget, but than you need to change the source to http instead of https
Yes, I have everything as in your pictures. "curl" works, otherwise I would not be able to get "adservers.conf" and experiment.
As for "pixelserv_tls" - I did not know about it. Thanks, maybe someday I'll try it.
I know one more blocking option: take a look.
This has its own peculiarity: you need Unbound to work on another port - it does not replace DNSMasq when it is turned on. This method has been proposed here.
I like this option the most and I use it now, but I'm checking other possibilities as well.
This is better for me because I can get into the ".lib" zone by adding the line "server=/lib/coin/emc/bazar/5.132.191.104" to the "Additional Dnsmasq Options". Unbound and DNSCrypt do not provide names from this zone. In addition, my provider has local resources that can only be resolved by the provider's DNS server. The "No DNS Rebind" option for DNSMasq prohibits this, but Unbound cannot. The line "address=/forum.net.z/video.net.z/lib.net.z/11.12.13.14" (changed) helps out.
Sorry, I think I left the main topic.
Alozaros (DD-WRT Guru; joined 16 Nov 2015; posts: 6407; location: UK, London, just across the river..)
Posted: Sat Sep 21, 2019 9:11
So PavelVD, to my knowledge and understanding..
you run DNSCrypt via Unbound on the same port...
and it doesn't seem right... well usually, DoT uses port 853 external and any internal port you set for your loopback interface...

Well, I don't see any need for both of them apart from the options and settings that Unbound does provide...
The same set of features and settings, even more, you might have with DNSCrypt v2,
and no need for Unbound to run it... it still does recursive resolving as Stubby does too... if this is your goal...
Then the most interesting thing for me is, which of all the above (Stubby, DNSCrypt and Unbound) drains fewer resources and provides the best and more stable/fast results...?? (they all do recursive resolving)
So far, I'm happy with DNSCrypt and Stubby on my units..

PavelVD (DD-WRT User; joined 26 Jul 2019; posts: 109)
Posted: Tue Sep 24, 2019 22:45
Alozaros wrote:
So PavelVD, to my knowledge and understanding..
you run DNSCrypt via Unbound on the same port...
and it doesn't seem right... well usually, DoT uses port 853 external and any internal port you set for your loopback interface...

Well, I don't see any need for both of them apart from the options and settings that Unbound does provide...
The same set of features and settings, even more, you might have with DNSCrypt v2,
and no need for Unbound to run it... it still does recursive resolving as Stubby does too... if this is your goal...
Then the most interesting thing for me is, which of all the above (Stubby, DNSCrypt and Unbound) drains fewer resources and provides the best and more stable/fast results...?? (they all do recursive resolving)
So far, I'm happy with DNSCrypt and Stubby on my units..

No, I ran Unbound on 127.0.0.1#5153 and DNSCrypt on 192.168.1.1#30. And that was for the test.
There is, apparently, a confusion: dnscrypt-proxy is NOT DNSCrypt2. The proxy is still embedded in our firmware. In combination with Unbound, it is good because it allows recursive queries (if I understand everything correctly) and encrypts them, while Unbound caches them.
I found several flaws in the current Unbound and set it aside. I switched to DNSCrypt2 from Entware. In principle, it works well, quickly, does DoH and crypt.
Actually, I would like to return to Unbound in the future. I like that not only my requests are hidden, but also the DNS server that I was accessing. I'm still looking.
It seems that I like the same as you. But I have not tried Stubby yet.
tinkeruntilitworks (Guest)
Posted: Tue Sep 24, 2019 22:56
PavelVD wrote:
I found several flaws in the current Unbound and set it aside.


flaws in my setup?

or in how unbound runs on dd-wrt?

or both?
PavelVD (DD-WRT User; joined 26 Jul 2019; posts: 109)
Posted: Wed Sep 25, 2019 9:56
For the most part, I meant dd-wrt. Some things I can’t configure.
If I prepare ... Not now.
tinkeruntilitworks (Guest)
Posted: Wed Sep 25, 2019 13:10
thanks for the response

i'm just trying to improve and learn more

i see there is an update coming. maybe that will help resolve some of the issues

https://svn.dd-wrt.com/changeset/41134