02. Copy and paste all these lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
(These lines are overwritten every time you paste them in Xshell 6 or PuTTY)
03. If you want to test whether DNS over TLS (DoT) is working, just copy and paste all these lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT), then test on their website:
Cloudflare DNS: (These lines are overwritten every time you paste them in Xshell 6 or PuTTY)
AdGuard Test
04. To use another DoT provider, just change the "forward-addr: x.x.x.x@853#Hostname" lines from step three using Notepad, then copy and paste all those lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
02. You can use other host lists from this page to block fake news, gambling, porn or social media:
(Just change the link "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" from step one)
03. To update the host list, you have to run the commands from step one.
Stop using Custom DNS or Adblock or Unbound:
01. If you don't want to continue using Custom DNS from step three and want to use the defaults, just copy and paste all these lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
02. If you don't want to continue Blocking Ads with Unbound, just copy and paste all these lines at the same time in Xshell 6 or PuTTY and press Enter (IMPORTANT):
Reboot the router
Note:
- Leave Additional Dnsmasq Options empty or Unbound won't work (static leases are OK).
(Services -> Services -> Additional Dnsmasq Options)
Joined: 16 Nov 2015 Posts: 6439 Location: UK, London, just across the river..
Posted: Wed Jul 03, 2019 11:15 Post subject:
if your goal is DNS over TLS there is a stubby
via entware, it's easy to set up and use, i guess it's even faster than unbound...
look at my sig for details... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu Jul 11, 2019 19:49 Post subject:
Haven't experimented with DNS over TLS myself, but I did notice when this guide https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1166512#1166512 appeared recently. It looks like a clean presentation of what's required. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
if you check the link in my sig stubby is easy to configure and does not require jffs and it's working well...
as i see your sig may i ask how to use quad9 for DNScrypt
i use start up script...with the standard resolvers...
i've seen some guide lines how to use quad9 but had no success
can you shed some light...
Last edited by Alozaros on Sat Jul 13, 2019 6:15; edited 1 time in total
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Fri Jul 12, 2019 20:55 Post subject:
The link in my sig is to the Marvell new-build thread for 39144, where I posted a detailed procedure in response to someone's question. I should have started a new thread, of course. I officially feel guilty.
For what it's worth, I've been using DNSCrypt with Quad9 here for four months or so. No problems at all. I'm using it on 39144, which still had the Encrypt DNS button in the DNSMasq section. I suspect you could use the same procedure without difficulty on newer releases that lack that button, which I don't use anyway, as reports are that dnscrypt-proxy is still included in those newer builds.
Update (Aug 7, 2019): I'm using the exact same DNSCrypt setup now on release 40009, which indeed has no Encrypt DNS button. No changes were required.
Joined: 16 Nov 2015 Posts: 6439 Location: UK, London, just across the river..
Posted: Sat Jul 13, 2019 6:14 Post subject:
yep in the past tried the same 9.9.9.9 over start up script but to no avail ...
currently using DNScrypt via start up & DNSmasq
all working as it should...but will try again this quad9 stuff..later
so far DoT is working on all my other routers, i haven't tried yet on R7800 as i have DNScrypt on it...
Generally speaking, i also use FFx DoH option with
9.9.9.9 and it's working on app level very well ...
then create your unbound.conf file and place it in /jffs/unbound and add include: /jffs/unbound/adservers.conf for ad-blocking ...
But it seems to me this does not work. To check, I take, for example, the site - "interactivearea.ru" - it is present in the file
Code:
local-zone: "interactivearea.ru" redirect
local-data: "interactivearea.ru A 0.0.0.0"
But the browser still displays the site. At the same time ip6 and "forward-zone:" are not included.
In your example, the line 'include: /jffs/unbound/adservers.conf' does not contain quotation marks ("") for the file path - Is this not an error? However, I tried both options - the result is the same. Therefore, I have no confidence that the lock works.
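The guide's step one turns the StevenBlack hosts download into exactly this local-zone/local-data list, and the test above asks whether a listed name is really covered by it. The following is an added example in POSIX sh (not code from the guide or from anyone in this thread): it converts hosts lines into the adservers.conf format and checks whether a name, or any parent domain of it, has a redirect zone in the result. The sample hosts lines are constructed; /jffs/unbound/adservers.conf is the path the guide uses, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the guide or from any poster in this thread.
# hosts-format blocklist -> unbound local-zone/local-data pairs (the adservers.conf
# format shown above), plus a check of which names that list actually covers.

# Constructed sample standing in for the downloaded StevenBlack hosts file.
SAMPLE_HOSTS='# Title: constructed sample
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 interactivearea.ru # tracker
0.0.0.0 ads.example.com'

# hosts_to_unbound: hosts lines on stdin -> unbound config on stdout.
# Skips comments, the loopback/self entries and duplicate names.
hosts_to_unbound() {
  awk '
    { sub(/#.*/, "") }                            # drop trailing comments
    NF < 2 { next }                               # blank or malformed line
    $1 != "0.0.0.0" && $1 != "127.0.0.1" { next } # only sinkhole entries
    $2 == "localhost" || $2 == "0.0.0.0" { next } # hosts-file housekeeping
    !seen[$2]++ {
      printf "local-zone: \"%s\" redirect\n", $2
      printf "local-data: \"%s A 0.0.0.0\"\n", $2
    }'
}

# is_blocked NAME CONFIG: exit 0 if NAME, or any parent domain of NAME, has a
# redirect local-zone in CONFIG. A redirect zone answers for every name beneath
# it, so www.interactivearea.ru is covered by the interactivearea.ru entry.
is_blocked() {
  _n=$1
  while [ -n "$_n" ]; do
    printf '%s\n' "$2" | grep -Fxq "local-zone: \"$_n\" redirect" && return 0
    case $_n in
      *.*) _n=${_n#*.} ;;   # strip the leftmost label and retry
      *)   _n= ;;           # top-level label exhausted
    esac
  done
  return 1
}

# Build the list in memory; the guide writes it to /jffs/unbound/adservers.conf.
ADSERVERS=$(printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound)
printf '%s\n' "$ADSERVERS"
for host in www.interactivearea.ru example.com; do
  if is_blocked "$host" "$ADSERVERS"; then echo "$host: blocked"; else echo "$host: allowed"; fi
done
```

Because a redirect zone answers for every name under it, a listed site that still loads in the browser usually means the query is not reaching unbound at all (browser or OS cache, or a client resolving elsewhere); a direct query against unbound's listen port settles that.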
when you have a question, that's why it's so important to start with router model and
current build running.....
as this happens check syslog for errors, look at the download location to confirm the file is downloaded
and it's there...
very likely your router doesn't have a curl command...
you can try with wget, but then you need to change the source to http instead of https
Linksys WRT1900ACSv2 -- DD-WRT v3.0-r40890 std (09/03/19)
I tested for your "sig" a bunch of Unbound (enabled through "Recursive DNS Resolving") and DNSCrypt. I don't know why (I'm not very smart), but they did not work together on port 127.0.0.1#30. But they work well with this setup:
In "Administration--Commands--Startup" introduced:
I do not like that with this combination, DNS leaks anyway.
(In general, it is not clear: Why bind Unbound with DNSCrypt or TLS - does Unbound not hide DNS queries?)
"Adguard-dns" works in a similar way:
Startup:
Code:
dnscrypt-proxy -d -S -a 192.168.1.1:31 -R adguard-dns -L /etc/dnscrypt/dnscrypt-resolvers.csv &
unbound.conf:
Code:
forward-zone:
    name: "."
    forward-addr: 192.168.1.1@31
tinkeruntilitworks wrote:
did you build the new directory?
or did you just add the ad-blocking?
…
very likely your router doesn't have a curl command...
you can try with wget, but then you need to change the source to http instead of https
Yes, I have everything as in your pictures. "curl" works, otherwise I would not be able to get "adservers.conf" and experiment.
As for the "pixelserv_tls" - I did not know about it. Thanks, maybe someday I'll try.
I know one more lock option: take a look.
This has its own peculiarity: you need Unbound to work on another port - it does not replace DNSMasq when it is turned on. This method has been proposed here.
I like this option the most and I use it now, but I’m checking other possibilities as well.
This is better for me because I can get into the ".lib" zone by adding the line "server=/lib/coin/emc/bazar/5.132.191.104" to the "Additional Dnsmasq Options". Unbound and DNSCrypt do not provide names from this zone. In addition, my provider has local resources that can only be resolved by the provider's DNS server. The "No DNS Rebind" option for DNSMasq prohibits this, but Unbound cannot. The line "address=/forum.net.z/video.net.z/lib.net.z/11.12.13.14" (changed) helps out.
Sorry, I think I left the main topic.
Joined: 16 Nov 2015 Posts: 6439 Location: UK, London, just across the river..
Posted: Sat Sep 21, 2019 9:11 Post subject:
so PavelVD to my knowledge and understanding..
you run DNSCrypt via Unbound on the same port...
and it doesn't seem right...well usually, DoT uses port 853 external and any internal you set for your loop back interface...
well i don't see any need for both of them apart of the options and settings that unbound does provide...
same set of features and settings even more..you might have with DNScrypt v2,
and no need of unbound to run it...it still does recursive resolving as Stubby does too...if this is your goal...
Then the most interesting thing for me is, which of all above Stubby, DNScrypt, and Unbound drains less resources and provides the best and more stable/fast results...?? (all they do recursive resolving)
so far, im happy with DNSCrypt and Stubby on my units..
No, I ran Unbound on 127.0.0.1#5153, and DNSCrypt on 192.168.1.1#30. And that was for the test.
There is, apparently, a confusion: dnscrypt-proxy is NOT DNSCrypt2. Proxy is still embedded in our firmware. In combination with Unbound, it is good because it allows recursive queries (if I understand everything correctly) and encrypts them, while Unbound caches them.
I found several flaws in the current Unbound and set it aside. Switched to DNSCrypt2 from Entware. In principle, it works well, quickly, does DoH and crypt.
Actually, I would like to return to Unbound in the future. I like that not only my requests are hidden, but also the DNS server that I was accessing. I'm still looking.
It seems that I like the same as you. But I have not tried Stubby yet.