SMARTDNS Guide

Alozaros
Posted: Fri Jun 24, 2022 17:53
egc wrote:
bind :6053
prefetch-domain yes
serve-expired yes
log-size 64K
log-num 1
log-level error
log-file /tmp/smartdns.log
log-level debug
server-https https://1.1.1.1/dns-query
audit-enable yes
audit-file /tmp/smartdns-audit.log


is having x2 log-level a problem....
"log-level debug" there is an extra space too...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913

egc
Posted: Fri Jun 24, 2022 17:59
Alozaros wrote:
egc wrote:
bind :6053
prefetch-domain yes
serve-expired yes
log-size 64K
log-num 1
log-level error
log-file /tmp/smartdns.log
log-level debug
server-https https://1.1.1.1/dns-query
audit-enable yes
audit-file /tmp/smartdns-audit.log


is having x2 log-level a problem....
"log-level debug" there is an extra space too...


The extra space is a typo.

About the dual entry, I do not know, it should not be a problem.
But even without it there is no logging at my side

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
Posted: Fri Jun 24, 2022 18:07
audit-num 1 is missing too, if you use it...but it shouldn't be an issue..

and yep i also don't see the log created by:

log-file /tmp/smartdns.log
nor i managed it to make SmartDNS to work on my 1043v2

i also added a path to where my certs are, as i don't have ssl folder @ /etc on 1043v2 for some odd reason...

ca-file /opt/etc/ssl/certs/ca-certificates.crt
ca-path /opt/etc/ssl/certs/

egc
Posted: Sat Jun 25, 2022 7:38
Logging is only enabled on x86 because of size constraints, higher end routers should be able to have a small log file and now with the additional config you can probably log to /jffs

I am working on it and see what is feasible

Alozaros
Posted: Sat Jun 25, 2022 8:35
egc wrote:
Logging is only enabled on x86 because of size constraints, higher end routers should be able to have a small log file and now with the additional config you can probably log to /jffs

I am working on it and see what is feasible


I had a 6 feeling BS said that before...
Thanks..in advance

p.s. im more likely Stubby man, but SmartDNS provides a few better options...and its fast and light too...sadly on 1043v2 it works only via Entware...

egc
Posted: Sat Jun 25, 2022 10:33
Log-file working on my EA6900:

Code:
[2022-06-25 12:17:28,337][NOTICE][       smartdns.c:272 ] smartdns starting...(Copyright (C) Nick Peng <pymumu@gmail.com>, build:Jun 25 2022 11:48:25)
[2022-06-25 12:17:28,347][ INFO][     dns_client.c:1074] add server 9.9.9.9:53, type: udp
[2022-06-25 12:17:28,347][ INFO][     dns_client.c:1074] add server 1.0.0.1:53, type: udp
[2022-06-25 12:17:28,349][ WARN][     dns_client.c:876 ] load certificate from /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs failed.
[2022-06-25 12:17:28,349][ INFO][     dns_client.c:1074] add server 1.1.1.1:443, type: https
[2022-06-25 12:17:30,253][ INFO][     dns_client.c:3033] send request www.google.com, qtype 1, id 1
[2022-06-25 12:17:30,295][ INFO][     dns_server.c:805 ] result: www.google.com, rcode: 0,  142.250.179.164

tcpud
Posted: Sat Jun 25, 2022 10:52
On R7800, mine seems to be working just fine with the GUI setup

While checking in Cloudflare: " For Secure DNS

We weren’t able to detect whether you were using a DNS resolver over secure transport. Contact your DNS provider or try using 1.1.1.1 for fast & secure DNS".


Does it need a ssl certificate to be installed/configured or the results actually mean that DoH is working fine but Cloudflare test cannot recognise it?
egc
Posted: Sat Jun 25, 2022 11:14
I have no idea, I am just learning how it works, but now that I can log I see a warning about the crt, so try this: add this to the additional options, as it looks like that is where the certificate is:

Code:
ca-file /etc/ssl/ca-bundle.crt
ca-path /etc/ssl


But first check if you do not have any other DNS servers, from CLI:
cat /tmp/smartdns.conf

It should list all the servers.

To stop any other DNS servers:
Ignore WAN DNS (on Setup page): Enabled

Local DNS, and Static DNS 1,2,3 should be 0.0.0.0

Also DNS servers from OpenVPN and Wireguard can be used.

If you do not have any other DNS servers beside the DoH servers then add the options from above and let me know if that helps.

If so I will patch it but not before tomorrow or the day after, I have to go shopping with the wife

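
Added example (not part of the thread, and not DD-WRT or SmartDNS project code): a POSIX shell pre-flight check for the situation in the posts above, where the log shows `load certificate from ... failed` and `ca-file`/`ca-path` are then added by hand. The function name `check_smartdns_tls` and the policy of requiring an explicitly configured trust store are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. check_smartdns_tls is a hypothetical helper.
# Usage: check_smartdns_tls CONF [LOG]   -> 0 ok, 1 problem found, 2 unreadable config
check_smartdns_tls() {
    conf=$1; log=${2:-}; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # Only encrypted upstreams (DoH/DoT) need a CA trust store.
    enc=$(grep -cE '^[[:space:]]*server-(https|tls)[[:space:]]' "$conf" || true)
    if [ "$enc" -eq 0 ]; then
        echo "OK: no server-https/server-tls upstream configured"
        return 0
    fi

    # Take the last value given for each key.
    ca_file=$(awk '$1 == "ca-file" { v = $2 } END { print v }' "$conf")
    ca_path=$(awk '$1 == "ca-path" { v = $2 } END { print v }' "$conf")

    # Assumption of this check: an explicit trust store must be configured.
    if [ -z "$ca_file" ] && [ -z "$ca_path" ]; then
        echo "FAIL: $enc encrypted upstream(s) but no ca-file/ca-path set"; rc=1
    fi
    if [ -n "$ca_file" ]; then
        if [ ! -s "$ca_file" ]; then
            echo "FAIL: ca-file $ca_file is missing or empty"; rc=1
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
            echo "FAIL: ca-file $ca_file holds no PEM certificate"; rc=1
        fi
    fi
    if [ -n "$ca_path" ] && [ ! -d "$ca_path" ]; then
        echo "FAIL: ca-path $ca_path is not a directory"; rc=1
    fi

    # Keys given more than once, like the two log-level lines earlier in the thread.
    dups=$(awk '$1 ~ /^(log-level|log-file|ca-file|ca-path)$/ { n[$1]++ }
                END { for (k in n) if (n[k] > 1) print k }' "$conf")
    [ -z "$dups" ] || echo "NOTE: repeated keys:" $dups

    # The warning shown in the log above when the CA bundle could not be loaded.
    if [ -n "$log" ] && [ -r "$log" ] &&
       grep -q 'load certificate from .* failed' "$log"; then
        echo "FAIL: $log reports that loading the CA certificates failed"; rc=1
    fi
    return "$rc"
}
```

On the router this would be called as `check_smartdns_tls /tmp/smartdns.conf /tmp/smartdns.log`, the two paths used in the thread.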
Alozaros
Posted: Sat Jun 25, 2022 11:21
yea those are needed otherwise requests go over 443 but not encrypted...odd why servers accept not encrypted requests...

Stubby behaves like that, so correct ssl path is a due..

ca-file /etc/ssl/ca-bundle.crt
ca-path /etc/ssl


it could be ca-certificates.crt too

interesting to test it with wireshark to see if there is an encrypted payload..sadly I'm a few days away from vacation mode...and I'm not around any capable routers to test it ATM

egc
Posted: Sat Jun 25, 2022 12:00
Thanks good info

I was wondering how it worked without a cert.

The cert is in the path I described but check if it is in the same place in your router

So it should probably be patched which I will see to

egc
Posted: Sat Jun 25, 2022 12:27
It could be a self signed certificate not sure if this is accepted
Alozaros
Posted: Sat Jun 25, 2022 12:29
egc wrote:
Thanks good info

I was wondering how it worked without a cert.

The cert is in the path I described but check if it is in the same place in your router

So it should probably be patched which I will see to


Nope 1043v2 doesn't have any of those .crt, nor a directory etc/ssl

i guess those are too big to fit in the flash, but on all 16MB+ flashsize routers they must be there...

Otherwise, in order to make Stubby to work, i have ca-bundle and ca-certificate + libssl installed via Entware...
I was hoping i can use those for SmartDNS, but it didn't work as expected...maybe 'cause CA-Bundle is not in a single file, but all certs in one directory...I'll try to scp it from R7800 and move it to 1043v2 and try again...when time is not a factor

p.s. the only wonder i have is will cp ca-bundle to /opt/etc/ssl/certs will mess with normal stubby operation as there are all certs in this folder along with the copy of ca-bundle.crt as a single file ... no idea...



Last edited by Alozaros on Sat Jun 25, 2022 12:40; edited 1 time in total
tcpud
Posted: Sat Jun 25, 2022 12:38
After changing the DoH DNS to Cloudflare, following is the result.

In addition to " To stop any other DNS servers:
Ignore WAN DNS (on Setup page): Enabled
Local DNS, and Static DNS 1,2,3 should be 0.0.0.0
" , the " Use dnsmasq for DNS" is unticked.

I am not educated in Linux so struggling to get logs

As recommended by @Alozaros I did try the code "ca-file /etc/ssl/ca-bundle.crt
ca-path /etc/ssl", but after rebooting the router no DNS resolv.
From the above, it appears that everything is already working okay as it should. The cert in question possibly is already engaged? (how do I get the logs)
It is possible, when using other DoH providers, the Cloudflare check doesn't recognise other DoH due to the encryption they already have.
Alozaros
Posted: Sat Jun 25, 2022 12:44
tcpud https://1.1.1.1/help/
what is the output of this one ?
is DOH recognised ??

tcpud
Posted: Sat Jun 25, 2022 12:49
Yes