Joined: 18 Mar 2014 Posts: 12835 Location: Netherlands
Posted: Sat Jun 25, 2022 7:38 Post subject:
Logging is only enabled on x86 because of size constraints; higher-end routers should be able to have a small log file, and now with the additional config you can probably log to /jffs
Joined: 16 Nov 2015 Posts: 6408 Location: UK, London, just across the river..
Posted: Sat Jun 25, 2022 8:35 Post subject:
egc wrote:
Logging is only enabled on x86 because of size constraints; higher-end routers should be able to have a small log file, and now with the additional config you can probably log to /jffs
I am working on it and see what is feasible
I had a 6th sense BS said that before...
Thanks..in advance
p.s. I'm more likely a Stubby man :P, but SmartDNS provides a few better options...and it's fast and light too...sadly on 1043v2 it works only via Entware...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
On R7800, mine seems to be working just fine with the GUI setup.
While checking on Cloudflare: "For Secure DNS
We weren't able to detect whether you were using a DNS resolver over secure transport. Contact your DNS provider or try using 1.1.1.1 for fast & secure DNS".
Does it need an SSL certificate to be installed/configured, or do the results actually mean that DoH is working fine but the Cloudflare test cannot recognise it?
Joined: 18 Mar 2014 Posts: 12835 Location: Netherlands
Posted: Sat Jun 25, 2022 11:14 Post subject:
I have no idea, I am just learning how it works, but now that I can log I see a warning about the crt, so try this: add this to the additional options, as it looks like that is where the certificate is:
Code:
ca-file /etc/ssl/ca-bundle.crt
ca-path /etc/ssl
But first check that you do not have any other DNS servers, from CLI:
cat /tmp/smartdns.conf
It should list all the servers.
To stop any other DNS servers:
Ignore WAN DNS (on Setup page): Enabled
Local DNS, and Static DNS 1,2,3 should be 0.0.0.0
Also DNS servers from OpenVPN and WireGuard can be used.
If you do not have any other DNS servers besides the DoH servers, then add the options from above and let me know if that helps.
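The two checks in the post above (what /tmp/smartdns.conf actually lists as upstreams, and whether the file named by ca-file is really where the config says) can be scripted. The script below is an added example, not egc's or the DD-WRT project's own code; the sample config it writes is constructed for the example, the 192.0.2.1 upstream and the /nonexistent ca-file path are placeholders, and the directive names (server, server-tls, server-https, ca-file, ca-path) are the ones used in the thread's smartdns config.

```sh
#!/bin/sh
# Added example (not from the thread): audit a smartdns.conf for the two things
# egc asked to check: which upstream servers remain (any plain "server" line means
# DNS still leaves the router unencrypted) and whether the ca-file directive points
# at a bundle that exists on this router. Usage: sh smartdns-audit.sh /tmp/smartdns.conf

# make_sample_conf -> writes a constructed sample config to a temp file, prints its path
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real router's config
server-https https://cloudflare-dns.com/dns-query
server-tls 1.1.1.1
server 192.0.2.1
ca-file /nonexistent/for-example/ca-bundle.crt
ca-path /etc/ssl
EOF
    echo "$f"
}

# list_servers FILE -> one "directive target" line per upstream (server, server-tls, server-https)
list_servers() {
    grep -E '^[[:space:]]*server(-tls|-https)?[[:space:]]' "$1" | awk '{print $1, $2}'
}

# count_plain FILE -> number of plain (unencrypted UDP/TCP) "server" upstreams
count_plain() {
    grep -cE '^[[:space:]]*server[[:space:]]' "$1" || true
}

# ca_file_of FILE -> the path given to the ca-file directive, empty if none
ca_file_of() {
    awk '$1=="ca-file"{print $2; exit}' "$1"
}

# ca_present PATH -> 0 if PATH is a readable file, 1 otherwise
ca_present() {
    [ -r "$1" ]
}

# audit FILE -> prints a summary; returns 1 if a plaintext upstream remains or the
# configured ca-file is unreadable, 0 otherwise
audit() {
    rc=0
    echo "upstreams in $1:"
    list_servers "$1" | sed 's/^/  /'
    n=$(count_plain "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n plaintext upstream(s) still configured (check Ignore WAN DNS / Static DNS / Local DNS)"
        rc=1
    fi
    ca=$(ca_file_of "$1")
    if [ -n "$ca" ] && ! ca_present "$ca"; then
        echo "WARN: ca-file $ca not found on this router; fix the path or drop the directive"
        rc=1
    fi
    return $rc
}

# Run against the file given on the command line (for example /tmp/smartdns.conf).
[ -n "${1:-}" ] && audit "$1"
```

On a router that has the bundle, `ca_present /etc/ssl/ca-bundle.crt` succeeds and the audit only complains about leftover plaintext upstreams; on a 16MB-flash unit without /etc/ssl it flags the ca-file path as missing, which is the case discussed later in this thread.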
Joined: 16 Nov 2015 Posts: 6408 Location: UK, London, just across the river..
Posted: Sat Jun 25, 2022 11:21 Post subject:
Yeah, those are needed, otherwise requests go over 443 but not encrypted...odd why servers accept unencrypted requests...
Stubby behaves like that, so the correct SSL path is due..
ca-file /etc/ssl/ca-bundle.crt
ca-path /etc/ssl
It could be ca-certificates.crt too.
Interesting to test it with Wireshark to see if there is an encrypted payload..sadly I'm a few days away from vacation mode...and I'm not around any capable routers to test it ATM
Joined: 16 Nov 2015 Posts: 6408 Location: UK, London, just across the river..
Posted: Sat Jun 25, 2022 12:29 Post subject:
egc wrote:
Thanks, good info.
I was wondering how it worked without a cert.
The cert is in the path I described, but check if it is in the same place in your router.
So it should probably be patched, which I will see to.
Nope, 1043v2 doesn't have any of those .crt, nor a directory /etc/ssl.
I guess those are too big to fit in the flash, but on all 16MB+ flash-size routers they must be there...
Otherwise, in order to make Stubby work, I have ca-bundle and ca-certificate + libssl installed via Entware...
I was hoping I could use those for SmartDNS, but it didn't work as expected...maybe because the CA bundle is not in a single file, but all certs are in one directory...I'll try to scp it from R7800 and move it to 1043v2 and try again...when time is not a factor.
p.s. the only wonder I have is whether copying ca-bundle to /opt/etc/ssl/certs will mess with normal Stubby operation, as all certs are in this folder along with the copy of ca-bundle.crt as a single file ... no idea...
After changing the DoH DNS to Cloudflare, the following is the result.
In addition to "To stop any other DNS servers:
Ignore WAN DNS (on Setup page): Enabled
Local DNS, and Static DNS 1,2,3 should be 0.0.0.0", the "Use dnsmasq for DNS" is unticked.
I am not educated in Linux, so I am struggling to get logs.
As recommended by @Alozaros I did try the code "ca-file /etc/ssl/ca-bundle.crt
ca-path /etc/ssl", but after rebooting the router there is no DNS resolving.
From the above, it appears that everything is already working okay as it should. The cert in question is possibly already engaged? (How do I get the logs?)
It is possible that, when using other DoH providers, the Cloudflare check doesn't recognise other DoH due to the encryption they already have.