SMARTDNS Guide

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Tue Nov 22, 2022 19:15
ho1Aetoo wrote:
Alozaros wrote:

output of: lsof -i -P -n
dnsmasq 1884 root 4u IPv4 5728 0t0 UDP *:67
dnsmasq 1884 root 6u IPv4 5731 0t0 UDP *:53
dnsmasq 1884 root 7u IPv4 5732 0t0 TCP *:53 (LISTEN)
httpd 1916 root 8u IPv4 6700 0t0 TCP *:443 (LISTEN)
stubby 2831 root 8u IPv4 7693 0t0 UDP 127.0.0.1:41053
stubby 2831 root 9u IPv4 7694 0t0 TCP 127.0.0.1:41053 (LISTEN)


You tell me which is the stub resolver (it's the same with Stubby) and what I'm talking about with stub resolvers, and how dnsmasq is a stub resolver in this case...


Short answer: these are both "stub resolvers"; they are only connected in series, which is done when they offer different functions.

You just put another stub resolver in front of dnsmasq because dnsmasq does not support DoT or DoH as an upstream link.

You can also connect 10 stub resolvers in series, no problem.

I myself use, for example, client <--> systemd-resolved <--> dnsmasq <--> dnsmasq <--> unbound in recursive mode; that would be:

client <--> stub <--> stub <--> stub <--> recursive <--> authoritative

As said before, by definition there are only authoritative, recursive and stub resolvers; if your resolver is neither authoritative nor recursive then it is only a "stub resolver".


correct...

In DD-WRT, DNSmasq can work as a DNS forwarder or local server, where recursive resolving is handled by Unbound... To be honest I've never used DNSmasq in stub-resolving/recursive mode, and I don't know how... but instead I'm using Stubby or SmartDNS or DNSCrypt-proxy v2 in stub/recursive mode and it's fine...
SmartDNS can work with or without DNSmasq in a stub/recursive way, and it's even faster than it... plus lots of good options...
Big thanks to BS and the others who contributed towards implementing SmartDNS in DD-WRT, as this is a valuable option regarding DNS privacy...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Ednan
DD-WRT Novice


Joined: 06 Sep 2011
Posts: 8

Posted: Tue Nov 22, 2022 20:22
Alozaros wrote:
If you read my post above... this is the format that must be used on DD-WRT:

server-https https://9.9.9.9/dns-query
server-tls 78.46.244.143:853 -host-name: dot-de.blahdns.com
server-tls 9.9.9.9:853 -host-name: dns.quad9.net

but you ignored it and keep asking...

Read the requirements carefully... or the egc guide about it...

Ednan, also I'm not sure if the TP-Link 1043v2 supports SmartDNS encryption, as it doesn't have OpenSSL due to its limited flash size... unless BS did something recently and made it work (I doubt it)... To be precise, you have to check its DNS payload to see if it's encrypted at all, either via tcpdump or Wireshark.

Just check if those exist on the 1043v2...

/etc/ssl/ca-bundle.crt
/etc/ssl

I have a few 1043v2s and somewhere BS mentioned that SmartDNS encryption will not work on those routers... due to certain limitations and weak architecture...
Your only solution to have encrypted DNS is to use Stubby via an Entware USB installation... red link in my sig.


Code:
root@Archer_C5:~# ls /etc
TZ                     hotplug2-createmtd.sh  nvram
cert.pem               hotplug2.rules         openvpnlog.sh
cidrroute.sh           hotplug2.startup       openvpnstate.sh
comgt                  hso                    openvpnstatus.sh
config                 init.d                 passwd
cron.d                 issue                  port-id-map
defaults.bin           kaid                   postinit
dhcp6c.conf            key.pem                preinit
dhcp6s.conf            l7-protocols           profile
dictionary             langpack               protocols
dictionary.microsoft   ld.so.cache            resolv.conf
ethertypes             ld.so.conf             rfc6761.conf
fstab                  lease_update.sh        services
group                  motd                   wifidog-msg.html
hosts                  mtab                   www
hotplug2-common.rules  nocat.conf             xl2tpd


The output says "Archer C5", but I changed the hostname.

I don't see any /etc/ssl.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Tue Nov 22, 2022 22:37
If those are not there then you can have only basic use of SmartDNS without encryption...
If you want to have encrypted DNS your only option is to use Stubby via Entware on a USB installation, as I said above... check the red link in my signature and read the guide in my post...

Do not use SmartDNS along with Stubby!

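The two checks Alozaros describes above (is the CA bundle at /etc/ssl/ca-bundle.crt actually on the box, and does the DNS payload really leave the router encrypted?) can be scripted. The following is an added example written for this guide, not code from the thread or from the SmartDNS project. It assumes a POSIX/BusyBox sh and awk as found on DD-WRT, the CA path quoted above, and tcpdump's default `-n` output format; the capture text in the script is constructed sample data, not a real trace, and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from SmartDNS.
# Two checks for "is my upstream DNS really encrypted?" on a DD-WRT box:
#  1. has_tls_prereqs - is the CA bundle SmartDNS points at present at all?
#  2. count_dns_flows - from a "tcpdump -n" capture, how many packets left the
#     LAN in the clear on port 53 versus on 853 (DoT) or 443 (DoH)?
# Assumes POSIX/BusyBox sh and awk, and the paths from the thread
# (/etc/ssl/ca-bundle.crt under /etc/ssl).

# has_tls_prereqs ROOT: return 0 when ROOT/etc/ssl/ca-bundle.crt is a
# non-empty file. ROOT is "/" on the router; it is a parameter so the
# function can be exercised against a scratch directory as well.
has_tls_prereqs() {
    [ -d "$1/etc/ssl" ] && [ -s "$1/etc/ssl/ca-bundle.crt" ]
}

# count_dns_flows CAPTURE LAN_PREFIX: CAPTURE is the text of
#   tcpdump -ni <wan-interface> 'port 53 or port 853 or port 443'
# LAN_PREFIX (e.g. "192.168.1.") marks destinations that are local clients or
# the router itself; those are expected to be plaintext and are skipped.
# Prints "<plaintext> <encrypted>" packet counts for destinations outside the LAN.
count_dns_flows() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        $2 == "IP" || $2 == "IP6" {
            dst = $5; sub(/:$/, "", dst)            # "9.9.9.9.853:" -> "9.9.9.9.853"
            n = split(dst, part, ".")
            port = part[n]                          # last dotted component is the port
            host = substr(dst, 1, length(dst) - length(port) - 1)
            if (lan != "" && index(host, lan) == 1) next   # towards the LAN: skip
            if (port == "53") plain++
            else if (port == "853" || port == "443") enc++
        }
        END { printf "%d %d\n", plain, enc }'
}

# report_dns_flows CAPTURE LAN_PREFIX: one-line verdict; returns 0 only when
# nothing left the LAN on port 53.
report_dns_flows() {
    set -- $(count_dns_flows "$1" "$2")
    echo "plaintext port-53 packets leaving the LAN: $1, DoT/DoH packets: $2"
    [ "$1" -eq 0 ]
}

# Constructed sample capture (not a real trace): a LAN client asking the router,
# the router talking DoT to 9.9.9.9, one plaintext lookup to 8.8.8.8 (what a
# deliberate "server=/pool.ntp.org/8.8.8.8" NTP bootstrap looks like on the
# wire), one plaintext IPv6 lookup, and a DoH connection to 1.1.1.1.
SAMPLE_CAPTURE='10:00:01.100000 IP 192.168.1.20.51234 > 192.168.1.1.53: 4122+ A? example.com. (29)
10:00:01.100500 IP 192.168.1.1.44410 > 9.9.9.9.853: Flags [P.], seq 1:312, ack 1, win 501, length 311
10:00:01.120000 IP 9.9.9.9.853 > 192.168.1.1.44410: Flags [P.], seq 1:180, ack 312, win 2048, length 179
10:00:02.000000 IP 192.168.1.1.55321 > 8.8.8.8.53: 8821+ A? pool.ntp.org. (30)
10:00:02.050000 IP6 fd00::1.55322 > 2001:4860:4860::8888.53: 9001+ AAAA? dns.google. (28)
10:00:03.000000 IP 192.168.1.1.39920 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0'

# Demo on the constructed sample: 2 plaintext, 2 encrypted, so the verdict fails.
report_dns_flows "$SAMPLE_CAPTURE" 192.168.1. || echo "=> some DNS still leaves in the clear"
if has_tls_prereqs /; then
    echo "CA bundle present under /etc/ssl"
else
    echo "no /etc/ssl/ca-bundle.crt: SmartDNS cannot verify DoT/DoH certificates here"
fi
```

On the router, run `has_tls_prereqs /`, then capture on the WAN interface (replace eth0 with yours) with `tcpdump -ni eth0 -c 200 'port 53 or port 853 or port 443' > /tmp/dns.txt` and feed it in with `report_dns_flows "$(cat /tmp/dns.txt)" 192.168.1.`. Anything counted as plaintext is a query the upstream network can read; the only one you should expect after enabling SmartDNS encryption is a deliberate bootstrap such as the NTP lookup, since TLS cannot validate certificates until the clock is right.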
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Fri Jan 13, 2023 13:33
Just to recap the current SmartDNS settings on (51288)... as this thread went too far and people don't bother to do deep digging any more...

So, in order to use it as an encrypted DNS service (thanks to egc, BS and some other contributors!)... on the current builds (I'm currently on 51288) the use of SmartDNS as a service is very simplified, so once you enable SmartDNS most of its necessary settings come by default.
The only lines needed in the SmartDNS config box are the https or tls DNS servers you would like to use, all added in this format:

server-https https://9.9.9.9/dns-query
server-https https://1.1.1.1/dns-query
server-https https://1.0.0.1/dns-query
server-https https://5.2.75.75/dns-query
server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net
server-tls 78.46.244.143:853 -host-name dot-de.blahdns.com
server-tls 5.2.75.75:853 -host-name dot.nl.ahadns.net
server-tls 1.1.1.1:853 -host-name cloudflare-dns.com
server-tls 1.0.0.1:853 -host-name cloudflare-dns.com


Bear in mind some DNS providers are not good to mix, as some provide filtering and some do not...


So, if you check (via SSH/telnet) the output of cat /tmp/smartdns.conf
you can see that for SmartDNS all those settings come by default...

dualstack-ip-selection yes
prefetch-domain yes
serve-expired yes
log-size 32K
log-num 1
log-level error
log-file /tmp/smartdns.log
ca-file /etc/ssl/ca-bundle.crt
ca-path /etc/ssl
---------------------------------------------------------------------------------------

So, to make SmartDNS work you don't need to add those lines in the config box any more (as in the older guide)... all is added by default...
As well, you can use/see a few of the SmartDNS options directly via the GUI... like https://wiki.dd-wrt.com/wiki/index.php/SmartDNS.

This one is not in the wiki yet: Use Additional Servers Only. If you enable it, SmartDNS will use only the DNS servers specified in its config box; any other DNS settings will be ignored...

To make the SmartDNS resolver work you have to disable:
-Validate DNS Replies (DNSSEC) from advanced DNSmasq rules
-Check unsigned replies
(as those 2 interfere with SmartDNS)
-in my setup I disabled the DNSmasq cache...
-as well, delete any static DNS entries from anywhere else...
and make sure you have NTP time (it's vital)

It is highly advised to remove any other DNS settings from the router!!

As well, no-resolv, server= or ignore WAN DNS are settings that concern the DNSmasq config, not the SmartDNS config, so if any DNS servers are present anywhere else, by default those will be fetched into SmartDNS.conf too... and it will be a bit messy... but it will work... kind of.

So, in order to prevent that, you can enable Use Additional Servers Only and SmartDNS will use only the servers specified in its box...

In general, by default SmartDNS works along with DNSmasq, although SmartDNS takes over from it and works well with it; you can turn off DNSmasq for DNS, or turn off DNSmasq completely and use SmartDNS as a stand-alone service for DNS management...
However, turning off DNSmasq is not recommended, as DNSmasq is the backbone of DD-WRT functionality... so it is highly advised not to disable DNSmasq and its functionality, apart from disabling those features related to DNSSEC.

SmartDNS alone is fully functional and configurable, as DNSmasq is, and it's even better in some scenarios. (I use them both enabled, DNSmasq along with SmartDNS.)
I haven't explored this side yet... nor have I tested all the SmartDNS commands and options that you can fiddle with... https://pymumu.github.io/smartdns/ReadMe_en.html

If you would like to use SmartDNS stand-alone (though it's not advisable)... make sure you have NTP time working!!!

P.S. SmartDNS has its own caching... It is advisable to disable the DNSmasq cache (set to 0) and use the SmartDNS caching mechanism instead, although you can use only the DNSmasq cache if you decide not to use the other... (in my case, for home use, I don't use either of those) but in some heavily DNS-loaded scenarios DNS caching has its own advantages...



Last edited by Alozaros on Wed Nov 08, 2023 18:45; edited 6 times in total
rogerx
DD-WRT Novice


Joined: 23 Mar 2023
Posts: 1

Posted: Thu Mar 23, 2023 22:24
Thanks for following up. And on that note, posting an IPv4 & IPv6 Google configuration.


server-tls 8.8.8.8:853 -host-name: dns.google.com -tls-host-verify: dns.google/dns-query
server-tls 8.8.4.4:853 -host-name: dns.google.com -tls-host-verify: dns.google/dns-query
server-https https://8.8.8.8/dns-query -host-name: dns.google.com
server-https https://8.8.4.4/dns-query -host-name: dns.google.com

server-tls [2001:4860:4860::8888]:853 -host-name: dns.google.com -tls-host-verify: dns.google/dns-query
server-tls [2001:4860:4860::8844]:853 -host-name: dns.google.com -tls-host-verify: dns.google/dns-query
server-https https://[2001:4860:4860::8888]/dns-query -host-name: dns.google.com
server-https https://[2001:4860:4860::8844]/dns-query -host-name: dns.google.com
oliver44
DD-WRT Guru


Joined: 01 Jun 2016
Posts: 504

Posted: Thu Jun 08, 2023 13:09
Hello all,

Router WRT1900ACS v2, firmware 06-06-2023-r52894. Can someone tell me if the settings are correct?

_________________
Internet provider https://en.wikipedia.org/wiki/RCS_%26_RDS 1Gbps
WDR3600 rev.1.5 - DD-Wrt
Linksys WRT1900ACS v.2 DD-Wrt/-OpenWrt



https://ipv6.chappell-family.com/ipv6tcptest/
https://en.internet.nl/connection/e91f490fe1c54cb2b78145c0ab0d2b5a/results
http://www.dnssec-or-not.com/
https://dnscheck.tools/#results
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sun Jul 02, 2023 16:51
-tls-host-verify is not needed and is not doing anything...

If you use IPv6 DNS servers, then you need to enable the dualstack IP option...

Also, in general you don't need that many servers; consider that some of those have filtering abilities and must not be used with others that don't... as well, some like Cloudflare recommend not using any other along with them.

I myself don't mix https with tls servers either...

Edited:
-tls-host-verify works with this syntax:

server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net



Last edited by Alozaros on Wed Nov 08, 2023 19:00; edited 1 time in total
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Mon Sep 04, 2023 8:46
I found out that it can work like this (example for Google DNS):

In Additional Options of SmartDNS Resolver enter this directive:


Code:
server-https https://dns.google/dns-query




and in Additional Options of Dnsmasq Infrastructure enter these:

Code:
server=/pool.ntp.org/8.8.8.8
address=/dns.google.com/8.8.8.8
address=/dns.google.com/8.8.4.4
address=/dns.google.com/2001:4860:4860::8844
address=/dns.google.com/2001:4860:4860::8888
local=/dns.google.com/
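Pulling together three points from the posts above: the recap's server-tls/server-https line format, Alozaros's follow-up that -tls-host-verify takes its value with no colon after the option name and that IPv6 upstreams need the dual-stack option, and Mile-Lile's workaround for a hostname-based server-https URL that has to be resolvable before SmartDNS can use it. The following linter is an added example, not code from the thread or from the SmartDNS project; it checks the contents of the config box for those points before you paste them. The option names -host-name, -tls-host-verify and -no-check-certificate are real SmartDNS options; the rule set, the function names, and the requirement that server-tls carries an explicit ADDRESS:PORT are this example's own choices, and the demo config at the bottom is constructed, not taken from a router.

```shell
#!/bin/sh
# Added example, not code from the thread or the SmartDNS project: lint the
# server-tls / server-https lines before pasting them into the DD-WRT
# SmartDNS config box. Rules (this example's own, derived from the thread):
#  - server-tls takes ADDRESS:PORT; server-https takes an https:// URL
#  - option values follow the option name with no colon (-host-name NAME)
#  - an IP-literal server-tls needs -host-name, or there is no name to
#    match the TLS certificate against
#  - -host-name / -tls-host-verify values are bare hostnames, not URLs or paths
#  - an IPv6 upstream needs "dualstack-ip-selection yes" in the config
#  - a hostname-based server-https URL needs a bootstrap path, since it
#    must be resolved before SmartDNS itself is up
set -f   # never glob: "[2001:...]" literals must not be treated as patterns

# is_ipv4 STRING: 0 when STRING is four dotted octets in 0..255.
is_ipv4() {
    case "$1" in *[!0-9.]*) return 1 ;; esac
    _oifs=$IFS; IFS=.; set -- $1; IFS=$_oifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# target_kind ADDRESS: prints ip4, ip6 or name.
target_kind() {
    case "$1" in
        \[*\]) echo ip6 ;;
        *) if is_ipv4 "$1"; then echo ip4; else echo name; fi ;;
    esac
}

# lint_server_line LINE: prints findings; returns 0 when LINE is acceptable.
lint_server_line() {
    _lifs=$IFS; IFS=' '; set -- $1; IFS=$_lifs
    [ $# -ge 2 ] || { echo "ERROR: '$*' has no server target"; return 1; }
    _kind=$1; _target=$2; _rc=0; _host=''; _verify=''
    shift 2
    case "$_kind" in
        server-tls)
            _addr=${_target%:*}; _port=${_target##*:}
            case "$_port" in
                ''|*[!0-9]*) echo "ERROR: server-tls wants ADDRESS:PORT, e.g. 9.9.9.9:853 (got '$_target')"; return 1 ;;
            esac ;;
        server-https)
            case "$_target" in
                https://*) ;;
                *) echo "ERROR: server-https wants an https:// URL (got '$_target')"; return 1 ;;
            esac
            _addr=${_target#https://}; _addr=${_addr%%/*}   # authority part only
            case "$_addr" in
                \[*) _addr="${_addr%%]*}]" ;;                # keep [v6], drop :port
                *)   _addr=${_addr%%:*} ;;
            esac ;;
        *) echo "ERROR: unknown directive '$_kind'"; return 1 ;;
    esac
    while [ $# -gt 0 ]; do
        case "$1" in
            -host-name|-tls-host-verify)
                [ $# -ge 2 ] || { echo "ERROR: '$1' has no value"; return 1; }
                case "$2" in
                    */*|*:*) echo "ERROR: '$1 $2': value must be a bare hostname, not a URL or path"; _rc=1 ;;
                esac
                if [ "$1" = -host-name ]; then _host=$2; else _verify=$2; fi
                shift 2 ;;
            -host-name:|-tls-host-verify:)
                echo "ERROR: '$1' has a trailing colon; write '${1%:} NAME'"; _rc=1
                if [ $# -ge 2 ]; then shift 2; else shift; fi ;;
            -no-check-certificate)
                echo "WARN: -no-check-certificate disables TLS verification; the upstream could be anyone"; _rc=1; shift ;;
            *) echo "NOTE: option '$1' is not checked by this linter"; shift ;;
        esac
    done
    _tk=$(target_kind "$_addr")
    if [ "$_tk" = name ]; then
        echo "NOTE: '$_addr' must be resolvable before SmartDNS is up (bootstrap it, e.g. via dnsmasq address= lines, or use the IP form)"
    elif [ "$_kind" = server-tls ] && [ -z "$_host" ]; then
        echo "ERROR: IP literal $_addr without -host-name: no name to check the TLS certificate against"; _rc=1
    fi
    if [ "$_tk" = ip6 ]; then echo "NOTE: IPv6 upstream $_addr needs 'dualstack-ip-selection yes'"; fi
    if [ -n "$_verify" ] && [ -n "$_host" ] && [ "$_verify" != "$_host" ]; then
        echo "WARN: -tls-host-verify '$_verify' differs from -host-name '$_host'"
    fi
    return $_rc
}

# lint_conf TEXT: lint every server line in TEXT plus the dual-stack
# prerequisite. On the router: lint_conf "$(cat /tmp/smartdns.conf)"
lint_conf() {
    _errors=0; _v6=0; _dual=0
    _cifs=$IFS; IFS='
'
    for _line in $1; do
        case "$_line" in
            dualstack-ip-selection\ yes*) _dual=1 ;;
            server-tls\ *|server-https\ *)
                lint_server_line "$_line" || _errors=$((_errors + 1))
                case "$_line" in *\[*\]*) _v6=1 ;; esac ;;
        esac
    done
    IFS=$_cifs
    if [ "$_v6" -eq 1 ] && [ "$_dual" -eq 0 ]; then
        echo "ERROR: IPv6 upstream present but no 'dualstack-ip-selection yes' line"
        _errors=$((_errors + 1))
    fi
    echo "lint finished: $_errors error(s)"
    [ "$_errors" -eq 0 ]
}

# Constructed demo config (not from a real router): the default dual-stack
# setting quoted in the thread, a DoH line by IP, a DoT line, an IPv6 upstream.
DEMO_CONF='dualstack-ip-selection yes
server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net
server-tls [2001:4860:4860::8888]:853 -host-name dns.google'

lint_conf "$DEMO_CONF"   # 0 error(s)
lint_server_line 'server-tls 9.9.9.9:853 -host-name: dns.quad9.net -tls-host-verify: dns.quad9.net/dns-query' || echo "=> line rejected"
```

Run `lint_conf "$(cat /tmp/smartdns.conf)"` after saving the GUI settings to see what SmartDNS was actually handed, including any servers pulled in from other DNS settings; the linter only reads text, so it is safe to run on a box whose DNS is already misbehaving.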
Bonza13
DD-WRT Novice


Joined: 09 Nov 2010
Posts: 12

Posted: Wed Sep 13, 2023 17:01
Code:
server-https https://doh.opendns.com/dns-query


Is it the right setting for OpenDNS, and how do I properly set server-tls for it?
Something like this?:
Code:
server-tls 208.67.220.220:853 -host-name: ??? -tls-host-verify: ???
NetJackACDC
DD-WRT Novice


Joined: 24 Apr 2022
Posts: 12

Posted: Thu Sep 28, 2023 8:57
Is there a list of DNS servers around that we can choose from for DoH or DoT? Preferably privacy/security centric ones?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Thu Sep 28, 2023 15:31
I guess at some point the information in this thread needs to be compiled and the wiki needs some love. Expediting this will be via Harry Hill's explanation of how business runs.

https://support.smartdnsproxy.com/article/54-dd-wrt-dns-setup-for-smart-dns-proxy

https://www.smartdnsproxy.com/servers/

https://wiki.ipfire.org/dns/public-servers

https://public-dns.info/

https://en.wikipedia.org/wiki/Public_recursive_name_server

https://en.wikipedia.org/wiki/List_of_managed_DNS_providers

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
victoryo
DD-WRT Novice


Joined: 25 Jul 2014
Posts: 15

Posted: Sun Oct 08, 2023 12:25
Bonza13 wrote:
Code:
server-https https://doh.opendns.com/dns-query


Is it the right setting for OpenDNS, and how do I properly set server-tls for it?
Something like this?:
Code:
server-tls 208.67.220.220:853 -host-name: ??? -tls-host-verify: ???


This is what I use, correct me if wrong:

Code:
server-tls 208.67.222.222:853 -host-name: doh.opendns.com -tls-host-verify: doh.opendns.com
server-tls 208.67.220.220:853 -host-name: doh.opendns.com -tls-host-verify: doh.opendns.com
server-https https://208.67.222.222/dns-query -host-name: doh.opendns.com -tls-host-verify: doh.opendns.com
server-https https://208.67.220.220/dns-query -host-name: doh.opendns.com -tls-host-verify: doh.opendns.com
oliver44
DD-WRT Guru


Joined: 01 Jun 2016
Posts: 504

Posted: Wed Oct 11, 2023 21:53
Alozaros wrote:
-tls-host-verify is not needed and is not doing anything...

If you use IPv6 DNS servers, then you need to enable the dualstack IP option...

Also, in general you don't need that many servers; consider that some of those have filtering abilities and must not be used with others that don't... as well, some like Cloudflare recommend not using any other along with them.

I myself don't mix https with tls servers either...


Which is the menu where I enable the dualstack IP option?

victoryo
DD-WRT Novice


Joined: 25 Jul 2014
Posts: 15

Posted: Thu Oct 12, 2023 8:10
I have smartdns working correctly and was wondering if I could also use both the "forced dns redirection" options with it?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Oct 12, 2023 8:30
victoryo wrote:
I have smartdns working correctly and was wondering if I could also use both the "forced dns redirection" options with it?


Yes, you can.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087