you tell me which is the stub resolver (it's the same with stubby) and what I'm talking about stub resolvers and how dnsmasq is a stub resolver in this case...
short answer: these are both "stub resolvers", they are only connected in series; this is done when they offer different functions.
you just put another stub resolver in front of dnsmasq because dnsmasq does not support DoT or DoH as upstream link.
You can also connect 10 stub resolvers in series - no problem.
I use myself for example client <--> systemd-resolved <--> dnsmasq <--> dnsmasq <--> unbound in recursive mode that would be:
as said before by definition there are only authoritative / recursive / and stub resolvers, if your resolver is neither authoritative nor recursive then it is only a "stub resolver".
correct...
in DDWRT DNSmasq can work as DNS Forwarder or local server...where Recursive resolving is held by Unbound...to be honest I've never used DNSmasq in Stub-resolving/Recursive mode...and I don't know how... but instead I'm using Stubby or SmartDNS or DNScrypt-proxy v2 in Stub/Recursive mode and it's fine...
SmartDNS could work with or without DNSmasq in Stub/Recursive way and its even faster than it..+ lots of good options...
Big thanks to BS and the others that contributed towards implementing SmartDNS in DDWRT as this is a valuable option regarding DNS privacy... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
read carefully the requirements...or the egc guide about it...
Ednan, also I'm not sure if TP-link 1043v2 supports SmartDNS encryption, as it doesn't have openssl, due to its limited flash size...unless BS did something recently...and made it work (I doubt)...to be precise you have to check its DNS payload if it's encrypted at all, either via tcpdump or wireshark
just check if those do exist on 1043v2...
/etc/ssl/ca-bundle.crt
/etc/ssl
I have a few 1043v2 and somewhere BS mentioned that SmartDNS encryption will not work on those routers..due to certain limitations and weak architecture...
your only solution to have encrypted DNS is to use Stubby via Entware USB installation..red link in my sig
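One way to run the tcpdump check mentioned above (an added example, not part of the original post or of DD-WRT): the function reads `tcpdump -nn` text output and counts queries leaving the WAN in cleartext on port 53 versus DoT on port 853. The WAN address 203.0.113.10 and the capture lines are constructed sample data.

```shell
# Added example: classify upstream DNS traffic in `tcpdump -nn` text output.
# Feed it e.g.:  tcpdump -nn -i <wan-if> 'port 53 or port 853'
# $1 is the router's WAN address (assumed known); capture lines arrive on stdin.
# Prints "plain=<n> dot=<n>"; returns 1 if any cleartext query left the WAN.
classify_dns() {
    awk -v wan="$1" '
    $2 == "IP" && index($3, wan ".") == 1 {   # packets sent by the router only
        dst = $5; sub(/:$/, "", dst)          # "9.9.9.9.853:" -> "9.9.9.9.853"
        n = split(dst, p, ".")
        port = p[n]                           # last dotted field is the port
        if (port == "53")  plain++            # query name is readable on the wire
        if (port == "853") dot++              # DoT: only TCP segments are visible
    }
    END { printf "plain=%d dot=%d\n", plain, dot; exit (plain > 0) }
    '
}

# Constructed capture: two DoT segments out, one reply in, one cleartext query.
sample_capture() {
cat <<'EOF'
12:00:01.000001 IP 203.0.113.10.41234 > 9.9.9.9.853: Flags [P.], seq 1:180, ack 1, win 502, length 179
12:00:01.050000 IP 9.9.9.9.853 > 203.0.113.10.41234: Flags [P.], seq 1:240, ack 180, win 501, length 239
12:00:02.000000 IP 203.0.113.10.53211 > 8.8.8.8.53: 4711+ A? example.com. (29)
12:00:03.000000 IP 203.0.113.10.41236 > 9.9.9.9.853: Flags [.], ack 240, win 502, length 0
EOF
}

sample_capture | classify_dns 203.0.113.10 || echo "cleartext DNS seen leaving the WAN"
```

DoH rides on port 443 and cannot be separated from other HTTPS traffic by port, so for a DoH upstream the useful signal is that the port 53 count stays at zero.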
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Tue Nov 22, 2022 22:37 Post subject:
if those are not there then you can have only basic use of SmartDNS without encryption...
If you want to have encrypted DNS your only option is to use Stubby via Entware on USB installation, as I said above...check the red link in my signature and read the guide in my post...
do not use SmartDNS along with Stubby !
Posted: Fri Jan 13, 2023 13:33 Post subject:
Just to RE-CAP the current SmartDNS settings on (51288)...as this "Thread" went too far and people don't bother to do deep digging any more..
So, in order to use it as an Encrypted DNS service thanks to egc, BS and some other contributors! ...on the current builds (I'm currently on 51288)... the use of SmartDNS as a service is very simplified..so, once you enable SmartDNS most of the necessary settings of it come by default.
The only lines needed in SmartDNS config box are the https or tls DNS servers you would like to use, all added in this format:
So, to make SmartDNS work you don't need to add those lines any more in the config box (as in the older guide)...all is added by default..
As well, you can use/see few of SmartDNS options directly via GUI...like https://wiki.dd-wrt.com/wiki/index.php/SmartDNS.
This one is not in the wiki yet: Use Additional Servers Only. If you enable it, SmartDNS will use only the DNS servers specified in its config box, any other DNS settings will be ignored...
To make SmartDNS Resolver to work you have to disable:
-Validate DNS Replies (DNSSEC) from advanced DNSmasq rules
-Check unsigned replies
(as those 2 interfere with SmartDNS)
-in my setup I disabled the DNSmasq cache...
-as well, to delete any static DNS entries from anywhere else..
and make sure you have NTP time (it's vital)
It is highly advised to remove any other DNS settings from the router!!
As well no-resolv or server= or ignore WAN DNS are settings that concern DNSmasq config, but not SmartDNS config, so if any DNS servers are present anywhere else by default, those will be fetched to SmartDNS.conf too...and it will be a bit messy... but it will work...kind of.
So, in order to prevent it, you can enable Use Additional Servers Only and SmartDNS will use only the servers specified in its box...
In general, by default SmartDNS works along with DNSmasq, although SmartDNS overtakes it and works well..with it, you can turn off DNSmasq for DNS and turn off DNSmasq completely and use SmartDNS as a stand alone service for DNS management..
However Turning off DNSmasq is not recommended as DNSmasq is the backbone of DDWRT functionality...so, it is highly advised to not disable DNSmasq and its functionality, apart from disabling those features related to DNSSEC
SmartDNS alone is fully functional and configurable, as DNSmasq is and it's even better in some scenarios. (I use them both enabled, DNSmasq along with SmartDNS)
I haven't explored this side yet...nor have I tested all the SmartDNS commands and options that you can fiddle with... https://pymumu.github.io/smartdns/ReadMe_en.html
If you would like to use SmartDNS as a stand alone (despite it's not advisable)...make sure you have NTP time...working !!!
P.S. SmartDNS has its own caching ...It is advisable to disable DNSmasq cache (set to 0) and use SmartDNS caching mechanism instead, although you can use only DNSmasq cache if you decide not to use the other...(in my case, for home use i dont use any of those) but in some heavy DNS loaded scenarios...DNS caching has its own advantages...
Last edited by Alozaros on Wed Nov 08, 2023 18:45; edited 6 times in total
Router wrt1900acs v2 firmware 06-06-2023-r52894 can someone tell me if the settings are correct? _________________ Internet provider https://en.wikipedia.org/wiki/RCS_%26_RDS 1Gbps
WDR3600 rev.1.5 - DD-Wrt
Linksys WRT1900ACS v.2 DD-Wrt/-OpenWrt
Posted: Sun Jul 02, 2023 16:51 Post subject:
-tls-host-verify is not needed and not doing anything..
if you use IPv6 DNS servers, then you need to enable dualstack IP option..
also in general you don't need that many servers, consider some of those have filtering abilities and must not be used with others that don't have...as well some like cloudflare recommend, to not use any other along with them
me myself I don't mix https with tls servers too...
edited
-tls-host-verify works with this syntax
server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net
Last edited by Alozaros on Wed Nov 08, 2023 19:00; edited 1 time in total
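A small lint for the server lines that go into the SmartDNS config box, added here as an example and not taken from the thread, DD-WRT or SmartDNS. Which findings count as problems is this example's own policy; the first sample line is the one quoted above, the rest are constructed.

```shell
# Added example: lint the upstream lines of a SmartDNS config box (stdin).
# Policy (an assumption of this example, not a DD-WRT or SmartDNS rule):
#   PLAIN    - "server" / "server-tcp" upstream: queries leave unencrypted
#   NOVERIFY - "server-tls" without "-tls-host-verify <name>"
#   NOCHECK  - encrypted upstream carrying "-no-check-certificate"
# Returns 1 if there is at least one finding.
lint_smartdns() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                 # skip blanks and comments
    $1 == "server" || $1 == "server-tcp" {
        print "PLAIN " $2; bad++; next
    }
    $1 == "server-tls" || $1 == "server-https" {
        verify = 0; nocheck = 0
        for (i = 3; i <= NF; i++) {
            # the option only counts when a name follows it, not another flag
            if ($i == "-tls-host-verify" && i < NF && $(i+1) !~ /^-/) verify = 1
            if ($i == "-no-check-certificate") nocheck = 1
        }
        if (nocheck) { print "NOCHECK " $2; bad++ }
        else if ($1 == "server-tls" && !verify) { print "NOVERIFY " $2; bad++ }
        else print "OK " $2
    }
    END { exit (bad > 0) }
    '
}

# First line is the syntax quoted in the post; the others are constructed.
sample_config() {
cat <<'EOF'
server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net
server-tls 1.1.1.1:853
server 8.8.8.8
server-https https://dns.example.net/dns-query -no-check-certificate
EOF
}

sample_config | lint_smartdns || echo "findings above need fixing"
```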
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Thu Sep 28, 2023 15:31 Post subject:
I guess at some point information in this thread needs to be compiled and the wiki get some love. Expediting this will be via Harry Hill's explanation of how business runs.
-tls-host-verify is not needed and not doing anything..
if you use IPv6 DNS servers, then you need to enable dualstack IP option..
also in general you don't need that many servers, consider some of those have filtering abilities and must not be used with others that don't have...as well some like cloudflare recommend, to not use any other along with them
me myself I don't mix https with tls servers too...
which is the menu where enable dualstack IP option?