Make Stubby play well with DNSMASq in DNSSEC and DoT?

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
7heblackwolf
DD-WRT Novice


Joined: 21 Nov 2019
Posts: 44

Posted: Fri May 29, 2020 1:04    Post subject: Make Stubby play well with DNSMASq in DNSSEC and DoT?
WRT3200ACM
r43266

Today I realized something that blew my mind.
I have Stubby for DNS lookups and DNSMASq for the rest of the stuff, but most importantly: caching. Because I want to speed things up without losing security. In the past I validated DNSSEC with DNSMASq, and until now I had the triple score in CF, as in the attached picture.

The settings I'm using right now are these (which work):

DNSMASq
Code:

server=127.0.0.1#5453
listen-address=127.0.0.1
no-resolv
no-negcache
stop-dns-rebind
dhcp-authoritative
dhcp-rapid-commit
dhcp-option=option:dns-server,192.168.7.1
bogus-priv
domain-needed
expand-hosts
quiet-dhcp
proxy-dnssec


Stubby
Code:

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 60000
listen_addresses:
  - 127.0.0.1@5453
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=


As you can see, DNSSEC is being proxied, but Stubby is not doing any DNSSEC validation, and neither is DNSMASq (per the non-existent --dnssec). I don't know why it's working now, but anyway. What I want is to validate everything (DNSSEC, DoT) through Stubby and do the caching with DNSMASq.

So I changed the settings to this:
DNSMASq
Code:

server=127.0.0.1#5453
listen-address=127.0.0.1
no-resolv
no-negcache
stop-dns-rebind
dhcp-authoritative
dhcp-rapid-commit
dhcp-option=option:dns-server,192.168.7.1
bogus-priv
domain-needed
quiet-dhcp
proxy-dnssec


Stubby
Code:

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 60000
dnssec_return_status: GETDNS_EXTENSION_TRUE
dnssec_trust_anchors: "/etc/trust-anchors.conf"
listen_addresses:
  - 127.0.0.1@5453
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=




But I end up without a connection. Both services are running "ok". Is there something that I'm missing?

Cheers

_________________
Linksys WRT3200ACM
Firmware: DD-WRT v3.0-r41954 std (01/09/20)

Dnsmasq / Unbound / VAP / DNSCrypt / DNSSEC / QoS WAN.HTB.FQ_CODEL_FAST (custom netmask and svc) / Custom port setups for subnet delegation

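A way to see what the chain in the post above actually does, as an added example (Python, standard library only; not code from the post, Stubby or dnsmasq): it sends a query with the EDNS0 DO bit and reads the AD bit and RCODE out of the reply. Ask for a correctly signed name and for a name whose signatures are deliberately broken (dnssec-failed.org is Comcast's public test zone for exactly this). A chain that validates somewhere returns AD on the first and SERVFAIL on the second. With proxy-dnssec, dnsmasq only copies the AD bit that Stubby's upstream set, so that AD bit is worth exactly as much as the authenticated DoT channel behind it; with neither proxy-dnssec nor dnssec, dnsmasq clears AD, but the broken name still SERVFAILs at the validating upstream. The replies used in the self-test are constructed by hand; the server address, port and test names in the `__main__` block are assumptions taken from the post.

```python
"""Probe a resolver for DNSSEC behaviour: DO bit out, AD bit and RCODE back.

Added example (not from the forum post, Stubby or dnsmasq).  Standard
library only.  Replies used in the self-test are constructed by hand.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
TXID = 0x1234  # fixed transaction id; fine for a one-shot probe


def encode_name(qname: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, dnssec_ok: bool = True) -> bytes:
    """RD=1 query with an EDNS0 OPT RR carrying the DO bit (RFC 6891)."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|flags
    # with DO (0x8000) in the flags half, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0) if dnssec_ok else b""
    return header + question + opt


def parse_response(msg: bytes) -> dict:
    """Decode the 12-byte header; the AD bit and RCODE are what the probe needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),   # Authenticated Data
        "cd": bool(flags & 0x0010),   # Checking Disabled
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "ancount": an,
    }


def classify(signed: dict, broken: dict) -> str:
    """Interpret replies for a correctly signed name and a deliberately broken one."""
    if signed["ad"] and broken["rcode"] == 2:
        return "validated-with-ad"               # a validator in the chain, AD reaches the client
    if not signed["ad"] and broken["rcode"] == 2:
        return "validated-upstream-ad-stripped"  # e.g. dnsmasq without proxy-dnssec in front of a validating DoT upstream
    if signed["ad"] and broken["rcode"] != 2:
        return "ad-without-validation"           # AD set or copied by something that does not reject bogus data
    return "not-validating"


def make_reply(ad: bool, rcode: int, qname: str = "example.com") -> bytes:
    """Constructed reply (header + echoed question) for the offline self-test."""
    flags = 0x8180 | (0x0020 if ad else 0) | (rcode & 0xF)   # QR, RD, RA
    return struct.pack("!HHHHHH", TXID, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def query_udp(server: str, port: int, qname: str, timeout: float = 3.0) -> dict:
    """Send one probe over UDP and decode the reply (live; needs a reachable resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, port))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != TXID or not reply["qr"]:
        raise ValueError("reply does not match the query")
    return reply


if __name__ == "__main__":
    import sys
    # Assumptions: dnsmasq at 192.168.7.1:53 as in the post; use 127.0.0.1 5453 to hit Stubby directly on the router.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.7.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
    try:
        good = query_udp(server, port, "cloudflare.com")     # signed zone
        bad = query_udp(server, port, "dnssec-failed.org")   # deliberately broken signatures
        print("signed:", good["rcode_name"], "AD" if good["ad"] else "no AD")
        print("broken:", bad["rcode_name"], "AD" if bad["ad"] else "no AD")
        print("verdict:", classify(good, bad))
    except (OSError, ValueError) as e:
        print("probe failed:", e)
```

Run it once against dnsmasq and once against Stubby's listener: the two verdicts together tell you which hop sets AD and which hop rejects bogus data, which is the question the post is really asking.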
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7274
Location: Texas, USA

Posted: Fri May 29, 2020 1:31
I presume you've read through this thread:

"DNS over TLS" or "DNS over HTTPS"

Trying to find information can be tricky, not sure if anything here will help:

Stubby DNS over TLS and PIA VPN

Struggles w/Stubby

DNS over TLS support

7heblackwolf
DD-WRT Novice


Joined: 21 Nov 2019
Posts: 44

Posted: Fri May 29, 2020 1:38
kernel-panic69 wrote:
I presume you've read through this thread:

"DNS over TLS" or "DNS over HTTPS"

Trying to find information can be tricky, not sure if anything here will help:

Stubby DNS over TLS and PIA VPN

Struggles w/Stubby

DNS over TLS support



These are the documents that I'm following and adapting to my requirements:
https://wiki.archlinux.org/index.php/Stubby
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby#ConfiguringStubby-DNSSEC

Also here:
https://wiki.gentoo.org/wiki/NetworkManager
https://techrevelations.de/2019/01/11/encrypted-dns-and-how-to-use-it-in-linux/
https://www.mankier.com/1/stubby


7heblackwolf
DD-WRT Novice


Joined: 21 Nov 2019
Posts: 44

Posted: Fri May 29, 2020 1:40
kernel-panic69 wrote:
I presume you've read through this thread:

"DNS over TLS" or "DNS over HTTPS"

Trying to find information can be tricky, not sure if anything here will help:

Stubby DNS over TLS and PIA VPN

Struggles w/Stubby

DNS over TLS support


Also, I found that the DNSMASq man page doesn't recommend proxy-dnssec: "In most cases, enabling DNSSEC validation within dnsmasq is a better option. See --dnssec for details."

But I tried to enable it and it's even worse; now it doesn't validate DNSSEC at all, using:
Code:
# Validate DNSSEC inside dnsmasq
dnssec
# Root zone KSK-2010 (key tag 19036): revoked in January 2019, no longer in the root zone
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
# Root zone KSK-2017 (key tag 20326): the current root trust anchor
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Prove that unsigned answers really come from an unsigned zone (extra DS queries)
dnssec-check-unsigned


7heblackwolf
DD-WRT Novice


Joined: 21 Nov 2019
Posts: 44

Posted: Fri May 29, 2020 1:58
Based on https://forum.openwrt.org/t/tutorial-dns-over-tls-with-dnsmasq-and-stubby-no-need-for-unbound/18663
It seems that I missed a "tls_ca_file", which in my case is:
Code:
tls_ca_file: "/etc/ssl/ca-bundle.crt"


^This fix with the DNSMASq "proxy-dnssec" is not working yet.


7heblackwolf
DD-WRT Novice


Joined: 21 Nov 2019
Posts: 44

Posted: Fri May 29, 2020 2:12
OK, I... solved it?...
After adding
Code:
tls_ca_file: "/etc/ssl/ca-bundle.crt"

to the Stubby yml, I tried DNSMASq without DNSSEC parameters, so I removed proxy-dnssec. And now the connection validates Cloudflare DNS, DoT, and DNSSEC... it seems very, very snappy to me compared with the previous settings...

I'm sharing the final settings:
Stubby

Code:
# Stubby forwards only; it does not recurse itself
resolution_type: GETDNS_RESOLUTION_STUB
# DoT only: never fall back to plaintext UDP/TCP 53
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# Strict profile: refuse any upstream whose TLS identity cannot be authenticated
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# CA bundle used to verify the upstream certificate chain against tls_auth_name
# (the setting that was missing in the earlier configs in this thread)
tls_ca_file: "/etc/ssl/ca-bundle.crt"
# Pad queries to 128-byte blocks to blunt size-based traffic analysis
tls_query_padding_blocksize: 128
# Ask the upstream not to use EDNS Client Subnet for these queries
edns_client_subnet_private: 1
# Keep the TLS connection open between queries (milliseconds)
idle_timeout: 60000
# Local listener that dnsmasq forwards to (server=127.0.0.1#5453)
listen_addresses:
  - 127.0.0.1@5453
round_robin_upstreams: 1
appdata_dir: "/opt/var/lib/stubby"
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
    # SPKI pin of the upstream's current key; pins stop matching when the key rotates
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=


DNSMASq

Code:
# Forward every query to Stubby's loopback listener
server=127.0.0.1#5453
listen-address=127.0.0.1
# Ignore /etc/resolv.conf so the server= line above is the only upstream (no plaintext fallback)
no-resolv
# Do not cache negative answers
no-negcache
# Drop upstream answers that point at private address ranges (DNS rebinding protection)
stop-dns-rebind
dhcp-authoritative
dhcp-rapid-commit
# Hand the router itself to DHCP clients as their DNS server
dhcp-option=option:dns-server,192.168.7.1
# Never forward reverse lookups for private ranges, or plain names without a dot
bogus-priv
domain-needed
expand-hosts
quiet-dhcp


It's funny that after researching for hours, I post, and less than an hour later I find the answer by myself... like... man... I was 99% there...
Hope this helps someone. Cheers


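The two `tls_pubkey_pinset` values in the final Stubby config are SPKI pins: base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo of the upstream's certificate. A pin identifies a key, not a name, so it stops matching whenever Cloudflare rotates the key behind cloudflare-dns.com, and in an AUTHENTICATION_REQUIRED profile a pin that no longer matches is treated as an authentication failure. Recompute pins from the live certificate rather than copying them from a 2020 post. The following added example (Python, standard library only; not code from the post, Stubby or getdns) shows how the pin is derived and checks a certificate against a configured pinset. The certificate in its self-test is synthetic, and the `1.1.1.1:853` default in the `__main__` block is an assumption taken from the post.

```python
"""Compute and check the SPKI pins that Stubby's tls_pubkey_pinset expects.

Added example (not code from the forum post, Stubby or getdns).  Standard
library only: a small DER walker pulls SubjectPublicKeyInfo out of an X.509
certificate, and the pin is base64(SHA-256(that DER)), the same value as
  openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
The certificate in the self-test is synthetic, built by synthetic_cert().
"""
import base64
import hashlib

# Pins as they appear in the post (2020); assumed stale, used here only as
# the "configured" list the checker compares against.
CONFIGURED_PINS = [
    "yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=",
    "PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=",
]


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content_start, content_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV from a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                   issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_read(cert_der, pos)            # descend into tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, nxt = der_read(cert_der, pos)
    if tag == 0xA0:                                   # explicit [0] version present
        pos = nxt
    for _ in range(5):                                # serial, sigalg, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    tag, _, end = der_read(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]                          # the whole SPKI TLV is what gets hashed


def spki_pin(spki_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pem_to_der(pem: str) -> bytes:
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def pin_from_cert_der(cert_der: bytes) -> str:
    return spki_pin(extract_spki(cert_der))


def pin_matches(cert_der: bytes, configured: list) -> bool:
    """True if the certificate's key is in the configured pinset."""
    return pin_from_cert_der(cert_der) in configured


def sample_spki() -> bytes:
    """Constructed Ed25519 SubjectPublicKeyInfo with a made-up 32-byte key."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2b6570")))      # id-Ed25519
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + bytes(range(32))))


def synthetic_cert(spki_der: bytes) -> bytes:
    """Constructed fixture: structurally valid X.509 DER around spki_der with
    empty names and a dummy signature.  Not a real certificate."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2b6570")))
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))                  # v3
    serial = der_tlv(0x02, b"\x01")
    name = der_tlv(0x30, b"")                                        # empty Name
    validity = der_tlv(0x30, der_tlv(0x18, b"20200529000000Z") + der_tlv(0x18, b"20210529000000Z"))
    tbs = der_tlv(0x30, version + serial + alg + name + validity + name + spki_der)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    import ssl
    import sys
    # Assumption: the argument is a DoT server address listening on 853, e.g. 1.1.1.1 from the post.
    host = sys.argv[1] if len(sys.argv) > 1 else "1.1.1.1"
    try:
        pin = pin_from_cert_der(pem_to_der(ssl.get_server_certificate((host, 853))))
        status = "in configured pinset" if pin in CONFIGURED_PINS else "NOT in configured pinset"
        print(host, "SPKI pin:", pin, "(" + status + ")")
    except (OSError, ValueError) as e:
        print("could not fetch certificate:", e)
```

Run it on the router against each upstream before and after a Cloudflare key rotation; if the printed pin is not in the pinset you configured, refresh the pinset, or drop the pinset and rely on `tls_auth_name` with `tls_ca_file`, so Stubby does not refuse the upstream.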
All times are GMT