7heblackwolf DD-WRT User
Joined: 21 Nov 2019 Posts: 66
Posted: Thu Oct 15, 2020 11:30 Post subject: Stubby+DNSSEC+DNSMASq
Hi there,
After a long time playing with settings, I have come to a point where I need some help, since I feel stuck.
These settings could also be used as a reference for those who try to achieve the same goal or need a reference to start with. I'm using Entware and mounting JFFS to OPT (USB).
First, the settings:
- DNSMASq
listen-address=127.0.0.1
server=127.0.0.1#5453
cache-size=10000
log-async=10
no-resolv
no-negcache
stop-dns-rebind
dhcp-authoritative
dhcp-option=option:dns-server, 192.168.7.1
dhcp-rapid-commit
bogus-priv
domain-needed
expand-hosts
quiet-dhcp
proxy-dnssec
- Stubby
Code:
resolution_type: GETDNS_RESOLUTION_STUB
dnssec: GETDNS_EXTENSION_TRUE
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
tls_ca_file: "/etc/ssl/ca-bundle.crt"
appdata_dir: "/opt/etc/stubby/cache"
idle_timeout: 9000
edns_client_subnet_private: 1
round_robin_upstreams: 1
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
The main goal is to make Stubby resolve + DNSSEC, and DNSMASq just cache. The settings are purposely picked for the best performance under strict privacy (priv > perf).
The results are not bad. Then I suddenly realized that Stubby was using an old config that lost DNSSEC, but I had been convinced it was working because https://www.cloudflare.com/ssl/encrypted-sni/ "validated" DNSSEC and encrypted DNS.
Under the (new) actual configuration pasted above, the results in the Cloudflare test are DNSSEC "working" and encrypted DNS "You may not be using secure DNS.", which leads to the doubts: 1) why was it previously showing OK? and 2) under a correct setup, is this the correct result if the client is behind the Stubby server?
Is there any setting that needs to be fixed in order for it to work 100% fine? Or a way to test DNSSEC FROM the router itself? _________________ Linksys WRT3200ACM
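An added example (not part of the post, and not stubby's or dnsmasq's own tooling) showing how DNSSEC can be checked from the router's shell rather than from a browser page. It assumes the layout in the post, dnsmasq on 127.0.0.1:53 forwarding to stubby on 127.0.0.1:5453, and that `dig` (the Entware `bind-dig` package) is installed. A validating resolver such as stubby with `dnssec: GETDNS_EXTENSION_TRUE` answers NOERROR with the AD flag for a correctly signed name and SERVFAIL for a name whose signatures are broken, and dnsmasq's `proxy-dnssec` copies that AD flag through to its clients, so querying both listeners shows whether validation happens and whether it survives the cache layer. `cloudflare.com` (a signed zone) and `dnssec-failed.org` (the usual deliberately broken test name) are assumed reachable; the sample dig headers embedded below are constructed, not captured from a real router.

```shell
#!/bin/sh
# Added example, not from the forum post: a DNSSEC check to run on the router.
# Assumptions (from the post): dnsmasq listens on 127.0.0.1:53 and forwards to
# stubby on 127.0.0.1:5453; `dig` (Entware package bind-dig) is installed.
# A validating resolver returns NOERROR with the AD flag for a correctly signed
# name and SERVFAIL for a name whose signatures are deliberately broken; with
# proxy-dnssec, dnsmasq passes the AD flag through unchanged.

# classify_dnssec_answer: read dig output on stdin, print one word.
#   validated    NOERROR and the AD (authenticated data) flag is set
#   rejected     SERVFAIL, the validator refused a bogus answer
#   unvalidated  an answer without AD (resolver not validating, or unsigned zone)
classify_dnssec_answer() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo rejected ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        *) echo "unknown:${status:-none}" ;;
    esac
}

# query_and_classify SERVER PORT NAME: one live query, classified as above.
query_and_classify() {
    dig @"$1" -p "$2" +dnssec +time=5 +tries=1 "$3" | classify_dnssec_answer
}

# check_router_dns: query stubby directly and then through dnsmasq, once with a
# signed name and once with the deliberately broken one. Expected when the
# chain works: "validated" for cloudflare.com and "rejected" for
# dnssec-failed.org on both listeners.
check_router_dns() {
    for target in "127.0.0.1 5453 stubby" "127.0.0.1 53 dnsmasq"; do
        set -- $target
        printf '%-8s signed   %s\n' "$3" "$(query_and_classify "$1" "$2" cloudflare.com)"
        printf '%-8s bogus    %s\n' "$3" "$(query_and_classify "$1" "$2" dnssec-failed.org)"
    done
}

# Constructed dig headers (not captured from a real router) for offline use.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REJECTED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# classify_sample NAME: classify one of the constructed samples (validated,
# rejected, no_ad) without touching the network.
classify_sample() {
    case "$1" in
        validated) printf '%s\n' "$SAMPLE_VALIDATED" ;;
        rejected)  printf '%s\n' "$SAMPLE_REJECTED" ;;
        no_ad)     printf '%s\n' "$SAMPLE_NO_AD" ;;
    esac | classify_dnssec_answer
}

# Run the live checks only when asked: `sh dnssec_check.sh --live`
if [ "${1-}" = "--live" ]; then check_router_dns; fi
```

If stubby shows "validated"/"rejected" but dnsmasq shows "unvalidated" for the signed name, the AD flag is being dropped between the two, which points at the `proxy-dnssec` line; if stubby itself shows "unvalidated", validation is not enabled or the trust anchor under `appdata_dir` is missing.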