Stubby+DNSSEC+DNSMASq

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Author Message
7heblackwolf
DD-WRT Novice


Joined: 21 Nov 2019
Posts: 44

PostPosted: Thu Oct 15, 2020 11:30    Post subject: Stubby+DNSSEC+DNSMASq Reply with quote
Hi there,
long time playing with settings I came to a point that I need some help since I feel stuck.

These settings also could be used as reference for those who tries to achieve the same goal or need a reference to start with. I'm using entware and mounting JFFS to OPT (usb).

First, the settings:

- DNSMASq
    listen-address=127.0.0.1
    server=127.0.0.1#5453
    cache-size=10000
    log-async=10
    no-resolv
    no-negcache
    stop-dns-rebind
    dhcp-authoritative
    dhcp-option=option:dns-server, 192.168.7.1
    dhcp-rapid-commit
    bogus-priv
    domain-needed
    expand-hosts
    quiet-dhcp
    proxy-dnssec


- Stubby
Code:
resolution_type: GETDNS_RESOLUTION_STUB
dnssec: GETDNS_EXTENSION_TRUE
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
tls_ca_file: "/etc/ssl/ca-bundle.crt"
appdata_dir: "/opt/etc/stubby/cache"
idle_timeout: 9000
edns_client_subnet_private: 1
round_robin_upstreams: 1
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"







The main goal is to make Stubby resolve + DNSSEC, and DNSMASq just cache. The settings are purposely picked for best the performance under strict privacy (priv>perf).

The results are not bad. Suddenly I realized that Stubby was using an old config that made lose DNSSEC, but I fell into the conviction that was working because https://www.cloudflare.com/ssl/encrypted-sni/ "validated" DNSSEC and encrypted dns.

Under the (new) actual configuration pasted above, the results in the cloudflare test are DNSSEC "working" and encrypted dns as "You may not be using secure DNS.". Which leads to the doubt of 1) why was previously showing ok? and 2) under correct setup, this is the correct result if client is behind the Stubby server?

Is there any setting that need to be fixed in order to work 100% fine? Or a way to test DNSSEC FROM the router itself?

_________________
Linksys WRT3200ACM
Firmware: DD-WRT v3.0-r41954 std (01/09/20)

Dnsmasq / Unbound / VAP / DNSCrypt / DNSSEC / QoS WAN.HTB.FQ_CODEL_FAST (custom netmask and svc) / Custom port setups for subnet delegation

Sponsor
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.) All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum