Joined: 12 Dec 2007 Posts: 783 Location: Pittsburgh, PA USA
Posted: Wed Feb 01, 2023 0:43 Post subject: SmartDNS certificates
I've been using the Cloudflare DNS servers (DOT and DOH) in SmartDNS for several months now. Recently I read an article about free DNS resolvers, and it mentioned Control D for ad blocking. I tested it a bit on my Windows laptop and found it to be quite effective at blocking ads. Since they have DOT and DOH, I figured I could just update the SmartDNS config. Unfortunately, that's not what happened. I found myself without DNS resolution. After a bunch of troubleshooting, I found that it would work unencrypted but DOT and DOH would not.
I did some further investigation and found that Control D uses a ZeroSSL intermediate cert. Unfortunately, this cert is not in /etc/ssl/ca-bundle.crt. I tried a few workarounds, including copying the files to the thumbdrive I have mounted as /jffs, appending the missing cert, and adding the lines
to the SmartDNS additional options. Apparently the ca-file and ca-path already in smartdns.conf take precedence, though.
I'm not sure how to get it to trust the "ZeroSSL ECC Domain Secure Site CA" cert.
Netgear R7800
DD-WRT v3.0 STD
Linksys WRT1900AC
DD-WRT v3.0 STD
Joined: 12 Dec 2007 Posts: 783 Location: Pittsburgh, PA USA
Posted: Wed Feb 01, 2023 17:30 Post subject:
Thanks @egc. That worked for the configuration. Still trying to get the certificates sorted, though. May be a lost cause.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Feb 01, 2023 18:17 Post subject:
dpp3530 wrote:
Thanks @egc. That worked for the configuration. Still trying to get the certificates sorted, though. May be a lost cause.
hmm...you should be able to add them to this folder manually...
and then point to those...no idea if SmartDNS will use them both...or only those from jffs..in this case you may need to load all its config to jffs...
if it's not working then there is something else that you'd need..extra...
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Copied the root and intermediate certs (in Base64 .crt format) to /opt/etc/ssl/certs and made sure
Code:
server=/freedns.controld.com/8.8.8.8
was in my DNSMasq config. Now I have DNS resolution.
The interesting thing is that the Cloudflare test site says I'm not using DOT or DOH, but
Code:
tcpdump -ni eth1 -p port 853
shows a whole lot of traffic for "not" using DNS over TLS.
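The certificate steps the posts above describe (the ZeroSSL intermediate missing from /etc/ssl/ca-bundle.crt, egc's suggestion to put the certs in a folder of your own and point at them, and the root plus intermediate that were finally copied into /opt/etc/ssl/certs) as one added shell example. This is not code from the thread, from SmartDNS or from DD-WRT. It assumes a POSIX shell with awk, sed, tr and mktemp, an openssl binary for the live check (an assumption; stock firmware may not ship one), freedns.controld.com on port 853 as the endpoint under test, and /jffs/ssl/ca-bundle.crt as a bundle path chosen only for the example. The placeholder block in `selftest` is constructed text, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the thread, SmartDNS or DD-WRT): inspect the chain a
# DoT server presents, see whether it verifies against a CA bundle, and append a
# missing intermediate to a bundle of your own without creating duplicates.
# Assumptions: POSIX sh with awk/sed/tr/mktemp; an openssl binary for the live
# check; /jffs/ssl/ca-bundle.crt is just a path chosen for this example.
set -u

# Keep only the PEM certificate blocks from stdin (e.g. openssl s_client output).
extract_pem_blocks() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {p=0}'
}

# Print the Nth PEM block from stdin (1 = leaf, 2 = first intermediate in s_client output).
nth_pem_block() {
    extract_pem_blocks | awk -v want="$1" '/-----BEGIN CERTIFICATE-----/ {n++} n == want'
}

# Number of certificates in a bundle file (0 if the file does not exist).
count_pem_blocks() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Base64 body of the single PEM block on stdin, armour lines and whitespace removed.
pem_body() {
    grep -v -- '-----' | tr -cd 'A-Za-z0-9+/='
}

# Exit 0 if bundle "$1" already contains a block whose body equals the one on stdin.
bundle_has_cert() {
    body=$(pem_body)
    [ -n "$body" ] && [ -f "$1" ] || return 1
    awk -v want="$body" '
        /-----BEGIN CERTIFICATE-----/ { b = ""; next }
        /-----END CERTIFICATE-----/   { if (b == want) { found = 1; exit }; next }
        { gsub(/[^A-Za-z0-9+\/=]/, ""); b = b $0 }
        END { exit found ? 0 : 1 }' "$1"
}

# Append the single PEM certificate on stdin to bundle "$1" unless it is already there.
append_if_missing() {
    bundle=$1
    cert=$(extract_pem_blocks)
    [ -n "$cert" ] || { echo "no PEM certificate on stdin" >&2; return 1; }
    if printf '%s\n' "$cert" | bundle_has_cert "$bundle"; then
        echo "already present: $bundle"
        return 0
    fi
    printf '%s\n' "$cert" >> "$bundle"
    echo "appended to: $bundle"
}

# Live check (needs network and openssl; not exercised by the self-test): print the
# served chain and the verification result against bundle "$2". SNI is set explicitly
# because the resolver may serve several names from one address.
fetch_dot_chain() {
    openssl s_client -connect "$1:853" -servername "$1" -showcerts \
        -CAfile "$2" </dev/null 2>/dev/null
}

# Self-test on a constructed placeholder block (NOT a real certificate: the body is
# arbitrary base64 text). Appending it twice must leave exactly one copy.
selftest() {
    tmp=$(mktemp)
    fake='-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgY2VydGlmaWNhdGU=
-----END CERTIFICATE-----'
    printf '%s\n' "$fake" | append_if_missing "$tmp" >/dev/null
    printf '%s\n' "$fake" | append_if_missing "$tmp" >/dev/null
    count_pem_blocks "$tmp"
    rm -f "$tmp"
}

# Usage on the router once these functions are sourced:
#   fetch_dot_chain freedns.controld.com /etc/ssl/ca-bundle.crt > /tmp/chain.txt
#   grep 'Verify return code' /tmp/chain.txt   # "0 (ok)" means the stock bundle is enough
#   nth_pem_block 2 < /tmp/chain.txt | openssl x509 -noout -subject -issuer
#   nth_pem_block 2 < /tmp/chain.txt | append_if_missing /jffs/ssl/ca-bundle.crt
#   fetch_dot_chain freedns.controld.com /jffs/ssl/ca-bundle.crt | grep 'Verify return code'
```

Two things worth checking before appending anything: openssl builds the chain from what the server sends plus the bundle and still needs the self-signed root in the bundle, so look at the issuer that `openssl x509` prints for the intermediate and confirm that root is present (otherwise the root has to be added as well, obtained from the CA out of band); and compare the subject you see with the one you expect for the resolver before trusting a block copied off the wire.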
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Feb 01, 2023 21:10 Post subject:
To use SmartDNS servers, you must not have other DNS settings anywhere else...as it gets messy...
You'd better use the option Use Additional Servers Only to ignore all other DNS settings you have, and the router will use SmartDNS servers only...
You probably didn't read the last page of SmartDNS WIP, where I presumed the necessary settings for SmartDNS to work..
This is the correct format to spell DoH and DoT servers there..
check with this command
tcpdump -n -i eth0 'port 853'
or
tcpdump -n -i eth0 'port 443'
Also, if you have DoT and DoH, SmartDNS will query the fastest and will use it with priority, so try with only one to find out if it's working as intended and then add the other..in general I prefer either one or the other (DoH vs DoT)
You don't need this line at all
server=/freedns.controld.com/8.8.8.8
Also, as KP-69 noted, check your browser, if it's using DoH by default, and stop it..
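A more systematic way to read the tcpdump check egc describes above, as an added example that is not code from the thread, SmartDNS or DD-WRT: a small awk summary over `tcpdump -n` output that counts packets sent to port 53, 853 and 443 and flags any plaintext DNS still leaving the WAN. The lines in `sample_capture` are constructed for this example (documentation addresses from 192.0.2.0/24 and 198.51.100.0/24, not real hosts); eth1 as the WAN interface follows the thread.

```shell
#!/bin/sh
# Added example (not from the thread, SmartDNS or DD-WRT): summarise a WAN-side
# `tcpdump -n` capture by destination port, so that encrypted DNS (853) and any
# plaintext DNS still leaving on port 53 can be told apart at a glance.
# Assumes the default tcpdump text format "time IP src.port > dst.port: ..." (IPv4).
set -u

# Count packets by destination port 53/853/443 from tcpdump -n lines on stdin.
# IPv6 lines ("IP6") are skipped because their address/port format differs.
summarize_dns_flows() {
    awk '
        BEGIN { c["53"] = 0; c["853"] = 0; c["443"] = 0 }
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)   # "198.51.100.7.853:" -> "198.51.100.7.853"
            n = split(dst, p, ".")          # last dotted field is the port
            port = p[n]
            if (port in c) c[port]++
        }
        END { printf "53=%d 853=%d 443=%d\n", c["53"], c["853"], c["443"] }'
}

# Exit 0 when at least one packet was sent to port 53, i.e. plaintext DNS is
# still leaving the WAN; exit 1 when only encrypted transports were seen.
has_plaintext_dns() {
    case "$(summarize_dns_flows)" in
        "53=0 "*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Constructed sample lines (documentation addresses, not real hosts): a DoT
# handshake to port 853, two plaintext A/AAAA queries to port 53, one HTTPS SYN.
sample_capture() {
    cat <<'EOF'
20:55:01.100001 IP 192.0.2.10.51234 > 198.51.100.7.853: Flags [S], seq 1000, win 64240, length 0
20:55:01.120002 IP 198.51.100.7.853 > 192.0.2.10.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
20:55:01.120500 IP 192.0.2.10.51234 > 198.51.100.7.853: Flags [P.], seq 1001:1200, ack 2001, win 64240, length 199
20:55:02.000001 IP 192.0.2.10.40001 > 198.51.100.9.53: 12345+ A? example.com. (29)
20:55:02.300001 IP 192.0.2.10.40002 > 198.51.100.9.53: 12346+ AAAA? example.com. (29)
20:55:03.000001 IP 192.0.2.10.40003 > 198.51.100.20.443: Flags [S], seq 3000, win 64240, length 0
EOF
}

# Live usage on the router (eth1 is the WAN on the WRT1900AC per the thread);
# -l line-buffers the output and timeout ends the capture after 30 seconds:
#   timeout 30 tcpdump -l -n -i eth1 'port 53 or port 853' 2>/dev/null | summarize_dns_flows
#   timeout 30 tcpdump -l -n -i eth1 'port 53' 2>/dev/null | has_plaintext_dns \
#       && echo "plaintext DNS is still leaving the WAN"
```

The meaningful signal for a DoT-only setup is traffic on 853 with nothing on 53; the 443 count also includes ordinary HTTPS, so DoH cannot be told apart from browsing by port alone. The local capture is the authoritative check here, since a third-party test page can only report how queries reached that page's own resolver.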
I commented the last line to restrict to DOT for testing. Verified that Use Additional Servers Only is checked in the GUI, although I question whether it does anything since my smartdns.conf is in /jffs.
Ran the command
Code:
tcpdump -n -i eth1 'port 853'
(on the WRT1900AC, eth1 is the WAN)
Still seeing the same traffic on 853, still getting a NO on Cloudflare.
Tried latest Firefox and Waterfox, both with DOH unchecked.