This article relies on the following skills:
Use split-DNS mode to provide DoT for LAN clients and plain DNS for the local system. This method should be sufficient to enforce DoT and prevent DNS leaks for LAN clients.
Install Stubby to encrypt DNS traffic. Enable split-DNS mode. Configure Dnsmasq to forward DNS queries to Stubby.
# Install Stubby
opkg update
opkg install stubby

# Split-DNS mode: dnsmasq ignores resolv.conf and forwards only to the servers listed below
uci set dhcp.@dnsmasq[0].noresolv="1"

# Register every Stubby listener as a dnsmasq upstream
# (Stubby writes listeners as ip@port, dnsmasq expects ip#port)
uci get stubby.global.listen_address \
| sed -e "s/\s/\n/g;s/@/#/g" \
| while read STUBBY_SERV
do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
done
uci commit dhcp
service dnsmasq restart
Verify your DNS-Provider has changed. Test DNSSEC-Validation.
Make sure there are no ISP DNS-servers in the DNS-Leak test results.
Collect and analyze the following information.
# Restart the services
service log restart; service stubby restart; service dnsmasq restart

# Log and status
logread -e dnsmasq; netstat -l -n -p | grep dnsmasq
logread -e stubby; netstat -l -n -p | grep stubby

# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a stubby

# Persistent configuration
uci show dhcp; uci show stubby
Stubby uses Cloudflare by default. You can change it to another DNS provider; the example below switches to Google Public DNS.
# Remove all existing resolvers
while uci -q delete stubby.@resolver[-1]; do :; done

# Add the new resolvers; tls_auth_name is the name Stubby verifies on the server certificate
uci add stubby resolver
uci set stubby.@resolver[-1].address="2001:4860:4860::8888"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci add stubby resolver
uci set stubby.@resolver[-1].address="2001:4860:4860::8844"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci add stubby resolver
uci set stubby.@resolver[-1].address="8.8.8.8"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci add stubby resolver
uci set stubby.@resolver[-1].address="8.8.4.4"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci commit stubby
service stubby restart
Enforce DNSSEC validation if your DNS provider does not support it, or if you want to perform the validation yourself. Expect a performance cost.
# Let dnsmasq pass the upstream's DNSSEC status (AD bit) through to clients
uci set dhcp.@dnsmasq[0].proxydnssec="1"
uci commit dhcp
service dnsmasq restart

# Let Stubby validate DNSSEC itself; it needs a writable directory for trust-anchor data
uci set stubby.global.appdata_dir="/tmp/stubby"
uci set stubby.global.dnssec_return_status="1"
uci commit stubby
service stubby restart
Intercept DNS traffic from LAN clients and redirect it to the router, overriding any DNS server configured on the clients themselves.
# Redirect all port-53 traffic from the LAN zone to the router (DNAT with no dest_ip targets the router itself)
uci add firewall redirect
uci set firewall.@redirect[-1].name="Intercept-DNS"
uci set firewall.@redirect[-1].src="lan"
uci set firewall.@redirect[-1].src_dport="53"
uci set firewall.@redirect[-1].proto="tcpudp"
uci set firewall.@redirect[-1].target="DNAT"
uci commit firewall
service firewall restart
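As an added example (not part of this page or the Stubby/OpenWrt projects), a Python audit that reads the output of `uci show dhcp; uci show stubby; uci show firewall` from a router and checks the invariants of the recipe above: noresolv is set, every plain dnsmasq upstream is a Stubby listener (ip@port written as ip#port), domain-specific plain-DNS exceptions are reported, and a port-53 redirect exists. The sample dumps are constructed, not captured from a real device.

```python
import shlex

def parse_uci_show(dump):
    """Parse `uci show` output into {key: [values]}; list options keep every value."""
    cfg = {}
    for line in dump.splitlines():
        if "=" in line:
            key, raw = line.strip().split("=", 1)
            cfg[key] = shlex.split(raw)  # uci prints each value single-quoted: key='a' 'b'
    return cfg

def stubby_upstreams(cfg):
    """Stubby lists listeners as ip@port; dnsmasq names the same endpoint ip#port."""
    return {a.replace("@", "#") for a in cfg.get("stubby.global.listen_address", [])}

def audit_split_dns(dump):
    """Return findings; an empty list means the split-DNS setup matches the recipe."""
    cfg, findings = parse_uci_show(dump), []
    if cfg.get("dhcp.@dnsmasq[0].noresolv") != ["1"]:
        findings.append("noresolv is not 1: dnsmasq also uses resolv.conf (ISP) resolvers")
    allowed = stubby_upstreams(cfg)
    for server in cfg.get("dhcp.@dnsmasq[0].server", []):
        if server.startswith("/"):  # domain-specific exception, e.g. an NTP pool override
            _, domain, target = server.split("/", 2)
            findings.append(f"plain-DNS exception: {domain} -> {target}")
        elif server not in allowed:
            findings.append(f"upstream {server} is not a Stubby listener: plaintext DNS leak")
    if not any(k.startswith("firewall.@redirect") and k.endswith(".src_dport") and v == ["53"]
               for k, v in cfg.items()):
        findings.append("no port-53 redirect: LAN clients can bypass dnsmasq")
    return findings

# Constructed sample dumps (not captured from a real router).
SAMPLE_OK = """\
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5453' '0::1#5453'
stubby.global.listen_address='127.0.0.1@5453' '0::1@5453'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].target='DNAT'
"""
SAMPLE_LEAK = """\
dhcp.@dnsmasq[0].server='/openwrt.pool.ntp.org/1.1.1.1' '8.8.8.8'
stubby.global.listen_address='127.0.0.1@5453'
"""

if __name__ == "__main__":
    for name, dump in (("ok", SAMPLE_OK), ("leak", SAMPLE_LEAK)):
        print(name, audit_split_dns(dump) or "no findings")
```

On a router, feed it the real dump with `(uci show dhcp; uci show stubby; uci show firewall) > uci.txt` and pass the file contents to `audit_split_dns`.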
Disabling split-DNS mode provides DoT for both LAN clients and the local system, but can lead to DNS leaks.
Preventing DNS leaks requires enforcing DoT, which leads to the following and other similar potential issues:
Disable split-DNS mode and override DoT for the NTP provider, so that the clock can be set over plain DNS before TLS certificates can be validated. Configure an Adblock startup delay so that its list download does not run before DNS is available. Enforce DoT to prevent DNS leaks.
# Disable split-DNS mode
uci delete dhcp.@dnsmasq[0].noresolv

# Resolve the NTP pool domains over plain DNS, directly at the addresses of the last two Stubby resolvers
# (strip the pool index prefix: 0.openwrt.pool.ntp.org -> openwrt.pool.ntp.org)
uci get system.ntp.server \
| sed -e "s/\s/\n/g" \
| sed -e "s/^[0-9]*\.//" \
| sort -u \
| while read NTP_DOMAIN
do uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/$(uci get stubby.@resolver[-2].address)"
uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/$(uci get stubby.@resolver[-1].address)"
done
uci commit dhcp
service dnsmasq restart

# Delay Adblock startup (seconds)
uci set adblock.extra.adb_triggerdelay="30"
uci commit adblock
service adblock restart

# Enforce DoT: ignore the resolvers advertised by the ISP on WAN
uci set network.wan.peerdns="0"
uci delete network.wan.dns
uci set network.wan6.peerdns="0"
uci delete network.wan6.dns
uci commit network
service network reload