DNS over TLS

Introduction

  • This guide describes how to configure OpenWrt to use DNS over TLS (DoT), with Stubby as the encrypting forwarder behind Dnsmasq.
  • DoT encrypts DNS traffic only; use a VPN to protect all traffic.

Goals

  • Encrypt your DNS traffic to improve security and privacy:
    • Prevent DNS data leaks to the ISP and spoofing of DNS replies in transit.
    • Bypass DNS-based content filters and internet censorship.

Requirements

  • OpenWrt 18.06.1
  • Dnsmasq 2.80
  • Stubby 0.2.4

Instructions

1. Preparation

Install OpenWrt and perform initial network and firewall setup.

2. DNS-Services

Use split-DNS mode: LAN clients resolve through Dnsmasq, which forwards only to Stubby over DoT, while the local system (the router itself) keeps using the plain DNS servers obtained from the WAN interface. This is sufficient to enforce DoT and prevent DNS leaks for LAN clients; the router's own lookups stay unencrypted. Setting noresolv stops Dnsmasq from reading the WAN-provided resolvers, so Stubby becomes its only upstream.

Install Stubby to encrypt DNS traffic, enable split-DNS mode, and configure Dnsmasq to forward DNS queries to Stubby's listeners. Stubby's listen_address entries use the address@port form while Dnsmasq's server entries use address#port, hence the substitution below.

opkg update
opkg install stubby
uci set dhcp.@dnsmasq[0].noresolv="1"
uci get stubby.global.listen_address \
| sed -e "s/\s/\n/g;s/@/#/g" \
| while read STUBBY_SERV
do
    uci add_list dhcp.@dnsmasq[0].server="$STUBBY_SERV"
done
uci commit dhcp
service dnsmasq restart
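A quick leak check for the split-DNS setup above, as an added example that is not part of the original page: it converts Stubby's listen_address values into Dnsmasq's server syntax and verifies that every global upstream in dhcp.@dnsmasq[0].server is one of those listeners, reporting anything else as a plain-DNS leak. The data in the block is constructed (Stubby's default listeners and a made-up ISP resolver 192.0.2.53); on a router, call the function on the output of uci get as shown in the trailing comment.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: verify that Dnsmasq
# forwards only to Stubby. Inputs are passed as arguments (the space
# separated form that "uci get" prints for list options) so it runs offline.

# Convert Stubby's listen_address list ("127.0.0.1@5453 0::1@5453") into
# Dnsmasq server syntax ("127.0.0.1#5453", "0::1#5453"), one entry per line.
stubby_listeners_to_dnsmasq() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -e '/^$/d;s/@/#/'
}

# check_upstreams SERVERS LISTENERS
# Return 0 when every global entry of the Dnsmasq server list is a Stubby
# listener. Domain-specific entries ("/example.org/1.1.1.1") are skipped,
# since they are deliberate exceptions. Offending entries are printed and
# the function returns 1: those are plain-DNS upstreams that leak queries.
check_upstreams() {
    allowed=$(stubby_listeners_to_dnsmasq "$2")
    rc=0
    for s in $1; do
        case "$s" in
            /*) continue ;;
        esac
        if ! printf '%s\n' "$allowed" | grep -qxF "$s"; then
            echo "$s"
            rc=1
        fi
    done
    return $rc
}

# Constructed data: Stubby's default listeners, a correct Dnsmasq server
# list, and one that still carries a (made-up) ISP resolver 192.0.2.53.
STUBBY_LISTEN="127.0.0.1@5453 0::1@5453"
GOOD_SERVERS="127.0.0.1#5453 0::1#5453 /openwrt.pool.ntp.org/1.1.1.1"
LEAKY_SERVERS="127.0.0.1#5453 0::1#5453 192.0.2.53"

for list in "$GOOD_SERVERS" "$LEAKY_SERVERS"; do
    if leaks=$(check_upstreams "$list" "$STUBBY_LISTEN"); then
        echo "OK: all global upstreams are Stubby listeners"
    else
        echo "LEAK: plain-DNS upstream(s): $leaks"
    fi
done

# On the router, check the live configuration with:
# check_upstreams "$(uci get dhcp.@dnsmasq[0].server)" "$(uci get stubby.global.listen_address)"
```

The check only covers what Dnsmasq is configured to use; it does not see queries that bypass Dnsmasq, which is what the DNS-Hijacking extra below is for.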

Testing

From a LAN client, verify that your DNS provider has changed and test DNSSEC validation.

Make sure there are no ISP DNS servers in the DNS leak test results. Remember that in split-DNS mode the router's own lookups still go to the ISP servers; only LAN clients are covered.

Troubleshooting

Collect and analyze the following information.

# Restart the services
service log restart; service stubby restart; service dnsmasq restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep dnsmasq
logread -e stubby; netstat -l -n -p | grep stubby
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a stubby
 
# Persistent configuration
uci show dhcp; uci show stubby

Extras

1. DNS-Provider

Stubby uses Cloudflare by default. You can change it to another DNS provider, as in the Google Public DNS example below. The tls_auth_name must match the name in the provider's TLS certificate, otherwise Stubby cannot authenticate the server and resolution fails.

while uci -q delete stubby.@resolver[-1]; do :; done
uci add stubby resolver
uci set stubby.@resolver[-1].address="2001:4860:4860::8888"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci add stubby resolver
uci set stubby.@resolver[-1].address="2001:4860:4860::8844"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci add stubby resolver
uci set stubby.@resolver[-1].address="8.8.8.8"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci add stubby resolver
uci set stubby.@resolver[-1].address="8.8.4.4"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci commit stubby
service stubby restart

2. DNSSEC

Enforce DNSSEC validation if your DNS provider does not support it, or if you want to perform the validation yourself instead of trusting the provider's AD bit. proxydnssec makes Dnsmasq pass the validation status received from Stubby through to LAN clients, dnssec_return_status makes Stubby validate, and appdata_dir gives Stubby a writable directory for its trust anchor data. Beware of performance issues: validation adds extra queries for the DNSKEY/DS chain.

uci set dhcp.@dnsmasq[0].proxydnssec="1"
uci commit dhcp
service dnsmasq restart
uci set stubby.global.appdata_dir="/tmp/stubby"
uci set stubby.global.dnssec_return_status="1"
uci commit stubby
service stubby restart

3. DNS-Hijacking

Intercept plain DNS traffic (port 53, TCP and UDP) from LAN clients and redirect it to the router itself (no dest_ip is set, so the DNAT targets the router), overriding resolver settings configured on the clients. In OpenWrt 18.06 the firewall applies redirects to IPv4 only, and clients that speak DoT or DoH to other servers are not affected because they do not use port 53.

uci add firewall redirect
uci set firewall.@redirect[-1].name="Intercept-DNS"
uci set firewall.@redirect[-1].src="lan"
uci set firewall.@redirect[-1].src_dport="53"
uci set firewall.@redirect[-1].proto="tcpudp"
uci set firewall.@redirect[-1].target="DNAT"
uci commit firewall
service firewall restart

4. DoT for Local System

Disabling split-DNS mode provides DoT for both LAN clients and the local system, but leads to a potential DNS leak: once noresolv is removed, Dnsmasq reads the WAN-provided resolvers again and uses them alongside Stubby.

Preventing the DNS leak requires enforcing DoT (removing the ISP resolvers entirely), which leads to the following and other similar potential issues:

  • Deadlock between the DNS resolver and the NTP client if the system time is not synchronized: Stubby cannot validate the provider's TLS certificate while the clock is wrong, so nothing resolves, and the NTP client cannot resolve its pool hostnames to correct the clock.
  • Race condition for the Adblock service, resulting in a blocklist download failure on system startup because DoT is not usable yet.

Disable split-DNS mode and override DoT for the NTP provider: its hostnames are sent over plain DNS on port 53 to the DoT provider's addresses (the last two resolver entries), so no ISP server is involved. Configure an Adblock startup delay. Enforce DoT to prevent the DNS leak by disabling peerdns on the WAN interfaces, so that no ISP resolvers reach Dnsmasq.

uci delete dhcp.@dnsmasq[0].noresolv
uci get system.ntp.server \
| sed -e "s/\s/\n/g" \
| sed -e "s/^[0-9]*\.//" \
| sort -u \
| while read NTP_DOMAIN
do
    uci add_list dhcp.@dnsmasq[0].server="/$NTP_DOMAIN/$(uci get stubby.@resolver[-2].address)"
    uci add_list dhcp.@dnsmasq[0].server="/$NTP_DOMAIN/$(uci get stubby.@resolver[-1].address)"
done
uci commit dhcp
service dnsmasq restart
 
uci set adblock.extra.adb_triggerdelay="30"
uci commit adblock
service adblock restart
 
uci set network.wan.peerdns="0"
uci delete network.wan.dns
uci set network.wan6.peerdns="0"
uci delete network.wan6.dns
uci commit network
service network reload
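The NTP exception from the step above, as an added example that is not part of the original page: it derives the Dnsmasq "/domain/address" overrides from the system.ntp.server list (stripping the numeric pool prefix and deduplicating) and pairs each domain with the DoT provider's plain-DNS addresses, so the clock can be synchronized before Stubby is able to validate certificates. The data in the block is constructed (OpenWrt's default pool entries and Stubby's default Cloudflare addresses); the trailing comment shows how to feed the live uci values and apply the result.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: derive the Dnsmasq
# "/domain/address" overrides that resolve the NTP pool hostnames over plain
# DNS, so the NTP client can sync the clock before Stubby is able to validate
# TLS certificates (which fails while the system time is wrong).

# ntp_domains SERVERS
# Strip the numeric pool prefix ("0.openwrt.pool.ntp.org" -> "openwrt.pool.ntp.org")
# and deduplicate. SERVERS is the space separated value of system.ntp.server.
ntp_domains() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -e '/^$/d;s/^[0-9]*\.//' | sort -u
}

# ntp_overrides SERVERS RESOLVERS
# Emit one Dnsmasq server entry per (domain, resolver) pair. RESOLVERS are
# the plain-DNS (port 53) addresses of the DoT provider, e.g. the last two
# stubby.@resolver entries, so the exception never touches an ISP server.
ntp_overrides() {
    for d in $(ntp_domains "$1"); do
        for r in $2; do
            printf '/%s/%s\n' "$d" "$r"
        done
    done
}

# Constructed data: OpenWrt's default NTP pool entries and Stubby's default
# Cloudflare resolver addresses.
NTP_SERVERS="0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org 2.openwrt.pool.ntp.org 3.openwrt.pool.ntp.org"
RESOLVERS="1.1.1.1 1.0.0.1"

ntp_overrides "$NTP_SERVERS" "$RESOLVERS"

# On the router, apply the overrides with:
# ntp_overrides "$(uci get system.ntp.server)" \
#     "$(uci get stubby.@resolver[-2].address) $(uci get stubby.@resolver[-1].address)" \
# | while read ENTRY; do uci add_list dhcp.@dnsmasq[0].server="$ENTRY"; done
# uci commit dhcp; service dnsmasq restart
```

Only the NTP hostnames bypass DoT, and only towards the same provider, so this is the smallest exception that breaks the deadlock; if you change the NTP servers in system.ntp.server later, regenerate the entries.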
docs/guide-user/services/dns/dot.txt · Last modified: 2019/02/16 18:41 by vgaetera