Show pagesourceOld revisionsBacklinksBack to top × Table of Contents DoT with Dnsmasq and Stubby Introduction Goals Command-line instructions Testing Alternate Testing sites Troubleshooting Extras Web interface DoT provider DNSSEC validation DoT with Dnsmasq and Stubby This article relies on the following: Accessing web interface / command-line interface Managing configs / packages / services / logs Introduction This how-to describes the method for setting up DNS over TLS on OpenWrt. It relies on Dnsmasq and Stubby for resource efficiency and performance. Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic. Goals Encrypt your DNS traffic improving security and privacy. Prevent DNS leaks and DNS hijacking. Bypass regional restrictions using public DNS providers. Escape DNS-based content filters and internet censorship. Command-line instructions Install the required packages. Enable DNS encryption. # Install packages opkg update opkg install stubby # Enable DNS encryption service dnsmasq stop uci set dhcp.@dnsmasq[0].noresolv="1" uci set dhcp.@dnsmasq[0].localuse="1" uci -q delete dhcp.@dnsmasq[0].server uci -q get stubby.global.listen_address \ | sed -e "s/\s/\n/g;s/@/#/g" \ | while read -r STUBBY_SERV do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}" done uci commit dhcp service dnsmasq start LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to Stubby which encrypts DNS traffic. Testing Verify domain name resolution with nslookup. nslookup openwrt.org localhost Check your DNS provider and test DNSSEC validation. dnsleaktest.com dnssec-tools.org/test Alternate Testing sites https://www.cloudflare.com/ssl/encrypted-sni/ https://1.1.1.1/help Troubleshooting Collect and analyze the following information. # Restart services service log restart; service dnsmasq restart; service stubby restart # Log and status logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e stubby; netstat -l -n -p | grep -e stubby # Runtime configuration pgrep -f -a dnsmasq; pgrep -f -a stubby head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* # Persistent configuration uci show dhcp; uci show stubby Extras Web interface If you want to manage the settings using web interface. Navigate to LuCI → Network → DHCP and DNS to configure Dnsmasq. DoT provider Stubby is configured with Cloudflare DNS by default. You can change it to Google DNS or any other DoT provider including your own DoT server with Nginx. Use resolvers supporting DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance. # Configure DoT provider while uci -q delete stubby.@resolver[0]; do :; done uci add stubby resolver uci set stubby.@resolver[-1].address="2001:4860:4860::8888" uci set stubby.@resolver[-1].tls_auth_name="dns.google" uci add stubby resolver uci set stubby.@resolver[-1].address="2001:4860:4860::8844" uci set stubby.@resolver[-1].tls_auth_name="dns.google" uci add stubby resolver uci set stubby.@resolver[-1].address="8.8.8.8" uci set stubby.@resolver[-1].tls_auth_name="dns.google" uci add stubby resolver uci set stubby.@resolver[-1].address="8.8.4.4" uci set stubby.@resolver[-1].tls_auth_name="dns.google" uci commit stubby service stubby restart DNSSEC validation Enforce DNSSEC validation if your DNS provider does not support it, or you want to perform the validation yourself. Beware of fault tolerance and performance issues. # Enforce DNSSEC validation uci set dhcp.@dnsmasq[0].proxydnssec="1" uci commit dhcp service dnsmasq restart uci set stubby.global.appdata_dir="/tmp/stubby" uci set stubby.global.dnssec_return_status="1" uci commit stubby service stubby restart This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2023/10/14 01:27by vgaetera