DoT with Dnsmasq and Stubby

This article relies on the following:

Introduction

  • This how-to describes the method for setting up DNS over TLS on OpenWrt.
  • It relies on Dnsmasq and Stubby for resource efficiency and performance.
  • Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic.

Goals

  • Encrypt your DNS traffic improving security and privacy.
    • Prevent DNS leaks and DNS hijacking.
  • Bypass regional restrictions using public DNS providers.
    • Escape DNS-based content filters and internet censorship.

Luci web-interface Instructions

Navigate to System → Software. Tap 'Update Lists', and under 'Filter' enter 'stubby'. Tap the 'Install...' button. There is no Luci plug-in for Stubby. Fortunately, it requires very little effort to simply get it running.

Navigate to Network → Interfaces. Tap 'Edit' next to LAN. 'Advanced Settings', 'Use custom DNS servers': '127.0.0.1', tap '+', and add '0::1' as a second one. 'DNS Weight': '20'. 'Save'.

Tap 'Edit' next to WAN. If you want the router itself to use alternate DNS, uncheck 'Use DNS servers advertised by peer', and put in e.g. '1.1.1.1'. Otherwise, leave this to resolve to your provider's DNS. Trying to resolve through stubby, before stubby is running properly during boot, can cause problems. Set the 'DNS Weight' to some high number, low-priority, like '50'. 'Save'.

Tap 'Edit' next to WAN6. Do the same as for WAN, but since this is the IPv6 interface, use a DNS of e.g. '2606:4700:4700::1111', if not using the provider's DNS, and similar low-priority 'DNS Weight' of e.g. 55. 'Save'

Navigate to Network → DHCP and DNS → Forwards. 'DNS Forwards': '0::1#5453' tap '+' and add '127.0.0.1#5453', tap 'Save'. Go to the 'Resolve & Host File' tab. Check 'Ignore resolv file' & 'Strict order', 'Save'.

'Save & Apply'. Stubby should be running now.

There are a few tweaks that can only be done by editing the /etc/config/stubby and /etc/config/dhcp. See below sections.

Command-line instructions

1.) Install the required packages: 

opkg update
opkg install stubby

2.) Enable DNS encryption: 

service dnsmasq stop
uci set dhcp.@dnsmasq[0].noresolv="1"
uci -q delete dhcp.@dnsmasq[0].server
uci -q get stubby.global.listen_address \
| sed -e "s/\s/\n/g;s/@/#/g" \
| while read -r STUBBY_SERV
do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
done

3.) Disable local use of dnsmasq/stubby: It is not possible for Stubby to be UP during boot or just right after boot, without additional configuration, because of the race condition with SYSNTPd service. race_conditions_with_sysntpd 

uci set dhcp.@dnsmasq[0].localuse="0"

4.) Commit changes: 

uci commit dhcp
service dnsmasq start

LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to Stubby which encrypts DNS traffic.

Testing

Verify domain name resolution with nslookup: 

nslookup openwrt.org localhost

To check your DNS provider, you can use:

DNS Leak Test and DNSSEC Test:

Alternative test via CLI: * check connection to Quad9 DNS (it require to use Quad9 DNS servers): 

dig +short txt proto.on.quad9.net.
# should print: doh. or dot.

* check connection to NextDNS (it require to use NextDNS DNS servers): 

curl -SL https://test.nextdns.io/
{
        "status": "ok",
        "protocol": "DOT",
        "profile": "SOMEPROFILE",
        "client": "80.XXX.XXX.XXX",
        "srcIP": "80.XXX.XXX.XXX",
        "destIP": "XX.XX.28.0",
        "anycast": true,
        "server": "zepto-ber-1",
        "clientName": "unknown-dot"
}

Alternate Testing sites

Troubleshooting

Collect and analyze the following information. 

# Restart services
service log restart; service dnsmasq restart; service stubby restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e stubby; netstat -l -n -p | grep -e stubby
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a stubby
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
 
# Persistent configuration
uci show dhcp; uci show stubby

Extras

DoT provider

Stubby is configured with Cloudflare DNS by default. You can change it to Google DNS or any other DoT provider including your own DoT server with Nginx. Use resolvers supporting DNSSEC validation if necessary. Specify several resolvers to improve fault tolerance. 

# Configure DoT provider
while uci -q delete stubby.@resolver[0]; do :; done
uci add stubby resolver
uci set stubby.@resolver[-1].address="2001:4860:4860::8888"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci add stubby resolver
uci set stubby.@resolver[-1].address="2001:4860:4860::8844"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci add stubby resolver
uci set stubby.@resolver[-1].address="8.8.8.8"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci add stubby resolver
uci set stubby.@resolver[-1].address="8.8.4.4"
uci set stubby.@resolver[-1].tls_auth_name="dns.google"
uci commit stubby
service stubby restart

DNSSEC validation

Enforce DNSSEC validation if your DNS provider does not support it, or you want to perform the validation yourself. Beware of fault tolerance and performance issues. 

uci set dhcp.@dnsmasq[0].proxydnssec="1"
uci commit dhcp
service dnsmasq restart
uci set stubby.global.appdata_dir="/tmp/stubby"
uci set stubby.global.dnssec_return_status="1"
uci commit stubby
service stubby restart
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/06/13 19:04
  • by dnominated