DoT with Dnsmasq and Stubby

  • This how-to describes the method for setting up DNS over TLS on OpenWrt.
  • It relies on Dnsmasq and Stubby for resource efficiency and performance.
  • Follow DNS hijacking to intercept DNS traffic or use VPN to protect all traffic.
  • Encrypt your DNS traffic improving security and privacy.
    • Prevent DNS leak and DNS hijacking.
  • Bypass regional restrictions using public DNS providers.
    • Escape DNS-based content filters and internet censorship.

Install the packages and configure DNS encryption.

# Install packages
opkg update
opkg install dnsmasq stubby
 
# Enable DNS encryption
uci -q delete dhcp.@dnsmasq[0].server
uci get stubby.global.listen_address \
| sed -e "s/\s/\n/g;s/@/#/g" \
| while read -r STUBBY_SERV
do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
done
 
# Enforce DNS encryption for LAN clients
/etc/init.d/dnsmasq stop
uci set dhcp.@dnsmasq[0].noresolv="1"
uci commit dhcp
/etc/init.d/dnsmasq start

LAN clients should use Dnsmasq as a primary resolver. Dnsmasq forwards DNS queries to Stubby which encrypts DNS traffic.

Verify that domain name resolution works.

nslookup openwrt.org localhost

Check your DNS provider. Make sure there is no DNS leak.

Test DNSSEC validation.

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/stubby restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e stubby; netstat -l -n -p | grep -e stubby
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a stubby
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
 
# Persistent configuration
uci show dhcp; uci show stubby

If you want to manage the settings using web interface.

Navigate to LuCI → Network → DHCP and DNS to configure Dnsmasq.

Stubby is configured with Cloudflare DNS by default. You can change it to Google DNS or any other DoT provider including your own DoT server with Nginx. Make sure the resolvers support DNSSEC validation if required. Specify several resolvers to improve fault tolerance.

# Configure DoT provider
while uci -q delete stubby.@resolver[0]; do :; done
uci set stubby.dns6a="resolver"
uci set stubby.dns6a.address="2001:4860:4860::8888"
uci set stubby.dns6a.tls_auth_name="dns.google"
uci set stubby.dns6b="resolver"
uci set stubby.dns6b.address="2001:4860:4860::8844"
uci set stubby.dns6b.tls_auth_name="dns.google"
uci set stubby.dnsa="resolver"
uci set stubby.dnsa.address="8.8.8.8"
uci set stubby.dnsa.tls_auth_name="dns.google"
uci set stubby.dnsb="resolver"
uci set stubby.dnsb.address="8.8.4.4"
uci set stubby.dnsb.tls_auth_name="dns.google"
uci commit stubby
/etc/init.d/stubby restart

Enforce DNSSEC validation if your DNS provider does not support it, or you want to perform the validation yourself. Beware of fault tolerance and performance issues.

# Enforce DNSSEC validation
uci set dhcp.@dnsmasq[0].proxydnssec="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
uci set stubby.global.appdata_dir="/tmp/stubby"
uci set stubby.global.dnssec_return_status="1"
uci commit stubby
/etc/init.d/stubby restart
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/03/21 07:49
  • by vgaetera