User Tools

Site Tools


docs:guide-user:services:dns:dot_dnsmasq_stubby

DNS over TLS with Dnsmasq and Stubby

Introduction

  • This how-to describes the method for setting up DNS over TLS on OpenWrt.
  • It relies on Dnsmasq and Stubby for resource efficiency and performance.
  • Follow DNS encryption for alternative methods or use VPN to protect all traffic.

Goals

  • Encrypt your DNS traffic improving security and privacy.
    • Prevent DNS leak and DNS hijacking.
  • Bypass regional restrictions using public DNS providers.
    • Escape DNS-based content filters and internet censorship.

Instructions

Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data.

Use Stubby to encrypt DNS traffic. Configure Dnsmasq to forward DNS queries to Stubby. Enforce DNS encryption for LAN clients to avoid DNS leak.

# Install packages
opkg update
opkg install dnsmasq stubby
 
# Enable DNS encryption
uci -q delete dhcp.@dnsmasq[0].server
uci get stubby.global.listen_address \
| sed -e "s/\s/\n/g;s/@/#/g" \
| while read -r STUBBY_SERV
do
uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
done
 
# Enforce DNS encryption for LAN clients
uci set dhcp.@dnsmasq[0].noresolv="1"
uci commit dhcp
/etc/init.d/dnsmasq restart

Testing

Verify that domain name resolution works.

nslookup openwrt.org localhost

Check your DNS provider. Make sure there is no DNS leak.

Test DNSSEC validation.

Troubleshooting

Collect and analyze the following information.

# Restart the services
/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/stubby restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e stubby; netstat -l -n -p | grep -e stubby
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a stubby
 
# Persistent configuration
uci show dhcp; uci show stubby

Extras

Web interface

If you want to manage the settings via web interface.

Navigate to LuCI → Network → DHCP and DNS to configure Dnsmasq.

DoT provider

Stubby is configured with Cloudflare DNS by default. You can change it to another DoT provider. Make sure selected provider supports DNSSEC validation if required. Specify several servers to improve fault tolerance.

# Configure DoT provider
while uci -q delete stubby.@resolver[0]; do :; done
uci set stubby.dns6a="resolver"
uci set stubby.dns6a.address="2001:4860:4860::8888"
uci set stubby.dns6a.tls_auth_name="dns.google"
uci set stubby.dns6b="resolver"
uci set stubby.dns6b.address="2001:4860:4860::8844"
uci set stubby.dns6b.tls_auth_name="dns.google"
uci set stubby.dnsa="resolver"
uci set stubby.dnsa.address="8.8.8.8"
uci set stubby.dnsa.tls_auth_name="dns.google"
uci set stubby.dnsb="resolver"
uci set stubby.dnsb.address="8.8.4.4"
uci set stubby.dnsb.tls_auth_name="dns.google"
uci commit stubby
/etc/init.d/stubby restart

DNSSEC validation

Enforce DNSSEC validation if your DNS provider does not support it, or you want to perform the validation yourself. Beware of performance issues.

# Enforce DNSSEC validation
uci set dhcp.@dnsmasq[0].proxydnssec="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
uci set stubby.global.appdata_dir="/tmp/stubby"
uci set stubby.global.dnssec_return_status="1"
uci commit stubby
/etc/init.d/stubby restart

Local system

Local system does not use Dnsmasq as a primary resolver when DNS encryption is enabled. Enforce Dnsmasq as a primary resolver to provide DNS encryption for local system. Bypass DNS encryption for NTP provider to avoid deadlock state when system time is not synchronized. Beware of race condition with Adblock service.

# Enforce DNS encryption for local system
uci set dhcp.@dnsmasq[0].localuse="1"
 
# Fetch DNS provider
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_find_wan6 NET_IF6
network_get_dnsserver NET_DNS "${NET_IF}"
network_get_dnsserver NET_DNS6 "${NET_IF6}"
 
# Bypass DNS encryption for NTP provider
uci get system.ntp.server \
| sed -e "s/\s/\n/g" \
| sed -e "s/^[0-9]*\.//" \
| sort -u \
| while read -r NTP_DOMAIN
do
uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${NET_DNS%% *}"
uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${NET_DNS6%% *}"
done
uci commit dhcp
/etc/init.d/dnsmasq restart
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/services/dns/dot_dnsmasq_stubby.txt · Last modified: 2019/10/03 23:40 by vgaetera