Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:dot_dnsmasq_stubby [2019/04/20 10:10] – split from docs:guide-user:services:dns:encrypt vgaeteradocs:guide-user:services:dns:dot_dnsmasq_stubby [2024/04/15 19:55] – [Command-line instructions] Add user guide reference. jbrossard
Line 1: Line 1:
-====== DNS over HTTPS via Dnsmasq and https-dns-proxy ====== +====== DoT with Dnsmasq and Stubby ====== 
-{{page>meta:infobox:cli_setup&noheader&nofooter&noeditbtn}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This guide describes how to configure OpenWrt to protect your DNS traffic+  * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt
-  * It utilizes [[wp>DNS_over_HTTPS|DNS over HTTPS]] to provide DNS encryption+  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:services:dns:stubby|Stubby]] for resource efficiency and performance
-  * DNS encryption is limited to DNS trafficuse [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-This method utilizes DoT and maintains a balance between resource efficiency and performance. +Install the required packages
- +Enable DNS encryption.
-Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data. +
- +
-Use [[docs:guide-user:services:dns:stubby|Stubby]] to encrypt DNS traffic. +
-Configure [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] to forward DNS queries to Stubby. +
-Enforce DNS encryption for LAN clients to prevent DNS leak.+
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq stubby+opkg install stubby
  
 # Enable DNS encryption # Enable DNS encryption
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
-uci get stubby.global.listen_address \+uci -q get stubby.global.listen_address \
 | sed -e "s/\s/\n/g;s/@/#/g" \ | sed -e "s/\s/\n/g;s/@/#/g" \
-| while read STUBBY_SERV +| while read -r STUBBY_SERV 
-do +do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
-uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"+
 done done
  
-Enforce DNS encryption for LAN clients +Disable local use of dnsmasq/stubby. It is not possible for Stubby 
-uci set dhcp.@dnsmasq[0].noresolv="1"+# to be UP during boot or just right after boot because of the race 
 +# condition with SYSNTPd service. 
 +# [[:docs:guide-user:base-system:dhcp_configuration#race_conditions_with_sysntpd]] 
 +uci set dhcp.@dnsmasq[0].localuse="0" 
 uci commit dhcp uci commit dhcp
-service dnsmasq restart+service dnsmasq start
 </code> </code>
 +
 +LAN clients should use Dnsmasq as a primary resolver.
 +Dnsmasq forwards DNS queries to Stubby which encrypts DNS traffic.
  
 ===== Testing ===== ===== Testing =====
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} 
 + 
 +===== Alternate Testing sites ===== 
 +  * https://www.cloudflare.com/ssl/encrypted-sni/ 
 +  * https://1.1.1.1/help
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
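Review bot: the new comment line introducing the `localuse` step is missing its leading `#`: `Disable local use of dnsmasq/stubby. It is not possible for Stubby` sits inside `<code bash>` as bare text while the three lines after it (`# to be UP during boot ...`, `# condition with SYSNTPd service.`, `# [[:docs:guide-user:base-system:dhcp_configuration#race_conditions_with_sysntpd]]`) are commented, so pasting the block into a shell aborts at that line; prefix it with `# `. Separately, `uci set dhcp.@dnsmasq[0].localuse="0"` means the router's own lookups no longer pass through Dnsmasq and Stubby and so leave the device unencrypted; the removed sentence "Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data" was the only place this consequence was stated, and the new text should keep that caveat next to the `localuse` setting rather than only citing the SYSNTPd race condition. The rewritten loop (`while read -r STUBBY_SERV` with `do uci add_list ...` on one line) is a good fix: `-r` stops backslash handling and the `@`-to-`#` `sed` turns Stubby's `address@port` into Dnsmasq's `address#port` server syntax, so it would help the reader to say so in the `# Enable DNS encryption` comment.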
Line 46: Line 53:
  
 <code bash> <code bash>
-# Restart the services+# Restart services
 service log restart; service dnsmasq restart; service stubby restart service log restart; service dnsmasq restart; service stubby restart
  
Line 55: Line 62:
 # Runtime configuration # Runtime configuration
 pgrep -f -a dnsmasq; pgrep -f -a stubby pgrep -f -a dnsmasq; pgrep -f -a stubby
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
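Review bot: the added `head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*` line carries no comment saying what the reader should look for. Since the guide sets `localuse="0"`, state what the expected contents are (whether `/etc/resolv.conf` should name `127.0.0.1` or the upstream resolvers) so a correct setup can be told from a broken one, and note that `-n -0` is the negative-count form meaning "print every line" rather than a typo for `-n 0`.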
Line 61: Line 69:
  
 ===== Extras ===== ===== Extras =====
 +==== Web interface ====
 +If you want to manage the settings using web interface.
 +
 +Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq.
 +
 ==== DoT provider ==== ==== DoT provider ====
-Stubby uses Cloudflare DNS by default. +Stubby is configured with Cloudflare DNS by default. 
-You can change it to another [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
-while uci -q delete stubby.@resolver[-1]; do :; done +while uci -q delete stubby.@resolver[0]; do :; done 
-uci set stubby.dns6a="resolver" +uci add stubby resolver 
-uci set stubby.dns6a.address="2001:4860:4860::8888" +uci set stubby.@resolver[-1].address="2001:4860:4860::8888" 
-uci set stubby.dns6a.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dns6b="resolver" +uci add stubby resolver 
-uci set stubby.dns6b.address="2001:4860:4860::8844" +uci set stubby.@resolver[-1].address="2001:4860:4860::8844" 
-uci set stubby.dns6b.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsa="resolver" +uci add stubby resolver 
-uci set stubby.dnsa.address="8.8.8.8" +uci set stubby.@resolver[-1].address="8.8.8.8" 
-uci set stubby.dnsa.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsb="resolver" +uci add stubby resolver 
-uci set stubby.dnsb.address="8.8.4.4" +uci set stubby.@resolver[-1].address="8.8.4.4" 
-uci set stubby.dnsb.tls_auth_name="dns.google"+uci set stubby.@resolver[-1].tls_auth_name="dns.google"
 uci commit stubby uci commit stubby
 service stubby restart service stubby restart
 </code> </code>
  
-==== Local system DNS via Dnsmasq ==== +==== DNSSEC validation ==== 
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#local_system_dns_via_dnsmasq&noheader&nofooter&noeditbutton}}+Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. 
 +Beware of fault tolerance and performance issues.
  
-{{tag>How-to DNS DoT}}+<code bash> 
 +# Enforce DNSSEC validation 
 +uci set dhcp.@dnsmasq[0].proxydnssec="1" 
 +uci commit dhcp 
 +service dnsmasq restart 
 +uci set stubby.global.appdata_dir="/tmp/stubby" 
 +uci set stubby.global.dnssec_return_status="1" 
 +uci commit stubby 
 +service stubby restart 
 +</code>
  
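Review bot: the new DNSSEC section says the reader may want to "perform the validation yourself", but `uci set dhcp.@dnsmasq[0].proxydnssec="1"` does not make Dnsmasq validate anything; dnsmasq's proxy-dnssec only copies the Authenticated Data bit from its upstream to clients, so in this block the validation is done by Stubby through `dnssec_return_status="1"`, and the text should say that explicitly and add that the copied AD bit is only trustworthy because the Dnsmasq-to-Stubby hop stays on the loopback listen address configured earlier. `uci set stubby.global.appdata_dir="/tmp/stubby"` is set with no comment on why a writable directory is needed for validation; add one line. Minor ordering point: the block commits and restarts dnsmasq before Stubby is reconfigured; committing both and restarting both at the end reads more clearly. In the DoT provider block, deleting from `@resolver[0]` instead of `@resolver[-1]` and adding anonymous sections with `uci add stubby resolver` both work, but since the entries no longer have the `dns6a`/`dnsb` names, the sentence "Specify several resolvers to improve fault tolerance." should say that order of the `uci add` calls is the order Stubby will try them.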
  • Last modified: 2024/06/13 19:04
  • by dnominated