| docs:guide-user:services:dns:dot_dnsmasq_stubby [2019/04/20 11:13] – [Instructions] des vgaetera | docs:guide-user:services:dns:dot_dnsmasq_stubby [2024/04/15 19:55] – [Command-line instructions] Add user guide reference. jbrossard | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | {{page> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | * This guide describes | + | * This how-to describes the method for setting up [[wp> |
| - | * It utilizes | + | * It relies on [[docs: |
| - | * DNS encryption is limited | + | * Follow [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
| - | {{section> | + | {{section> |
| - | ===== Instructions | + | ===== Command-line instructions |
| - | This method utilizes DoT via [[docs: | + | Install the required packages. |
| - | + | Enable DNS encryption. | |
| - | Enable | + | |
| - | + | ||
| - | Use Stubby to encrypt DNS traffic. | + | |
| - | Configure Dnsmasq to forward DNS queries to Stubby. | + | |
| - | Enforce | + | |
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install | + | opkg install stubby |
| # Enable DNS encryption | # Enable DNS encryption | ||
| + | service dnsmasq stop | ||
| + | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| uci -q delete dhcp.@dnsmasq[0].server | uci -q delete dhcp.@dnsmasq[0].server | ||
| - | uci get stubby.global.listen_address \ | + | uci -q get stubby.global.listen_address \ |
| | sed -e " | | sed -e " | ||
| - | | while read STUBBY_SERV | + | | while read -r STUBBY_SERV |
| - | do | + | do uci add_list dhcp.@dnsmasq[0].server=" |
| - | uci add_list dhcp.@dnsmasq[0].server=" | + | |
| done | done | ||
| - | # Enforce DNS encryption | + | # Disable local use of dnsmasq/ |
| - | uci set dhcp.@dnsmasq[0].noresolv="1" | + | # to be UP during boot or just right after boot because of the race |
| + | # condition with SYSNTPd service. | ||
| + | # [[: | ||
| + | uci set dhcp.@dnsmasq[0].localuse="0" | ||
| uci commit dhcp | uci commit dhcp | ||
| - | service dnsmasq | + | service dnsmasq |
| </ | </ | ||
| + | |||
| + | LAN clients should use Dnsmasq as a primary resolver. | ||
| + | Dnsmasq forwards DNS queries to Stubby which encrypts DNS traffic. | ||
| ===== Testing ===== | ===== Testing ===== | ||
| - | {{section> | + | {{section> |
| + | |||
| + | ===== Alternate Testing sites ===== | ||
| + | * https:// | ||
| + | * https:// | ||
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
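Review bot: at the `uci -q get stubby.global.listen_address` pipeline, `-q` hides the error when that option is missing, so the `while read -r STUBBY_SERV` loop adds no `server` entries; since `noresolv` is set and the old `server` list deleted immediately before it, dnsmasq is then left with no upstream at all and nothing reports it. Suggest guarding the pipeline, e.g. `uci -q get stubby.global.listen_address >/dev/null || echo "stubby listen_address not set"`, or dropping `-q` on that one line so the error is visible. Separately, the new `localuse="0"` line means the router's own lookups no longer pass through Dnsmasq, and therefore not through Stubby either; the code comment gives the boot-time reason (race with sysntpd), but that trade-off belongs in the prose next to "LAN clients should use Dnsmasq as a primary resolver." so readers know the router itself is not covered.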
| Line 46: | Line 53: | ||
| <code bash> | <code bash> | ||
| - | # Restart | + | # Restart services |
| service log restart; service dnsmasq restart; service stubby restart | service log restart; service dnsmasq restart; service stubby restart | ||
| Line 55: | Line 62: | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a dnsmasq; pgrep -f -a stubby | pgrep -f -a dnsmasq; pgrep -f -a stubby | ||
| + | head -v -n -0 / | ||
| # Persistent configuration | # Persistent configuration | ||
| Line 61: | Line 69: | ||
| ===== Extras ===== | ===== Extras ===== | ||
| + | ==== Web interface ==== | ||
| + | If you want to manage the settings using web interface. | ||
| + | |||
| + | Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq. | ||
| + | |||
| ==== DoT provider ==== | ==== DoT provider ==== | ||
| - | Stubby | + | Stubby |
| - | You can change it to another | + | You can change it to Google DNS or any other [[wp> |
| - | Make sure selected provider supports | + | Use resolvers supporting |
| - | Specify several | + | Specify several |
| <code bash> | <code bash> | ||
| # Configure DoT provider | # Configure DoT provider | ||
| - | while uci -q delete stubby.@resolver[-1]; do :; done | + | while uci -q delete stubby.@resolver[0]; do :; done |
| - | uci set stubby.dns6a=" | + | uci add stubby resolver |
| - | uci set stubby.dns6a.address=" | + | uci set stubby.@resolver[-1].address=" |
| - | uci set stubby.dns6a.tls_auth_name=" | + | uci set stubby.@resolver[-1].tls_auth_name=" |
| - | uci set stubby.dns6b=" | + | uci add stubby resolver |
| - | uci set stubby.dns6b.address=" | + | uci set stubby.@resolver[-1].address=" |
| - | uci set stubby.dns6b.tls_auth_name=" | + | uci set stubby.@resolver[-1].tls_auth_name=" |
| - | uci set stubby.dnsa=" | + | uci add stubby resolver |
| - | uci set stubby.dnsa.address=" | + | uci set stubby.@resolver[-1].address=" |
| - | uci set stubby.dnsa.tls_auth_name=" | + | uci set stubby.@resolver[-1].tls_auth_name=" |
| - | uci set stubby.dnsb=" | + | uci add stubby resolver |
| - | uci set stubby.dnsb.address=" | + | uci set stubby.@resolver[-1].address=" |
| - | uci set stubby.dnsb.tls_auth_name=" | + | uci set stubby.@resolver[-1].tls_auth_name=" |
| uci commit stubby | uci commit stubby | ||
| service stubby restart | service stubby restart | ||
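Review bot: in the new Web interface subsection, "If you want to manage the settings using web interface." is a sentence fragment; merge it with the following line as "If you want to manage the settings using the web interface, navigate to LuCI -> Network -> DHCP and DNS to configure Dnsmasq." The subsection only covers Dnsmasq, so it should say whether the Stubby resolver list in the DoT provider block still has to be edited on the command line. In that block, `while uci -q delete stubby.@resolver[0]; do :; done` now removes every existing resolver section before the four `uci add stubby resolver` lines run; that is consistent, but the text above it should state that the default resolvers are replaced, not appended to.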
| Line 88: | Line 101: | ||
| ==== DNSSEC validation ==== | ==== DNSSEC validation ==== | ||
| Enforce [[wp> | Enforce [[wp> | ||
| - | Beware of performance issues. | + | Beware of fault tolerance and performance issues. |
| <code bash> | <code bash> | ||
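Review bot: "Beware of fault tolerance and performance issues." does not say what actually fails or when; one clause naming the failure mode and its trigger would let readers judge whether enforcing DNSSEC is acceptable for their setup before running the block below.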
| Line 100: | Line 113: | ||
| service stubby restart | service stubby restart | ||
| </ | </ | ||
| - | |||
| - | ==== Local system DNS via Dnsmasq ==== | ||
| - | {{section> | ||
| - | |||
| - | {{tag> | ||
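Review bot: this hunk removes the `{{tag>` line together with the "Local system DNS via Dnsmasq" subsection, so the page loses its tag index entries; if only the subsection was meant to go, keep the tag line. Dropping that subsection also leaves no pointer for readers who want the router itself to resolve through Dnsmasq and Stubby, which matters more now that the main block sets `localuse="0"`; a one-line cross-reference to wherever that procedure now lives would help.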