Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:dot_dnsmasq_stubby [2019/04/20 11:18] – links updated vgaetera
docs:guide-user:services:dns:dot_dnsmasq_stubby [2024/04/15 19:55] – [Command-line instructions] Add user guide reference. jbrossard
Line 1: Line 1:
-====== DNS over TLS via Dnsmasq and Stubby ====== +====== DoT with Dnsmasq and Stubby ====== 
-{{page>meta:infobox:cli_setup&noheader&nofooter&noeditbtn}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This guide describes how to configure OpenWrt to protect your DNS traffic. +  * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt. 
-  * It utilizes [[wp>DNS_over_TLS|DNS over TLS]] to provide [[?do=showtag&tag=DNSCrypt+DoH+DoT|DNS encryption]]. +  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:services:dns:stubby|Stubby]] for resource efficiency and performance
-  * DNS encryption is limited to DNS trafficuse [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-This method utilizes DoT via [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:services:dns:stubby|Stubby]] and maintains a balance between resource efficiency and performance. +Install the required packages
- +Enable DNS encryption.
-Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data. +
- +
-Use Stubby to encrypt DNS traffic. +
-Configure Dnsmasq to forward DNS queries to Stubby. +
-Enforce DNS encryption for LAN clients to prevent DNS leak.+
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq stubby+opkg install stubby
  
 # Enable DNS encryption # Enable DNS encryption
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
-uci get stubby.global.listen_address \+uci -q get stubby.global.listen_address \
 | sed -e "s/\s/\n/g;s/@/#/g" \ | sed -e "s/\s/\n/g;s/@/#/g" \
-| while read STUBBY_SERV +| while read -r STUBBY_SERV 
-do +do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
-uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"+
 done done
  
-Enforce DNS encryption for LAN clients +Disable local use of dnsmasq/stubby. It is not possible for Stubby 
-uci set dhcp.@dnsmasq[0].noresolv="1"+# to be UP during boot or just right after boot because of the race 
 +# condition with SYSNTPd service. 
 +# [[:docs:guide-user:base-system:dhcp_configuration#race_conditions_with_sysntpd]] 
 +uci set dhcp.@dnsmasq[0].localuse="0" 
 uci commit dhcp uci commit dhcp
-service dnsmasq restart+service dnsmasq start
 </code> </code>
  
-See also: [[intercept|DNS hijacking]], [[docs:guide-user:services:rng|Random generator]]+LAN clients should use Dnsmasq as a primary resolver. 
 +Dnsmasq forwards DNS queries to Stubby which encrypts DNS traffic.
  
 ===== Testing ===== ===== Testing =====
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} 
 + 
 +===== Alternate Testing sites ===== 
 +  * https://www.cloudflare.com/ssl/encrypted-sni/ 
 +  * https://1.1.1.1/help
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
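Review bot: the added line "Disable local use of dnsmasq/stubby. It is not possible for Stubby" sits inside the `<code bash>` block but has no leading `#`, unlike the three comment lines that follow it, so anyone pasting the block runs it as a command (the removed "Enforce DNS encryption for LAN clients" line had the same defect). Prefix it with `#`. The comment also justifies `localuse="0"` only by the boot race with sysntpd and silently drops the old caveat that the router's own lookups then bypass Dnsmasq and Stubby and go out unencrypted; after "Dnsmasq forwards DNS queries to Stubby which encrypts DNS traffic." one sentence saying that this covers LAN clients only, not the router itself, would keep readers from assuming otherwise.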
Line 48: Line 53:
  
 <code bash> <code bash>
-# Restart the services+# Restart services
 service log restart; service dnsmasq restart; service stubby restart service log restart; service dnsmasq restart; service stubby restart
  
Line 57: Line 62:
 # Runtime configuration # Runtime configuration
 pgrep -f -a dnsmasq; pgrep -f -a stubby pgrep -f -a dnsmasq; pgrep -f -a stubby
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
Line 63: Line 69:
  
 ===== Extras ===== ===== Extras =====
 +==== Web interface ====
 +If you want to manage the settings using web interface.
 +
 +Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq.
 +
 ==== DoT provider ==== ==== DoT provider ====
-Stubby uses Cloudflare DNS by default. +Stubby is configured with Cloudflare DNS by default. 
-You can change it to another [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
-while uci -q delete stubby.@resolver[-1]; do :; done +while uci -q delete stubby.@resolver[0]; do :; done 
-uci set stubby.dns6a="resolver" +uci add stubby resolver 
-uci set stubby.dns6a.address="2001:4860:4860::8888" +uci set stubby.@resolver[-1].address="2001:4860:4860::8888" 
-uci set stubby.dns6a.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dns6b="resolver" +uci add stubby resolver 
-uci set stubby.dns6b.address="2001:4860:4860::8844" +uci set stubby.@resolver[-1].address="2001:4860:4860::8844" 
-uci set stubby.dns6b.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsa="resolver" +uci add stubby resolver 
-uci set stubby.dnsa.address="8.8.8.8" +uci set stubby.@resolver[-1].address="8.8.8.8" 
-uci set stubby.dnsa.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsb="resolver" +uci add stubby resolver 
-uci set stubby.dnsb.address="8.8.4.4" +uci set stubby.@resolver[-1].address="8.8.4.4" 
-uci set stubby.dnsb.tls_auth_name="dns.google"+uci set stubby.@resolver[-1].tls_auth_name="dns.google"
 uci commit stubby uci commit stubby
 service stubby restart service stubby restart
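Review bot: "If you want to manage the settings using web interface." is a sentence fragment; fold it into the next line as "To manage the settings from the web interface, navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq." In the resolver block the move from named sections (`stubby.dnsa`) to `uci add stubby resolver` with `@resolver[-1]` is fine, but a short comment that `tls_auth_name` must match the name on the provider's certificate for every address listed would help, since that match is what makes the upstream connection authenticated rather than merely encrypted.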
Line 90: Line 101:
 ==== DNSSEC validation ==== ==== DNSSEC validation ====
 Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
-Beware of performance issues.+Beware of fault tolerance and performance issues.
  
 <code bash> <code bash>
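Review bot: "Beware of fault tolerance and performance issues." adds a fault-tolerance caveat without saying what it is. Given that the first hunk already notes Stubby cannot be relied on right after boot because of the sysntpd race, state the reason in one line: validation fails, and lookups with it, while the system clock is wrong (signatures carry validity windows) or while an upstream does not return the signature records.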
Line 102: Line 113:
 service stubby restart service stubby restart
 </code> </code>
- 
-==== Local system DNS via Dnsmasq ==== 
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#local_system_dns_via_dnsmasq&noheader&nofooter&noeditbutton}} 
- 
-{{tag>How-to DNS DoT}} 
  
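Review bot: besides removing the "Local system DNS via Dnsmasq" section, this hunk drops the `{{tag>How-to DNS DoT}}` line, which takes the page out of the How-to, DNS and DoT tag indexes; that looks unintended and the tag line should stay. Removing the section is consistent with `localuse="0"` in the first hunk, but the page then offers no path for readers who do want the router's own lookups to go through Dnsmasq and Stubby; a pointer to where that case is covered would close the gap.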
  • Last modified: 2024/06/13 19:04
  • by dnominated