Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:dot_dnsmasq_stubby [2019/09/18 14:32] – [Introduction] vgaeteradocs:guide-user:services:dns:dot_dnsmasq_stubby [2024/04/15 19:55] – [Command-line instructions] Add user guide reference. jbrossard
Line 1: Line 1:
-====== DNS over TLS with Dnsmasq and Stubby ====== +====== DoT with Dnsmasq and Stubby ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.
   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:services:dns:stubby|Stubby]] for resource efficiency and performance.   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:services:dns:stubby|Stubby]] for resource efficiency and performance.
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data+Install the required packages
- +Enable DNS encryption.
-Use Stubby to encrypt DNS traffic. +
-Configure Dnsmasq to forward DNS queries to Stubby. +
-Enforce DNS encryption for LAN clients to avoid DNS leak.+
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq stubby+opkg install stubby
  
 # Enable DNS encryption # Enable DNS encryption
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
-uci get stubby.global.listen_address \+uci -q get stubby.global.listen_address \
 | sed -e "s/\s/\n/g;s/@/#/g" \ | sed -e "s/\s/\n/g;s/@/#/g" \
 | while read -r STUBBY_SERV | while read -r STUBBY_SERV
-do +do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
-uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"+
 done done
  
-Enforce DNS encryption for LAN clients +Disable local use of dnsmasq/stubby. It is not possible for Stubby 
-uci set dhcp.@dnsmasq[0].noresolv="1"+# to be UP during boot or just right after boot because of the race 
 +# condition with SYSNTPd service. 
 +# [[:docs:guide-user:base-system:dhcp_configuration#race_conditions_with_sysntpd]] 
 +uci set dhcp.@dnsmasq[0].localuse="0" 
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq start
 </code> </code>
  
-See also: +LAN clients should use Dnsmasq as a primary resolver. 
-[[docs:guide-user:services:dns:intercept|DNS hijacking]], +Dnsmasq forwards DNS queries to Stubby which encrypts DNS traffic.
-[[docs:guide-user:services:rng|Random generator]]+
  
 ===== Testing ===== ===== Testing =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
 +
 +===== Alternate Testing sites =====
 +  * https://www.cloudflare.com/ssl/encrypted-sni/
 +  * https://1.1.1.1/help
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
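Review bot: the first line of the new comment block, `Disable local use of dnsmasq/stubby. It is not possible for Stubby`, is missing the leading `#` that the next three lines carry, so anyone pasting the `<code bash>` block into a shell runs `Disable` as a command (the old revision had the same defect on `Enforce DNS encryption for LAN clients`); prefix it with `#`. Two further points in this hunk. `uci set dhcp.@dnsmasq[0].localuse="0"` makes the router itself bypass Dnsmasq and Stubby, so its own lookups (opkg, sysntpd and anything else on the box) go in plaintext to the WAN-supplied resolvers; the old revision stated that assumption ("assuming that local system traffic does not involve private data") and the new text should say it next to the setting, not only cite the sysntpd race. And changing `uci get` to `uci -q get` for `stubby.global.listen_address` means that if the option is absent the loop adds no `server` entries while `noresolv` has already been set to `1`, leaving Dnsmasq with no upstream at all and failing silently; either keep the error visible or follow the loop with a check such as `uci -q get dhcp.@dnsmasq[0].server || echo "no Stubby listener found"` before the commit.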
Line 48: Line 53:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/stubby restart+service log restart; service dnsmasq restart; service stubby restart
  
 # Log and status # Log and status
Line 57: Line 62:
 # Runtime configuration # Runtime configuration
 pgrep -f -a dnsmasq; pgrep -f -a stubby pgrep -f -a dnsmasq; pgrep -f -a stubby
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
Line 63: Line 69:
  
 ===== Extras ===== ===== Extras =====
 +==== Web interface ====
 +If you want to manage the settings using web interface.
 +
 +Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq.
 +
 ==== DoT provider ==== ==== DoT provider ====
 Stubby is configured with Cloudflare DNS by default. Stubby is configured with Cloudflare DNS by default.
-You can change it to another [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
 while uci -q delete stubby.@resolver[0]; do :; done while uci -q delete stubby.@resolver[0]; do :; done
-uci set stubby.dns6a="resolver" +uci add stubby resolver 
-uci set stubby.dns6a.address="2001:4860:4860::8888" +uci set stubby.@resolver[-1].address="2001:4860:4860::8888" 
-uci set stubby.dns6a.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dns6b="resolver" +uci add stubby resolver 
-uci set stubby.dns6b.address="2001:4860:4860::8844" +uci set stubby.@resolver[-1].address="2001:4860:4860::8844" 
-uci set stubby.dns6b.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsa="resolver" +uci add stubby resolver 
-uci set stubby.dnsa.address="8.8.8.8" +uci set stubby.@resolver[-1].address="8.8.8.8" 
-uci set stubby.dnsa.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsb="resolver" +uci add stubby resolver 
-uci set stubby.dnsb.address="8.8.4.4" +uci set stubby.@resolver[-1].address="8.8.4.4" 
-uci set stubby.dnsb.tls_auth_name="dns.google"+uci set stubby.@resolver[-1].tls_auth_name="dns.google"
 uci commit stubby uci commit stubby
-/etc/init.d/stubby restart+service stubby restart
 </code> </code>
  
 ==== DNSSEC validation ==== ==== DNSSEC validation ====
 Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
-Beware of performance issues.+Beware of fault tolerance and performance issues.
  
 <code bash> <code bash>
Line 96: Line 107:
 uci set dhcp.@dnsmasq[0].proxydnssec="1" uci set dhcp.@dnsmasq[0].proxydnssec="1"
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq restart
 uci set stubby.global.appdata_dir="/tmp/stubby" uci set stubby.global.appdata_dir="/tmp/stubby"
 uci set stubby.global.dnssec_return_status="1" uci set stubby.global.dnssec_return_status="1"
 uci commit stubby uci commit stubby
-/etc/init.d/stubby restart+service stubby restart
 </code> </code>
- 
-==== Local system DNS via Dnsmasq ==== 
-{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#local_system_dns_via_dnsmasq&noheader&nofooter&noeditbutton}} 
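Review bot: with `uci set dhcp.@dnsmasq[0].localuse="0"` now part of the main instructions, dropping the `==== Local system DNS via Dnsmasq ====` section removes the only pointer for readers who do want the router's own queries to go through Stubby; keep at least a one-line reference to `dnscrypt_dnsmasq_dnscrypt-proxy#local_system_dns_via_dnsmasq`. In the DoT provider block the move from named sections to `uci add stubby resolver` / `uci set stubby.@resolver[-1].address=...` is cleaner, but the example now points every resolver at Google, and the Cloudflare pages added under Alternate Testing sites (`https://1.1.1.1/help`) only report DoT status for queries that reach Cloudflare's resolver, so a reader who follows this section will see DoT reported as off there; say so, or point to a provider-neutral check. Also worth one sentence next to `tls_auth_name="dns.google"`: that value is what Stubby verifies the server certificate against, so it must be the provider's published DoT hostname and must be changed together with `address`, never independently.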
  
  • Last modified: 2024/06/13 19:04
  • by dnominated