Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:dot_dnsmasq_stubby [2019/10/03 10:59] – [Web interface] vgaetera
docs:guide-user:services:dns:dot_dnsmasq_stubby [2024/04/15 19:55] – [Command-line instructions] Add user guide reference. jbrossard
Line 1: Line 1:
-====== DNS over TLS with Dnsmasq and Stubby ====== +====== DoT with Dnsmasq and Stubby ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.
   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:services:dns:stubby|Stubby]] for resource efficiency and performance.   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:services:dns:stubby|Stubby]] for resource efficiency and performance.
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data+Install the required packages
- +Enable DNS encryption.
-Use Stubby to encrypt DNS traffic. +
-Configure Dnsmasq to forward DNS queries to Stubby. +
-Enforce DNS encryption for LAN clients to avoid DNS leak.+
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq stubby+opkg install stubby
  
 # Enable DNS encryption # Enable DNS encryption
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
-uci get stubby.global.listen_address \+uci -q get stubby.global.listen_address \
 | sed -e "s/\s/\n/g;s/@/#/g" \ | sed -e "s/\s/\n/g;s/@/#/g" \
 | while read -r STUBBY_SERV | while read -r STUBBY_SERV
-do +do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
-uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"+
 done done
  
-Enforce DNS encryption for LAN clients +Disable local use of dnsmasq/stubby. It is not possible for Stubby 
-uci set dhcp.@dnsmasq[0].noresolv="1"+# to be UP during boot or just right after boot because of the race 
 +# condition with SYSNTPd service. 
 +# [[:docs:guide-user:base-system:dhcp_configuration#race_conditions_with_sysntpd]] 
 +uci set dhcp.@dnsmasq[0].localuse="0" 
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq start
 </code> </code>
  
-See also: +LAN clients should use Dnsmasq as a primary resolver. 
-[[docs:guide-user:services:dns:intercept|DNS hijacking]], +Dnsmasq forwards DNS queries to Stubby which encrypts DNS traffic.
-[[docs:guide-user:services:rng|Random generator]]+
  
 ===== Testing ===== ===== Testing =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
 +
 +===== Alternate Testing sites =====
 +  * https://www.cloudflare.com/ssl/encrypted-sni/
 +  * https://1.1.1.1/help
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
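Review bot: the first line of the new comment inside the `<code bash>` block, "Disable local use of dnsmasq/stubby. It is not possible for Stubby", has no leading `#` while its continuation lines do, so anyone pasting the block runs it as a command; prefix it with `#`. Two logic points in the same block. The change to `uci -q get stubby.global.listen_address` makes a missing or empty listen address fail silently, and since `noresolv="1"` is now set just before it, the loop then adds no `server` entries and dnsmasq is committed with no upstream at all; check the result before `uci commit dhcp`, e.g. `uci -q get dhcp.@dnsmasq[0].server || { echo "no stubby listener found"; exit 1; }`. The new `localuse="0"` also means the router's own lookups (opkg, ntp hostnames) go unencrypted to whatever resolver WAN DHCP handed out; the removed wording "assuming that local system traffic does not involve private data" stated that trade-off, and the new text only explains the SYSNTPd race, so say it explicitly there. Finally, "LAN clients should use Dnsmasq as a primary resolver" replaces "Enforce DNS encryption for LAN clients to avoid DNS leak" but nothing in the block enforces it; point at the DNS hijacking link from the Introduction at that spot.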
Line 48: Line 53:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/stubby restart+service log restart; service dnsmasq restart; service stubby restart
  
 # Log and status # Log and status
Line 57: Line 62:
 # Runtime configuration # Runtime configuration
 pgrep -f -a dnsmasq; pgrep -f -a stubby pgrep -f -a dnsmasq; pgrep -f -a stubby
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
Line 64: Line 70:
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-If you want to manage the settings via web interface.+If you want to manage the settings using web interface.
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Network -> DHCP and DNS** to configure Dnsmasq.+Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq.
  
 ==== DoT provider ==== ==== DoT provider ====
 Stubby is configured with Cloudflare DNS by default. Stubby is configured with Cloudflare DNS by default.
-You can change it to another [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
 while uci -q delete stubby.@resolver[0]; do :; done while uci -q delete stubby.@resolver[0]; do :; done
-uci set stubby.dns6a="resolver" +uci add stubby resolver 
-uci set stubby.dns6a.address="2001:4860:4860::8888" +uci set stubby.@resolver[-1].address="2001:4860:4860::8888" 
-uci set stubby.dns6a.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dns6b="resolver" +uci add stubby resolver 
-uci set stubby.dns6b.address="2001:4860:4860::8844" +uci set stubby.@resolver[-1].address="2001:4860:4860::8844" 
-uci set stubby.dns6b.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsa="resolver" +uci add stubby resolver 
-uci set stubby.dnsa.address="8.8.8.8" +uci set stubby.@resolver[-1].address="8.8.8.8" 
-uci set stubby.dnsa.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsb="resolver" +uci add stubby resolver 
-uci set stubby.dnsb.address="8.8.4.4" +uci set stubby.@resolver[-1].address="8.8.4.4" 
-uci set stubby.dnsb.tls_auth_name="dns.google"+uci set stubby.@resolver[-1].tls_auth_name="dns.google"
 uci commit stubby uci commit stubby
-/etc/init.d/stubby restart+service stubby restart
 </code> </code>
  
 ==== DNSSEC validation ==== ==== DNSSEC validation ====
 Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
-Beware of performance issues.+Beware of fault tolerance and performance issues.
  
 <code bash> <code bash>
Line 101: Line 107:
 uci set dhcp.@dnsmasq[0].proxydnssec="1" uci set dhcp.@dnsmasq[0].proxydnssec="1"
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq restart
 uci set stubby.global.appdata_dir="/tmp/stubby" uci set stubby.global.appdata_dir="/tmp/stubby"
 uci set stubby.global.dnssec_return_status="1" uci set stubby.global.dnssec_return_status="1"
 uci commit stubby uci commit stubby
-/etc/init.d/stubby restart+service stubby restart
 </code> </code>
- 
-==== Local system ==== 
-{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#local_system&noheader&nofooter&noeditbutton}} 
  
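Review bot: "Beware of fault tolerance and performance issues." under DNSSEC validation still does not say what fails or why; state the condition, namely that validation with `dnssec_return_status="1"` needs upstreams that return DNSSEC records, what a client observes when validation cannot complete, and that `appdata_dir="/tmp/stubby"` sits on tmpfs so the trust anchor Stubby keeps there is fetched again after every reboot, which is also why the SYSNTPd race from the Command-line section matters here. In the DoT provider block the move from named sections (`stubby.dns6a`) to `uci add stubby resolver` with `@resolver[-1]` is the right idiom after the `while uci -q delete stubby.@resolver[0]; do :; done` loop; add one sentence that `tls_auth_name` is the name the server certificate is checked against, so when substituting another provider it must be the hostname that provider publishes for its DoT endpoint, not just the IP.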
  • Last modified: 2024/06/13 19:04
  • by dnominated