Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
docs:guide-user:services:dns:dot_dnsmasq_stubby [2020/08/05 04:27] – [Extras] formatting optimized vgaeteradocs:guide-user:services:dns:dot_dnsmasq_stubby [2024/04/15 19:55] – [Command-line instructions] Add user guide reference. jbrossard
Line 1: Line 1:
-====== DNS over TLS with Dnsmasq and Stubby ====== +====== DoT with Dnsmasq and Stubby ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_TLS|DNS over TLS]] on OpenWrt.
   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:services:dns:stubby|Stubby]] for resource efficiency and performance.   * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:services:dns:stubby|Stubby]] for resource efficiency and performance.
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Install the packages and configure DNS encryption.+Install the required packages
 +Enable DNS encryption.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq stubby+opkg install stubby
  
 # Enable DNS encryption # Enable DNS encryption
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
-uci get stubby.global.listen_address \+uci -q get stubby.global.listen_address \
 | sed -e "s/\s/\n/g;s/@/#/g" \ | sed -e "s/\s/\n/g;s/@/#/g" \
 | while read -r STUBBY_SERV | while read -r STUBBY_SERV
-do +do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
-uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"+
 done done
  
-Enforce DNS encryption for LAN clients +Disable local use of dnsmasq/stubby. It is not possible for Stubby 
-uci set dhcp.@dnsmasq[0].noresolv="1"+# to be UP during boot or just right after boot because of the race 
 +# condition with SYSNTPd service. 
 +# [[:docs:guide-user:base-system:dhcp_configuration#race_conditions_with_sysntpd]] 
 +uci set dhcp.@dnsmasq[0].localuse="0" 
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq start
 </code> </code>
  
Line 38: Line 44:
 ===== Testing ===== ===== Testing =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
 +
 +===== Alternate Testing sites =====
 +  * https://www.cloudflare.com/ssl/encrypted-sni/
 +  * https://1.1.1.1/help
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
Line 43: Line 53:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/stubby restart+service log restart; service dnsmasq restart; service stubby restart
  
 # Log and status # Log and status
Line 52: Line 62:
 # Runtime configuration # Runtime configuration
 pgrep -f -a dnsmasq; pgrep -f -a stubby pgrep -f -a dnsmasq; pgrep -f -a stubby
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
Line 59: Line 70:
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-If you want to manage the settings via web interface.+If you want to manage the settings using web interface.
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Network -> DHCP and DNS** to configure Dnsmasq.+Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq.
  
 ==== DoT provider ==== ==== DoT provider ====
 Stubby is configured with Cloudflare DNS by default. Stubby is configured with Cloudflare DNS by default.
-You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoT provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. 
-Make sure the provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
 # Configure DoT provider # Configure DoT provider
 while uci -q delete stubby.@resolver[0]; do :; done while uci -q delete stubby.@resolver[0]; do :; done
-uci set stubby.dns6a="resolver" +uci add stubby resolver 
-uci set stubby.dns6a.address="2001:4860:4860::8888" +uci set stubby.@resolver[-1].address="2001:4860:4860::8888" 
-uci set stubby.dns6a.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dns6b="resolver" +uci add stubby resolver 
-uci set stubby.dns6b.address="2001:4860:4860::8844" +uci set stubby.@resolver[-1].address="2001:4860:4860::8844" 
-uci set stubby.dns6b.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsa="resolver" +uci add stubby resolver 
-uci set stubby.dnsa.address="8.8.8.8" +uci set stubby.@resolver[-1].address="8.8.8.8" 
-uci set stubby.dnsa.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsb="resolver" +uci add stubby resolver 
-uci set stubby.dnsb.address="8.8.4.4" +uci set stubby.@resolver[-1].address="8.8.4.4" 
-uci set stubby.dnsb.tls_auth_name="dns.google"+uci set stubby.@resolver[-1].tls_auth_name="dns.google"
 uci commit stubby uci commit stubby
-/etc/init.d/stubby restart+service stubby restart
 </code> </code>
  
 ==== DNSSEC validation ==== ==== DNSSEC validation ====
 Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself. Enforce [[wp>Domain_Name_System_Security_Extensions|DNSSEC]] validation if your DNS provider does not support it, or you want to perform the validation yourself.
-Beware of performance issues.+Beware of fault tolerance and performance issues.
  
 <code bash> <code bash>
Line 96: Line 107:
 uci set dhcp.@dnsmasq[0].proxydnssec="1" uci set dhcp.@dnsmasq[0].proxydnssec="1"
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq restart
 uci set stubby.global.appdata_dir="/tmp/stubby" uci set stubby.global.appdata_dir="/tmp/stubby"
 uci set stubby.global.dnssec_return_status="1" uci set stubby.global.dnssec_return_status="1"
 uci commit stubby uci commit stubby
-/etc/init.d/stubby restart+service stubby restart
 </code> </code>
  
  • Last modified: 2024/06/13 19:04
  • by dnominated