Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
docs:guide-user:services:dns:dot_dnsmasq_stubby [2021/03/04 22:14] – redundant links vgaeteradocs:guide-user:services:dns:dot_dnsmasq_stubby [2024/04/15 19:55] – [Command-line instructions] Add user guide reference. jbrossard
Line 1: Line 1:
-====== DNS over TLS with Dnsmasq and Stubby ====== +====== DoT with Dnsmasq and Stubby ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 10: Line 10:
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Install the packages and configure DNS encryption.+Install the required packages
 +Enable DNS encryption.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq stubby+opkg install stubby
  
 # Enable DNS encryption # Enable DNS encryption
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
-uci get stubby.global.listen_address \+uci -q get stubby.global.listen_address \
 | sed -e "s/\s/\n/g;s/@/#/g" \ | sed -e "s/\s/\n/g;s/@/#/g" \
 | while read -r STUBBY_SERV | while read -r STUBBY_SERV
Line 26: Line 29:
 done done
  
-Enforce DNS encryption for LAN clients +Disable local use of dnsmasq/stubby. It is not possible for Stubby 
-uci set dhcp.@dnsmasq[0].noresolv="1"+# to be UP during boot or just right after boot because of the race 
 +# condition with SYSNTPd service. 
 +# [[:docs:guide-user:base-system:dhcp_configuration#race_conditions_with_sysntpd]] 
 +uci set dhcp.@dnsmasq[0].localuse="0" 
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq start
 </code> </code>
  
Line 37: Line 44:
 ===== Testing ===== ===== Testing =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
 +
 +===== Alternate Testing sites =====
 +  * https://www.cloudflare.com/ssl/encrypted-sni/
 +  * https://1.1.1.1/help
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
Line 43: Line 54:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/stubby restart+service log restart; service dnsmasq restart; service stubby restart
  
 # Log and status # Log and status
Line 66: Line 77:
 Stubby is configured with Cloudflare DNS by default. Stubby is configured with Cloudflare DNS by default.
 You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]]. You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoT provider]] including your own [[docs:guide-user:services:webserver:nginx#dns_over_tls|DoT server with Nginx]].
-Make sure the resolvers support DNSSEC validation if required.+Use resolvers supporting DNSSEC validation if necessary.
 Specify several resolvers to improve fault tolerance. Specify several resolvers to improve fault tolerance.
  
Line 72: Line 83:
 # Configure DoT provider # Configure DoT provider
 while uci -q delete stubby.@resolver[0]; do :; done while uci -q delete stubby.@resolver[0]; do :; done
-uci set stubby.dns6a="resolver" +uci add stubby resolver 
-uci set stubby.dns6a.address="2001:4860:4860::8888" +uci set stubby.@resolver[-1].address="2001:4860:4860::8888" 
-uci set stubby.dns6a.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dns6b="resolver" +uci add stubby resolver 
-uci set stubby.dns6b.address="2001:4860:4860::8844" +uci set stubby.@resolver[-1].address="2001:4860:4860::8844" 
-uci set stubby.dns6b.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsa="resolver" +uci add stubby resolver 
-uci set stubby.dnsa.address="8.8.8.8" +uci set stubby.@resolver[-1].address="8.8.8.8" 
-uci set stubby.dnsa.tls_auth_name="dns.google" +uci set stubby.@resolver[-1].tls_auth_name="dns.google" 
-uci set stubby.dnsb="resolver" +uci add stubby resolver 
-uci set stubby.dnsb.address="8.8.4.4" +uci set stubby.@resolver[-1].address="8.8.4.4" 
-uci set stubby.dnsb.tls_auth_name="dns.google"+uci set stubby.@resolver[-1].tls_auth_name="dns.google"
 uci commit stubby uci commit stubby
-/etc/init.d/stubby restart+service stubby restart
 </code> </code>
  
Line 96: Line 107:
 uci set dhcp.@dnsmasq[0].proxydnssec="1" uci set dhcp.@dnsmasq[0].proxydnssec="1"
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq restart
 uci set stubby.global.appdata_dir="/tmp/stubby" uci set stubby.global.appdata_dir="/tmp/stubby"
 uci set stubby.global.dnssec_return_status="1" uci set stubby.global.dnssec_return_status="1"
 uci commit stubby uci commit stubby
-/etc/init.d/stubby restart+service stubby restart
 </code> </code>
  
  • Last modified: 2024/06/13 19:04
  • by dnominated