Help Needed DNS over TLS

Hello. Can someone possibly include stubby - dns privacy. As you know this is DNS over TLS. Two questions -
1- is there a luci app for stubby ( getdns ) ?
2 - are there any guides anywhere for configuring stubby with unbound on Lede / OpenWrt ?

By the way, getdns (stubby also) is included and supported by Lede in their repos. Does anyone know the custom feed to install the packages mentioned above?

Thanks and hopefully this can be made available soon.

Peace and God Bless,

Directnupe

  1. No luci or even uci support.
  2. I don't think so. You can just set up dnsmasq to use stubby.

Hello @directnupe

I helped put the getdns and stubby packages together, so hopefully I can help get them running on your device. (Note: There will be a few changes coming to the package defaults during the next release of getdns/stubby, as well as further explanation on the config choices that were included in stubby.)

First, to answer your questions:

  1. No, there is no luci app yet
  2. There is currently no guide/etc. written up to get this working with lede/openwrt.

Assumptions:

  1. You have unbound or dnsmasq configured for your device, and it is the primary dns serving your network. (Or... at the very least, the unbound/dnsmasq config will not conflict with the default port currently set in the lede/openwrt stubby package, which is 5453.)
    a) I recommend running unbound to utilize the caching. Sometimes the connections from stubby to the resolver can have a little bit of lag, so caching + prefetch helps minimize the effects.

  2. You have a ca cert bundle installed on your router.
    a) You can do this by running the following: opkg install ca-certificates

To get the packages to show up, you must subscribe to the correct feed. You can add the following to the "/etc/opkg/customfeeds.conf" file:

src/gz openwrt_packages http://downloads.lede-project.org/snapshots/packages/mips_24kc/packages

Note: "mips_24kc" needs to be replaced with the proper instruction set for your device. You can find this info via the hardware table and then viewing "tech data" https://lede-project.org/toh/start

Make sure the "openwrt_packages" does not conflict with any other feed you have.

Note 2: The snapshot feed (master) is the only branch where the packages currently exist. You will have to wait for the next lede/openwrt branch if you want to stick to release branches.

Note 3: When adding the snapshot branch, be careful with "upgrading" packages.

After you add the correct feed, run:

opkg update

After that, you should be able to install the packages:

opkg install getdns stubby

You can change the default resolvers packaged with the current package by editing /etc/stubby/stubby.yml

Note: There have been some discussions about the current defaults. I believe on the next release, I'm going to change the lede/openwrt stubby defaults to use quad9 non-filtering service: 9.9.9.10 and the appropriate ipv6 equivalent.

The last step is to point your local resolver (unbound/dnsmasq) to stubby for name resolution.

For unbound, simply edit "/etc/unbound/unbound_ext.conf" and add the following:

forward-addr: 127.0.0.1@5453

OR

forward-addr: ::1@5453

(The lede/openwrt package of stubby currently defaults to listening on the loopback adapters only.)

Be sure to restart/reload your resolver afterwards.

To ensure stubby starts correctly after config file changes, please check the syslog after a restart of the service. You should see something similar to below (no errors reported):

stubby[24047]: [21:28:10.228569] STUBBY: Read config from file /etc/stubby/stubby.yml
stubby[24047]: [21:28:10.254679] STUBBY: Starting DAEMON....

Hopefully this helps.
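The feed, forwarding and syslog steps above can be checked from the router's shell. The script below is an added example written for this thread; it is not code from the post, nor from the getdns/stubby or OpenWrt projects. All function names, the sample feed file and the log excerpts written by demo() are constructed for the example; the feed URL pattern, port 5453 and the two good log lines come from the post.

```shell
#!/bin/sh
# Added helper script for the stubby install/config steps in the post above (not from
# the thread, nor from getdns/stubby or OpenWrt). Function names and the sample files
# written by demo() are constructed for this example.

# Build the customfeeds.conf line for a target architecture (e.g. mips_24kc).
feed_line() {
    printf 'src/gz openwrt_packages http://downloads.lede-project.org/snapshots/packages/%s/packages\n' "$1"
}

# Return 0 if feed name $2 already appears in feeds file $1 (the post warns that the
# "openwrt_packages" name must not clash with an existing feed).
feed_name_taken() {
    grep -q "^src/gz[[:space:]][[:space:]]*$2[[:space:]]" "$1"
}

# Append the feed line for arch $2 to feeds file $1 unless the name is already in use.
add_feed() {
    if feed_name_taken "$1" openwrt_packages; then
        echo "feed 'openwrt_packages' already present in $1, not adding" >&2
        return 1
    fi
    feed_line "$2" >> "$1"
}

# Check a stubby syslog excerpt: the daemon must report "Starting DAEMON" and no line
# may mention an error or failure.
stubby_log_ok() {
    grep -q 'STUBBY: Starting DAEMON' "$1" || return 1
    ! grep -qiE 'error|fail' "$1"
}

# Demo on constructed files in a temp dir (nothing on the real system is touched).
demo() {
    d=$(mktemp -d)
    # constructed pre-existing feed with a different name
    printf 'src/gz custom_feed http://example.invalid/packages\n' > "$d/customfeeds.conf"
    add_feed "$d/customfeeds.conf" mips_24kc && echo "feed added:" && cat "$d/customfeeds.conf"
    add_feed "$d/customfeeds.conf" mips_24kc 2>/dev/null || echo "second add refused (duplicate name)"
    # good log: the two lines shown in the post
    printf 'stubby[24047]: [21:28:10.228569] STUBBY: Read config from file /etc/stubby/stubby.yml\n' > "$d/good.log"
    printf 'stubby[24047]: [21:28:10.254679] STUBBY: Starting DAEMON....\n' >> "$d/good.log"
    stubby_log_ok "$d/good.log" && echo "good.log: stubby started cleanly"
    # bad log: constructed failure line, not a real stubby message
    printf 'stubby[24050]: [21:30:01.000000] STUBBY: Error reading config file /etc/stubby/stubby.yml\n' > "$d/bad.log"
    stubby_log_ok "$d/bad.log" || echo "bad.log: stubby did not start, check /etc/stubby/stubby.yml"
    rm -rf "$d"
}
demo
```

On a live router you would call add_feed against /etc/opkg/customfeeds.conf with your own architecture string and then run opkg update, and feed stubby_log_ok with the output of logread filtered for stubby.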

Dear Dave,
Thanks for all the help with GetDns and Stubby. I was able to get them up and running using Unbound for caching and prefetch. I use dnsmasq for DHCP in order to not slow down the device as you had noted.
As far as both packages being absent from arm_cortex-a9_vfpv3/ - yes some days they are in snapshot repo and other days they are not. I believe that you are correct when you state that it may have something to do with OpenWrt / Lede merge.
I downloaded both Stubby and GetDns and store them locally so that I can install them via Winscp when needed.
Again, I can not thank you enough for helping me and all others who are interested in DNS Over TLS. I started running a Lede snapshot so the yaml did download from OpenWrt. Maybe because Davidc502 LEDE Snapshots is a Community Build - somehow the yaml came from his repo when using that firmware.
However, Stubby ran fine as well with his yaml when I tested it using his firmware.
Again - God Bless and I have posted in his forum as to how to run Stubby. You gave excellent instructions.

In Peace,

Derek

Thanks @iamperson347
Would you be able to post your Unbound config? I'm struggling to get it running with Unbound, though it works fine with dnsmasq.
Many thanks.

Hi @UniverseX

/etc/config/unbound

config unbound
        option dns64 '0'
        option edns_size '1280'
        option hide_binddata '1'
        option listen_port '53'
        option localservice '1'
        option manual_conf '0'
        option protocol 'mixed'
        option query_minimize '0'
        option rebind_localhost '0'
        option rebind_protection '1'
        option recursion 'passive'
        option resource 'small'
        option root_age '9'
        option ttl_min '120'
        option enabled '1'
        option validator '1'
        option validator_ntp '1'
        option extended_luci '1'
        option extended_stats '0'
        option dhcp4_slaac6 '1'
        option dhcp_link 'dnsmasq'
        option unbound_control '1'
        option trigger 'wan'

/etc/unbound/unbound_srv.conf

verbosity: 1
do-not-query-localhost: no
private-domain: "plex.direct"
hide-identity: yes
hide-version: yes
cache-min-ttl: 3600
cache-max-ttl: 86400
prefetch: yes

#I think the only important thing above (to at least get everything working) is do-not-query-localhost: no

/etc/unbound/unbound_ext.conf

forward-zone:
    name: "."
    forward-addr: ::1@5453

#Note: you can replace ::1 with 127.0.0.1 if you are running ipv4 only. The default stubby port in the openwrt package is 5453, so that is what I am forwarding all unknown requests to.

Restart unbound after making changes.

Let me know if that helps.
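The post above identifies do-not-query-localhost: no as the one setting that makes the unbound-to-stubby forwarding work (unbound's default is yes, which blocks queries to 127.0.0.1 and ::1). The script below is an added example written for this thread, not code from the post or from the unbound or OpenWrt projects; it checks that setting in unbound_srv.conf and that every forward-addr in unbound_ext.conf points at loopback, so no query goes to a plaintext forwarder instead of stubby. Function names and the sample files written by demo() are constructed; 192.0.2.1 is a documentation address used only as a constructed bad value.

```shell
#!/bin/sh
# Added check script for the unbound settings in the post above (not from the thread,
# nor from unbound or OpenWrt). Function names and the files written by demo() are
# constructed for this example.

# unbound refuses to send queries to 127.0.0.1/::1 unless do-not-query-localhost is
# "no", so the post's unbound_srv.conf line is required for forwarding to stubby.
srv_allows_localhost() {
    grep -q '^[[:space:]]*do-not-query-localhost:[[:space:]]*no[[:space:]]*$' "$1"
}

# Every forward-addr in unbound_ext.conf must point at loopback (where the OpenWrt
# stubby package listens); any other address would send queries out in plaintext.
forward_only_loopback() {
    addrs=$(sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p' "$1")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            127.0.0.1@*|::1@*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Run both checks: $1 = unbound_srv.conf, $2 = unbound_ext.conf. Returns 0 if both pass.
check_unbound_to_stubby() {
    srv_allows_localhost "$1" || { echo "FAIL: $1 lacks 'do-not-query-localhost: no'"; return 1; }
    forward_only_loopback "$2" || { echo "FAIL: $2 has no forward-addr, or one not on loopback"; return 1; }
    echo "OK: unbound forwards only to stubby on loopback"
}

# Demo on constructed copies of the post's files plus two broken variants.
demo() {
    d=$(mktemp -d)
    printf 'do-not-query-localhost: no\nprefetch: yes\n' > "$d/srv.conf"
    printf 'forward-zone:\n    name: "."\n    forward-addr: ::1@5453\n' > "$d/ext.conf"
    check_unbound_to_stubby "$d/srv.conf" "$d/ext.conf"
    # Variant 1: the localhost setting is missing (unbound default "yes" applies).
    printf 'prefetch: yes\n' > "$d/srv-missing.conf"
    check_unbound_to_stubby "$d/srv-missing.conf" "$d/ext.conf" || true
    # Variant 2: an extra plaintext forwarder alongside stubby (constructed address).
    printf 'forward-zone:\n    name: "."\n    forward-addr: ::1@5453\n    forward-addr: 192.0.2.1@53\n' > "$d/ext-leak.conf"
    check_unbound_to_stubby "$d/srv.conf" "$d/ext-leak.conf" || true
    rm -rf "$d"
}
demo
```

On the router, run check_unbound_to_stubby /etc/unbound/unbound_srv.conf /etc/unbound/unbound_ext.conf before restarting unbound; if the second check fails, unbound is still resolving, just not through stubby.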

Thank you, @iamperson347
I'm going to try it tomorrow, will let you know.
I've noticed that your config points to dnsmasq. Would you please upload the DHCP config file? I'm not sure how I need to set it up in order to work with the above.
Many thanks.

Just tested. All seems working fine. Thanks a lot @iamperson347

Dear David,
Hello and thanks so much for replying in such a prompt, informative and kind fashion. I will follow your well laid out instructions. I should be able to handle this - as I clearly comprehend most if not all of your steps.

I got unbound running on Lede and will use it as you say. I believe that I got off course from reading DNS PRIVACY documentation which said to use port 8053 for stubby and unbound. Also, if I may ask - what exactly does Getdns do in this process? - and should I need to configure it in any way?

In addition, I noticed in your last post you would only use unbound for caching and let Getdns "work perfectly" with stubby. I am not being difficult - just a bit confused.

In any event - thanks for all your help. I will pass this information on and do my best to get it correct. Lastly - is there a time frame as to the next release which you pointed to earlier?

Peace and God Bless You and Yours,

Directnupe