
DNS-over-TLS+DNSSEC support

Posted: Wed Mar 06, 2019 9:35 am
by willian
First, I want to thank you for the great work you have done; after testing OpenWRT and DD-WRT, Gargoyle was by far the best option (I have been using it for three years).

So I currently have a TL-WR1043NDv1 with Gargoyle 1.10.0 running perfectly and I would like to know if there is a way to implement DNS-over-TLS+DNSSEC. I saw some guides for OpenWRT and I have another TL-WR1043NDv1 for testing but I don't know if it would work.
If there is any way to implement it, I would be happy to test it.

Thanks.

Re: DNS-over-TLS+DNSSEC support

Posted: Wed Mar 06, 2019 4:05 pm
by Lantis
In general, if it works on Openwrt it should work on Gargoyle. However setup will be manual and command line based, and the amount of support we can offer is limited.

Are you able to link the particular guide you are interested in?

Re: DNS-over-TLS+DNSSEC support

Posted: Wed Mar 06, 2019 4:42 pm
by RomanHK
I personally recommend that you enter the IP addresses of your own DNS servers that can do DNSSEC and work with them. In this model there is no place for a DNSSEC resolver (Knot, Unbound, BIND + certificates).

I have heard that DNSMASQ is already able to validate - but that's not tested.

Re: DNS-over-TLS+DNSSEC support

Posted: Thu Mar 07, 2019 10:26 am
by willian
RomanHK wrote:I personally recommend that you enter the IP addresses of your own DNS servers that can do DNSSEC and work with them. In this model there is no place for a DNSSEC resolver (Knot, Unbound, BIND + certificates).

I have heard that DNSMASQ is already able to validate - but that's not tested.
Lantis wrote:In general, if it works on Openwrt it should work on Gargoyle. However setup will be manual and command line based, and the amount of support we can offer is limited.

Are you able to link the particular guide you are interested in?
I installed the latest version of OpenWRT and tested these two guides:

https://candrews.integralblue.com/2018/ ... wrt-18-06/
https://candrews.integralblue.com/2018/ ... wrt-18-06/

I didn't have much time to check but it seems to work. Since the version of OpenWRT I installed is 18.06 and the newly released Gargoyle is based on this, today or tomorrow I will test to see if it works.

Re: DNS-over-TLS+DNSSEC support

Posted: Fri Mar 08, 2019 12:19 am
by CBx86
Please, post the results. :D

I haven't upgraded Gargoyle yet. :oops:

Thanks!

Re: DNS-over-TLS+DNSSEC support

Posted: Sat Mar 16, 2019 8:38 pm
by willian
Hello, after a few days trying to make it work, I finally succeeded.

I ended up leaving aside the two guides I mentioned because some necessary configuration was missing. I used stubby's own guide on GitHub: https://github.com/openwrt/packages/tre ... ubby/files

Following this guide worked, but I had to adjust a few things to make it work on Gargoyle.

First, the stubby package is not available in the Gargoyle plugin repository, so I just added the OpenWRT plugin repository and installed it with all the necessary dependencies.
http://downloads.openwrt.org/releases/1 ... s/Packages

After installing stubby and configuring DoT, we come to DNSSEC.

dnsmasq does not support DNSSEC, so we have to remove it and install dnsmasq-full. The command for this is:


opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk
The issue here is that the --download-only and --cache parameters don't work in Gargoyle (at least they didn't for me): the first one just downloads the package without installing it, and the second one I didn't understand exactly what it is for. So what I did was:
  • make a backup of the dhcp file (/etc/config/dhcp) with all the changes made previously for DoT, and run

    opkg remove dnsmasq && opkg install dnsmasq-full --force-overwrite
    here I used the --force-overwrite parameter because there is a file that is not deleted when removing dnsmasq, so it just gets overwritten
After installing dnsmasq-full, the dnsmasq section in the dhcp file is completely changed, hence the need for the backup.

dnsmasq section (/etc/config/dhcp):

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	# ignore resolvfile so only the server listed below is used as upstream
	option noresolv '1'
	# validate DNSSEC locally and reject unsigned answers from signed zones
	option dnssec '1'
	option dnsseccheckunsigned '1'
	# stubby's DNS-over-TLS listener on the router
	list server '127.0.0.1#5453'
Basically that's it; after finishing the rest of the settings, it's just testing.
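The procedure above as one script, added here as an example and not code from the thread or from the Gargoyle/OpenWrt projects. It backs up /etc/config/dhcp, swaps in dnsmasq-full the way described above, applies the DNSSEC options with uci instead of rewriting the whole file, and then checks that validation is really happening on the router (a zone with deliberately broken signatures must come back SERVFAIL; a validating upstream would hide a router that is only forwarding). The file paths and the 127.0.0.1#5453 stubby listener come from the thread; the function names, the "apply" argument and the dnssec-failed.org test zone are assumptions of this example.

```shell
#!/bin/sh
# Example script for the Gargoyle/OpenWrt dnsmasq-full + DNSSEC steps (added
# example, not the thread's own code). Nothing runs unless invoked with "apply".

# Keep a copy of the dhcp config, since installing dnsmasq-full rewrites it.
backup_dhcp_config() {
    src="${1:-/etc/config/dhcp}"
    dest="${2:-$src.pre-dnssec}"
    cp "$src" "$dest"
}

# The variant that worked in the thread: remove dnsmasq, then force-overwrite
# with dnsmasq-full because one file survives the removal.
replace_dnsmasq() {
    opkg remove dnsmasq && opkg install dnsmasq-full --force-overwrite
}

# Print the uci commands that apply the thread's settings to the existing
# dnsmasq section. Emitted as text so the operator can review them before
# piping them to sh.
dnssec_uci_commands() {
    cat <<'EOF'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].dnssec='1'
uci set dhcp.@dnsmasq[0].dnsseccheckunsigned='1'
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5453'
uci commit dhcp
EOF
}

# Write a stand-alone copy of the dnsmasq section from the thread to $1,
# e.g. for diffing against the backup taken above.
render_dnsmasq_section() {
    cat > "$1" <<'EOF'
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option leasefile '/tmp/dhcp.leases'
	option noresolv '1'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '127.0.0.1#5453'
EOF
}

# Return 0 only if config file $1 has everything DNSSEC-over-stubby needs:
# local validation on, unsigned answers checked, stubby as upstream, and
# noresolv so dnsmasq does not also use the ISP servers from resolv.conf.
check_dnssec_config() {
    f="$1"
    grep -q "^[[:space:]]*option dnssec '1'" "$f" || return 1
    grep -q "^[[:space:]]*option dnsseccheckunsigned '1'" "$f" || return 1
    grep -q "^[[:space:]]*option noresolv '1'" "$f" || return 1
    grep -q "^[[:space:]]*list server '127.0.0.1#5453'" "$f" || return 1
    return 0
}

# Live check (needs network and dig): ask the router for a zone whose
# signatures are deliberately broken. A validating router answers SERVFAIL;
# a router that merely forwards returns the bogus record.
verify_local_validation() {
    router="${1:-127.0.0.1}"
    bad_zone="${2:-dnssec-failed.org}"   # assumed public broken-signature test zone
    dig @"$router" "$bad_zone" A +time=5 +tries=1 | grep -q 'status: SERVFAIL'
}

case "${1:-}" in
    apply)
        backup_dhcp_config &&
        replace_dnsmasq &&
        dnssec_uci_commands | sh &&
        /etc/init.d/dnsmasq restart &&
        verify_local_validation && echo "DNSSEC validation confirmed on router"
        ;;
esac
```

Run it on the router as `sh dnssec-setup.sh apply` after stubby is already configured and listening on 127.0.0.1#5453; run `verify_local_validation` alone from a LAN client with the router's address as the first argument to repeat the check later, for example after a reboot.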

Re: DNS-over-TLS+DNSSEC support

Posted: Sat Mar 16, 2019 9:11 pm
by CBx86
Nice! I will try it soon!

Thanks! :D

Re: DNS-over-TLS+DNSSEC support

Posted: Sat Mar 16, 2019 11:25 pm
by RomanHK
Trying to use it only as DNSSEC without stubby, it is unstable and after rebooting the router DNSSEC no longer works. :(
Test page: https://dnssec.vs.uni-due.de/

Re: DNS-over-TLS+DNSSEC support

Posted: Sun Mar 17, 2019 7:55 pm
by willian
RomanHK wrote:Trying to use it only as DNSSEC without stubby, it is unstable and after rebooting the router DNSSEC no longer works. :(
Test page: https://dnssec.vs.uni-due.de/
Curious, here it is working normally. All the tests I've done, including this one you quoted, have gone ok. And as I used the test router I have, I turned it off all night, reconnected this morning and it continued to run smoothly.

Re: DNS-over-TLS+DNSSEC support

Posted: Mon Mar 18, 2019 4:13 am
by RomanHK
as_w wrote:
RomanHK wrote:Trying to use it only as DNSSEC without stubby, it is unstable and after rebooting the router DNSSEC no longer works. :(
Test page: https://dnssec.vs.uni-due.de/
Curious, here it is working normally. All the tests I've done, including this one you quoted, have gone ok. And as I used the test router I have, I turned it off all night, reconnected this morning and it continued to run smoothly.
Yes, it works if you are using servers that already validate (such as Cloudflare, 1.1.1.1, ...); you must try it with servers that do not validate (Norton ConnectSafe A).

But I won't try to convince you otherwise - I also want to start using DNSSEC + TLS on routers. DNSSEC + TLS with stubby works perfectly ;) . Now it depends on whether the developers integrate this option into the GUI as an additional feature :?: .