Gargoyle Forum

RomanHK wrote:

as_w wrote:

RomanHK wrote:Trying to use it only as DNSSEC without stubby, it is unstable and after rebooting the router DNSSEC no longer works.
Test page: https://dnssec.vs.uni-due.de/

Curious, here it is working normally. All the tests I've done, including this one you quoted, have gone ok. And as I used the test router I have, I turned it off all night, reconnected this morning and it continued to run smoothly.

Yes, it works if you are using servers that can already validate (such as cloudflare, 1.1.1.1, ...), you must try it on servers that are not already validating (Norton ConnectSafe A).

But I won't convince you otherwise - I also want to start using DNSSEC + TLS on routers. DNSSEC + TLS with stubby goes perfectly . Now it depends if the developers integrate this option into the GUI as an additional feature .

as_w wrote: I understand now. Norton ConnectSafe still works?

coits wrote:Guys,

Just want to ask, does dnssec and dnscrypt play together well?

Thank you

RomanHK wrote:

coits wrote:Guys,

Just want to ask, does dnssec and dnscrypt play together well?

Thank you

Yes I agree. dnsmasq full (DNSSEC) + stubby (TLS over DNS) work fine.

coits wrote:Guys,

I have tried to install dnssec and got these errors on syslog "Insecure DS reply received, do upstream DNS servers support DNSSEC?".

Clicking on google search link goes to blank page, sometimes it works!.
It seems partially working.

Any idea, what I am missing here?

Thanks guys.

RomanHK wrote:

coits wrote:Guys,

I have tried to install dnssec and got these errors on syslog "Insecure DS reply received, do upstream DNS servers support DNSSEC?".

Clicking on google search link goes to blank page, sometimes it works!.
It seems partially working.

Any idea, what I am missing here?

Thanks guys.

You need to do this exactly as you see it from @as_w: viewtopic.php?f=5&t=11924#p52566
It is important to install dnsmasq full and stubby. The question is whether you have free space for this installation.

coits wrote: I have installed dnsmasq-full and stubby. it seems it doesn't play very well when you have dnscrypt running on it. when I run nslookup it still showing 127.0.0.1:53.

I believe I need to do some port forwarding from 53 to 5453 so that nslookup will show 127.0.01:5453.

Syslog still flooding with these errors "Insecure DS reply received, do upstream DNS servers support DNSSEC?"
I used cloudfare 1.1.1.1 and 1.0.0.1


Any thoughts or idea guys, it's nice to have this working.

Thank you.

option resolvfile '/dev/null'

option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'

RomanHK wrote:

coits wrote: I have installed dnsmasq-full and stubby. it seems it doesn't play very well when you have dnscrypt running on it. when I run nslookup it still showing 127.0.0.1:53.

I believe I need to do some port forwarding from 53 to 5453 so that nslookup will show 127.0.01:5453.

Syslog still flooding with these errors "Insecure DS reply received, do upstream DNS servers support DNSSEC?"
I used cloudfare 1.1.1.1 and 1.0.0.1


Any thoughts or idea guys, it's nice to have this working.

Thank you.

Okay. This will be an ISP problem, disable it for DNS to be accessible. In /etc/config/dhcp, change the value as follows:

Code: Select all

option resolvfile '/dev/null'

So I hope you've added these values:

Code: Select all

option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'

And watch out for typos (127.0.01:5453)

They should help. Let me know if you do.