DNS-over-TLS+DNSSEC support
First, I want to thank you for the great work you have done. After testing OpenWRT and DD-WRT, Gargoyle was by far the best option (I have been using it for three years).
So I currently have a TL-WR1043NDv1 with Gargoyle 1.10.0 running perfectly and I would like to know if there is a way to implement DNS-over-TLS+DNSSEC. I saw some guides for OpenWRT and I have another TL-WR1043NDv1 for testing but I don't know if it would work.
If there is any way to implement it, I would test it with no problem.
Thanks.
TL-WR1043ND v1 | 1.12.X (Built 20200610-0028 git@80899c80)
Re: DNS-over-TLS+DNSSEC support
In general, if it works on Openwrt it should work on Gargoyle. However, setup will be manual and command-line based, and the amount of support we can offer is limited.
Are you able to link the particular guide you are interested in?
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: DNS-over-TLS+DNSSEC support
I personally recommend that you enter your own DNS IP addresses that can do DNSSEC and work with it. In this model, a DNSSEC resolver (KNOT, UNBOUND, BIND + certificates) has no place.
I have heard that DNSMASQ is already able to validate - but that's not tested.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
Re: DNS-over-TLS+DNSSEC support
RomanHK wrote:
> I personally recommend that you enter your own DNS IP addresses that can do DNSSEC and work with it. In this model, a DNSSEC resolver (KNOT, UNBOUND, BIND + certificates) has no place.
> I have heard that DNSMASQ is already able to validate - but that's not tested.
Lantis wrote:
> In general, if it works on Openwrt it should work on Gargoyle. However, setup will be manual and command-line based, and the amount of support we can offer is limited.
> Are you able to link the particular guide you are interested in?
I installed the latest version of OpenWRT and tested these two guides:
https://candrews.integralblue.com/2018/ ... wrt-18-06/
https://candrews.integralblue.com/2018/ ... wrt-18-06/
I didn't have much time to check, but it seems to work. Since the version of OpenWRT I installed is 18.06 and the newly released Gargoyle is based on it, today or tomorrow I will test to see if it works.
Last edited by willian on Mon May 13, 2019 9:36 am, edited 1 time in total.
Re: DNS-over-TLS+DNSSEC support
Please, post the results.
I haven't upgraded Gargoyle yet.
Thanks!
Re: DNS-over-TLS+DNSSEC support
Hello, after a few days trying to make it work, I finally succeeded.
I ended up leaving aside the two guides that I mentioned because some necessary configurations were missing. I used stubby's own guide on GitHub: https://github.com/openwrt/packages/tre ... ubby/files
Following this guide worked out, but I had to adjust a few things to make it work on Gargoyle.
First, the stubby package is not available in the Gargoyle plugin repository, so I just added the OpenWRT plugin repository and installed it with all the necessary dependencies.
http://downloads.openwrt.org/releases/1 ... s/Packages
After installing stubby and configuring DoT, we come to DNSSEC.
dnsmasq does not support DNSSEC, so we have to remove it and install dnsmasq-full. The command for this is:
Code:
opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk
The issue here is that the --download-only and --cache parameters don't work in Gargoyle (at least for me they didn't work); the first one just downloads the package without installing it, and the second one I didn't understand exactly what it is for. So what I did was:
- make a backup of the dhcp file (/etc/config/dhcp) with all the changes made previously for DoT, and run the following
- here I used the --force-overwrite parameter because there is a file that is not removed when removing dnsmasq, so it just gets overwritten
Code:
opkg remove dnsmasq && opkg install dnsmasq-full --force-overwrite
dnsmasq section (/etc/config/dhcp):
Code:
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option noresolv '1'
option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'
Basically that's it; after finishing the rest of the settings, it's just testing.
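The post above relies on four settings doing their job together: dnsmasq-full actually being the installed binary, dnssec and dnsseccheckunsigned being on, noresolv keeping the ISP resolvers out, and the local stubby listener being the only upstream. The following POSIX sh script is an added example (not code from the thread, from Gargoyle or from OpenWrt) that checks those points against the post's dnsmasq section and against the output of dnsmasq --version. It assumes that stubby listens on 127.0.0.1 port 5453, which is what the post's list server entry points at, and that dnsmasq --version prints a "Compile time options:" line with DNSSEC or no-DNSSEC in it; the sample config and version lines embedded in the script are constructed so it can run offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gargoyle/OpenWrt: check that a
# dnsmasq section in /etc/config/dhcp matches the DoT + DNSSEC setup above.
# Assumption: stubby listens on 127.0.0.1 port 5453 (the post's "list server"
# value), so that must be the only upstream dnsmasq knows about.

# Constructed sample: the DNS-related options from the post's dnsmasq section,
# embedded so the script runs offline. On the router you would call
# check_dhcp_config "$(cat /etc/config/dhcp)" instead.
SAMPLE_CONFIG="config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option rebind_protection '1'
    option localservice '1'
    option noresolv '1'
    option dnssec '1'
    option dnsseccheckunsigned '1'
    list server '127.0.0.1#5453'"

# Constructed sample of a section that silently weakens the setup: no
# validation, and a second upstream (192.0.2.1, a documentation address) that
# dnsmasq would query in plaintext next to stubby.
BROKEN_CONFIG="config dnsmasq
    option noresolv '1'
    list server '127.0.0.1#5453'
    list server '192.0.2.1'"

# has_option CONFIG NAME VALUE -> exit 0 if "option NAME 'VALUE'" is present
has_option() {
    printf '%s\n' "$1" | grep -qE "^[[:space:]]*option[[:space:]]+$2[[:space:]]+'$3'"
}

# check_dhcp_config CONFIG -> prints one line per problem; the exit status is
# the number of problems found (0 = matches the working setup from the post).
check_dhcp_config() {
    cfg=$1
    problems=0
    # dnssec '1': dnsmasq validates signatures itself instead of trusting
    # whatever AD bit the upstream happens to set
    has_option "$cfg" dnssec 1 || { echo "missing: option dnssec '1'"; problems=$((problems + 1)); }
    # dnsseccheckunsigned '1': an unsigned answer is only accepted after dnsmasq
    # proves the zone really is unsigned; without it, stripping the RRSIGs is
    # enough to get an unvalidated answer accepted
    has_option "$cfg" dnsseccheckunsigned 1 || { echo "missing: option dnsseccheckunsigned '1'"; problems=$((problems + 1)); }
    # noresolv '1': ignore the ISP resolvers in /tmp/resolv.conf.auto, so no
    # query can fall back to plaintext port 53
    has_option "$cfg" noresolv 1 || { echo "missing: option noresolv '1'"; problems=$((problems + 1)); }
    # the local stubby listener must be present as an upstream
    if ! printf '%s\n' "$cfg" | grep -qE "^[[:space:]]*list[[:space:]]+server[[:space:]]+'127\.0\.0\.1#5453'"; then
        echo "missing: list server '127.0.0.1#5453'"; problems=$((problems + 1))
    fi
    # any other server entry lets dnsmasq send queries around stubby in the clear
    extra=$(printf '%s\n' "$cfg" | awk '/^[ \t]*list[ \t]+server/ && !/127\.0\.0\.1#5453/ { n++ } END { print n + 0 }')
    [ "$extra" -eq 0 ] || { echo "extra upstream(s) bypassing stubby: $extra"; problems=$((problems + 1)); }
    return "$problems"
}

# dnsmasq_has_dnssec VERSION_TEXT -> exit 0 if the "Compile time options" line
# of `dnsmasq --version` lists DNSSEC (a build without it prints no-DNSSEC).
dnsmasq_has_dnssec() {
    printf '%s\n' "$1" | grep -E '^Compile time options:' | grep -qE '(^|[[:space:]])DNSSEC([[:space:]]|$)'
}

# Constructed version output in the shape dnsmasq prints (the exact option
# list varies by build; only the DNSSEC / no-DNSSEC token matters here).
SAMPLE_VERSION_BASE='Dnsmasq version 2.80
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC loop-detect no-inotify'
SAMPLE_VERSION_FULL='Dnsmasq version 2.80
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify'

if [ "$1" = "--demo" ]; then
    check_dhcp_config "$SAMPLE_CONFIG" && echo "sample config: OK"
    check_dhcp_config "$BROKEN_CONFIG" || echo "broken config: $? problem(s)"
    dnsmasq_has_dnssec "$SAMPLE_VERSION_FULL" && echo "dnsmasq-full build: DNSSEC available"
fi
```

Run it with --demo to see both samples classified; on the router, feed it the real file and the real dnsmasq --version output. Two things the checker cannot see are worth remembering: with noresolv and stubby as the only upstream, every name lookup on the LAN stops if stubby is not running, which is the intended fail-closed behaviour rather than a bug; and dnsmasq can only validate if it has a trust anchor, which OpenWrt's dnsmasq init script supplies from /usr/share/dnsmasq/trust-anchors.conf when dnssec is set to 1.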
Re: DNS-over-TLS+DNSSEC support
Nice! I will try it soon!
Thanks!
Re: DNS-over-TLS+DNSSEC support
Trying to use it only as DNSSEC without stubby, it is unstable and after rebooting the router DNSSEC no longer works.
Test page: https://dnssec.vs.uni-due.de/
Re: DNS-over-TLS+DNSSEC support
RomanHK wrote:
> Trying to use it only as DNSSEC without stubby, it is unstable and after rebooting the router DNSSEC no longer works.
> Test page: https://dnssec.vs.uni-due.de/
Curious, here it is working normally. All the tests I've done, including this one you quoted, have gone ok. And as I used the test router I have, I turned it off all night, reconnected this morning and it continued to run smoothly.
Re: DNS-over-TLS+DNSSEC support
as_w wrote:
> RomanHK wrote:
> > Trying to use it only as DNSSEC without stubby, it is unstable and after rebooting the router DNSSEC no longer works.
> > Test page: https://dnssec.vs.uni-due.de/
> Curious, here it is working normally. All the tests I've done, including this one you quoted, have gone ok. And as I used the test router I have, I turned it off all night, reconnected this morning and it continued to run smoothly.
Yes, it works if you are using servers that can already validate (such as Cloudflare, 1.1.1.1, ...), you must try it on servers that are not already validating (Norton ConnectSafe A).
But I won't convince you otherwise - I also want to start using DNSSEC + TLS on routers. DNSSEC + TLS with stubby goes perfectly. Now it depends if the developers integrate this option into the GUI as an additional feature.
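RomanHK's point is that a browser test page cannot tell whether the router validates or whether a validating upstream such as 1.1.1.1 did the work and the router merely passed the result through. A way to settle it from a LAN client, added here as an example (not something from the thread or from Gargoyle), is to point dig at the router while a non-validating upstream is configured and compare two answers: a correctly signed name should come back with the AD flag, and a name whose signatures are deliberately broken should come back SERVFAIL. The script below parses dig's header lines and returns a verdict; it assumes the router answers DNS on 192.168.1.1 (override with ROUTER=...), that dig is installed on the client, and it uses example.com as the correctly signed zone and dnssec-failed.org as the publicly maintained broken test zone. The dig output fragments embedded in it are constructed so that the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Gargoyle: decide from two dig
# answers whether the router itself validates DNSSEC. Only meaningful when the
# upstream behind the router does NOT validate (RomanHK's point above):
# otherwise SERVFAIL and the AD flag just pass through from upstream.
# Assumptions: the router answers DNS on $ROUTER (default 192.168.1.1) and dig
# is available on the client.
ROUTER=${ROUTER:-192.168.1.1}
SIGNED_NAME=example.com        # correctly signed zone
BOGUS_NAME=dnssec-failed.org   # zone with deliberately broken signatures

# dig_status OUTPUT -> prints the RCODE from dig's ";; ->>HEADER<<-" line
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# dig_has_ad OUTPUT -> exit 0 if the resolver set the AD (authenticated data) flag
dig_has_ad() {
    printf '%s\n' "$1" | grep -E '^;; flags:' | grep -qE '(^;; flags:| )ad( |;)'
}

# verdict SIGNED_OUTPUT BOGUS_OUTPUT -> validating | not-validating | inconclusive
#   validating:     broken zone is refused (SERVFAIL) and the good one carries AD
#   not-validating: the broken zone resolves, so nobody checked the signatures
#   inconclusive:   e.g. SERVFAIL without AD on the good name; the upstream may
#                   be validating, or the good name may simply be failing
verdict() {
    bogus_rc=$(dig_status "$2")
    if [ "$bogus_rc" = "SERVFAIL" ] && dig_has_ad "$1"; then
        echo validating
    elif [ "$bogus_rc" = "NOERROR" ]; then
        echo not-validating
    else
        echo inconclusive
    fi
}

# probe_router -> live check against $ROUTER; +dnssec sets the DO bit so a
# validating resolver answers with the AD flag
probe_router() {
    signed=$(dig "@$ROUTER" +dnssec "$SIGNED_NAME" A)
    bogus=$(dig "@$ROUTER" +dnssec "$BOGUS_NAME" A)
    verdict "$signed" "$bogus"
}

# Constructed dig output fragments (only the two header lines matter to the parser).
SAMPLE_SIGNED_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ "$1" = "--live" ]; then
    probe_router
else
    echo "offline sample: $(verdict "$SAMPLE_SIGNED_OK" "$SAMPLE_BOGUS_SERVFAIL")"
fi
```

Run it with --live from a LAN client to query the router; without arguments it only classifies the constructed samples. If the live run says validating while the router's upstream is known not to validate, the local dnsmasq-full is doing the checking; if it says not-validating, the broken zone resolved and the DNSSEC options are not in effect, which is the failure RomanHK describes after a reboot.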