DNS-over-TLS+DNSSEC support

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project


willian
Posts: 14
Joined: Wed Mar 06, 2019 8:19 am

DNS-over-TLS+DNSSEC support

Post by willian »

First, I want to thank you for the great work you have done. After testing OpenWRT and DD-WRT, Gargoyle was by far the best option (I have been using it for three years).

So I currently have a TL-WR1043NDv1 with Gargoyle 1.10.0 running perfectly and I would like to know if there is a way to implement DNS-over-TLS+DNSSEC. I saw some guides for OpenWRT and I have another TL-WR1043NDv1 for testing but I don't know if it would work.
If there is any way to implement I would test with no problem.

Thanks.
TL-WR1043ND v1 | 1.12.X (Built 20200610-0028 git@80899c80)

Lantis
Moderator
Posts: 7172
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: DNS-over-TLS+DNSSEC support

Post by Lantis »

In general, if it works on Openwrt it should work on Gargoyle. However setup will be manual and command line based, and the amount of support we can offer is limited.

Are you able to link the particular guide you are interested in?
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: DNS-over-TLS+DNSSEC support

Post by RomanHK »

I personally recommend that you enter the IP addresses of DNS servers that can do DNSSEC and work with those. On this model there is no room for a DNSSEC resolver (Knot, Unbound, BIND + certificates).

I have heard that dnsmasq is already able to validate, but I haven't tested that.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

willian
Posts: 14
Joined: Wed Mar 06, 2019 8:19 am

Re: DNS-over-TLS+DNSSEC support

Post by willian »

RomanHK wrote:I personally recommend that you enter the IP addresses of DNS servers that can do DNSSEC and work with those. On this model there is no room for a DNSSEC resolver (Knot, Unbound, BIND + certificates).

I have heard that dnsmasq is already able to validate, but I haven't tested that.
Lantis wrote:In general, if it works on Openwrt it should work on Gargoyle. However setup will be manual and command line based, and the amount of support we can offer is limited.

Are you able to link the particular guide you are interested in?
I installed the latest version of OpenWRT and tested these two guides:

https://candrews.integralblue.com/2018/ ... wrt-18-06/
https://candrews.integralblue.com/2018/ ... wrt-18-06/

I didn't have much time to check, but it seems to work. Since the version of OpenWRT I installed is 18.06 and the newly released Gargoyle is based on it, today or tomorrow I will test whether it works there.

CBx86
Posts: 157
Joined: Sun Jan 05, 2014 5:43 pm
Location: Brazil

Re: DNS-over-TLS+DNSSEC support

Post by CBx86 »

Please, post the results. :D

I haven't upgraded Gargoyle yet. :oops:

Thanks!

willian
Posts: 14
Joined: Wed Mar 06, 2019 8:19 am

Re: DNS-over-TLS+DNSSEC support

Post by willian »

Hello, after a few days trying to make it work, I finally succeeded.

I ended up setting aside the two guides I mentioned because some necessary configuration was missing. I used stubby's own guide on GitHub: https://github.com/openwrt/packages/tre ... ubby/files

Following this guide worked, but I had to adjust a few things to make it work on Gargoyle.

First, the stubby package is not available in the Gargoyle plugin repository, so I just added the OpenWRT plugin repository and installed it with all the necessary dependencies.
http://downloads.openwrt.org/releases/1 ... s/Packages

After installing stubby and configuring DoT, we come to DNSSEC.

dnsmasq does not support DNSSEC, so we have to remove it and install dnsmasq-full. The command for this is:

```sh
opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk
```

The issue here is that the --download-only and --cache parameters don't work in Gargoyle (at least they didn't for me); the first one just downloads the package without installing it, and I didn't understand exactly what the second one is for. So what I did was:
  • make a backup of the dhcp file (/etc/config/dhcp) with all the changes made previously for DoT, then run

    ```sh
    opkg remove dnsmasq && opkg install dnsmasq-full --force-overwrite
    ```

    Here I used the --force-overwrite parameter because there is a file that is not deleted when dnsmasq is removed, so it simply gets overwritten.

After installing dnsmasq-full, the dnsmasq section in the dhcp file is completely changed, hence the need for the backup.

dnsmasq section (/etc/config/dhcp):

```
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '127.0.0.1#5453'
```

Basically that's it; after finishing the rest of the settings, it's just a matter of testing.
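The dnsmasq section above has three settings that decide whether queries actually stay inside the DoT tunnel and get validated: `noresolv '1'` (otherwise the WAN resolvers in `resolvfile` are used in plaintext alongside stubby), `dnssec '1'` plus `dnsseccheckunsigned '1'` (otherwise a stripped signature is accepted as "unsigned"), and a `list server` that points only at the loopback stubby listener. As an added example, not code from the original post or from the Gargoyle project, here is a small Python linter that parses a UCI `dhcp` fragment and reports those mistakes. The `config dnsmasq` header and the two sample fragments are constructed for this example; the weak sample deliberately uses a public resolver and `noresolv '0'`.

```python
"""Lint the dnsmasq section of an OpenWrt/Gargoyle /etc/config/dhcp for a
stubby (DNS-over-TLS) + DNSSEC setup.  Added example, not from the original
post or the Gargoyle project."""

import ipaddress
import re

# Constructed sample based on the section posted above; the `config dnsmasq`
# header is assumed (it precedes the options in a real dhcp file) and options
# unrelated to DNSSEC/DoT are left out.
SAMPLE_OK = """
config dnsmasq
    option rebind_protection '1'
    option resolvfile '/tmp/resolv.conf.auto'
    option noresolv '1'
    option dnssec '1'
    option dnsseccheckunsigned '1'
    list server '127.0.0.1#5453'
"""

# Constructed weak variant: looks stock, but silently bypasses stubby and validation.
SAMPLE_WEAK = """
config dnsmasq
    option rebind_protection '1'
    option resolvfile '/tmp/resolv.conf.auto'
    option noresolv '0'
    option dnssec '0'
    list server '1.1.1.1'

config dhcp 'lan'
    option interface 'lan'
"""

_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*?))?\s*$")


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text):
    """Minimal UCI parser: returns [{'type', 'options', 'lists'}, ...]."""
    sections, cur = [], None
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):       # comment line ('#' inside values is legal)
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        kind, name, value = m.group(1), m.group(2), _unquote(m.group(3) or "")
        if kind == "config":
            cur = {"type": name, "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is not None and kind == "option":
            cur["options"][name] = value
        elif cur is not None:
            cur["lists"].setdefault(name, []).append(value)
    return sections


def _is_loopback(server):
    """dnsmasq server syntax is [/domain/]addr[#port]; True if addr is loopback."""
    host = server.rpartition("#")[0] or server   # drop '#port' if present
    host = host.rsplit("/", 1)[-1]               # drop a '/domain/' prefix if present
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def lint_dnsmasq(text):
    """Return a list of findings; an empty list means the section looks right."""
    sections = [s for s in parse_uci(text) if s["type"] == "dnsmasq"]
    if not sections:
        return ["no 'config dnsmasq' section found"]
    opts, lists = sections[0]["options"], sections[0]["lists"]
    findings = []
    if opts.get("dnssec") != "1":
        findings.append("dnssec is not '1': dnsmasq does not validate signatures (needs dnsmasq-full)")
    if opts.get("dnsseccheckunsigned") != "1":
        findings.append("dnsseccheckunsigned is not '1': unsigned answers are accepted without "
                        "proof that the zone is unsigned, so stripped signatures go unnoticed")
    if opts.get("noresolv") != "1" and opts.get("resolvfile"):
        findings.append("noresolv is not '1' while resolvfile=%r: resolvers learned from the "
                        "WAN (ISP) are also queried in plaintext, bypassing stubby" % opts["resolvfile"])
    servers = lists.get("server", [])
    if not servers:
        findings.append("no 'list server' entry: nothing forwards to the stubby listener")
    for s in servers:
        if not _is_loopback(s):
            findings.append("server %r is not a loopback address: queries leave the router "
                            "as plaintext UDP/53 instead of going through stubby" % s)
    if opts.get("rebind_protection") != "1":
        findings.append("rebind_protection is not '1': upstream answers with private addresses are accepted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_WEAK", SAMPLE_WEAK)):
        print(name, "->", lint_dnsmasq(cfg) or ["ok"])
```

Run it against the real file with `lint_dnsmasq(open('/etc/config/dhcp').read())`; the checks only cover the forwarding and validation options, not stubby's own listener or certificate settings, which live in stubby's configuration rather than in `dhcp`.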

CBx86
Posts: 157
Joined: Sun Jan 05, 2014 5:43 pm
Location: Brazil

Re: DNS-over-TLS+DNSSEC support

Post by CBx86 »

Nice! I will try it soon!

Thanks! :D

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: DNS-over-TLS+DNSSEC support

Post by RomanHK »

Trying to use it for DNSSEC only, without stubby, it is unstable, and after rebooting the router DNSSEC no longer works. :(
Test page: https://dnssec.vs.uni-due.de/

willian
Posts: 14
Joined: Wed Mar 06, 2019 8:19 am

Re: DNS-over-TLS+DNSSEC support

Post by willian »

RomanHK wrote:Trying to use it for DNSSEC only, without stubby, it is unstable, and after rebooting the router DNSSEC no longer works. :(
Test page: https://dnssec.vs.uni-due.de/
Curious; here it is working normally. All the tests I've done, including the one you quoted, have passed. And since I used the test router I have, I turned it off all night, reconnected it this morning and it continued to run smoothly.

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: DNS-over-TLS+DNSSEC support

Post by RomanHK »

as_w wrote:
RomanHK wrote:Trying to use it for DNSSEC only, without stubby, it is unstable, and after rebooting the router DNSSEC no longer works. :(
Test page: https://dnssec.vs.uni-due.de/
Curious; here it is working normally. All the tests I've done, including the one you quoted, have passed. And since I used the test router I have, I turned it off all night, reconnected it this morning and it continued to run smoothly.
Yes, it works if you are using servers that already validate (such as Cloudflare, 1.1.1.1, ...); you must try it with servers that do not validate (Norton ConnectSafe A).

But I won't try to convince you otherwise; I also want to start using DNSSEC + TLS on routers. DNSSEC + TLS with stubby works perfectly ;). Now it depends on whether the developers integrate this option into the GUI as an additional feature :?:
