DNS-over-TLS+DNSSEC support

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project


willian
Posts: 14
Joined: Wed Mar 06, 2019 8:19 am

Re: DNS-over-TLS+DNSSEC support

Post by willian »

RomanHK wrote:
as_w wrote:
RomanHK wrote:Trying to use it only as DNSSEC without stubby, it is unstable and after rebooting the router DNSSEC no longer works. :(
Test page: https://dnssec.vs.uni-due.de/
Curious, here it is working normally. All the tests I've done, including this one you quoted, have gone ok. And as I used the test router I have, I turned it off all night, reconnected this morning and it continued to run smoothly.
Yes, it works if you are using servers that can already validate (such as cloudflare, 1.1.1.1, ...), you must try it on servers that are not already validating (Norton ConnectSafe A).

But I won't convince you otherwise - I also want to start using DNSSEC + TLS on routers. DNSSEC + TLS with stubby goes perfectly ;) . Now it depends if the developers integrate this option into the GUI as an additional feature :?: .
I understand now. Norton ConnectSafe still works?
TL-WR1043ND v1 | 1.12.X (Built 20200610-0028 git@80899c80)

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: DNS-over-TLS+DNSSEC support

Post by RomanHK »

as_w wrote: I understand now. Norton ConnectSafe still works?
That was just an example. DNS works, but does it protect? I do not know.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

coits
Posts: 118
Joined: Thu Sep 19, 2013 1:58 am
Location: canada

Re: DNS-over-TLS+DNSSEC support

Post by coits »

Guys,

Just want to ask, do dnssec and dnscrypt play together well?

Thank you
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.10.x on TP-Link Archer C7 v2.0
Gargoyle 1.11.x on WRT3200 acm

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: DNS-over-TLS+DNSSEC support

Post by RomanHK »

coits wrote:Guys,

Just want to ask, do dnssec and dnscrypt play together well?

Thank you
Yes I agree. dnsmasq full (DNSSEC) + stubby (TLS over DNS) work fine.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

coits
Posts: 118
Joined: Thu Sep 19, 2013 1:58 am
Location: canada

Re: DNS-over-TLS+DNSSEC support

Post by coits »

RomanHK wrote:
coits wrote:Guys,

Just want to ask, do dnssec and dnscrypt play together well?

Thank you
Yes I agree. dnsmasq full (DNSSEC) + stubby (TLS over DNS) work fine.
Thanks, I will try this sometime.
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.10.x on TP-Link Archer C7 v2.0
Gargoyle 1.11.x on WRT3200 acm

coits
Posts: 118
Joined: Thu Sep 19, 2013 1:58 am
Location: canada

Re: DNS-over-TLS+DNSSEC support

Post by coits »

Guys,

I have tried to install dnssec and got these errors on syslog "Insecure DS reply received, do upstream DNS servers support DNSSEC?".

Clicking on a Google search link goes to a blank page; sometimes it works!
It seems partially working.

Any idea, what I am missing here?

Thanks guys.
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.10.x on TP-Link Archer C7 v2.0
Gargoyle 1.11.x on WRT3200 acm

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: DNS-over-TLS+DNSSEC support

Post by RomanHK »

coits wrote:Guys,

I have tried to install dnssec and got these errors on syslog "Insecure DS reply received, do upstream DNS servers support DNSSEC?".

Clicking on a Google search link goes to a blank page; sometimes it works!
It seems partially working.

Any idea, what I am missing here?

Thanks guys.
You need to do this exactly as you see it from @as_w: viewtopic.php?f=5&t=11924#p52566
It is important to install dnsmasq full and stubby. The question is whether you have free space for this installation.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

coits
Posts: 118
Joined: Thu Sep 19, 2013 1:58 am
Location: canada

Re: DNS-over-TLS+DNSSEC support

Post by coits »

RomanHK wrote:
coits wrote:Guys,

I have tried to install dnssec and got these errors on syslog "Insecure DS reply received, do upstream DNS servers support DNSSEC?".

Clicking on a Google search link goes to a blank page; sometimes it works!
It seems partially working.

Any idea, what I am missing here?

Thanks guys.
You need to do this exactly as you see it from @as_w: viewtopic.php?f=5&t=11924#p52566
It is important to install dnsmasq full and stubby. The question is whether you have free space for this installation.

I have installed dnsmasq-full and stubby. It seems it doesn't play very well when you have dnscrypt running on it. When I run nslookup it is still showing 127.0.0.1:53.

I believe I need to do some port forwarding from 53 to 5453 so that nslookup will show 127.0.01:5453.

Syslog still flooding with these errors "Insecure DS reply received, do upstream DNS servers support DNSSEC?"
I used Cloudflare 1.1.1.1 and 1.0.0.1


Any thoughts or ideas, guys? It's nice to have this working.

Thank you.
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.10.x on TP-Link Archer C7 v2.0
Gargoyle 1.11.x on WRT3200 acm

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republic

Re: DNS-over-TLS+DNSSEC support

Post by RomanHK »

coits wrote: I have installed dnsmasq-full and stubby. It seems it doesn't play very well when you have dnscrypt running on it. When I run nslookup it is still showing 127.0.0.1:53.

I believe I need to do some port forwarding from 53 to 5453 so that nslookup will show 127.0.01:5453.

Syslog still flooding with these errors "Insecure DS reply received, do upstream DNS servers support DNSSEC?"
I used Cloudflare 1.1.1.1 and 1.0.0.1


Any thoughts or ideas, guys? It's nice to have this working.

Thank you.
Okay. This will be an ISP problem, disable it for DNS to be accessible. In /etc/config/dhcp, change the value as follows:

option resolvfile '/dev/null'
So I hope you've added these values:

option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'
And watch out for typos (127.0.01:5453)

They should help. Let me know if you do.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users
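A quick way to confirm the three settings RomanHK lists before rebooting: the following is an added example, not code from this thread or from Gargoyle/OpenWrt. It parses the 'config dnsmasq' section of a UCI /etc/config/dhcp file and reports anything missing. The sample config is constructed from the lines posted above; the stubby listener address 127.0.0.1#5453 is assumed from the thread, only single-quoted values and IPv4 upstreams are handled, and the comment about extra upstreams reflects dnsmasq's behaviour of forwarding to any listed server (domain-scoped entries only for their domain).

```python
import re

# Constructed sample modelled on the /etc/config/dhcp lines posted in this
# thread: RomanHK's three recommended settings plus coits's server list.
SAMPLE_DHCP_CONFIG = """\
config dnsmasq
    option domainneeded '1'
    option resolvfile '/dev/null'
    option noresolv '1'
    option dnssec '1'
    option dnsseccheckunsigned '1'
    list server '127.0.0.1#5453'
    list server '127.0.0.1#5353'
    list server '/pool.ntp.org/208.67.222.222'

config dhcp 'lan'
    option interface 'lan'
"""

# Assumed from the thread: stubby listens on 127.0.0.1 port 5453.
STUBBY_UPSTREAM = "127.0.0.1#5453"

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_dnsmasq_section(text):
    """Collect the option and list entries of the 'config dnsmasq' section.
    Only single-quoted values, as written in the thread, are recognised."""
    options, lists = {}, {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_section = line.split()[1] == "dnsmasq"
            continue
        if not in_section or not line or line.startswith("#"):
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m is None:
            continue
        kind, name, value = m.groups()
        if kind == "option":
            options[name] = value
        else:
            lists.setdefault(name, []).append(value)
    return options, lists


def upstream_host(entry):
    """'1.2.3.4#5453' -> '1.2.3.4'; '/example.org/1.2.3.4' -> '1.2.3.4'."""
    return entry.split("#")[0].split("/")[-1]


def is_valid_ipv4(host):
    m = IPV4_RE.match(host)
    return m is not None and all(0 <= int(octet) <= 255 for octet in m.groups())


def check_dnssec_config(text, stubby=STUBBY_UPSTREAM):
    """Return a list of findings; an empty list means the settings from the
    thread are present and stubby is the only upstream (IPv4 upstreams only)."""
    options, lists = parse_dnsmasq_section(text)
    findings = []
    if options.get("dnssec") != "1":
        findings.append("option dnssec '1' is missing: dnsmasq will not validate")
    if options.get("dnsseccheckunsigned") != "1":
        findings.append("option dnsseccheckunsigned '1' is missing: "
                        "unsigned answers are accepted without proof of being unsigned")
    if options.get("resolvfile") != "/dev/null" and options.get("noresolv") != "1":
        findings.append("ISP resolvers from resolv.conf are still in use: "
                        "set resolvfile '/dev/null' or noresolv '1'")
    servers = lists.get("server", [])
    if stubby not in servers:
        findings.append(f"no 'list server' entry for {stubby}: stubby is not an upstream")
    for entry in servers:
        host = upstream_host(entry)
        if not is_valid_ipv4(host):
            findings.append(f"malformed upstream address in {entry!r} "
                            "(the thread's typo was 127.0.01)")
        elif entry != stubby:
            # dnsmasq may forward to any listed server (domain-scoped entries
            # for their domain), so each one must also return DNSSEC records;
            # otherwise dnsmasq logs 'Insecure DS reply received'.
            findings.append(f"extra upstream {entry!r} bypasses stubby "
                            "and must itself return DNSSEC records")
    return findings


if __name__ == "__main__":
    for finding in check_dnssec_config(SAMPLE_DHCP_CONFIG):
        print("-", finding)
```

Run it against a copy of /etc/config/dhcp pulled from the router; an empty result means the three options are in place and every query goes through stubby, while each reported extra upstream is a path on which dnsmasq can still receive unsigned answers.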

coits
Posts: 118
Joined: Thu Sep 19, 2013 1:58 am
Location: canada

Re: DNS-over-TLS+DNSSEC support

Post by coits »

RomanHK wrote:
coits wrote: I have installed dnsmasq-full and stubby. It seems it doesn't play very well when you have dnscrypt running on it. When I run nslookup it is still showing 127.0.0.1:53.

I believe I need to do some port forwarding from 53 to 5453 so that nslookup will show 127.0.01:5453.

Syslog still flooding with these errors "Insecure DS reply received, do upstream DNS servers support DNSSEC?"
I used Cloudflare 1.1.1.1 and 1.0.0.1


Any thoughts or ideas, guys? It's nice to have this working.

Thank you.
Okay. This will be an ISP problem, disable it for DNS to be accessible. In /etc/config/dhcp, change the value as follows:

option resolvfile '/dev/null'
So I hope you've added these values:

option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'

And watch out for typos (127.0.01:5453)

They should help. Let me know if you do.

Still not working, tried to run nslookup and ping, but to no avail.

Please see details below.
Any thoughts why dnssec not working?

Thank you.
================================
nslookup google.ca
;; connection timed out; no servers could be reached

ping google.ca
ping: bad address 'google.ca'
================================

dhcp configuration:
===================
option resolvfile '/dev/null'
option nonwildcard '1'
option localservice '1'
option noresolv '1'
option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'
list server '127.0.0.1#5353'
list server '/pool.ntp.org/208.67.222.222'
===================

Syslog is flooding with same error below.
================================
Insecure DS reply received, do upstream DNS servers support DNSSEC?
================================

I have tested stubby and it looks good if port 5453 was specified.
================================
; <<>> DiG 9.11.2-P1 <<>> dnssectest.sidn.nl +dnssec +multi -p5453 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42421
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A

;; ANSWER SECTION:
dnssectest.sidn.nl. 14400 IN A 213.136.9.12
dnssectest.sidn.nl. 14400 IN RRSIG A 8 3 14400 (
20190425133854 20190326133854 42033 sidn.nl.
eJRvKCpzWqZVkuq/yJiV398ZRQrdCKLx+Sut8S5FGnhw
kdyhG/YIZW2wnf+xPqF7f1HxVI/Yu9PLjySbSDZU3mrc
LJs+60WM05r5vsH4IisPoxjH1/5cHF6Rqbc5hVhlVStJ
NeYQtw20SAIJ55dVPDhAH2LcEmv/uc1q6tgRftQ= )
================================
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.10.x on TP-Link Archer C7 v2.0
Gargoyle 1.11.x on WRT3200 acm
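The dig output above shows what a validated answer looks like: the `ad` flag in the header, the EDNS `do` bit, and an RRSIG beside the A record. The following is an added example, not code from this thread, that parses dig output of that form and classifies it. The first sample is the dig output coits posted; the other two are constructed to show an answer that carries signatures but no `ad` flag, and a SERVFAIL as a validating resolver returns for a name whose signatures do not check out. One caveat to keep in mind when reading the result: `ad` is set by whichever resolver did the validating, so querying stubby on port 5453 shows what its upstream asserts, while querying dnsmasq on port 53 is the check for dnsmasq's own validation.

```python
import re

# Taken from the dig output coits posted in this thread (stubby on 127.0.0.1#5453).
VALIDATED_DIG_OUTPUT = """\
; <<>> DiG 9.11.2-P1 <<>> dnssectest.sidn.nl +dnssec +multi -p5453 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42421
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A

;; ANSWER SECTION:
dnssectest.sidn.nl. 14400 IN A 213.136.9.12
dnssectest.sidn.nl. 14400 IN RRSIG A 8 3 14400 (
20190425133854 20190326133854 42033 sidn.nl.
eJRvKCpzWqZVkuq/yJiV398ZRQrdCKLx+Sut8S5FGnhw
kdyhG/YIZW2wnf+xPqF7f1HxVI/Yu9PLjySbSDZU3mrc
LJs+60WM05r5vsH4IisPoxjH1/5cHF6Rqbc5hVhlVStJ
NeYQtw20SAIJ55dVPDhAH2LcEmv/uc1q6tgRftQ= )
"""

# Constructed: a resolver that passes signatures through but does not
# validate returns the same records without the 'ad' flag.
UNVALIDATED_DIG_OUTPUT = VALIDATED_DIG_OUTPUT.replace(
    ";; flags: qr rd ra ad;", ";; flags: qr rd ra;")

# Constructed: a validating resolver refusing a name whose signatures fail.
SERVFAIL_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;example.invalid. IN A
"""


def parse_dig(text):
    """Extract status, header flags, EDNS flags and answer record types
    from dig's text output (+multi continuation lines are skipped)."""
    status = None
    header_flags, edns_flags = set(), set()
    answer_types = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            header_flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith("; EDNS:"):
            m = re.search(r"flags: ([^;]*);", line)
            edns_flags = set(m.group(1).split()) if m else set()
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;") or not line.strip():
            in_answer = False
        elif in_answer:
            parts = line.split()
            # A record line reads: name ttl class type ...; the continuation
            # lines of a +multi RRSIG never have 'IN' in the third field.
            if len(parts) >= 4 and parts[2] == "IN":
                answer_types.append(parts[3])
    return {"status": status, "ad": "ad" in header_flags, "do": "do" in edns_flags,
            "rrsig": "RRSIG" in answer_types, "types": answer_types}


def verdict(text):
    """'validated' (ad set), 'unvalidated' (answer without ad), 'servfail'
    (resolver refused, which is what validation failure looks like to a
    client) or 'no-dnssec' (DO bit was not negotiated, so ask with +dnssec)."""
    r = parse_dig(text)
    if r["status"] == "SERVFAIL":
        return "servfail"
    if not r["do"]:
        return "no-dnssec"
    return "validated" if r["ad"] else "unvalidated"


if __name__ == "__main__":
    for name, sample in (("thread", VALIDATED_DIG_OUTPUT),
                         ("no-ad", UNVALIDATED_DIG_OUTPUT),
                         ("servfail", SERVFAIL_DIG_OUTPUT)):
        print(name, verdict(sample), parse_dig(sample)["types"])
```

Feed it the output of `dig <name> +dnssec @127.0.0.1` once against port 5453 and once against port 53; an `unvalidated` verdict on port 53 while port 5453 reports `validated` points at the dnsmasq side of the setup rather than at stubby.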
