> RomanHK wrote:
> > as_w wrote:
> > > RomanHK wrote:
> > > Trying to use it only as DNSSEC without stubby, it is unstable and after rebooting the router DNSSEC no longer works.
> > Curious, here it is working normally. All the tests I've done, including this one you quoted, have gone ok. And as I used the test router I have, I turned it off all night, reconnected this morning and it continued to run smoothly.
> Yes, it works if you are using servers that can already validate (such as cloudflare, 1.1.1.1, ...), you must try it on servers that are not already validating (Norton ConnectSafe A).
> Test page: https://dnssec.vs.uni-due.de/
> But I won't convince you otherwise - I also want to start using DNSSEC + TLS on routers. DNSSEC + TLS with stubby goes perfectly. Now it depends if the developers integrate this option into the GUI as an additional feature.

I understand now. Norton ConnectSafe still works?
DNS-over-TLS+DNSSEC support
Re: DNS-over-TLS+DNSSEC support
TL-WR1043ND v1 | 1.12.X (Built 20200610-0028 git@80899c80)
Re: DNS-over-TLS+DNSSEC support
> as_w wrote:
> I understand now. Norton ConnectSafe still works?

That was just an example. DNS works, but does it protect? I do not know.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
Re: DNS-over-TLS+DNSSEC support
Guys,
Just want to ask, do dnssec and dnscrypt play together well?
Thank you
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.15.0 on TP-Link Archer C7 v2.0
Gargoyle 1.15.x on WRT3200 acm
Re: DNS-over-TLS+DNSSEC support
> coits wrote:
> Guys,
> Just want to ask, do dnssec and dnscrypt play together well?
> Thank you

Yes I agree. dnsmasq full (DNSSEC) + stubby (TLS over DNS) work fine.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
Re: DNS-over-TLS+DNSSEC support
> RomanHK wrote:
> > coits wrote:
> > Guys,
> > Just want to ask, do dnssec and dnscrypt play together well?
> > Thank you
> Yes I agree. dnsmasq full (DNSSEC) + stubby (TLS over DNS) work fine.

Thanks, I will try this sometime.
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.15.0 on TP-Link Archer C7 v2.0
Gargoyle 1.15.x on WRT3200 acm
Re: DNS-over-TLS+DNSSEC support
Guys,
I have tried to install dnssec and got these errors on syslog "Insecure DS reply received, do upstream DNS servers support DNSSEC?".
Clicking on a Google search link goes to a blank page; sometimes it works!
It seems partially working.
Any idea what I am missing here?
Thanks guys.
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.15.0 on TP-Link Archer C7 v2.0
Gargoyle 1.15.x on WRT3200 acm
Re: DNS-over-TLS+DNSSEC support
> coits wrote:
> Guys,
> I have tried to install dnssec and got these errors on syslog "Insecure DS reply received, do upstream DNS servers support DNSSEC?".
> Clicking on a Google search link goes to a blank page; sometimes it works!
> It seems partially working.
> Any idea what I am missing here?
> Thanks guys.

You need to do this exactly as you see it from @as_w: viewtopic.php?f=5&t=11924#p52566
It is important to install dnsmasq full and stubby. The question is whether you have free space for this installation.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
Re: DNS-over-TLS+DNSSEC support
> RomanHK wrote:
> > coits wrote:
> > Guys,
> > I have tried to install dnssec and got these errors on syslog "Insecure DS reply received, do upstream DNS servers support DNSSEC?".
> > Clicking on a Google search link goes to a blank page; sometimes it works!
> > It seems partially working.
> > Any idea what I am missing here?
> > Thanks guys.
> You need to do this exactly as you see it from @as_w: viewtopic.php?f=5&t=11924#p52566
> It is important to install dnsmasq full and stubby. The question is whether you have free space for this installation.

I have installed dnsmasq-full and stubby. It seems it doesn't play very well when you have dnscrypt running on it. When I run nslookup it is still showing 127.0.0.1:53.
I believe I need to do some port forwarding from 53 to 5453 so that nslookup will show 127.0.01:5453.
Syslog is still flooding with these errors: "Insecure DS reply received, do upstream DNS servers support DNSSEC?"
I used Cloudflare 1.1.1.1 and 1.0.0.1
Any thoughts or ideas, guys? It's nice to have this working.
Thank you.
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.15.0 on TP-Link Archer C7 v2.0
Gargoyle 1.15.x on WRT3200 acm
Re: DNS-over-TLS+DNSSEC support
> coits wrote:
> I have installed dnsmasq-full and stubby. It seems it doesn't play very well when you have dnscrypt running on it. When I run nslookup it is still showing 127.0.0.1:53.
> I believe I need to do some port forwarding from 53 to 5453 so that nslookup will show 127.0.01:5453.
> Syslog is still flooding with these errors: "Insecure DS reply received, do upstream DNS servers support DNSSEC?"
> I used Cloudflare 1.1.1.1 and 1.0.0.1
> Any thoughts or ideas, guys? It's nice to have this working.
> Thank you.

Okay. This will be an ISP problem, disable it for DNS to be accessible. In /etc/config/dhcp, change the value as follows:
Code:
option resolvfile '/dev/null'
Code:
option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'
They should help. Let me know if you do.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
Re: DNS-over-TLS+DNSSEC support
> RomanHK wrote:
> > coits wrote:
> > I have installed dnsmasq-full and stubby. It seems it doesn't play very well when you have dnscrypt running on it. When I run nslookup it is still showing 127.0.0.1:53.
> > I believe I need to do some port forwarding from 53 to 5453 so that nslookup will show 127.0.01:5453.
> > Syslog is still flooding with these errors: "Insecure DS reply received, do upstream DNS servers support DNSSEC?"
> > I used Cloudflare 1.1.1.1 and 1.0.0.1
> > Any thoughts or ideas, guys? It's nice to have this working.
> > Thank you.
> Okay. This will be an ISP problem, disable it for DNS to be accessible. In /etc/config/dhcp, change the value as follows:
> Code:
> option resolvfile '/dev/null'
> So I hope you've added these values:
> Code:
> option dnssec '1'
> option dnsseccheckunsigned '1'
> list server '127.0.0.1#5453'
> And watch out for typos (127.0.01:5453)
> They should help. Let me know if you do.

Still not working. I tried to run nslookup and ping, but to no avail.
Please see details below.
Any thoughts why dnssec is not working?
Thank you.
================================
nslookup google.ca
;; connection timed out; no servers could be reached
ping google.ca
ping: bad address 'google.ca'
================================
dhcp configuration:
===================
option resolvfile '/dev/null'
option nonwildcard '1'
option localservice '1'
option noresolv '1'
option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'
list server '127.0.0.1#5353'
list server '/pool.ntp.org/208.67.222.222'
===================
Syslog is flooding with same error below.
================================
Insecure DS reply received, do upstream DNS servers support DNSSEC?
================================
I have tested stubby and it looks good if port 5453 was specified.
================================
; <<>> DiG 9.11.2-P1 <<>> dnssectest.sidn.nl +dnssec +multi -p5453 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42421
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
;; ANSWER SECTION:
dnssectest.sidn.nl. 14400 IN A 213.136.9.12
dnssectest.sidn.nl. 14400 IN RRSIG A 8 3 14400 (
20190425133854 20190326133854 42033 sidn.nl.
eJRvKCpzWqZVkuq/yJiV398ZRQrdCKLx+Sut8S5FGnhw
kdyhG/YIZW2wnf+xPqF7f1HxVI/Yu9PLjySbSDZU3mrc
LJs+60WM05r5vsH4IisPoxjH1/5cHF6Rqbc5hVhlVStJ
NeYQtw20SAIJ55dVPDhAH2LcEmv/uc1q6tgRftQ= )
================================
Gargoyle 1.9.x on Buffalo WZR-HP-AG300H
Gargoyle 1.15.0 on TP-Link Archer C7 v2.0
Gargoyle 1.15.x on WRT3200 acm
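The two checks this thread keeps coming back to, as an added example (not code from any poster or from the Gargoyle project): does the dnsmasq section forward only to stubby, and does a dig answer carry the `ad` flag. It assumes stubby listens on 127.0.0.1#5453 as in the posts; the function names are made up for illustration.

```shell
# Added example, not from the thread. Assumes stubby listens on 127.0.0.1#5453
# (as in the posts) and is meant to be dnsmasq's only general upstream.
STUBBY='127.0.0.1#5453'

# Read /etc/config/dhcp on stdin; print findings, return non-zero if any.
audit_dnsmasq() {
    awk -v stubby="$STUBBY" '
        { gsub(/\047/, "") }                        # strip single quotes
        $1 == "config" { dns = ($2 == "dnsmasq"); next }
        !dns { next }                               # ignore other sections
        $1 == "option" { opt[$2] = $3 }
        $1 == "list" && $2 == "server" {
            if ($3 == stubby) { seen = 1; next }
            n++
            if ($3 ~ /^\//) print "domain-specific upstream not via stubby: " $3
            else print "extra general upstream besides stubby: " $3
        }
        END {
            if (opt["dnssec"] != "1") { n++; print "option dnssec is not 1" }
            if (opt["noresolv"] != "1" && opt["resolvfile"] != "/dev/null")
                { n++; print "resolv file upstreams still in use" }
            if (!seen) { n++; print "no list server entry for " stubby }
            exit (n > 0)
        }'
}

# Read dig output on stdin; return 0 only if the header has the ad flag.
has_ad_flag() {
    awk '/^;; flags:/ {
             sub(/^;; flags:/, ""); sub(/;.*/, "")
             for (i = 1; i <= NF; i++) if ($i == "ad") found = 1
         }
         END { exit !found }'
}

# Sample input: options from the last post under an added "config dnsmasq" header.
sample_config() {
    cat <<'EOF'
config dnsmasq
    option resolvfile '/dev/null'
    option noresolv '1'
    option dnssec '1'
    option dnsseccheckunsigned '1'
    list server '127.0.0.1#5453'
    list server '127.0.0.1#5353'
    list server '/pool.ntp.org/208.67.222.222'
EOF
}
sample_config | audit_dnsmasq || echo "config needs attention"
```

On the router, run `audit_dnsmasq < /etc/config/dhcp`, and pipe a `dig +dnssec` query sent to dnsmasq on port 53 (rather than to stubby on 5453) into `has_ad_flag` to see whether validation survives the full path.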