DNS-over-TLS+DNSSEC support

[RomanHK]

Okay, I'm sorry - after the router's reboot, it self-adjusted - Gargoyle has it set that if you have "Allow NameCoin/OpenNIC Resolution" enabled, it will reset itself . You have to realize that it is only an alternative to KNOT (UNBOUND) resolver and all communication must go through stubby (which I have already written). This is the only lack of dnsmasq daemon.

1) Set DNS from ISP by screenshot:


2) Edit /etc/config/dhcp configuration:

Code: Select all

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option dnssec '1'
	option dnsseccheckunsigned '1'

3) Insert rows into /etc/dnsmasq.conf configuration:

Code: Select all

no-resolv
server="127.0.0.1#5453"

Log has no errors and looks like this:

Code: Select all

started, version 2.80 cachesize 150
DNS service limited to local subnets
compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
DNSSEC validation enabled
configured with trust anchor for <root> keytag 20326
configured with trust anchor for <root> keytag 19036
daemon.warn dnsmasq[18003]: warning: ignoring resolv-file flag because no-resolv is set
daemon.info dnsmasq-dhcp[18003]: DHCP, IP range 192.168.1.125 -- 192.168.1.174, lease time 2d
daemon.info dnsmasq-dhcp[18003]: IPv6 router advertisement enabled
using local addresses only for domain test
using local addresses only for domain onion
using local addresses only for domain localhost
using local addresses only for domain local
using local addresses only for domain invalid
using local addresses only for domain bind
using local addresses only for domain lan
using nameserver 127.0.0.1#5453
read /etc/hosts - 48 addresses
read /tmp/hosts/dhcp.cfg01411c - 3 addresses
daemon.info dnsmasq-dhcp[18003]: read /etc/ethers - 45 addresses

Router Commands:

Code: Select all

BusyBox v1.28.4 () built-in shell (ash)

------------------------------------------------------------------
|            _____                             _                 |
|           |  __ \                           | |                |
|           | |  \/ __ _ _ __ __ _  ___  _   _| | ___            |
|           | | __ / _` | '__/ _` |/ _ \| | | | |/ _ \           |
|           | |_\ \ (_| | | | (_| | (_) | |_| | |  __/           |
|            \____/\__,_|_|  \__, |\___/ \__, |_|\___|           |
|                             __/ |       __/ |                  |
|                            |___/       |___/                   |
|                                                                |
|----------------------------------------------------------------|
| Gargoyle version 1.11.X   | OpenWrt 18.06 branch               |
| Gargoyle revision 3b74ef1f| OpenWrt commit 806b570             |
| Built February 13, 2019   | Target  mvebu/default              |
------------------------------------------------------------------
root@TurrisOmnia:~# nslookup google.ca
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      google.ca
Address 1: 172.217.23.227
Address 2: 2a00:1450:4014:800::2003

root@TurrisOmnia:~# ping -c4 google.ca
PING google.ca (172.217.23.227): 56 data bytes
64 bytes from 172.217.23.227: seq=0 ttl=55 time=5.321 ms
64 bytes from 172.217.23.227: seq=1 ttl=55 time=4.779 ms
64 bytes from 172.217.23.227: seq=2 ttl=55 time=5.234 ms
64 bytes from 172.217.23.227: seq=3 ttl=55 time=5.008 ms

--- google.ca ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 4.779/5.085/5.321 ms
root@TurrisOmnia:~#

I have restarted it several times, the configuration is holding, errors aren't appearing in the log.

So now it should go. Let me know if you do.

[coits]

Apologies for the late reply.

I have tried the above suggestion and still not working.

I will try to update my spare router with the latest gargoyle firmware and let's see how it goes?

Don't wanna messed up that much on my primary router.

Thank you!

[RomanHK]

So I'm sorry that it doesn't work for you.
You'll have to start from the beginning. Stubby you have done (see your test). The problem will probably be in dnsmasq. You have to do this as follows and it must go through without errors:

Code: Select all

opkg remove dnsmasq && opkg install dnsmasq-full --force-overwrite

Then set dnsmasq according to my last post (edit the /etc/config/dhcp and /etc/dnsmasq.conf files), reboot the router and do the tests - it should already go.

[coits]

Followed everything you have advise.But, still not working, I can see the log that says "dnsvalidation enabled". But, these errors still flooding on syslog.
===================================================
Insecure DS reply received, do upstream DNS servers support DNSSEC?
===================================================

Thanks

[RomanHK]

Followed everything you have advise.But, still not working, I can see the log that says "dnsvalidation enabled". But, these errors still flooding on syslog.
===================================================
Insecure DS reply received, do upstream DNS servers support DNSSEC?
===================================================

Thanks

Looks like it's going to be a mistake somewhere on CloudFlare.
https://www.snbforums.com/threads/dnssec-log.47804/
https://community.cloudflare.com/t/does ... ssec/33539

It can be seen that this type is imperfect and I can't do much with it.

[coits]

I have burned my midnight candle on this last night.

Finally I have it working, but still this "insecure DS" comes in the log sometimes.I have check it thru dnssec test sites and it says dnssec is working.but, dnscrypt is broken.

When I fixed dnscrypt then dnssec is not working. Finally, I would say dnssec and dnscrypt wont work together that well.

But, at least we have some progress. let's wait for a few months until someone from the forum give us some insight on how to make these 2 play together well.

Thanks RomanHK for your advise and support on this.

[coits]

Hi Guys,

Just want to give an update about this topic.
I finally got dnscrypt and dnssec play together pretty well.

I have remove dnscrypt and manually installed dnscrypt-proxy V2, it's pretty big around 6M. and use cloudflare not opendns.

Check the logs and don't see these errors anymore

============================================
Insecure DS reply received, do upstream DNS servers support DNSSEC?
============================================

Passed all dnssec and dnscrypt test.

Thanks

[RomanHK]

Step by step: https://davidc502sis.dynamic-dns.net/dnscrypt/

[RomanHK]

I didn't have much time to check but it seems to work. Since the version of OpenWRT I installed is 18.06 and the newly released Gargoyle is based on this, today or tomorrow I will test to see if it works.

My result is:
STUBBY = unstable, has a problem with DNS (MX record).
DNSMASQ (full) = has a problem with DNSSEC verification. https://rootcanary.org/test.html
I got better results with DNSCRYPT v2.

I came back to UNBOUND and have both DNS-over-TLS and DNSSEC set up.

But it's a matter of opinion, so it really depends on you what you use ...