Search the Community

Dear Community, First you all know the drill by now - " The Intro " - two throwbacks - https://www.youtube.com/watch?v=m5FCcDEA6mY - lyrics - https://genius.com/Neil-young-southern-man-lyrics - and don't you know - https://www.youtube.com/watch?v=wkA7ok5MySk - https://genius.com/Funkadelic-if-you-dont-like-the-effects-dont-produce-the-cause-lyrics - OK - now that our long standing tradition of public elucidation has been fulfilled - let's get down to the business at hand. Since version OPNsense 18.7 - you may install stubby and getdns on OPNsense by simply issuing command # pkg install getdns ( Special Thanks and Kudos to Franco and the marvelous OPNsense Development Team ) - Please disregard and do not use any guides and / or tutorials which predate this one which covers installation and configuration of DNS Privacy on OPNsense FireWall. This is an updated guide / tutorial which explains how to setup adding DNS-Over-TLS support for OPNsense. However, there has been a minor change ( yet little known ) in UNBOUND on OPNsense 21.7.1 with regard to configure it to work with Stubby for DNS Privacy DNS OVER TLS. So, let's get started strait away. See here for previous more in depth guide concerning the benefits of DNS Privacy : https://bit.ly/3j0QT1l So here we go. So go ahead and issue command : A - # pkg install getdns in order to get started. After installing getdns which includes stubby follow the steps below. 1 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs Unbound root.key - run this command before getting started: A - # su -m unbound -c /usr/local/sbin/unbound-anchor Then - B - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh Make it executable - I run this command - it works for me: C - # chmod 755 /usr/local/etc/rc.d/stubby.sh D - Yes must enable Stubby Daemon in the file - open file by : E - # nano /usr/local/etc/rc.d/stubby.sh go to line 27 - : ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes already configured. Save and exit. 2 - Now you must configure Stubby to resolve DNS OVER TLS - enter command below : A -# nano /usr/local/etc/stubby/stubby.yml - make your file match some thing similar to this ################################################################################ ######################## STUBBY YAML CONFIG FILE ############################### ################################################################################ # This is a yaml version of the stubby configuration file (it replaces the # json based stubby.conf file used in earlier versions of getdns/stubby). # # For more information see # https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby # resolution_type: GETDNS_RESOLUTION_STUB dns_transport_list: - GETDNS_TRANSPORT_TLS tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 edns_client_subnet_private : 1 idle_timeout: 9000 listen_addresses: - [email protected] - 0::[email protected] tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 round_robin_upstreams: 1 tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt" dnssec_trust_anchors: "/usr/local/etc/unbound/root.key" # add the right path upstream_recursive_servers: ### IPV4 Servers ### ### DNS Privacy DOT Test Servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 185.49.141.37 - address_data: 2a04:b900:0:100::38 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## 2 - The Surfnet/Sinodun DNS TLS Servers #3 A+ ( NLD ) - address_data: 145.100.185.18 - address_data: 2001:610:1:40ba:145:100:185:18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## xx - The The Surfnet/Sinodun DNS TLS Server A ( NLD ) - address_data: 145.100.185.15 - address_data: 2001:610:1:40ba:145:100:185:15 tls_auth_name: "dnsovertls.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= ## xx - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD ) - address_data: 145.100.185.16 - address_data: 2001:610:1:40ba:145:100:185:16 tls_auth_name: "dnsovertls1.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= ## 3 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) - address_data: 199.58.81.218 - address_data: 2001:470:1c:76d::53 tls_auth_name: "dns.cmrg.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= ## 4 - The BlahDNS Japan DNS TLS Server A+ ( JPN ) - address_data: 139.162.112.47 - address_data: 2400:8902::f03c:92ff:fe27:344b tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: /llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM= ## xx - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU ) - address_data: 78.46.244.143 - address_data: 2a01:4f8:c17:ec67::1 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: c6xmf1GsYo1IFyxc+CWfjYo+xpSV9i98H7InJTDylsU= ## xx - The BlahDNS Finland DNS TLS Server A+ ( FIN ) - address_data: 95.216.212.177 - address_data: 2a01:4f9:c010:43ce::1 tls_auth_name: "dot-fi.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: EVL610kmcSvN01nzJkkzl94IHiIVvW0PovbB5En2QfU= ## xx - The BlahDNS Singapore DNS TLS Server A+ ( SGP ) - address_data: 192.53.175.149 - address_data: 2400:8901::f03c:92ff:fe27:870a tls_auth_name: "dot-sg.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: B+aX4NBLfDsKlOWf8RM6rjL8yOCF9sZlHQnarDNrrWM= ## xx - The BlahDNS Switzerland DNS TLS Server A+ ( CHE ) - address_data: 45.91.92.121 - address_data: 2a05:9406::175 tls_auth_name: "dot-ch.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk= ## 5 - The dns.neutopia.org DNS TLS Server A+ ( FRA ) - address_data: 89.234.186.112 tls_auth_name: "dns.neutopia.org" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= ## 6 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 146.255.56.98 - address_data: 2a02:1b8:10:234::2 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: xhQVPE+X85b9LkORuEhxfsxE1X2EbOm8v5ytxCqg5BI= ## 7 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR ) - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Am37BK5eBKSafYNJupWsoh5pokR3wwJ5zs7xvniF6XE= ## 8 - The dismail.de DNS TLS Server #1 A+ ( DEU ) - address_data: 80.241.218.68 tls_port: 853 tls_auth_name: "fdns1.dismail.de" tls_pubkey_pinset: - digest: "sha256" value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU= ## xx - The dismail.de DNS TLS Server #2 A+ ( USA ) - address_data: 159.69.114.157 tls_port: 853 tls_auth_name: "fdns2.dismail.de" tls_pubkey_pinset: - digest: "sha256" value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w= ## 9 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) - address_data: 80.67.188.188 tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= ## This certificate is currently expired which ## does not pose any concerns in SPKI mode ## (in practice with Stubby) ## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/ ## 10 - The ibksturm.synology.me DNS TLS Server A+ ( CHE ) - address_data: 213.196.191.96 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: yrMslOFXpWeLoNw0YgQk/pA5vl2mqXfBOASYLLeqDxc= ## 11 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL ) - address_data: 46.239.223.80 tls_auth_name: "dns.flatuslifir.is" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: b9sJFKc+wycfm4FHB9ddNopdeKceru+sZk0w5nz4xfQ= ### Publicly Available DOT Test Servers ### ## 12 - The FEROZ SALAM DNS TLS Server A+ ( GBR ) - address_data: 46.101.66.244 tls_auth_name: "doh.li" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ugm6mY2NNKi0I/Q+pofAgx0c31tbcW6xYAImZXr5Oqo= ## 13 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR ) - address_data: 217.169.20.23 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sS2Atff8wMigRVTxmS36FbMaXiCWsxLgD3AOtTA9eeU= ## xx - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR ) - address_data: 217.169.20.22 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /jchI7afFvSaVm4DCTksJcPHyK7uvbcwNUtTNNV4Bek= ## 14 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS ) - address_data: 45.76.113.31 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM= ## xx - The dns.seby.io - OVH DNS TLS Server A+ ( AUS ) - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /3AxvvuWCQmYQ4/mqHJzPL1rPC7KxaahVPmUkoSVR5A= ## 15 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE ) - address_data: 185.95.218.43 - address_data: 2a05:fc84::43 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sAH7JR5A8WA+hs1ZGXPS/uq3Y1wufBi2wQ8Crk+oR2Q= ## xx - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE ) - address_data: 185.95.218.42 - address_data: 2a05:fc84::42 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Fpgt86sGjlL4sbgNmd1WX0BYEIEJ7yQk9rp+uQKxI+w= ## 16 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA ) - address_data: 168.235.81.167 tls_auth_name: "dns-nyc.aaflalo.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Dn58VD18MLkmmG9wvzvSs30Tu1Rd65igDLpp1odYaAc= # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the #tls_ciphersuites option. This option can also be given per upstream. tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required # for this option. This option can also be given per upstream. tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_min_version: GETDNS_TLS1_2 # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_max_version: GETDNS_TLS1_3 When I get some time - next day or two - I will post a separate Forum entry which lists many more DNS OVER TLS servers that are publicly available for. However, these are more than enough to get you started. 3 - In order to have OPNsense 21.7.1 use default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time it helps to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following : # touch /etc/rc.conf.d/stubby - create the needed new file # nano /etc/rc.conf.d/stubby - in the new file enter the following two lines: stubby_enable="YES" stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh" Save and exit / then make the file executable - once again - works for me : # chmod 755 /etc/rc.conf.d/stubby 4 - Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS. This is where there has been a ( major ) change to UNBOUND on OPNsense 21.7.1 . The bottom line is that there is no longer any option whatsoever for you to configure UNBOUND Custom Options via OPNsense 21.7.1 WEBGUI. A - See here for the changes - https://bit.ly/3vfx1MT - then scroll down to Advanced Configurations. There you may read about the changes I alluded to earlier. So here is how we go about configuring Unbound/Stubby combination for OPNsense 21.7.1 Some user combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as fully featured TLS forwarder). This is what we are out to achieve. Advanced Configurations Some installations require configuration settings that are not accessible in the UI. To support these, individual configuration files with a .conf extension can be put into the /usr/local/etc/unbound.opnsense.d directory. Now theoretically - you should be able to create the need file by doing the following below : B - # touch /usr/local/etc/unbound.opnsense.d/unbound_srv.conf C - # nano /usr/local/etc/unbound.opnsense.d/unbound_srv.conf enter the following in the new file as detailed below : #################################################### ### Unbound Advanced Configuration server: tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt" hide-trustanchor: yes harden-glue: yes harden-dnssec-stripped: yes num-threads: 4 rrset-cache-size: 256m msg-cache-size: 128m so-rcvbuf: 1m val-clean-additional: yes minimal-responses: yes harden-referral-path: yes aggressive-nsec: yes prefetch: yes qname-minimisation: yes qname-minimisation-strict: yes rrset-roundrobin: yes target-fetch-policy: "0 0 0 0 0" max-udp-size: 3072 harden-below-nxdomain: yes ip-ratelimit: 300 ip-ratelimit-factor: 10 incoming-num-tcp: 100 edns-buffer-size: 1472 do-not-query-localhost: no forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] forward-addr: 0::[email protected] ################################################## *** Note that the file you create must end in .conf in order to be automatically included by the UI generated configuration. Also, Name collisions with plugin code, which use this extension point e. g. dnsbl.conf, may occur. So be sure to use a unique filename. unbound_srv.conf is a unique filename on OPNsense 21.7.1 for sure - trust me. 5 - Now, I have one caveat - when I created this file ( as described above ) via SSH - there was an issue where DNS OVER TLS did not work at all or as it should - the resolvers did not connect. Perhaps the file needs permissions - you can try - chmod 664 /usr/local/etc/unbound.opnsense.d/unbound_srv.conf and see how this works out for you GUARANTEED SOLUTION: What I did was use WINSCP in order to have this setup perform as intended. Use your favorite text editor ( I use EditPad Pro ) and copy Unbound Advanced Configuration above - into a new file labeled - unbound_srv.conf - Save this file to a local directory on your computer. Next, follow the steps below : A - WINSCP into your OPNsense 21.7.1 Firewall via SFTP protocol - SCP will not connect on OPNsense. Make sure to use SFTP protocol. Go into ( open ) the directory below on the right side of WINSCP interface : /usr/local/etc/unbound.opnsense.d/ B - Go into the directory on your computer where you have the unbound_srv.conf file which you previously created and filled out with the Unbound Advanced Configuration. This will be on the left side of WINSCP. C - Drag and Drop unbound_srv.conf ( on the left side of WINSCP ) into the /usr/local/etc/unbound.opnsense.d/unbound_srv.conf ( directory which is open ) on the right side of of WINSCP. Done - close and exit This WINSCP method is GUARANTED to work !!! - I strongly suggest that you choose to make this your preferred Unbound Advanced Configuration option for OPNsense 21.7.1 !!! 6 - Next -Under System > Settings > General Settings A - Set the first DNS Server to 127.0.0.1 with no gateway selected / Make sure that DNS server option B - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked ! and DNS server option C - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not - I repeat - Is Not Checked ! D - Save and Apply Reboot your router or run command # /usr/local/etc/rc.d/stubby.sh restart You are all set up and now. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.

Dear Community, First you all know the drill by now - " The Intro " - as a peace loving man and in light of the turbulent times we all must endure - here we go without no further ado - Kool and The Gang / https://www.youtube.com/watch?v=JgxWC3iZh7A and the lyrics if you care to sing along - https://genius.com/Kool-and-the-gang-love-and-understanding-lyrics and one of my favorites - The Chambers Brothers - https://www.youtube.com/watch?v=BvCH-6kOAGs - lyrics here : https://genius.com/The-chambers-brothers-love-peace-and-happiness-lyrics This is a new updated guide designed to assist you in installing DNS Privacy DNS OVER TLS on pfSense 2.5.2 . Please disregard and do not use any guides and / or tutorials which predate this one. The setup features getdns and Stubby forwarded to and integrated with Unbound. You may refer to my earlier guide / tutorial here for additional information regarding the benefits of DNS Privacy DNS OVER TLS - see link here - https://bit.ly/3p0AGwX OK - Here go - let's get down to the business at hand. The first thing we must do is install all the necessary packages for this to work properly. Now you need to know that when you try to view the packages on the FreeBSD servers by way of their url - for example , https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/ - you will get the 403 Forbidden message. There is a remedy / workaround that will allow you to check out exactly what are the most recent package versions for you to install. Go to https://pkgs.org/ - once there - you will see a search box in the upper right hand corner. Just enter the package you wish to find there - then go down to FreeBSD 12 ( the distributions are listed alphabetically - next click on FreeBSD amd64 ( the distro pfSense 2.5.2 is based on ) - finally, go down to the Download section and copy your download url found next to the Binary Package section. 1 - There are four dependency packages required before actually installing the getdns package. Two are available in the pfSense package repositories and two from the FreeBSD repository. Lastly the getdns package itself is also in the FreeBSD repository. So to begin enter these commands below in the order : A # pkg install libuv B # pkg install libyaml ( both of these will install from native pfSense 2.5.2 box ) . The following packages must be installed from FreeBSD. C # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/libev-4.33,1.txz D # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/libidn-1.35.txz Now - here is where this guide diverges from its' predecessors. There is a new specific iteration of Unbound which pfSense 2.5.2 has installed. The package is called - unbound112-1.12.0_1 . Now if you attempt to add getdns-1.5.2_4.txz package via pkg add url method - see below : ( # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/getdns-1.5.2_4.txz ) ### this will not work ! the installation will fail and complain that " missing dependency Unbound " is the reason. so here is the solution to that dilemma below : enter the following command E # fetch https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/getdns-1.5.2_4.txz From there you can enter command # ls -a / and you will see that getdns-1.5.2_4.txz package is now in your root directory. Next just enter the command F # pkg install getdns-1.5.2_4.txz follow the prompts answering " yes " to any all. By the way, once this package is successfully installed it must remain in your root directory otherwise DNS OVER TLS will stop working if you remove it for any reason. Now you may proceed as in the usual fashion. 2 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs Unbound root.key - run this command before getting started: # su -m unbound -c /usr/local/sbin/unbound-anchor Then - A - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh Make it executable - I run two commands - it works for me: # chmod 755 /usr/local/etc/rc.d/stubby.sh B - Yes must enable Stubby Daemon in the file - open file by : nano /usr/local/etc/rc.d/stubby.sh go to line 27 - : ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit. 3 - Now you must configure Stubby to resolve DNS OVER TLS - A -# nano /usr/local/etc/stubby/stubby.yml ################################################################################ ######################## STUBBY YAML CONFIG FILE ############################### ################################################################################ # This is a yaml version of the stubby configuration file (it replaces the # json based stubby.conf file used in earlier versions of getdns/stubby). # # For more information see # https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby # resolution_type: GETDNS_RESOLUTION_STUB dns_transport_list: - GETDNS_TRANSPORT_TLS tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 edns_client_subnet_private : 1 idle_timeout: 9000 listen_addresses: - [email protected] - 0::[email protected] tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 round_robin_upstreams: 1 tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt" dnssec_trust_anchors: "/usr/local/etc/unbound/root.key" # add the right path upstream_recursive_servers: ### IPV4 Servers ### ### DNS Privacy DOT Test Servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 185.49.141.37 - address_data: 2a04:b900:0:100::38 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## 2 - The Surfnet/Sinodun DNS TLS Servers #3 A+ ( NLD ) - address_data: 145.100.185.18 - address_data: 2001:610:1:40ba:145:100:185:18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## xx - The The Surfnet/Sinodun DNS TLS Server A ( NLD ) - address_data: 145.100.185.15 - address_data: 2001:610:1:40ba:145:100:185:15 tls_auth_name: "dnsovertls.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= ## xx - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD ) - address_data: 145.100.185.16 - address_data: 2001:610:1:40ba:145:100:185:16 tls_auth_name: "dnsovertls1.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= ## 3 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) - address_data: 199.58.81.218 - address_data: 2001:470:1c:76d::53 tls_auth_name: "dns.cmrg.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= ## 4 - The BlahDNS Japan DNS TLS Server A+ ( JPN ) - address_data: 139.162.112.47 - address_data: 2400:8902::f03c:92ff:fe27:344b tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: /llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM= ## xx - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU ) - address_data: 78.46.244.143 - address_data: 2a01:4f8:c17:ec67::1 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: c6xmf1GsYo1IFyxc+CWfjYo+xpSV9i98H7InJTDylsU= ## xx - The BlahDNS Finland DNS TLS Server A+ ( FIN ) - address_data: 95.216.212.177 - address_data: 2a01:4f9:c010:43ce::1 tls_auth_name: "dot-fi.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: EVL610kmcSvN01nzJkkzl94IHiIVvW0PovbB5En2QfU= ## xx - The BlahDNS Singapore DNS TLS Server A+ ( SGP ) - address_data: 192.53.175.149 - address_data: 2400:8901::f03c:92ff:fe27:870a tls_auth_name: "dot-sg.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: B+aX4NBLfDsKlOWf8RM6rjL8yOCF9sZlHQnarDNrrWM= ## xx - The BlahDNS Switzerland DNS TLS Server A+ ( CHE ) - address_data: 45.91.92.121 - address_data: 2a05:9406::175 tls_auth_name: "dot-ch.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk= ## 5 - The dns.neutopia.org DNS TLS Server A+ ( FRA ) - address_data: 89.234.186.112 tls_auth_name: "dns.neutopia.org" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= ## 6 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 146.255.56.98 - address_data: 2a02:1b8:10:234::2 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: xhQVPE+X85b9LkORuEhxfsxE1X2EbOm8v5ytxCqg5BI= ## 7 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR ) - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Am37BK5eBKSafYNJupWsoh5pokR3wwJ5zs7xvniF6XE= ## 8 - The dismail.de DNS TLS Server #1 A+ ( DEU ) - address_data: 80.241.218.68 tls_port: 853 tls_auth_name: "fdns1.dismail.de" tls_pubkey_pinset: - digest: "sha256" value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU= ## xx - The dismail.de DNS TLS Server #2 A+ ( USA ) - address_data: 159.69.114.157 tls_port: 853 tls_auth_name: "fdns2.dismail.de" tls_pubkey_pinset: - digest: "sha256" value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w= ## 9 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) - address_data: 80.67.188.188 tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= ## This certificate is currently expired which ## does not pose any concerns in SPKI mode ## (in practice with Stubby) ## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/ ## 10 - The ibksturm.synology.me DNS TLS Server A+ ( CHE ) - address_data: 213.196.191.96 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: yrMslOFXpWeLoNw0YgQk/pA5vl2mqXfBOASYLLeqDxc= ## 11 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL ) - address_data: 46.239.223.80 tls_auth_name: "dns.flatuslifir.is" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: b9sJFKc+wycfm4FHB9ddNopdeKceru+sZk0w5nz4xfQ= ### Publicly Available DOT Test Servers ### ## 12 - The FEROZ SALAM DNS TLS Server A+ ( GBR ) - address_data: 46.101.66.244 tls_auth_name: "doh.li" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ugm6mY2NNKi0I/Q+pofAgx0c31tbcW6xYAImZXr5Oqo= ## 13 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR ) - address_data: 217.169.20.23 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sS2Atff8wMigRVTxmS36FbMaXiCWsxLgD3AOtTA9eeU= ## xx - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR ) - address_data: 217.169.20.22 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /jchI7afFvSaVm4DCTksJcPHyK7uvbcwNUtTNNV4Bek= ## 14 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS ) - address_data: 45.76.113.31 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM= ## xx - The dns.seby.io - OVH DNS TLS Server A+ ( AUS ) - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /3AxvvuWCQmYQ4/mqHJzPL1rPC7KxaahVPmUkoSVR5A= ## 15 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE ) - address_data: 185.95.218.43 - address_data: 2a05:fc84::43 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sAH7JR5A8WA+hs1ZGXPS/uq3Y1wufBi2wQ8Crk+oR2Q= ## xx - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE ) - address_data: 185.95.218.42 - address_data: 2a05:fc84::42 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Fpgt86sGjlL4sbgNmd1WX0BYEIEJ7yQk9rp+uQKxI+w= ## 16 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA ) - address_data: 168.235.81.167 tls_auth_name: "dns-nyc.aaflalo.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Dn58VD18MLkmmG9wvzvSs30Tu1Rd65igDLpp1odYaAc= # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the #tls_ciphersuites option. This option can also be given per upstream. tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required # for this option. This option can also be given per upstream. tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_min_version: GETDNS_TLS1_2 # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_max_version: GETDNS_TLS1_3 When I get some time - next day or two - I will post a separate Forum entry which lists many more DNS OVER TLS servers that are publicly available for all. However, these are more than enough to get you started. 4 - In order to have pfSense 2.5.2 use default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time it helps to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following : # touch /etc/rc.conf.d/stubby - create the needed new file # nano /etc/rc.conf.d/stubby - in the new file enter the following two lines: stubby_enable="YES" stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh" Save and exit / then make the file executable - once again - works for me : # chmod 755 /etc/rc.conf.d/stubby 5- Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS. Go to Services > DNS RESOLVER > General Settings > Display Custom Options In the Custom options Box - enter the following below : server: do-not-query-localhost: no forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] forward-addr: 0::[email protected] Save and Apply 6 - Next -Under System > General Setup > DNS Server Settings A - Set the first DNS Server to 127.0.0.1 add no other DNS Servers here B - DNS Server Override - make sure this is unchecked C - DNS Resolution Behavior Use local DNS (127.0.0.1), fall back to remote DNS SERVERS (Default) Save and Apply Reboot your router or run command # /usr/local/etc/rc.d/stubby.sh restart You are all set up and now. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.

This Is An Updated Guide - February 26, 2021 Dear Community, As always - the intro - https://www.youtube.com/watch?v=6q_Fyv_znkw and lyrics to sing along - https://genius.com/Sly-and-the-family-stone-stand-lyrics Hello and I hope that all are both safe and well. Here I am going to write a new tutorial for OpenWRT Snapshots. Some of you may remember my tutorial below : ( From The DNS Privacy Project ) DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY The main reason for this updated guide for implementing DNS-OVER-TLS on OpenWrt FEATURING UNBOUND GETDNS and STUBBY is due to Unbound 1.13.0-1. Eric Luehrsen - the maintainer for Unbound package on OpenWRT explains the issue here: Need Help With UNBOUND Setup on Snapshots - #30 by directnupe - Basically, in his words: As far as the PEM files, it seems Unbound has a defect with respect to the published behavior. They should be loaded before chroot. That is they are in (real root) /etc/unbound but somewhere in the mess unbound-control is trying /chroot.../etc/unbound. Enable unbound-control only localhost without encryption and it should work. This guide was updated and works on OpenWRT Snapshots, upcoming 21.02 and kernel versions 5.10 in other words this works with Unbound-daemon - 1.13.1-1 ( current version ). As a Bonus - Videos detailing all of this are here - DNSPRIVACY FOR ALL REDEUX The setup video illustrates and details how to install and configure unbound, stubby and getdns along with native dnsmasq to achieve DNS OVER TLS on OpenWRT. So let's get started. Just follow the steps and you can look at the videos as you read this set up guide. Here is the OpenWRT stubby page :https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md When running DNS OVER TLS ( my setup ) - I first had to stop and disable odhcpd This setup depends on DNS functionality. odhcpd conflicts with dnsmasq for dhcp hence also DOT. The commands are as below : /etc/init.d/odhcpd stop /etc/init.d/odhcpd disable Step # 1 - opkg update && opkg install wget nano ca-bundle ca-certificates ( these are prerequisites - especially ca-bundle ) Step # 2 - opkg update ; opkg install unbound-daemon unbound-control unbound-control-setup luci-app-unbound unbound-anchor unbound-host stubby getdns unbound-checkconf odhcpd ( this installs unbound and stubby dependencies ) Step # 3 - By default, configuration of stubby is integrated with the OpenWRT UCI system using the file /etc/config/stubby. We wish to configure stubby using the /etc/stubby/stubby.yml file. We need to set option manual '1' in /etc/config/stubby and all other settings in /etc/config/stubby will be ignored. See below for correct entry ( nano /etc/config/stubby 😞 config stubby 'global' option manual '1' Step # 4 - Configure stubby.yml - enter nano /etc/stubby/stubby.yml see how below : Please use as many or as few upstream servers as you deem necessary or desired for our needs. I have shown file to use both IPV4 and IPV6 servers. All servers support TLSv1.3 protocol. Pick those closet to you geographically and so forth. # Note: by default on OpenWRT stubby configuration is handled via # the UCI system and the file /etc/config/stubby. If you want to # use this file to configure stubby, then set "option manual '1'" # in /etc/config/stubby. resolution_type: GETDNS_RESOLUTION_STUB round_robin_upstreams: 1 appdata_dir: "/var/lib/stubby" tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 edns_client_subnet_private: 1 idle_timeout: 10000 listen_addresses: - [email protected] - 0::[email protected] dns_transport_list: - GETDNS_TRANSPORT_TLS tls_connection_retries: 5 tls_backoff_time: 300 timeout: 1000 limit_outstanding_queries: 100 tls_ca_file: "/etc/ssl/certs/ca-certificates.crt" upstream_recursive_servers: ### IPV4 Servers ### ### DNS Privacy DOT Test Servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 185.49.141.37 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## 2 - The Surfnet/Sinodun DNS TLS Servers #3 A+ ( NLD ) - address_data: 145.100.185.18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## xx - The The Surfnet/Sinodun DNS TLS Server A ( NLD ) - address_data: 145.100.185.15 tls_auth_name: "dnsovertls.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= ## xx - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD ) - address_data: 145.100.185.16 tls_auth_name: "dnsovertls1.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= ## 3 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) - address_data: 199.58.81.218 tls_auth_name: "dns.cmrg.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= ## 4 - The BlahDNS Japan DNS TLS Server A+ ( JPN ) - address_data: 45.32.55.94 tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: G69vD32lVULKRAA1Mey0aY5HqCtixfcFj6d7YfZXcXQ= ## xx - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU ) - address_data: 78.46.244.143 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: MYAdUawDyym0aCys3RM7wjnGt6/VPkXRSnUynBVCZ0M= ## xx - The BlahDNS Finland DNS TLS Server A+ ( FIN ) - address_data: 95.216.212.177 tls_auth_name: "dot-fi.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc= ## xx - The BlahDNS Singapore DNS TLS Server A+ ( SGP ) - address_data: 139.180.141.57 tls_auth_name: "dot-sg.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: iENlCR6FD7l71PESwzzBUGVgJ5MtJykG2F1fV1RyV4A= ## xx - The BlahDNS Switzerland DNS TLS Server A+ ( CHE ) - address_data: 45.90.57.121 tls_auth_name: "dot-ch.blahdns.com" tls_port: 4443 tls_pubkey_pinset: - digest: "sha256" value: 0i6NHVbpWtZUAxlyKkIPo3xwYQPdwcDYMmZmOvQSBd8= ## 5 - The dns.neutopia.org DNS TLS Server A+ ( FRA ) - address_data: 89.234.186.112 tls_auth_name: "dns.neutopia.org" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= ## 6 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 146.255.56.98 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wi251KSU9HwFOjL3cgG+vxxyrQl0FyP5aBkBcqs4dow= ## 7 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR ) - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: l58wGW4rA4vpqbwyQkBK+TC8nWT7ESkMnn1aG3ehbFc= ## 8 - The dismail.de DNS TLS Server #1 A+ ( DEU ) - address_data: 80.241.218.68 tls_port: 853 tls_auth_name: "fdns1.dismail.de" tls_pubkey_pinset: - digest: "sha256" value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU= ## xx - The dismail.de DNS TLS Server #2 A+ ( USA ) - address_data: 159.69.114.157 tls_port: 853 tls_auth_name: "fdns2.dismail.de" tls_pubkey_pinset: - digest: "sha256" value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w= ## 9 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) - address_data: 80.67.188.188 tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= ## This certificate is currently expired which ## does not pose any concerns in SPKI mode ## (in practice with Stubby) ## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/ ## 10 - The ibksturm.synology.me DNS TLS Server A+ ( CHE ) - address_data: 89.217.74.236 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ST64ZkZeik0+6/e9gCs+dGB5r4lEMWcgxg58eBhQGDY= ## 11 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL ) - address_data: 46.239.223.80 tls_auth_name: "dns.flatuslifir.is" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: bCliMm8V6PPPhy3qOG45fkJhqJZ/H7HQH3GF3RHP2sg= ### Publicly Available DOT Test Servers ### ## 12 - The ContainerPI.com - CPI DNS TLS Server A+ ( JPN ) - address_data: 45.77.180.10 tls_auth_name: "dns.containerpi.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 0fDCu9NeTLXKniGX7Hqjq4PLqXV7kvxv04lAWs/dOHY= ## 13 - The FEROZ SALAM DNS TLS Server A+ ( GBR ) - address_data: 46.101.66.244 tls_auth_name: "doh.li" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: TP3QdfiIGmReSKJ3XW+T+yQ+xy5KMNtcTt6TJ+MMynI= ## 14 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR ) - address_data: 217.169.20.23 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ynHdh6Gn21nGQDVYEz0eYp8rktzwbAmSJgncIEk4yTI= ## xx - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR ) - address_data: 217.169.20.22 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3sSy32B+XnIOKckcW9vT06D0+XUgW3CSno+p1k3vp9Y= ## 15 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS ) - address_data: 45.76.113.31 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM= ## xx - The dns.seby.io - OVH DNS TLS Server A+ ( AUS ) - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: y8hXAlkRxglOPlYivo/S/E1EfNFoU9f/Uf4dQcXiHhg= ## 16 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE ) - address_data: 185.95.218.43 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: A0Te9x7eWRcFvhbIVMSuJJV6tr4ABUnGEKBm+FyaknQ= ## xx - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE ) - address_data: 185.95.218.42 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: XToXSSeTAIsKEZ4+KjhlWla0LtOFwI90J5nnOAY6dcE= ## 17 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA ) - address_data: 168.235.81.167 tls_auth_name: "dns-nyc.aaflalo.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: s2bFv4zDfIc+7wIMA59QTImqx9uzko6TQVfXAz8JLto= ## 18 - The Privacy-First DNS TLS Server #1 A+ ( JPN ) - address_data: 172.104.93.80 tls_auth_name: "jp.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: UV439TTY3wPh+k2bKJmvHrU3gcz4bDYd6S0poXN7bZU= ## xx - The Privacy-First DNS TLS Server #2 A+ ( SGP Hosted In USA ) - address_data: 174.138.29.175 tls_auth_name: "dot.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: YhPROg0ogwGqlsQAehkkxQk8lMUNUVJiR04c/rO2Pdo= ## 19 - The ibuki.cgnat.net DNS TLS Server A+ ( USA ) - address_data: 168.138.243.216 tls_auth_name: "ibuki.cgnat.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: UVKs87p2i+i+6cTOsfmZWHpononMhaZ1/TaOUCCdEYA= ## 20 - The AhaDNS.com Netherlands DNS TLS Server A+ ( NLD ) - address_data: 5.2.75.75 - address_data: 2a04:52c0:101:75::75 tls_auth_name: "dot.nl.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: vhyny5bRLcdUo8nT8yYPU3Ba3n59tw/p9ZdM7CdB7XA= ## xx - The AhaDNS.com India DNS TLS Server A+ ( IND ) - address_data: 45.79.120.233 tls_auth_name: "dot.in.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: I2d/sF4W9UzEJDacfEioGpjzfdKfA9vScD27fL+X7y4= ## xx - The AhaDNS.com Los Angeles DNS TLS Server A+ ( USA ) - address_data: 45.67.219.208 - address_data: 2a04:bdc7:100:70::70 tls_auth_name: "dot.la.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: I8+ilcgZbzlDJibVX+ao3N4CaN71oi/67kARvAvkF68= ## xx - The AhaDNS.com New York DNS TLS Server A+ ( USA ) - address_data: 185.213.26.187 tls_auth_name: "dot.ny.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: KFnD8W9moK59GXrouEF2PRnD3TI5dwNerLGz2fVGUg4= ## xx - The AhaDNS.com Poland DNS TLS Server A+ ( IND ) - address_data: 45.132.75.16 - address_data: 2a0e:dc0:7:d::d tls_auth_name: "dot.pl.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: k+2Qzo5pl+70VXixFeBNRswWwdwAu/hC6gNdFytr2Bw= ## xx - The AhaDNS.com Italy DNS TLS Server A+ ( IND ) - address_data: 45.91.95.12 - address_data: 2a0e:dc0:8:12::12 tls_auth_name: "dot.it.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: XOAIkTcSr/sm3w8JalaSP9apN7visaVWJ7Ak6SnwFBg= ## xx - The AhaDNS.com Spain DNS TLS Server A+ ( IND ) - address_data: 45.132.74.167 - address_data: 2a0e:dc0:9:17::17 tls_auth_name: "dot.es.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: MfhmtxPms+ZsB7v5iLdmGgoIYCDkxs55DTiY1p/+OcU= ## xx - The AhaDNS.com Norway DNS TLS Server A+ ( IND ) - address_data: 185.175.56.133 - address_data: 2a0d:5600:30:28::28 tls_auth_name: "dot.no.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P++7ZdWm1d+diD5Qt9PV7SFQDCrZK/jH8mo9G1xF8nc= ## xx - The AhaDNS.com Chicago DNS TLS Server A+ ( IND ) - address_data: 193.29.62.196 - address_data: 2605:4840:3:c4::c4 tls_auth_name: "dot.chi.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: UF0rIyP2tkD8NG4FEZ/NDFu16vkXVNV4Jg4yml5oRfk= ## xx - The AhaDNS.com Australia DNS TLS Server A+ ( IND ) - address_data: 103.73.64.132 - address_data: 2406:ef80:100:11::11 tls_auth_name: "dot.au.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: WULSbPGl4Jckg99ATU12Hp+aVdLz5H3ltu9g5cBU9q4= ## 21 - The Snopyta DNS TLS Server A+ ( FIN ) - address_data: 95.216.24.230 tls_auth_name: "fi.dot.dns.snopyta.org" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: PNeoThB4S+lf+p/ZkXZZqjWmUn13lu809xuDgBZ+xp8= ## 22 - The Lelux.fi DNS TLS Server A+ ( FRA Hosted In GBR ) - address_data: 51.158.147.50 tls_auth_name: "resolver-eu.lelux.fi" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Cv0Ap5Pf5+ZP0JxsBIm5xsnNmIK0YameM8QDWg4VKR0= ## 23 - The Lightning Wire Labs DNS TLS Server A+ ( DEU ) - address_data: 81.3.27.54 tls_auth_name: "recursor01.dns.lightningwirelabs.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sYtspi4dALWTVbMppLGpjFDQvCEZeuabtXyoGo/Q3ng= ## 24 - The dnsforge.de DNS TLS Server #1 A+ ( DEU ) - address_data: 176.9.1.117 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= ## xx - The dnsforge.de DNS TLS Server #2 A+ ( DEU ) - address_data: 176.9.93.198 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= ## 25 - The Freifunk München DNS TLS Server A+ ( DEU ) - address_data: 5.1.66.255 tls_auth_name: "doh.ffmuc.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: BkjoiHvX67yHa/G2NNPi5G4WAN5Wh3fjIO3CRPqPYJA= - address_data: 185.150.99.255 tls_auth_name: "doh.ffmuc.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P77Y2o4+q8v3l8Qq7M8fre0S0buvRG5gYKhM94YJEHU= ## 26 - The CIRA Canadian Shield DNS TLS Servers A+ ( CAN ) - address_data: 149.112.121.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= - address_data: 149.112.122.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= ## 27 - The dns.dnshome.de DNS TLS Server #1 A+ ( DEU ) - address_data: 185.233.106.232 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= - address_data: 185.233.107.4 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= ## 28 - The Hurricane Electric DNS TLS Server A+ ( USA ) - address_data: 74.82.42.42 tls_auth_name: "ordns.he.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: G9pQNrYB98Wll0AmBF/GsMMn6gaDbXDnInV1je1MaPo= ## 29 - The Stéphane Bortzmeyer DNS TLS Server A+ ( FRA ) - address_data: 193.70.85.11 tls_auth_name: "dot.bortzmeyer.fr" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: eHAFsxc9HJW8QlJB6kDlR0tkTwD97X/TXYc1AzFkTFY= ## 30 - The LibreDNS DNS TLS Server #1 A+ ( IND ) - address_data: 116.202.176.26 tls_auth_name: "dot.libredns.gr" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: V0Y0pvWkAwOPkNSPxDyZd/vJ2bo40ylADWJFu/ubPlM= ## xx - The LibreDNS DNS TLS Server #2 A+ ( IND ) - address_data: 116.202.176.26 tls_auth_name: "dot.libredns.gr" tls_port: 854 tls_pubkey_pinset: - digest: "sha256" value: V0Y0pvWkAwOPkNSPxDyZd/vJ2bo40ylADWJFu/ubPlM= ## 31 - The LavaDNS-US-1 DNS TLS Server A+ ( USA ) - address_data: 79.110.170.43 tls_auth_name: "us1.dns.lavate.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: W0y9+3Qy77HrkCYLNSg0oY2J7aIqwC5GbPEP6pBTfws= ## xx - The LavaDNS-EU-1 DNS TLS Server A+ ( FIN ) - address_data: 95.217.25.217 tls_auth_name: "eu1.dns.lavate.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: WSQmsUvZJRZ5EcIyZdtqt1UsB1KEeAX8+cFy/v7AiCk= ## 32 - The yepdns.com DNS TLS Server #1 A+ ( USA ) - address_data: 94.237.68.80 tls_port: 853 tls_auth_name: "sg.yepdns.com" tls_pubkey_pinset: - digest: "sha256" value: m+Gh4LlejsfHgD3yOg4QIUc2VcfP9ukrq7AR0WQd7q0= ## 33 - The Faelix DNS TLS Server #1 A+ ( LTU ) - address_data: 185.134.196.54 tls_auth_name: "rdns.faelix.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OcCIDQdRSeK9hcmmdj1Rr3/Ma7cZ75l+nRYQMtPJz+g= ## xx - The Faelix DNS TLS Server #2 A+ ( LTU ) - address_data: 185.134.196.55 tls_auth_name: "rdns.faelix.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OcCIDQdRSeK9hcmmdj1Rr3/Ma7cZ75l+nRYQMtPJz+g= ## xx - The Faelix DNS TLS Server #3 A+ ( LTU ) - address_data: 46.227.200.55 tls_auth_name: "rdns.faelix.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OcCIDQdRSeK9hcmmdj1Rr3/Ma7cZ75l+nRYQMtPJz+g= ## xx - The Faelix DNS TLS Server #4 A+ ( LTU ) - address_data: 46.227.200.54 tls_auth_name: "rdns.faelix.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OcCIDQdRSeK9hcmmdj1Rr3/Ma7cZ75l+nRYQMtPJz+g= ## 34 - The Arapurayil's DNS TLS Server #1 A+ ( USA ) - address_data: 3.7.176.123 tls_port: 853 tls_auth_name: "dns.arapurayil.com" tls_pubkey_pinset: - digest: "sha256" value: fod+JGyXcnJBDOrt1Iq14abGcxgNjh2zFVOO8saHnBM= ## 35 - The Brahma World DNS TLS Server A+ ( USA ) - address_data: 94.237.80.211 tls_port: 853 tls_auth_name: "dns.brahma.world" tls_pubkey_pinset: - digest: "sha256" value: gJR4ekQiIPT5+ug7Rzxr+9O9sKLkTgKS8Lam5EXncEU= ## 36 - The Uncensored DNS TLS Server #1 A+ ( DNK ) - address_data: 91.239.100.100 tls_auth_name: "anycast.censurfridns.dk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY= ## xx - The Uncensored DNS TLS Server #2 A+ ( DNK ) - address_data: 89.233.43.71 tls_auth_name: "unicast.censurfridns.dk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs= ## 37 - The Digitalcourage e.V. DNS TLS Server A+ ( DEU ) - address_data: 46.182.19.48 tls_auth_name: "dns2.digitalcourage.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: v7rm6OtQQD3x/wbsdHDZjiDg+utMZvnoX3jq3Vi8tGU= ## 38 - The Usable Privacy DNS DNS TLS Server A+ ( CHE ) - address_data: 149.154.153.153 tls_auth_name: "adfree.usableprivacy.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: SQjhS4EtweDmR5+NMLGMVXxYP8ZwGVa1YDSoM8N5wiU= ## 39 - The Hostux DNS TLS Server A+ ( LUX ) - address_data: 185.26.126.37 tls_auth_name: "dns.hostux.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P0gaP31TQQzAIN3DomM5vXS3+8oCgYcTA/ZJ09Jw4QE= - address_data: 185.26.126.14 tls_auth_name: "dns.hostux.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P0gaP31TQQzAIN3DomM5vXS3+8oCgYcTA/ZJ09Jw4QE= ## 40 - The dns.therifleman.name DNS TLS Servers A+ ( USA ) - address_data: 172.104.206.174 tls_auth_name: "dns.therifleman.name" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: mZJECUWOKQW4SAvZSgM3LRalJQDUCxtImKW0KO/+ijU= ### Anycast Publicly Available DOT Test Servers ### ## 41 - The DNSlify DNS TLS Servers A+ ( Anycast ) - address_data: 185.235.81.1 tls_auth_name: "a.ns.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: QZKcLeM+e5+3DYMrpNYv/iRMtNbRtvN8dCmWbBZFT68= - address_data: 185.235.81.2 tls_auth_name: "b.ns.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: QZKcLeM+e5+3DYMrpNYv/iRMtNbRtvN8dCmWbBZFT68= ### DNS Privacy Anycast DOT Public Resolvers ### ## 42 - The DNS.SB DNS TLS Servers A+ ( Anycast ) - address_data: 185.222.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= - address_data: 185.184.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= ## 43 - The DNSPod DNS TLS Server #1 A+ ( Anycast ) - address_data: 162.14.21.178 tls_port: 853 tls_auth_name: "dns.pub" tls_pubkey_pinset: - digest: "sha256" value: Q1JRqG379NbZYD6KcA+jl8co9wuQNhg/YmN4dLImQpM= ## xx - The DNSPod DNS TLS Server #2 A+ ( Anycast ) - address_data: 162.14.21.56 tls_port: 853 tls_auth_name: "doh.pub" tls_pubkey_pinset: - digest: "sha256" value: Q1JRqG379NbZYD6KcA+jl8co9wuQNhg/YmN4dLImQpM= ####### Servers that listen on port 443 (IPv4 and IPv6) ####### ### Test servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 2a04:b900:0:100::38 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## xx - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD ) - address_data: 2001:610:1:40ba:145:100:185:16 tls_auth_name: "dnsovertls1.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= - address_data: 2001:610:1:40ba:145:100:185:18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## 2 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 2a02:1b8:10:234::2 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wi251KSU9HwFOjL3cgG+vxxyrQl0FyP5aBkBcqs4dow= ## 3 - The AhaDNS.com New York DNS TLS Server A+ ( USA ) - address_data: 2a0d:5600:33:3::3 tls_auth_name: "dot.ny.ahadns.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: KFnD8W9moK59GXrouEF2PRnD3TI5dwNerLGz2fVGUg4= # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the #tls_ciphersuites option. This option can also be given per upstream. tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required # for this option. This option can also be given per upstream. tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_min_version: GETDNS_TLS1_2 # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_max_version: GETDNS_TLS1_3 Step # 5 - This step tells Stubby to forward all DNS requests to Unbound : cat >> /etc/unbound/unbound_ext.conf <<UNBOUND_FORWARD_CONF server: do-not-query-localhost: no forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] forward-addr: 0::[email protected] UNBOUND_FORWARD_CONF Step # 6 - Now, you just need to move the existing dnsmasq server aside, so Unbound can answer your devices DNS queries. Issue commands (a) through (e) as detailed below : # Move dnsmasq to port 53535 where it will still serve local DNS from DHCP # Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535 ( a ) uci set '[email protected][0].port=53535' # Configure dnsmasq to send a DNS Server DHCP option with its LAN IP # since it does not do this by default when port is configured. ( b ) uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)" ( c ) uci set '[email protected][0].dhcp_link=dnsmasq' # Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up) (d ) uci commit # Restart (or start) unbound (System -> Startup -> unbound -> Restart) ( e ) /etc/init.d/unbound restart Step # 7 - Set dnsmasq to send DNS requests to stubby Since dnsmasq now responds to LAN DNS requests on port 53535 of the OpenWRT device, all that is required is to have dnsmasq forward those requests to stubby which is listening on port 5453 of the OpenWRT device. To achieve this, we need to set the server option in the dnsmasq configuration in the /etc/config/dhcp file to '127.0.0.1#5453'. We also need to tell dnsmasq not to use resolvers found in /etc/resolv.conf by setting the dnsmasq option noresolv to 1 in the same file. This can be achieved by editing the /etc/config/dhcp file directly or executing the following commands - ( a ) - ( e ) at the command line: ( a ) - uci add_list [email protected][-1].server='/pool.ntp.org/129.6.15.30' ( b ) - uci add_list [email protected][-1].server='127.0.0.1#5453' ( c ) - uci add_list [email protected][-1].server='0::1#5453' ( d ) - uci set [email protected][-1].noresolv=1 ( e ) - uci commit && reload_config Step # 8 - Disable sending DNS requests to ISP provided DNS servers ( a ) - uci set network.wan.peerdns='0' ( b ) - uci set network.wan.dns='127.0.0.1' ( c ) - uci set network.wan6.peerdns='0' ( d ) - uci set network.wan6.dns='0::1' ( e ) - uci commit && reload_config Step # 9 - Shrink Dnsmasq cache as we use Unbound and increase forwards Issue commands ( a ) - ( c ) below : ( a ) - uci set [email protected][0].cachesize=50 ( b ) - uci set [email protected][0].dnsforwardmax=250 ( c ) - uci commit dhcp && reload_config Step # 10 - ( Optional ) - Edit Startup Services nano /etc/rc.local - and enter the following below : # Put your custom commands here that should be executed once # the system init finished. By default this file does nothing. /usr/sbin/ntpd -n -q -N -p 129.6.15.30 # Wait until Internet connection is available for i in {1..60}; do ping -c1 -W1 185.49.141.37 &> /dev/null && break; done # Restart DNS Privacy Daemon - Stubby as it requires a successful #time sync for its encryption to work/ /etc/init.d/network restart /etc/init.d/firewall restart /etc/init.d/unbound restart /etc/init.d/stubby restart /usr/sbin/ntpd -n -q -N -p 129.6.15.30 exit 0 Step # 11 - Configure Unbound via configuration file - replace contents of file with the following - see below : nano /etc/config/unbound config unbound 'ub_main' option add_extra_dns '0' option add_local_fqdn '1' option add_wan_fqdn '0' option dhcp4_slaac6 '0' option dns64 '0' option dns64_prefix '64:ff9b::/96' option domain 'mydomain.com' ## enter your actual domain here option domain_type 'transparent' option edns_size '1232' option extended_stats '1' option hide_binddata '1' option interface_auto '1' option extended_luci '1' option luci_expanded '1' option listen_port '53' option localservice '1' option manual_conf '0' option num_threads '2' option protocol 'mixed' option query_minimize '1' option query_min_strict '1' option rate_limit '0' option rebind_localhost '0' option rebind_protection '1' option recursion 'aggressive' option resource 'medium' option root_age '9' option ttl_min '120' option unbound_control '1' option validator '1' option validator_ntp '1' option verbosity '1' list trigger_interface 'lan' list trigger_interface 'wan' option query_minimize '1' list domain_insecure '3.us.pool.ntp.org' list domain_insecure 'mydomain.com' ## enter your actual domain here option dhcp_link 'dnsmasq' Step # 12 - Manually edit /etc/config/dhcp - go into nano /etc/config/dhcp and do the following below : A - ## --- Make sure you disable (apply "#" in front) this entry to ignore ISP's supplied DNS done by doing as detailed directly below: # option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto' B - ## --- Your router date & time must be correct in order to have successful tls initiation done by doing as detailed directly below: list server '/pool.ntp.org/129.6.15.30' ( Make sure this entry was added in Step # 7 via uci ) Step # 13 - Check your Unbound Configuration - enter command # unbound-checkconf Checks unbound config file syntax and other errors. Step # 14 - Setup Unbound Files For Unbound Control - enter command # unbound-control-setup Generates self-signed certification and private keys for both server and client. Step # 15 - Enable and Update DNSSEC - enter command # unbound-anchor -a "/etc/unbound/root.key" Performs the configuration or update of the root trust anchor for DNSSEC validation. Step # 16 - Reboot your router Step # 17 - Go to https://browserleaks.com/dns - and you will see that you are now You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server. Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security. I am being constantly asked why did I go through all the trouble of setting up this " so called elaborate " configuration of a DNS solution - namely DNS OVER TLS ( DOT ). Among the many contributors to this project are Sinodun IT, NLnet Labs, SalesForce, Surftnet, NLnet Foundation, OTF, Stephane Bortzmeyer and No Mountain Software. The answers ( s ) are rattled off below : Unbound - Unbound 1 Stichting NLnet Labs Science Park 400, 1098 XH Amsterdam, The Netherlands To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These standards do not only improve privacy but also help making the DNS more robust. The most important are Query Name Minimisation, the Aggressive Use of DNSSEC-Validated Cache and support for authority zones, which can be used to load a copy of the root zone. Stubby - Stubby About Stubby 'Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby is developed by the getdns project, has it's own github repo and issue tracker but dnsprivacy.org currently hosts the online documentation for Stubby . Welcome to the DNS Privacy project home page DNS Privacy Project This site is the home of a collaborative open project to promote, implement and deploy DNS Privacy. The goals of this project include:Raising awareness of the issue of DNS Privacy. Empowering users to take advantage of DNS Privacy tools and resources (client applications, DNS Privacy resolvers) Evolving the DNS to support DNS Privacy in particular developing new DNS Protocol standards Working towards full support for DNS Privacy in a range of Open Source DNS implementations including: getdns, Unbound, NSD, BIND and Knot (Auth and Resolver) Co-ordinating deployment of DNS Privacy services and documenting operational practices getdns - getdns 1 getdns is a modern asynchronous DNS API. It implements DNS entry points from a design developed and vetted by application developers, in an API specification. The open source C implementation of getdns is developed and maintained in collaboration by NLnet Labs, Sinodun and No Mountain Software. This implementation is licensed under the New BSD License. So - Stichting NLnet Labs develops and maintains Unbound, getdns and Stubby. This company sets the industry's " Gold Standard ". I use pfSense and Opnsense - I am used to Unbound. I used to run dnscrypt years ago - but then I upped my game and moved on DNS OVER TLS - DOT. Plain and simple. Once again - anyone with questions about the various DNS solutions available today should read : DNS Security: Threat Modeling DNSSEC, DoT, and DoH 2 along with my original tutorial on this topic written a while back. And by all means go with your own preference. I hope this puts this issue to rest. Again, this takes 6 to 10 ten minutes to set up. Plus I have given any and all videos to follow. These standards and products are reviewed, standardized, continually developed and constantly improved. Peace and God Bless - Stay Safe

LAN Interface For GETDNS and STUBBY Plus UNBOUND WHY YOU ASK ? ANSWER : IN LIFE ONE SHOULD HAVE OPTIONS IMPORTANT UPDATED INFORMATION !!! - READ FULL GUIDE BEFORE GETTING STARTED !!! Stop pfSense Router from occasionally allowing UNBOUND Root Hints to resolve queries on its own. This configuration ensures that localhost ( 127.0.0.1 ) will not be used as a resolver on pfSense Box. You will only use GETDNS and STUBBY DNS SERVERS if you follow this tutorial. You will use your One Main LAN Interface as the listening interface for STUBBY and the listening and outgoing interface for your UNBOUND DNS RESOLVER on pfSense. So, let's get started. See Below For Definition and Function Of Unbound Root Hints : Unbound is a caching DNS resolver. It uses a built in list of authoritative nameservers for the root zone (.), the so called root hints. On receiving a DNS query it will ask the root nameservers for an answer and will in almost all cases receive a delegation to a top level domain (TLD) authoritative nameserver. Source Document : https://man.openbsd.org/unbound First you all know the drill by now - " The Intro " we would all have a better world if we remember to practice the concept that - NOW ! is the time for all of US ( A ) to GET UP & GET INVLOVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=1pvIarW3xHg Bonus JB : https://www.youtube.com/watch?v=v8TvBPshngE - I noticed on https://www.freshports.org/dns/getdns/ that ever since getdns 1.5.2_1 - stubby is included in the package by default. PLEASE TAKE SPECIAL NOTE UNDER Commit History : - Update to 1.5.2 - Build with STUBBY by default due to popular demand This got me to thinking about how to install DNS Privacy DNS OVER TLS on pfSense ( Special Thanks and Kudos to Ryan Steinmetz aka zi - the port maintainer and developer getdns on FreeBSD ). This is an updated guide / tutorial which explains how to setup adding DNS-Over-TLS support for pfSense - Please disregard and do not use any guides and / or tutorials which pre-date this one which covers installation and configuration of DNS Privacy on pfSense FireWall. I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here : https://getdnsapi.net/ https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound - please read this carefully - you will note that it indicates : Unbound As A DNS TLS Client Features:Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder). I was asked by a still skeptical devotee of DOH " What makes this way better than just running the DNS-over-https-proxy ? My answer was : Read this and make your decisions and conclusions concerning DOH vs DOT . Here is the article below : https://www.netmeister.org/blog/doh-dot-dnssec.html Bottom Line Conclusion From Jan Schaumann - The Author of This Blog Entry : For that, my current preference is quite clearly DNS-over-TLS: I fear a bifurcation of DNS resolution by apps combined with the push for using public resolvers with DoH will lead to a more complex environment and threat model for many users. Short Synopsis of DOH: In other words , ( with DOH ) we gain the same protections as with DoT for our web applications, but leaves all other DNS traffic vulnerable. Subsequently, as a matter of fact and in practice with DNS OVER TLS ALL DNS traffic is invulnerable and protected.This is why I run DOT and eschew DOH on my OPNsense Router. Further, Personally, I run GETDNS STUBBY and UNBOUND as described here along with ( wait for it ) FireFox DOH along with Encrypted SNI - plus TLS v 1.3 in Stubby and naturally a properly configured and encrypted VPN - Your pfSense /etc/resolv.conf file before and after configuring LAN Interface For GETDNS and STUBBY Plus UNBOUND as described in this tutorial. Your pfSense Firewall # domain secureone.duckdns.org # Domain Used In My # OpenWRT DuckDNS LET’S ENCRYPT CERTIFICATES MADE SIMPLE Tutorial Before Below : cat /etc/resolv.conf nameserver 127.0.0.1 search secureone.duckdns.org After Below : cat /etc/resolv.conf nameserver 192.168.7.11 search secureone.duckdns.org These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt I always set up DNS OVER TLS first before configuring OpenVPN and / or WireGuard on pfSense - this DNS solution works flawlessly with either VPN protocol. So here we go. 1 - There are four dependency packages required before actually installing the getdns package. Two are available in the pfSense package repositories and two from the FreeBSD repository. Lastly the getdns package itself is also in the FreeBSD repository. So to begin enter these commands below in the order : A # pkg install libuv B # pkg install libyaml - Go to https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ as pfSense is based on FreeBSD 11 - C # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libev-4.24,1.txz D # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn-1.35.txz Lastly, install getdns along with stubby E # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/getdns-1.5.2_4.txz GetDNS and Stubby are now installed on pfSense FireWall. In order to configure UNBOUND along with stubby ( and getdns ) follow the steps below. For pfSense 2.5.0 Development Snapshots which is based on FreeBSD 12 which includes openssl 1.1 with tls 1.3 support for Stubby get packages from pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/ links for the same packages listed above - always check for latest packages first or you might encounter download issues. 2 - Now Ryan Steinmetz aka zi - the port maintainer and developer of this port was kind enough to include a start up script ( stubby.in ) for this package. See the stubby.in here in the raw : https://svnweb.freebsd.org/ports/head/dns/getdns/files/stubby.in?view=markup. All I had to do was ask him and he did for any and all who elect to use this great piece of FreeBSD software. 3 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs Unbound root.key - run this command before getting started: # su -m unbound -c /usr/local/sbin/unbound-anchor Then - A - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh Make it executable - I run two commands - it works for me: # chmod 744 /usr/local/etc/rc.d/stubby.sh # chmod a+x /usr/local/etc/rc.d/stubby.sh B - Yes must enable Stubby Daemon in the file - open file by : nano /usr/local/etc/rc.d/stubby.sh go to line 27 - : ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit. 4 - You can and should also check real time status of DNS Privacy Servers as they are experimental and are not always stable - you can monitor DNS TLS Servers Real Time Status here below: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ I have read here: https://www.monperrus.net/martin/randomization-encryption-dns-requests that Also, it is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses. Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml VERY IMPORTANT UPDATE: After checking, rechecking and the triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/ I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is: # All DNS Privacy Servers Below Tested and Updated On August 21 2020 With A+ Rating - # 100% Perfecto Configuration on website: https://www.immuniweb.com/ssl/?id=Su8SeUQ4n # These servers support the most recent and secure TLS protocol version of TLS 1.3 ** # Good configuration - These server configurations support only TLSv1.2 and TLSv1.3 protocols - current most secure encryption. # Also I have added the Country Locations of These DNS PRIVACY Servers using the Alpha 3 Code Format # see country code lists here : # https://www.nationsonline.org/oneworld/country_code_list.htm or https://www.iban.com/country-codes # Use as many or as few depending on your specific needs ## Go Into SSH shell and enter : # nano /usr/local/etc/stubby/stubby.yml resolution_type: GETDNS_RESOLUTION_STUB dns_transport_list: - GETDNS_TRANSPORT_TLS tls_authentication: GETDNS_AUTHENTICATION_REQUIRED dnssec_return_status: GETDNS_EXTENSION_TRUE tls_query_padding_blocksize: 128 edns_client_subnet_private : 1 idle_timeout: 9000 listen_addresses: - [email protected] ## Enter Your One Main LAN Address Here tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 round_robin_upstreams: 1 tls_ca_path: "/etc/ssl/" upstream_recursive_servers: ### IPV4 Servers ### ### DNS Privacy DOT Test Servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 185.49.141.37 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## 2 - The Surfnet/Sinodun DNS TLS Server #3 A+ ( NLD ) - address_data: 145.100.185.18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## 3 - The The Surfnet/Sinodun DNS TLS Server A ( NLD ) - address_data: 145.100.185.15 tls_auth_name: "dnsovertls.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= ## 4 - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD ) - address_data: 145.100.185.16 tls_auth_name: "dnsovertls1.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= ## 5 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) - address_data: 199.58.81.218 tls_auth_name: "dns.cmrg.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= ## 6 - The BlahDNS Japan DNS TLS Server A+ ( JPN ) - address_data: 45.32.55.94 tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: gIoiNFxX1Nw+7/pVsmUKBU941bMBYjEYuB2T9drULOM= ## 7 - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU ) - address_data: 159.69.198.101 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: YZeyeJf/suAR2fMHLc9RDPkcQi/e8EEnzk5Y1N90QQE= ## 8 - The BlahDNS Finland DNS TLS Server A+ ( FIN ) - address_data: 95.216.212.177 tls_auth_name: "dot-fi.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc= ## 9 - The dns.neutopia.org DNS TLS Server A+ ( FRA ) - address_data: 89.234.186.112 tls_auth_name: "dns.neutopia.org" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= ## 10 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 94.130.106.88 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 78kfbZFJaxGrAl+0hkiyWER0ajTgFL/KxMAZQHSNhWU= ## 11 - The Foundation for Applied Privacy DNS TLS Server #2 A+ ( AUT ) - address_data: 93.177.65.183 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 78kfbZFJaxGrAl+0hkiyWER0ajTgFL/KxMAZQHSNhWU= ## 12 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR ) - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Bt3fAHJeDPU2dneCx9Md6zTiKhzWtZ152To0j0f32Us= ## 13 - The Rubyfish Internet Tech DNS TLS Server A+ ( CHN ) - address_data: 115.159.131.230 tls_auth_name: "dns.rubyfish.cn" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: DBDigty3zDS7TN/zbQOmnjZ0qW+qbRVzlsDKSsTwSxo= ## 14 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) - address_data: 80.67.188.188 tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= ## This certificate is currently expired which ## does not pose any concerns in SPKI mode ## (in practice with Stubby) ## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/ ## 15 - The DNSPRIVACY.at TLS Server #1 A+ ( DEU ) - address_data: 94.130.110.185 tls_auth_name: "ns1.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Fr9YdIAIg7TXJLLHp0XbeWKBS2utev0stoEIb+7rZjM= ## 16 - The DNSPRIVACY.at TLS Server #2 A+ ( DEU ) - expired 2020-04-01 - address_data: 94.130.110.178 tls_auth_name: "ns2.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 68MH4G5hipbK1xYATBFgA+/DNLDd333oXr22QyB/RRo= # 17 - The ibksturm.synology.me DNS TLS Server A+ ( CHE ) - address_data: 85.5.93.230 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: npNOnBcLbvZWZgdmcuFaEqYJbaGjBlHMf9DknDoIkgg= ## 18 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL ) - address_data: 46.239.223.80 tls_auth_name: "dns.flatuslifir.is" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OvqVajUX+2j/xfYqPZid2Z8DMX2Vex8geaYw0UG77BE= ### Publicly Available DOT Test Servers ### ## 19 - The ContainerPI.com - CPI DNS TLS Server A+ ( JPN ) - address_data: 45.77.180.10 tls_auth_name: "dns.containerpi.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: xz8kGlumwEGkPwJ3QV/XlHRKCVNo2Fae8bM5YqlyvFs= ## 20 - The FEROZ SALAM DNS TLS Server A+ ( GBR ) - address_data: 46.101.66.244 tls_auth_name: "doh.li" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: fiOT+xcarY8uz1UBZ0DzA+Gi5kcSHdBDrofcsZL3HGo= ## 21 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR ) - address_data: 217.169.20.23 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: BrjhBir4pbQ0+uTjlViVlc5qf1172WLQxDWevO/4bKI= ## 22 - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR ) - address_data: 217.169.20.22 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 1Mu+KSivSkoBfLiCzL+8xhg1YO7xmAjPJAJkjrv5ZvA= ## 23 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS ) - address_data: 45.76.113.31 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM= ## 24 - The dns.seby.io - OVH DNS TLS Server A+ ( AUS ) - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw= ## 25 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE ) - address_data: 185.95.218.43 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OHdm30CP5hu1KI1bLnIokKL1eKbLNWQvN9bNsXb5TJQ= ## 26 - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE ) - address_data: 185.95.218.42 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: W0CoacPgp4VP2zsOt2ERQuFqXTG37ud5t3ClB5Xh7dY= ## 27 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA ) - address_data: 168.235.81.167 tls_auth_name: "dns-nyc.aaflalo.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: NZqlaEd1y4tc4z2s/GcclhKlOQtynBKtbomw1dVCydU= ## 28 - The Privacy-First DNS TLS Server #1 A+ ( JPN ) - address_data: 172.104.93.80 tls_auth_name: "jp.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +Q7ZdLW0QXokd2OY/vUJm10ZAnm2KFC+ovJfm5++hDc= ## 29 - The Privacy-First DNS TLS Server #2 A+ ( SGP Hosted In USA ) - address_data: 174.138.29.175 tls_auth_name: "dot.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +zKyo0IWR+e38Yw2KN7pMAkktQSjZUGN4h7BoYLytTk= ## 30 - The ibuki.cgnat.net DNS TLS Server A+ ( USA ) - address_data: 35.198.2.76 tls_auth_name: "ibuki.cgnat.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: gWjnc5JNaub1U83vNZtyY/7f1ZYH+Zwt+LWLeTzbLEU= ## 31 - The PI-DNS.COM West USA DNS TLS Server A+ ( USA ) - address_data: 45.67.219.208 tls_auth_name: "dot.westus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: R9/K3atF+ZHuBAVREmFiTX5N0qse+JIqoMF+usZ2dZg= ## 32 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA ) - address_data: 185.213.26.187 tls_auth_name: "dot.eastus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: oZQKQh794UHpdtZc/7CG+9VUw+3uGIrQFfAhCvYcds4= ## 33 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU ) - address_data: 88.198.91.187 tls_auth_name: "dot.centraleu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ZdED9Ry+FfdsbpGVr2IxR/IB0D7FaVpSBWvsRWutrjg= ## 34 - The PI-DNS.COM North Europe DNS TLS Server A+ ( FIN ) - address_data: 95.216.181.228 tls_auth_name: "dot.northeu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: xb6yo+7vmxFhyrA+NV1ZOKBGHuA03J4BjTwkWjZ3uZk= ## 35 - The PI-DNS.COM East Australia DNS TLS Server A+ ( AUS ) - address_data: 45.63.30.163 tls_auth_name: "dot.eastau.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 0oVEbW/240sc4++zXjICyOO4XKTIEewY9zY5G5v9YnY= ## 36 - The PI-DNS.COM East Asia DNS TLS Server A+ ( USA ) - address_data: 66.42.33.135 tls_auth_name: "dot.eastas.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3dV7cgTZbmHD/JTfocBI6FvoyGevpZf2n5k2fG4uVr8= ## 37 - The Snopyta DNS TLS Server A+ ( FIN ) - address_data: 95.216.24.230 tls_auth_name: "fi.dot.dns.snopyta.org" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: cYf+8BXhzbBmQe6qP+BHzLb2UZ/rgOspuyCmk2aVhlE= ## 38 - The NixNet Uncensored Las Vegas DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.lv1.dns.nixnet.xyz" ) - address_data: 209.141.34.95 tls_auth_name: "uncensored.lv1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ua+l/cIZ9dbJPExk4grit6qFZWmQZcoIoMBvMLwUDHc= ## 39 - The NixNet Uncensored New York DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.ny1.dns.nixnet.xyz" ) - address_data: 199.195.251.84 tls_auth_name: "uncensored.ny1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P8A1QEHTXs7QSmAuwR4FupMd3L/OW9TXbTXcFaazzoU= ## 40 - The NixNet Uncensored Luxembourg DNS TLS Server A+ ( LUX ) ## - or use ( tls_auth_name: "adblock.lux1.dns.nixnet.xyz" ) - address_data: 104.244.78.231 tls_auth_name: "uncensored.lux1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ncPZ5vhEPiv7VOf2nesJW9GYOGZ48MsAhzd4PO+3NJQ= ## 41 - The Lelux.fi DNS TLS Server A+ ( FRA Hosted In GBR ) - address_data: 51.158.147.50 tls_auth_name: "resolver-eu.lelux.fi" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8ZpLg8m7CE41EnXddCRJGsaWK2UVjy2UnhPo/7BsPIo= ## 42 - The Lightning Wire Labs DNS TLS Server A+ ( DEU ) - address_data: 81.3.27.54 tls_auth_name: "recursor01.dns.lightningwirelabs.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 9QRO8JyJCVMU+KAO9acW5xfQnSXRuj1OqAz5aZHwH+4= ## 43 - The Hostux DNS TLS Server A+ ( LUX ) - address_data: 185.26.126.37 tls_auth_name: "dns.hostux.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P0gaP31TQQzAIN3DomM5vXS3+8oCgYcTA/ZJ09Jw4QE= ## 44 - The dnsforge.de DNS TLS Server #1 A+ ( DEU ) - address_data: 176.9.1.117 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= ## 45 - The dnsforge.de DNS TLS Server #2 A+ ( DEU ) - address_data: 176.9.93.198 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= # 46 - The Freifunk München DNS TLS Server A+ ( DEU ) - address_data: 195.30.94.28 tls_auth_name: "doh.ffmuc.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: vAgfcoO9rzejY7Pdv9MK9DymLvYYJ4PF5V1QzReF4MU= # 47 - The doh.defaultroutes.de DNS TLS Server A+ ( DEU ) - address_data: 5.45.107.88 tls_auth_name: "doh.defaultroutes.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: p7t6DDebAlM1rwkrJgZJ6CDkuJG0Ff5PKYZ8bUPQCM0= ## 48 - The CIRA Canadian Shield DNS TLS Servers A+ ( CAN ) - address_data: 149.112.121.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= - address_data: 149.112.122.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= # 49 - The dns.dnshome.de DNS TLS Server #1 A+ ( DEU ) - address_data: 185.233.106.232 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= - address_data: 185.233.107.4 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= ## 50 - The Usable Privacy DNS TLS Server A+ ( DEU / AUT ) - address_data: 149.154.153.153 tls_auth_name: "adfree.usableprivacy.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: wnJgPKtu/QHXHx3QZ7mZuIsNMv85buI5jsdsS9cTU5w= ## 51 - The DeCloudUs DNS TLS Server A+ ( DEU ) - address_data: 176.9.199.152 tls_auth_name: "dot.decloudus.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +rBZZHFEVTmFwA8RuR9I5vdPqqaBSighP7rcoWgY9MI= ## 52 - The Arapurayil DNS TLS Server A+ ( AUS ) - address_data: 3.7.156.128 tls_auth_name: "dns.arapurayil.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: c3S8JssMSrXuMjDfjwzXHoO4RQckTYTTeUThdW+meo0= ## 53 - The Hurricane Electric DNS TLS Server A+ ( USA ) - address_data: 74.82.42.42 tls_auth_name: "ordns.he.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: G9pQNrYB98Wll0AmBF/GsMMn6gaDbXDnInV1je1MaPo= ## 54 - The Stéphane Bortzmeyer DNS TLS Server A+ ( FRA ) - address_data: 193.70.85.11 tls_auth_name: "dot.bortzmeyer.fr" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: eHAFsxc9HJW8QlJB6kDlR0tkTwD97X/TXYc1AzFkTFY= ### Anycast Publicly Available DOT Test Servers ### ## 55 - The NixNet Uncensored Anycast DNS TLS Servers ( Anycast ) - address_data: 198.251.90.114 tls_auth_name: "uncensored.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= - address_data: 198.251.90.89 tls_auth_name: "adblock.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= ## 56 - The DNSlify DNS TLS Servers A+ ( Anycast ) - address_data: 185.235.81.1 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= - address_data: 185.235.81.2 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= ### DNS Privacy Anycast DOT Public Resolvers ### ## 57 - The DNS.SB DNS TLS Servers A+ ( Anycast ) - address_data: 185.222.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= - address_data: 185.184.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= ## 58 - The Comss.one DNS TLS Server #1 A+ ( CHN ) - address_data: 92.38.152.163 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= ## 59 - The Comss.one DNS TLS Server #2 A+ ( CHN ) - address_data: 93.115.24.205 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= ## 60 - The Comss.one DNS TLS Server #3 A+ ( CHN ) - address_data: 93.115.24.204 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= Starting with pfSense 2.5.0 Snapshots in order for TLSv1.3 protocol to work properly ( read at all ) in your Stubby instance, OpenSSL 1.1.1 must be active and configured in the kernel. pfSense 2.5.0 and above does provide OpenSSL 1.1.1 support. When you have OpenSSL 1.1.1 with TLSv1.3 support simply add the section above in order to set Stubby to implement TLS1.3. The operative lines necessary are these two specifically found at the bottom of the stubby.yml file above: tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" tls_max_version: GETDNS_TLS1_3 See below for TLS1.3 Support Check SSH Commands - openssl s_client -connect 46.101.66.244:853 OR : openssl s_client -connect 45.32.55.94:443 Read Out Will Be Verified By These Lines Below: Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_CHACHA20_POLY1305_SHA256 OR : Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Depending on Configuration on Tested DOT Server Lastly, you can and should take advantage of this new DNS OVER TLS provider. You need to sign up and use configured settings in order to use it. NextDNS is a free service - ANYCAST and pretty much cutting edge. ANYCAST speeds up your DNS - Here it is: NextDNS https://my.nextdns.io/signup or feel free to use and test NextDNS " Try it now for free " Feature go to : https://nextdns.io/ I also strongly encourage you to subscribe to blockerDNS found here : https://blockerdns.com/ This new DOH / DNS OVER TLS provider is the fastest I have run across. blockerDNS is run by Tambe Barsbay a seasoned, thorough and extremely proficient tech practitioner. blockerDNS is based in the U.S. and its infrastructure is hosted on Google Cloud Platform and DigitalOcean. You can view blockerDNS subscription options here : https://blockerdns.com/tryit - Most significantly, Tambe stands by his claim that he offers " Instant support by phone or email ". Overall blockerDNS is a great DNSPRIVACY DNS Service. Tip : The Mobile $0.99 per month option should suffice for most home users. Links : https://tambeb.com/ https://blockerdns.com/blog https://blockerdns.com/support https://blockerdns.com/overview 6- Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS. Go To Services > DNS Resolver > GENERAL SETTINGS UNDER DNS Resolver > GENERAL SETTINGS Network Interfaces = Select LAN ONLY ! # IF You Have Multiple Lan Interfaces - Select ALL LAN INTERFACES Under Custom options enter the following : server: forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] ## ( Your One Main LAN Address ) ## END OF ENTRY ## Note : do-not-query-localhost: no ## this entry is necessarily removed ## from this UNBOUND configuration ## Disabling DNS Queries From Localhost ( 127.0.0.1 ) Outgoing Network Interfaces = Select LAN ONLY ! # IF You Have Multiple Lan Interfaces - Select ALL LAN INTERFACES Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings Next -Under System > General Setup > DNS Server Settings Set the first DNS Server to Your One Main LAN Address ( 192.168.7.11 ) with no gateway selected / Make sure that DNS server option A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked ! and DNS server option B - Disable DNS Forwarder Is Checked - I repeat - Is Checked ! - Save and Apply Settings All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details : https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under " Logging " column. C'est Fini C'est Ci Bon C'est Magnifique Reboot your router just to sure. Lastly, you can check your DNS at GRC DNS Nameserver Spoofability Test - DNSLeak.com - or any such service. Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server. Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default. However, I still add these settings manually. These settings are entered under Unbound " Custom Options": qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes Use either or both of these two methods to verify QNAME Minimisation A - Run command : drill txt qnamemintest.internet.nl and / or B - Run command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for more complete readout including DNSSEC results ). AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated) The results in any of these scenarios will show either: "HOORAY - QNAME minimisation is enabled on your resolver :)!” or “NO - QNAME minimisation is NOT enabled on your resolver :(.” Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4 You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration. VERY IMPORTANT TIP: Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares: DoT servers The following servers are experimental DNS-over-TLS servers. Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!! For these reasons it is most important to check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time. There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to https://blahdns.com/ and scroll down to the section to the yellow section entitled What is DNS OVER TLS click on it and it will open up. When you do it will state some general information, but what you want to pay attention to is this section: How to get SPKI Most Simple and Direct Method: gnutls-cli --print-cert -p 853 159.69.198.101 | grep "pin-sha256" | head -1 And / Or With Adjustment For SSL Port and Address Being Tested gnutls-cli --print-cert -p 443 159.69.198.101 | grep "pin-sha256" | head -1 - where you must pkg install gnutls OR echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 Remember to change port to 443 or port for IPV6 if different than standard 853 where applicable. https://www.dnsleaktest.com/ https://www.perfect-privacy.com/dns-leaktest https://cryptoip.info/dns-leak-test https://www.grc.com/dns/dns.htm https://www.vpninsights.com/dns-leak-test and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test https://bash.ws/dnsleak/test/ Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security.

LAN Interface For GETDNS and STUBBY Plus UNBOUND WHY YOU ASK ? ANSWER : IN LIFE ONE SHOULD HAVE OPTIONS IMPORTANT UPDATED INFORMATION !!! - READ FULL GUIDE BEFORE GETTING STARTED !!! Stop OpenWRT Router from occasionally allowing UNBOUND Root Hints to resolve queries on its own. This configuration ensures that localhost ( 127.0.0.1 ) will not be used as a resolver on OpenWRT Box. You will only use GETDNS and STUBBY DNS SERVERS if you follow this tutorial. You will use your One Main LAN Interface as the listening interface for STUBBY and the listening and outgoing interface for your UNBOUND DNS RESOLVER for OpenWRT. So, let's get started. See Below For Definition and Function Of Unbound Root Hints : Unbound is a caching DNS resolver. It uses a built in list of authoritative nameservers for the root zone (.), the so called root hints. On receiving a DNS query it will ask the root nameservers for an answer and will in almost all cases receive a delegation to a top level domain (TLD) authoritative nameserver. Source Document : https://man.openbsd.org/unbound This is an updated guide / tutorial which explains how to setup adding DNS-Over-TLS support for OpenWRT . First you all know the drill by now - " The Intro " we would all have a better world if we remember to practice the concept that - NOW ! is the time for all of US ( A ) to GET UP & GET INVLOVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=1pvIarW3xHg Bonus JB : https://www.youtube.com/watch?v=v8TvBPshngE I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here : https://getdnsapi.net/ https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound - please read this carefully - you will note that it indicates : Unbound As A DNS TLS Client Features:Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder). These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt I always set up DNS OVER TLS first before configuring OpenVPN and / or WireGuard on OPNsense - this DNS solution works flawlessly with either VPN protocol. So here we go. I was asked by a still skeptical devotee of DOH " What makes this way better than just running the DNS-over-https-proxy ? My answer was : Read this and make your decisions and conclusions concerning DOH vs DOT . Here is the article below : https://www.netmeister.org/blog/doh-dot-dnssec.html Bottom Line Conclusion From Jan Schaumann - The Author of This Blog Entry : For that, my current preference is quite clearly DNS-over-TLS: I fear a bifurcation of DNS resolution by apps combined with the push for using public resolvers with DoH will lead to a more complex environment and threat model for many users. Short Synopsis of DOH: In other words , ( with DOH ) we gain the same protections as with DoT for our web applications, but leaves all other DNS traffic vulnerable. Subsequently, as a matter of fact and in practice with DNS OVER TLS ALL DNS traffic is invulnerable and protected.This is why I run DOT and eschew DOH on my OPNsense Router. Further, Personally, I run GETDNS STUBBY and UNBOUND as described here along with ( wait for it ) FireFox DOH along with Encrypted SNI - plus TLS v 1.3 in Stubby and naturally a properly configured and encrypted VPN - Let Me Save You A Future Headache Complete These Steps 1 - 7 Detailed Below Before Proceeding With LAN Interface For GETDNS and STUBBY Plus UNBOUND Tutorial I compared my OpenWRT /etc/resolv.conf file to my OPNsense and pfSense Firewalls' /etc/resolv.conf files before and after configuring LAN Interface For GETDNS and STUBBY Plus UNBOUND on these three Routers - See Results Below : # Note** # domain secureone.duckdns.org # Domain Used Throughout This Guide # Is Strictly For Illustrative Purposes and Comes From My # OpenWRT DuckDNS LET’S ENCRYPT CERTIFICATES MADE SIMPLE Tutorial My OPNsense Firewall Before Results Below : # cat /etc/resolv.conf domain secureone.duckdns.org nameserver 127.0.0.1 nameserver 127.0.0.1 After Results Below : ~ # cat /etc/resolv.conf domain secureone.duckdns.org nameserver 192.168.7.11 My pfSense Firewall Before Results Below : cat /etc/resolv.conf nameserver 127.0.0.1 search secureone.duckdns.org After Results Below : cat /etc/resolv.conf nameserver 192.168.7.11 search secureone.duckdns.org OpenWRT Before Results Below : cat /etc/resolv.conf nameserver 127.0.0.1 search secureone.duckdns.org. After Results Below - 127.0.0.1 Still Present and Now Controlled By UNBOUND : [[email protected] ~]# cat /etc/resolv.conf # /tmp/resolv.conf generated by Unbound UCI 2020-02-18T10:38:51-0500 nameserver 127.0.0.1 nameserver ::1 search secureone.duckdns.org. As you see 127.0.0.1 was still being used as resolver in /etc/resolv.conf - OPNsense and pfSense have a box to check so 127.0.0.1 is disabled and not used as resolver on the router. I wanted my OpenWRT /etc/resolv.conf file to mirror the same /etc/resolv.conf contents as on my OPNsense and pfSense Firewalls. Here is how I achieved that end on OpenWRT Router ( follow directions below ) : Source Documents : https://unix.stackexchange.com/questions/421977/how-to-set-chattr-i-for-my-etc-resolv-conf and https://www.ostechnix.com/prevent-files-folders-accidental-deletion-modification-linux/ 1 - opkg update ; opkg install chattr lsattr 2 - rm /etc/resolv.conf ( remove the symlink ) 3 - touch /etc/resolv.conf ( create the new file ) 4 - nano /etc/resolv.conf ( populate it with lan and search data ) 5 - enter as below for this example : nameserver 192.168.7.11 search secureone.duckdns.org Save and Exit 6 - chattr +i /etc/resolv.conf ( make new /etc/resolv.conf immutable / undeletable ) 7 - reboot & exit Source Document : https://www.tecmint.com/make-file-directory-undeletable-immutable-in-linux/ After Taking Above Steps 1-7 Results Are Detailed Below : [[email protected] ~]# cat /etc/resolv.conf nameserver 192.168.7.11 search secureone.duckdns.org This is what I wanted - the elimination of localhost ( 127.0.0.1 ) being used as a resolver for my OpenWRT Router's /etc/resolv.conf file. Most importantly, your OpenWRT /etc/resolv.conf file ( with LAN setting ) will persist and remain unchanged after setting up your LAN Interface For GETDNS and STUBBY Plus UNBOUND as detailed in this guide. I undertook Steps 1 - 7 above to ensure that Root Hints will not be used at all by OpenWRT Router. After all, that is the ultimate goal of this project. Take Special Attention ( Unlock /etc/resolv.conf to reset Router ) : In order to reset your OpenWRT Router to default settings for any reason - you MUST ! first issue this command # chattr -i /etc/resolv.conf After doing so - you may now reset your router using your regular method Back To Setting Up DNS Over TLS On OpenWRT : Here is a basic guide as to how to do it - https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ However a few modifications are needed - see below and follow along : As always - opkg update first and foremost Prerequisite You have a ca cert bundle installed on your router. You can do this by running the following opkg install ca-certificates 1 - opkg update ; opkg install unbound-daemon-heavy unbound-control unbound-control-setup luci-app-unbound unbound-anchor unbound-host unbound-checkconf odhcpd 2 - opkg update ; opkg install stubby getdns 3- My WORKING CONFIGS /etc/unbound/unbound_srv.conf ( Adjust For Your Router - I Run WRT1900ACS and WRT3200ACM So I Have Plenty Of Ram, Storage and 2 CPU's ) You should " Optimize Unbound " - especially increase size of cache among other things see guide here and adjust for your router's memory , number of cores and so on- see here: https://nlnetlabs.nl/documentation/unbound/howto-optimise/ ## Note : do-not-query-localhost: no ## this entry is necessarily removed ## from this UNBOUND configuration below ## Disabling DNS Queries From Localhost ( 127.0.0.1 ) cat >> /etc/unbound/unbound_srv.conf <<UNBOUND_SERVER_CONF server: tls-cert-bundle: "/var/lib/unbound/ca-certificates.crt" # use all CPUs num-threads: 2 # power of 2 close to num-threads msg-cache-slabs: 4 rrset-cache-slabs: 4 infra-cache-slabs: 4 key-cache-slabs: 4 # more cache memory, rrset=msg*2 rrset-cache-size: 200m msg-cache-size: 100m # more outgoing connections # depends on number of cores: 1024/cores - 50 outgoing-range: 8192 # Larger socket buffer. OS may need config. so-rcvbuf: 4m so-sndbuf: 4m interface: 192.168.7.11 # Put Your One Main LAN Address Here outgoing-interface: 192.168.7.11 # Likewise Put Your One Main LAN Address Here cache-min-ttl: 3600 cache-max-ttl: 86400 hide-identity: yes hide-version: yes hide-trustanchor: yes harden-glue: yes harden-dnssec-stripped: yes infra-cache-numhosts: 100000 num-queries-per-thread: 4096 max-udp-size: 3072 minimal-responses: yes rrset-roundrobin: yes use-caps-for-id: no do-ip6: no do-ip4: yes do-tcp: yes do-udp: yes prefetch: yes prefetch-key: yes qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes aggressive-nsec: yes so-reuseport: yes unwanted-reply-threshold: 10000000 interface-automatic: yes verbosity: 1 private-domain: "secureone.duckdns.org" # Used For Illustrative Purposes ( See **Note Above ) harden-referral-path: yes target-fetch-policy: "0 0 0 0 0" val-clean-additional: yes ip-ratelimit: 300 ip-ratelimit-factor: 10 incoming-num-tcp: 100 edns-buffer-size: 4096 UNBOUND_SERVER_CONF As per guide :# Don’t let each server know the next recursion Enter via SSH command line: uci set '[email protected][0].query_minimize=1' uci commit I choose to use the /etc/stubby/stubby.yml file to configure STUBBY. My reasons for preferring to configure Stubby with the /etc/stubby/stubby.yml file instead of the now default UCI system /etc/config/stubby file are for several reasons. I found that I have more control over the security options which DNS OVER TLS is intended to provide. Like padding - 853 or 443 port and so on. So in order to use /etc/stubby/stubby.yml file, you must change a default setting in the /etc/config/stubby file to allow manual configuration. To keep this simple - go into default UCI STUBBY file which is /etc/config/stubby by entering nano /etc/config/stubby and then set option manual '1' - if you leave it at default setting of option manual 'o' you will not be able to use the /etc/stubby/stubby.yml file in order to configure STUBBY as before. So, after changing option manual '1' in the /etc/config/stubby file - configure /etc/stubby/stubby.yml as follows enter nano /etc/stubby/stubby.yml : 4 - VERY IMPORTANT UPDATE: After checking, rechecking and the triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol . See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/ I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is: # All DNS Privacy Servers Below Tested and Updated On August 21 2020 With A+ Rating - # 100% Perfecto Configuration on website: https://www.immuniweb.com/ssl/?id=Su8SeUQ4n # These servers support the most recent and secure TLS protocol version of TLS 1.3 ** # Good configuration - These server configurations support only TLSv1.2 and TLSv1.3 protocols - current most secure encryption. # Also I have added the Country Locations of These DNS PRIVACY Servers using the Alpha 3 Code Format # see country code lists here : # https://www.nationsonline.org/oneworld/country_code_list.htm or https://www.iban.com/country-codes # Use as many or as few depending on your specific needs # Note: by default on OpenWRT stubby configuration is handled via # the UCI system and the file /etc/config/stubby. If you want to # use this file to configure stubby, then set "option manual '1'" # in /etc/config/stubby. resolution_type: GETDNS_RESOLUTION_STUB round_robin_upstreams: 1 appdata_dir: "/var/lib/stubby" tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 edns_client_subnet_private: 1 idle_timeout: 9000 listen_addresses: - [email protected] # Put Your One Main LAN Address Here dns_transport_list: - GETDNS_TRANSPORT_TLS tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 tls_ca_path: "/etc/ssl/certs/" upstream_recursive_servers: ### IPV4 Servers ### ### DNS Privacy DOT Test Servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 185.49.141.37 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## 2 - The Surfnet/Sinodun DNS TLS Server #3 A+ ( NLD ) - address_data: 145.100.185.18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## 3 - The The Surfnet/Sinodun DNS TLS Server A ( NLD ) - address_data: 145.100.185.15 tls_auth_name: "dnsovertls.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= ## 4 - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD ) - address_data: 145.100.185.16 tls_auth_name: "dnsovertls1.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= ## 5 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) - address_data: 199.58.81.218 tls_auth_name: "dns.cmrg.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= ## 6 - The BlahDNS Japan DNS TLS Server A+ ( JPN ) - address_data: 45.32.55.94 tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: gIoiNFxX1Nw+7/pVsmUKBU941bMBYjEYuB2T9drULOM= ## 7 - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU ) - address_data: 159.69.198.101 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: YZeyeJf/suAR2fMHLc9RDPkcQi/e8EEnzk5Y1N90QQE= ## 8 - The BlahDNS Finland DNS TLS Server A+ ( FIN ) - address_data: 95.216.212.177 tls_auth_name: "dot-fi.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc= ## 9 - The dns.neutopia.org DNS TLS Server A+ ( FRA ) - address_data: 89.234.186.112 tls_auth_name: "dns.neutopia.org" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= ## 10 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 94.130.106.88 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 78kfbZFJaxGrAl+0hkiyWER0ajTgFL/KxMAZQHSNhWU= ## 11 - The Foundation for Applied Privacy DNS TLS Server #2 A+ ( AUT ) - address_data: 93.177.65.183 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 78kfbZFJaxGrAl+0hkiyWER0ajTgFL/KxMAZQHSNhWU= ## 12 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR ) - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Bt3fAHJeDPU2dneCx9Md6zTiKhzWtZ152To0j0f32Us= ## 13 - The Rubyfish Internet Tech DNS TLS Server A+ ( CHN ) - address_data: 115.159.131.230 tls_auth_name: "dns.rubyfish.cn" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: DBDigty3zDS7TN/zbQOmnjZ0qW+qbRVzlsDKSsTwSxo= ## 14 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) - address_data: 80.67.188.188 tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= ## This certificate is currently expired which ## does not pose any concerns in SPKI mode ## (in practice with Stubby) ## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/ ## 15 - The DNSPRIVACY.at TLS Server #1 A+ ( DEU ) - address_data: 94.130.110.185 tls_auth_name: "ns1.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Fr9YdIAIg7TXJLLHp0XbeWKBS2utev0stoEIb+7rZjM= ## 16 - The DNSPRIVACY.at TLS Server #2 A+ ( DEU ) - expired 2020-04-01 - address_data: 94.130.110.178 tls_auth_name: "ns2.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 68MH4G5hipbK1xYATBFgA+/DNLDd333oXr22QyB/RRo= # 17 - The ibksturm.synology.me DNS TLS Server A+ ( CHE ) - address_data: 85.5.93.230 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: npNOnBcLbvZWZgdmcuFaEqYJbaGjBlHMf9DknDoIkgg= ## 18 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL ) - address_data: 46.239.223.80 tls_auth_name: "dns.flatuslifir.is" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OvqVajUX+2j/xfYqPZid2Z8DMX2Vex8geaYw0UG77BE= ### Publicly Available DOT Test Servers ### ## 19 - The ContainerPI.com - CPI DNS TLS Server A+ ( JPN ) - address_data: 45.77.180.10 tls_auth_name: "dns.containerpi.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: xz8kGlumwEGkPwJ3QV/XlHRKCVNo2Fae8bM5YqlyvFs= ## 20 - The FEROZ SALAM DNS TLS Server A+ ( GBR ) - address_data: 46.101.66.244 tls_auth_name: "doh.li" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: fiOT+xcarY8uz1UBZ0DzA+Gi5kcSHdBDrofcsZL3HGo= ## 21 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR ) - address_data: 217.169.20.23 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: BrjhBir4pbQ0+uTjlViVlc5qf1172WLQxDWevO/4bKI= ## 22 - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR ) - address_data: 217.169.20.22 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 1Mu+KSivSkoBfLiCzL+8xhg1YO7xmAjPJAJkjrv5ZvA= ## 23 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS ) - address_data: 45.76.113.31 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM= ## 24 - The dns.seby.io - OVH DNS TLS Server A+ ( AUS ) - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw= ## 25 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE ) - address_data: 185.95.218.43 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OHdm30CP5hu1KI1bLnIokKL1eKbLNWQvN9bNsXb5TJQ= ## 26 - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE ) - address_data: 185.95.218.42 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: W0CoacPgp4VP2zsOt2ERQuFqXTG37ud5t3ClB5Xh7dY= ## 27 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA ) - address_data: 168.235.81.167 tls_auth_name: "dns-nyc.aaflalo.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: NZqlaEd1y4tc4z2s/GcclhKlOQtynBKtbomw1dVCydU= ## 28 - The Privacy-First DNS TLS Server #1 A+ ( JPN ) - address_data: 172.104.93.80 tls_auth_name: "jp.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +Q7ZdLW0QXokd2OY/vUJm10ZAnm2KFC+ovJfm5++hDc= ## 29 - The Privacy-First DNS TLS Server #2 A+ ( SGP Hosted In USA ) - address_data: 174.138.29.175 tls_auth_name: "dot.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +zKyo0IWR+e38Yw2KN7pMAkktQSjZUGN4h7BoYLytTk= ## 30 - The ibuki.cgnat.net DNS TLS Server A+ ( USA ) - address_data: 35.198.2.76 tls_auth_name: "ibuki.cgnat.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: gWjnc5JNaub1U83vNZtyY/7f1ZYH+Zwt+LWLeTzbLEU= ## 31 - The PI-DNS.COM West USA DNS TLS Server A+ ( USA ) - address_data: 45.67.219.208 tls_auth_name: "dot.westus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: R9/K3atF+ZHuBAVREmFiTX5N0qse+JIqoMF+usZ2dZg= ## 32 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA ) - address_data: 185.213.26.187 tls_auth_name: "dot.eastus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: oZQKQh794UHpdtZc/7CG+9VUw+3uGIrQFfAhCvYcds4= ## 33 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU ) - address_data: 88.198.91.187 tls_auth_name: "dot.centraleu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ZdED9Ry+FfdsbpGVr2IxR/IB0D7FaVpSBWvsRWutrjg= ## 34 - The PI-DNS.COM North Europe DNS TLS Server A+ ( FIN ) - address_data: 95.216.181.228 tls_auth_name: "dot.northeu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: xb6yo+7vmxFhyrA+NV1ZOKBGHuA03J4BjTwkWjZ3uZk= ## 35 - The PI-DNS.COM East Australia DNS TLS Server A+ ( AUS ) - address_data: 45.63.30.163 tls_auth_name: "dot.eastau.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 0oVEbW/240sc4++zXjICyOO4XKTIEewY9zY5G5v9YnY= ## 36 - The PI-DNS.COM East Asia DNS TLS Server A+ ( USA ) - address_data: 66.42.33.135 tls_auth_name: "dot.eastas.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3dV7cgTZbmHD/JTfocBI6FvoyGevpZf2n5k2fG4uVr8= ## 37 - The Snopyta DNS TLS Server A+ ( FIN ) - address_data: 95.216.24.230 tls_auth_name: "fi.dot.dns.snopyta.org" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: cYf+8BXhzbBmQe6qP+BHzLb2UZ/rgOspuyCmk2aVhlE= ## 38 - The NixNet Uncensored Las Vegas DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.lv1.dns.nixnet.xyz" ) - address_data: 209.141.34.95 tls_auth_name: "uncensored.lv1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ua+l/cIZ9dbJPExk4grit6qFZWmQZcoIoMBvMLwUDHc= ## 39 - The NixNet Uncensored New York DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.ny1.dns.nixnet.xyz" ) - address_data: 199.195.251.84 tls_auth_name: "uncensored.ny1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P8A1QEHTXs7QSmAuwR4FupMd3L/OW9TXbTXcFaazzoU= ## 40 - The NixNet Uncensored Luxembourg DNS TLS Server A+ ( LUX ) ## - or use ( tls_auth_name: "adblock.lux1.dns.nixnet.xyz" ) - address_data: 104.244.78.231 tls_auth_name: "uncensored.lux1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ncPZ5vhEPiv7VOf2nesJW9GYOGZ48MsAhzd4PO+3NJQ= ## 41 - The Lelux.fi DNS TLS Server A+ ( FRA Hosted In GBR ) - address_data: 51.158.147.50 tls_auth_name: "resolver-eu.lelux.fi" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8ZpLg8m7CE41EnXddCRJGsaWK2UVjy2UnhPo/7BsPIo= ## 42 - The Lightning Wire Labs DNS TLS Server A+ ( DEU ) - address_data: 81.3.27.54 tls_auth_name: "recursor01.dns.lightningwirelabs.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 9QRO8JyJCVMU+KAO9acW5xfQnSXRuj1OqAz5aZHwH+4= ## 43 - The Hostux DNS TLS Server A+ ( LUX ) - address_data: 185.26.126.37 tls_auth_name: "dns.hostux.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P0gaP31TQQzAIN3DomM5vXS3+8oCgYcTA/ZJ09Jw4QE= ## 44 - The dnsforge.de DNS TLS Server #1 A+ ( DEU ) - address_data: 176.9.1.117 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= ## 45 - The dnsforge.de DNS TLS Server #2 A+ ( DEU ) - address_data: 176.9.93.198 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= # 46 - The Freifunk München DNS TLS Server A+ ( DEU ) - address_data: 195.30.94.28 tls_auth_name: "doh.ffmuc.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: vAgfcoO9rzejY7Pdv9MK9DymLvYYJ4PF5V1QzReF4MU= # 47 - The doh.defaultroutes.de DNS TLS Server A+ ( DEU ) - address_data: 5.45.107.88 tls_auth_name: "doh.defaultroutes.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: p7t6DDebAlM1rwkrJgZJ6CDkuJG0Ff5PKYZ8bUPQCM0= ## 48 - The CIRA Canadian Shield DNS TLS Servers A+ ( CAN ) - address_data: 149.112.121.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= - address_data: 149.112.122.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= # 49 - The dns.dnshome.de DNS TLS Server #1 A+ ( DEU ) - address_data: 185.233.106.232 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= - address_data: 185.233.107.4 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= ## 50 - The Usable Privacy DNS TLS Server A+ ( DEU / AUT ) - address_data: 149.154.153.153 tls_auth_name: "adfree.usableprivacy.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: wnJgPKtu/QHXHx3QZ7mZuIsNMv85buI5jsdsS9cTU5w= ## 51 - The DeCloudUs DNS TLS Server A+ ( DEU ) - address_data: 176.9.199.152 tls_auth_name: "dot.decloudus.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +rBZZHFEVTmFwA8RuR9I5vdPqqaBSighP7rcoWgY9MI= ## 52 - The Arapurayil DNS TLS Server A+ ( AUS ) - address_data: 3.7.156.128 tls_auth_name: "dns.arapurayil.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: c3S8JssMSrXuMjDfjwzXHoO4RQckTYTTeUThdW+meo0= ## 53 - The Hurricane Electric DNS TLS Server A+ ( USA ) - address_data: 74.82.42.42 tls_auth_name: "ordns.he.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: G9pQNrYB98Wll0AmBF/GsMMn6gaDbXDnInV1je1MaPo= ## 54 - The Stéphane Bortzmeyer DNS TLS Server A+ ( FRA ) - address_data: 193.70.85.11 tls_auth_name: "dot.bortzmeyer.fr" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: eHAFsxc9HJW8QlJB6kDlR0tkTwD97X/TXYc1AzFkTFY= ### Anycast Publicly Available DOT Test Servers ### ## 55 - The NixNet Uncensored Anycast DNS TLS Servers ( Anycast ) - address_data: 198.251.90.114 tls_auth_name: "uncensored.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= - address_data: 198.251.90.89 tls_auth_name: "adblock.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= ## 56 - The DNSlify DNS TLS Servers A+ ( Anycast ) - address_data: 185.235.81.1 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= - address_data: 185.235.81.2 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= ### DNS Privacy Anycast DOT Public Resolvers ### ## 57 - The DNS.SB DNS TLS Servers A+ ( Anycast ) - address_data: 185.222.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= - address_data: 185.184.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= ## 58 - The Comss.one DNS TLS Server #1 A+ ( CHN ) - address_data: 92.38.152.163 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= ## 59 - The Comss.one DNS TLS Server #2 A+ ( CHN ) - address_data: 93.115.24.205 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= ## 60 - The Comss.one DNS TLS Server #3 A+ ( CHN ) - address_data: 93.115.24.204 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the #tls_ciphersuites option. This option can also be given per upstream. tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required # for this option. This option can also be given per upstream. tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_28_GCM_SHA256" # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_min_version: GETDNS_TLS1_2 # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_max_version: GETDNS_TLS1_3 In order for TLSv1.3 protocol to work properly ( read at all ) in your Stubby instance, OpenWrt must have OpenSSL 1.1.1 active and configured in the kernel. Any OpenWrt 18.06 Build does not offer OpenSSL 1.1.1 in any shape, form or fashion.OpenWrt 19.07.0 Release Candidates and Snapshots do provide OpenSSL 1.1.1 support. Once you have OpenSSL 1.1.1 with TLSv1.3 simply follow the guide above in order to set Stubby to implement TLS1.3. The operative lines necessary are these two specifically found at the bottom of the stubby.yml file above: tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" tls_max_version: GETDNS_TLS1_3 See below for TLS1.3 Support Check SSH Commands - openssl s_client 168.235.81.167:853 OR : openssl s_client 159.69.198.101:443 Read Out Will Be Verified By These Lines Below: Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_CHACHA20_POLY1305_SHA256 OR : Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Depending on Configuration on Tested DOT Server I also strongly encourage you to subscribe to blockerDNS found here : https://blockerdns.com/ This new DOH / DNS OVER TLS provider is the fastest I have run across. blockerDNS is run by Tambe Barsbay a seasoned, thorough and extremely proficient tech practitioner. blockerDNS is based in the U.S. and its infrastructure is hosted on Google Cloud Platform and DigitalOcean. You can view blockerDNS subscription options here : https://blockerdns.com/tryit - Most significantly, Tambe stands by his claim that he offers " Instant support by phone or email ". Overall blockerDNS is a great DNSPRIVACY DNS Service. Tip : The Mobile $0.99 per month option should suffice for most home users. Links : https://tambeb.com/ https://blockerdns.com/blog https://blockerdns.com/support https://blockerdns.com/overview 5 - MY WORKING CONFIG /etc/unbound/unbound_ext.conf ( Simply Copy and Paste Into Your SSH Session and Hit Enter ) cat >> /etc/unbound/unbound_ext.conf <<UNBOUND_FORWARD_CONF forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] # Forward Unbound To Stubby Address/Port UNBOUND_FORWARD_CONF 6 - # Move dnsmasq to port 53535 where it will still serve local DNS from DHCP # Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535 uci set '[email protected][0].port=53535' # Configure dnsmasq to send a DNS Server DHCP option with its LAN IP # since it does not do this by default when port is configured. uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)" uci set '[email protected][0].dhcp_link=dnsmasq' # Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up) uci commit && reload_config # Restart (or start) unbound (System -> Startup -> unbound -> Restart) /etc/init.d/unbound restart 7 - uci add_list [email protected][-1].server='192.168.7.11#5453' # Put Your One Main LAN Address Here uci set [email protected][-1].noresolv=1 uci commit && reload_config A - Via UCI (Unified Configuration Interface) - in shell uci set [email protected][0].cachesize=8192 uci set [email protected]masq[0].dnsforwardmax=250 uci set [email protected][0].rebind_protection=1 uci set [email protected][0].ednspacket_max=4096 uci commit dhcp && reload_config 8 - nano /etc/config/network uci set network.wan.peerdns='0' uci set network.wan.dns='192.168.7.11' uci commit && reload_config 9 - nano /etc/config/unbound # Edit Unbound Config File config unbound option add_extra_dns '0' option add_local_fqdn '1' option add_wan_fqdn '0' option dhcp4_slaac6 '0' option dns64 '0' option dns64_prefix '64:ff9b::/96' option domain "secureone.duckdns.org" # Used For Illustrative Purposes ( See **Note Above ) option domain_type 'transparent' option edns_size '4096' option extended_stats '1' option hide_binddata '1' option extended_luci '1' option luci_expanded '1' option listen_port '53' option localservice '1' option num_threads '2' option manual_conf '0' option protocol 'ip4_only' option query_minimize '1' option query_min_strict '1' option rebind_localhost '1' option rebind_protection '1' option recursion 'aggressive' option resource 'medium' option root_age '9' option ttl_min '150' option unbound_control '3' option validator '1' option validator_ntp '1' option verbosity '2' list trigger_interface 'wan' list trigger_interface 'lan' list domain_insecure '3.us.pool.ntp.org' option dhcp_link 'dnsmasq' 10 - Final Step --- # /etc/init.d/unbound restart 11 - # reboot & exit 12 - Install OpenWRT dnsmasq-full package - ( Optional ) # opkg update ; opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk Done - See https://forums.torguard.net/index.php?/topic/1374-from-the-dns-privacy-project-dns-over-tls-on-openwrtlede-featuring-unbound-getdns-and-stubby/ or ( From The DNS Privacy Project ) https://forum.openwrt.org/t/from-the-dns-privacy-project-dns-over-tls-on-openwrt-lede-featuring-unbound-getdns-and-stubby/13765 For Comparisons - Peace Lastly, Check Your DNS Servers Below : https://www.dnsleaktest.com/ https://cryptoip.info/dns-leak-test https://www.grc.com/dns/dns.htm https://bash.ws/dnsleak/test/ and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security.

LAN Interface For GETDNS and STUBBY Plus UNBOUND WHY YOU ASK ? ANSWER : IN LIFE ONE SHOULD HAVE OPTIONS IMPORTANT UPDATED INFORMATION !!! - READ FULL GUIDE BEFORE GETTING STARTED !!! Stop OPNsense Router from occasionally allowing UNBOUND Root Hints to resolve queries on its own. This configuration ensures that localhost ( 127.0.0.1 ) will not be used as a resolver on OPNsense Box. You will only use GETDNS and STUBBY DNS SERVERS if you follow this tutorial. You will use your One Main LAN Interface as the listening interface for STUBBY and the listening and outgoing interface for your UNBOUND DNS RESOLVER on OPNsense. So, let's get started. See Below For Definition and Function Of Unbound Root Hints : Unbound is a caching DNS resolver. It uses a built in list of authoritative nameservers for the root zone (.), the so called root hints. On receiving a DNS query it will ask the root nameservers for an answer and will in almost all cases receive a delegation to a top level domain (TLD) authoritative nameserver. Source Document : https://man.openbsd.org/unbound First you all know the drill by now - " The Intro " we would all have a better world if we remember to practice the concept that - NOW ! is the time for all of US ( A ) to GET UP & GET INVLOVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=1pvIarW3xHg Bonus JB : https://www.youtube.com/watch?v=v8TvBPshngE - Since version OPNsense 18.7 - you may install stubby and getdns on OPNsense by simply issuing command # pkg install getdns ( Special Thanks and Kudos to Franco and the marvelous OPNsense Development Team ) - Please disregard and do not use any guides and / or tutorials which pre-date this one which covers installation and configuration of DNS Privacy on OPNsense FireWall. This is an updated guide / tutorial which explains how to setup adding DNS-Over-TLS support for OPNsense. I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here : https://getdnsapi.net/ https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound - please read this carefully - you will note that it indicates : Unbound As A DNS TLS Client Features:Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder). I was asked by a still skeptical devotee of DOH " What makes this way better than just running the DNS-over-https-proxy ? My answer was : Read this and make your decisions and conclusions concerning DOH vs DOT . Here is the article below : https://www.netmeister.org/blog/doh-dot-dnssec.html Bottom Line Conclusion From Jan Schaumann - The Author of This Blog Entry : For that, my current preference is quite clearly DNS-over-TLS: I fear a bifurcation of DNS resolution by apps combined with the push for using public resolvers with DoH will lead to a more complex environment and threat model for many users. Short Synopsis of DOH: In other words , ( with DOH ) we gain the same protections as with DoT for our web applications, but leaves all other DNS traffic vulnerable. Subsequently, as a matter of fact and in practice with DNS OVER TLS ALL DNS traffic is invulnerable and protected.This is why I run DOT and eschew DOH on my OPNsense Router. Further, Personally, I run GETDNS STUBBY and UNBOUND as described here along with ( wait for it ) FireFox DOH along with Encrypted SNI - plus TLS v 1.3 in Stubby and naturally a properly configured and encrypted VPN - Your OPNsense /etc/resolv.conf file before and after configuring LAN Interface For GETDNS and STUBBY Plus UNBOUND as described in this tutorial. Your OPNsense Firewall # domain secureone.duckdns.org # Domain Used In My # OpenWRT DuckDNS LET’S ENCRYPT CERTIFICATES MADE SIMPLE Tutorial Before Below : # cat /etc/resolv.conf domain secureone.duckdns.org nameserver 127.0.0.1 nameserver 127.0.0.1 After Below : ~ # cat /etc/resolv.conf domain secureone.duckdns.org nameserver 192.168.7.11 These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt I always set up DNS OVER TLS first before configuring OpenVPN and / or WireGuard on OPNsense - this DNS solution works flawlessly with either VPN protocol. So here we go. So go ahead and issue command # pkg install getdns in order to get started. After installing getdns which includes stubby follow the steps below. 1 - Now Ryan Steinmetz aka zi - the port maintainer and developer of this port was kind enough to include a start up script ( stubby.in ) for this package. See the stubby.in here in the raw : https://svnweb.freebsd.org/ports/head/dns/getdns/files/stubby.in?view=markup. All I had to do was ask him and he did for any and all who elect to use this great piece of FreeBSD software. 2 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs Unbound root.key - run this command before getting started: # su -m unbound -c /usr/local/sbin/unbound-anchor Then - A - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh Make it executable - I run two commands - it works for me: # chmod 744 /usr/local/etc/rc.d/stubby.sh # chmod a+x /usr/local/etc/rc.d/stubby.sh B - Yes must enable Stubby Daemon in the file - open file by : nano /usr/local/etc/rc.d/stubby.sh go to line 27 - : ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit. 3 - You can and should also check real time status of DNS Privacy Servers as they are experimental and are not always stable - you can monitor DNS TLS Servers Real Time Status here below: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ I have read here: https://www.monperrus.net/martin/randomization-encryption-dns-requests that Also, it is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses. Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml VERY IMPORTANT UPDATE: After checking, rechecking and the triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/ I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is: # All DNS Privacy Servers Below Tested and Updated On August 21 2020 With A+ Rating - # 100% Perfecto Configuration on website: https://www.immuniweb.com/ssl/?id=Su8SeUQ4n # These servers support the most recent and secure TLS protocol version of TLS 1.3 ** # Good configuration - These server configurations support only TLSv1.2 and TLSv1.3 protocols - current most secure encryption. # Also I have added the Country Locations of These DNS PRIVACY Servers using the Alpha 3 Code Format # see country code lists here : # https://www.nationsonline.org/oneworld/country_code_list.htm or https://www.iban.com/country-codes # Use as many or as few depending on your specific needs ## Go Into SSH shell and enter : # nano /usr/local/etc/stubby/stubby.yml resolution_type: GETDNS_RESOLUTION_STUB dns_transport_list: - GETDNS_TRANSPORT_TLS tls_authentication: GETDNS_AUTHENTICATION_REQUIRED dnssec_return_status: GETDNS_EXTENSION_TRUE tls_query_padding_blocksize: 128 edns_client_subnet_private : 1 idle_timeout: 9000 listen_addresses: - [email protected] ## Enter Your One Main LAN Address Here tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 round_robin_upstreams: 1 tls_ca_path: "/etc/ssl/" upstream_recursive_servers: ### IPV4 Servers ### ### DNS Privacy DOT Test Servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 185.49.141.37 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## 2 - The Surfnet/Sinodun DNS TLS Server #3 A+ ( NLD ) - address_data: 145.100.185.18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## 3 - The The Surfnet/Sinodun DNS TLS Server A ( NLD ) - address_data: 145.100.185.15 tls_auth_name: "dnsovertls.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= ## 4 - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD ) - address_data: 145.100.185.16 tls_auth_name: "dnsovertls1.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= ## 5 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) - address_data: 199.58.81.218 tls_auth_name: "dns.cmrg.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= ## 6 - The BlahDNS Japan DNS TLS Server A+ ( JPN ) - address_data: 45.32.55.94 tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: gIoiNFxX1Nw+7/pVsmUKBU941bMBYjEYuB2T9drULOM= ## 7 - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU ) - address_data: 159.69.198.101 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: YZeyeJf/suAR2fMHLc9RDPkcQi/e8EEnzk5Y1N90QQE= ## 8 - The BlahDNS Finland DNS TLS Server A+ ( FIN ) - address_data: 95.216.212.177 tls_auth_name: "dot-fi.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc= ## 9 - The dns.neutopia.org DNS TLS Server A+ ( FRA ) - address_data: 89.234.186.112 tls_auth_name: "dns.neutopia.org" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= ## 10 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 94.130.106.88 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 78kfbZFJaxGrAl+0hkiyWER0ajTgFL/KxMAZQHSNhWU= ## 11 - The Foundation for Applied Privacy DNS TLS Server #2 A+ ( AUT ) - address_data: 93.177.65.183 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 78kfbZFJaxGrAl+0hkiyWER0ajTgFL/KxMAZQHSNhWU= ## 12 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR ) - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Bt3fAHJeDPU2dneCx9Md6zTiKhzWtZ152To0j0f32Us= ## 13 - The Rubyfish Internet Tech DNS TLS Server A+ ( CHN ) - address_data: 115.159.131.230 tls_auth_name: "dns.rubyfish.cn" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: DBDigty3zDS7TN/zbQOmnjZ0qW+qbRVzlsDKSsTwSxo= ## 14 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) - address_data: 80.67.188.188 tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= ## This certificate is currently expired which ## does not pose any concerns in SPKI mode ## (in practice with Stubby) ## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/ ## 15 - The DNSPRIVACY.at TLS Server #1 A+ ( DEU ) - address_data: 94.130.110.185 tls_auth_name: "ns1.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Fr9YdIAIg7TXJLLHp0XbeWKBS2utev0stoEIb+7rZjM= ## 16 - The DNSPRIVACY.at TLS Server #2 A+ ( DEU ) - expired 2020-04-01 - address_data: 94.130.110.178 tls_auth_name: "ns2.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 68MH4G5hipbK1xYATBFgA+/DNLDd333oXr22QyB/RRo= # 17 - The ibksturm.synology.me DNS TLS Server A+ ( CHE ) - address_data: 85.5.93.230 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: npNOnBcLbvZWZgdmcuFaEqYJbaGjBlHMf9DknDoIkgg= ## 18 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL ) - address_data: 46.239.223.80 tls_auth_name: "dns.flatuslifir.is" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OvqVajUX+2j/xfYqPZid2Z8DMX2Vex8geaYw0UG77BE= ### Publicly Available DOT Test Servers ### ## 19 - The ContainerPI.com - CPI DNS TLS Server A+ ( JPN ) - address_data: 45.77.180.10 tls_auth_name: "dns.containerpi.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: xz8kGlumwEGkPwJ3QV/XlHRKCVNo2Fae8bM5YqlyvFs= ## 20 - The FEROZ SALAM DNS TLS Server A+ ( GBR ) - address_data: 46.101.66.244 tls_auth_name: "doh.li" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: fiOT+xcarY8uz1UBZ0DzA+Gi5kcSHdBDrofcsZL3HGo= ## 21 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR ) - address_data: 217.169.20.23 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: BrjhBir4pbQ0+uTjlViVlc5qf1172WLQxDWevO/4bKI= ## 22 - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR ) - address_data: 217.169.20.22 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 1Mu+KSivSkoBfLiCzL+8xhg1YO7xmAjPJAJkjrv5ZvA= ## 23 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS ) - address_data: 45.76.113.31 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM= ## 24 - The dns.seby.io - OVH DNS TLS Server A+ ( AUS ) - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw= ## 25 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE ) - address_data: 185.95.218.43 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OHdm30CP5hu1KI1bLnIokKL1eKbLNWQvN9bNsXb5TJQ= ## 26 - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE ) - address_data: 185.95.218.42 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: W0CoacPgp4VP2zsOt2ERQuFqXTG37ud5t3ClB5Xh7dY= ## 27 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA ) - address_data: 168.235.81.167 tls_auth_name: "dns-nyc.aaflalo.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: NZqlaEd1y4tc4z2s/GcclhKlOQtynBKtbomw1dVCydU= ## 28 - The Privacy-First DNS TLS Server #1 A+ ( JPN ) - address_data: 172.104.93.80 tls_auth_name: "jp.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +Q7ZdLW0QXokd2OY/vUJm10ZAnm2KFC+ovJfm5++hDc= ## 29 - The Privacy-First DNS TLS Server #2 A+ ( SGP Hosted In USA ) - address_data: 174.138.29.175 tls_auth_name: "dot.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +zKyo0IWR+e38Yw2KN7pMAkktQSjZUGN4h7BoYLytTk= ## 30 - The ibuki.cgnat.net DNS TLS Server A+ ( USA ) - address_data: 35.198.2.76 tls_auth_name: "ibuki.cgnat.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: gWjnc5JNaub1U83vNZtyY/7f1ZYH+Zwt+LWLeTzbLEU= ## 31 - The PI-DNS.COM West USA DNS TLS Server A+ ( USA ) - address_data: 45.67.219.208 tls_auth_name: "dot.westus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: R9/K3atF+ZHuBAVREmFiTX5N0qse+JIqoMF+usZ2dZg= ## 32 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA ) - address_data: 185.213.26.187 tls_auth_name: "dot.eastus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: oZQKQh794UHpdtZc/7CG+9VUw+3uGIrQFfAhCvYcds4= ## 33 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU ) - address_data: 88.198.91.187 tls_auth_name: "dot.centraleu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ZdED9Ry+FfdsbpGVr2IxR/IB0D7FaVpSBWvsRWutrjg= ## 34 - The PI-DNS.COM North Europe DNS TLS Server A+ ( FIN ) - address_data: 95.216.181.228 tls_auth_name: "dot.northeu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: xb6yo+7vmxFhyrA+NV1ZOKBGHuA03J4BjTwkWjZ3uZk= ## 35 - The PI-DNS.COM East Australia DNS TLS Server A+ ( AUS ) - address_data: 45.63.30.163 tls_auth_name: "dot.eastau.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 0oVEbW/240sc4++zXjICyOO4XKTIEewY9zY5G5v9YnY= ## 36 - The PI-DNS.COM East Asia DNS TLS Server A+ ( USA ) - address_data: 66.42.33.135 tls_auth_name: "dot.eastas.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3dV7cgTZbmHD/JTfocBI6FvoyGevpZf2n5k2fG4uVr8= ## 37 - The Snopyta DNS TLS Server A+ ( FIN ) - address_data: 95.216.24.230 tls_auth_name: "fi.dot.dns.snopyta.org" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: cYf+8BXhzbBmQe6qP+BHzLb2UZ/rgOspuyCmk2aVhlE= ## 38 - The NixNet Uncensored Las Vegas DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.lv1.dns.nixnet.xyz" ) - address_data: 209.141.34.95 tls_auth_name: "uncensored.lv1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ua+l/cIZ9dbJPExk4grit6qFZWmQZcoIoMBvMLwUDHc= ## 39 - The NixNet Uncensored New York DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.ny1.dns.nixnet.xyz" ) - address_data: 199.195.251.84 tls_auth_name: "uncensored.ny1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P8A1QEHTXs7QSmAuwR4FupMd3L/OW9TXbTXcFaazzoU= ## 40 - The NixNet Uncensored Luxembourg DNS TLS Server A+ ( LUX ) ## - or use ( tls_auth_name: "adblock.lux1.dns.nixnet.xyz" ) - address_data: 104.244.78.231 tls_auth_name: "uncensored.lux1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ncPZ5vhEPiv7VOf2nesJW9GYOGZ48MsAhzd4PO+3NJQ= ## 41 - The Lelux.fi DNS TLS Server A+ ( FRA Hosted In GBR ) - address_data: 51.158.147.50 tls_auth_name: "resolver-eu.lelux.fi" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8ZpLg8m7CE41EnXddCRJGsaWK2UVjy2UnhPo/7BsPIo= ## 42 - The Lightning Wire Labs DNS TLS Server A+ ( DEU ) - address_data: 81.3.27.54 tls_auth_name: "recursor01.dns.lightningwirelabs.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 9QRO8JyJCVMU+KAO9acW5xfQnSXRuj1OqAz5aZHwH+4= ## 43 - The Hostux DNS TLS Server A+ ( LUX ) - address_data: 185.26.126.37 tls_auth_name: "dns.hostux.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P0gaP31TQQzAIN3DomM5vXS3+8oCgYcTA/ZJ09Jw4QE= ## 44 - The dnsforge.de DNS TLS Server #1 A+ ( DEU ) - address_data: 176.9.1.117 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= ## 45 - The dnsforge.de DNS TLS Server #2 A+ ( DEU ) - address_data: 176.9.93.198 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= # 46 - The Freifunk München DNS TLS Server A+ ( DEU ) - address_data: 195.30.94.28 tls_auth_name: "doh.ffmuc.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: vAgfcoO9rzejY7Pdv9MK9DymLvYYJ4PF5V1QzReF4MU= # 47 - The doh.defaultroutes.de DNS TLS Server A+ ( DEU ) - address_data: 5.45.107.88 tls_auth_name: "doh.defaultroutes.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: p7t6DDebAlM1rwkrJgZJ6CDkuJG0Ff5PKYZ8bUPQCM0= ## 48 - The CIRA Canadian Shield DNS TLS Servers A+ ( CAN ) - address_data: 149.112.121.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= - address_data: 149.112.122.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= # 49 - The dns.dnshome.de DNS TLS Server #1 A+ ( DEU ) - address_data: 185.233.106.232 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= - address_data: 185.233.107.4 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= ## 50 - The Usable Privacy DNS TLS Server A+ ( DEU / AUT ) - address_data: 149.154.153.153 tls_auth_name: "adfree.usableprivacy.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: wnJgPKtu/QHXHx3QZ7mZuIsNMv85buI5jsdsS9cTU5w= ## 51 - The DeCloudUs DNS TLS Server A+ ( DEU ) - address_data: 176.9.199.152 tls_auth_name: "dot.decloudus.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +rBZZHFEVTmFwA8RuR9I5vdPqqaBSighP7rcoWgY9MI= ## 52 - The Arapurayil DNS TLS Server A+ ( AUS ) - address_data: 3.7.156.128 tls_auth_name: "dns.arapurayil.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: c3S8JssMSrXuMjDfjwzXHoO4RQckTYTTeUThdW+meo0= ## 53 - The Hurricane Electric DNS TLS Server A+ ( USA ) - address_data: 74.82.42.42 tls_auth_name: "ordns.he.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: G9pQNrYB98Wll0AmBF/GsMMn6gaDbXDnInV1je1MaPo= ## 54 - The Stéphane Bortzmeyer DNS TLS Server A+ ( FRA ) - address_data: 193.70.85.11 tls_auth_name: "dot.bortzmeyer.fr" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: eHAFsxc9HJW8QlJB6kDlR0tkTwD97X/TXYc1AzFkTFY= ### Anycast Publicly Available DOT Test Servers ### ## 55 - The NixNet Uncensored Anycast DNS TLS Servers ( Anycast ) - address_data: 198.251.90.114 tls_auth_name: "uncensored.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= - address_data: 198.251.90.89 tls_auth_name: "adblock.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= ## 56 - The DNSlify DNS TLS Servers A+ ( Anycast ) - address_data: 185.235.81.1 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= - address_data: 185.235.81.2 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= ### DNS Privacy Anycast DOT Public Resolvers ### ## 57 - The DNS.SB DNS TLS Servers A+ ( Anycast ) - address_data: 185.222.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= - address_data: 185.184.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= ## 58 - The Comss.one DNS TLS Server #1 A+ ( CHN ) - address_data: 92.38.152.163 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= ## 59 - The Comss.one DNS TLS Server #2 A+ ( CHN ) - address_data: 93.115.24.205 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= ## 60 - The Comss.one DNS TLS Server #3 A+ ( CHN ) - address_data: 93.115.24.204 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= Save and Exit Configure Stubby To Implement TLSv1.3 For OPNsense 20.1 And Above Add this entry ( found directly below ) to the bottom of your stubby.yml configuration file ( aka /usr/local/etc/stubby/stubby.yml ) - make sure to skip a line after last entry before appending these settings: # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the #tls_ciphersuites option. This option can also be given per upstream. tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required # for this option. This option can also be given per upstream. tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_min_version: GETDNS_TLS1_2 # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_max_version: GETDNS_TLS1_3 Starting with OPNsense 20.1-RC1 in order for TLSv1.3 protocol to work properly ( read at all ) in your Stubby instance, OpenSSL 1.1.1 must be active and configured in the kernel. OPNsense 20.1-RC1 and above does provide OpenSSL 1.1.1 support. When you have OpenSSL 1.1.1 with TLSv1.3 support simply add the section above in order to set Stubby to implement TLS1.3. The operative lines necessary are these two specifically found at the bottom of the stubby.yml file above: tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" tls_max_version: GETDNS_TLS1_3 See below for TLS1.3 Support Check SSH Commands - openssl s_client -connect 46.101.66.244:853 OR : openssl s_client -connect 45.32.55.94:443 Read Out Will Be Verified By These Lines Below: Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_CHACHA20_POLY1305_SHA256 OR : Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Depending on Configuration on Tested DOT Server Note: You will not get a readout indicating that the selected Tested DOT Server utilizes TLS1.3. This is due to the fact that OPNsense 20.1 does not fully utilize OpenSSL 1.1.1 - When you run command # openssl version - you will see that OPNsense 20.1 still runs on OpenSSL 1.02 - This is slated to be fixed on the next major OPNsense release. Lastly, you can and should take advantage of this new DNS OVER TLS provider. You need to sign up and use configured settings in order to use it. NextDNS is a free service - ANYCAST and pretty much cutting edge. ANYCAST speeds up your DNS - Here it is: NextDNS https://my.nextdns.io/signup or feel free to use and test NextDNS " Try it now for free " Feature go to : https://nextdns.io/ I also strongly encourage you to subscribe to blockerDNS found here : https://blockerdns.com/ This new DOH / DNS OVER TLS provider is the fastest I have run across. blockerDNS is run by Tambe Barsbay a seasoned, thorough and extremely proficient tech practitioner. blockerDNS is based in the U.S. and its infrastructure is hosted on Google Cloud Platform and DigitalOcean. You can view blockerDNS subscription options here : https://blockerdns.com/tryit - Most significantly, Tambe stands by his claim that he offers " Instant support by phone or email ". Overall blockerDNS is a great DNSPRIVACY DNS Service. Tip : The Mobile $0.99 per month option should suffice for most home users. Links : https://tambeb.com/ https://blockerdns.com/blog https://blockerdns.com/support https://blockerdns.com/overview 4 - In order to have OPNsense use default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following : # touch /etc/rc.conf.d/stubby - create the needed new file # nano /etc/rc.conf.d/stubby - in the new file enter the following two lines: stubby_enable="YES" stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh" Save and exit / then make the file executable - once again - works for me : # chmod 744 /etc/rc.conf.d/stubby # chmod a+x /etc/rc.conf.d/stubby 5- Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS. Go To Services > UNBOUND > GENERAL SETTINGS UNDER UNBOUND GENERAL SETTINGS Network Interfaces = Select LAN ONLY ! # IF You Have Multiple Lan Interfaces - Select ALL LAN INTERFACES Under Custom options enter the following : server: forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] ## ( Your One Main LAN Address ) ## END OF ENTRY ## Note : do-not-query-localhost: no ## this entry is necessarily removed ## from this UNBOUND configuration ## Disabling DNS Queries From Localhost ( 127.0.0.1 ) Outgoing Network Interfaces = Select LAN ONLY ! # IF You Have Multiple Lan Interfaces - Select ALL LAN INTERFACES Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings Next -Under System > Settings > General Settings Set the first DNS Server to Your One Main LAN Address ( 192.168.7.11 ) with no gateway selected / Make sure that DNS server option A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked ! and DNS server option B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Checked - I repeat - Is Checked ! - Save and Apply Settings C'est Fini C'est Ci Bon C'est Magnifique Reboot your router just to sure. Lastly, you can check your DNS at GRC DNS Nameserver Spoofability Test - DNSLeak.com - or any such service. Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server. Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default. However, I still add these settings manually. These settings are entered under Unbound " Custom Options": qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes Use either or both of these two methods to verify QNAME Minimisation A - Run command : drill txt qnamemintest.internet.nl and / or B - Run command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for more complete readout including DNSSEC results ). AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated) The results in any of these scenarios will show either: "HOORAY - QNAME minimisation is enabled on your resolver :)!” or “NO - QNAME minimisation is NOT enabled on your resolver :(.” Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4 You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration. VERY IMPORTANT TIP: Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares: DoT servers The following servers are experimental DNS-over-TLS servers. Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!! For these reasons it is most important to check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time. There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to https://blahdns.com/ and scroll down to the section to the yellow section entitled What is DNS OVER TLS click on it and it will open up. When you do it will state some general information, but what you want to pay attention to is this section: How to get SPKI Most Simple and Direct Method: gnutls-cli --print-cert -p 853 159.69.198.101 | grep "pin-sha256" | head -1 And / Or With Adjustment For SSL Port and Address Being Tested gnutls-cli --print-cert -p 443 159.69.198.101 | grep "pin-sha256" | head -1 - where you must pkg install gnutls OR echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 Remember to change port to 443 or port for IPV6 if different than standard 853 where applicable. https://www.dnsleaktest.com/ https://www.perfect-privacy.com/dns-leaktest https://cryptoip.info/dns-leak-test https://www.grc.com/dns/dns.htm https://www.vpninsights.com/dns-leak-test and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test https://bash.ws/dnsleak/test/ Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security.

READ ENTIRE GUIDE BEFORE YOU BEGIN This Tutorial / Guide Was Updated on Jan 15 2020 in order to keep you in step with changes on packages needed for OpenWrt 19.07.0 First you all know the drill by now - " The Intro " we would all have a better world if we remember to practice the concept that - NOW ! is the time for all of US ( A ) to GET UP & GET INVLOVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=1pvIarW3xHg Bonus JB : https://www.youtube.com/watch?v=v8TvBPshngE See here for GETDNS AND STUBBY on OPENWRT / LEDE: https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md - this page is designed for DNS OVER TLS with DNSMASQ but it still is useful and informative . See Here For OPENWRT STUBBY DNS OVER TLS USING DNSMASQ-FULL FOR DNSSEC & CACHING https://forum.openwrt.org/t/stubby-dns-over-tls-using-dnsmasq-full-for-dnssec-caching/19107 UPDATED GUIDE For UNBOUND: ( IF YOU NEED IT ! ) https://torguard.net/forums/index.php?/topic/1509-updated-guide-for-getdns-142-2-stubby-023-3-and-unbound-181-2/ Why I am so damn serious about DNS Privacy ( just watch these when you have time - all at once or in intervals - very educational 😞 https://dnsprivacy.org/wiki/display/DP/IETF+DNS+Privacy+Tutorial https://www.youtube.com/watch?v=2JeYIecfwdc https://www.youtube.com/watch?v=JnxE5RPnyiE Active work is also underway at the IETF on DNS-over-HTTP (DOH) but today the only method standardized by the IETF is DNS-over-TLS. In the world of encryption, it's always safer to go with standardized protocols that have gone through a rigorous review process. Unfortunately DNSCrypt has not been standardized yet, and some of the ways it uses cryptography are unusual. If you need more storage and swap memory for your router see here: http://ediy.com.my/index.php/blog/item/118-how-to-increase-storage-on-tp-link-tl-mr3020-with-extroot and here: https://samhobbs.co.uk/2013/11/more-space-for-packages-with-extroot-on-your-openwrt-router For partitioning USB external flash drives I personally prefer GParted Live and / or MiniTool Partition Wizard 9.1 Boot Iso and both work great - found here: https://gparted.org/download.php and here respectively https://www.chip.de/downloads/Partition-Wizard-Bootable-CD_38297298.html For all of those who are using UNBOUND with tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt option: found here This will have to wait until OpenSSL 1.1.x .From Unbound Recursive DNS Server with UCI found here: https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md And Look for section at the bottom entitled HOW TO: TLS Over DNS read this: NOTICE: Unbound requires openssl-1.1.0 to verify host certificates. OpenWrt at present is configured with openssl-1.0.2. Connections will be over TLS, but theoretically, certificates may not be from a trusted source. See report https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658 When this is resolved, it will be recommended again to install ca-bundle, maintain it, and be sure to include the TLS certificate domain index with the host addresses. For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OPENDNSSEC and now GETDNS ( and STUBBY ) see here: https://www.nlnetlabs.nl/ https://www.nlnetlabs.nl/projects/getdns/ Yes I run GETDNS and STUBBY. For those who wish to explore GETDNS and STUBBY - this method is the one recommended by DNSPRIVACY - see here : https://getdnsapi.net/ 5 https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby 2 https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound 3 - please read this carefully - you will note that it indicates : Unbound As A DNS TLS Client Features: Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder). These are the reasons I choose to use GETDNS and STUBBY with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt So here we go. I was asked by a still skeptical devotee of DOH " What makes this way better than just running the DNS-over-https-proxy ? My answer was : Read this and make your decisions and conclusions concerning DOH vs DOT . Here is the article below : https://www.netmeister.org/blog/doh-dot-dnssec.html Bottom Line Conclusion From Jan Schaumann - The Author of This Blog Entry : For that, my current preference is quite clearly DNS-over-TLS: I fear a bifurcation of DNS resolution by apps combined with the push for using public resolvers with DoH will lead to a more complex environment and threat model for many users. Short Synopsis of DOH: In other words , ( with DOH ) we gain the same protections as with DoT for our web applications, but leaves all other DNS traffic vulnerable. Subsequently, as a matter of fact and in practice with DNS OVER TLS ALL DNS traffic is invulnerable and protected.This is why I run DOT and eschew DOH on my OPNsense Router. Further, Personally, I run GETDNS STUBBY and UNBOUND as described here along with ( wait for it ) FireFox DOH along with Encrypted SNI - plus TLS v 1.3 in Stubby and naturally a properly configured and encrypted VPN - FYI, David Mora aka iamperson347 the developer and maintainer of GETDNS and STUBBY package for OpenWRT / LEDE assisted me in putting this all together. Dave strongly suggested using DNSMASQ for DHCP and UNBOUND and STUBBY for DNS OVER TLS. Dave's reason was that OpenWrt / Lede performs best when configured in this fashion. Directly from David Mora aka iamperson347 the developer and maintainer of GETDNS and STUBBY and I quote: "I recommend running Unbound to utilize the caching. Sometimes the connections from stubby to the resolver can have a little but of lag, so caching + prefetch helps minimize the effects." Unbound is a recursive caching DNS Resolver - which by design and definition speeds up your DNS RESOLUTION. DNS addresses are stored in the cache and called upon and directed to almost IMMEDIATELY ! ( Query time: 0 msec ) resolve dns addresses in subsequent DNS look ups after your first visit to cached objects. A small number has questioned DNS OVER TLS and the supposed complexity of this setup vis a’ vis DNSCrypt. DNSCrypt has always been suggested to best deployed when forwarded to Unbound as a Caching Server. In effect, this methodology simply drops Stubby and GetDns in place instead of DNSCrypt. The use of DNSMasq for DHCP is particular to OpenWRT / LEDE. However, it is a fairly simple and straightforward task to setup DNSMasq for purposes of DHCP and well described and referenced in this tutorial. Lastly, GetDns and Stubby do allow for TLS OVER Port 443 and I have amended this guide to reflect that option for those who may worry about being blocked behind a firewall while using TLS OVER Port 853. https://www.nlnetlabs.nl/projects/unbound/about/ This method combines Unbound (as a caching proxy) and Stubby (as fully featured TLS forwarder). Stubby is essential - please read the following: Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby is developed by the getdns project. Stubby is essential - please read the following: https://dnsprivacy.org/wiki/display/DP/About+Stubby I run GETDNS and STUBBY with Unbound DNS and Dnsmasq for DHCP. You can use odhcpd which will handle both DNS and DHCP where you disable and/ or remove DNSMASQ - but you will experience a performance hit. This why I use Unbound/ STUBBY for DNS and Dnsmasq for DHCP . Here is a basic guide as to how to do it - https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ 5 However a few modifications are necessary in order to to have GetDns and Stubby up and running and successfully integrated with Unbound DNS and Dnsmasq for DHCP. I will write up a guide here - but don’t give me a hard time later on. Directly From DNS Privacy Website: Stubby is an experimental implementation of a DNS Privacy enabled stub resolver. It is currently suitable for advanced/technical users - all feedback is welcome! Also see https://dnsprivacy.org/ for more information on DNS Privacy. I have read here: https://www.monperrus.net/martin/randomization-encryption-dns-requests that Also, it is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses. By the way I run Davidc502 LEDE Snapshots - Moderately Customized LEDE Development Builds for Linksys 1900ac v.1 and 1900ac v.2, 1900acs v.1 v.2, 3200acm, WRT32X and 1200ac v.1 v.2 series routers. These builds keep up to date package repositories.. GetDns and Stubby are included. Dave's Builds have many other pre-installed common packages as well.. Check out homepage and downloads here: https://davidc502sis.dynamic-dns.net/ and downloads here: https://davidc502sis.dynamic-dns.net/snapshots/ . In addition, there is a very informative, instructive and active thread ( forum ) for Dave's builds and discussion of many OpenWrt / Lede packages, features, and issues. In short great technical advice and assistance can be found here: https://forum.openwrt.org/t/davidc502-wrt1200ac-wrt1900acx-wrt3200acm-wrt32x-builds/ Dave releases new updated builds every two weeks - near the middle and first of each month. - As always - opkg update first and foremost Prerequisite You have a ca cert bundle installed on your router. You can do this by running the following opkg install ca-certificates Now Let’s Move On 1 - opkg update ; opkg install unbound-daemon-heavy unbound-control unbound-control-setup luci-app-unbound unbound-anchor unbound-host unbound-checkconf odhcpd 2 - opkg update ; opkg install stubby getdns 3- My WORKING CONFIGS /etc/unbound/unbound_srv.conf ( Must Adjust For Your Router - I Run WRT1900ACS and WRT3200ACM So I Have Plenty Of Ram, Storage and 2 CPU's ) You should " Optimize Unbound " - especially increase size of cache among other things see guide here and adjust for your router's memory , number of cores and so on- see here: https://nlnetlabs.nl/documentation/unbound/howto-optimise/ for basic guide ( Simply Copy and Paste Into Your SSH Session and Hit Enter ) cat >> /etc/unbound/unbound_srv.conf <<UNBOUND_SERVER_CONF server: # use all CPUs num-threads: 2 # power of 2 close to num-threads msg-cache-slabs: 4 rrset-cache-slabs: 4 infra-cache-slabs: 4 key-cache-slabs: 4 # more cache memory, rrset=msg*2 rrset-cache-size: 256m msg-cache-size: 128m # more outgoing connections # depends on number of cores: 1024/cores - 50 outgoing-range: 8192 # Larger socket buffer. OS may need config. so-rcvbuf: 4m so-sndbuf: 4m cache-min-ttl: 3600 cache-max-ttl: 86400 hide-identity: yes hide-version: yes hide-trustanchor: yes harden-glue: yes harden-dnssec-stripped: yes infra-cache-numhosts: 100000 num-queries-per-thread: 4096 max-udp-size: 3072 minimal-responses: yes rrset-roundrobin: yes use-caps-for-id: no do-ip6: no do-ip4: yes do-tcp: yes do-udp: yes prefetch: yes prefetch-key: yes qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes aggressive-nsec: yes so-reuseport: yes unwanted-reply-threshold: 10000000 interface-automatic: yes verbosity: 1 private-domain: "your.domain" ## put your domain here do-not-query-localhost: no harden-referral-path: yes target-fetch-policy: "0 0 0 0 0" val-clean-additional: yes ip-ratelimit: 300 ip-ratelimit-factor: 10 incoming-num-tcp: 100 edns-buffer-size: 1472 UNBOUND_SERVER_CONF As per guide :# Don’t let each server know the next recursion Enter via SSH command line: uci set ‘[email protected][0].query_minimize=1’ I choose to use the /etc/stubby/stubby.yml file to configure STUBBY. My reasons for preferring to configure Stubby with the /etc/stubby/stubby.yml file instead of the now default UCI system /etc/config/stubby file are for several reasons. I found that I have more control over the security options which DNS OVER TLS is intended to provide. Like padding - 853 or 443 port and so on. So in order to use /etc/stubby/stubby.yml file, you must change a default setting in the /etc/config/stubby file to allow manual configuration. To keep this simple - go into default UCI STUBBY file which is /etc/config/stubby by entering nano /etc/config/stubby and then set option manual '1' - if you leave it at default setting of option manual 'o' you will not be able to use the /etc/stubby/stubby.yml file in order to configure STUBBY as before. So, after changing option manual '1' in the /etc/config/stubby file - configure /etc/stubby/stubby.yml as follows : 4 - My WORKING CONFIG /etc/stubby/stubby.yml I prefer to run these DNS TLS SERVERS as they tend to be stable most all of the time. However, even if you run ssl-upstream with Unbound you still will need to monitor real time status of DNS Privacy Test Servers. So, Stubby is still the full featured way to go. See all DNS TLS SERVERS here if you choose to run others: DNS Privacy Test Servers https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers You can and should also check real time status of DNS Privacy Servers as they are experimental and are not always stable - you can monitor Dns Servers Real Time Status here below: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ Here is a list of all DNS Privacy Servers in the raw. Add ( tls_port: 853 ) after ( - address_data: ) entry: https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example See here for how to configure Stubby: https://github.com/getdnsapi/stubby DNS OVER TLS ABSOLUTE BEST CONFIGURATION FOR STUBBY FOR THE REASONS DETAILED BELOW: nano /etc/stubby/stubby.yml - replace contents of file with configuration below: VERY IMPORTANT UPDATE: After checking, rechecking and the triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/ 1 I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is: # All DNS Privacy Servers Below Tested and Updated On August 21 2020 With A+ Rating - # 100% Perfecto Configuration on website: https://www.immuniweb.com/ssl/?id=Su8SeUQ4n # These servers support the most recent and secure TLS protocol version of TLS 1.3 ** # Good configuration - These server configurations support only TLSv1.2 and TLSv1.3 protocols - current most secure encryption. # Also I have added the Country Locations of These DNS PRIVACY Servers using the Alpha 3 Code Format # see country code lists here : # https://www.nationsonline.org/oneworld/country_code_list.htm or https://www.iban.com/country-codes # Use as many or as few depending on your specific needs # Note: by default on OpenWRT stubby configuration is handled via # the UCI system and the file /etc/config/stubby. If you want to # use this file to configure stubby, then set "option manual '1'" # in /etc/config/stubby. resolution_type: GETDNS_RESOLUTION_STUB round_robin_upstreams: 1 appdata_dir: "/var/lib/stubby" tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 edns_client_subnet_private: 1 idle_timeout: 9000 listen_addresses: - [email protected] dns_transport_list: - GETDNS_TRANSPORT_TLS tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 tls_ca_path: "/etc/ssl/certs/" upstream_recursive_servers: ### IPV4 Servers ### ### DNS Privacy DOT Test Servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 185.49.141.37 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## 2 - The Surfnet/Sinodun DNS TLS Server #3 A+ ( NLD ) - address_data: 145.100.185.18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## 3 - The The Surfnet/Sinodun DNS TLS Server A ( NLD ) - address_data: 145.100.185.15 tls_auth_name: "dnsovertls.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= ## 4 - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD ) - address_data: 145.100.185.16 tls_auth_name: "dnsovertls1.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= ## 5 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) - address_data: 199.58.81.218 tls_auth_name: "dns.cmrg.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= ## 6 - The BlahDNS Japan DNS TLS Server A+ ( JPN ) - address_data: 45.32.55.94 tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: gIoiNFxX1Nw+7/pVsmUKBU941bMBYjEYuB2T9drULOM= ## 7 - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU ) - address_data: 159.69.198.101 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: YZeyeJf/suAR2fMHLc9RDPkcQi/e8EEnzk5Y1N90QQE= ## 8 - The BlahDNS Finland DNS TLS Server A+ ( FIN ) - address_data: 95.216.212.177 tls_auth_name: "dot-fi.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc= ## 9 - The dns.neutopia.org DNS TLS Server A+ ( FRA ) - address_data: 89.234.186.112 tls_auth_name: "dns.neutopia.org" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= ## 10 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 94.130.106.88 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 78kfbZFJaxGrAl+0hkiyWER0ajTgFL/KxMAZQHSNhWU= ## 11 - The Foundation for Applied Privacy DNS TLS Server #2 A+ ( AUT ) - address_data: 93.177.65.183 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 78kfbZFJaxGrAl+0hkiyWER0ajTgFL/KxMAZQHSNhWU= ## 12 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR ) - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Bt3fAHJeDPU2dneCx9Md6zTiKhzWtZ152To0j0f32Us= ## 13 - The Rubyfish Internet Tech DNS TLS Server A+ ( CHN ) - address_data: 115.159.131.230 tls_auth_name: "dns.rubyfish.cn" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: DBDigty3zDS7TN/zbQOmnjZ0qW+qbRVzlsDKSsTwSxo= ## 14 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) - address_data: 80.67.188.188 tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= ## This certificate is currently expired which ## does not pose any concerns in SPKI mode ## (in practice with Stubby) ## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/ ## 15 - The DNSPRIVACY.at TLS Server #1 A+ ( DEU ) - address_data: 94.130.110.185 tls_auth_name: "ns1.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Fr9YdIAIg7TXJLLHp0XbeWKBS2utev0stoEIb+7rZjM= ## 16 - The DNSPRIVACY.at TLS Server #2 A+ ( DEU ) - expired 2020-04-01 - address_data: 94.130.110.178 tls_auth_name: "ns2.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 68MH4G5hipbK1xYATBFgA+/DNLDd333oXr22QyB/RRo= # 17 - The ibksturm.synology.me DNS TLS Server A+ ( CHE ) - address_data: 85.5.93.230 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: npNOnBcLbvZWZgdmcuFaEqYJbaGjBlHMf9DknDoIkgg= ## 18 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL ) - address_data: 46.239.223.80 tls_auth_name: "dns.flatuslifir.is" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OvqVajUX+2j/xfYqPZid2Z8DMX2Vex8geaYw0UG77BE= ### Publicly Available DOT Test Servers ### ## 19 - The ContainerPI.com - CPI DNS TLS Server A+ ( JPN ) - address_data: 45.77.180.10 tls_auth_name: "dns.containerpi.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: xz8kGlumwEGkPwJ3QV/XlHRKCVNo2Fae8bM5YqlyvFs= ## 20 - The FEROZ SALAM DNS TLS Server A+ ( GBR ) - address_data: 46.101.66.244 tls_auth_name: "doh.li" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: fiOT+xcarY8uz1UBZ0DzA+Gi5kcSHdBDrofcsZL3HGo= ## 21 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR ) - address_data: 217.169.20.23 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: BrjhBir4pbQ0+uTjlViVlc5qf1172WLQxDWevO/4bKI= ## 22 - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR ) - address_data: 217.169.20.22 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 1Mu+KSivSkoBfLiCzL+8xhg1YO7xmAjPJAJkjrv5ZvA= ## 23 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS ) - address_data: 45.76.113.31 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM= ## 24 - The dns.seby.io - OVH DNS TLS Server A+ ( AUS ) - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw= ## 25 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE ) - address_data: 185.95.218.43 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OHdm30CP5hu1KI1bLnIokKL1eKbLNWQvN9bNsXb5TJQ= ## 26 - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE ) - address_data: 185.95.218.42 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: W0CoacPgp4VP2zsOt2ERQuFqXTG37ud5t3ClB5Xh7dY= ## 27 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA ) - address_data: 168.235.81.167 tls_auth_name: "dns-nyc.aaflalo.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: NZqlaEd1y4tc4z2s/GcclhKlOQtynBKtbomw1dVCydU= ## 28 - The Privacy-First DNS TLS Server #1 A+ ( JPN ) - address_data: 172.104.93.80 tls_auth_name: "jp.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +Q7ZdLW0QXokd2OY/vUJm10ZAnm2KFC+ovJfm5++hDc= ## 29 - The Privacy-First DNS TLS Server #2 A+ ( SGP Hosted In USA ) - address_data: 174.138.29.175 tls_auth_name: "dot.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +zKyo0IWR+e38Yw2KN7pMAkktQSjZUGN4h7BoYLytTk= ## 30 - The ibuki.cgnat.net DNS TLS Server A+ ( USA ) - address_data: 35.198.2.76 tls_auth_name: "ibuki.cgnat.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: gWjnc5JNaub1U83vNZtyY/7f1ZYH+Zwt+LWLeTzbLEU= ## 31 - The PI-DNS.COM West USA DNS TLS Server A+ ( USA ) - address_data: 45.67.219.208 tls_auth_name: "dot.westus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: R9/K3atF+ZHuBAVREmFiTX5N0qse+JIqoMF+usZ2dZg= ## 32 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA ) - address_data: 185.213.26.187 tls_auth_name: "dot.eastus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: oZQKQh794UHpdtZc/7CG+9VUw+3uGIrQFfAhCvYcds4= ## 33 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU ) - address_data: 88.198.91.187 tls_auth_name: "dot.centraleu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ZdED9Ry+FfdsbpGVr2IxR/IB0D7FaVpSBWvsRWutrjg= ## 34 - The PI-DNS.COM North Europe DNS TLS Server A+ ( FIN ) - address_data: 95.216.181.228 tls_auth_name: "dot.northeu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: xb6yo+7vmxFhyrA+NV1ZOKBGHuA03J4BjTwkWjZ3uZk= ## 35 - The PI-DNS.COM East Australia DNS TLS Server A+ ( AUS ) - address_data: 45.63.30.163 tls_auth_name: "dot.eastau.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 0oVEbW/240sc4++zXjICyOO4XKTIEewY9zY5G5v9YnY= ## 36 - The PI-DNS.COM East Asia DNS TLS Server A+ ( USA ) - address_data: 66.42.33.135 tls_auth_name: "dot.eastas.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3dV7cgTZbmHD/JTfocBI6FvoyGevpZf2n5k2fG4uVr8= ## 37 - The Snopyta DNS TLS Server A+ ( FIN ) - address_data: 95.216.24.230 tls_auth_name: "fi.dot.dns.snopyta.org" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: cYf+8BXhzbBmQe6qP+BHzLb2UZ/rgOspuyCmk2aVhlE= ## 38 - The NixNet Uncensored Las Vegas DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.lv1.dns.nixnet.xyz" ) - address_data: 209.141.34.95 tls_auth_name: "uncensored.lv1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ua+l/cIZ9dbJPExk4grit6qFZWmQZcoIoMBvMLwUDHc= ## 39 - The NixNet Uncensored New York DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.ny1.dns.nixnet.xyz" ) - address_data: 199.195.251.84 tls_auth_name: "uncensored.ny1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P8A1QEHTXs7QSmAuwR4FupMd3L/OW9TXbTXcFaazzoU= ## 40 - The NixNet Uncensored Luxembourg DNS TLS Server A+ ( LUX ) ## - or use ( tls_auth_name: "adblock.lux1.dns.nixnet.xyz" ) - address_data: 104.244.78.231 tls_auth_name: "uncensored.lux1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ncPZ5vhEPiv7VOf2nesJW9GYOGZ48MsAhzd4PO+3NJQ= ## 41 - The Lelux.fi DNS TLS Server A+ ( FRA Hosted In GBR ) - address_data: 51.158.147.50 tls_auth_name: "resolver-eu.lelux.fi" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8ZpLg8m7CE41EnXddCRJGsaWK2UVjy2UnhPo/7BsPIo= ## 42 - The Lightning Wire Labs DNS TLS Server A+ ( DEU ) - address_data: 81.3.27.54 tls_auth_name: "recursor01.dns.lightningwirelabs.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 9QRO8JyJCVMU+KAO9acW5xfQnSXRuj1OqAz5aZHwH+4= ## 43 - The Hostux DNS TLS Server A+ ( LUX ) - address_data: 185.26.126.37 tls_auth_name: "dns.hostux.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P0gaP31TQQzAIN3DomM5vXS3+8oCgYcTA/ZJ09Jw4QE= ## 44 - The dnsforge.de DNS TLS Server #1 A+ ( DEU ) - address_data: 176.9.1.117 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= ## 45 - The dnsforge.de DNS TLS Server #2 A+ ( DEU ) - address_data: 176.9.93.198 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= # 46 - The Freifunk München DNS TLS Server A+ ( DEU ) - address_data: 195.30.94.28 tls_auth_name: "doh.ffmuc.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: vAgfcoO9rzejY7Pdv9MK9DymLvYYJ4PF5V1QzReF4MU= # 47 - The doh.defaultroutes.de DNS TLS Server A+ ( DEU ) - address_data: 5.45.107.88 tls_auth_name: "doh.defaultroutes.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: p7t6DDebAlM1rwkrJgZJ6CDkuJG0Ff5PKYZ8bUPQCM0= ## 48 - The CIRA Canadian Shield DNS TLS Servers A+ ( CAN ) - address_data: 149.112.121.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= - address_data: 149.112.122.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= # 49 - The dns.dnshome.de DNS TLS Server #1 A+ ( DEU ) - address_data: 185.233.106.232 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= - address_data: 185.233.107.4 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= ## 50 - The Usable Privacy DNS TLS Server A+ ( DEU / AUT ) - address_data: 149.154.153.153 tls_auth_name: "adfree.usableprivacy.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: wnJgPKtu/QHXHx3QZ7mZuIsNMv85buI5jsdsS9cTU5w= ## 51 - The DeCloudUs DNS TLS Server A+ ( DEU ) - address_data: 176.9.199.152 tls_auth_name: "dot.decloudus.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: +rBZZHFEVTmFwA8RuR9I5vdPqqaBSighP7rcoWgY9MI= ## 52 - The Arapurayil DNS TLS Server A+ ( AUS ) - address_data: 3.7.156.128 tls_auth_name: "dns.arapurayil.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: c3S8JssMSrXuMjDfjwzXHoO4RQckTYTTeUThdW+meo0= ## 53 - The Hurricane Electric DNS TLS Server A+ ( USA ) - address_data: 74.82.42.42 tls_auth_name: "ordns.he.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: G9pQNrYB98Wll0AmBF/GsMMn6gaDbXDnInV1je1MaPo= ## 54 - The Stéphane Bortzmeyer DNS TLS Server A+ ( FRA ) - address_data: 193.70.85.11 tls_auth_name: "dot.bortzmeyer.fr" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: eHAFsxc9HJW8QlJB6kDlR0tkTwD97X/TXYc1AzFkTFY= ### Anycast Publicly Available DOT Test Servers ### ## 55 - The NixNet Uncensored Anycast DNS TLS Servers ( Anycast ) - address_data: 198.251.90.114 tls_auth_name: "uncensored.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= - address_data: 198.251.90.89 tls_auth_name: "adblock.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= ## 56 - The DNSlify DNS TLS Servers A+ ( Anycast ) - address_data: 185.235.81.1 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= - address_data: 185.235.81.2 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= ### DNS Privacy Anycast DOT Public Resolvers ### ## 57 - The DNS.SB DNS TLS Servers A+ ( Anycast ) - address_data: 185.222.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= - address_data: 185.184.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= ## 58 - The Comss.one DNS TLS Server #1 A+ ( CHN ) - address_data: 92.38.152.163 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= ## 59 - The Comss.one DNS TLS Server #2 A+ ( CHN ) - address_data: 93.115.24.205 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= ## 60 - The Comss.one DNS TLS Server #3 A+ ( CHN ) - address_data: 93.115.24.204 tls_port: 853 tls_auth_name: "dns.comss.one" tls_pubkey_pinset: - digest: "sha256" value: biGOXwJ1zClsvIfsjqV1FOdRq1jZdw5Sy61AqrlgKj4= # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the #tls_ciphersuites option. This option can also be given per upstream. tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required # for this option. This option can also be given per upstream. tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_28_GCM_SHA256" # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_min_version: GETDNS_TLS1_2 # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_max_version: GETDNS_TLS1_3 Save and Exit In order for TLSv1.3 protocol to work properly ( read at all ) in your Stubby instance, OpenWrt must have OpenSSL 1.1.1 active and configured in the kernel. Any OpenWrt 18.06 Build does not offer OpenSSL 1.1.1 in any shape, form or fashion. OpenWrt 19.07.0 Release Candidates and Snapshots do provide OpenSSL 1.1.1 support. As I have mentioned, I run Davidc502 OpenWrt Snapshots - moderately customized Builds for Linksys wrt1200ac wrt1900acx wrt3200acm wrt32x Routers found here: https://dc502wrt.org/ - These Builds come out approximately every two weeks with the latest Linux Kernels, software packages and other bleeding edge features including OpenSSL 1.1.1 with TLSv1.3 support. Once you have OpenSSL 1.1.1 with TLSv1.3 simply follow the guide above in order to set Stubby to implement TLS1.3. The operative lines necessary are these two specifically found at the bottom of the stubby.yml file above: tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" tls_max_version: GETDNS_TLS1_3 See below for TLS1.3 Support Check SSH Commands - openssl s_client 168.235.81.167:853 OR - openssl s_client 159.69.198.101:443 Read Out Will Be Verified By These Lines Below: Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_CHACHA20_POLY1305_SHA256 OR : Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Depending on Configuration on Tested DOT Server Lastly, you can and should take advantage of this new DNS OVER TLS provider. You need to sign up and use configured settings in order to use it. NextDNS is a free service - ANYCAST and pretty much cutting edge. ANYCAST speeds up your DNS - Here it is: NextDNS https://my.nextdns.io/signup or feel free to use and test NextDNS " Try it now for free " Feature go to : https://nextdns.io/ I also strongly encourage you to subscribe to blockerDNS found here : https://blockerdns.com/ This new DOH / DNS OVER TLS provider is the fastest I have run across. blockerDNS is run by Tambe Barsbay a seasoned, thorough and extremely proficient tech practitioner. blockerDNS is based in the U.S. and its infrastructure is hosted on Google Cloud Platform and DigitalOcean. You can view blockerDNS subscription options here : https://blockerdns.com/tryit - Most significantly, Tambe stands by his claim that he offers " Instant support by phone or email ". Overall blockerDNS is a great DNSPRIVACY DNS Service. Tip : The Mobile $0.99 per month option should suffice for most home users. Links : https://tambeb.com/ https://blockerdns.com/blog https://blockerdns.com/support https://blockerdns.com/overview All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details : https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under " Logging " column. DNS query name minimisation to improve privacy, along with DNS resolution speed and accuracy - Run Test After Completing Full Setup These name servers listed above help to consistently ensure QNAME Minimisation functions as designed within UNBOUND ( The idea is to minimise the amount of data sent from the DNS resolver to the authoritative name server. ) Use either or both of these two methods to verify QNAME Minimisation A - You need to opkg install drill and - then run command : drill txt qnamemintest.internet.nl and / or B - opkg install bind-dig or opkg install bind-tools with command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for more complete readout including DNSSEC results ). AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated) The results in any of these scenarios will show either: "HOORAY - QNAME minimisation is enabled on your resolver :)!” or “NO - QNAME minimisation is NOT enabled on your resolver :(.” Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4 You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration. Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default. However, I still add these settings manually. These settings are entered in " /etc/unbound/unbound_srv.conf " file. qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes See configuration above in Step # 3 . 5 - MY WORKING CONFIG /etc/unbound/unbound_ext.conf ( Simply Copy and Paste Into Your SSH Session and Hit Enter ) cat >> /etc/unbound/unbound_ext.conf <<UNBOUND_FORWARD_CONF forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] # Forward Unbound To Stubby Address/Port UNBOUND_FORWARD_CONF 6 - From The Guide referred to in the link above - self explanatory: # Move dnsmasq to port 53535 where it will still serve local DNS from DHCP# Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535 Enter via SSH command line: uci set ‘[email protected][0].port=53535’ uci add_list “dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)” uci set ‘[email protected][0].dhcp_link=dnsmasq’ uci commit /etc/init.d/unbound restart 7 - From https://github.com/openwrt/packages/tree/master/net/unbound/files HOW TO Integrate with DHCP Parallel DNSMASQ /etc/config/dhcp After Some Reflection and Observations - Fine Tuning Your DNS Resolver After reading System Logs I realized that there is a need to amend DNSMASQ ( DHCP ) after implementing option noresolv ‘1’ in /etc/config/dhcp configuration file. This dawned on me from my years of running DNSCRYPT Proxy on OpenWrt. I referred to this guide: Go to this section near bottom of page. Use specific DNS server to lookup one or more host names https://www.leowkahman.com/2016/05/23/openwrt-encrypted-dns-lookup-using-multiple-dnscrypt-servers/ option noresolv ‘1’ is to prevent using any upstream DNS server other than those specified in this file # this file being: /etc/config/dhcp Solution is as follows add these two lines to /etc/config/dhcp: nano /etc/config/dhcp - enter these lines before / option domain ‘yourdomain’ list server '127.0.0.1#5453' # Stubby/Unbound Default Address/Port option noresolv ‘1’ # Make sure to change this as indicated or Via Uci uci add_list [email protected][-1].server='127.0.0.1#5453' uci set [email protected][-1].noresolv=1 uci commit && reload_config 7A - Disable Sending DNS Requests to ISP Provided DNS Servers uci set network.wan.peerdns='0' uci set network.wan.dns='127.0.0.1' uci commit && reload_config After you complete all the steps in this tutorial and restart your Router Check Status > System Log - You will find an entry like the one below: daemon.info dnsmasq[8532]: using nameserver 127.0.0.1#5453 - which indicates that your OpenWrt Router is using Unbound and Stubby for Encrypted DNS Resolution 8 - Working /etc/config/unbound file nano /etc/config/unbound config unbound option add_extra_dns '0' option add_local_fqdn '1' option add_wan_fqdn '0' option dhcp4_slaac6 '0' option dns64 '0' option dns64_prefix '64:ff9b::/96' option domain "your.domain" ## put your domain here option domain_type 'static' option edns_size '1280' option extended_stats '1' option hide_binddata '1' option extended_luci '1' option luci_expanded '1' option listen_port '53' option localservice '1' option manual_conf '0' option protocol 'ip4_only' option query_min_strict '1' option rebind_localhost '0' option rebind_protection '1' option recursion 'default' option resource 'medium' option root_age '28' option ttl_min '120' option unbound_control '2' option validator '1' option validator_ntp '1' option verbosity '2' list trigger_interface 'lan' list trigger_interface 'wan' option query_minimize '1' option dhcp_link 'dnsmasq' VERY IMPORTANT STEP: Now run /etc/init.d/unbound restart one more time. When you do this you will see that your unbound root.key will be installed to /var/lib/unbound/root.key and also it will install root.key to /etc/unbound/root.key. This will automatically configure DNSSEC on your router. The function also lists your auto-trust anchor in your /var/lib/unbound/unbound.conf file. You will now be running DNS OVER TLS with GETDNS and Stubby on LEDE / OpenWrt Make sure to follow this guide precisely and it works GREAT!!! You can check logs under Services > Recursive DNS > Status > Log - you will see that you have a caching encrypted DNS Resolver !!! You can install - opkg install bind-dig or opkg install bind-tools in order to be able to issue dig commands in order to check DNS resolution if you opt to - as you test you will see that your cache is working also. Bonus Setup Option ( Highly Recommended ) - Install WatchCat http://www.ibuyopenwrt.com/index.php/2-uncategorised/224-watchcat-reboot-on-internet-drop I set "Reboot on Internet Connection Lost" option. I have WatchCat set to ping Fourth Estate DNS address - 179.43.139.226 - every 20 minutes. This will keep your router up and running consistently. Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security. Lastly, you can check your DNS at GRC Spoofability Test - DNS Leak - or any of such service. Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server. VERY IMPORTANT TIP: Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares: DoT servers The following servers are experimental DNS-over-TLS servers. Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified.Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!! For these reasons it is most important to check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time. There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to https://blahdns.com/ and scroll down to the section to the yellow section entitled What is DNS OVER TLS click on it and it will open up. When you do it will state some general information, but what you want to pay attention to is this section: How to get SPKI Most Simple and Direct Method: gnutls-cli --print-cert -p 853 159.69.198.101 | grep "pin-sha256" | head -1 And / Or With Adjustment For SSL Port and Address Being Tested gnutls-cli --print-cert -p 443 159.69.198.101 | grep "pin-sha256" | head -1 - where you must opkg install gnutls-utils OR echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 There is also a third option. kdig -d @185.49.141.37 +tls-ca +tls-host=getdnsapi.net example.com - where you must install knot-dig / opkg install knot-dig This is my personal favorite as the readout from this command will list the certificate specifically like so: ;; DEBUG: #1, CN=getdnsapi.net ;; DEBUG: SHA-256 PIN: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= and let you know that the certificate is valid like so: ;; DEBUG: TLS, The certificate is trusted. Remember to change port to 443 or port for IPV6 if different than standard 853 where applicable. To use kdig certificate verification method on an alternate port example: kdig -d @199.58.81.218 -p 443 +tls-ca +tls-host=dns.cmrg.net example.com https:/www.dnsleaktest.com/ https://www.perfect-privacy.com/dns-leaktest/ https://www.grc.com/dns/dns.htm http://www.vpninsights.com/dns-leak-test and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test https://bash.ws/dnsleak/test/ See here for TorGuard Open VPN Setup https://torguard.net/forums/index.php?/topic/1247-lede-openwrt-torguard-vpn-setup/ And now you are cooking with plenty of Gas - c'est fini c'est manifique c'est ci bon