directnupe

OpenWRT NEW AND IMPROVED GETDNS STUBBY AND UNBOUND AKA DNS PRIVACY
LAN Interface For GETDNS and STUBBY Plus UNBOUND
WHY YOU ASK ? ANSWER : IN LIFE ONE SHOULD HAVE OPTIONS

IMPORTANT UPDATED INFORMATION !!! - READ FULL GUIDE BEFORE GETTING STARTED !!!

Stop OpenWRT Router from occasionally allowing UNBOUND Root Hints to resolve queries on its own. This configuration ensures that localhost ( 127.0.0.1 ) will not be used as a resolver on OpenWRT Box. You will only use GETDNS and STUBBY DNS SERVERS if you follow this tutorial. You will use your One Main LAN Interface as the listening interface for STUBBY and the listening and outgoing interface for your UNBOUND DNS RESOLVER  for OpenWRT. So, let's get started.

See Below For Definition and Function Of Unbound Root Hints :
Unbound is a caching DNS resolver. It uses a built in list of authoritative
nameservers for the root zone (.), the so called root hints.
On receiving a DNS query it will ask the root nameservers for an answer and will in almost
all cases receive a delegation to a top level domain (TLD) authoritative nameserver.
Source Document : https://man.openbsd.org/unbound

This is an updated guide / tutorial which explains how to setup adding DNS-Over-TLS support for OpenWRT . First you all know the drill by now - " The Intro " we would all have a better world if we remember to practice the concept that - NOW ! is the time for all of US ( A ) to GET UP & GET INVOLVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=1pvIarW3xHg Bonus JB : https://www.youtube.com/watch?v=v8TvBPshngE I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here :

https://getdnsapi.net/
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound - please read this carefully - you will note that it indicates : Unbound As A DNS TLS Client Features: Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder). These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt  I always set up DNS OVER TLS first before configuring OpenVPN and / or WireGuard on OPNsense - this DNS solution works flawlessly with either VPN protocol. So here we go.

I was asked by a still skeptical devotee of DOH :
" What makes this way better than just running the DNS-over-https-proxy ? "
My answer was : Read this and make your decisions and conclusions concerning DOH vs DOT .
Here is the article below :
https://www.netmeister.org/blog/doh-dot-dnssec.html

Bottom Line Conclusion From Jan Schaumann - The Author of This Blog Entry :
For that, my current preference is quite clearly DNS-over-TLS:

I fear a bifurcation of DNS resolution by apps combined with the
push for using public resolvers with DoH will lead to a more complex
environment and threat model for many users.

Short Synopsis of DOH:
In other words , ( with DOH ) we gain the same
protections as with DoT for our web applications,
but leaves all other DNS traffic vulnerable.

Subsequently, as a matter of fact and in practice
with DNS OVER TLS ALL DNS traffic is invulnerable
and protected. This is why I run DOT and
eschew DOH on my OPNsense Router.

Further, Personally, I run GETDNS STUBBY and UNBOUND as
described here along with ( wait for it )
FireFox DOH along with Encrypted SNI - plus TLS v 1.3 in Stubby
and naturally a properly configured and encrypted VPN -

Let Me Save You A Future Headache
Complete These Steps 1 - 7  Detailed Below
Before Proceeding With LAN Interface For GETDNS
and STUBBY Plus UNBOUND Tutorial

I compared my OpenWRT /etc/resolv.conf file to
my OPNsense and pfSense Firewalls' /etc/resolv.conf files before and
after
configuring LAN Interface For GETDNS and STUBBY Plus UNBOUND
on these three Routers - See Results Below :

# Note**
# domain secureone.duckdns.org # Domain Used Throughout This Guide
# Is Strictly For Illustrative Purposes and Comes From My
# OpenWRT DuckDNS LET’S ENCRYPT CERTIFICATES MADE SIMPLE Tutorial 

My OPNsense Firewall

Before Results Below :
# cat /etc/resolv.conf
domain secureone.duckdns.org
nameserver 127.0.0.1
nameserver 127.0.0.1

After Results Below :
~ # cat /etc/resolv.conf
domain secureone.duckdns.org
nameserver 192.168.7.11

My pfSense Firewall

Before Results Below :
cat /etc/resolv.conf
nameserver 127.0.0.1
search secureone.duckdns.org

After Results Below :
cat /etc/resolv.conf
nameserver 192.168.7.11
search secureone.duckdns.org

OpenWRT

Before Results Below :
cat /etc/resolv.conf
nameserver 127.0.0.1
search secureone.duckdns.org.

After Results Below - 127.0.0.1 Still 
Present and Now Controlled By UNBOUND :

# cat /etc/resolv.conf
# /tmp/resolv.conf generated by Unbound UCI 2020-02-18T10:38:51-0500
nameserver 127.0.0.1
nameserver ::1
search secureone.duckdns.org.

As you see 127.0.0.1 was still being used as resolver in /etc/resolv.conf -
OPNsense and pfSense have a box to check so 127.0.0.1 is disabled 
and not used as resolver on the router.
I wanted my OpenWRT /etc/resolv.conf file to mirror the same /etc/resolv.conf 
contents as on my OPNsense and pfSense Firewalls. Here is how I achieved that
end on OpenWRT Router ( follow directions below ) : 

Source Documents : 
https://unix.stackexchange.com/questions/421977/how-to-set-chattr-i-for-my-etc-resolv-conf
and https://www.ostechnix.com/prevent-files-folders-accidental-deletion-modification-linux/

1 - opkg update ; opkg install chattr lsattr
2 - rm /etc/resolv.conf ( remove the symlink )
3 - touch /etc/resolv.conf ( create the new file )
4 - nano /etc/resolv.conf ( populate it with lan and search data )
5 - enter as below for this example :

nameserver 192.168.7.11
search secureone.duckdns.org

Save and Exit
6 - chattr +i /etc/resolv.conf ( make new /etc/resolv.conf immutable / undeletable )
7 - reboot & exit

Source Document : https://www.tecmint.com/make-file-directory-undeletable-immutable-in-linux/
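The same steps 1 - 7 as a script, with an audit of the result. This is an added example, not code from the original post: it writes the one-resolver file, locks it with chattr through subprocess (the chattr / lsattr package from step 1 is still required on the router), and checks that no loopback resolver is left, which is the before / after difference shown above. The function names, LAN_IP and SEARCH are this example's own; the values are the guide's illustrative ones.

```python
"""Added example, not part of the original post: steps 1-7 above as a script
plus an audit of the resulting /etc/resolv.conf. Standard-library Python;
chattr/lsattr are invoked via subprocess (opkg install chattr lsattr).
LAN_IP and SEARCH are the illustrative values used throughout the guide."""
import os
import subprocess

LAN_IP = "192.168.7.11"
SEARCH = "secureone.duckdns.org"
LOOPBACK = ("127.", "::1", "0.0.0.0")

def render_resolv_conf(lan_ip, search):
    """The content steps 4-5 type in by hand: one LAN resolver, one search domain."""
    return "nameserver %s\nsearch %s\n" % (lan_ip, search)

def audit_text(text, lan_ip):
    """Findings for a resolv.conf body. The goal of the guide is exactly one
    nameserver, equal to the LAN address, and no loopback resolver that would
    let the router resolve via Unbound's root hints on its own."""
    findings = []
    servers = [line.split()[1] for line in text.splitlines()
               if line.startswith("nameserver") and len(line.split()) > 1]
    for s in servers:
        if s.startswith(LOOPBACK):
            findings.append("loopback resolver %s still present" % s)
    if lan_ip not in servers:
        findings.append("LAN resolver %s missing" % lan_ip)
    if len(servers) != 1:
        findings.append("expected exactly one nameserver, found %d" % len(servers))
    return findings

def is_immutable(path):
    """True when lsattr reports the 'i' flag, i.e. step 6 has been applied."""
    try:
        out = subprocess.run(["lsattr", path], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return False
    return "i" in out.split()[0]

def install_resolv_conf(path, lan_ip=LAN_IP, search=SEARCH, lock=True):
    """Steps 2-6: replace the symlink with a plain file and lock it.
    Returns the audit findings; an empty list means the file is as intended."""
    if is_immutable(path):
        subprocess.run(["chattr", "-i", path], check=True)  # unlock before touching it
    if os.path.lexists(path):
        os.remove(path)                                     # step 2: drop the symlink
    with open(path, "w") as fh:                             # steps 3-5
        fh.write(render_resolv_conf(lan_ip, search))
    if lock:
        subprocess.run(["chattr", "+i", path], check=True)  # step 6
    with open(path) as fh:
        return audit_text(fh.read(), lan_ip)

def audit_resolv_conf(path, lan_ip=LAN_IP):
    """Audit a live file: content checks plus whether it is still locked."""
    with open(path) as fh:
        findings = audit_text(fh.read(), lan_ip)
    if not is_immutable(path):
        findings.append("%s is not immutable (chattr +i not set)" % path)
    return findings

if __name__ == "__main__":
    # On the router (as root): install_resolv_conf("/etc/resolv.conf")
    print(audit_resolv_conf("/etc/resolv.conf") or "resolv.conf is pinned to the LAN resolver")
```

Remember that the same unlock applies before a factory reset: `chattr -i /etc/resolv.conf` first, exactly as the "Take Special Attention" note below says.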

After Taking Above Steps 1-7 
Results Are Detailed Below :

# cat /etc/resolv.conf
nameserver 192.168.7.11
search secureone.duckdns.org

This is what I wanted - the elimination of localhost ( 127.0.0.1 )
being used as a resolver
for my OpenWRT Router's /etc/resolv.conf file.

Most importantly, your OpenWRT /etc/resolv.conf
file ( with LAN setting ) will persist and remain unchanged 
after setting up your LAN Interface For GETDNS and 
STUBBY Plus UNBOUND as detailed in this guide.

I undertook Steps 1 - 7  above to ensure that  Root Hints will not be used  
at all by OpenWRT Router. After all, that is the ultimate goal of this project.

Take Special Attention ( Unlock /etc/resolv.conf to reset Router ) :
In order to reset your OpenWRT Router to default settings for any reason -
you MUST ! first issue this command # chattr -i /etc/resolv.conf
After doing so - you may now reset your router using your regular method

Back To Setting Up DNS Over TLS On OpenWRT :
Here is a basic guide as to how to do it -
https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/
However a few modifications are needed -  see below and follow along :

As always - opkg update
first and foremost
Prerequisite
You have a ca cert bundle installed on your router.
You can do this by running the following

opkg install ca-certificates

1 - opkg update ; opkg install unbound-daemon-heavy unbound-control unbound-control-setup luci-app-unbound unbound-anchor unbound-host unbound-checkconf odhcpd
2 - opkg update ; opkg install stubby getdns

3- My WORKING CONFIGS /etc/unbound/unbound_srv.conf
( Adjust For Your Router - I Run WRT1900ACS and 
WRT3200ACM So I Have Plenty Of Ram, Storage and 2 CPU's )
You should " Optimize Unbound " - especially increase size
of cache among other things see guide here and adjust for 
your router's memory , number of cores and so on-
see here: https://nlnetlabs.nl/documentation/unbound/howto-optimise/

## Note : do-not-query-localhost: no 
## this entry is necessarily removed 
## from this UNBOUND configuration below
## Disabling DNS Queries From Localhost ( 127.0.0.1 )

cat >> /etc/unbound/unbound_srv.conf <<UNBOUND_SERVER_CONF
server:
tls-cert-bundle: "/var/lib/unbound/ca-certificates.crt"
# use all CPUs
num-threads: 2

# power of 2 close to num-threads
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

# more cache memory, rrset=msg*2
rrset-cache-size: 200m
msg-cache-size: 100m

# more outgoing connections
# depends on number of cores: 1024/cores - 50
outgoing-range: 8192

# Larger socket buffer.  OS may need config.
so-rcvbuf: 4m
so-sndbuf: 4m

interface: 192.168.7.11 # Put Your One Main LAN Address Here
outgoing-interface: 192.168.7.11 # Likewise Put Your One Main LAN Address Here
cache-min-ttl: 3600
cache-max-ttl: 86400
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
harden-glue: yes
harden-dnssec-stripped: yes
infra-cache-numhosts: 100000
num-queries-per-thread: 4096
max-udp-size: 3072
minimal-responses: yes
rrset-roundrobin: yes
use-caps-for-id: no
do-ip6: no
do-ip4: yes
do-tcp: yes
do-udp: yes
prefetch: yes
prefetch-key: yes
qname-minimisation: yes
qname-minimisation-strict: yes
harden-below-nxdomain: yes
aggressive-nsec: yes
so-reuseport: yes
unwanted-reply-threshold: 10000000
interface-automatic: yes
verbosity: 1
private-domain: "secureone.duckdns.org" # Used For Illustrative Purposes ( See **Note Above )
harden-referral-path: yes
target-fetch-policy: "0 0 0 0 0"
val-clean-additional: yes
ip-ratelimit: 300
ip-ratelimit-factor: 10
incoming-num-tcp: 100
edns-buffer-size: 4096
UNBOUND_SERVER_CONF

As per guide : # Don't let each server know the next recursion
Enter via SSH command line :
uci set 'unbound.@unbound[0].query_minimize=1'
uci commit

I choose to use the /etc/stubby/stubby.yml file to configure STUBBY. I prefer configuring Stubby with the /etc/stubby/stubby.yml file instead of the now default UCI system file /etc/config/stubby for several reasons. I found that I have more control over the security options which DNS OVER TLS is intended to provide - like padding, the 853 or 443 port and so on. So in order to use the /etc/stubby/stubby.yml file, you must change a default setting in the /etc/config/stubby file to allow manual configuration. To keep this simple - go into the default UCI STUBBY file, which is /etc/config/stubby, by entering nano /etc/config/stubby and then set option manual '1' - if you leave it at the default setting of option manual '0' you will not be able to use the /etc/stubby/stubby.yml file to configure STUBBY as before. So, after changing to option manual '1' in the /etc/config/stubby file - configure /etc/stubby/stubby.yml as follows - enter nano /etc/stubby/stubby.yml :

4 - VERY IMPORTANT UPDATE:
After checking, rechecking and then triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line is that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol . See here for information on the importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/
I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is:

# All DNS Privacy Servers Below Tested and Updated On April 1 2020 With A+ Rating - 
# 100%  Perfecto Configuration on website: https://www.immuniweb.com/ssl/?id=Su8SeUQ4n
# These servers support the most recent and secure TLS protocol version of TLS 1.3 **
# Good configuration - These server configurations support only TLSv1.2 and TLSv1.3 protocols - current most secure encryption.
# Also I have added the Country Locations of These DNS PRIVACY Servers using the Alpha 3 Code Format
# see country code lists here :

# https://www.nationsonline.org/oneworld/country_code_list.htm or https://www.iban.com/country-codes
# Use as many or as few depending on your specific needs

# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 9000
listen_addresses:
  - 192.168.7.11@5453 # Put Your One Main LAN Address Here
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
tls_ca_path: "/etc/ssl/certs/"
upstream_recursive_servers:
### IPV4 Servers ###
### DNS Privacy DOT Test Servers ###
## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## 2 - The Surfnet/Sinodun DNS TLS Server #3  A+ ( NLD )
  - address_data: 145.100.185.18
    tls_port: 853
    tls_auth_name: "dnsovertls3.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
## 3 - The dns.cmrg.net DNS TLS Server  A+ ( CAN )
  - address_data: 199.58.81.218
    tls_auth_name: "dns.cmrg.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
## 4 - The BlahDNS Japan DNS TLS Server  A+ ( JPN )
  - address_data: 45.32.55.94
    tls_auth_name: "dot-jp.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: oo7UO3PO7GhSEuOahGQRPpAcvdFUC7ZRDH3YpoGio4I=
## 5 - The BlahDNS German DNS TLS Server  A+ ( USA Hosted In DEU )
  - address_data: 159.69.198.101
    tls_auth_name: "dot-de.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: YZeyeJf/suAR2fMHLc9RDPkcQi/e8EEnzk5Y1N90QQE=
## 6 - The BlahDNS Finland DNS TLS Server  A+ ( FIN )
  - address_data: 95.216.212.177
    tls_auth_name: "dot-fi.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc=
## 7 - The dns.neutopia.org  DNS TLS Server  A+ ( FRA )
  - address_data: 89.234.186.112
    tls_auth_name: "dns.neutopia.org"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## 8 - The Foundation for Applied Privacy DNS TLS Server #1  A+ ( AUT )
  - address_data: 94.130.106.88
    tls_auth_name: "dot1.applied-privacy.net"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 2x9bg3D2uUv/aR3P22pDS2OGyKRXxDQFY+EjY3u2o+w=
## 9 - The Foundation for Applied Privacy DNS TLS Server #2  A+ ( AUT )
  - address_data: 93.177.65.183
    tls_auth_name: "dot1.applied-privacy.net"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: +qcX6xelJzGg5+0jn1j05vrssAueYej9XrnhL9+NKXo=
## 10 - The Secure DNS Project by PumpleX DNS TLS Server #1  A+ ( GBR )
  - address_data: 51.38.83.141
    tls_auth_name: "dns.oszx.co"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: TSy1ZYYNACIkGRWFAH0IoPJI4HHksmpST4ckZCb7MRY=
## 11 - The SecureDNS DNS TLS Server A+ ( NLD )
  - address_data: 146.185.167.43
    tls_auth_name: "ads-dot.securedns.eu"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
## 12 - The Rubyfish Internet Tech DNS TLS Server A+ ( CHN )
  - address_data: 115.159.131.230
    tls_auth_name: "dns.rubyfish.cn"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: DBDigty3zDS7TN/zbQOmnjZ0qW+qbRVzlsDKSsTwSxo=
## 13 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) 
  - address_data: 80.67.188.188
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## This certificate is currently expired which 
## does not pose any concerns in SPKI mode 
## (in practice with Stubby)
## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/
## 14 - The DNSPRIVACY.at TLS Server #1  A+ ( DEU )
  - address_data: 94.130.110.185 
    tls_auth_name: "ns1.dnsprivacy.at"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: xctlty6R/YkqPxauSkA7cEBhbt1HwGhhpEEYMkiYOQE=
## 15 - The DNSPRIVACY.at TLS Server #2  A+ ( DEU )
  - address_data: 94.130.110.178 
    tls_auth_name: "ns2.dnsprivacy.at"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 68MH4G5hipbK1xYATBFgA+/DNLDd333oXr22QyB/RRo=
## 16 - The ibksturm.synology.me DNS TLS Server  A+ ( CHE )
  - address_data: 83.77.85.7
    tls_auth_name: "ibksturm.synology.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: q9Y8ZwuY/wceu7raJGZwnN5z6MrjAKGbzpWSgH9cI5s= 
## 17 - The dns.flatuslifir.is DNS TLS Server  A+ ( ISL )
  - address_data: 46.239.223.80 
    tls_auth_name: "dns.flatuslifir.is"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: r3RmOoDlDavbinPSwyWNnz0qYsfx4gaIGYfORLPNQOs=
### Publicly Available DOT Test Servers ###
## 18 - The ContainerPI.com - CPI DNS TLS Server  A+ ( JPN )
  - address_data: 45.77.180.10
    tls_auth_name: "dns.containerpi.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: xz8kGlumwEGkPwJ3QV/XlHRKCVNo2Fae8bM5YqlyvFs=
## 19 - The FEROZ SALAM DNS TLS Server  A+ ( GBR )
  - address_data: 46.101.66.244
    tls_auth_name: "doh.li"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 4yTZwSW8TkOrgC2m4+Iv7KQZF0idX5Ga9Jjwhqz0SmI=
## 20 - The Andrews & Arnold DNS TLS Server #1  A+ ( GBR )
  - address_data: 217.169.20.23
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: QU5xobzrRJeiNVUXh0bpUO42Xwj1HQgZo/uA3Uztfhc=
## 21 - The Andrews & Arnold DNS TLS Server #2  A+ ( GBR )
  - address_data: 217.169.20.22
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: SbMmQBuIp1HNX9FCCXuzHT0Nq4qnfwdwwH9i1/FYwT8=
## 22 - The dns.seby.io - Vultr DNS TLS Server  A+ ( AUS )
  - address_data: 45.76.113.31
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM=           
## 23 - The dns.seby.io - OVH DNS TLS Server  A+ ( AUS )
  - address_data: 139.99.222.72
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw=
## 24 - The Digitale Gesellschaft DNS TLS Server #1  A+ ( CHE )
  - address_data: 185.95.218.43
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 2eJJ5MfiACVAn+gi9V8RB04KqLuRh3LZE7dNZZ1MoX0=
## 25 - The Digitale Gesellschaft DNS TLS Server #2  A+ ( CHE )
  - address_data: 185.95.218.42
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: i5wCQs+XOuvCkeUUzUISl79hfyQYCPvookY9+cBY8mE=
## 26 - The Antoine Aflalo DNS TLS Server #1  A+ ( USA )
  - address_data: 168.235.81.167
    tls_auth_name: "dns-nyc.aaflalo.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: hI/OsKOCPSEM9JYk3YjNNbbXCVvKAeHqbbasEP08hNE=
## 27 - The Antoine Aflalo DNS TLS Server #2  A+ ( NLD )
  - address_data: 176.56.236.175
    tls_auth_name: "dns.aaflalo.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cgtNzBzfLuhQ2DrFMoi55U1W+44KLJ2pU/UkqxS06Z8=
## 28 - The Privacy-First DNS TLS Server #1  A+ ( JPN )
  - address_data: 172.104.93.80
    tls_auth_name: "jp.tiar.app"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5mweIYRkQwvITwGFbt+/zhcHFBdKjSwX4Vahut8nYgE=
## 29 - The Privacy-First DNS TLS Server #2  A+ ( SGP Hosted In USA )
  - address_data: 174.138.29.175
    tls_auth_name: "dot.tiar.app"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 2YRX8uxQBwmduoGohhLaYWPQevVEV9EgZTCTsXOqT24=
## 30 - The ibuki.cgnat.net DNS TLS Server  A+ ( USA )
  - address_data: 35.198.2.76
    tls_auth_name: "ibuki.cgnat.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: OcRaI3p/xMjnj5+LlSpXP1aCnEgtRs5g38QQi7PbIO8=
## 31 - The PI-DNS.COM West USA DNS TLS Server A+ ( USA )
  - address_data: 45.67.219.208
    tls_auth_name: "dot.westus.pi-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: M+nrb/hd9eMJuPWeFht/k1dc1/jVc5BBfh+CYCliAJ4=
## 32 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA )
  - address_data: 185.213.26.187
    tls_auth_name: "dot.eastus.pi-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: zxgnoyq2tM5LwFUFTmXFp8iHKen7hf0KcIHbRtanQAs=
## 33 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU )
  - address_data: 88.198.91.187
    tls_auth_name: "dot.centraleu.pi-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Y0SQDuhfYthhzLnCOxREWsxqFoCzOTvWlUdpi0wr25Y=
## 34 - The PI-DNS.COM North Europe DNS TLS Server A+ ( FIN )
  - address_data: 95.216.181.228
    tls_auth_name: "dot.northeu.pi-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: TFadmV6S2C1WerCF+NY+/cHBjDS2iWRHZpT7JqktSpk=
## 35 - The Snopyta DNS TLS Server A+ ( FIN )
  - address_data: 95.216.24.230
    tls_auth_name: "fi.dot.dns.snopyta.org"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 4N75mKYSJ0hU7b2Ptmp2splcB4LAQHQqvWXPdJN7YtQ=
## 36 - The NixNet Uncensored Las Vegas DNS TLS Server A+ ( USA )    
## - or use ( tls_auth_name: "adblock.lv1.dns.nixnet.xyz" )
  - address_data: 209.141.34.95
    tls_auth_name: "uncensored.lv1.dns.nixnet.xyz"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Wd/+3VJW7Xu904nJC35EBocuVs9XQNAnIOPoda848NQ=
## 37 - The NixNet Uncensored New York DNS TLS Server A+ ( USA )
## - or use ( tls_auth_name: "adblock.ny1.dns.nixnet.xyz" )
  - address_data: 199.195.251.84
    tls_auth_name: "uncensored.ny1.dns.nixnet.xyz"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Zfbl1gzu2ziQ/rBw+zxBGsuoguapUfhEkQm7s8GwRiI=
## 38 - The NixNet Uncensored Luxembourg DNS TLS Server A+ ( LUX )
## - or use ( tls_auth_name: "adblock.lux1.dns.nixnet.xyz" )
  - address_data: 104.244.78.231
    tls_auth_name: "uncensored.lux1.dns.nixnet.xyz"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: fumOUAwTnToMZ4SBt1zmzZthDDwGAr25qr1b0Lgvuuo=
## 39 - The Lelux.fi DNS TLS Server  A+ ( FRA Hosted In GBR )
  - address_data: 51.158.147.50
    tls_auth_name: "resolver-eu.lelux.fi"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /Gv53+cvMW9zvbIbw4bg0WSvKAnsUxCYsvUp1TaOSb0=
## 40 - The Lightning Wire Labs DNS TLS Server  A+ ( DEU )
  - address_data: 81.3.27.54 
    tls_auth_name: "recursor01.dns.lightningwirelabs.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: pRkLbNTOGLXo3d2RtPmM8hIGB/zySnZCxaDLNlvg0rI=
## 41 - The Hostux DNS TLS Server  A+ ( LUX )
  - address_data: 185.26.126.37 
    tls_auth_name: "dns.hostux.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: P0gaP31TQQzAIN3DomM5vXS3+8oCgYcTA/ZJ09Jw4QE=
## 42 - The dnsforge.de DNS TLS Server #1  A+ ( DEU )
  - address_data: 176.9.1.117 
    tls_auth_name: "dnsforge.de"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
### Anycast Publicly Available DOT Test Servers ###
## 43 - The NixNet Uncensored Anycast DNS TLS Server A+ ( Anycast )
  - address_data: 198.251.90.114
    tls_auth_name: "uncensored.any.dns.nixnet.xyz"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug=
## 44 - The NixNet Adblock Anycast DNS TLS Server A+ ( Anycast )
  - address_data: 198.251.90.89
    tls_auth_name: "adblock.any.dns.nixnet.xyz"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug=
## 45 - The DNSlify DNS TLS Servers  A+ ( Anycast )
  - address_data: 185.235.81.1
    tls_auth_name: "doh.dnslify.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM=
  - address_data: 185.235.81.2
    tls_auth_name: "doh.dnslify.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM=
### DNS Privacy Anycast DOT Public Resolvers ###
## 46 - The DNS.SB DNS TLS Servers  A+ ( Anycast )
  - address_data: 185.222.222.222
    tls_auth_name: "dns.sb"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
  - address_data: 185.184.222.222
    tls_auth_name: "dns.sb"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
## 47 - The Quad9 'secure' service - Filters, does DNSSEC, doesn't send ECS
## ( NOTE: recommend reducing idle_timeout to 9000 if using Quad9 )
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=

# Set the acceptable ciphers for DNS over TLS.  With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
# tls_ciphersuites option. This option can also be given per upstream.
# tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_min_version: GETDNS_TLS1_3
# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
# tls_max_version: GETDNS_TLS1_3
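Every upstream above is authenticated either by name or by an SPKI pin, and a typo in a pin value or port silently costs you that authentication. The following is an added example, not code from the original post or from the Stubby / getdns project: a standard-library script that reads the `upstream_recursive_servers` entries in the format used above, flags entries that cannot be authenticated under `GETDNS_AUTHENTICATION_REQUIRED`, and computes the `tls_pubkey_pinset` value from a certificate, so a pin copied from a list can be checked against the certificate a server actually presents. `SAMPLE` copies entries 1 and 13 from the file above and adds one constructed bad entry on the documentation address 192.0.2.10; the function names are this example's own.

```python
"""Added example, not part of the original post or of the Stubby project:
sanity-check upstream_recursive_servers entries from a stubby.yml and compute
the SPKI pin that tls_pubkey_pinset compares against. Standard library only;
the parser handles just the key/value subset the stubby.yml above uses.
SAMPLE copies entries 1 and 13 from the guide plus one constructed bad entry
(192.0.2.10, a documentation address) so the checks have something to flag."""
import base64
import hashlib
import re

SAMPLE = """\
## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## 13 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) - pin only
  - address_data: 80.67.188.188
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## constructed bad entry: odd port, one pin not base64, one pin too short
  - address_data: 192.0.2.10
    tls_auth_name: "dot.example.invalid"
    tls_port: 8853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: notbase64!!
      - digest: "sha256"
        value: AAAA
"""

_PATTERNS = {  # matched in this order, first hit wins
    "address": re.compile(r"^\s*-\s*address_data:\s*(\S+)"),
    "auth_name": re.compile(r"^\s*tls_auth_name:\s*\"?([^\"\s]+)"),
    "port": re.compile(r"^\s*tls_port:\s*(\d+)"),
    "pin": re.compile(r"^\s*value:\s*(\S+)"),
}

def parse_upstreams(text):
    """One dict per upstream: address, auth_name, port, pins (sha256 base64 values)."""
    servers, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # comments carry no values in this file
        for field, pat in _PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            if field == "address":
                cur = {"address": m.group(1), "auth_name": None, "port": None, "pins": []}
                servers.append(cur)
            elif cur is not None and field == "auth_name":
                cur["auth_name"] = m.group(1)
            elif cur is not None and field == "port":
                cur["port"] = int(m.group(1))
            elif cur is not None:
                cur["pins"].append(m.group(1))
            break
    return servers

def lint_upstream(server):
    """Problems that would make stubby reject, or silently weaken, this upstream
    under tls_authentication: GETDNS_AUTHENTICATION_REQUIRED."""
    problems = []
    if server["port"] not in (853, 443):
        problems.append("tls_port %r is neither 853 (DoT) nor 443" % (server["port"],))
    if not server["auth_name"] and not server["pins"]:
        problems.append("neither tls_auth_name nor a pinset: nothing to authenticate")
    for value in server["pins"]:
        try:
            raw = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            problems.append("pin %r is not valid base64" % (value,))
            continue
        if len(raw) != 32:
            problems.append("pin %r decodes to %d bytes, sha256 needs 32" % (value, len(raw)))
    return problems

def der(tag, content):
    """Minimal DER TLV encoder (short-form lengths only), used to build a test certificate."""
    return bytes([tag, len(content)]) + content

def _tlv(buf, pos):
    """Decode the TLV at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_pin(spki_der):
    """base64(sha256(SubjectPublicKeyInfo DER)): the tls_pubkey_pinset value format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin_from_cert(cert_der):
    """Pin the SubjectPublicKeyInfo of an X.509 DER certificate; same result as
    openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64"""
    _, tbs_pos, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, pos, tbs_end = _tlv(cert_der, tbs_pos)  # TBSCertificate ::= SEQUENCE { ... }
    fields = []
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:end]))  # whole TLV: the pin covers tag and length too
        pos = end
    # version is OPTIONAL [0] EXPLICIT; when present it pushes SPKI from index 5 to 6
    return spki_pin(fields[6 if fields[0][0] == 0xA0 else 5][1])
```

To compare a listed pin with a live server, feed `spki_pin_from_cert` the DER certificate from `ssl.SSLSocket.getpeercert(binary_form=True)` (or from `openssl s_client` output) and check it matches the `value` in the entry; a pin-only entry such as number 13 above is accepted by `lint_upstream` because Stubby authenticates it by the pin alone, which is why its expired certificate does not matter.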

In order for the TLSv1.3 protocol to work properly ( read : at all ) in your Stubby
instance, OpenWrt must have OpenSSL 1.1.1 active and configured in the kernel.
No OpenWrt 18.06 build offers OpenSSL 1.1.1 in any shape, form or fashion. OpenWrt 19.07.0 Release
Candidates and Snapshots do provide OpenSSL 1.1.1 support.
Once you have OpenSSL 1.1.1 with TLSv1.3 simply follow
the guide above in order to set Stubby to implement TLS1.3.
The operative lines necessary are these two specifically
found at the bottom of the stubby.yml file above:

tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
tls_min_version: GETDNS_TLS1_3

See below for TLS1.3 Support Check SSH Commands -

openssl s_client 168.235.81.167:853

OR :

openssl s_client 159.69.198.101:443

Read Out Will Be Verified By These Lines Below:

Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256

OR :

Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384

Depending on Configuration on Tested DOT Server
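The `openssl s_client` check above confirms the protocol version by eye; the script below does the same check programmatically and also shows what `tls_query_padding_blocksize: 128` actually puts on the wire. It is an added example, not code from the original post or from the getdns project: it builds an A query with an EDNS(0) Padding option (RFC 7830) rounding the message to a 128-byte multiple (the RFC 8467 recommendation for queries), parses its own query back to verify the padding, and can send it to a DoT upstream with TLS 1.3 enforced, the system CA bundle used for validation and the certificate name checked against the `tls_auth_name`. The function names are this example's own; the upstream used in `__main__` is entry 26 of the stubby.yml above, the same one the s_client check uses.

```python
"""Added example, not part of the original post or of the getdns project:
build a DNS query padded the way Stubby pads it (tls_query_padding_blocksize: 128)
and send it over TLS 1.3 with certificate and name verification, the property the
openssl s_client readout above checks by eye. Standard library only; the upstream
in __main__ is entry 26 of the stubby.yml above (also used in the s_client check)."""
import socket
import ssl
import struct

PAD_OPTION = 12  # EDNS(0) Padding option code, RFC 7830
OPT_RR = 41
QTYPE_A = 1

def encode_name(name):
    """Wire-format name: length-prefixed labels ending with the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_padded_query(qname, txid=0x1234, block=128):
    """A-record query whose EDNS Padding option rounds the message up to a
    multiple of `block` bytes (RFC 8467's recommendation for queries), so the
    TLS record length no longer reveals how long the queried name is."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    opt_head = b"\x00" + struct.pack("!HHI", OPT_RR, 4096, 0)  # root owner, OPT, UDP size, ext-flags/TTL
    base_len = len(header) + len(question) + len(opt_head) + 2 + 4  # + RDLENGTH + option header
    pad_len = (-base_len) % block
    rdata = struct.pack("!HH", PAD_OPTION, pad_len) + b"\x00" * pad_len
    return header + question + opt_head + struct.pack("!H", len(rdata)) + rdata

def frame_for_tcp(msg):
    """DNS over TCP and over TLS prefix each message with its 2-byte length (RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg

def padding_length(msg):
    """Walk a query and return its Padding option length, or None if absent.
    Only QD and AR sections are walked: a query carries no answer/authority records."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos = 12
    for _ in range(qdcount):
        while msg[pos]:
            pos += msg[pos] + 1
        pos += 5  # root label + QTYPE + QCLASS
    for _ in range(arcount):
        if msg[pos] != 0:
            return None  # an OPT RR must be owned by the root name
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        pos += 11
        end = pos + rdlen
        if rtype == OPT_RR:
            while pos < end:
                code, olen = struct.unpack("!HH", msg[pos:pos + 4])
                if code == PAD_OPTION:
                    return olen
                pos += 4 + olen
        pos = end
    return None

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection mid-message")
        buf += chunk
    return buf

def query_over_dot(msg, host_ip, auth_name, port=853, timeout=5.0):
    """Send one framed query to a DoT upstream with the guarantees this guide
    asks of Stubby: TLS 1.3 minimum, chain validated against the system CA
    bundle, certificate name matched against auth_name (the tls_auth_name).
    Returns (tls_version, cipher_name, raw_response)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    with socket.create_connection((host_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_for_tcp(msg))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return tls.version(), tls.cipher()[0], _recv_exact(tls, length)

if __name__ == "__main__":
    q = build_padded_query("www.example.com")
    print("query bytes:", len(q), "padding:", padding_length(q))
    # entry 26 from the stubby.yml above; needs network access and the CA bundle
    version, cipher, resp = query_over_dot(q, "168.235.81.167", "dns-nyc.aaflalo.me")
    print(version, cipher, "response bytes:", len(resp), "rcode:", resp[3] & 0x0F)
```

If the upstream only offers TLS 1.2 the `wrap_socket` call fails the handshake instead of quietly downgrading, which is the same outcome `tls_min_version: GETDNS_TLS1_3` produces in Stubby; a successful run prints `TLSv1.3` and one of the ciphersuites listed under `tls_ciphersuites` above.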

I also strongly encourage you to subscribe to blockerDNS found here : https://blockerdns.com/
This new DOH / DNS OVER TLS provider is the fastest I have run across. blockerDNS is run by 
Tambe Barsbay a seasoned, thorough and extremely proficient tech practitioner. 
blockerDNS is based in the U.S. and its infrastructure is hosted on Google Cloud Platform 
and DigitalOcean.
You can view blockerDNS subscription options here : https://blockerdns.com/tryit
Most significantly, Tambe stands by his claim that he offers " Instant support by phone or email ". 
Overall blockerDNS is a great DNSPRIVACY DNS Service. Tip : The Mobile $0.99 per month option should
suffice for most home users. Links : https://tambeb.com/ https://blockerdns.com/blog
https://blockerdns.com/support https://blockerdns.com/overview

5 -  MY WORKING CONFIG /etc/unbound/unbound_ext.conf

( Simply Copy and Paste Into Your SSH Session and Hit Enter )

cat >> /etc/unbound/unbound_ext.conf <<UNBOUND_FORWARD_CONF
forward-zone:
name: "." # Allow all DNS queries
forward-addr: 192.168.7.11@5453 # Forward Unbound To Stubby Address/Port
UNBOUND_FORWARD_CONF
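The two Unbound files above (the `unbound_srv.conf` server clause from step 3 and this `unbound_ext.conf` forward zone) together decide whether the router ever falls back to its root hints or to 127.0.0.1. The script below is an added example, not code from the original post or from Unbound: it parses Unbound's `clause:` / `key: value` syntax as written in the two heredocs and checks the invariants this guide relies on (listen and outgoing interface both equal to the one LAN address, root zone forwarded to Stubby on LAN@5453, `do-not-query-localhost` left at its default, the hardening and qname-minimisation options on). `GOOD_SRV` and `GOOD_EXT` are trimmed copies of the configs above; `BAD_SRV` and `BAD_EXT` are constructed counterexamples; the function names are this example's own.

```python
"""Added example, not part of the original post or of Unbound: parse the
unbound_srv.conf server clause and the unbound_ext.conf forward-zone above and
check the invariants this guide relies on: Unbound listens and sends only on the
LAN address, forwards the root zone to Stubby at LAN@5453 instead of consulting
the root hints, and does not talk to 127.0.0.1. Standard-library Python; GOOD_*
are trimmed copies of the guide's configs, BAD_* are constructed counterexamples."""

GOOD_SRV = """\
server:
tls-cert-bundle: "/var/lib/unbound/ca-certificates.crt"
interface: 192.168.7.11 # Put Your One Main LAN Address Here
outgoing-interface: 192.168.7.11 # Likewise Put Your One Main LAN Address Here
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-dnssec-stripped: yes
qname-minimisation: yes
qname-minimisation-strict: yes
private-domain: "secureone.duckdns.org"
"""
GOOD_EXT = """\
forward-zone:
name: "." # Allow all DNS queries
forward-addr: 192.168.7.11@5453 # Forward Unbound To Stubby Address/Port
"""
BAD_SRV = """\
server:
interface: 127.0.0.1
outgoing-interface: 192.168.7.11
do-not-query-localhost: no
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-dnssec-stripped: yes
qname-minimisation: no
"""
BAD_EXT = """\
forward-zone:
name: "."
forward-addr: 127.0.0.1@5453
"""

def parse_unbound(text):
    """Unbound's 'clause:' / 'key: value' syntax -> [(clause, {key: [values]})].
    A bare 'name:' starts a new clause; repeated keys (interface, forward-addr)
    are kept as lists; '#' comments are dropped."""
    blocks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:
            blocks.append((key, {}))
        elif blocks:
            blocks[-1][1].setdefault(key, []).append(value)
    return blocks

def check_unbound(srv_text, ext_text, lan_ip, stubby_port=5453):
    """Findings (empty list = OK) for the localhost-free setup this guide wants."""
    findings = []
    server = {}
    for name, kv in parse_unbound(srv_text):
        if name == "server":
            for key, values in kv.items():
                server.setdefault(key, []).extend(values)
    for key in ("interface", "outgoing-interface"):
        if not server.get(key):
            findings.append("%s not set: Unbound would use every address, not only the LAN one" % key)
        for v in server.get(key, []):
            if v != lan_ip:
                findings.append("%s %s is not the LAN address %s" % (key, v, lan_ip))
    if server.get("do-not-query-localhost", ["yes"])[-1] == "no":
        findings.append("do-not-query-localhost: no lets Unbound forward to 127.0.0.1; leave it at the default (yes)")
    for key in ("hide-identity", "hide-version", "harden-glue", "harden-dnssec-stripped", "qname-minimisation"):
        if server.get(key, ["no"])[-1] != "yes":
            findings.append("%s should be yes" % key)
    root = [kv for name, kv in parse_unbound(ext_text)
            if name == "forward-zone" and kv.get("name", [""])[-1] == "."]
    if not root:
        findings.append('no forward-zone for ".": Unbound would resolve from the root hints itself')
    want = "%s@%d" % (lan_ip, stubby_port)
    for kv in root:
        for addr in kv.get("forward-addr", []):
            if addr != want:
                findings.append("forward-addr %s should point at Stubby on %s" % (addr, want))
    return findings

if __name__ == "__main__":
    print("guide config:", check_unbound(GOOD_SRV, GOOD_EXT, "192.168.7.11") or "OK")
    for finding in check_unbound(BAD_SRV, BAD_EXT, "192.168.7.11"):
        print("bad config:", finding)
```

On the router the same functions can be pointed at the real files (`open("/etc/unbound/unbound_srv.conf").read()` and the `_ext` file) after `unbound-checkconf` has accepted them; `unbound-checkconf` only validates syntax, it does not know that 127.0.0.1 is the address you are trying to keep out.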

6 - # Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
# Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
uci set 'dhcp.@dnsmasq[0].port=53535'

# Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
# since it does not do this by default when port is configured.
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"

uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'

# Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)
uci commit && reload_config

# Restart (or start) unbound (System -> Startup -> unbound -> Restart)
/etc/init.d/unbound restart


7 - uci add_list dhcp.@dnsmasq[-1].server='192.168.7.11#5453' # Put Your One Main LAN Address Here
    uci set dhcp.@dnsmasq[-1].noresolv=1
    uci commit && reload_config

A - Via UCI (Unified Configuration Interface) - in shell
uci set dhcp.@dnsmasq[0].cachesize=8192
uci set dhcp.@dnsmasq[0].dnsforwardmax=250
uci set dhcp.@dnsmasq[0].rebind_protection=1
uci set dhcp.@dnsmasq[0].ednspacket_max=4096
uci commit dhcp && reload_config

8 - nano /etc/config/network 

uci set network.wan.peerdns='0'
uci set network.wan.dns='192.168.7.11'
uci commit && reload_config

9 - nano /etc/config/unbound  # Edit Unbound Config File

config unbound
        option add_extra_dns '0'
        option add_local_fqdn '1'
        option add_wan_fqdn '0'
        option dhcp4_slaac6 '0'
        option dns64 '0'
        option dns64_prefix '64:ff9b::/96'
        option domain "secureone.duckdns.org" # Used For Illustrative Purposes ( See **Note Above )
        option domain_type 'transparent'
        option edns_size '4096'
        option extended_stats '1'
        option hide_binddata '1'
        option extended_luci '1'
        option luci_expanded '1'
        option listen_port '53'
        option localservice '1'
        option num_threads '2'
        option manual_conf '0'
        option protocol 'ip4_only'
        option query_minimize '1'
        option query_min_strict '1'
        option rebind_localhost '1'
        option rebind_protection '1'
        option recursion 'aggressive'
        option resource 'medium'
        option root_age '9'
        option ttl_min '150'
        option unbound_control '3'
        option validator '1'
        option validator_ntp '1'
        option verbosity '2'
        list trigger_interface 'wan'
        list trigger_interface 'lan'
        list domain_insecure '3.us.pool.ntp.org'
        option dhcp_link 'dnsmasq'

10 - Final Step ---  # /etc/init.d/unbound restart

11 -  # reboot & exit

12 - Install OpenWRT dnsmasq-full package - ( Optional )

 # opkg update ; opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk

Done - See https://forums.torguard.net/index.php?/topic/1374-from-the-dns-privacy-project-dns-over-tls-on-openwrtlede-featuring-unbound-getdns-and-stubby/  or ( From The DNS Privacy Project ) https://forum.openwrt.org/t/from-the-dns-privacy-project-dns-over-tls-on-openwrt-lede-featuring-unbound-getdns-and-stubby/13765
For Comparisons - Peace

Lastly, Check Your DNS Servers Below :

https://www.dnsleaktest.com/ https://cryptoip.info/dns-leak-test
https://www.grc.com/dns/dns.htm https://bash.ws/dnsleak/test/
and last but not least
https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test   

Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider.
I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security.

 
