(From The DNS Privacy Project) DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND, GETDNS and STUBBY

Also, as far as I know, unbound in OpenWrt is built without TCP Fast Open.

So it seems to me that dnsmasq+stubby would perform better than dnsmasq+unbound. No?

Yes but stubby does not support (l)uci.

The defaults from the Makefile:

CONFIGURE_ARGS += \
        --disable-dsa \
        --disable-gost \
        --enable-allsymbols \
        --enable-tfo-client \
        --enable-tfo-server \
        --with-libexpat="$(STAGING_DIR)/usr" \
        --with-ssl="$(STAGING_DIR)/usr" \
        --with-user=unbound \
        --with-run-dir=/var/lib/unbound \
        --with-conf-file=/var/lib/unbound/unbound.conf \
        --with-pidfile=/var/run/unbound.pid

Okay. It was added a couple of months ago.

I have a working configuration of Stubby+Dnsmasq (no Unbound), running on an old router (4/32MB), v18.06.0, no LuCI, everything configured via console and stubby is installed into RAM upon boot, if anyone's interested. :)

1 Like

Tutorial will be really helpful

Here you are : [Tutorial] DNS-over-TLS with dnsmasq and stubby (no need for unbound)

2 Likes

STUBBY needs GETDNS - read here:
Stubby is developed by the getdns team. libgetdns is a dependency for Stubby; the getdns library provides all the core functionality for DNS resolution done by Stubby, so it is important to build against the latest version of getdns. Just stating the facts, no ill will intended. So, I do not know how this will work out.

'opkg install stubby' installs getdns as a dependency. You should know this by just looking at the package.
GetDNS does not need to be referenced because you don't need to configure it in any way; it's a library.

Dear Specimen,
Thanks, and yes, you are correct. My bad, as they say. I should have noticed that and I apologize for my errant observations and comments. I always go -
opkg install stubby getdns / so that is why I never noticed that stubby has getdns as a dependency.
Still - I apologize. By the way, RE: (your comment) "It's pretty obvious that you haven't actually installed or used stubby." I am the OP who wrote this entire tutorial / guide - so you are just a bit off base there.
Peace,

directnupe

1 Like

Thank you for your understanding.
I removed that bit about having not installed stubby. I apologise for my harshness.
I would like to share with you my understanding of stubby, from my experience with it, to help understand maybe our different mindsets: Stubby is a DNS resolving proxy (with privacy and security enhancing features); as such, you can connect to it a variety of DNS caching and DNS management tools. You can even have clients connect directly to it, so unbound or dnsmasq isn't even a requirement.

And this is the reason why I created the other tutorial, to present a much simpler setup (and less space demanding) for having DNS-over-TLS with minimal modifications to default OpenWRT configuration (dnsmasq already comes baked in).

1 Like

Dear Specimen,
Thanks for that bit of information and knowledge. When I first set this up I was following the advice and guidance of David Mora aka iamperson347, the developer and maintainer of the GETDNS and STUBBY package for OpenWrt / LEDE. With that being said, good folks like you have been kind enough to educate me concerning the various permutations available when using GetDNS and Stubby.
I need to be more open-minded and I do appreciate your work in this area and taking time to advance the development and implementation of DNS OVER TLS for OpenWrt/ LEDE.

Peace,

directnupe

I have read through the instructions but cannot make out what I need to follow to accomplish the above. Can someone please help direct/guide me to what I need to do?

I have OpenWRT running on my TP-Link Archer C7 v2.

OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)

This worked for me:
https://candrews.integralblue.com/2018/08/dns-over-tls-on-openwrt-18-06/

1 Like

Oh this is great. Thank you so much!

Note that there have been quite a lot of changes to the stubby package, and the documentation has been updated:

Yes but stubby does not support (l)uci.

It does now in the latest package, which will make its way to 18.06 sometime.

which will make its way to 18.06 sometime.

Does not look like it.

stubby uci support is in master, maybe it will find its way into 19.x

Hello, directnupe. I've got an issue with this part of the stubby.yml file. Stubby cannot establish a connection with such parameters, while I use OpenWrt 18.06.4.
The logs are like this:

daemon.err stubby[12020]: Could not schedule query: The library did not have the requested API feature implemented.

Dear vanyaindigo,
Hello and I hope that you are well. The answer to your dilemma is a straightforward and simple one - please note this in all of the settings for tls and ciphers: "Works with OpenSSL >= 1.1.1 only" and/or
"OpenSSL >= 1.1.1 is required # for this option"
I suspect that this is why you get the error in your logs - I told folks at the beginning of this tutorial that:

By the way I run Davidc502 LEDE Snapshots -
 Moderately Customized LEDE Development Builds 
for Linksys 1900ac v.1 and 1900ac v.2, 1900acs v.1 v.2, 3200acm, WRT32X and 1200ac v.1 v.2 series routers. 
These builds keep up to date package repositories

So I am running OpenSSL 1.1.1 or greater - I do not run standard OpenWrt builds. My guess is that 18.06.4 still uses OpenSSL 1.0 - so you need to omit the end of the stubby.yml file starting with
# Set the minimum acceptable TLS version
You can check / verify your OpenSSL version by going to this reference page: https://www.a2hosting.com/kb/security/ssl/determining-the-openssl-version and entering in the SSH shell the following command:

# openssl version

Peace,
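As an added example (not from this thread or from the stubby project), the following POSIX sh script turns the advice above into a check a router admin can run: it parses the output of `openssl version`, decides whether the installed library is at least 1.1.1, and reports whether the stubby.yml block starting at "# Set the minimum acceptable TLS version" can be kept or has to be omitted. The function names and the `--check` argument are this example's own; the version strings in the comments are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the thread or of stubby itself: check whether the
# OpenSSL on this system is new enough (>= 1.1.1) for the TLS-version and
# cipher options at the end of stubby.yml. Function names are hypothetical.

MIN_OPENSSL="1.1.1"   # minimum that those stubby.yml options need

# Convert "OpenSSL 1.1.1k  25 Mar 2021", "1.0.2u" or "3.0" into one integer
# (major*10000 + minor*100 + patch) so versions compare numerically.
# Prints nothing and fails for strings that do not carry an OpenSSL version
# (for example LibreSSL output), so callers treat those as "not supported".
openssl_version_number() {
    ver=$(printf '%s' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*\).*/\2/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    case $ver in *.*) rest=${ver#*.} ;; *) rest=0 ;; esac
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%.*}
    # Patch letters such as the "k" in 1.1.1k were already dropped by sed.
    echo $(( major * 10000 + minor * 100 + patch ))
}

# openssl_meets_min "<openssl version output>" -> exit 0 if >= MIN_OPENSSL
openssl_meets_min() {
    have=$(openssl_version_number "$1") || return 1
    need=$(openssl_version_number "$MIN_OPENSSL")
    [ "$have" -ge "$need" ]
}

# Report, for the OpenSSL actually installed, whether the stubby.yml block
# starting at "# Set the minimum acceptable TLS version" can be kept.
check_stubby_tls_options() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found; check the library version another way"
        return 2
    fi
    out=$(openssl version)
    if openssl_meets_min "$out"; then
        echo "$out: TLS version / ciphersuite options in stubby.yml are usable"
    else
        echo "$out: omit stubby.yml from '# Set the minimum acceptable TLS version' onward"
        return 1
    fi
}

# Run the live check only when asked to, e.g. `sh stubby-tls-check.sh --check`,
# so the functions can also be sourced from another script.
if [ "${1:-}" = "--check" ]; then
    check_stubby_tls_options
fi
```

Usage on the router: `sh stubby-tls-check.sh --check`. The exit status is 0 when the options are usable, 1 when they must be omitted, and 2 when no openssl binary is available, so the script can also gate a configuration step in a larger setup script.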