Read, my friend - read the instructions - you can just type
dnsleak in Google and try several results - you will get plenty.
I told you in the tutorial that your servers should be:
Lastly, you can check your DNS at GRC Spoofability Test - DNS Leak - or any of such service. You will see that your DNS results render WoodyNet ( Quad 9 ) and Cloudflare respectively if you followed this guide step by meticulous step.
Can someone please explain to me this mess of a mess. Why use GetDns+Stubby+Unbound+Dnsmasq? This looks like a huge performance mess to me. Shouldn't unbound replace dnsmasq? What's the meaning of using GetDns together with Stubby? Can't you just use stubby+dnsmasq? Why would this be better than dnsmasq+dnscrypt-proxy1.9, which is like 5 lines to configure? dnscrypt-proxy2 is mostly bad for Lede because of this nonsense Go script and its size. But I wanted to try out the Cloudflare server and it doesn't work with dnscrypt-proxy1.9, it seems.
specifically these assertions from Cloudflare and Quad 9 THEMSELVES:
DNS-over-TLS (DOT)
Quad9 'secure' and Quad9 'insecure'
Quad9 do NOT publish or recommend use of SPKI pins with their servers.
and - same as Quad 9 for Cloudflare
Cloudflare do NOT publish or recommend use of SPKI pins with their servers.
so there you have it from the sources - The answer is "NO".
Read this for Quad 9:
See https://quad9.net and their FAQ for details of privacy, logging and filtering policies on the main and alternative addresses(1).
UDP and TCP service are also available on these addresses.
The next release of Stubby (v0.3, getdns v1.5) is expected to support the following:
DNS-over-HTTPS (DOH)
Configuration of servers using authentication name only
so DNSPRIVACY ( developer of Stubby and GetDNS ) plans to get rid of the padding pin in the next release and use the name only - so it must be secure, at least in their view.
Wed May 16 05:39:10 2018 user.notice unbound: iterator will use built-in root hints
Wed May 16 05:39:16 2018 user.notice unbound: iterator will use built-in root hints
Wed May 16 05:39:17 2018 daemon.notice unbound: [1599:0] notice: init module 0: validator
Wed May 16 05:39:17 2018 daemon.notice unbound: [1599:0] notice: init module 1: iterator
Wed May 16 05:39:45 2018 daemon.info procd: Instance unbound::instance1 pid 1599 not stopped on SIGTERM, sending SIGKILL instead
Wed May 16 05:39:47 2018 daemon.notice unbound: [1912:0] notice: init module 0: validator
Wed May 16 05:39:47 2018 daemon.notice unbound: [1912:0] notice: init module 1: iterator
Wed May 16 05:39:52 2018 daemon.info unbound: [1912:0] info: start of service (unbound 1.7.1).
Wed May 16 05:39:54 2018 daemon.info unbound: [1912:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Is it working well?
2] When you advise in point 7 the following:
nano /etc/config/dhcp
config dnsmasq
option domain 'yourdomain'
option noresolv '1' ## Make sure to change this as indicated
option resolvfile '/tmp/resolv.conf.auto'
option port '53535'
Does this mean I only have the above entries in config dnsmasq and remove all the extra ones below?
list server '127.0.0.1#5453' # Stubby/Unbound Default Address/Port
list server '/pool.ntp.org/84.200.69.80' ## DNS WATCH SECURE
option noresolv '1'
option allservers '1'
Does it look like this?
config dnsmasq
list server '127.0.0.1#5453'
list server '/pool.ntp.org/84.200.69.80'
option allservers '1'
option domain 'yourdomain'
option noresolv '1' ## Make sure to change this as indicated
option resolvfile '/tmp/resolv.conf.auto'
option port '53535'
First - Is it working well? Your Unbound files look fine to me, and if you followed all the steps of the guide I wrote, then go to System > Recursive DNS > Status > Log - there you can read on a more granular level what Unbound is doing,
including cache hits.
Second - yes, you have /etc/config/dhcp set up correctly under "Does it look like?"
Lastly, do not change anything ( remove or add ) unless it was indicated in the tutorial.
You only need to add four lines - DO NOT REMOVE ANYTHING - PERIOD, EVER!
These four lines:
/etc/config/dhcp
list server '127.0.0.1#5453'
list server '/pool.ntp.org/84.200.69.80'
option noresolv '1'
option allservers '1'
Response time is dominated by Internet transit time and TLS setup time, not the software itself, at the scales (query rates) that most home users experience.
Replacing dnsmasq completely by unbound is not as easy as I thought.
odhcpd doesn't work if the kernel has no IPv6 support.
So I have to use dnsmasq for DHCP.
If you want to link your DHCP to unbound you have to keep the DNS part of dnsmasq enabled.
(so don't use port 0)
Also the DNS resolution fails on the router if unbound is the main DNS server.
I dunno why.
One advantage of unbound is that it queries the root servers directly and then goes from there.
So you don't share DNS query data with companies like Google, OpenDNS, Cloudflare and so on.
But the DNS traffic can still be analyzed, since there is no encryption.
I think the best would be to get some cheap VPS in a different country.
And host a DNS server on your own.
Is it true Cloudflare shares its data with the Chinese APNIC?
It seems that to have encrypted DNS I need dnsmasq, unbound, getdns and Stubby. Of course each performs a different task and they all rely on each other. What could go wrong?
What the HELL happened to KISS (Keep It Simple, Stupid)???
For now I think I will stay with DNSCrypt. The configuration is easy, well documented and it has been working with OpenWrt for years, so it's not experimental compared to this DNS-Over-TLS mess you are proposing. Also DNSCrypt v2 supports DNS-Over-HTTPS, which from what I read is far more secure, reliable and VERY HARD to block by an ISP, compared to the TLS alternative.
See this section - what this section describes is an environment where the only DNS resolver being used is Stubby forwarded to Unbound - that is what the "list server" entry does in the dnsmasq config file. Therefore your statement that "Also the dns resolution fails on the router if unbound is the main dns server." is incorrect and misleading. Perhaps you meant to say that "dns resolution fails on the router if unbound is the ONLY dns server."
Parallel DNSMASQ /etc/config/dhcp
After Some Reflection and Observations - Fine Tuning Your DNS Resolver
After reading the system logs I realized that there is a need to amend DNSMASQ ( DHCP ) after implementing option noresolv '1' in the /etc/config/dhcp configuration file. This dawned on me from my years of running DNSCRYPT Proxy on OpenWrt. I referred to this guide:
option noresolv '1' is to prevent using any upstream DNS server other than those specified in this file # this file being: /etc/config/dhcp
The solution is as follows: add these four lines to /etc/config/dhcp:
nano /etc/config/dhcp - enter these lines before / option domain 'yourdomain'
list server '127.0.0.1#5453' # Stubby/Unbound Default Address/Port
list server '/pool.ntp.org/84.200.69.80' ## DNS WATCH SECURE
option noresolv '1' ## Make sure to change this as indicated
option allservers '1'
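Since the thread turns on whether /etc/config/dhcp carries the four lines above (and several of the pasted copies in this thread contain curly quotes, which UCI will not parse), here is an added POSIX-shell check, not part of the guide or of any post, that reads a dhcp config file and confirms the `config dnsmasq` section has `list server '127.0.0.1#5453'`, `option noresolv '1'` and `option allservers '1'` with plain single quotes. The sample configs it writes are constructed for the demonstration; the file names and function names are my own.

```shell
#!/bin/sh
# Added example: verify that a UCI /etc/config/dhcp file contains the
# forwarding lines the guide requires, and that nobody pasted in curly quotes.
# Not from the original thread; function and file names are assumptions.

# check_dhcp_config FILE
#   returns 2 if the file contains typographic quotes (copy/paste artifact),
#   returns 1 if any required line is missing, 0 if everything is present.
check_dhcp_config() {
    cfg="$1"
    # Normalise: drop leading whitespace, whole-line comments and trailing
    # "# ..." comments (only when preceded by whitespace, so '127.0.0.1#5453'
    # keeps its port separator).
    body=$(sed -e 's/^[[:space:]]*//' \
               -e '/^#/d' \
               -e 's/[[:space:]][[:space:]]*#.*$//' "$cfg")
    # UCI expects ASCII single quotes; curly quotes make the option a no-op.
    if printf '%s\n' "$body" | grep -qF -e '‘' -e '’'; then
        return 2
    fi
    # Every required line must appear exactly once-normalised, whole line.
    for want in \
        "config dnsmasq" \
        "list server '127.0.0.1#5453'" \
        "option noresolv '1'" \
        "option allservers '1'"
    do
        printf '%s\n' "$body" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# write_good_config FILE: constructed sample modelled on the guide's lines.
write_good_config() {
    cat > "$1" <<'EOF'
config dnsmasq
	option domain 'yourdomain'
	list server '127.0.0.1#5453' # Stubby/Unbound Default Address/Port
	list server '/pool.ntp.org/84.200.69.80' ## DNS WATCH SECURE
	option noresolv '1' ## Make sure to change this as indicated
	option allservers '1'
	option resolvfile '/tmp/resolv.conf.auto'
EOF
}

# write_curly_config FILE: constructed sample with pasted curly quotes.
write_curly_config() {
    cat > "$1" <<'EOF'
config dnsmasq
	option domain ‘yourdomain’
	list server '127.0.0.1#5453'
	option noresolv ‘1’ ## Make sure to change this as indicated
	option allservers '1'
EOF
}

# write_missing_config FILE: constructed sample that forgot allservers.
write_missing_config() {
    cat > "$1" <<'EOF'
config dnsmasq
	option domain 'yourdomain'
	list server '127.0.0.1#5453'
	option noresolv '1'
EOF
}

# Run against a real file when one is given, e.g. on the router:
#   sh check_dhcp.sh /etc/config/dhcp
if [ "$#" -ge 1 ]; then
    check_dhcp_config "$1"
    case "$?" in
        0) echo "OK: dnsmasq forwards to 127.0.0.1#5453 with noresolv/allservers set" ;;
        1) echo "MISSING: one of the four required lines is absent" ;;
        2) echo "BAD QUOTES: curly quotes found, replace them with ' characters" ;;
    esac
fi
```

The comment stripping is deliberately conservative: a `#` only starts a comment when whitespace precedes it, so the `127.0.0.1#5453` server/port form that dnsmasq uses survives intact. Exit code 2 is checked before 1 so that a file with curly quotes is reported as a quoting problem rather than as "missing lines".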