( From The DNS Privacy Project ) DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY

Thank you @directnupe.

I set everything up and it looks like it's working because I can still browse ;D

One question:

When I check for dnsleak at https://www.dnsleaktest.com/,

I see my IP address as DNS.

Is that how it is supposed to work?

Can you try https://www.dnsleaktest.com/ and see?

Regards.

If you mean your IP ADDRESS is displayed next to a BIG HELLO at the top of the page then
yes, that is normal -

you have to click on Standard and/or Extended Test situated directly beneath the picture map

I find GRC Spoofability to be the best - either one of these -

https://www.grc.com/dns/dns.htm

https://www.grc.com/dns/customtest.htm There are two of them

read my friend - read the instructions - you can just type

dnsleak in google and try several results - you will get plenty

I told you in the tutorial that your servers should be:

Lastly, you can check your DNS at GRC Spoofability Test - DNS Leak - or any of such service. You will see that your DNS results render WoodyNet ( Quad 9 ) and Cloudflare respectively if you followed this guide step by meticulous step.


Thanks again :slight_smile:

The problem was I copied and pasted into PuTTY from here and somehow
name: “.” turned into name ........

Rechecked everything and edited that and it works now.

Good tutorial :]

Can someone please explain to me this mess of a mess. Why use GetDns+Stubby+Unbound+Dnsmasq? This looks like a huge performance mess to me. Shouldn't unbound replace dnsmasq? What's the meaning of using GetDns together with Stubby? Can't you just use stubby+dnsmasq? Why would this be better than dnsmasq+dnscrypt-proxy1.9, which is like 5 lines to configure? dnscrypt-proxy2 is mostly bad for Lede because of this nonsense script Go and its size. But I wanted to try out the Cloudflare server and it doesn't work with dnscrypt-proxy1.9 it seems.

@directnupe

Is this important though?

"tls_pubkey_pinset" (Padding)

Wouldn't having that hide it from ISP and VPN too?

upstream_recursive_servers:
# IPv4
# Cloudflare DNS over TLS server
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

More: https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/2/

Read here - you could stand to learn how to do some basic research and independent investigatory work

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers

specifically these assertions from Cloudflare and Quad 9 THEMSELVES "

DNS-over-TLS (DOT)

Quad9 'secure' and Quad9 'insecure'

Quad9 do NOT publish or recommend use of SPKI pins with their servers.

and - same as Quad 9 for Cloudflare

Cloudflare do NOT publish or recommend use of SPKI pins with their servers.

so there you have it from the sources - The answer is " NO"

Read this for Quad 9 -

See https://quad9.net and their FAQ for details of privacy, logging and filtering policies on the main and alternative addresses(1).
UDP and TCP service are also available on these addresses.

and this for Cloudflare -
PRIVACY POLICY: https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/

And also see https://labs.apnic.net/?p=1127 for details of the APNIC/Cloudflare agreement as mentioned on the Register.

UDP and TCP service are also available on these addresses. DNS-over-HTTPS is also available!

NOTE: To use this service by name only (i.e resolve the IP from the name) use 1dot1dot1dot1.cloudflare-dns.com.

and looking to the future read mid page here :slight_smile:

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

The next release of Stubby (v0.3, getdns v1.5) is expected to support the following:
DNS-over-HTTPS (DOH)
Configuration of servers using authentication name only

so DNSPRIVACY ( Developer of Stubby and GetDNS ) plans to get rid of padding pin in next release and use name only - so it must be secure at least in their view

Peace,

directnupe


@directnupe

Thank you Max again :]

I have some more doubts so I can verify

1]

These are the logs:

Unbound Statistics:

thread0.num.queries=270
thread0.num.queries_ip_ratelimited=0
thread0.num.cachehits=62
thread0.num.cachemiss=208
thread0.num.prefetch=0
thread0.num.zero_ttl=0
thread0.num.recursivereplies=208
thread0.requestlist.avg=4.15385
thread0.requestlist.max=15
thread0.requestlist.overwritten=0
thread0.requestlist.exceeded=0
thread0.requestlist.current.all=0
thread0.requestlist.current.user=0
thread0.recursion.time.avg=2.266355
thread0.recursion.time.median=1.45098
thread0.tcpusage=0
total.num.queries=270
total.num.queries_ip_ratelimited=0
total.num.cachehits=62
total.num.cachemiss=208
total.num.prefetch=0
total.num.zero_ttl=0
total.num.recursivereplies=208
total.requestlist.avg=4.15385
total.requestlist.max=15
total.requestlist.overwritten=0

System log:

Wed May 16 05:39:10 2018 user.notice unbound: iterator will use built-in root hints
Wed May 16 05:39:16 2018 user.notice unbound: iterator will use built-in root hints
Wed May 16 05:39:17 2018 daemon.notice unbound: [1599:0] notice: init module 0: validator
Wed May 16 05:39:17 2018 daemon.notice unbound: [1599:0] notice: init module 1: iterator
Wed May 16 05:39:45 2018 daemon.info procd: Instance unbound::instance1 pid 1599 not stopped on SIGTERM, sending SIGKILL instead
Wed May 16 05:39:47 2018 daemon.notice unbound: [1912:0] notice: init module 0: validator
Wed May 16 05:39:47 2018 daemon.notice unbound: [1912:0] notice: init module 1: iterator
Wed May 16 05:39:52 2018 daemon.info unbound: [1912:0] info: start of service (unbound 1.7.1).
Wed May 16 05:39:54 2018 daemon.info unbound: [1912:0] info: generate keytag query _ta-4a5c-4f66. NULL IN

Is it working well?

2] When you advise in point 7 the following

nano /etc/config/dhcp

config dnsmasq
    option domain 'yourdomain'
    option noresolv '1' ## Make sure to change this as indicated
    option resolvfile '/tmp/resolv.conf.auto'
    option port '53535'

Does this mean I only have the above entries in config dnsmasq and remove all the extra below?

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'yourdomain'
        option noresolv '1'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option port '53535'

3] How to edit this in /etc/config/dhcp

    list server '127.0.0.1#5453' # Stubby/Unbound Default Address/Port
    list server '/pool.ntp.org/84.200.69.80' ## DNS WATCH SECURE
    option noresolv '1'
    option allservers '1'

Does it look like

config dnsmasq
    list server '127.0.0.1#5453'
    list server '/pool.ntp.org/84.200.69.80'
    option allservers '1'
    option domain 'yourdomain'
    option noresolv '1' ## Make sure to change this as indicated
    option resolvfile '/tmp/resolv.conf.auto'
    option port '53535'

Thank you so much again ;]

First - Is it working well? Your Unbound files look fine to me, and if you followed all the steps in the guide I wrote, then go to System > Recursive DNS > Status > Log - you can read on a more granular level what Unbound is doing,
including cache hits.

Second - yes, you have /etc/config/dhcp set up correctly under "Does it look like?"
Lastly, do not change anything ( remove or add ) unless it was indicated in the tutorial.
You only need to add four lines - DO NOT REMOVE ANYTHING - PERIOD EVER !
These four lines:

/etc/config/dhcp

    list server '127.0.0.1#5453'
    list server '/pool.ntp.org/84.200.69.80'
    option noresolv '1'
    option allservers '1'

Thank you :]

Thanks for your tutorial @directnupe !

It's working here but I'm getting a lot of Conn closed: TLS - Failure, is this normal?
Local DNS benchmark is not that good too.

@directnupe

One curious question:

By default, the setting on my router is

option domain 'lan'

should I change it to

option domain 'yourdomain'

'yourdomain' everywhere.

What's the performance penalty of unbound vs dnsmasq vs actual DNS forwarders?

Response time is dominated by Internet transit time and TLS setup time, not the software itself, at the scales (query rates) that most home users experience.

I dived in and replaced unbound with dnsmasq. Answering my own question:

  • dnsmasq or using public DNS directly (google, cloudflare) were all less than 100ms (20~80ms).
  • unbound's cold recursive lookup is anywhere between 400~900ms.
  • unbound's cold DNS over TLS lookup is 200~8000ms.

Just use stubby.

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status

Hmm...

I also switched over to stubby.

Replacing dnsmasq completely by unbound is not that easy as I thought.
odhcpd doesn't work if the kernel has no IPv6 support.
So I have to use dnsmasq for DHCP.
If you want to link your DHCP to unbound you have to keep the DNS part of dnsmasq enabled.
(so don't use port 0)
Also the DNS resolution fails on the router if unbound is the main DNS server.
I dunno why.

One advantage of unbound is it does query the root servers directly and then goes from there.
So you don't share dns query data with companies like google, opendns, cloudflare and so on.
But the dns traffic can still be analyzed, since there is no encryption.

I think best would be to get some cheap vps in a different country.
And host a dns server on your own.

Is it true Cloudflare does share its data with the Chinese APNIC?

Are there reasons for avoiding IPv6, since the Internet is moving in that direction?

Do you have more information about this or was it about the recent BGP issue with 1.1.1.1?

I find this guide to be very hard to read.

It seems that to have encrypted DNS I need dnsmasq, unbound, getdns and Stubby. Of course each performs a different task and they all rely on each other. What could go wrong?

What the HELL happened to KISS (Keep It Simple, Stupid)???
For now I think I will stay with DNSCrypt. The configuration is easy, well documented and it has been working with OpenWrt for years, so it's not experimental compared to this DNS-Over-TLS mess you are proposing. Also DNSCrypt v2 supports DNS-Over-HTTPS which, from what I read, is far more secure, reliable and VERY HARD to block by an ISP, compared to the TLS alternative.

See this section - what this section describes is an environment where the only DNS resolver being used is Stubby forwarded to Unbound - that is what the "list server" entry does in the dnsmasq config file.
Therefore your statement that "Also the dns resolution fails on the router if unbound is the main dns server." is incorrect and misleading. Perhaps you meant to say that "dns resolution fails on the router if unbound is the ONLY dns server."

7 - From https://github.com/openwrt/packages/tree/master/net/unbound/files HOW TO Integrate with DHCP

Parallel DNSMASQ /etc/config/dhcp
After Some Reflection and Observations - Fine Tuning Your DNS Resolver
After reading System Logs I realized that there is a need to amend DNSMASQ ( DHCP ) after implementing option noresolv ‘1’ in /etc/config/dhcp configuration file. This dawned on me from my years of running DNSCRYPT Proxy on OpenWrt. I referred to this guide:

https://www.leowkahman.com/2016/05/23/openwrt-encrypted-dns-lookup-using-multiple-dnscrypt-servers/

option noresolv '1' is to prevent using any upstream DNS server other than those specified in this file # this file being: /etc/config/dhcp

The solution is as follows: add these four lines to /etc/config/dhcp:

nano /etc/config/dhcp - enter these lines before option domain 'yourdomain'

list server '127.0.0.1#5453' # Stubby/Unbound Default Address/Port
list server '/pool.ntp.org/84.200.69.80' ## DNS WATCH SECURE
option noresolv '1' ## Make sure to change this as indicated
option allservers '1'

more legible and readable guide here and stop the whining -

https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/
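As an added check, not part of the tutorial or of any post in this thread, here is a small Python lint for the dnsmasq section of /etc/config/dhcp. It flags the typographic quotes that copy-pasting introduced earlier in the thread, unterminated values, and any of the four required lines that are missing. The sample config is constructed for the demonstration.

```python
import re

# Constructed sample of an /etc/config/dhcp fragment, as pasted from a forum:
# curly quotes and an unterminated value are the kinds of copy-paste damage
# that stop dnsmasq from loading the intended settings.
SAMPLE_DHCP = """config dnsmasq
        option domain ‘yourdomain’
        option noresolv '1'
        option resolvfile '/tmp/resolv.conf.auto'
        list server '127.0.0.1#5453'
        list server '/pool.ntp.org/84.200.69.80'
        option allservers '1'
        option port '53535
"""

# The four entries the tutorial says must be present in the dnsmasq section.
REQUIRED = {("list", "server", "127.0.0.1#5453"),
            ("list", "server", "/pool.ntp.org/84.200.69.80"),
            ("option", "noresolv", "1"),
            ("option", "allservers", "1")}

# One UCI line: keyword, name, single-quoted value, optional trailing comment.
LINE_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*(#.*)?$")


def lint_dnsmasq_section(text):
    """Return (entries, problems) for the 'config dnsmasq' section of a UCI dhcp file.

    entries  -> set of (keyword, name, value) tuples parsed from the section
    problems -> list of (line_number, message); line 0 means a missing entry
    """
    entries, problems = set(), []
    in_section = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("config "):
            in_section = line.split()[1] == "dnsmasq"
            continue
        if not in_section or not line or line.startswith("#"):
            continue
        if any(ch in line for ch in "‘’“”"):
            problems.append((lineno, "typographic quotes; UCI needs ASCII ' quotes"))
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "unparseable or unterminated value"))
            continue
        entries.add((m.group(1), m.group(2), m.group(3)))
    for req in sorted(REQUIRED - entries):
        problems.append((0, "missing %s %s '%s'" % req))
    return entries, problems
```

Run it against the real file with `lint_dnsmasq_section(open("/etc/config/dhcp").read())` after editing; an empty problem list means the four lines are present and every value is properly quoted.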