DNS: choose / config dnsmasq, dnscrypt (+proxy(2)), dnssec, adguard/adblock, stubby... help!

Hi everybody,
I need some big help to understand what are the best tools and configs to use for DNS, considering the following goals:

  • DNS security (privacy, spoofing, poisoning, leaking...)
  • DNS filtering
  • easy to install and maintain
  • intercept and manage all DNS traffic in a transparent way for the client.

I have seen the wiki page https://openwrt.org/docs/guide-user/services/dns/start#encryption but it doesn't explain what the differences are between the various solutions proposed (or if all of them have to be applied). Is DNS-over-TLS better than DNS-over-HTTPS? Unbound or Stubby?

Another problem I have is that some DNS configs seem to be placed in several LuCI functions (I will try to post here where exactly): in network-interfaces-lan but also in services-dhcp&dns (and maybe something in adblock too).

For example in network-interfaces-lan-general settings there is:

Should I put localhost here? I think not...

Or here, even if I don't want to use IPv6, should I put something:

In network-Dhcp and DNS there is also

In network-Dhcp and DNS-Resolv and Host files, I think (but I am not sure) this other combo is complementary... Do I have to modify the resolv file or ignore it?

In services-adblock there is:

Do I have to do something here? When?

I started applying this guide https://openwrt.org/docs/guide-user/services/dns/dnscrypt_dnsmasq_dnscrypt-proxy2 but I don't understand:

  1. which DNS is used, or which collection of DNS servers is used, and how to modify it;
  2. why, after applying it, a test site like this https://dnssec.vs.uni-due.de/ said that I'm not secure... maybe because the guide is not about DNSSEC?

By the way, to summarize: what is the easiest, most stable, most anonymous combination of tools and configs for DNS?


There are at least three DNS settings in your setup.

  • for the router itself
  • for the clients (provided via DHCP)
  • for the DNS service you provide to your clients (via the DHCP, or static)

They're all independent of each other.

Should I open 3 different threads?
I want to provide DNS via DHCP, automatically (this might answer your third bullet).
Any help/suggestion about the questions I raised?

If you're looking for easy and stable, just install https-dns-proxy (and optionally luci-app-https-dns-proxy). The https-dns-proxy package automagically reconfigures dnsmasq and forces encrypted DNS use onto LAN clients.

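A check you can run on the router once https-dns-proxy has reconfigured dnsmasq, added here as an example and not taken from the thread or from the https-dns-proxy package: it reads the output of `uci show dhcp.@dnsmasq[0]` and fails if dnsmasq still consults /etc/resolv.conf (the ISP resolvers) or forwards to any upstream that is not a loopback proxy listener. The listener ports 5053/5054 are assumed https-dns-proxy defaults; the two samples are constructed, so the script runs without a router.

```shell
#!/bin/sh
# Added example (not from the thread or the https-dns-proxy project): verify
# that dnsmasq forwards only to local encrypted-proxy listeners and does not
# fall back to the ISP resolvers from /etc/resolv.conf. On a router, pipe the
# real `uci show dhcp.@dnsmasq[0]` output in; here constructed samples are used.
# Assumption: https-dns-proxy listens on 127.0.0.1#5053 and 127.0.0.1#5054.

check_dnsmasq_upstreams() {
    # $1: text of `uci show dhcp.@dnsmasq[0]`
    _noresolv=$(printf '%s\n' "$1" | sed -n 's/^dhcp\.@dnsmasq\[0\]\.noresolv=.\([01]\).$/\1/p')
    _servers=$(printf '%s\n' "$1" | sed -n 's/^dhcp\.@dnsmasq\[0\]\.server=//p')
    if [ "$_noresolv" != "1" ]; then
        echo "FAIL: noresolv is not set, /etc/resolv.conf upstreams are still used"
        return 1
    fi
    if [ -z "$_servers" ]; then
        echo "FAIL: no explicit upstream servers configured"
        return 1
    fi
    # uci prints list values as 'a' 'b': split on whitespace, strip the quotes
    for _s in $_servers; do
        _s=${_s#\'}
        _s=${_s%\'}
        case "$_s" in
            127.0.0.1#*|::1#*) ;;                  # local encrypted-proxy listener
            *) echo "FAIL: plaintext upstream $_s"; return 1 ;;
        esac
    done
    echo "OK: every upstream is a local encrypted-proxy listener"
    return 0
}

# Constructed sample: the state https-dns-proxy is expected to leave behind
GOOD_SAMPLE="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5053' '127.0.0.1#5054'"

# Constructed sample: resolv.conf still consulted and a plaintext upstream
# (192.0.2.53, a documentation address standing in for an ISP resolver) left in
BAD_SAMPLE="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].noresolv='0'
dhcp.@dnsmasq[0].server='127.0.0.1#5053' '192.0.2.53'"

check_dnsmasq_upstreams "$GOOD_SAMPLE"
check_dnsmasq_upstreams "$BAD_SAMPLE" || :
```

Run it on the router as `check_dnsmasq_upstreams "$(uci show dhcp.@dnsmasq[0])"` after installing the package; a FAIL line points at the exact dnsmasq option that still leaks queries in the clear.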

Thanks a lot: I assume adblock is a separate thing to be configured (how?).
Do the other, more difficult solutions offer something more?

The simple-adblock is pretty much zero-config, you just need to enable it after installation and it will work with dnsmasq and https-dns-proxy without any issues or additional steps. It's been a while since I've tried running @dibdot's adblock, but if you only use dnsmasq and https-dns-proxy it should be a similar experience.

Yeah, I've asked this same question a few times and never got a good answer. If your objective is to have your DNS queries encrypted so that your ISP cannot resell your DNS lookup logs, the combination I suggested does the job.

You can solve this if you use only resolvers with DNSSEC:

I've installed both adblock (for filtering: it is included in the hnyman build) and https-dns-proxy (for encryption, even if I have seen I can use a DNS server with ad-block features included); should I uninstall the first one?
... testing DNSSEC seems good now. I've understood where the DNS IPs are specified, but it's ok...

The parameters in LuCI are these; do I need others?

By the way, if someone would explain all the config options in LuCI that I put in the first post, it would be very much appreciated too :hugs:!!!