DNS over TLS: absolute best configuration for Stubby, IPv4 and/or IPv6

This tutorial speaks for itself

Supplement for topic: (From The DNS Privacy Project) DNS-over-TLS on OpenWrt/LEDE featuring Unbound, getdns and Stubby

These are the DNS privacy name servers I recommend, for the reasons given in detail below.
Edit /etc/stubby/stubby.yml (SSH in and run nano /etc/stubby/stubby.yml) and use the servers listed below for the Stubby configuration. Every entry carries the hostname that Stubby must verify in the server certificate (tls_auth_name) and a SHA-256 SPKI pin; Stubby will refuse to use an upstream whose certificate or pin does not check out when tls_authentication is GETDNS_AUTHENTICATION_REQUIRED.

See here for correct format and layout: https://torguard.net/forums/index.php?/topic/1374-from-the-dns-privacy-project-dns-over-tls-on-openwrtlede-featuring-unbound-getdns-and-stubby/

To save you some time, here is a list of IPv4 DNS privacy name servers that have QNAME minimisation enabled.

The list gives, in order, the hostname for TLS authentication, the TLS port(s) and the SPKI pin. The IPv4 addresses that belonged to this list are not reproduced on this page; take them from the DNS Privacy Project test-server page linked below, and verify the pins there too, because a pin is tied to one key and stops matching as soon as the operator rotates it.

Hostname (tls_auth_name)     Port(s)      SPKI pin (sha256, base64)
getdnsapi.net                853          foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=
iana.tenta.io                853          nPzhfahBmQOFKbShlLBymTqPtZY31bPpKFnh0A86ys0=
kaitain.restena.lu           853          7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
dnsovertls2.sinodun.com      853          NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
dns.cmrg.net                 853 or 443   3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
dot.securedns.eu             853 or 443   h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
ns1.dnsprivacy.at            853          vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
ns2.dnsprivacy.at            853          s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
dns.neutopia.org             853 or 443   wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=

When you have finished editing, your IPv4 /etc/stubby/stubby.yml should look like the screenshot in the original post (the screenshot is not reproduced here; the linked forum topic shows the exact format and layout).

To save you some time, here is a list of IPv6 DNS privacy name servers that have QNAME minimisation enabled.

The list gives, in order, the hostname for TLS authentication, the IPv6 address, the TLS port(s) and the SPKI pin.

Hostname (tls_auth_name)     IPv6 address                       Port(s)             SPKI pin (sha256, base64)
getdnsapi.net                2a04:b900:0:100::37                853                 foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=
cloudflare-dns.com           2606:4700:4700::1111 (or ::1001)   853                 yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
kaitain.restena.lu           2001:a18:1::29                     853                 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
dnsovertls2.sinodun.com      2001:610:1:40ba:145:100:185:17     853                 NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
dns.cmrg.net                 2001:470:1c:76d::53                53053, 853 or 443   5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
dot.securedns.eu             2a03:b0c0:0:1010::e9a:3001         853 or 443          h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
ns1.dnsprivacy.at            2a01:4f8:c0c:3c03::2               853                 vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
ns2.dnsprivacy.at            2a01:4f8:c0c:3bfc::2               853                 s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
dns.neutopia.org             2a00:5884:8209::2                  853 or 443          wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
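Because the screenshot of the finished file is not reproduced here, the following stubby.yml is an added example of the layout, not the original post's file. It uses the IPv6 entries from the list above plus getdnsapi.net's IPv4 address 185.49.141.37 (the address in Stubby's own shipped example configuration). The listen addresses on port 5453 are an assumption based on the OpenWrt Stubby package defaults; adjust them to wherever your Unbound forward-zone points. Cloudflare is given hostname authentication only, because a pin is bound to one key and turns into a resolution failure the day the operator rotates it; the same applies to every other pin here, so recompute them before relying on them.

```yaml
# /etc/stubby/stubby.yml  (added example; check addresses and pins at dnsprivacy.org first)
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# Refuse any upstream whose certificate (and pin, where one is given) does not verify.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:          # assumed OpenWrt defaults; Unbound's forward-zone sends queries here
  - 127.0.0.1@5453
  - 0::1@5453
upstream_recursive_servers:
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=
  - address_data: 2a04:b900:0:100::37
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2001:a18:1::29
    tls_auth_name: "kaitain.restena.lu"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
  - address_data: 2001:610:1:40ba:145:100:185:17
    tls_auth_name: "dnsovertls2.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
  - address_data: 2001:470:1c:76d::53
    tls_port: 443          # this operator also answers on 443, useful where 853 is filtered
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
  - address_data: 2a03:b0c0:0:1010::e9a:3001
    tls_auth_name: "dot.securedns.eu"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
  - address_data: 2a01:4f8:c0c:3c03::2
    tls_auth_name: "ns1.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
  - address_data: 2a01:4f8:c0c:3bfc::2
    tls_auth_name: "ns2.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
  - address_data: 2a00:5884:8209::2
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
```

With round_robin_upstreams set, Stubby spreads queries over all the upstreams and sidelines any that fail authentication, so one stale pin costs you a server rather than all resolution; with it unset, it sticks to the first working upstream. Restart Stubby after editing and watch its log for authentication failures before assuming the pins are current.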

All of the name servers listed above state that they do not log your DNS queries. In full disclosure, some operators say they log traffic volume only. These are the operators' own statements and cannot be verified from the client side.
See the "Logging" column at https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers for details.

DNS query name minimisation improves privacy: the idea is to minimise the amount of data a resolver sends to each authoritative name server by asking only for the labels that server needs, instead of the full name. Run the test below after completing the full setup, and use it to check resolution speed and accuracy at the same time.
The name servers listed above are the ones that consistently pass the test. Note that in this setup Unbound forwards everything to Stubby, so the resolver that actually walks the tree is the upstream DoT server; the verdict below therefore describes that upstream's behaviour, and Unbound's own qname-minimisation settings only apply to names Unbound resolves itself.
Use either or both of these two methods to verify QNAME minimisation:
A - opkg install drill, then run: drill txt qnamemintest.internet.nl
and / or
B - opkg install bind-dig (or opkg install bind-tools), then run: dig txt qnamemintest.internet.nl +short, and / or dig -t txt qnamemintest.internet.nl for a more complete readout including the DNSSEC flags.
AD = Authenticated Data (DNSSEC only; it indicates that the validating resolver authenticated the answer).
The result in any of these scenarios will be either:
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
or "NO - QNAME minimisation is NOT enabled on your resolver :(."
Reference: https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4
You will, and should, get HOORAY if you used the name servers listed in this guide for your Stubby configuration.
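The two checks above rely on whatever resolver the router hands you. The following script is an added example, not part of the original post, that performs the same TXT lookup directly over DNS-over-TLS against one upstream, so you can confirm three things the tutorial depends on: that the server's certificate validates for its tls_auth_name, what its current SPKI pin is (to compare with the one in stubby.yml), and whether the QNAME-minimisation verdict and the AD flag come back. The only outside assumption is that getdnsapi.net still answers at 185.49.141.37 (its address in Stubby's shipped example config); the DER walker and DNS codec are stdlib-only and run offline, and the pin comparison in the main block uses the pin from the list above.

```python
"""DNS-over-TLS probe: hostname-authenticated query plus SPKI pin extraction.
Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the value Stubby expects in tls_pubkey_pinset."""
import base64
import hashlib
import socket
import ssl
import struct

QTYPE_TXT = 16
QUERY_ID = 0x1234


def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, value_start, value_end, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def spki_der_from_cert(cert_der):
    """Return the subjectPublicKeyInfo TLV of an X.509 certificate (RFC 5280 field order)."""
    _, cert_start, _, _ = der_tlv(cert_der)            # Certificate ::= SEQUENCE
    _, pos, _, _ = der_tlv(cert_der, cert_start)       # tbsCertificate ::= SEQUENCE
    tag, _, _, nxt = der_tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):                                 # serial, signature, issuer, validity, subject
        _, _, _, pos = der_tlv(cert_der, pos)
    tag, _, end, _ = der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]                           # whole TLV: the pin is computed over it


def spki_pin(cert_der):
    """The value to put in stubby.yml's tls_pubkey_pinset for this certificate."""
    return base64.b64encode(hashlib.sha256(spki_der_from_cert(cert_der)).digest()).decode()


def build_query(qname, qtype=QTYPE_TXT, qid=QUERY_ID):
    """Wire-format query with RD and AD set; AD in the request asks a validating
    resolver to report validation status in its reply (RFC 6840, section 5.7)."""
    header = struct.pack("!HHHHHH", qid, 0x0120, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg, pos):
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:                           # compression pointer occupies 2 bytes
            return pos + 2
        pos += 1 + n


def parse_txt_response(msg):
    """Return id, rcode, the AD flag and every TXT string in the answer section."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4                 # skip QTYPE + QCLASS
    txts = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype == QTYPE_TXT:                         # rdata is a run of <len><chars> strings
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
            txts.append("".join(parts))
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "txt": txts}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection early")
        buf += chunk
    return buf


def dot_query(address, auth_name, qname, expected_pin=None, port=853, timeout=5.0):
    """Query one DoT upstream. The default context verifies chain and hostname; if
    expected_pin is given the server key must also match it, mirroring what
    GETDNS_AUTHENTICATION_REQUIRED plus a pinset enforces in Stubby."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            pin = spki_pin(tls.getpeercert(binary_form=True))
            if expected_pin is not None and pin != expected_pin:
                raise ssl.SSLCertVerificationError(f"SPKI pin mismatch for {auth_name}: got {pin}")
            query = build_query(qname)
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858: 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = parse_txt_response(_recv_exact(tls, length))
            if reply["id"] != QUERY_ID:
                raise ValueError("response ID does not match the query")
            return pin, reply


if __name__ == "__main__":
    # Assumed address (from Stubby's example config) and the pin from the list above.
    listed_pin = "foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S="
    pin, reply = dot_query("185.49.141.37", "getdnsapi.net", "qnamemintest.internet.nl")
    print("SPKI pin seen:", pin, "(matches stubby.yml)" if pin == listed_pin else "(ROTATED: update stubby.yml)")
    print("AD flag:", reply["ad"], " RCODE:", reply["rcode"])
    for text in reply["txt"]:
        print(text)
```

Run it on a machine with Python 3.7+ and outbound access to port 853; on the router itself you would normally use drill or dig as above, but running this from a LAN client is a useful cross-check that the upstream's pin has not rotated since the list was written, which is the most common reason an AUTHENTICATION_REQUIRED Stubby silently drops a server.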

Note: starting with Unbound 1.7.2, qname minimisation is enabled by default.
However, I still add these settings manually.
They go in the /etc/unbound/unbound_srv.conf file (the UCI options query_minimize and query_min_strict in /etc/config/unbound below set the same directives). Be aware that the strict mode makes Unbound refuse to fall back to full-name queries, so names served by authoritative servers that mishandle minimised queries will fail to resolve instead of merely leaking the full name; if a domain stops resolving, drop the strict line first.
qname-minimisation: yes
qname-minimisation-strict: yes
harden-below-nxdomain: yes

For better DNS resolution, follow the /etc/config/unbound file in this tutorial below (where lan and wan are the Unbound trigger interfaces), then add DNS resolvers as follows: under Network > Interfaces > Edit Wan > Advanced Settings, untick "Use DNS servers advertised by peer" and enter the DNS servers in order, along with the Tenta ICANN name servers. Your DNS will still resolve using the upstream name servers you selected in stubby.yml; things will work fine and as intended. One caveat: the servers entered on the WAN interface are plain port-53 resolvers, not DoT upstreams. Anything that does use them (the router's own lookups via /etc/resolv.conf, or any service not pointed at Unbound) talks to them unencrypted, so once the setup is complete, capture on the WAN interface and confirm that client lookups leave on port 853 and nothing is leaving on port 53.

I have found that it is best to use the Tenta ICANN DNS name servers as "custom DNS servers" on the WAN interface. I chose Tenta ICANN DNS because their name servers support both emerging DNS privacy standards, DNS-over-TLS and DNS-over-HTTPS, which provide last-mile encryption to keep your DNS queries private and free from tampering. Tenta describes its service as the only anycast DoT service with built-in BGP integration, offering single-engine convenience for DNS anycasting, with QNAME minimisation enabled on its name servers by default. Main benefits of Tenta ICANN DNS as the backbone name servers on OpenWrt:
A - Stop ISPs from reading your DNS queries. DNS-over-TLS encrypts the queries between your router and the resolver, so your ISP can no longer see which names you look up. It can still see the IP addresses you connect to afterwards and any unencrypted TLS server name in those connections, so this is query privacy, not anonymity.
B - Stay private online. Tenta states that its DNS logs a counter instead of queries, so that no one, not even Tenta, has access to your browsing data. As with the other operators above, this is the operator's statement rather than something you can verify from the client.


Working /etc/config/unbound file

Edit it with nano /etc/config/unbound so that it reads as shown below. This file configures Unbound itself; forwarding of all queries to Stubby's listen address is done with a forward-zone in /etc/unbound/unbound_ext.conf, as in the DNS Privacy guide linked at the top, and is not part of this file. Replace yourdomain.com with your own local domain. protocol 'ip4_only' tells Unbound not to use IPv6 at all; the IPv6 upstreams in stubby.yml are Stubby's business and still work, but if your forward-zone points at Stubby's ::1 listener, set protocol 'mixed' instead.

config unbound
        option dns64 '0'
        option edns_size '4096'
        option extended_luci '1'
        option extended_stats '0'
        option hide_binddata '1'
        # placeholder: your local domain name
        option domain 'yourdomain.com'
        option domain_type 'static'
        option enabled '1'
        option listen_port '53'
        option localservice '1'
        option luci_expanded '1'
        option manual_conf '0'
        # qname-minimisation and its strict mode, same as the unbound_srv.conf lines above
        option query_min_strict '1'
        option query_minimize '1'
        option rebind_localhost '0'
        option rebind_protection '1'
        option recursion 'passive'
        option resource 'medium'
        option root_age '9'
        option ttl_min '120'
        option unbound_control '2'
        # DNSSEC validation; validator_ntp waits for NTP so freshly booted routers can validate
        option validator '1'
        option validator_ntp '1'
        option dhcp_link 'dnsmasq'
        # 'ip4_only' disables IPv6 in Unbound; use 'mixed' if the forward-zone targets ::1
        option protocol 'ip4_only'
        option prefetch_root '0'
        list trigger_interface 'lan'
        list trigger_interface 'wan'

PS -
Tenta DNS-over-TLS does not support IPv6 as of yet, but keep checking the DNS Privacy monitoring page, as these things change frequently and all the time. This whole process is relatively new, after all. In this case, under Network > Interfaces > Edit Wan > Advanced Settings, untick "Use DNS servers advertised by peer" and enter the DNS servers in order: localhost and Cloudflare DNS. Cloudflare supports DNS-over-TLS as well. I am not quite sure whether you should enter the Cloudflare IPv6 name servers (2606:4700:4700::1111 and 2606:4700:4700::1001) here in the case you are using IPv6 blended with IPv4 or IPv6 exclusively.
