I'm trying to understand the precedence of the various DNS options available in the context of my current set-up, as I'm seeing some unexpected results.
I currently have two firewall zones: lan and guest. Traffic from my lan zone is configured to be routed over a Wireguard interface where as traffic from guest goes over the WAN.
Under Network > Interfaces > LAN > DHCP Server > Advanced Settings > DHCP-options and Network I've set 6,10.64.0.1 to use my VPN provider's resolver.
Under Network > Interfaces > WAN > Common Configuration > Advanced Settings > Use custom DNS servers I've set 127.0.0.1 (and 0::1 under the WAN6 interface).
Under Network > DHCP and DNS > Server Settings > DNS forwardings I've set 127.0.0.1#5453 in order to use DNS over TLS via Stubby.
This seems to work well: clients on my LAN are using my VPN provider's resolver (i.e. no DNS leaks) whereas guest clients are using Cloudflare's resolvers and https://184.108.40.206/help shows that they're using DoT.
Following the Stubby readme, I proceeded to enable DNSSEC using:
uci set dhcp.@dnsmasq[-1].dnssec=1 uci set dhcp.@dnsmasq[-1].dnsseccheckunsigned=1 uci commit && reload_config
As soon as I do this, https://220.127.116.11/help shows that I'm no longer using DoT. However, it does appear that DSNSEC is working (I see the
Can anybody educate me here? Why, as soon as I enable DNSSEC, does DoT stop working? Happy to post configs here if it would help to understand why I'm seeing this behaviour.
EDIT: I'm also running adblock on the router, if that has any bearing on things.