Hello,
I was configuring DNS over TLS / DNSSEC with Stubby / dnsmasq following that tutorial (did it via SSH, copy & paste):
I used the "Stubby-Method" for DNSSEC but ESNI checker said "Your resolver does not appear to validate DNS responses with DNSSEC.".
So I decided to reset the values I had set for Stubby DNSSEC and try the dnsmasq method instead.
With that, DNSSEC validation seems to work, but on the other hand normal DNS resolution doesn't seem to...
Can someone help me figure out what's wrong here?
/etc/config/network:
# /etc/config/network (OpenWrt UCI). Review comments added inline; the option
# lines themselves are unchanged.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd39:5c14:8824::/48'
# LAN side: bridge over the VLAN 1 switch ports (see switch_vlan '1' below).
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# WAN side on VLAN 2 (see switch_vlan '2' below).
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
# peerdns '0': the ISP's DHCP-supplied resolvers are ignored, so the
# router's own local resolver is the only upstream the system uses — this is
# what keeps queries on the TLS path rather than leaking to the ISP in
# plaintext.
option peerdns '0'
# The router resolves against 127.0.0.1 — presumably the local dnsmasq on
# its default port 53 (no 'port' option is set in /etc/config/dhcp), which
# in turn forwards to stubby on 5453. TODO confirm with `cat /etc/resolv.conf`.
option dns '127.0.0.1'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# Same for IPv6: upstream resolvers from DHCPv6 ignored, loopback used instead.
option peerdns '0'
option dns '0::1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 = LAN ports 2-5, CPU port 0 tagged.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
# VLAN 2 = WAN port 1, CPU port 0 tagged.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
/etc/config/stubby:
# /etc/config/stubby (OpenWrt UCI): stubby is the DNS-over-TLS forwarder that
# dnsmasq hands queries to (dnsmasq 'server' entries point at port 5453).
config stubby 'global'
option manual '0'
option trigger 'wan'
# TLS is the only transport listed, so there is no plaintext UDP/TCP
# fallback configured here.
list dns_transport 'GETDNS_TRANSPORT_TLS'
# tls_authentication '1': strict mode — the upstream certificate must match
# the tls_auth_name of each resolver below, otherwise the connection is
# rejected rather than used unauthenticated.
option tls_authentication '1'
# Pad queries to 128-byte blocks to reduce size-based traffic analysis.
option tls_query_padding_blocksize '128'
option appdata_dir '/var/lib/stubby'
# Do not send EDNS client-subnet information to the upstream resolver.
option edns_client_subnet_private '1'
option idle_timeout '10000'
option round_robin_upstreams '1'
# Stubby listens on both loopback addresses, but /etc/config/dhcp as posted
# only forwards to 127.0.0.1#5453, so the '0::1@5453' listener is currently
# unused by dnsmasq.
list listen_address '127.0.0.1@5453'
list listen_address '0::1@5453'
# dnssec_return_status '0': stubby itself does not validate; validation is
# delegated to dnsmasq ('option dnssec 1' in /etc/config/dhcp). For that to
# work stubby still has to pass the DNSSEC records through to dnsmasq —
# NOTE(review): if dnsmasq logs SERVFAIL/BOGUS for everything, check this
# setting against the tutorial's dnsmasq-method section.
option dnssec_return_status '0'
# Upstream set: Cloudflare over IPv6 and IPv4, all authenticated against the
# same TLS name.
config resolver
option address '2606:4700:4700::1111'
option tls_auth_name 'cloudflare-dns.com'
config resolver
option address '2606:4700:4700::1001'
option tls_auth_name 'cloudflare-dns.com'
config resolver
option address '1.1.1.1'
option tls_auth_name 'cloudflare-dns.com'
config resolver
option address '1.0.0.1'
option tls_auth_name 'cloudflare-dns.com'
/etc/config/dhcp:
# /etc/config/dhcp (OpenWrt UCI): dnsmasq is the LAN-facing resolver and, in
# this setup, the DNSSEC validator.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# rebind_protection '1': reject upstream answers that point at private
# address ranges (DNS-rebinding defence). rebind_localhost '1' still allows
# answers in 127.0.0.0/8.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '1'
# localservice '1': only answer queries from directly attached subnets, so
# this does not act as an open resolver towards the WAN.
option localservice '1'
# NOTE(review): the same upstream is listed twice. The second entry was most
# likely meant to be stubby's IPv6 listener ('0::1#5453', see
# /etc/config/stubby); as written, all forwarding goes through the single
# IPv4 loopback entry. The duplicate is harmless but worth correcting.
list server '127.0.0.1#5453'
list server '127.0.0.1#5453'
# noresolv '1': ignore /etc/resolv.conf, so the stubby entries above are the
# only upstreams dnsmasq uses — nothing falls back to a plaintext resolver.
option noresolv '1'
# proxydnssec '0' + dnssec '1': dnsmasq validates answers itself instead of
# trusting a validating upstream. NOTE(review): this requires a DNSSEC-
# capable dnsmasq build with a trust anchor configured, and validation fails
# while the system clock is wrong (e.g. right after boot on a router without
# an RTC) — both are candidates for the "DNS doesn't work" symptom; confirm
# with `logread | grep dnsmasq`.
option proxydnssec '0'
option dnssec '1'
# dnsseccheckunsigned '1': require proof that a zone is genuinely unsigned
# rather than accepting any unsigned answer, which closes the DNSSEC
# downgrade gap at the cost of extra queries.
option dnsseccheckunsigned '1'
# LAN DHCP/DHCPv6/RA served by dnsmasq/odhcpd for the 'lan' interface.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
# No DHCP service on the WAN side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'