DNS over TLS not working? DNSSEC Stubby / dnsmasq

Hello,

I was configuring DNS over TLS / DNSSEC with Stubby / dnsmasq following that tutorial (did it via SSH, copy & paste):

I used the "Stubby method" for DNSSEC, but the ESNI checker said "Your resolver does not appear to validate DNS responses with DNSSEC.".

So I decided to reset the values I've set for Stubby DNSSEC to try the dnsmasq method.

There, DNSSEC seems to work, but on the other hand DNS doesn't seem to...

Can someone help me figure out what's wrong here?

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd39:5c14:8824::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '127.0.0.1'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option peerdns '0'
        option dns '0::1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

/etc/config/stubby:

config stubby 'global'
        option manual '0'
        option trigger 'wan'
        list dns_transport 'GETDNS_TRANSPORT_TLS'
        option tls_authentication '1'
        option tls_query_padding_blocksize '128'
        option appdata_dir '/var/lib/stubby'
        option edns_client_subnet_private '1'
        option idle_timeout '10000'
        option round_robin_upstreams '1'
        list listen_address '127.0.0.1@5453'
        list listen_address '0::1@5453'
        option dnssec_return_status '0'

config resolver
        option address '2606:4700:4700::1111'
        option tls_auth_name 'cloudflare-dns.com'

config resolver
        option address '2606:4700:4700::1001'
        option tls_auth_name 'cloudflare-dns.com'

config resolver
        option address '1.1.1.1'
        option tls_auth_name 'cloudflare-dns.com'

config resolver
        option address '1.0.0.1'
        option tls_auth_name 'cloudflare-dns.com'

/etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        list server '127.0.0.1#5453'
        list server '127.0.0.1#5453'
        option noresolv '1'
        option proxydnssec '0'
        option dnssec '1'
        option dnsseccheckunsigned '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
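A small consistency check over the two config files in this post, added here as an example (it is not from the thread, the tutorial, or OpenWrt itself). It works on constructed copies of the relevant stubby and dnsmasq lines, reports duplicated or unmatched forwarder/listener pairs, and says which daemon is set to validate DNSSEC; note that dnsmasq-side validation (dnssec '1') only works with the dnsmasq-full package, and stubby-side validation is only visible to clients when dnsmasq has proxydnssec '1'.

```shell
#!/bin/sh
# Constructed excerpts of the two UCI files posted above; only the lines the
# checks look at are kept, so the script runs anywhere without touching /etc/config.
STUBBY_CFG="config stubby 'global'
        list listen_address '127.0.0.1@5453'
        list listen_address '0::1@5453'
        option dnssec_return_status '0'"
DHCP_CFG="config dnsmasq
        list server '127.0.0.1#5453'
        list server '127.0.0.1#5453'
        option proxydnssec '0'
        option dnssec '1'"

# uci_list CFG NAME: every "list NAME 'value'" value, one per line;
# uci_option CFG NAME: the first "option NAME 'value'" value (empty if unset).
uci_list() { printf '%s\n' "$1" | sed -n "s/^[[:space:]]*list $2 '\(.*\)'\$/\1/p"; }
uci_option() { printf '%s\n' "$1" | sed -n "s/^[[:space:]]*option $2 '\(.*\)'\$/\1/p" | head -n 1; }
# Upstreams dnsmasq forwards to, rewritten in stubby's host@port notation.
dnsmasq_upstreams() { uci_list "$DHCP_CFG" server | tr '#' '@'; }
# 'server' entries listed more than once: harmless to dnsmasq, but usually a paste slip.
duplicate_servers() { uci_list "$DHCP_CFG" server | sort | uniq -d; }
# dnsmasq upstreams that no stubby listen_address serves: those queries go nowhere.
missing_listeners() {
    dnsmasq_upstreams | sort -u | while read -r up; do
        uci_list "$STUBBY_CFG" listen_address | grep -qxF "$up" || echo "$up"
    done
}
# stubby listeners dnsmasq never forwards to (a hint that a server line is a typo).
unused_listeners() {
    uci_list "$STUBBY_CFG" listen_address | while read -r l; do
        dnsmasq_upstreams | grep -qxF "$l" || echo "$l"
    done
}
# Which daemon validates DNSSEC. dnsmasq-side validation (dnssec '1') needs the
# dnsmasq-full package; stubby-side validation only reaches clients when dnsmasq
# copies the AD bit from upstream to downstream, which is what proxydnssec '1' does.
validation_mode() {
    s=$(uci_option "$STUBBY_CFG" dnssec_return_status)
    d=$(uci_option "$DHCP_CFG" dnssec)
    p=$(uci_option "$DHCP_CFG" proxydnssec)
    case "${s:-0}${d:-0}" in
        01) echo dnsmasq ;;
        11) echo both ;;
        10) [ "${p:-0}" = 1 ] && echo stubby || echo stubby-without-proxydnssec ;;
        *)  echo none ;;
    esac
}
echo "validation=$(validation_mode) duplicates=$(duplicate_servers) missing=$(missing_listeners) unused=$(unused_listeners)"
```

On a router, replace the two constructed strings with `$(cat /etc/config/stubby)` and `$(cat /etc/config/dhcp)` to run the same checks against the live files.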

Stubby worked normally for me, but since Friday it stopped doing DNS over HTTPS.
What DNS do you have set on your network card?

I have set the network adapter to get the IP and DNS settings "automatically"...

@branc, welcome to the community!

Here's a thread with the same issue from earlier today (the Cloudflare site shows red X's for DNSSEC):

I think it's Cloudflare's page. I also get various red/green combinations depending on whether I:

  • Use Google DNS DoH instead
  • Disable browser scripting
  • Send the web traffic over Tor/Proxy/VPN but use DoH on the raw wire
  • Send both web traffic and DoH over Tor

For example, using DoH with Cloudflare and scripts off:

For example, using DoH with Cloudflare and scripts on:

Lastly, if you are not connecting directly to DoH in the browser, I'm not sure how the page would detect that anyway (unless a random Cloudflare domain is generated by the page for a one-time DNS lookup).
