Dns over tls support

Greetings,

I've stumbled onto this: https://blog.cloudflare.com/dns-over-tls-for-openwrt/ has anyone tried this and got it to work with latest openwrt? is it demanding?

thanks.

Might want to search the forum. Plenty of discussion and tutorials over the last year or two

1 Like

I used the methods in this post:
https://candrews.integralblue.com/2018/08/dns-over-tls-on-openwrt-18-06/
including the DNSSEC method linked to (after setting up the DNS over TLS).
Not overly demanding, but when I upgraded from 18.06.1 to 18.06.2 I needed to add a public server to the list and set noresolv to '0'

https://openwrt.org/?do=showtag&tag=DNSCrypt+DoH+DoT

image

not sure which posting I should hijack, but I see well known names above so I try to post my question here. Apologies upfront.
Looking at the options I have https://openwrt.org/docs/guide-user/services/dns/start it feels like " DNS over TLS via Unbound" looks the best.
But which one is the most recommended - most stable option for the future?
I don't really care about performance and speed, Internet is fast enough. Security and stability is more important.
In the TLS via unbound wiki I see that google dns is used. This is like using TOR and making sure that the exit nodes are operated by some of the agencies... (if possible)
Is it possible to use another one like opendns instead? Shouldn't the wiki be changed and google be removed?

BR, Frood

Yes, it is. I use Unbound (and Stubby, for that matter) with alternative DoT and DoH resolvers. Personally, I like CleanBrowsing's resolvers.

You can find a pretty comprehensive list of resolvers that you might like to use on the DNS Privacy Project's homepage: test servers and public resolvers

1 Like

First of all, I don't understand why this option (Unbound & Stubby) isn't explained in the Wiki:
DNS_TLS

Second, I do also not understand why do you need Stubby?

Why is it not possible to simply use another resolver and replace the 8888 as described in "DNS over TLS via Unbound"?

But I do understand that I should not replace / turn off dnsmasq if I already need it for other internal name resolution stuff...

I think it depends on your use case. For me, personally: I have multiple dnsmasq instances and forward to either Stubby or Unbound for reasons to which I allude here.

If you search this forum and the web, there are a number of tutorials / guides which you may find more useful than the Wiki. I cobbled-together a solution that works for my use-case based on a number of these.

I'd recommend trying one of them out: learn by doing and making mistakes; then, if you get stuck on a particular problem, start a new thread here and there are plenty of folk who are happy to try and help you out.

Because

  • All of this is relatively new and changing quickly
  • The wiki is basically volunteer effort
  • There are literally dozens of threads here on various way to implement “secure” / “hidden” DNS
  • The wiki is, at least in my opinion, such a pain to edit in any non-trivial way that it drives away would-be contributors
3 Likes

Yes. It is not just a pain, it is like Spanish or Chinese. Simply requires a two - three year study to try to get along with it.

Do you know https://openwrt.org/wiki/syntax? You only need a fraction of this for every day use.
If you need 3 years to understand this, you should really not mess with anything technical at all.

But this is a separate discussion which does not belong in this topic.

Is it me Frood, Junior Member to tell tmomas "the Leader" to take a look here
https://forum.openwrt.org/guidelines
?
No, I don't think I want to do that. Instead, I will take a deeper look at the forum postings about this topic and I might raise a new posting as mentioned by tectonic.

Thanks.

Perhaps that discussion should be reopened, as there seems to be many contributions on this topic alone that chose to post here, with a modern topic editor and a readable layout, as opposed to the 1990s wiki and style sheet still in place. It's not just one poster either

Last posting from my side to this off-topic discussion.

Your additions do not meet my intention.


That is yet a different discussion.

Feel free to open new topics in the Talk about Documentation section of the forum.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.