Dnscrypt vs stubby vs unbound DoT

hi,

I'm using dnscrypt-proxy v2 and it is pretty simple and secure. But I like to try other things, and if I understand correctly, stubby would be as secure as dnscrypt is, and maybe faster??

And as for unbound, would it be less secure? Is that possible?

thanks

Start here: https://dnscrypt.info/faq/

I think dnscrypt-proxy + anonymized DNS is the best solution.

I tried stubby but I have some errors...

And what about DNSSEC? I see an option in the config file, but whether it is '0' or '1', DNSSEC is not enabled anyway.

```
Fri Dec 25 22:27:59 2020 daemon.err stubby[15930]: [03:27:59.628935] STUBBY: Stubby version: Stubby 0.3.0
Fri Dec 25 22:27:59 2020 daemon.err stubby[15930]: [03:27:59.635590] STUBBY: Read config from file /var/etc/stubby/stubby.yml
Fri Dec 25 22:27:59 2020 daemon.err stubby[15930]: [03:27:59.635918] STUBBY: DNSSEC Validation is OFF
Fri Dec 25 22:27:59 2020 daemon.err stubby[15930]: [03:27:59.635938] STUBBY: Transport list is:
Fri Dec 25 22:27:59 2020 daemon.err stubby[15930]: [03:27:59.635948] STUBBY:   - TLS
Fri Dec 25 22:27:59 2020 daemon.err stubby[15930]: [03:27:59.635957] STUBBY: Privacy Usage Profile is Strict (Authentication required)
Fri Dec 25 22:27:59 2020 daemon.err stubby[15930]: [03:27:59.635966] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
Fri Dec 25 22:27:59 2020 daemon.err stubby[15930]: [03:27:59.635975] STUBBY: Starting DAEMON....
```

```
config stubby 'global'
option manual '1'
option trigger 'wan'
# option triggerdelay '2'
list dns_transport 'GETDNS_TRANSPORT_TLS'
option tls_authentication '1'
option tls_query_padding_blocksize '128'
# option tls_connection_retries '2'
# option tls_backoff_time '3600'
# option timeout '5000'
# option dnssec_return_status '1' ?????? to enable DNSSEC validation???
option appdata_dir '/var/lib/stubby'
# option trust_anchors_backoff_time 2500
# option dnssec_trust_anchors '/var/lib/stubby/getdns-root.key'
option edns_client_subnet_private '1'
option idle_timeout '10000'
option round_robin_upstreams '1' ''0'' or ''1'' ??
list listen_address '127.0.0.1@5453'
list listen_address '0::1@5453'
# option log_level '5'
# option command_line_arguments ''
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'

# Upstream resolvers are specified using 'resolver' sections.

config resolver
option address '1.1.1.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'

config resolver
option address '1.0.0.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
```

Also, whatever other DNS resolvers I add, only Cloudflare appears in the dnsleaktest.

This means that stubby is not using what is configured via the OpenWrt/LuCI GUI and what you find in the file /etc/config/stubby. If it is set to "1" you have to use (edit/configure manually) /etc/stubby/stubby.yml instead (that is the file that is used).

Yes, I edited stubby.yml, adding Quad9 instead of Cloudflare, but Cloudflare was still there. Only Cloudflare.

You have posted the output of /etc/config/stubby only. If you set manual, this file is not relevant anymore; /etc/stubby/stubby.yml is used instead. So...
Content of: /etc/stubby/stubby.yml
Did you restart stubby or the router in order to make the changes to take effect?
How did you verify that cloudflare is used instead of quad9?

On dnsleaktest.com.
I restarted stubby from Startup in the GUI.

I see no reason to set option manual '1' and use /etc/stubby/stubby.yml.
For testing purposes I deleted all the Cloudflare servers from my /etc/config/stubby, added a section for Quad9 and restarted stubby; the dnsleaktest.com test was passed successfully.

```
config resolver
        option address '9.9.9.9'
        option tls_auth_name 'dns.quad9.net'
```

You mean set to '1'?

Yes, corrected, thank you. That was a copy/paste from my working configuration.

I tried with option '1' but still have errors in the log, and I lost Wi-Fi.

```
config stubby 'global'
       option manual '0'
       option trigger 'wan'
       # option triggerdelay '2'
       list dns_transport 'GETDNS_TRANSPORT_TLS'
       option tls_authentication '1'
       option tls_query_padding_blocksize '128'
       # option tls_connection_retries '2'
       # option tls_backoff_time '3600'
       # option timeout '5000'
       # option dnssec_return_status '0'
         dnssec: GETDNS_EXTENSION_TRUE
         dnssec_return_status: GETDNS_EXTENSION_TRUE

       option appdata_dir '/var/lib/stubby'
       # option trust_anchors_backoff_time 2500
       # option dnssec_trust_anchors '/var/lib/stubby/getdns-root.key'
       option edns_client_subnet_private '1'
       option idle_timeout '10000'
       option round_robin_upstreams '0'
       list listen_address '127.0.0.1@5453'
       list listen_address '0::1@5453'
        option log_level '5'
       # option command_line_arguments ''
       option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
       # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
       # option tls_min_version '1.2'
       # option tls_max_version '1.3'

# Upstream resolvers are specified using 'resolver' sections.
config resolver
      config resolver
       option address '1.1.1.1'
       option tls_auth_name 'cloudflare-dns.com'
        option tls_port 853
       # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
       # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
       # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
       # option tls_min_version '1.2'
       # option tls_max_version '1.3'

config resolver
       option address '1.0.0.1'
       option tls_auth_name 'cloudflare-dns.com'
        option tls_port 853
       # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
       # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
       # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
       # option tls_min_version '1.2'
       # option tls_max_version '1.3'
```

And here are the logs:

```
Sun Dec 27 12:05:08 2020 daemon.err stubby[17448]: , "Generic error"
Sun Dec 27 12:05:08 2020 daemon.err stubby[17448]: Could not parse config file "/var/etc/stubby/stubby.yml": Generic error
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: [17:05:13.621759] STUBBY: Stubby version: Stubby 0.3.0
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: Could not parse config file # Autogenerated configuration from uci data
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: resolution_type: GETDNS_RESOLUTION_STUB
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: round_robin_upstreams: 0
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: appdata_dir: "/var/lib/stubby"
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: trust_anchors_backoff_time: 2500
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: tls_query_padding_blocksize: 128
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: edns_client_subnet_private: 1
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: idle_timeout: 10000
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: listen_addresses:
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:   - 127.0.0.1@5453
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:   - 0::1@5453
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: dns_transport_list:
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:   - GETDNS_TRANSPORT_TLS
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: upstream_recursive_servers:
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:   - address_data:
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:     tls_auth_name: ""
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:   - address_data: 1.1.1.1
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:     tls_auth_name: "cloudflare-dns.com"
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:     tls_port: 853
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:   - address_data: 1.0.0.1
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:     tls_auth_name: "cloudflare-dns.com"
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]:     tls_port: 853
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: , "Generic error"
Sun Dec 27 12:05:13 2020 daemon.err stubby[17475]: Could not parse config file "/var/etc/stubby/stubby.yml": Generic error
```
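The autogenerated file echoed in that log has a first upstream whose `address_data` and `tls_auth_name` are both empty, which is what a duplicated `config resolver` line in /etc/config/stubby produces; the earlier log in this thread also shows `DNSSEC Validation is OFF` because neither `dnssec` nor `dnssec_return_status` is set in the generated stubby.yml. The lint below is an added example written for this thread, not code from stubby, getdns or the OpenWrt package. It assumes that the empty upstream is what made stubby refuse the file (the log itself only says "Generic error"), handles only the flat YAML subset the OpenWrt init script writes, and the two sample configs embedded in it are constructed for the example.

```python
"""Sanity-check a generated stubby.yml before (re)starting stubby.

Added example for this thread, not stubby/getdns/OpenWrt code. It understands
only the flat subset the OpenWrt init script writes (top-level scalars, lists
of scalars, and the upstream_recursive_servers list of mappings).
"""
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample mirroring the autogenerated file echoed in the error log:
# the stray extra 'config resolver' line yields an upstream with no address.
BROKEN_CONFIG = """\
# Autogenerated configuration from uci data
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 0
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data:
    tls_auth_name: ""
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_port: 853
"""

# Constructed sample: Quad9 only, Strict profile, DNSSEC validation on.
GOOD_CONFIG = """\
resolution_type: GETDNS_RESOLUTION_STUB
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
"""


def _clean(value):
    return value.strip().strip('"')


def parse_config(text):
    """Return (top_level, upstreams): top-level scalar keys, plus one dict per
    '- ' item under upstream_recursive_servers. Nested lists (pinsets) are
    skipped, but their parent key is recorded so the lint can see them."""
    top, upstreams, in_upstreams, current, item_indent = {}, [], False, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                      # top-level key
            key, _, value = line.partition(":")
            in_upstreams = key == "upstream_recursive_servers"
            current, item_indent = None, None
            if value.strip():
                top[key.strip()] = _clean(value)
            continue
        if not in_upstreams:
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if body.startswith("- "):
            if item_indent is None:
                item_indent = indent
            if indent != item_indent:                  # nested list item
                continue
            current = {}
            upstreams.append(current)
            body = body[2:]
        if current is None:
            continue
        key, _, value = body.partition(":")
        current[key.strip()] = _clean(value)
    return top, upstreams


def dnssec_enabled(text):
    """True when the file turns validation on; otherwise stubby logs
    'DNSSEC Validation is OFF' as in the thread."""
    top, _ = parse_config(text)
    return any(top.get(k) == "GETDNS_EXTENSION_TRUE"
               for k in ("dnssec", "dnssec_return_status"))


def lint_config(text):
    """Return (where, problem) pairs for entries stubby cannot use or that
    defeat a Strict (authenticated) profile; an empty list means OK."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        leading = raw[:len(raw) - len(raw.lstrip())]
        if "\t" in leading:  # libyaml, which stubby uses, rejects tab indentation
            problems.append((f"line {lineno}", "tab used for indentation"))
    top, upstreams = parse_config(text)
    strict = top.get("tls_authentication") == "GETDNS_AUTHENTICATION_REQUIRED"
    if not upstreams:
        problems.append(("upstreams", "no upstream_recursive_servers defined"))
    for i, up in enumerate(upstreams):
        addr = up.get("address_data", "")
        if not addr:
            problems.append((f"upstream {i}", "empty address_data (stray 'config resolver' section?)"))
        elif not (IPV4.match(addr) or ":" in addr):
            problems.append((f"upstream {i}", f"address_data {addr!r} is not an IP literal"))
        if strict and not (up.get("tls_auth_name") or "tls_pubkey_pinset" in up):
            problems.append((f"upstream {i}", "no tls_auth_name or pinset; Strict profile cannot authenticate"))
        if not up.get("tls_port", "853").isdigit():
            problems.append((f"upstream {i}", f"bad tls_port {up['tls_port']!r}"))
    return problems


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("good", GOOD_CONFIG)):
        print(name, "dnssec on" if dnssec_enabled(cfg) else "dnssec off", lint_config(cfg) or "OK")
```

On the router the same check can be run against the generated file with `python3 lint.py < /var/etc/stubby/stubby.yml` after wiring `sys.stdin.read()` into `lint_config`; the point is to catch an empty upstream or a missing auth name before stubby is restarted and the router's DNS goes dark.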

Make sure you're not using spaces in stubby.yml - use Tab instead.

Did you see a problem in my stubby config?

You need to check the config you never posted (stubby.yml). No real need to show it, just check. Alternatively you can delete all the configs and reinstall stubby, then change /etc/config/stubby only.

/etc/config/stubby

I just need to keep 'option manual' at '0'?

And add the servers I want?

I started from scratch and it does not work...

That is what normally has to be done.

I don't know whether stubby stops if it cannot parse the other config file. Just rename or delete the file.

What did you do exactly if you started from "scratch"? Did you reset the router completely?

The syntax for adding a server in /etc/config/stubby is different from /etc/stubby/stubby.yml. Post the output of your current /etc/config/stubby.
