How to do DNS over TLS?

Try with this minimal config:

config stubby 'global'
	option manual '0'
	option trigger 'wan'
	option tls_authentication '1'
	list dns_transport 'GETDNS_TRANSPORT_TLS'
	list listen_address '127.0.0.1@5453'
	list listen_address '0::1@5453'

config resolver
	option address '8.8.8.8'
	option tls_auth_name 'dns.google'

config resolver
	option address '8.8.4.4'
	option tls_auth_name 'dns.google'

config resolver
	option address '2001:4860:4860::8888'
	option tls_auth_name 'dns.google'

config resolver
	option address '2001:4860:4860::8844'
	option tls_auth_name 'dns.google'

Yes, from 20 Mb I was receiving 2 Mb; I disabled stubby and it went back to normal.

That is the default config.

... and it does work.

DNS makes no impact on network throughput.

I've used it in conjunction with DNSMASQ. Yes it is stable, and performance is good.

"Speed" claims should be backed by a link to a result from
https://www.waveform.com/tools/bufferbloat
run directly against the internet, wired via OpenWrt, and over OpenWrt's wifi.
Many things feel slow, but we have to start somewhere.

Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses, and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

How do I know if stubby is working? That's the problem.

Is there a better and more lightweight alternative to stubby? The router only has 1 MB.

Help!

installed:

https://openwrt.org/packages/pkgdata/luci-app-https-dns-proxy

How can I tell if it is really working?

You jumped from DoT to DoH hastily without understanding how both work. Stubby provides its service on port 5453 (hence the lines 127.0.0.1@5453 for IPv4 and 0::1@5453 for IPv6). In order to test it you have to use it, by running from the router's console (log in via ssh root@192.168.1.1) a line like this: nslookup -debug -type=A openwrt.org 127.0.0.1:5453. If it works, then point dnsmasq and the system's DNS to these addresses. How do you do that? Check the link from my first post in this thread: https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md

If you do everything the way I explained, you should see a network status like this (IPv6 may be missing if your ISP does not provide it). DNS on local ports is highlighted in red (before, there were addresses from the ISP):

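The check described in the post above (query stubby's own port, then make dnsmasq forward to it and ignore the ISP resolvers), written out as a script. This is an added example for this thread, not code from the stubby package or from any of the posters. It assumes the listener 127.0.0.1@5453 from the config earlier in the thread and the two dnsmasq UCI settings from the stubby README (server='127.0.0.1#5453' and noresolv='1'); the script name dot-check.sh is hypothetical. The three parsing functions work on text and can be exercised with pasted output; `sh dot-check.sh live` runs the real commands on the router.

```shell
#!/bin/sh
# dot-check.sh (hypothetical name): is stubby really in the resolution path?
# Added example for this thread, not code from the stubby package or the
# posters. Assumes the thread's listener 127.0.0.1@5453 and the dnsmasq keys
# from the stubby README (server='127.0.0.1#5453', noresolv='1').
# Usage on the router:  sh dot-check.sh live

STUBBY_PORT=${STUBBY_PORT:-5453}

# Print host:port for every listen_address in an /etc/config/stubby text read
# from stdin, so you can see which port to query (the thread's 5453).
stubby_listeners() {
    sed -n "s/^[[:space:]]*list[[:space:]]*listen_address[[:space:]]*'\([^']*\)@\([0-9]*\)'.*/\1:\2/p"
}

# Read `uci show dhcp` output from stdin; succeed only if dnsmasq forwards to
# the stubby listener AND has noresolv set. Without noresolv, dnsmasq still
# keeps the ISP resolvers from the WAN lease and can fall back to them in
# plaintext on port 53, so DoT would only be "mostly" in use.
dnsmasq_uses_stubby() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -q "^dhcp\.@dnsmasq\[0\]\.server=.*127\.0\.0\.1#${STUBBY_PORT}" || return 1
    printf '%s\n' "$cfg" | grep -q "^dhcp\.@dnsmasq\[0\]\.noresolv='1'" || return 1
}

# Read `netstat -tn` output from stdin and print the remote address of every
# established TCP session to port 853. Right after a lookup these should be
# the resolvers from /etc/config/stubby (8.8.8.8, 2001:4860:4860::8888, ...);
# an empty list means stubby never spoke to an upstream.
dot_upstreams() {
    awk '$6 == "ESTABLISHED" && $5 ~ /:853$/ { sub(/:853$/, "", $5); print $5 }'
}

live_check() {
    echo "== listeners configured in /etc/config/stubby"
    stubby_listeners < /etc/config/stubby

    echo "== asking stubby directly, bypassing dnsmasq"
    nslookup openwrt.org "127.0.0.1:${STUBBY_PORT}" || { echo "stubby did not answer"; exit 1; }

    echo "== is dnsmasq forwarding to stubby?"
    if uci show dhcp | dnsmasq_uses_stubby; then
        echo "yes: dnsmasq -> 127.0.0.1#${STUBBY_PORT}, ISP resolvers ignored"
    else
        echo "no. Fix with:"
        echo "  uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#${STUBBY_PORT}'"
        echo "  uci set dhcp.@dnsmasq[0].noresolv='1'"
        echo "  uci commit dhcp && /etc/init.d/dnsmasq restart"
    fi

    echo "== TLS sessions to port 853 after a lookup through dnsmasq"
    nslookup openwrt.org 127.0.0.1 > /dev/null
    netstat -tn | dot_upstreams
}

if [ "${1:-}" = "live" ]; then
    live_check
fi
```

The last step is the one that answers "is it really working": a lookup through dnsmasq should leave you with TCP sessions to your configured resolvers on port 853 and nothing on port 53. If stubby answers directly but `dnsmasq_uses_stubby` fails, the router is still resolving through the ISP and only your manual test went over TLS.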

DoH works the same way: it provides its service on some port, and you point your router to it instead of those addresses from your provider.


Hi,
What do you think about the dnsproxy package, and which protocol for encrypting DNS is better?

Information:

Also, dnscrypt is similar. You can have all 3 towards the same provider if the protocols are supported.


I'm using Unbound; I replaced dnsmasq with odhcpd + Unbound and I have no problems.


Never tried it. I'm pretty happy with DoT via stubby. I also tested dnscrypt (v2) and DoH-proxy with the luci interface. I'd even be happy with regular DNS over port 53, but some websites use EDNS Client Subnet to sanction users from my country (for example www.themoviedb.org uses this mechanism).

I chose DoT because stubby is lean and has little functionality that I don't need (e.g. dnscrypt v2 also comes with a DoH server and a DoH client). I don't like DoH for its reliance on HTML. An HTML parser is a complex thing; it provides some space for bugs and has a certain processing cost. But I accept the fact that it's harder to block a service on port 443 than on port 853.


Thank you so much.


@brada4 and @timur.davletshin, I have tested the dnsproxy package together with the DNS provider NextDNS, because NextDNS supports all encryption protocols (except DNSCrypt), and they all work without problems. This is the page to test which protocol I'm using:


I recommend DoT or DoH, or preferably DoH3 (QUIC), because it is the best protocol and the most advanced, enhanced version of HTTPS/TLS.

DNSCrypt and DoT have the most compact queries. I would probably prefer DNSCrypt, but it has very limited support among providers, and dnscrypt-proxy2 is far from a compact implementation. Ideally, I would recommend everyone make a primitive test before deciding. DNS should be fast, as fast as possible.
