Looking for opinions on quality home network security via OpenWrt

Just looking for direction and best practices.

I have been trying to get set up with DoH and an ad-blocking solution, but I've been reading about recursive DNS and that has me wondering if there are "gold standard" setups out there?

I'm aware of how vague this is. I'm a dad who likes to tinker and wants to make sure I have a good handle on things when my kids are older. I'm in my experiment-and-break-stuff phase.

There are no wrong answers; I just want to see what people are doing and maybe find a better way to do things for myself in the process.

Well, a recursive DNS server is a bit of a high bar; you can have a separate setup for the kids, e.g. NextDNS offers DoH tailored to your needs: kids filter + ad filter for them, fewer filters for you.

My current setup (which I haven't touched for years) is below. If I were to start from scratch, I'd replace stubby/DoT with https-dns-proxy/DoH and reconfigure my firewall rules accordingly, but if it ain't broke, don't fix it...

But, since you like to tinker, here's a bunch of details for you to think about. No claims about "best practice", but it seemed like a pretty solid system when I put it together.

  1. dnsmasq using stubby as its upstream resolver.

  2. stubby implementing DoT; it listens on port 5453 and talks upstream to Quad9 on port 853.

  3. adblock in a simple setup without any of the "hijacking options" turned on; it simply builds a block list for dnsmasq and does nothing else (https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md).

  4. Custom firewall rules to
    a) redirect all LAN DNS/53 requests locally,
    b) block all LAN requests to DoT/853, and
    c) attempt to block all DoH/443.

No.1 is accomplished by (all examples are just snippets without any unrelated settings, of which there are many):

$ cat /etc/config/dhcp
config dnsmasq
        # forward all queries to stubby's DoT listener (step 2) on loopback, v4 and v6
        list server '127.0.0.1#5453'
        list server '::1#5453'

No.2 looks like this:

config stubby 'global'
        # listen on loopback only; dnsmasq (step 1) is the only client
        list listen_address '127.0.0.1@5453'
        list listen_address '0::1@5453'

config resolver
        option address '9.9.9.9'
        option tls_auth_name "dns.quad9.net"
... repeat 'resolver' for all of their ipv4 and ipv6 servers ...

The only thing notable about the no.3 adblock config is that I use blocklists that include the Firefox DoH canary domain.

4.a grabs all local lookups and makes sure they go through my local server (i.e., on any device on the LAN, nslookup something.com google.com does not use google.com, it uses my resolver).

$ nft list ruleset
    chain dstnat_lan {
        meta l4proto { tcp, udp } th dport 53 counter redirect comment "DNS: Redirect all standard DNS to local server."

4.b is the rule just after the above one:

        meta l4proto { tcp, udp } th dport 853 counter reject comment "DNS: Block all DoT."

4.c has a couple of sets, but the rules are again just after 4.b:

        set doh_ipv4 {
                typeof ip daddr
                size 65535
                flags dynamic,timeout
                timeout 7d
                gc-interval 6h
        }

        set doh_ipv6 {
                typeof ip6 daddr
                size 65535
                flags dynamic,timeout
                timeout 7d
                gc-interval 6h
        }

...
        meta l4proto { tcp, udp } th dport 443 ip  daddr @doh_ipv4 counter update @doh_ipv4 { ip  daddr } reject with icmp   port-unreachable comment "DNS: Block IPv4 DoH by selective IPv4 address."
        meta l4proto { tcp, udp } th dport 443 ip6 daddr @doh_ipv6 counter update @doh_ipv6 { ip6 daddr } reject with icmpv6 port-unreachable comment "DNS: Block IPv6 DoH..."

The sets are updated nightly by a script that downloads from https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master, then updates the elements.


Could you be a bit more specific about the 4.c "trickery"?

I'm using the same "list" on my pfSense (URL Alias), but would like to know how to do it on OpenWRT.

/Bingo

Ps:
I chose to do my adblocking, using PiHole in a small DEB linux VM (On my home Proxmox).

On VLANs where you want ad-blocking:
Hand out the Pi-hole as the DHCP DNS server.
Allow tcp/udp 53 to the Pi-hole IP, then block any tcp/udp 53/853.

Could I see the rules you set up for this? I was stuck on this config option previously: forcing the DNS to another device without losing local DNS for opkg and ntp.

This is so detailed, I appreciate it. Why switch from stubby to https-dns-proxy? Is there any big difference?

Yeah, it's not fun, as there is no out-of-process "update a set element" in nft (yet, https://bugzilla.netfilter.org/show_bug.cgi?id=1689#c6). So...

I just scan the existing set; if it contains an element that was just downloaded, I do a delete and add on it. If an element is not in the downloads but is processed by the blocking rule, then that update clause causes the timeout to be reset to 7d.

The cron job basically does the following (in reality I batch all this into a single atomic nft invocation, but this shows the logic; also this is v4, but it's really done for both v4 and v6):

ips=$(download-them)                                        # fetch the blocklist (placeholder)
set=$(nft list set inet fw4 doh_ipv4 | grab-the-elements)   # current elements (placeholder filter)
for ip in $ips; do
    if contains "$ip" "$set"; then
        # would be nice if "reset" worked...
        # delete + add is the only way to restart an element's timeout
        nft delete element inet fw4 doh_ipv4 "{ $ip }"
        nft add    element inet fw4 doh_ipv4 "{ $ip }"
    fi
done
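The batching described in the post above, written out as an added example (this is not the poster's script): one POSIX shell script that parses `nft list set` output, builds a single `nft -f` batch and applies it. It goes slightly beyond the snippet by also adding downloaded addresses that are not in the set yet, not only resetting the ones already present. The list file names doh-ipv4.txt and doh-ipv6.txt under the dibdot URL are assumed, the table and set names are taken from the rules earlier in the thread, the helper names are hypothetical, and the sample data at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not the poster's cron job. It reproduces the
# "delete then add to restart the 7d timeout" logic for downloaded
# addresses already in the set, and additionally adds downloaded
# addresses that are not in the set yet (the snippet above only shows
# the reset branch). Everything is emitted as one file for `nft -f`,
# so the kernel applies it as a single transaction.
# Assumptions: list file names doh-ipv4.txt / doh-ipv6.txt under the
# dibdot repo URL; the fw4 table and set names from the rules above;
# sample_nft_output and sample_download are constructed test data.

# Print the bare element keys of a set, given `nft list set ...` output
# on stdin: join lines, cut out "elements = { ... }", split on commas,
# keep the address and drop "timeout 7d expires ..." annotations.
nft_set_elements() {
    tr '\n' ' ' \
        | sed -n 's/.*elements = {\([^}]*\)}.*/\1/p' \
        | tr ',' '\n' \
        | awk 'NF { print $1 }'
}

# Emit nft batch lines for one set.
#   $1 = "family table" (e.g. "inet fw4")   $2 = set name
#   $3 = downloaded list (one address per line, '#' comments allowed)
#   $4 = current elements (one per line, e.g. from nft_set_elements)
# Present addresses: delete + add (restarts the timeout). Missing ones:
# add. Addresses only in the set are untouched; they age out unless the
# blocking rule's "update" clause keeps refreshing them.
build_nft_batch() {
    awk -v tbl="$1" -v set="$2" '
        FILENAME == ARGV[1] { cur[$1] = 1; next }   # pass 1: current elements
        /^[0-9A-Fa-f.:]+$/ {                          # pass 2: skip comments/blank lines
            if ($1 in cur)
                printf "delete element %s %s { %s }\n", tbl, set, $1
            printf "add element %s %s { %s }\n", tbl, set, $1
        }' "$4" "$3"
}

# What the nightly cron entry would call on the router (needs nft and wget).
apply_doh_sets() {
    base='https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master'
    tmp=$(mktemp -d) || return 1
    for fam in ipv4 ipv6; do
        wget -q -O "$tmp/$fam.txt" "$base/doh-$fam.txt" || { rm -rf "$tmp"; return 1; }
        nft list set inet fw4 "doh_$fam" | nft_set_elements > "$tmp/cur_$fam.txt"
        build_nft_batch "inet fw4" "doh_$fam" "$tmp/$fam.txt" "$tmp/cur_$fam.txt"
    done > "$tmp/batch.nft"
    nft -f "$tmp/batch.nft"      # all-or-nothing: a bad line rolls back everything
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample of `nft list set inet fw4 doh_ipv4` output (not a capture).
sample_nft_output() {
    cat <<'EOF'
table inet fw4 {
    set doh_ipv4 {
        typeof ip daddr
        size 65535
        flags dynamic,timeout
        timeout 7d
        gc-interval 6h
        elements = { 10.0.0.1 timeout 7d expires 6d23h59m,
                     10.0.0.2 timeout 7d expires 2d4h }
    }
}
EOF
}

# Constructed sample download; addresses are placeholders, not DoH servers.
sample_download() {
    cat <<'EOF'
# constructed test list
10.0.0.1
10.0.0.3
EOF
}

# Stand-alone demo: prints the batch the samples would produce.
# 10.0.0.1 is reset, 10.0.0.3 is added, 10.0.0.2 is left to age out.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_download > "$tmp/ips.txt"
    sample_nft_output | nft_set_elements > "$tmp/cur.txt"
    build_nft_batch "inet fw4" doh_ipv4 "$tmp/ips.txt" "$tmp/cur.txt"
    rm -rf "$tmp"
}

demo
```

On the router, apply_doh_sets is the entry point to call from crontab; the trailing demo call only prints the batch for the constructed samples. Because the whole batch is one transaction, a list that grows past the set's size 65535 makes the entire nightly update fail rather than partially apply, so the cron job's exit status is worth logging.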

DoH is supposedly more private, as the queries are obfuscated within that constant flood of HTTPS chatter. Although both DoH and DoT can probably provide another key for fingerprinting to anyone who can see the packets, as you can't encrypt the header addresses, just the query contents...