So Quad9 DNS is out and it is performing better than all previous options for me while including DNSSEC.
Currently, it has limited encryption options of DNS-over-TLS, but I'm told that DNSCrypt and other options are on the way. I was thinking that this thread maybe could serve as a forum for discussing these encryption options and their configuration, performance, what works best on LEDE, etc.
Presently, is there a way to get Quad9 DNS-over-TLS working on LEDE? Is it complicated?
No, just use unbound as dns backend.
I'm using unbound plus odhcpd without dnsmasq without any problems (dnssec & dns/tls enabled). Here you'll find the excellent package description.
I tried this and did not end up with DNS over TLS.
I believe the main issue is the lack of a UCI setting such that a forwarder can be set in Unbound to 9.9.9.9@853.
After following the instructions above, instead of all DNS queries going to 9.9.9.9, I was connected to DNS servers all over the planet! Easy to see on the real-time connections page: http://192.168.1.1/cgi-bin/luci/admin/status/realtime/connections (look for connections to port 53).
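The same leak check can be done from the router's shell instead of the LuCI page. This is an added example, not code from the thread: it reads /proc/net/nf_conntrack-style lines and flags flows that carry plain DNS (port 53) to any address outside the LAN, which is exactly what should not happen once unbound forwards everything to 9.9.9.9 on port 853. The 192.168.1.0/24 LAN prefix and the three sample conntrack entries are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag conntrack flows that carry plain
# DNS (dport=53) to addresses outside the LAN, i.e. queries that bypassed the
# DNS-over-TLS forwarder on port 853. Reads /proc/net/nf_conntrack-style
# lines on stdin; the original-direction tuple comes first on each line.

LAN_PREFIX="192.168.1."   # assumption: the router's LAN is 192.168.1.0/24

# Print "src -> dst:53" for each flow whose original direction is plain DNS
# to a non-LAN destination (LAN clients asking the router on :53 is fine).
plain_dns_leaks() {
    awk -v lan="$LAN_PREFIX" '
    {
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
            if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (dport == "53" && index(dst, lan) != 1)
            print src " -> " dst ":53 (plain DNS left the LAN)"
    }'
}

# Number of leaking flows; awk always exits 0, so this is safe under set -e.
count_plain_dns() { plain_dns_leaks | awk 'END { print NR }'; }

# Number of flows that reached the Quad9 DoT forwarder on port 853.
count_dot_flows() {
    awk '/dst=9\.9\.9\.9 / && /dport=853 / { n++ } END { print n + 0 }'
}

# Constructed sample of three conntrack entries: a LAN client asking the
# router (fine), the router talking to Quad9 over TLS (fine), and the router
# sending a plain query to some other resolver (the leak described above).
SAMPLE='ipv4 2 udp 17 29 src=192.168.1.50 dst=192.168.1.1 sport=51234 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=51234 mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.1 dst=9.9.9.9 sport=40001 dport=853 src=9.9.9.9 dst=192.168.1.1 sport=853 dport=40001 [ASSURED] mark=0 use=1
ipv4 2 udp 17 29 src=192.168.1.1 dst=203.0.113.7 sport=40002 dport=53 src=203.0.113.7 dst=192.168.1.1 sport=53 dport=40002 mark=0 use=1'

# On the router itself run: plain_dns_leaks < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE" | plain_dns_leaks
```

An empty result means every resolver-bound flow is going to port 853; any printed line is a client or the router itself still talking plain DNS to the outside.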
This is a variant of a 20-year-old RSA vulnerability and only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie-Hellman key exchange and need RSA only for signatures.
DNS over TLS is still work in progress, nevertheless RFC 7858 specifies:
[...]
There are known attacks on TLS, such as person-in-the-middle and
protocol downgrade. These are general attacks on TLS and not
specific to DNS over TLS; please refer to the TLS RFCs for
discussion of these security issues. Clients and servers MUST
adhere to the TLS implementation recommendations and security
considerations of [BCP195].
[...]
edit: removed wrong quotation, sort of alternative fact ...
I doubt that. Probably you haven't configured unbound/odhcpd correctly and your client didn't receive a DHCP address from your router; in this case, simply configure a static address on your PC and reconnect to your router.
Hi Guys,
I'm using unbound/odhcpd and Quad9 with TLS, and everything works fine.
Now I have a question: it seems that name resolution takes more time using this setup. If I use the non-TLS setup, name resolution is almost instantaneous, but with TLS enabled it takes like 1 second to resolve the name; you can notice this delay using any browser (I can hear a voice in my head saying "why is it taking so long!").
Any experience with this? Is there a way to minimize this delay?
My router is an Archer C7 v2