After I set up my network, wireless and firewall configuration with my Netgear R6220 on OpenWRT 21.02, I am now at the point of DoT and DNSSEC. I have followed the wiki (https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby).
My first question for DoT:
On the wiki it says:
Check your DNS provider. Make sure there is no DNS leak. https://dnsleaktest.com/
After I run the test, it shows me "dns3.digitalcourage.de", which I set up during the configuration process.
Does this now mean that DoT is working? From the quote, I would say no, as there is a DNS leak. Or did I get something wrong?
My second question for DNSSEC:
I have set up the following parameters from this guide (German): https://www.kuketz-blog.de/stubby-verschluesselte-dns-anfragen-openwrt-teil5/
uci set dhcp.@dnsmasq.dnssec=1
uci set dhcp.@dnsmasq.dnsseccheckunsigned=1
After these steps, when running the command
dig dnssectest.sidn.nl +dnssec +multi @192.168.1.1
the "ad" flag is missing, which shows me that DNSSEC is not working. Output:
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
I took the same steps back in OpenWRT 19.07 and there everything was working.
Here is my dnsmasq config:
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'
    option confdir '/tmp/dnsmasq.d'
    list server '127.0.0.1#5453'
    option noresolv '1'
    option dnssec '1'
    option dnsseccheckunsigned '1'
Thank you for your help & support.
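One way to script the DNSSEC check from the question, as an added example that is not part of the original post or of the OpenWrt wiki: a small POSIX sh classifier that reads the header of a `dig ... +dnssec` answer and reports whether the resolver validated the answer (NOERROR with the "ad" flag), answered without validating (NOERROR without "ad"), or returned SERVFAIL. The function names dnssec_status and check_dnssec are my own; the router address 192.168.1.1 and the test name dnssectest.sidn.nl are taken from the question, and the sample dig outputs below are constructed, not captured from a real resolver.

```shell
#!/bin/sh
# Added example, not from the original post: classify the output of
#   dig <name> +dnssec +multi @<router>
# by response status and the "ad" (authenticated data) flag, so the
# DNSSEC check from the question can be scripted instead of read by eye.
# Assumptions: router at 192.168.1.1, test name dnssectest.sidn.nl.

# dnssec_status: reads dig output on stdin and prints one word:
#   validated    NOERROR and "ad" set   -> the resolver validated the chain
#   unvalidated  NOERROR without "ad"   -> answer served but not validated
#   servfail     SERVFAIL               -> validation failed, or the upstream
#                                          forwarder returned no usable answer
#   unknown      no dig header line found
dnssec_status() {
    out=$(cat)
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" \
        | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        "")       echo unknown ;;
        SERVFAIL) echo servfail ;;
        NOERROR)
            # Pad with spaces so "ad" only matches as a whole flag, not "ra".
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        *)        printf '%s\n' "$status" | tr '[:upper:]' '[:lower:]' ;;
    esac
}

# check_dnssec NAME [SERVER]: run the live query against the router
# (default 192.168.1.1, an assumption from the question) and classify it.
check_dnssec() {
    dig "$1" +dnssec +multi "@${2:-192.168.1.1}" | dnssec_status
}

# Constructed sample outputs (not captured from a real resolver), trimmed
# to the two header lines the classifier needs.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Run the live query only when explicitly asked, so the file can be
# sourced on the router without touching the network:
#   sh dnssec_check.sh --live [router-address]
if [ "${1:-}" = "--live" ]; then
    check_dnssec dnssectest.sidn.nl "${2:-192.168.1.1}"
fi
```

A SERVFAIL without the "ad" flag, as in the question, is ambiguous on its own: dnsmasq returns SERVFAIL both when validation fails and when its only forwarder (here `127.0.0.1#5453`, i.e. stubby) does not answer. Running the same query directly against the forwarder with `dig dnssectest.sidn.nl -p 5453 @127.0.0.1` and checking that it gets a NOERROR answer at all separates a transport problem on the stubby side from a validation problem in dnsmasq; the "ad" flag is expected only from the validating resolver, not from the forwarder.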