Hello everyone,
after I set up my network, wireless and firewall configuration with my Netgear R6220 on OpenWRT 21.02, I am now at the point of DoT and DNSSEC. I have followed the wiki (https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby).
My first question for DoT:
On the wiki it says:
> Check your DNS provider. Make sure there is no DNS leak. https://dnsleaktest.com/
After I run the test, it shows me "dns3.digitalcourage.de", which I set up during the configuration process.
Does this now mean that DoT is working? From the quote, I would say no, as there is a DNS leak. Or did I get something wrong?
My second question for DNSSEC:
I have set up the following parameters from this guide (German): https://www.kuketz-blog.de/stubby-verschluesselte-dns-anfragen-openwrt-teil5/
```
uci set dhcp.@dnsmasq[0].dnssec=1
uci set dhcp.@dnsmasq[0].dnsseccheckunsigned=1
```
After these steps, when running the command `dig dnssectest.sidn.nl +dnssec +multi @192.168.1.1`, the "ad" flag is missing, which shows me that DNSSEC is not working. Output:
```
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
```
I took the same steps back in OpenWRT 19.07 and there everything was working.
Here is my dnsmasq config:
```
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	list server '127.0.0.1#5453'
	option noresolv '1'
	option dnssec '1'
	option dnsseccheckunsigned '1'
```
Thank you for your help & support.
Cheers, Lasko
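A small shell helper, added here as an example and not part of the original post, that classifies `dig ... +dnssec` output the way the check above is done by hand: it reads the header status and the flags line and reports `validated` (AD flag present), `unvalidated` or `servfail`, and optionally compares a normal query with a `+cd` (checking disabled) query against a live resolver. The sample outputs are constructed; the test name and resolver address in the usage comment come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: classify the result of a
# `dig <name> +dnssec @<resolver>` query from its two header lines.
# dnssec_status TEXT -> prints one of: validated | unvalidated | servfail | unknown
dnssec_status() {
    _text="$1"
    # ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12733' -> SERVFAIL
    _status=$(printf '%s\n' "$_text" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ';; flags: qr rd ra ad; QUERY: 1, ...' -> 'qr rd ra ad'
    _flags=$(printf '%s\n' "$_text" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$_status" in
        SERVFAIL) echo servfail ;;  # no answer; with DNSSEC on, dnsmasq answers this way for data it could not validate
        NOERROR|NXDOMAIN)
            case " $_flags " in
                *" ad "*) echo validated ;;   # AD bit: the resolver validated the answer
                *)        echo unvalidated ;; # answered, but no validation claimed
            esac ;;
        *) echo unknown ;;
    esac
}

# Live check (needs dig): run the query once normally and once with +cd
# (checking disabled). If the +cd query succeeds while the plain one
# SERVFAILs, DNSSEC validation itself is failing rather than upstream reachability.
check_resolver() {
    _name="$1"; _resolver="$2"
    _plain=$(dig "$_name" +dnssec @"$_resolver")
    _nocheck=$(dig "$_name" +dnssec +cd @"$_resolver")
    printf '%s: plain=%s, +cd=%s\n' "$_name" "$(dnssec_status "$_plain")" "$(dnssec_status "$_nocheck")"
}

# Constructed samples (only the header and flags lines matter to the parser).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

if [ $# -ge 2 ]; then
    check_resolver "$1" "$2"   # e.g. ./dnssec_check.sh dnssectest.sidn.nl 192.168.1.1
else
    for _s in "$SAMPLE_SERVFAIL" "$SAMPLE_VALIDATED" "$SAMPLE_UNVALIDATED"; do
        dnssec_status "$_s"
    done
fi
```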