Quick questions regarding DNSSEC, compiling and DNS in general

If someone has a working config of DNSSEC + dnscrypt using unbound, could you share your unbound.conf, dncp.conf and dnscrypt-proxy.conf files? I'm going crazy, I spent the entire day and I can't get it to work. Some very strange behavior too, like dnscrypt stops working, I'm getting my ISP's DNS and poignant can't update. Yes, I added the command to update ntp on launch in rc.local, I'm forwarding 53535 to 5353 in unbound, the resolv file shows 127.0.0.1.
I'm using this shell script to install: https://wiki.openwrt.org/doc/howto/unbound#failures_for_dnssec-secured_domains. Are these two packages really all I need, or do I need more?
Please help.

Yes. The opposite AFAIK is also true, the extra settings would be ignored.

Equivalent of $(nvram get lan_ipaddr) would be $(uci get network.lan.ipaddr)

This one works too, just found it

iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53

Leaving it here for anyone having the same issue.
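For the unbound + dnscrypt-proxy chain the opening post asks about, here is an added illustration of the two pieces that sit behind the redirect rules above; it is not a config posted in this thread or taken from the OpenWrt wiki. The LAN address 192.168.1.1, the dnscrypt-proxy listener on 127.0.0.1:5353 and the root.key path are assumptions, and the dnscrypt-proxy stanza assumes the UCI format of the OpenWrt dnscrypt-proxy package.

```conf
# /etc/unbound/unbound.conf (assumed path; unbound validates, dnscrypt-proxy encrypts)
server:
    # Listen for the LAN and for the router itself (192.168.1.1 is an assumed LAN address)
    interface: 127.0.0.1
    interface: 192.168.1.1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # DNSSEC validation: the anchor file is created/maintained by unbound-anchor.
    # Validation needs a correct clock, which is why ntp must run before unbound.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Required, because the forwarder below lives on localhost
    do-not-query-localhost: no

    # Leak as little as possible to the upstream and to clients
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

# Send every query to dnscrypt-proxy; unbound still checks the signatures itself,
# so a tampered or broken upstream answer becomes SERVFAIL instead of a bogus reply.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

# /etc/config/dnscrypt-proxy (assumed UCI layout; 'resolver' names an entry in the
# package's resolver list, the value here is only a placeholder)
config dnscrypt-proxy
    option address '127.0.0.1'
    option port '5353'
    option resolver 'RESOLVER_NAME_FROM_LIST'
```

With this in place, `dig @127.0.0.1 +dnssec openwrt.org` should return an answer whose flags include `ad`, and a domain with a deliberately broken signature should come back as SERVFAIL rather than an answer; if the `ad` flag is missing, check the clock and that root.key exists before suspecting dnscrypt-proxy.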

  • No idea, but if using DNSCrypt, may as well leave it off of Dnsmasq and just use DNSCrypt.
  • A
  • With a lot of luck. Given dependencies, it is difficult, if not impossible. Try making a diffconfig, edit file removing all PPP, and use that to create a new .config. Worked for me once, but on the next update dependencies will probably force some things back into the config file.
  • Not sure, but I would guess no, due to support for smaller devices.
  • A

Thanks.
Just curious, what's the general consensus when it comes to maximizing DNS security?
DNSCrypt and unbound? DNSCrypt alone? Sorry if the question is too dumb, I'm kinda new.

Don't think there is one. Myself, I'm still using DNSCrypt w/o DNSSEC on the ar71xx target, but have changed to unbound with DNSSEC on the mvebu target. I'm kinda leaning towards unbound w/ DNSSEC at the current time.

Interesting. I'm curious, why did you leave DNScrypt out? Isn't encrypting the DNS queries enough to stop a MITM attack?
Have you considered adding DNScrypt on top of unbound and DNSSEC?
Thanks.