Run stubby on port 853 | listen to Android DoT while forcing all dns queries to router to be encrypted?

I have set up dnsmasq to listen on port 53 and forward to stubby so the request itself can be encrypted, while blocking all tcp/udp traffic to wan from lan/other zones, so the only allowed output dns is stubby on the router

It works fine for 'dumb' devices that don't have DoT or DoH, their requests are finally being encrypted

However, devices like Android DoT or iOS using a DoH app fail to connect to DNS

I can't get dnsmasq to listen to something other than port 53, so I tried to change stubby's listening port to also include 853 because it seems that multiple instances of stubby are not possible (Multiple stubby instances?)

stubby is running as root

31790 root 6944 S /usr/sbin/stubby -C /var/etc/stubby/stubby.yml -v 7

config files through uci and even the yaml are set to port 853

        list listen_address '127.0.0.1@5453'
        list_listen_address '0::1@853'
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@853

netstat -tunlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 redacted:53       0.0.0.0:*               LISTEN      30353/dnsmasq
tcp        0      0 192.168.3.1:53          0.0.0.0:*               LISTEN      30353/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      30353/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      30353/dnsmasq
tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      31790/stubby
tcp        0      0 192.168.2.1:53          0.0.0.0:*               LISTEN      30353/dnsmasq
tcp        0      0 fe80::74fe:ceff:fe8d:8cfd:53 :::*                    LISTEN      30353/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      30353/dnsmasq
tcp        0      0 fe80::74fe:ceff:fe8d:8cfe:53 :::*                    LISTEN      30353/dnsmasq
tcp        0      0 2804:1b3:a5db:a198:242b:c9d4:ac7a:dd8f:53 :::*                    LISTEN      30353/dnsmasq
tcp        0      0 fe80::242b:c9d4:ac7a:dd8f:53 :::*                    LISTEN      30353/dnsmasq
tcp        0      0 2804:1b3:a803:d611::1:53 :::*                    LISTEN      30353/dnsmasq
tcp        0      0 fe80::76fe:ceff:fe8d:8cfe:53 :::*                    LISTEN      30353/dnsmasq
tcp        0      0 fd57:e6d0:1a07::1:53    :::*                    LISTEN      30353/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           30353/dnsmasq
udp        0      0 192.168.2.1:53          0.0.0.0:*                           30353/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           30353/dnsmasq
udp        0      0 192.168.3.1:53          0.0.0.0:*                           30353/dnsmasq
udp        0      0 redacted:53       0.0.0.0:*                           30353/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           30353/dnsmasq
udp        0      0 127.0.0.1:5453          0.0.0.0:*                           31790/stubby
udp        0      0 ::1:53                  :::*                                30353/dnsmasq
udp        0      0 fe80::74fe:ceff:fe8d:8cfe:53 :::*                                30353/dnsmasq
udp        0      0 2804:1b3:a803:d611::1:53 :::*                                30353/dnsmasq
udp        0      0 fd57:e6d0:1a07::1:53    :::*                                30353/dnsmasq
udp        0      0 fe80::76fe:ceff:fe8d:8cfe:53 :::*                                30353/dnsmasq
udp        0      0 fe80::74fe:ceff:fe8d:8cfd:53 :::*                                30353/dnsmasq
udp        0      0 2804:1b3:a5db:a198:242b:c9d4:ac7a:dd8f:53 :::*                                30353/dnsmasq
udp        0      0 fe80::242b:c9d4:ac7a:dd8f:53 :::*                                30353/dnsmasq

it's not a matter of ipv6 vs v4, if I changed the port back to 5453 on ipv6 it listens on that port

firewall rules include

config rule
    option name 'Allow-DNS-TLS'
    option src 'wan'
    option dest_port '853'
    option proto 'tcp udp'
    option target 'ACCEPT'

logs when stubby start

 STUBBY: Read config from file /var/etc/stubby/stubby.yml[14:06:44.153058] STUBBY: Stubby version: Stubby 0.4.3
 STUBBY: DNSSEC Validation is ON
 STUBBY: Transport list is:
 STUBBY:   - TLS
 STUBBY: Privacy Usage Profile is Strict (Authentication required)
 STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
 STUBBY: Starting DAEMON....
 STUBBY: 2a07:a8c0::                              : Conn opened: TLS - Strict Profile
 STUBBY: 2a07:a8c0::                              : Verify passed : TLS
 STUBBY: Read config from file /var/etc/stubby/stubby.yml[14:07:27.822846] STUBBY: Stubby version: Stubby 0.4.3
 STUBBY: DNSSEC Validation is ON
 STUBBY: Transport list is:
 STUBBY:   - TLS
 STUBBY: Privacy Usage Profile is Strict (Authentication required)
 STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
 STUBBY: Starting DAEMON....
 STUBBY: 2a07:a8c0::                              : Conn opened: TLS - Strict Profile
 STUBBY: 2a07:a8c0::                              : Verify passed : TLS
 STUBBY: Read config from file /var/etc/stubby/stubby.yml[14:07:36.033167] STUBBY: Stubby version: Stubby 0.4.3
 STUBBY: DNSSEC Validation is ON
 STUBBY: Transport list is:
 STUBBY:   - TLS
 STUBBY: Privacy Usage Profile is Strict (Authentication required)
 STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
 STUBBY: Starting DAEMON....

the "var" file doesn't include the port 853, I've tried manually editing it without any success

/var/etc/stubby/stubby.yml

# Autogenerated configuration from uci data
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 0
appdata_dir: "/var/lib/stubby"
trust_anchors_backoff_time: 2500
timeout: 3000
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: "2a07:a8c0::0"
    tls_auth_name: "redacteddns.nextdns.io"
  - address_data: "2a07:a8c1::0"
    tls_auth_name: "redacteddns.nextdns.io"
  - address_data: "45.90.28.0"
    tls_auth_name: "redacteddns.nextdns.io"
  - address_data: "45.90.28.30"
    tls_auth_name: "redacteddns.nextdns.io"

Is there a way to force all "dumb" devices to use dnsmasq with stubby, while still allowing DoT/DoH-enabled devices to work in the network?

Shouldn't it suffice if you open up the ports for encrypted DNS traffic of supported devices and then force all other DNS traffic through dnsmasq?

2 Likes

Are you blocking DoT/DoH somewhere?

As the other user noted, it's not really clear why your DoT isn't working.

Stubby does not work as a DoT server. You need something like Unbound.

1 Like

ports 853 and 443 are explicitly open from the zone the devices are in to the router

doesn't dnsmasq+stubby forward already encrypted queries?

I'm looking at Unbound

So you blocked it to the Internet?

BTW, this firewall rule is not correct (I wasn't sure if you're referring to this rule). This allows hosts from the Internet to reach your router at port 853/udp and tcp. I don't think that you want that.

1 Like
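As an added check that is not part of the thread: a small Python linter over the UCI firewall format quoted in the question. It flags any `config rule` that ACCEPTs DNS or DoT ports (53/853) from the `wan` zone to the router itself, which is the problem the reply above points out, and passes a LAN-scoped variant placed beside it. The sample config is constructed for the example.

```python
"""Lint OpenWrt UCI firewall 'config rule' sections for DNS ports exposed to WAN."""
import re

# Constructed sample: the rule from the question (src 'wan') next to a corrected
# version that only accepts DoT from the LAN zone toward the router itself.
SAMPLE_FIREWALL = """
config rule
    option name 'Allow-DNS-TLS'
    option src 'wan'
    option dest_port '853'
    option proto 'tcp udp'
    option target 'ACCEPT'

config rule
    option name 'Allow-DNS-TLS-lan'
    option src 'lan'
    option dest_port '853'
    option proto 'tcp'
    option target 'ACCEPT'
"""

DNS_PORTS = {53, 853}

def parse_rules(text):
    """Return one dict of options per 'config rule' section."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config rule"):
            current = {}
            rules.append(current)
        elif current is not None and line.startswith("option "):
            m = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
            if m:
                current[m.group(1)] = m.group(2)
    return rules

def _ports(spec):
    """Expand a UCI dest_port spec ('853', '53 853', '800-900') into a set of ints."""
    out = set()
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def exposed_to_wan(rule):
    """True when the rule accepts a DNS/DoT port from 'wan' to the router itself.

    In UCI a rule without 'dest' applies to traffic destined for the router
    (input), not to forwarded traffic, so that is the case that matters here."""
    if rule.get("target") != "ACCEPT" or rule.get("src") != "wan" or "dest" in rule:
        return False
    return bool(_ports(rule.get("dest_port", "")) & DNS_PORTS)

def audit(text):
    """Names of rules that expose DNS or DoT on the router to the Internet."""
    return [r.get("name", "<unnamed>") for r in parse_rules(text) if exposed_to_wan(r)]
```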

I've reset the firmware for other reasons and what ended up solving this specific problem was codr1's approach using tags:

1 Like
