Hello,
I have configured Stubby for DNS over TLS (DoT).
This is actually replacing unbound.
The output of dig dnssectest.sidn.nl +dnssec +multi @<OpenWrt-Gateway-IP-Address>
confirms that DNSSEC validation works.
$ dig dnssectest.sidn.nl +dnssec +multi @172.21.1.2
; <<>> DiG 9.18.4 <<>> dnssectest.sidn.nl +dnssec +multi @172.21.1.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44247
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
;; ANSWER SECTION:
dnssectest.sidn.nl. 3600 IN A 212.114.120.64
dnssectest.sidn.nl. 3600 IN RRSIG A 13 3 3600 (
20220708232610 20220623230558 12678 sidn.nl.
t3xPCw2bQIxNk2CLdWWkZFd+bUiMvKyxcFf/79U2E/EO
tUzRWB4rQAjPvai+diXfWnpZebx6rSszWYcRXHjP5A== )
dnssectest.sidn.nl. 3600 IN RRSIG A 13 3 3600 (
20220708232610 20220623230558 43647 sidn.nl.
gXXztFT5Q4PKd7PSRCVc/x7EJmKCxeU2S7DrYkgoWLN1
kMHH0kwksAfWesjb4V3biLPPSdRng1cgTf/OURaA9w== )
;; Query time: 99 msec
;; SERVER: 172.21.1.2#53(172.21.1.2) (UDP)
;; WHEN: Sat Jun 25 16:34:58 CEST 2022
;; MSG SIZE rcvd: 269
Now I have started setting up OpenWrt WireGuard for the provider IVPN, based on this guide.
This VPN provider instructs you to
[...] uncheck the Use DNS servers advertised by peer
and specify one of the following DNS servers in the Use custom DNS servers
field:
172.16.0.1 = regular DNS with no blocking
10.0.254.2 = standard AntiTracker to block advertising and malware domains
10.0.254.3 = Hardcore Mode AntiTracker to also block Google and Facebook domains
My understanding is that this setting, using the VPN's DNS servers, should prevent DNS leaks.
However, I thought that my setup with Stubby would prevent DNS leaks, too.
Could you please comment which DNS setup is reasonable and recommended?
THX
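The dig transcript above carries the signals that matter for the question: the "ad" flag in the header (the resolver validated the answer), the "do" flag in the EDNS section (the client asked for DNSSEC data), the RRSIG records, and the SERVER line (which resolver the client talked to). The following is an added example, not code from the post or from Stubby or IVPN: a small parser that extracts those fields from dig's text output and reports which checks pass. The embedded transcript is a constructed sample copied from the post, and the function names (parse_dig, assess) are this example's own.

```python
"""Parse `dig` text output and report the DNSSEC / resolver checks it supports.

Added example, not part of the original post. It only reads what dig prints;
it does not look at the gateway's Stubby or WireGuard configuration.
"""
import re

# Constructed sample: the dig transcript from the post (answer section with +multi).
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44247
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
;; ANSWER SECTION:
dnssectest.sidn.nl. 3600 IN A 212.114.120.64
dnssectest.sidn.nl. 3600 IN RRSIG A 13 3 3600 (
20220708232610 20220623230558 12678 sidn.nl.
t3xPCw2bQIxNk2CLdWWkZFd+bUiMvKyxcFf/79U2E/EO
tUzRWB4rQAjPvai+diXfWnpZebx6rSszWYcRXHjP5A== )
dnssectest.sidn.nl. 3600 IN RRSIG A 13 3 3600 (
20220708232610 20220623230558 43647 sidn.nl.
gXXztFT5Q4PKd7PSRCVc/x7EJmKCxeU2S7DrYkgoWLN1
kMHH0kwksAfWesjb4V3biLPPSdRng1cgTf/OURaA9w== )
;; Query time: 99 msec
;; SERVER: 172.21.1.2#53(172.21.1.2) (UDP)
"""


def parse_dig(text):
    """Extract header status, flags, EDNS flags, the answering server and answer records."""
    info = {"status": None, "flags": set(), "edns_flags": set(),
            "server": None, "port": None, "answers": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            info["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            m = re.match(r";; flags: ([a-z ]*);", line)
            info["flags"] = set(m.group(1).split()) if m else set()
        elif line.startswith("; EDNS:"):
            m = re.search(r"flags: ([a-z ]*);", line)
            info["edns_flags"] = set(m.group(1).split()) if m else set()
        elif line.startswith(";; SERVER:"):
            m = re.match(r";; SERVER: ([^#]+)#(\d+)", line)
            if m:
                info["server"], info["port"] = m.group(1), int(m.group(2))
        elif line.endswith("SECTION:"):
            # ";; ANSWER SECTION:" -> "ANSWER"; used to know which records to collect
            section = line.strip(";: ").replace(" SECTION", "")
        elif section == "ANSWER" and not line.startswith(";"):
            # Only the first line of a +multi record matches; continuation
            # lines (timestamps, base64 signature, closing paren) are skipped.
            m = re.match(r"(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.*)", line)
            if m:
                info["answers"].append({"name": m.group(1), "ttl": int(m.group(2)),
                                        "type": m.group(3), "rdata": m.group(4)})
    return info


def assess(info, expected_server):
    """Return which checks pass. Note: the SERVER line is the resolver the client
    asked (the OpenWrt gateway here), not where that resolver forwarded the query
    (DoT upstream or VPN DNS), so it cannot by itself prove there is no leak
    behind the gateway; that needs the gateway's resolver config or a capture."""
    return {
        "do_bit_requested": "do" in info["edns_flags"],
        "validated_by_resolver": "ad" in info["flags"] and info["status"] == "NOERROR",
        "rrsig_present": any(a["type"] == "RRSIG" for a in info["answers"]),
        "answered_by_expected_resolver": info["server"] == expected_server,
    }


if __name__ == "__main__":
    parsed = parse_dig(SAMPLE_DIG_OUTPUT)
    for check, ok in assess(parsed, "172.21.1.2").items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

Run it against the saved output of dig from a LAN client (dig ... > out.txt, then feed the file to parse_dig); if "ad" disappears after switching the WAN DNS to the VPN's resolver, the gateway is no longer validating, which is worth knowing before deciding between the two setups.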