Stubby + Dnsmasq does not work with Google DNS

Hello friends, I have configured Stubby together with Dnsmasq on my TP-Link 1043ND, and it works perfectly with Cloudflare's DNS, but I would like to use Google's DNS because it is much faster for me; however, it is not working.

I can't access any sites after the change.

This is the stubby configuration:

# Autogenerated configuration from uci data
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/var/lib/stubby"
trust_anchors_backoff_time: 2500
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 2001:4860:4860::8888
    tls_auth_name: "dns.google"
  - address_data: 2001:4860:4860::8844
    tls_auth_name: "dns.google"
  - address_data: 8.8.8.8
    tls_auth_name: "dns.google"
  - address_data: 8.8.4.4
    tls_auth_name: "dns.google"

OpenWrt 19.07.2 r10947-65030d81f3

Thanks!


openssl s_client -connect 1.1.1.1:853 > ok

openssl s_client -connect 8.8.8.8:853 >

2012728964:error:02002092:system library:connect:reason(146):crypto/bio/b_sock2.c:110:
2012728964:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=146

Same here, always got Cloudflare DNS

I don't see this, I was able to change the resolver fine. From the default CloudFlare, replaced by Google. I think my settings are pretty much default per the setup page below.


/etc/config$ uci show stubby
stubby.global=stubby
stubby.global.manual='0'
stubby.global.trigger='wan'
stubby.global.dns_transport='GETDNS_TRANSPORT_TLS'
stubby.global.tls_authentication='1'
stubby.global.tls_query_padding_blocksize='128'
stubby.global.appdata_dir='/var/lib/stubby'
stubby.global.edns_client_subnet_private='1'
stubby.global.idle_timeout='10000'
stubby.global.round_robin_upstreams='1'
stubby.global.listen_address='127.0.0.1@5453' '0::1@5453'
stubby.@resolver[0]=resolver
stubby.@resolver[0].address='2001:4860:4860::8888'
stubby.@resolver[0].tls_auth_name='dns.google'
stubby.@resolver[1]=resolver
stubby.@resolver[1].address='2001:4860:4860::8844'
stubby.@resolver[1].tls_auth_name='dns.google'
stubby.@resolver[2]=resolver
stubby.@resolver[2].address='8.8.8.8'
stubby.@resolver[2].tls_auth_name='dns.google'
stubby.@resolver[3]=resolver
stubby.@resolver[3].address='8.8.4.4'
stubby.@resolver[3].tls_auth_name='dns.google'

/etc/config/stubby
config stubby 'global'
       option manual '0'
       option trigger 'wan'
       # option triggerdelay '2'
       list dns_transport 'GETDNS_TRANSPORT_TLS'
       option tls_authentication '1'
       option tls_query_padding_blocksize '128'
       # option tls_connection_retries '2'
       # option tls_backoff_time '3600'
       # option timeout '5000'
       # option dnssec_return_status '0'
       option appdata_dir '/var/lib/stubby'
       # option trust_anchors_backoff_time 2500
       # option dnssec_trust_anchors '/var/lib/stubby/getdns-root.key'
       option edns_client_subnet_private '1'
       option idle_timeout '10000'
       option round_robin_upstreams '1'
       list listen_address '127.0.0.1@5453'
       list listen_address '0::1@5453'
       # option log_level '7'
       # option command_line_arguments ''
       # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
       # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
       # option tls_min_version '1.2'
       # option tls_max_version '1.3'

# Upstream resolvers are specified using 'resolver' sections.
config resolver
       option address '2001:4860:4860::8888'
       option tls_auth_name 'dns.google'
config resolver
       option address '2001:4860:4860::8844'
       option tls_auth_name 'dns.google'
config resolver
       option address '8.8.8.8'
       option tls_auth_name 'dns.google'
config resolver
       option address '8.8.4.4'
       option tls_auth_name 'dns.google'

Just modify the config file at /etc/config/stubby.

Here's my Google DNS setup:

config resolver
       option address '8.8.8.8'
       option tls_auth_name 'dns.google.com'
       option tls_port 853
       list spki 'sha256/**COPY_PASTE_THE_GENERATE_SHA256_FROM_OPENSSL-UTILS**'
       option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
       option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
       option tls_min_version '1.2'
       option tls_max_version '1.3'


config resolver
       option address '8.8.4.4'
       option tls_auth_name 'dns.google.com'
       option tls_port 853
       list spki 'sha256/**COPY_PASTE_THE_GENERATE_SHA256_FROM_OPENSSL-UTILS**'
       option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
       option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
       option tls_min_version '1.2'
       option tls_max_version '1.3'

To generate the SHA256 you need to use openssl-utils in a terminal with this command:

echo | openssl s_client -connect '**GOOGLE_DNS_IP**:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Replace COPY_PASTE_THE_GENERATE_SHA256_FROM_OPENSSL-UTILS with the output from the terminal, and also replace GOOGLE_DNS_IP with the Google DNS IP you queried.

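The following is an added example, not code from any post in this thread: it runs the same x509 / pkey / dgst / enc pipeline as the command above, but on a throwaway self-signed certificate generated locally so it works offline (the CN dns.example.test, the temp paths and the helper names are constructed). It also shows that the pin covers only the public key, so two certificates issued for the same key give an identical pin and only a key rotation upstream changes it.

```shell
#!/bin/sh
# Added example (not from the thread): compute a stubby SPKI pin offline.
# The pin is SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded,
# which is exactly what the s_client | x509 | pkey | dgst | enc pipeline
# in the post above produces for a live upstream.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: one EC key and two certificates for it
# (standing in for a renewed certificate that kept the same key).
make_test_certs() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=dns.example.test" \
        -days 1 -out "$WORK/cert1.pem" 2>/dev/null
    openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=dns.example.test" \
        -days 2 -out "$WORK/cert2.pem" 2>/dev/null
}

# Pin from a PEM certificate, in the 'sha256/<base64>' form stubby expects.
spki_pin_from_cert() {
    printf 'sha256/%s' "$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Same pin computed from the key's public half; used to cross-check that
# the certificate pipeline really hashes the key and nothing else.
spki_pin_from_key() {
    printf 'sha256/%s' "$(openssl pkey -in "$1" -pubout -outform der \
        | openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Render the line to paste into a 'config resolver' section of /etc/config/stubby.
uci_spki_line() {
    printf "       list spki '%s'\n" "$1"
}
```

Compare the pin from the live upstream against a stored value before enabling it; if the two differ, the operator has rotated the key and a pinned stubby would silently lose DNS.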

Does anyone know how long the generated Google SHA SPKI works? The reason I'm asking is the statement about CloudFlare in the Git repository:

Upstream resolvers

The default package configuration uses the CloudFlare resolvers, configured for both IPv4 and IPv6.

CloudFlare have not published SPKI pinsets, and even though they are available, they have made no commitment to maintaining them. Using the currently known SPKI pinsets for CloudFlare brings the risk that in the future they may be changed by CloudFlare, and DNS would stop working. The default configuration has those SPKI entries commented out for this reason.