Encrypt DNS requests with Stubby
- Install dnsmasq-full (even if dnsmasq is already installed, since the default dnsmasq package does not support DNSSEC).

```sh
opkg update
opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk
```

Make sure to download dnsmasq-full first, before uninstalling dnsmasq (installing new software is a lot harder without a working DNS).
- Install stubby

```sh
opkg install stubby
```
- Configure /etc/config/dhcp

```
config dnsmasq
	...
	# Add stubby as DNS resolver
	list server '127.0.0.1#5453'
	# Disable usage of the DNS resolvers from /etc/resolv.conf
	option noresolv '1'
	# Enable DNSSEC validation
	option dnssec '1'
	option dnsseccheckunsigned '1'
```
- Configure /etc/config/network

```
# IPv4
config interface 'wan'
	...
	# Disable peer DNS (resolver provided by ISP)
	option peerdns '0'
	# Use stubby as DNS resolver
	option dns '127.0.0.1'

# IPv6
config interface 'wan6'
	...
	# Disable peer DNS (resolver provided by ISP)
	option peerdns '0'
	# Use stubby as DNS resolver
	option dns '0::1'
```
- Reload configuration

```sh
reload_config
```
- Configure /etc/config/stubby
- Set the minimum TLS version

```
config stubby 'global'
	...
	option tls_min_version '1.2'
```

- Replace all DNS resolvers with trusted ones (the `tls_auth_name` and `spki` pin are what Stubby uses to authenticate the resolver's certificate, so take them from the operator's published values), e.g.:
- Digitalcourage

```
config resolver
	option address '5.9.164.112'
	option tls_auth_name 'dns3.digitalcourage.de'
	list spki 'sha256/2WFzfO2/56HpeR+v/l25NPf5dacfxLrudH5yZbWCfdo='
```

- Dismail

```
config resolver
	option address '116.203.32.217'
	option tls_auth_name 'fdns1.dismail.de'
	list spki 'sha256/MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU='
```
- Restart stubby and dnsmasq

```sh
/etc/init.d/stubby restart
/etc/init.d/dnsmasq restart
```
To verify your setup, visit https://dnsleaktest.com on a client within your network. Your configured resolvers should be listed:

[Image: DNS leak test result]
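As an added offline check (example code written for this post, not part of the original or of the Stubby and OpenWrt projects), the following Python script parses copies of the UCI files above and flags the settings that would weaken the setup: a TLS floor below 1.2, a resolver without `tls_auth_name` or `spki` pin, dnsmasq not validating DNSSEC, or an upstream that bypasses Stubby in plaintext. It assumes the UCI syntax shown on this page; the SAMPLE configuration at the end is constructed and deliberately weak.

```python
import re
import shlex

SPKI_RE = re.compile(r'^sha256/[A-Za-z0-9+/]{43}=$')  # base64 of a 32-byte SHA-256 digest

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]; comments are dropped."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # quoting keeps the '#' in '127.0.0.1#5453'
        if len(tok) > 1 and tok[0] == 'config':
            sections.append((tok[1], {}))
        elif len(tok) == 3 and tok[0] in ('option', 'list') and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit(text):
    """Findings for /etc/config/stubby or /etc/config/dhcp; an empty list means all checks passed."""
    out = []
    for stype, o in parse_uci(text):
        if stype == 'stubby':  # global section: refuse TLS < 1.2
            ver = o.get('tls_min_version', ['1.0'])[0]
            if tuple(int(x) for x in ver.split('.')) < (1, 2):
                out.append(f'tls_min_version {ver} permits deprecated TLS versions')
        elif stype == 'resolver':  # every upstream must be authenticated and pinned
            addr = o.get('address', ['?'])[0]
            if 'tls_auth_name' not in o:
                out.append(f'{addr}: no tls_auth_name, server certificate is not verified')
            pins = o.get('spki', [])
            if not pins:
                out.append(f'{addr}: no spki pin')
            out += [f'{addr}: malformed spki {p}' for p in pins if not SPKI_RE.match(p)]
        elif stype == 'dnsmasq':  # dnsmasq must validate DNSSEC and forward only to stubby
            out += [f'dnsmasq: {k} is not 1' for k in ('noresolv', 'dnssec', 'dnsseccheckunsigned')
                    if o.get(k, ['0'])[0] != '1']
            servers = o.get('server', [])
            if not servers:
                out.append('dnsmasq: no server entry pointing at stubby')
            out += [f'dnsmasq: upstream {s} bypasses stubby (plaintext DNS)'
                    for s in servers if s.split('#')[0] not in ('127.0.0.1', '::1', '0::1')]
    return out

# Constructed sample (not a real deployment) with deliberate weaknesses for audit() to flag.
SAMPLE = """config stubby 'global'
option tls_min_version '1.1'
config resolver
option address '192.0.2.53'
config dnsmasq
list server '198.51.100.53'
"""
```

Run `audit(open('/path/to/stubby').read())` and the same for the dhcp file; a healthy setup returns an empty list.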