Encrypt DNS requests with Stubby
- Install dnsmasq-full (even if dnsmasq is already installed, since the plain dnsmasq package doesn't support DNSSEC).
apk --update-cache add dnsmasq-full
- Configure /etc/config/dhcp
config dnsmasq
    ...
    # Add stubby as dns resolver
    list server '127.0.0.1#5453'
    # Disable usage of dns resolver from /etc/resolv.conf
    option noresolv '1'
    # Enable DNSSEC validation
    option dnssec '1'
    option dnsseccheckunsigned '1'
- Configure /etc/config/network
# IPv4
config interface 'wan'
    ...
    # Disable peer DNS (resolver provided by ISP)
    option peerdns '0'
    # Use stubby as dns resolver
    option dns '127.0.0.1'

# IPv6
config interface 'wan6'
    ...
    # Disable peer DNS (resolver provided by ISP)
    option peerdns '0'
    # Use stubby as dns resolver
    option dns '0::1'
- Reload configuration
reload_config
- Configure /etc/config/stubby
- Set the minimum TLS version
config stubby 'global'
    ...
    # for bridged AP mode
    option trigger 'lan'
    option tls_min_version '1.2'
- Replace all DNS resolvers with trusted ones, e.g. the following (check each address, TLS auth name and SPKI pin against the provider's published values, since stubby uses them to authenticate the upstream):
- Digitalcourage
config resolver
    option address '5.9.164.112'
    option tls_auth_name 'dns3.digitalcourage.de'
    list spki 'sha256/2WFzfO2/56HpeR+v/l25NPf5dacfxLrudH5yZbWCfdo='
- Dismail
config resolver
    option address '116.203.32.217'
    option tls_auth_name 'fdns1.dismail.de'
    list spki 'sha256/MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU='
- Digitalcourage
- Set the minimum TLS version
- Restart stubby and dnsmasq
service stubby restart
service dnsmasq restart
To verify your setup, visit https://dnsleaktest.com from a client within your network. Only your configured resolvers should be listed:
dns leak test result