LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
27171 Commits
1 Branch
46 MiB
Tree: c5ac15a869
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c5ac15a869'
${ noResults }
openwrt-packages-dist/net/stubby/files/README.md

454 lines
18 KiB
Raw Normal View History

stubby: add reload_config to documentation Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: switch to ca-bundle Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
5 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Fix UCI command in README Signed-off-by: Salim B <salim@posteo.de>
5 years ago
stubby: add reload_config to documentation Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add reload_config to documentation Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add reload_config to documentation Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add reload_config to documentation Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add reload_config to documentation Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: update to version 0.2.4 This upstream release adds support for trust_anchors_backoff_time configuration parameter. UCI support has been added for this. This commit also includes a number of clean-ups: o change START=50 to START=30 in init file Starting earlier in the boot means less chance of missing interface trigger events. See: https://github.com/openwrt/packages/pull/4675 o remove unused variables from init file o separate local declarations and assignments in init file o add defensive quoting in init file o use default values for procd respawn in init file o make use of {} in variables consistent in init file o remove unused variable from init file Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: add support for TLS configuration options - tls_cipher_list - tls_ciphersuites - tls_min_version - tls_max_version Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
5 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add support for tls_port resolver config option (#8889) Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
5 years ago
stubby: add support for TLS configuration options - tls_cipher_list - tls_ciphersuites - tls_min_version - tls_max_version Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
5 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: fix typo Signed-off-by: Salim B salim@posteo.de
4 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
stubby: Bump to 0.2.2 plus updates to default config Bump version plus changes to address concerns regarding default config for stubby provided with this package Signed-off-by: David Mora <iamperson347+public@gmail.com>
6 years ago
stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
6 years ago
 
  1. 

  2. # Stubby for OpenWRT

  3. 

  4. ## Stubby Description

  5. 

  6. [Stubby](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby) is
  7. an application that acts as a local DNS Privacy stub resolver (using
  8. DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine to a DNS
  9. Privacy resolver increasing end user privacy.
  10. 

  11. Stubby is useful on an OpenWRT device, because it can sit between the usual DNS
  12. resolver (dnsmasq by default) and the upstream DNS resolver and be used to
  13. ensure that DNS traffic is encrypted between the OpenWRT device and the
  14. resolver.
  15. 

  16. Stubby is developed by the [getdns](http://getdnsapi.net/) project.
  17. 

  18. For more background and FAQ see the [About
  19. Stubby](https://dnsprivacy.org/wiki/display/DP/About+Stubby) page.
  20. 

  21. 

  22. ## Installation

  23. 

  24. Installation of this package can be achieved at the command line using `opkg
  25. install stubby`, or via the LUCI Web Interface. Installing the stubby package
  26. will also install the required dependency packages, including the
  27. `ca-bundle` package.
  28. 

  29. ## Configuration

  30. 

  31. The default configuration of the package has been chosen to ensure that stubby
  32. should work after installation.
  33. 

  34. By default, configuration of stubby is integrated with the OpenWRT UCI system
  35. using the file `/etc/config/stubby`. The configuration options available are
  36. also documented in that file. If for some reason you wish to configure stubby
  37. using the `/etc/stubby/stubby.yml` file, then you simply need to set `option
  38. manual '1'` in `/etc/config/stubby` and all other settings in
  39. `/etc/config/stubby` will be ignored.
  40. 

  41. ### Stubby port and addresses

  42. 

  43. The default configuration ensures that stubby listens on port 5453 on the
  44. loopback interfaces for IPv4 and IPv6. As such, by default, stubby will respond
  45. only to lookups from the OpenWRT device itself.
  46. 

  47. By setting the listening ports to non-standard values, this allows users to keep
  48. the main name server daemon in place (dnsmasq/unbound/etc.) and have that name
  49. server forward to stubby.
  50. 

  51. ### Upstream resolvers

  52. 

  53. The default package configuration uses the CloudFlare resolvers, configured for
  54. both IPv4 and IPv6. 
  55. 

  56. CloudFlare have not published SPKI pinsets, and even though they are available,
  57. they have made no commitment to maintaining them. Using the currently known SPKI
  58. pinsets for CloudFlare brings the risk that in the future they may be changed by
  59. CloudFlare, and DNS would stop working. The default configuration has those SPKI
  60. entries commented out for this reason.
  61. 

  62. [CloudFlare's privacy
  63. statement](https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/)
  64. details how they treat data from DNS requests.
  65. 

  66. More resolvers are available in the [upstream stubby example
  67. configuration](https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example)
  68. and the [DNS Privacy
  69. list](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers).
  70. 

  71. ## Integration of stubby with dnsmasq

  72. 

  73. The recommended way to use stubby on an OpenWRT device is to integrate it with a
  74. caching resolver. The default caching resolver in OpenWRT is dnsmasq.
  75. 

  76. ### Set dnsmasq to send DNS requests to stubby

  77. 

  78. Since dnsmasq responds to LAN DNS requests on port 53 of the OpenWRT device by
  79. default, all that is required is to have dnsmasq forward those requests to
  80. stubby which is listening on port 5453 of the OpenWRT device. To achieve this,
  81. we need to set the `server` option in the dnsmasq configuration in the
  82. `/etc/config/dhcp` file to `'127.0.0.1#5453'`. We also need to tell dnsmasq not
  83. to use resolvers found in `/etc/resolv.conf` by setting the dnsmasq option
  84. `noresolv` to `1` in the same file. This can be achieved by editing the
  85. `/etc/config/dhcp` file directly or executing the following commands at the
  86. command line:
  87. 

  88.     uci add_list dhcp.@dnsmasq[-1].server='127.0.0.1#5453'
  89.     uci set dhcp.@dnsmasq[-1].noresolv=1
  90.     uci commit && reload_config
  91. 

  92. The same outcome can be achieved in the LUCI web interface as follows:
  93. 

  94. 1. Select the Network->DHCP and DNS menu entry.
  95. 2. In the "General Settings" tab, enter the address `127.0.0.1#5453` as the only
  96.    entry in the "DNS Forwardings" dialogue.
  97. 3. In the "Resolv and Host files" tab tick the "Ignore resolve file" checkbox.
  98. 

  99. ### Disable sending DNS requests to ISP provided DNS servers

  100. 

  101. The configuration changes in the previous section ensure that DNS queries are
  102. sent over TLS encrypted connections *once dnsmasq and stubby are started*. When
  103. the OpenWRT device is first brought up, there is a possibility that DNS queries
  104. can go to ISP provided DNS servers ahead of dnsmasq and stubby being active. In
  105. order to mitigate this leakage, it's necessary to ensure that upstream resolvers
  106. aren't available, and the only DNS resolver used by the system is
  107. dnsmasq+stubby. 
  108. 

  109. This requires setting the option `peerdns` to `0` and the option `dns` to the
  110. loopback address for both the `wan` and `wan6` interfaces in the
  111. `/etc/config/network` file. This can be achieved by editing the
  112. `/etc/config/network` file directly, or by executing the following commands:
  113. 

  114.     uci set network.wan.peerdns='0'
  115.     uci set network.wan.dns='127.0.0.1'
  116.     uci set network.wan6.peerdns='0'
  117.     uci set network.wan6.dns='0::1'
  118.     uci commit && reload_config
  119. 

  120. The same outcome can also be achieved using the LUCI web interface as follows:
  121. 

  122. 1. Select the Network->Interfaces menu entry.
  123. 2. Click on Edit for the WAN interfaces.
  124. 3. Choose the Advanced Settings tab.
  125. 4. Unselect the "Use DNS servers advertised by peer" checkbox
  126. 5. Enter `127.0.0.1` in the "Use custom DNS servers" dialogue box.
  127. 6. Repeat the above steps for the WAN6 interface, but use the address `0::1`
  128.    instead of `127.0.0.1`.
  129.    
  130. ### Enabling DNSSEC

  131. 

  132. The configuration described above ensures that DNS queries are executed over TLS
  133. encrypted links. However, the responses themselves are not validated; DNSSEC
  134. provides the ability to validate returned DNS responses, and mitigate against
  135. DNS poisoning risks.
  136. 

  137. With the combination of stubby+dnsmasq there are two possible ways to enable
  138. DNSSEC:
  139. 

  140. 1. Configure stubby to perform DNSSEC validation, and configure dnsmasq to proxy
  141.    the DNSSEC data to clients.
  142. 2. Configure stubby not to perform DNSSEC validation and configure dnsmasq to
  143.    require DNSSEC validation.
  144. 

  145. Either option achieves the same outcome, and there appears to be little reason
  146. for choosing one over the other other than that the second option is easier to
  147. configure in the LUCI web interface. Both options are detailed below, and both
  148. require that the `dnsmasq` package on the OpenWRT device is replaced with the
  149. `dnsmasq-full` package. That can be achieved by running the following command:
  150. 

  151.     opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk
  152. 

  153. #### DNSSEC by stubby

  154. 

  155. Configuring stubby to perform DNSSEC validation requires setting the stubby
  156. configuration option `dnssec_return_status` to `'1'` in `/etc/config/stubby`,
  157. which can be done by editing the file directly or by executing the commands:
  158. 

  159.     uci set stubby.global.dnssec_return_status=1
  160.     uci commit && reload_config
  161.     
  162. With stubby performing DNSSEC validation, dnsmasq needs to be configured to
  163. proxy the DNSSEC data to clients. This requires setting the option `proxydnssec`
  164. to 1 in the dnsmasq configuration in `/etc/config/dhcp`. That can be achieved by
  165. the following commands:
  166. 

  167.     uci set dhcp.@dnsmasq[-1].proxydnssec=1
  168.     uci commit && reload_config
  169. 

  170. #### DNSSEC by dnsmasq

  171. 

  172. Configuring dnsmasq to perform DNSSEC validation requires setting the dnsmasq
  173. option `dnssec` to `1` in the `/etc/config/dhcp` file. In addition, it is
  174. advisable to also set the dnsmasq option `dnsseccheckunsigned` to `1`. this can
  175. be achieved by editing the file `/etc/config/dhcp` or by executing the following
  176. commands:
  177. 

  178.     uci set dhcp.@dnsmasq[-1].dnssec=1
  179.     uci set dhcp.@dnsmasq[-1].dnsseccheckunsigned=1
  180.     uci commit && reload_config
  181. 

  182. The same options can be set in the LUCI web interface as follows:
  183. 

  184. 1. Select the "Network->DHCP and DNS" menu entry.
  185. 2. Select the "Advanced Settings" tab.
  186. 3. Ensure both the "DNSSEC" and "DNSSEC check unsigned" check boxes are ticked.
  187. 

  188. #### Validating DNSSEC operation

  189. 

  190. Having configured DNSSEC validation using one of the two approaches above, it's
  191. important to check it's actually working. The following command can be used:
  192. 

  193.     dig dnssectest.sidn.nl +dnssec +multi @192.168.1.1
  194.     
  195. This command should return output like the following:
  196. 

  197.     ; <<>> DiG 9.11.4-P1-RedHat-9.11.4-5.P1.fc28 <<>> dnssectest.sidn.nl +dnssec +multi @192.168.1.1
  198.     ;; global options: +cmd
  199.     ;; Got answer:
  200.     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26579
  201.     ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
  202. 

  203.     ;; OPT PSEUDOSECTION:
  204.     ; EDNS: version: 0, flags: do; udp: 512
  205.     ;; QUESTION SECTION:
  206.     ;dnssectest.sidn.nl.	IN A
  207. 

  208.     ;; ANSWER SECTION:
  209.     dnssectest.sidn.nl.	14399 IN A 213.136.9.12
  210.     dnssectest.sidn.nl.	14399 IN RRSIG A 8 3 14400 (
  211. 				20181104071058 20181005071058 42033 sidn.nl.
  212. 				YAQl3tef36M9EQUOmCneHKCCkxox3csLpfUOql5i/6ND
  213. 				zPrQFsNr3g32HPoxOsi+hD2BE5+bEsnARayDSVLyx0qU
  214. 				6Hpi2rzQ0zGNZZkCJhCsdp3wnM1BWlMgPrCD0iIsJDok
  215. 				+DH5zu+yYufVUdSLQrMqA3MZDFUIqDUqSZuYDF4= )
  216. 

  217.     ;; Query time: 77 msec
  218.     ;; SERVER: 192.168.1.1#53(192.168.1.1)
  219.     ;; WHEN: Sat Oct 06 20:36:25 BST 2018
  220.     ;; MSG SIZE  rcvd: 230
  221. 

  222. The key thing to note is the `flags: qr rd ra ad` part - the `ad` flag signifies
  223. that DNSSEC validation is working. If that flag is absent DNSSEC validation is
  224. not working.
  225. 

  226. ## Appendix: stubby configuration options

  227. 

  228. This section details the options available for use in the `/etc/config/stubby`
  229. file. The `global` configuration section specifies the configuration parameters
  230. for the stubby daemon. One or more `resolver` sections are used to configure
  231. upstream resolvers for the stubby daemon to use.
  232. 

  233. ### `global` section options

  234. 

  235. #### `option manual`

  236. 

  237. Specify whether to use this file to configure the stubby service. If this is set
  238. to `'1'` stubby will be configured using the file `/etc/stubby/stubby.yml`. If this
  239. is set to `'0'`, configuration options will be taken from this file, and the service
  240. will be managed through UCI.
  241. 

  242. #### `option trigger`

  243. 

  244. This specifies an interface to trigger stubby start up on; stubby startup will
  245. be triggered by a procd signal associated with this interface being ready. If
  246. this interface is restarted, stubby will also be restarted. 
  247. 

  248. This option can also be set to `'timed'`, in which case a time, specified by the
  249. option `triggerdelay`, will be waited before starting stubby.
  250. 

  251. 

  252. #### `option triggerdelay`

  253. 

  254. If the `trigger` option specifies an interface, this option sets the time that
  255. is waited after the procd signal is received before starting stubby. 
  256. 

  257. If `trigger` is set to `'timed'` then this is the delay before starting stubby.
  258. This option is specified in seconds and defaults to the value `'2'`.
  259. 

  260. #### `list dns_transport`

  261. 

  262. The `dns_transport` list specifies the allowed transports. Allowed values are:
  263. `GETDNS_TRANSPORT_UDP`, `GETDNS_TRANSPORT_TCP` and `GETDNS_TRANSPORT_TLS`. The
  264. transports are tried in the order listed.
  265. 

  266. #### `option tls_authentication`

  267. 

  268. This option specifies whether TLS authentication is mandatory. A value of `'1'`
  269. mandates TLS authentication, and is the default.
  270. 

  271. If this is set to `'0'`, and `GETDNS_TRANSPORT_TCP` or `GETDNS_TRANSPORT_UDP`
  272. appears in the `dns_transport` list, stubby is allowed to fall back to non-TLS
  273. authenticated lookups. You probably don't want this though.
  274. 

  275. #### `option tls_query_padding_blocksize`

  276. 

  277. This option specifies the block size to pad DNS queries to. You shouldn't need
  278. to set this to anything but `'128'` (the default), as recommended by
  279. https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03
  280. 

  281. #### `option tls_connection_retries`

  282. 

  283. This option specifies the number of connection failures stubby permits before
  284. Stubby backs-off from using an individual upstream resolver. You shouldn't need
  285. to change this from the default value of `'2'`.
  286. 

  287. #### `option tls_backoff_time`

  288. 

  289. This option specifies the maximum time in seconds Stubby will back-off from
  290. using an individual upstream after failures. You shouldn't need to change this
  291. from the default value of `'3600'`.
  292. 

  293. #### `option timeout`

  294. 

  295. This option specifies the timeout on getting a response to an individual
  296. request. This is specified in milliseconds. You shouldn't need to change this
  297. from the default value of ` '5000'`.
  298. 

  299. #### `option dnssec_return_status`

  300. 

  301. This option specifies whether stubby should require DNSSEC validation. Specify
  302. to `'1'` to turn on validation, and `'0'` to turn it off. By default it is off.
  303. 

  304. #### `option appdata_dir`

  305. 

  306. This option specifies the location for storing stubby runtime data. In
  307. particular, if DNSSEC is turned on, stubby will store its automatically
  308. retrieved trust anchor data here. The default value is `'/var/lib/stubby'`.
  309. 

  310. #### `option trust_anchors_backoff_time`

  311. 

  312. When Zero configuration DNSSEC failed, because of network unavailability or
  313. failure to write to the appdata directory, stubby will backoff trying to refetch
  314. the DNSSEC trust-anchor for a specified amount of time expressed in milliseconds
  315. (which defaults to two and a half seconds).
  316. 

  317. #### `option dnssec_trust_anchors`

  318. 

  319. This option sets the location of the file containing the trust anchor data used
  320. for DNSSEC validation. If this is not specified, stubby will automatically
  321. retrieve a trust anchor at startup. It's unlikely you'll want to manage the
  322. trust anchor data manually, so in most cases this is not needed. By default,
  323. this is unset.
  324. 

  325. #### `option edns_client_subnet_private`

  326. 

  327. This option specifies whether to enforce ECS client privacy. The default is
  328. `'1'`. Set to `'0'` to disable client privacy.
  329. 

  330. For more details see Section 7.1.2 [here](https://tools.ietf.org/html/rfc7871).
  331. 

  332. #### `option idle_timeout`

  333. 

  334. This option specifies the time (in milliseconds) to hold TLS connections open to
  335. avoid the overhead of opening a new connection for every query. You should not
  336. normally need to change this from the default value (currently `'10000'`).
  337. 

  338. See [here](https://tools.ietf.org/html/rfc7828) for more details.
  339. 

  340. #### `option round_robin_upstreams`

  341. 

  342. This option specifies how stubby will use the upstream DNS resolvers. Set to
  343. `'1'` (the default) to instruct stubby to distribute queries across all
  344. available name servers - this will use multiple simultaneous connections which
  345. can give better performance in most (but not all) cases. Set to `'0'` to treat
  346. the upstream resolvers as an ordered list and use a single upstream resolver
  347. until it becomes unavailable, then use the next one.
  348. 

  349. #### `list listen_address`

  350. 

  351. This list sets the addresses and ports for the stubby daemon to listen for
  352. requests on. the default configuration configures stubby to listen on port 5453
  353. on the loopback interface for both IPv4 and IPv6.
  354. 

  355. #### `option log_level`

  356. 

  357. If set, this option specifies the level of logging from the stubby
  358. daemon. By default, this option is not set.
  359. 

  360. The possible levels are:
  361. 

  362.     '0': EMERG  - System is unusable
  363.     '1': ALERT  - Action must be taken immediately
  364.     '2': CRIT   - Critical conditions
  365.     '3': ERROR  - Error conditions
  366.     '4': WARN   - Warning conditions
  367.     '5': NOTICE - Normal, but significant, condition
  368.     '6': INFO   - Informational message
  369.     '7': DEBUG  - Debug-level message
  370. 

  371. #### `option command_line_arguments`

  372. 

  373. This option specifies additional command line arguments for
  374. stubby daemon. By default, this is an empty string.
  375. 

  376. #### `option tls_cipher_list`

  377. 

  378. If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
  379. 1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
  380. with the `tls_ciphersuites` option. This option can also be given per upstream
  381. resolver. By default, this option is not set.
  382. 

  383. #### `option tls_ciphersuites`

  384. 

  385. If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
  386. version 1.1.1 or greater is required for this option. This option can also be
  387. given per upstream resolver. By default, this option is not set.
  388. 

  389. #### `option tls_min_version`

  390. 

  391. If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
  392. 1.1.1 or greater only. This option can also be given per upstream resolver. By
  393. default, this option is not set.
  394. 

  395. #### `option tls_max_version`

  396. 

  397. If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
  398. 1.1.1 or greater only. This option can also be given per upstream resolver. By
  399. default, this option is not set.
  400. 

  401. 

  402. ### `resolver` section options

  403. 

  404. #### `option address`

  405. 

  406. This option specifies the resolver IP address, and can either be an IPv4 or an
  407. IPv6 address.
  408. 

  409. #### `option tls_auth_name`

  410. 

  411. This option specifies the upstream domain name used for TLS authentication with
  412. the supplied server certificate
  413. 

  414. #### `option tls_port`

  415. 

  416. This option specifies the TLS port for the upstream resolver. If not specified,
  417. this defaults to 853.
  418. 

  419. #### `option tls_cipher_list`

  420. 

  421. If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
  422. 1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
  423. with the `tls_ciphersuites` option. By default, this option is not set. If set,
  424. this overrides the global value.
  425. 

  426. #### `option tls_ciphersuites`

  427. 

  428. If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
  429. version 1.1.1 or greater is required for this option. By default, this option is
  430. not set. If set, this overrides the global value.
  431. 

  432. #### `option tls_min_version`

  433. 

  434. If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
  435. 1.1.1 or greater only. By default, this option is not set. If set, this
  436. overrides the global value.
  437. 

  438. #### `option tls_max_version`

  439. 

  440. If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
  441. 1.1.1 or greater only. By default, this options is not set. If set, this
  442. overrides the global value.
  443. 

  444. #### `list spki`

  445. 

  446. This list specifies the SPKI pinset which is verified against the keys in the
  447. server certificate. The value takes the form `'<digest type>/value>'`, where
  448. the `digest type` is the hashing algorithm used, and the value is the Base64
  449. encoded hash of the public key. At present, only `sha256` is
  450. supported for the digest type.
  451. 

  452. This should ONLY be used if the upstream resolver has committed to maintaining
  453. the pinset. CloudFlare have made no such commitment, and so we do not specify
  454. the SPKI values in the default configuration, even though they are available.