Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Sun Mar 17, 2024 7:46 Post subject:
Best for privacy is DNScrypt-proxy v2...but...to make it work as intended, it has a lot of settings to handle via the .toml config file...
DD-WRT is using the old version of it (v1.95); it has no settings, you just choose servers and use it as it is...whereas DNScrypt-proxy v2 has tons of useful settings and is more versatile...(it can do DoH and QUIC or the standard DNSCrypt protocol)
Unbound is next, as it offers a DNS server setup option, not just a forwarder...as the others do...
plus tons of useful settings (it can handle DoT and DoH). There must be a guide for it in the forum, I just can't find it now...but it's there...
SmartDNS is DD-WRT's most versatile encrypted DNS service, as it offers a great set of features/options...(to forward and encrypt the DNS requests)...and as egc noted is the easiest option to use...(it can do DoT and DoH)
that is all you need nowadays for SmartDNS to work
Stubby is very light and also a recursive encrypted DNS forwarder that works on top of GetDNS...which comes with it...(it only offers DoT, but a new version of it was announced that will support DoH too)
There is tons of info about those from above...search the forum or the internet,
The best is defined by the scenario used...but, overall, for security DNScrypt and Unbound take it all...not that the rest are not secure, but...for functionality
Then SmartDNS is the best and the easiest to use and set up...followed by Stubby..Stubby has fewer settings to fiddle with...but it is light and fast...too
for the record I use Stubby on my old routers that do not have openssl, as the Stubby installation via entware comes with openssl by default
also for the record 'all those from above can coexist with DD-WRT DNSmasq with no harm...'
If you dig down deeply enough you will find all sorts of encrypted DNS solutions...but those from above are the ones that made it through...so far _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Sun Mar 17, 2024 13:14; edited 3 times in total
I administer a lot of Broadcom and Atheros routers for friends, family and neighbours, and on most of those I use SmartDNS with DoT.
I use SmartDNS as upstream resolver for DNSMasq and not as a replacement.
The SmartDNS guide is a sticky in this forum.
Note that you need to make some adaptations to make this compatible with a VPN if you are using PBR to prevent a DNS leak; if you use the VPN only, you do not need encrypted DNS, as all traffic including DNS is already encrypted.
With my other router, I can use OpenWrt and I have DNS servers from ControlD on my WAN interface; I run WireGuard and I have the Surfshark DNS in the wg setup + I run dnscryptV2 on the router.
Posted: Mon Mar 18, 2024 8:55 Post subject:
egc wrote:
OpenWRT does not handle the DNS from the wg interface correctly.
It is not used exclusively like ddwrt does.
So you might get a dns leak when using openwrt.
As egc noted from above, with DD-WRT DNS requests are parsed via DNSmasq inside the encrypted tunnel...that's why disabling DNSmasq is not recommended, especially when you are using encrypted DNS solutions...
Posted: Mon Mar 18, 2024 16:48 Post subject: I think I know which is easiest to configure
I followed this guide: https://tadeubento.com/2022/dd-wrt-proper-dns-with-smartdns/ but replaced his Cloudflare config with Quad9. It supposedly selects the faster of DoT and DoH, and thus far "Resolve-DnsName -Type txt proto.on.quad9.net." in PowerShell has always returned "dot". (Unless I remove the "server-tls" entries and just go with the "https" ones to get "doh".) Perhaps the pros will weigh in on the suitability of this.
do53-udp (53/UDP - Plaintext)
do53-tcp (53/TCP - Plaintext)
doh (443/TCP - DNS over HTTPS)
dot (853/TCP - DNS over TLS)
dnscrypt-udp (UDP - DNSCrypt)
dnscrypt-tcp (TCP - DNSCrypt)
If you do not receive a response (NXDOMAIN), then Quad9 was not used to perform this DNS query.
The screenshot in that article is WRONG. You can't use : in the tls-host-verify or any other part of the additional configs, especially on current releases.
SMARTDNS Guide - pg 18 _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
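The proto.on.quad9.net check above is worth automating on a LAN client so you can re-run it after every config change. The script below is an added example, not code from the thread or from the SmartDNS or DD-WRT projects: it sends a raw TXT query over UDP to a resolver you name (for a LAN client that is normally the router's address; the IP in the usage line is a placeholder), parses the answer with the standard library only, and maps the TXT values listed above to "encrypted or not". The two SAMPLE_* messages are constructed inline so the parsing and classification logic runs offline; the NXDOMAIN sample covers the "Quad9 was not used" case.

```python
"""Check which transport Quad9 saw a query arrive over (proto.on.quad9.net TXT).

Added example for the forum thread; uses only the Python standard library.
"""
import socket
import struct
import sys

QTYPE_TXT = 16

# TXT values documented by Quad9 (as quoted in the thread) -> (transport, encrypted?)
PROTO_INFO = {
    "do53-udp": ("53/UDP plaintext", False),
    "do53-tcp": ("53/TCP plaintext", False),
    "doh": ("443/TCP DNS over HTTPS", True),
    "dot": ("853/TCP DNS over TLS", True),
    "dnscrypt-udp": ("UDP DNSCrypt", True),
    "dnscrypt-tcp": ("TCP DNSCrypt", True),
}


def build_query(name, txid=0x1234):
    """Encode a standard recursion-desired DNS query for <name> TXT IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_TXT, 1)


def _skip_name(data, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_txt_response(data):
    """Return (rcode, [txt strings]) from a raw DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qd):                 # skip the echoed question section
        pos = _skip_name(data, pos) + 4  # QTYPE + QCLASS
    txts = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_TXT:
            # TXT RDATA is a sequence of <len><bytes> character-strings
            i = 0
            while i < len(rdata):
                n = rdata[i]
                txts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return rcode, txts


def classify(rcode, txts):
    """Interpret the answer: NXDOMAIN or no TXT means Quad9 did not see the query."""
    if rcode == 3 or not txts:
        return {"quad9": False, "encrypted": None, "transport": None}
    proto = txts[0].strip().lower()
    transport, encrypted = PROTO_INFO.get(proto, ("unknown (%s)" % proto, None))
    return {"quad9": True, "encrypted": encrypted, "transport": transport}


def check(resolver, timeout=3.0):
    """Query the given resolver (e.g. the router) over UDP/53 and classify the reply."""
    query = build_query("proto.on.quad9.net")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(512)
    return classify(*parse_txt_response(data))


# Constructed sample responses (not captured traffic) so the parser can be exercised offline.
_QUESTION = b"\x05proto\x02on\x05quad9\x03net\x00\x00\x10\x00\x01"
SAMPLE_DOT_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                       + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, 4) + b"\x03dot")
SAMPLE_NXDOMAIN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    # Placeholder router address; pass your own resolver IP as the first argument.
    print(check(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"))
```

Run it from a LAN client with the router's IP as the argument; a result of {"quad9": True, "encrypted": True, "transport": "853/TCP DNS over TLS"} corresponds to the "dot" answer reported above, while {"quad9": False, ...} means the query never reached Quad9 at all, which is the case to investigate before trusting the setup.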
Posted: Mon Mar 18, 2024 19:13 Post subject:
dale_gribble39 wrote:
The screenshot in that article is WRONG. You can't use : in the tls-host-verify or any other part of the additional configs, especially on current releases.
please elaborate...as I'm currently using this config that you claim is wrong...
the problem you report was solved by BS some time ago...
also, for SmartDNS the router model matters, as some routers don't have ssl, so no encrypted DNS on those...
The screenshot in question, since you obviously didn't look:
Clearly bad configuration with : in the textbox, which is WRONG.
Posted: Mon Mar 18, 2024 22:16 Post subject:
aghhh yes indeed... on this screenshot the config has a wrong syntax...
I took the bait, as this thread harbours one of my screenshots too...
where it shows the new syntax/format..
sorry.. about the misunderstanding...