I am trying to set up Cloudflare’s new DNS over TLS, following the method outlined here. Unfortunately, it looks like something is already listening on 0.0.0.0:
root@GL-AR300M:~# unbound
[1522725485] unbound[13292:0] error: can’t bind socket: Address already in use for 0.0.0.0
[1522725485] unbound[13292:0] fatal error: could not open ports
And when I follow the commands in the article, I get a failure at:
root@GL-AR300M:~# uci set ‘unbound.@unbound[0].dhcp_link=dnsmasq’
uci: Entry not found
That will get you using their DNS service (which is a big step up compared to the competition, as they don’t keep logs), but it won’t encrypt your request. Anyone can monitor or man-in-the-middle attack your request. They outline why it is important about 2/3 of the way down in their post in layman’s terms (titled “Toward a Better DNS Infrastructure”).
In their words:
DNS itself is a 35-year-old protocol and it’s showing its age. It was never designed with privacy or security in mind. In our conversations with browser, operating system, app, and router manufacturers nearly everyone lamented that, even with a privacy-first service like 1.1.1.1, DNS inherently is unencrypted so it leaks data to anyone who’s monitoring your network connection. While that’s harder to monitor for someone like your ISP than if they run the DNS resolver themselves, it’s still not secure.
That went pretty smoothly once I factory-reset the firmware. I wasn’t getting a network connection from inside the SSH nor the web interface. Easier to reset to factory than diagnose.
Anything I can do to easily tell if my traffic to DNS is encrypted now without re-configuring it to push data through my computer and running fireshark instead of vice-versa?
I just spent quite some time to get DNS-over-TLS to work with unbound just to discover that it’s a pig. It turns each and every DNS query into a full blown TLS connection. Resolution times go from sub-100ms to 200-300ms and more if using a cellular connection. Very disappointing. I’m now looking for a DNS-over-HTTPS solution that keeps a connection open.
Update: I removed unbound and installed dnscrypt-proxy instead. It’s a bit painful because the Go binary is 2.2MB in size, but it works well and is nice and fast! Yay! I have enough space for now, but if I run out I’ll have to pop an SD-card in…