AR300M - Cloudflare's DNS over TLS/HTTPS

ABuis · April 3, 2018, 3:22am

I am trying to set up Cloudflare’s new DNS over TLS, following the method outlined here. Unfortunately, it looks like something is already listening on 0.0.0.0:
root@GL-AR300M:~# unbound
[1522725485] unbound[13292:0] error: can’t bind socket: Address already in use for 0.0.0.0
[1522725485] unbound[13292:0] fatal error: could not open ports

And when I follow the commands in the article, I get a failure at:
root@GL-AR300M:~# uci set ‘unbound.@unbound[0].dhcp_link=dnsmasq’
uci: Entry not found

Any help would be appreciated.

alzhao · April 3, 2018, 3:43am

This is a good one. I will try later. Protecting DNS is important.

glitch · April 3, 2018, 9:18am

Why not just add their two servers in the GL UI? This is what I’ve done and so far I am delighted with it!

ABuis · April 3, 2018, 11:49am

That will get you using their DNS service (which is a big step up compared to the competition, as they don’t keep logs), but it won’t encrypt your request. Anyone can monitor or man-in-the-middle attack your request. They outline why it is important about 2/3 of the way down in their post in layman’s terms (titled “Toward a Better DNS Infrastructure”).

In their words:

DNS itself is a 35-year-old protocol and it’s showing its age. It was never designed with privacy or security in mind. In our conversations with browser, operating system, app, and router manufacturers nearly everyone lamented that, even with a privacy-first service like 1.1.1.1, DNS inherently is unencrypted so it leaks data to anyone who’s monitoring your network connection. While that’s harder to monitor for someone like your ISP than if they run the DNS resolver themselves, it’s still not secure.

yochanan · April 17, 2018, 3:12pm

I followed this guide and got it setup successfully: https://blog.cloudflare.com/dns-over-tls-for-openwrt/

ABuis · April 17, 2018, 5:58pm

Funny, they are using a GL.iNET AR750 to do this. Wonder if they follow this forum?

I’ll try it when I get home.

ABuis · April 18, 2018, 1:33am

That went pretty smoothly once I factory-reset the firmware. I wasn’t getting a network connection from inside the SSH nor the web interface. Easier to reset to factory than diagnose.

Anything I can do to easily tell if my traffic to DNS is encrypted now without re-configuring it to push data through my computer and running fireshark instead of vice-versa?

ABuis · April 18, 2018, 1:34am

I would also like to get to using DNS over HTTPS instead of TLS, as TLS looks slightly problematic still from reading the comments.

alzhao · April 20, 2018, 10:33am

Interesting if they saw your post. Not sure how to router via https but it is better to router via vpn.

tve · April 10, 2019, 12:07am

I just spent quite some time to get DNS-over-TLS to work with unbound just to discover that it’s a pig. It turns each and every DNS query into a full blown TLS connection. Resolution times go from sub-100ms to 200-300ms and more if using a cellular connection. Very disappointing. I’m now looking for a DNS-over-HTTPS solution that keeps a connection open.

Update: I removed unbound and installed dnscrypt-proxy instead. It’s a bit painful because the Go binary is 2.2MB in size, but it works well and is nice and fast! Yay! I have enough space for now, but if I run out I’ll have to pop an SD-card in…

alzhao · April 10, 2019, 9:37am

Do you use the Nand flash version? It should be more than enough for installing such small packages.

tve · April 10, 2019, 4:07pm

Sorry, I’m using a Spitz.

tefowene · April 10, 2019, 11:24pm

stubby works like a charm for me

DNS Over TLS on OpenWrt 18.06, 19.07, and 21.01 – Craig Andrews

best!