AR300M - Cloudflare's DNS over TLS/HTTPS


#1

I am trying to set up Cloudflare’s new DNS over TLS, following the method outlined here. Unfortunately, it looks like something is already listening on 0.0.0.0:
root@GL-AR300M:~# unbound
[1522725485] unbound[13292:0] error: can't bind socket: Address already in use for 0.0.0.0
[1522725485] unbound[13292:0] fatal error: could not open ports

And when I follow the commands in the article, I get a failure at:
root@GL-AR300M:~# uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'
uci: Entry not found

Any help would be appreciated.
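Two checks that go with the two errors in the post, as an added example that is not part of the original thread or of the Cloudflare guide: the first parses `netstat -lnp` output to show which program already holds port 53 (on a stock OpenWrt/GL.iNet build that is normally dnsmasq, which is why unbound cannot bind 0.0.0.0:53), the second creates the `config unbound` section that `unbound.@unbound[0]` refers to when `uci` reports "Entry not found". The netstat listing is constructed to look like busybox output and is not taken from a real router; the `uci` helper assumes it runs on the router itself and that the package writes its settings to `/etc/config/unbound`.

```shell
#!/bin/sh
# Added example (not from the original post): find out which process already
# owns port 53 before starting unbound, and make sure the uci section that
# 'uci set unbound.@unbound[0]...' expects actually exists.

# Constructed 'netstat -lnp' output, modelled on what busybox prints on an
# OpenWrt router where dnsmasq serves DNS (53) and DHCP (67). Not a real capture.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1234/dnsmasq
tcp        0      0 :::53                   :::*                    LISTEN      1234/dnsmasq'

# Print the distinct program names listening on port $1.
# Reads 'netstat -lnp' output on stdin. UDP rows have no State column, so the
# PID/Program field is taken as the last field ($NF) rather than a fixed $7.
listeners_on_port() {
    awk -v p="$1" '
        NR > 2 && $4 ~ (":" p "$") {
            split($NF, f, "/")
            if (f[2] != "") print f[2]
        }' | sort -u
}

# Create the anonymous "config unbound" section if /etc/config/unbound lacks
# one, so that unbound.@unbound[0] resolves instead of failing with
# "Entry not found". Only meaningful on the router (uci is an OpenWrt tool);
# the caller still runs 'uci commit unbound' after its own 'uci set' lines.
ensure_unbound_section() {
    if ! uci -q get 'unbound.@unbound[0]' >/dev/null 2>&1; then
        uci add unbound unbound >/dev/null
    fi
}

# On the router you would pipe the live command instead of the sample:
#   netstat -lnp | listeners_on_port 53
owner=$(printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on_port 53)
echo "port 53 is held by: ${owner:-nothing}"
```

If the listener turns out to be dnsmasq, unbound can only take port 53 once dnsmasq has been moved off it or stopped; which of the two the guide being followed expects is something to confirm in that guide rather than guess.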


#2

This is a good one. I will try later. Protecting DNS is important.


#3

Why not just add their two servers in the GL UI? This is what I’ve done and so far I am delighted with it!


#4

That will get you using their DNS service (which is a big step up compared to the competition, as they don’t keep logs), but it won’t encrypt your request. Anyone can monitor your request or mount a man-in-the-middle attack on it. They outline why it is important about 2/3 of the way down in their post, in layman’s terms (under the heading “Toward a Better DNS Infrastructure”).

In their words:

DNS itself is a 35-year-old protocol and it’s showing its age. It was never designed with privacy or security in mind. In our conversations with browser, operating system, app, and router manufacturers nearly everyone lamented that, even with a privacy-first service like 1.1.1.1, DNS inherently is unencrypted so it leaks data to anyone who’s monitoring your network connection. While that’s harder to monitor for someone like your ISP than if they run the DNS resolver themselves, it’s still not secure.


#5

I followed this guide and got it setup successfully: https://blog.cloudflare.com/dns-over-tls-for-openwrt/


#6

Funny, they are using a GL.iNET AR750 to do this. Wonder if they follow this forum?

I’ll try it when I get home.


#7

That went pretty smoothly once I factory-reset the firmware. I wasn’t getting a network connection from either SSH or the web interface. Easier to reset to factory than to diagnose it.

Is there anything I can do to easily tell whether my DNS traffic is encrypted now, without re-configuring it to push data through my computer and running Wireshark, instead of vice versa?
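One way to answer the question above without moving the traffic through a PC is to capture on the router's own WAN interface with tcpdump and look at the ports: with DNS over TLS working there should be TCP 853 flows to the resolver and no port-53 packets at all, and any port-53 packet crossing the WAN is a plaintext leak (including from a LAN client that ignores the router and uses its own hard-coded resolver). The script below is an added example, not part of the original thread; it classifies `tcpdump -n` output. The two captures in it are constructed to look like tcpdump output and are not real traces; the interface name `eth0` in the usage comment is an assumption, the actual WAN device can be read from `ifstatus wan`.

```shell
#!/bin/sh
# Added example (not from the original post): classify a tcpdump capture taken
# on the router's WAN interface. Any port-53 packet on the WAN side means DNS
# is leaving in the clear; port-853 packets with no port-53 packets means the
# stub resolver is really using DNS over TLS.
#
# Both captures below are constructed to look like 'tcpdump -ni <wan>' output;
# they are not real traces. 203.0.113.10 stands in for the router's WAN address.

CAPTURE_BEFORE='12:00:00.000001 IP 203.0.113.10.41234 > 1.1.1.1.53: 4711+ A? example.com. (29)
12:00:00.012345 IP 1.1.1.1.53 > 203.0.113.10.41234: 4711 1/0/0 A 93.184.216.34 (45)
12:00:00.020000 IP 203.0.113.10.50000 > 8.8.8.8.53: 4712+ AAAA? example.net. (30)
12:00:00.100000 IP 203.0.113.10.55555 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0'

CAPTURE_AFTER='12:01:00.000001 IP 203.0.113.10.52000 > 1.1.1.1.853: Flags [S], seq 100, win 64240, length 0
12:01:00.010000 IP 1.1.1.1.853 > 203.0.113.10.52000: Flags [S.], seq 200, ack 101, win 65535, length 0
12:01:00.015000 IP 203.0.113.10.52000 > 1.1.1.1.853: Flags [P.], seq 101:318, ack 201, length 217
12:01:00.100000 IP 203.0.113.10.55556 > 93.184.216.34.443: Flags [S], seq 2, win 64240, length 0'

# Count packets whose source or destination port is $1.
# 'tcpdump -n' prints "IP src.port > dst.port:" so the port is the last
# dot-separated component of $3 and of $5 (which carries a trailing colon).
count_port() {
    awk -v p="$1" '
        ($2 == "IP" || $2 == "IP6") && ($3 ~ ("\\." p "$") || $5 ~ ("\\." p ":$")) { n++ }
        END { print n + 0 }'
}

# Verdict for a capture read on stdin: PLAINTEXT_LEAK if any port-53 packet
# crossed the WAN, ENCRYPTED if only port-853 (DNS over TLS) traffic was seen,
# NO_DNS_SEEN otherwise (e.g. nothing was resolved during the capture window).
dns_verdict() {
    cap=$(cat)
    plain=$(printf '%s\n' "$cap" | count_port 53)
    dot=$(printf '%s\n' "$cap" | count_port 853)
    if [ "$plain" -gt 0 ]; then
        echo "PLAINTEXT_LEAK ($plain port-53 packets)"
    elif [ "$dot" -gt 0 ]; then
        echo "ENCRYPTED ($dot port-853 packets)"
    else
        echo "NO_DNS_SEEN"
    fi
}

# On the router, capture for a few seconds on the WAN device (assumed eth0 here;
# check with 'ifstatus wan') while a LAN client resolves a few names:
#   tcpdump -ni eth0 -c 50 'port 53 or port 853' | dns_verdict
printf '%s\n' "$CAPTURE_BEFORE" | dns_verdict
printf '%s\n' "$CAPTURE_AFTER"  | dns_verdict
```

tcpdump is not installed on stock OpenWrt images; `opkg install tcpdump-mini` is enough for this. The check is port-based, so it cannot tell DNS over HTTPS (port 443) apart from ordinary web traffic; for DoH the absence of port-53 packets is the only thing this capture can confirm.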


#8

I would also like to move to DNS over HTTPS instead of TLS, as from reading the comments TLS still looks slightly problematic.


#9

It would be interesting if they saw your post. Not sure how to route via HTTPS, but it is better to route via VPN.


#10

I just spent quite some time getting DNS-over-TLS to work with unbound, just to discover that it’s a pig. It turns each and every DNS query into a full-blown TLS connection. Resolution times go from sub-100 ms to 200-300 ms, and more if using a cellular connection. Very disappointing. I’m now looking for a DNS-over-HTTPS solution that keeps a connection open.

Update: I removed unbound and installed dnscrypt-proxy instead. It’s a bit painful because the Go binary is 2.2 MB in size, but it works well and is nice and fast! Yay! I have enough space for now, but if I run out I’ll have to pop an SD card in…


#11

Do you use the NAND flash version? It should be more than enough for installing such small packages.


#12

Sorry, I’m using a Spitz.


#13

stubby works like a charm for me 🙂

https://candrews.integralblue.com/2018/08/dns-over-tls-on-openwrt-18-06/

best!