skeal
Part of the Furniture
I am pretty sure unbound is a replacement for dnsmasq.
I'm only using unbound...
I thought unbound and stubby were (kind of) alternatives for each other. What does using them both add to the mix?
I've noticed this doesn't "stick" when the router is rebooted. I've run it on my AC3200 without issue but the only way to get my WAN IP is by removing Stubby then re-installing it. Is it just me or am I missing a script to keep it alive during a reboot?
Oh, I thought both unbound and stubby were resolvers (that support DNS over TLS).
I am pretty sure unbound is a replacement for dnsmasq.
Have you read at least the past 5 or 6 pages of comments? There are generally 2 possibilities:
1) The router clock not getting set before Stubby runs, the very latest on Github has been patched to fix.
2) You have a DNS entry on your IPv6 page. Delete any IPv6 DNS entries and copy the local IPv6 address of your router into the 1st slot.
Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet authenticate upstreams, or re-use TCP/TLS connections).
I'm only using unbound...
I thought unbound and stubby were (kind of) alternatives for each other. What does using them both add to the mix?
The script does make a back-up of the existing stubby.yml file by appending the timestamp to it if an existing stubby.yml file exists. You can then copy the contents to the stubby.yml file or delete the recently downloaded stubby.yml file and rename stubby.yml.timestamp to stubby.yml.
When I run the install function it always overwrites my stubby.yml file. This has happened multiple times. I have an RT-AC66U_B1 running 384.8_2. To run the update I use sh install_stubby.sh from /jffs/scripts. Am I doing something wrong?
--proxy-dnssec Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
Conclusion: Not all resolvers play well with DNSSEC. Cloudflare does. Quad9 doesn't.
If @Adamm is willing to get fancy on this, I would suggest to base this off the value of nvram dnssec_enable. If user has dnssec enabled in the GUI, replace the normal dnssec parameter with proxy-dnssec. This would mean reconfiguring dnsmasq.conf via the postconf script instead of the .add file, but you would be able to have the user control the feature from the GUI.
Thinking out loud on how best to implement:
So if I'm using proxy-dnssec I should have 'Enable DNSSEC Support' set to ON in the GUI?
If @Adamm is willing to get fancy on this, I would suggest to base this off the value of nvram dnssec_enable. If user has dnssec enabled in the GUI, replace the normal dnssec parameter with proxy-dnssec. This would mean reconfiguring dnsmasq.conf via the postconf script instead of the .add file, but you would be able to have the user control the feature from the GUI.
Not now. But maybe later if my idea gets support.
So if I'm using proxy-dnssec I should have 'Enable DNSSEC Support' set to ON in the GUI?
This was exactly why I wanted to build a version with OpenSSL 1.1.1 statically included:
Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet authenticate upstreams, or re-use TCP/TLS connections).
I've been trying proxy-dnssec in dnsmasq.conf.add since @bbunge mentioned it a short while ago, with no issues using Cloudflare. I haven't tested with Quad9 but will try to find time to do so later.
Please provide your feedback. Would also be nice if you have time to test the setting with Cloudflare and Quad9 to validate my test results.
Enabling DNSSEC on the Web GUI creates an issue. The Cloudflare test site 1.1.1.1/help will report that DoT is not working. I can't recall now if the other sites have issues as it was a few months ago. There was also a DNSSEC setting in stubby that created issues on test sites as well. I spent a lot of time testing it in the past. Based on the effort and results, I decided to put it in the parking lot and test again when the new version of Stubby is released.
So if I'm using proxy-dnssec I should have 'Enable DNSSEC Support' set to ON in the GUI?
Noted for future enhancement. Thanks for doing the preliminary analysis. Also, you just signed up to be the tester for ipv6!
I'm not smart enough to offer you a git push or whatever (yet! Git is next on my list to learn!), but I think for people who use IPv6, what you need to add to the stubby install script is something like the below in the appropriate places in "update_wan_and_resolv_settings" function:
Code:
# Point dnsmasq and the IPv6 DNS slots at the router's own IPv6 address
RTR_IP="$(nvram get ipv6_rtr_addr)"
echo "server=$RTR_IP" > /tmp/resolv.dnsmasq
nvram set ipv6_dns1="$RTR_IP"
nvram set ipv6_dns2=""
nvram set ipv6_dns3=""
and in the "remove_existing_installation" function:
Code:
# Set the first IPv6 DNS slot to Cloudflare's resolver when Stubby is removed
IPV6_DNS1="2606:4700:4700::1111"
nvram set ipv6_dns1="$IPV6_DNS1"
But, I'm hardly an expert.
Good idea.
If @Adamm is willing to get fancy on this, I would suggest to base this off the value of nvram dnssec_enable. If user has dnssec enabled in the GUI, replace the normal dnssec parameter with proxy-dnssec. This would mean reconfiguring dnsmasq.conf via the postconf script instead of the .add file, but you would be able to have the user control the feature from the GUI.
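
One way the idea discussed in the thread (switching dnsmasq from `dnssec` to `proxy-dnssec` based on `nvram get dnssec_enable`, applied from a postconf script rather than the .add file) could look. This is an added example, not code from the installer script or from any poster; the function names `apply_dnssec_mode` and `dnssec_mode` are hypothetical, and it assumes the postconf script receives the path of the generated dnsmasq config as its first argument.

```shell
#!/bin/sh
# Added example (not the installer's code): postconf-style rewrite of dnsmasq.conf.

# apply_dnssec_mode CONFIG DNSSEC_ENABLE
#   DNSSEC_ENABLE=1 : replace local validation ("dnssec") with "proxy-dnssec"
#   anything else   : remove any stale "proxy-dnssec" line
# Other DNSSEC-related lines (e.g. trust-anchor=) are left untouched.
apply_dnssec_mode() {
    conf="$1"
    enabled="$2"
    [ -f "$conf" ] || return 1
    tmp="$conf.tmp.$$"

    if [ "$enabled" = "1" ]; then
        # Match only the bare directive, not "dnssec-check-unsigned" etc.
        sed 's/^dnssec$/proxy-dnssec/' "$conf" > "$tmp" && mv "$tmp" "$conf"
        # Idempotent: append only if the directive is still missing.
        grep -qx 'proxy-dnssec' "$conf" || echo 'proxy-dnssec' >> "$conf"
    else
        sed '/^proxy-dnssec$/d' "$conf" > "$tmp" && mv "$tmp" "$conf"
    fi
}

# dnssec_mode CONFIG -> prints "proxy", "validate" or "off"
dnssec_mode() {
    if grep -qx 'proxy-dnssec' "$1"; then
        echo proxy
    elif grep -qx 'dnssec' "$1"; then
        echo validate
    else
        echo off
    fi
}

# On the router this would run as: dnsmasq.postconf <config path>
# (assumption: the GUI toggle is read with "nvram get dnssec_enable").
if [ -n "${1:-}" ] && command -v nvram >/dev/null 2>&1; then
    apply_dnssec_mode "$1" "$(nvram get dnssec_enable)"
fi
```

With `proxy-dnssec`, dnsmasq passes along the upstream's Authenticated Data bit instead of validating itself, so the result is only as trustworthy as the path to the upstream resolver, as the quoted man page text says.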