Trying to understand how dns resolution is working behind the scene with dns privacy on

[collations_interrena]

Hello,

I'm a beginner there trying to understand how things are working behind the scene about dns resolution on the router I'm using

I'm actually using dns privacy in Merlin with my AC-68U (latest firmware --> 386.3) and when I use tcpdump, I only see request on port 853 and none on port 53. So far so good about all my dns requests.

From what I can see into /tmp/etc/dnsmasq.conf :

no-resolv
servers-file=/tmp/resolv.dnsmasq

So dnsmasq is only using content of resolv.dnsmasq file as resolver.

We can see this into /tmp/resolv.dnsmasq :

server=127.0.1.1

So the resolver used by dnsmasq is 127.0.1.1

Making sense because I can also see this into the file /tmp/etc/stubby/stubby.yml :

[...]
resolvconf: "/tmp/resolv.conf"
[...]
listen_addresses:
- 127.0.1.1@53
[...]
So stubby is listening on tcp port 53 at 127.0.1.1 for all the request coming from dnsmasq (because dnsmasq use 127.0.1.1 as resolver as seen above)

The thing I don't understand is about the line "resolvconf: "/tmp/resolv.conf"" into stubby.yml

The content of this file is :

nameserver 9.9.9.9
nameserver 149.112.112.112
nameserver 127.0.1.1

The first two nameserver are the dns I've set on the WAN page with the GUI (quad9 dns). But why does stubby has a resolv.conf file into stubby.yml? Maybe to resolve DoT nameserver but I'm unsure about this.
And it's even more weird for me to see 127.0.1.1 into the file because it's the adress where stubby is listening itself.

I would appreciate any help to understand this.

 

[dave14305]

See here when I was smarter.

[Preview] Asuswrt-Merlin 384.11 with DNS over TLS

As for proxy-dnssec in dnsmasq.conf, use it or not. Makes no difference to stubby dnssec validation. I feel it is good to have there as web browsers begin to use dnssec validation. Agreed, we found that the get extensions true in the .yml takes precedence in the Stubby trials.

www.snbforums.com

 

[bbunge]

Hello,

I'm a beginner there trying to understand how things are working behind the scene about dns resolution on the router I'm using

I'm actually using dns privacy in Merlin with my AC-68U (latest firmware --> 386.3) and when I use tcpdump, I only see request on port 853 and none on port 53. So far so good about all my dns requests.

From what I can see into /tmp/etc/dnsmasq.conf :

no-resolv
servers-file=/tmp/resolv.dnsmasq

So dnsmasq is only using content of resolv.dnsmasq file as resolver.

We can see this into /tmp/resolv.dnsmasq :

server=127.0.1.1

So the resolver used by dnsmasq is 127.0.1.1

Making sense because I can also see this into the file /tmp/etc/stubby/stubby.yml :

[...]
resolvconf: "/tmp/resolv.conf"
[...]
listen_addresses:
- 127.0.1.1@53
[...]
So stubby is listening on tcp port 53 at 127.0.1.1 for all the request coming from dnsmasq (because dnsmasq use 127.0.1.1 as resolver as seen above)

The thing I don't understand is about the line "resolvconf: "/tmp/resolv.conf"" into stubby.yml

The content of this file is :

nameserver 9.9.9.9
nameserver 149.112.112.112
nameserver 127.0.1.1

The first two nameserver are the dns I've set on the WAN page with the GUI (quad9 dns). But why does stubby has a resolv.conf file into stubby.yml? Maybe to resolve DoT nameserver but I'm unsure about this.
And it's even more weird for me to see 127.0.1.1 into the file because it's the adress where stubby is listening itself.

I would appreciate any help to understand this.

OK, here goes:

You have discovered that dnsmasq is acting as a caching DNS server for clients on your LAN and gets requests via port 53.
On router boot it will use WAN DNS Server 1 and 2 mainly to set the router hardware clock.
With DoT enabled dnsmasq will pass requests to Stubby via the 121.0.1.1 loopback on port 53. Stubby then encrypts and sends those requests to the upstream resolvers, in turn, on port 853. The requests are returned on port 853, Stubby decrypts them and send to dnsmasq on port 53 at 121.0.1.1. Dnsmasq will cache the requests up to its settings limit then send the request to the client.
With DNSSEC enabled the requests are verified by dnsmasq.

That is the basics. It is possible to change those settings in Merlin and I have just because I'm old and stubborn and did not do it that way in development. But it works very well in Merlin the way it is.
Supposedly in time Stubby will have the ability to use DoH. But why wait for it when it works very well with DoT and DNSSEC.
Oh, you should enable DNS Filtering to router in LAN - DNSFilter.

 

[collations_interrena]

Thanks to both of you. Yes, DNS Filter is already enable (to "router", to be sure to capture any plain dns request from any client on my LAN).
Everything seem logical except about finding the stubby's loopback (nameserver 127.0.1.1) into resolv.conf
Stubby using this file for the startup but he could result to ask to itself, like in a loop.

 

[dave14305]

Everything seem logical except about finding the stubby's loopback (nameserver 127.0.1.1) into resolv.conf
Stubby using this file for the startup but he could result to ask to itself, like in a loop.

It’s a last resort for local resolution by the router. Likely never going to get used when it’s third in line. Also discussed in the original thread by themiron who ported stubby to the firmware.

https://www.snbforums.com/threads/preview-asuswrt-merlin-384-11-with-dns-over-tls.56095/page-9#post-481706

Once Stubby establishes its connections with the specified upstream servers, it won’t get into any loop with resolvconf settings.

You’re asking the same questions I asked a couple years ago, so you must have above-average intelligence.

 

[bbunge]

Also discussed in the original thread by themiron who ported stubby to the firmware.


Actually, there were several of us (Xentrk and skeal) who had Stubby/Get DNS working as an Entware add on well before Merlin 384.11. We had Stubby doing DNSSEC as well as DoT and used loopback 121.0.0.1 on port 5453 between Dnsmasq and Srubby. Guess that was the easy part....

 

[ColinTaylor]

@bbunge 127.0.x.x not 121.0.x.x.

 

[collations_interrena]

Thank you for all the answers, now I get it.

It’s a last resort for local resolution by the router. Likely never going to get used when it’s third in line. Also discussed in the original thread by themiron who ported stubby to the firmware.

https://www.snbforums.com/threads/preview-asuswrt-merlin-384-11-with-dns-over-tls.56095/page-9#post-481706

Once Stubby establishes its connections with the specified upstream servers, it won’t get into any loop with resolvconf settings.

You’re asking the same questions I asked a couple years ago, so you must have above-average intelligence.

Ah ah, indeed I can see similarities in your past questions and mine

 

[bbunge]

@bbunge 127.0.x.x not 121.0.x.x.

Yup!

 

[aolone]

It’s a last resort for local resolution by the router. Likely never going to get used when it’s third in line. Also discussed in the original thread by themiron who ported stubby to the firmware.

https://www.snbforums.com/threads/preview-asuswrt-merlin-384-11-with-dns-over-tls.56095/page-9#post-481706

Once Stubby establishes its connections with the specified upstream servers, it won’t get into any loop with resolvconf settings.

You’re asking the same questions I asked a couple years ago, so you must have above-average intelligence.

and out of left field
I am not clear at all about the DNS privacy issue and the use cloudflare/quad9... servers instead of the ISP
when ovpn is set to strict and using the ISP dns in wan, ipleak.net shows that there is only one resolver that has the same IP as the VPN
when using cloudflare and dns over tls, I get at least two additional dns servers and not always in the same country as the VPN server
I don't understand, which is more private and safer, using the VPN dns or having 3 DNS resolvers? what is their purpose and how do they increase my privacy?
my local dns is my router ip, so all connected gizmos go through it and presumably the VPN dns. Correct me if I'm wrong.