rgnldo
Very Senior Member
I await news @SomeWhereOverTheRainBow
As confusing as everyone's Debian guide is, I can happily say that Entware has nginx compiled to support TLS 1.3. I am happy about that. I think you can adapt.
I'm excited about a local DoT or DoH solution. Awaiting.
Nginx is very light and takes up little processing on the router. I have experience with Nginx shipped on Tomato. Honestly, a router that supports Diversion Adblock's load can handle almost everything. Let's go to the tests.
I don't quite follow what's on the other end of this proxy? It doesn't do much good on the router, since you can't rely on every authoritative name server to accept DoT. Or is it supposed to run on my theoretical Unbound server in the cloud, so it will accept DoT requests with nginx running on the Linux instance, and the router using Unbound or Stubby to forward local queries over DoT?
Basically it is pushing whatever servers you are using (whether it is Google or Cloudflare) out using a secure TLS connection. Basically your Google that you have become can be pushed out to be an ad-blocking server if you have Unbound configured correctly; clients can then pull it back using the forwarding option. The only problem is that Unbound has to open a new connection each time because it cannot reuse the same TCP/TLS connection.
Awaiting setup steps.
I have switched my firmware from Merlin to John's fork, but I was able to get Unbound working as before. It's a little trickier/riskier because John's fork doesn't let the router rely on WAN DNS only, but must use dnsmasq for router lookups. So I have to be really sure that Unbound is up and running before I restart dnsmasq and remove the WAN DNS configuration.
So I made 3 changes to my configuration:
- /opt/etc/init.d/S61unbound - I made the dnsmasq restart a POSTCMD instead of the PRECMD.
Code:
#!/bin/sh
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
    # Wait for NTP before starting
    logger -st "S61unbound" "Waiting for NTP to sync before starting..."
    ntptimer=0
    while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
        ntptimer=$((ntptimer+1))
        sleep 1
    done
    if [ "$ntptimer" -ge "300" ]; then
        logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
        echo ""
        exit 1
    fi
fi
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
PRECMD=""
POSTCMD="service restart_dnsmasq"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
- /jffs/scripts/dnsmasq.postconf - I checked to make sure unbound is running before I remove the WAN DNS servers (changed to resolv-file in John's fork vs servers-file in Merlin).
Code:
#!/bin/sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion
CONFIG=$1
source /usr/sbin/helper.sh
if [ -n "`pidof unbound`" ]; then
    #pc_delete "servers-file" $CONFIG
    pc_delete "resolv-file=/tmp/resolv.conf" $CONFIG
    pc_append "server=127.0.0.1#5053" $CONFIG
    pc_append "proxy-dnssec" $CONFIG
fi
- /opt/var/lib/unbound/unbound.conf - Since the CA bundle in John's fork is a bit older than in Merlin, I reverted to the Entware ca-bundle path.
Code:
tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"
EDIT: Turns out that the ca-bundle.crt are the same version in the firmware. My mistake. I'll leave it for now.
So far so good. I need to test a reboot again later tonight. I had some issues with the NTP sync before I added my dnsmasq postconf check, since I couldn't resolve the NTP server names. But so far so good!
I don't change anything else about dnsmasq yet. I'm not claiming my setup is production-ready for everyone. But it's working well for me at this time. I've got all this extra free memory now that I'm running John's fork.
"/jffs/scripts/dnsmasq.postconf - I checked to make sure unbound is running before I remove the WAN DNS servers (changed to resolv-file in John's fork vs servers-file in Merlin)."
Better to add the argument of the questions which WAN DNS files exist.
"/opt/var/lib/unbound/unbound.conf - Since the CA bundle in John's fork is a bit older than in Merlin, I reverted to the Entware ca-bundle path."
I believe it is better to leave it by default.
Dave, what about cache-size in dnsmasq? Do you also set it to 0 instead of the default 1500? Is the dnsmasq.postconf you posted your entire config, or is there more below the if section?
This is the configuration scenario of @dave14305 for Asuswrt-Merlin 374.43 LTS
Code:
CONFIG=$1
source /usr/sbin/helper.sh
if [ -n "`pidof unbound`" ]; then
    pc_delete "resolv-file=/tmp/resolv.conf" $CONFIG
    pc_append "server=127.0.0.1#53535" $CONFIG
    pc_delete "no-negcache" $CONFIG
    pc_replace "cache-size=1500" "cache-size=0" $CONFIG
    pc_append "proxy-dnssec" $CONFIG
fi
Code:
server:
    # port to answer queries from
    port: 53535
    verbosity: 2
    logfile: "/opt/var/lib/unbound/unbound.log"
    log-queries: yes
    log-replies: yes
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    # don't be picky about interfaces but consider your firewall
    interface: 127.0.0.1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/24 allow
    access-control: 192.168.1.0/24 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    # private networks:
    private-address: 127.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # no threads and no memory slabs for threads
    num-threads: 2
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    so-reuseport: yes
    outgoing-range: 8192
    num-queries-per-thread: 4096
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    infra-cache-numhosts: 15000
    infra-cache-lame-size: 10k
    # tiny memory cache
    key-cache-size: 16m
    msg-cache-size: 8m
    rrset-cache-size: 8m
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    cache-max-negative-ttl: 0
    infra-host-ttl: 60
    infra-lame-ttl: 120
    edns-buffer-size: 1472
    # prefetch
    prefetch: yes
    prefetch-key: yes
    minimal-responses: yes
    # gentle on recursion
    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    rrset-roundrobin: yes
    harden-glue: yes
    harden-referral-path: no
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    # Self jail Unbound with user "unbound" to /var/lib/unbound
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"
    root-hints: "/opt/var/lib/unbound/root.hints"
    # The pid file
    pidfile: "/opt/var/run/unbound.pid"
    # DNSSEC and DNS-over-TLS
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    auto-trust-anchor-file: "/root.key"
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: "/opt/var/lib/unbound/unbound_server.key"
    server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
    control-key-file: "/opt/var/lib/unbound/unbound_control.key"
    control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
I've added the no-negcache and cache-size changes since the assumption is that Unbound is a more efficient caching server. So I'll continue to monitor how it performs.
The change is important. Although dnsmasq is not forwarding queries, it is still monitoring and trying to store local cache.
@SomeWhereOverTheRainBow Proposal for local service DoT with Nginx. I think it's over here:
Code:
opkg install nginx
/opt/etc/nginx/nginx.conf
Code:
stream {
    upstream dns-servers {
        server 127.0.0.1:53535;
    }
    server {
        listen 853 ssl;
        proxy_pass dns-servers;
        ssl_certificate /opt/etc/nginx/ssl/dot-server.crt;
        ssl_certificate_key /opt/etc/nginx/ssl/dot-server.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
        ssl_handshake_timeout 10s;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 4h;
    }
}
That looks like it will work; the only thing you may need to do is a firewall rule for TCP on port 853. And everybody that decides to go this route has to make the directory "/opt/etc/nginx/ssl" and provide their own SSL cert for their setup. Let it be noted you need to install nginx-extras and not the basic nginx, because nginx-extras is the full package deal.
But it fails to find the dot-server.crt and dot-server.key
Code:
# the ssl directory does not exist by default, so create it before changing into it
mkdir -p /opt/etc/nginx/ssl
cd /opt/etc/nginx/ssl
chown -R nobody /opt/etc/nginx/ssl
# private key for the DoT listener
openssl genrsa -out dot-server.key 2048
# self-signed certificate for that key; the command as originally posted used ca.key, which is never generated, so it failed
openssl req -key dot-server.key -new -x509 -days 720 -sha256 -extensions v3_ca -out dot-server.crt -subj "/CN=Nginx CA"
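Once the key and certificate exist and nginx is listening on 853, the check worth doing is whether the listener actually speaks DNS-over-TLS and presents the certificate you generated, rather than just whether the port is open. The client below is an added example, not code from the thread, from nginx or from Unbound: it hand-builds a DNS query, applies the two-byte length prefix that DNS over TCP and TLS requires, opens a fresh TLS connection per query (the behaviour the thread notes for Unbound's own forwarding), verifies the server against the self-signed dot-server.crt, and parses the answer section, including compressed names. The hostname `router.lan`, the certificate path and the address in the test response are assumptions or constructed values.

```python
"""Minimal DNS-over-TLS client for checking the nginx stream listener on port 853.

Added example, not code from the thread, nginx or Unbound. Hostname and cert
path are assumptions; the message bytes in the test are constructed.
"""
import os
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query for `name` (qtype 1 = A) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DoT/TCP framing: a 16-bit big-endian length precedes every message."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(data, offset):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # the pointer ends the name on the wire
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_answers(msg, expect_txid=None):
    """Return (rcode, [(name, rtype, ttl, rdata_text), ...]) for the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(name, host="router.lan", port=853, cafile="/opt/etc/nginx/ssl/dot-server.crt"):
    """One query over a fresh TLS connection, trusting only the generated server cert."""
    ctx = ssl.create_default_context(cafile=cafile)     # hostname check stays on
    txid = int.from_bytes(os.urandom(2), "big")        # random id, matched on the reply
    query = build_query(name, txid=txid)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
    return parse_answers(reply, expect_txid=txid)


if __name__ == "__main__":
    print(dot_query("example.com"))
```

Two things this surfaces in practice. First, the certificate generated above has subject `/CN=Nginx CA` and no subjectAltName, so `ssl.create_default_context` will reject it for `router.lan`; the fix is to regenerate the cert with a SAN for the name clients use, not to disable hostname checking. Second, because each call opens its own TLS session, the `ssl_session_cache` in the nginx config is what keeps repeated queries from paying a full handshake every time.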