Should I stop using my ISP DNS server?

Discussion in 'Tomato Firmware' started by Bird333, Jun 12, 2018.

  1. Bird333

    Bird333 Network Guru Member

    In general I would say I'm a big proponent of privacy so in the spirit of that I think I should stop using my ISP's DNS. Which DNS server(s) should I use? What settings do I need to change in the router?
     
  2. eibgrad

    eibgrad Network Guru Member

    Assuming you're using DNSMasq for DNS on your router (the default), the best option imo to avoid the ISP's DNS servers is to add the following to DNSMasq.

    Code:
    no-resolv
    server=1.1.1.1 # cloudflare
    server=1.0.0.1 # cloudflare (backup)
    server=8.8.8.8 # google
    server=8.8.4.4 # google (backup)
    Doesn't really matter what you use for servers, take your pick. The key is the use of the no-resolv directive. It says to ignore whatever other sources exist for public DNS servers and only use what's specified in this DNSMasq config file in the form of server directives.

    Of course, it would be even better to route DNS over a VPN, because even if you change the DNS servers, there's always the risk the ISP might intercept your DNS queries over port 53 and redirect them back to his own DNS servers! That's why you're seeing other DNS options appearing, like DNS over https, dnscrypt, etc. These make it possible to secure DNS w/o the need for a VPN.
     
  3. Bird333

    Bird333 Network Guru Member

    Thanks for the reply. Actually your responses here http://linksysinfo.org/index.php?threads/dns-leak.73296/ got me to thinking about this. I've got an OpenVPN server (manual, not in GUI) running on the router but not a client. Are you saying I would need to pay for a VPN service somewhere and use it for DNS? Also, I think I would like to try dnscrypt, is it hard to set up?
     
    Last edited: Jun 12, 2018
  4. eibgrad

    eibgrad Network Guru Member

    I'm saying one way to solve it is w/ a VPN. Whether you pay for it, leverage a friend's VPN server, whatever, is up to you. Of course, few ppl would use a VPN *solely* for the purposes of DNS privacy. If you're interested in DNS privacy, you're highly likely to be concerned about privacy in general, for everything, making a VPN a necessity. The ability to also have privacy for DNS is just a bonus.

    As long as you're using a relatively recent build, there should already be an option on the Basic->Network page. You just enable it, pick your preferred resolver, and it will start a DNS proxy on the router for that DNS provider. Then DNSMasq is reconfigured to point to that proxy for all public IP name resolution.

    So it's not hard to set up at all. But iirc, dnscrypt may be on the way out, at least in the long term. There have been numerous attempts to solve this problem w/ different solutions, and none has proven to be the winner, at least not yet. The most recent candidate seems to be DNS over HTTPS (I believe initiated by Cloudflare). And in order to use any of these DNS alternates, your router has to have the necessary libraries from the provider. And as yet, that isn't the case w/ tomato (at least afaik).

    So as long as dnscrypt continues to be supported, it's certainly one way to solve the problem. But it relies heavily on those supporting the DNS resolvers to continue keeping their servers running. And that *might* prove to be a problem if other solutions gain more traction.
     
    Last edited: Jun 12, 2018
  5. Bird333

    Bird333 Network Guru Member

    Just had a thought. Since DNSCrypt is OpenDNS, would I have my browsing filtered? I don't want any restrictions just the encrypted DNS.
     
  6. eibgrad

    eibgrad Network Guru Member

    Not sure what you mean by "DNSCrypt is OpenDNS". OpenDNS is a company offering their own DNS servers w/ blocking, filtering, etc. DNSCrypt is an open protocol ( https://dnscrypt.info/ ) and is NOT associated w/ any particular company or organization. Different ppl and organizations have decided to support their own DNS resolvers using the protocol, and at least a good portion of those are listed in the dnscrypt option in the GUI.

    Now I suppose it's always possible OpenDNS (the company) could decide to do the same. And perhaps as an extension of their existing service, w/ all the blocking and filtering their customers have come to love. But I'm not aware of any such thing at the moment.
     
    Last edited: Jun 12, 2018
  7. Bird333

    Bird333 Network Guru Member

    Ok thanks! I have implemented it. How can I tell that I am actually using DNSCrypt?
     
    Last edited: Jun 13, 2018
  8. xips_

    xips_ Networkin' Nut Member

    Your syslog will have entries. You should be able to set loglevel too.
     
  9. Bird333

    Bird333 Network Guru Member

    What log are you referring to? I looked in /tmp/var/log/messages and I didn't see anything.
     
  10. eibgrad

    eibgrad Network Guru Member

    Last time I used it (and that's quite some time ago), it would start a local proxy on the router (e.g., port 5353), then reconfigure DNSMasq to only use that proxy for its public DNS queries. IIRC, the DNSMasq config file ( /tmp/etc/dnsmasq.conf ) would contain the following directives.

    Code:
    no-resolv
    server=127.0.0.1#5353
    With that being in DNSMasq, the only available public DNS is via that proxy (which, btw, was one of its weaknesses; no backup DNS is defined).

    One way to track DNS is to dump connection tracking.

    Code:
    cat /proc/net/ip_conntrack | grep ' dport=53 '
    But that assumes the DNSCrypt resolver is using destination port 53, which might not necessarily be the case.
     
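    Added example (not from this thread or from the Tomato firmware): a POSIX sh script that combines the no-resolv/server= config from post 2 with the conntrack check above, listing DNS flows (dport=53) whose destination is not one of the upstreams dnsmasq is configured with. The dnsmasq.conf fragment and conntrack lines are constructed samples; on a router you would read /tmp/etc/dnsmasq.conf and /proc/net/ip_conntrack instead.

```shell
#!/bin/sh
# Constructed dnsmasq.conf fragment in the no-resolv/server= form from post 2.
DNSMASQ_CONF='no-resolv
server=1.1.1.1 # cloudflare
server=127.0.0.1#5353'

# Constructed /proc/net/ip_conntrack-style entries (not real router output).
# Entry 2 is a DNS query to a host that is not a configured upstream.
CONNTRACK='udp      17 25 src=192.168.1.10 dst=1.1.1.1 sport=51234 dport=53 packets=1 bytes=60 [UNREPLIED] src=1.1.1.1 dst=192.168.1.10 sport=53 dport=51234 packets=0 bytes=0 mark=0 use=2
udp      17 25 src=192.168.1.10 dst=203.0.113.5 sport=51235 dport=53 packets=1 bytes=60 src=203.0.113.5 dst=192.168.1.10 sport=53 dport=51235 packets=1 bytes=120 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=40000 dport=443 packets=10 bytes=1000 src=198.51.100.7 dst=192.168.1.10 sport=443 dport=40000 packets=10 bytes=1000 [ASSURED] mark=0 use=2'

# True when the config contains a bare no-resolv line (ISP-supplied resolvers ignored).
has_no_resolv() {
    printf '%s\n' "$DNSMASQ_CONF" | grep -qx 'no-resolv'
}

# IPs named by server= directives; the #port suffix and trailing comments are dropped.
allowed_upstreams() {
    printf '%s\n' "$DNSMASQ_CONF" | sed -n 's/^server=\([0-9.]*\).*/\1/p'
}

# Destination IPs of conntrack entries whose original-direction dport is 53.
# Only the first dst=/dport= of each entry is used (the reply tuple is ignored).
dns_destinations() {
    printf '%s\n' "$CONNTRACK" | awk '{
        dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (dport == "53") print dst
    }' | sort -u
}

# Space-separated list of port-53 destinations not configured as a dnsmasq upstream.
dns_leaks() {
    allowed=" $(allowed_upstreams | tr '\n' ' ') "
    leaks=""
    for d in $(dns_destinations); do
        case "$allowed" in
            *" $d "*) ;;                 # expected upstream (or the local DNSCrypt proxy)
            *) leaks="$leaks $d" ;;      # DNS going somewhere dnsmasq was not told about
        esac
    done
    printf '%s\n' "${leaks# }"
}
```

    An empty result from dns_leaks means every port-53 flow in the dump went to a configured upstream; as post 10 notes, a DNSCrypt resolver may use a different port, so its own upstream traffic will not appear under dport=53 at all.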
  11. xips_

    xips_ Networkin' Nut Member

    Status > Logs for one. Example from a retired Shibby 140 log entry:
    Code:
    Sep 24 02:58:12 R7000 daemon.notice dnscrypt-proxy[7803]: Proxying from 127.0.0.1:40 to 107.170.57.34:443

    It logs key exchanges frequently which is why I mentioned the loglevel. Loglevel runs from 0 (critical) to 7 (debug-level) where default is 6. I set mine to 5.
     
  12. Bird333

    Bird333 Network Guru Member

    Where do you change the log level? I don't see any dnscrypt lines. I do see dnsmasq lines that are forwarded to 127.0.0.1.
     
  13. xips_

    xips_ Networkin' Nut Member

  14. Bird333

    Bird333 Network Guru Member
