Must watch videos on DNS security: Stubby etc

Discussion in 'Tomato Firmware' started by rs232, Dec 22, 2018.

  1. rs232

    rs232 Network Guru Member

    Not entirely off topic, so I would invite everyone who wants to better understand what the issue is with DNS security nowadays and what has chronologically been attempted/developed until we got to Stubby.

    I can easily say this has been the best 1 hour of learning I've had for a long time.



    and also:

     
    Last edited: Dec 22, 2018
  2. lepa71

    lepa71 Networkin' Nut Member

    I enabled DNSSec on my RT-AC68u running RMerlin fw. How do I test that it is working?
     
  3. rs232

    rs232 Network Guru Member

    Read in order:
    https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm.74117/page-15#post-301492
    https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm.74117/page-15#post-301509
    https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm.74117/page-15#post-301525
    https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm.74117/page-15#post-301528
    https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm.74117/page-15#post-301530
    https://www.linksysinfo.org/index.php?threads/fork-freshtomato-arm.74117/page-15#post-301533

    To see if the process is running:
    netstat -tulpn | grep stubby

    then inspect your "DNS related" system files:

    cat /etc/resolv.conf
    cat /etc/resolv.dnsmasq
    cat /etc/dnsmasq.conf | grep "server="


    Essentially everything should point to 127.0.0.1 or 127.0.0.1:5453 and there should be no reference to other DNS servers.

    NOTE: because of a minor bug in Tomato, you must set DNS to manual for your WAN and fill in at least one of the two fields with 127.0.0.1:5453. This will create a duplicate entry in dnsmasq.conf (which is irrelevant), however it will prevent the ISP's DNS servers from being accepted by your Tomato router. If you don't, though, this affects only the router's DNS resolution and not the LAN clients'.

    Also note the netstat command above is very important: you will have no name resolution until Stubby appears in the list, and that can take a rather long time (e.g. 30 secs per se).

    The actual verification part is a bit tricky, as Stubby by default has multiple resolvers defined (check the /etc/stubby.yml file), so you can try Cloudflare https://1.1.1.1/help, but if Stubby decides to resolve against a different (defined) resolver this page is likely to mislead you.
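    An added example (not part of rs232's post, nor code from the Tomato or Stubby projects) that scripts the checks above: it pulls every upstream out of the resolver files and fails if any entry is not the loopback Stubby listener. The ip#port form dnsmasq writes, the 5453 port and the BusyBox sed/netstat tools are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: audit the DNS-related files named above and flag
# any upstream that is not the local Stubby listener (assumed 127.0.0.1, port 5453).
# Assumes BusyBox sh with sed and netstat, as found on Tomato.

STUBBY_IP="127.0.0.1"
STUBBY_PORT="5453"

# Print every upstream found in the given files: "nameserver X" lines from
# resolv-style files and "server=X" lines from dnsmasq.conf. Unreadable files are skipped.
dns_upstreams() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -n -e 's/^nameserver[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' \
               -e 's/^server=\(.*\)$/\1/p' "$f"
    done
}

# Return 0 when every upstream is the loopback Stubby listener, 1 otherwise.
# dnsmasq writes the port as ip#port while the Tomato UI shows ip:port, so accept both.
check_upstreams() {
    bad=0
    for s in $(dns_upstreams "$@"); do
        case "$s" in
            "$STUBBY_IP"|"$STUBBY_IP#$STUBBY_PORT"|"$STUBBY_IP:$STUBBY_PORT") ;;
            *) echo "non-local upstream: $s"; bad=1 ;;
        esac
    done
    return $bad
}

# True once the stubby process is listening; until then the router cannot resolve names.
stubby_listening() {
    netstat -tulpn 2>/dev/null | grep -q stubby
}

# Usage on the router:
#   sh check_stubby.sh /etc/resolv.conf /etc/resolv.dnsmasq /etc/dnsmasq.conf
if [ "$#" -gt 0 ]; then
    if stubby_listening; then echo "stubby is listening"; else echo "stubby not listening yet"; fi
    check_upstreams "$@" && echo "all upstreams point to Stubby"
fi
```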
     
  4. lepa71

    lepa71 Networkin' Nut Member

    I don't think RMerlin is using stubby.
     
  5. rs232

    rs232 Network Guru Member

    I don't know about DNSSEC sorry.
     
  6. rgnldo

    rgnldo Networkin' Nut Member

    Merlin fork 374.43 is the first FW build with native Stubby.
     
  7. Cliffield

    Cliffield Network Newbie Member
