I’m far from being a person that understands network configurations. I followed the OpenWRT site’s guides to replace my router’s firmware (I have the habit of buying compatible ones and replacing their firmware) and how to set up the network (main, guests etc.) and also how to get more privacy with Unbound and DoT + DNSSEC. There is also a page about DNS Hijacking with “guides” to improve and enforce settings, BUT I don’t know what that means nor if it is effective, and they are also lacking in explanations.
I can’t afford any other router for the foreseeable future, so I have to use what I have: Xiaomi Mi Router 4A Gigabit Edition.
I’m not sure, but it seems that the Unbound configuration is not working anymore for DoT + DNSSEC. Leak tests now, instead of showing a random IP from one of the public DNSs (Quad9, CloudFlare, Mullvad etc.), are showing my ISP’s IP and name.
I have no problem with having to start from scratch, I just want to make sure it will be right.
I was going to suggest adguard running in a container but not sure it’s enough ram. Unbound will have to do.
Basically the first page lets you turn off the dnsmasq DNS server running on your router, which would normally forward DNS requests to your ISP, and replace it with unbound.
Unbound will receive requests from clients and will forward them to cloudflare if you follow instructions on that page.
The second page hijacks DNS requests that your clients might be trying to make to public DNS services directly; normally these clients would bypass the router’s DNS settings, but the instructions there make them go through unbound.
Personally I don’t like the instructions in the first page, I’d like to keep dnsmasq for local stuff, and configure it to use unbound as its upstream.
Don’t you have an old PC/laptop? Or a cheap SBC ($30) with Pi-Hole + Cloudflare Tunnel client on it. And DNS is solved.
On your router, limit yourself to routing and firewall and light services…
All done for months, with the exception of the Hijacking ones. Some I did but I don’t understand what they need: ISP IP range? MAC address? It was working; now every leak test I use is showing the ISP information and DoT tests show that I’m not using DoT despite it being configured in all zones inside Unbound the same way they were before.
Here is a “dump” of most of the configuration, exported with uci show.
It would be a 12W (12V*1A) device at its max vs a laptop that would go from 40-45W and up if we’re lucky. And living in Brazil, that would not be insignificant.
OT, but help me understand electricity prices in Brazil… I’m reading about “second highest electricity cost in the world”, 800 Reals/MWh (15 euro cents / kWh). Meanwhile I’m paying around 45c/kWh. What’s the deal here?
I don’t know where you got that value. R$800 is 61% of the current minimum wage, that is not correct. Today’s Euro against Real: one Euro is R$5,342 (five Reais, three hundred and forty two cents). Mind you that our thousands separator is “.” and cents “,”, so: 1,010 is one and 1 cent and 1.010 is one thousand and ten.
I don’t know enough to explain it. It’s mostly hydroelectric. The price per kWh is not a fixed one during the year; it can change any time after an evaluation, so the next month the flag changes. They flag seasonally, when the thermoelectric plants are activated to compensate, with Green, Yellow, Red 1, Red 2 and Water scarcity. Taking from my state’s provider:
Green (normal condition): R$13,43/MWh;
Yellow: R$1,874 is added for each 100kWh;
Red 1: R$3,971 is added for each 100kWh;
Red 2: R$9,492 is added for each 100kWh;
Water scarcity: R$14,20 is added for each 100kWh;
Monthly minimum wage here, by federal law, is R$ 1.302,00 (give or take) and it has its corrections/adjustments for each state’s cost of living and type of job.
Gotcha, so on average, if you’re not being super careful, and not running electric cars, two typical people spending around 100k-150kWh a month, or 5kWh per day, would be paying around 0.15 USD - 0.20 USD or EUR per kWh (which is more than some other places, less than here where I am).
For 1 USD, you get 5-6kWh, or maybe about your daily average electricity usage IIUC?
Back to topic at hand,
… what DNS server address is OpenWRT issuing over DHCP? … and if you try and use nslookup or dig tool, does unbound work?
I’m wondering if perhaps your browsers are maybe just using DoH / DNS over HTTPS , and bypassing whatever your router is instructing your phones and computers to do?
The UCI settings from OpenWRT you posted will get interpreted by a startup shell script in order to put together a config file for unbound.
It’s also possible that perhaps unbound upstream ends up being whatever DNS server is provided by the ISP to OpenWRT, it’d be worth checking what configuration unbound is using.
The source code for the OpenWRT unbound package has its own documentation with several options on how to run it.
Try and figure out where a DNS request from your computer is going - is it to unbound? … and if yes, what does the resulting unbound config look like?
When it comes to DOH, it also works on a similar principle to what you want with DOT.
Your devices should be set to DHCP, OpenWrt becomes the DNS server for them, you block outgoing UDP/TCP 53 traffic on the firewall and use the appropriate package on OpenWrt…
I’m not saying DOH is better or worse than DOT, I just think it might be easier for you to implement.
I too would think web browsers are using DOH not DOT, since web browsers are not programmed to use DOT. As I understand DNS over HTTPS and DOT, DOT uses the stronger encryption.
Well, we might disagree a bit about the general sense. Both are more or less the same in terms of security. The significant differences are not in the strength of cryptography but in the way the transmission works.
From the point of view of a home user, mixing DNS traffic with the rest of the HTTPS traffic can be considered a significant increase in traffic anonymization.
I have yet to meet an admin who would choose DOT over DOH because it is better in terms of cryptographic security. It is more convenient for control in corporate networks and this is the main reason for choosing it.
There’s also SNI, which could be used to discriminate, and there’s ECH which helps assuming you already have working DNS (HTTPS resource records). I’m not 100% sure how that chicken and egg thing gets resolved.
By the way, you can enable ECH in chrome… chrome://flags/#encrypted-client-hello … it looks like it’ll be enabled by default soon. Firefox already does it by default - and does its own DNS.
Probably those values. Cost of living here is awful now; we’re not financially well. Our prices are absurd for our country.
I configured the Unbound zones with Quad9 and CloudFlare as main, CloudFlare Family, Mullvad and AdGuard as fallback.
What I understood of the Hijacking part was that all devices’ DoT, DoH etc. would be forcefully “redirected” to the router’s DNS (DoT DNSSEC).
This section hijacks regular old DNS, redirects everything outgoing from LAN->WAN on port 53 to local port 53.
The other two are about blocking DNS-over-TLS and DNS-over-HTTPS in the hope that the client will fall back to plain old DNS, which you’re hijacking.
This other section blocks port 853, which is used for DNS over TLS, and the assumption is that no other port is used for this.
There’s a link to blocking DoH / DNS over HTTPS ([OpenWrt Wiki] banIP) on that page, the idea is that you’d block some IPs that are only used for DNS over HTTPS, and that you get the list of those IPs from somewhere, and that the list is complete.
I think the approach in 2 and 3 should work in most of the cases, but I wouldn’t bet the house on it.
Since you say you followed all those instructions, and you’re seeing issues, if you want to fix issues you need a way to tell whether your pieces of configuration are doing something. e.g. by looking at traffic to find a “broken example”.
For example, you’d log in and do something like tcpdump -nvvvvvi lan port 53 or port 853, same on the wan interface, and on e.g. your laptop you’d try opening some website you haven’t opened recently, and you’d try to see whether there are any DNS requests coming through.
If it turns out hosts on your LAN are behaving as you think they should, … you should check what unbound is doing.
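One way to make that tcpdump check mechanical, as an added example that is not part of the thread: feed the lines captured on the WAN side (assumed interface name wan) to a small classifier that counts plaintext DNS (53), DoT (853) and TLS to 443. The capture below is constructed; a working DoT + port-53-hijack setup should show no port-53 packets on the WAN at all.

```shell
#!/bin/sh
# Added example (not from the thread). Classify tcpdump output lines captured on
# the OpenWrt WAN interface, e.g. from:
#   tcpdump -nni wan 'port 53 or port 853 or port 443' > wan-dns.txt
# Port 443 cannot be told apart from ordinary HTTPS by port alone, so a count
# there only hints at possible DoH; it does not prove it.

# Constructed sample: two DoT handshakes, one plaintext query plus its answer,
# one TLS connection to 443. 203.0.113.10 stands in for the router's WAN address.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.10.40001 > 9.9.9.9.853: Flags [S], seq 1, length 0
12:00:01.000002 IP 203.0.113.10.40002 > 1.1.1.1.853: Flags [S], seq 2, length 0
12:00:01.000003 IP 203.0.113.10.51234 > 198.51.100.53.53: 4321+ A? example.com. (29)
12:00:01.000004 IP 198.51.100.53.53 > 203.0.113.10.51234: 4321 1/0/0 A 93.184.216.34 (45)
12:00:01.000005 IP 203.0.113.10.40003 > 104.16.248.249.443: Flags [S], seq 3, length 0'

# dst_port LINE -> destination port of one tcpdump -n line. Field 5 is
# "host.port:"; the port is whatever follows the last dot once the colon is gone.
dst_port() {
  printf '%s\n' "$1" | awk '{ sub(/:$/, "", $5); n = split($5, a, "."); print a[n] }'
}

# count_port CAPTURE PORT -> number of packets whose destination port is PORT
count_port() {
  printf '%s\n' "$1" | awk -v p="$2" '
    { sub(/:$/, "", $5); n = split($5, a, "."); if (a[n] == p) c++ }
    END { print c + 0 }'
}

# dns_verdict CAPTURE -> "leak" if any plaintext port-53 packet crossed the WAN
# (DoT is not being used, or something bypasses unbound), otherwise "ok"
dns_verdict() {
  [ "$(count_port "$1" 53)" -eq 0 ] && echo ok || echo leak
}

printf 'plaintext DNS (53): %s\nDoT (853): %s\nTLS/443 (maybe DoH): %s\nverdict: %s\n' \
  "$(count_port "$SAMPLE_CAPTURE" 53)" "$(count_port "$SAMPLE_CAPTURE" 853)" \
  "$(count_port "$SAMPLE_CAPTURE" 443)" "$(dns_verdict "$SAMPLE_CAPTURE")"
```

To run it against a real capture, replace SAMPLE_CAPTURE with `$(cat wan-dns.txt)`; running the same classifier on the lan interface shows whether clients are even asking the router in the first place.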
So, if I’m not using a VPN and just using DoT or DoH with Unbound or Stubby or https-dns-proxy and use the dns leak test sites, what result should I expect as a good result?