Mutzli
Very Senior Member
I'm not sure if my router is configured correctly and if the DoT and DNSSEC implementation is working. I did some checking today to see whether Stubby is working and whether all DNS requests are secured. The first thing I found was that not all traffic is going through port 853. I did a tcpdump of port 53 and port 853, and this was sent over port 53:
tcpdump -ni eth0 -p port 53 or port 853
11:25:17.413366 IP My.IP.Add.ress.50132 > 1.1.1.1.53: 57361+ A? dns.msftncsi.com. (34)
11:25:17.413820 IP My.IP.Add.ress.50132 > 1.1.1.1.53: 61713+ AAAA? dns.msftncsi.com. (34)
11:25:17.422094 IP 1.1.1.1.53 > My.IP.Add.ress.50132: 57361 1/0/0 A 131.107.255.255 (50)
11:25:17.426938 IP 1.1.1.1.53 > My.IP.Add.ress.50132: 61713 1/0/0 AAAA fd3e:4f5a:5b81::1 (62)
So then I checked netstat -lnptu, and it reported tcp and udp on 127.0.1.1:53 instead of 127.0.1.1:853:
netstat -lnptu | grep stubby
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 3025/stubby
udp 0 0 127.0.1.1:53 0.0.0.0:* 3025/stubby
Furthermore, stubby -l showed that my DNSSEC validation is OFF, even though I have it active in the router settings. Here is the log from stubby -l:
stubby -l
[16:03:48.475418] STUBBY: Read config from file /etc/stubby/stubby.yml
[16:03:48.475764] STUBBY: DNSSEC Validation is OFF
[16:03:48.475805] STUBBY: Transport list is:
[16:03:48.475839] STUBBY: - TLS
[16:03:48.475872] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[16:03:48.475908] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[16:03:48.475942] STUBBY: Starting DAEMON....
[16:03:49.598074] STUBBY: 1.1.1.1 : Upstream : Could not setup TLS capable TFO connect
[16:03:49.598553] STUBBY: 1.1.1.1 : Conn opened: TLS - Strict Profile
[16:03:49.598776] STUBBY: 1.0.0.1 : Upstream : Could not setup TLS capable TFO connect
[16:03:49.598919] STUBBY: 1.0.0.1 : Conn opened: TLS - Strict Profile
[16:03:49.599056] STUBBY: 2606:4700:4700::1111 : Upstream : Could not setup TLS capable TFO connect
[16:03:49.599242] STUBBY: 2606:4700:4700::1111 : Conn opened: TLS - Strict Profile
[16:03:49.599368] STUBBY: 2606:4700:4700::1001 : Upstream : Could not setup TLS capable TFO connect
[16:03:49.599485] STUBBY: 2606:4700:4700::1001 : Conn opened: TLS - Strict Profile
And here is my router config:
What am I missing?
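A small checker for the kind of capture shown in the post above, added here as an example; it is not part of the original post and not Stubby's own code. It parses tcpdump -n output in the format shown (UDP and TCP, IPv4 and IPv6), separates plaintext port-53 traffic that stays on loopback from plaintext port-53 traffic that leaves the box, and counts port-853 (DoT) traffic separately. The sample capture is constructed from the post's lines, with the masked address replaced by the RFC 5737 documentation address 192.0.2.10 and two extra lines (one DoT SYN, one loopback query) added for contrast. For context on the netstat question: Stubby's default listen_addresses are on port 53 (the local resolver talks plain DNS to it over loopback) while its upstreams are reached on port 853, so a listener on 127.0.1.1:53 is expected; what matters for leakage is whether any port-53 packets leave the router, which is what this script reports.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (based on the post's tcpdump lines, address assumed as 192.0.2.10).
SAMPLE_CAPTURE = """\
11:25:17.413366 IP 192.0.2.10.50132 > 1.1.1.1.53: 57361+ A? dns.msftncsi.com. (34)
11:25:17.413820 IP 192.0.2.10.50132 > 1.1.1.1.53: 61713+ AAAA? dns.msftncsi.com. (34)
11:25:17.422094 IP 1.1.1.1.53 > 192.0.2.10.50132: 57361 1/0/0 A 131.107.255.255 (50)
11:25:17.426938 IP 1.1.1.1.53 > 192.0.2.10.50132: 61713 1/0/0 AAAA fd3e:4f5a:5b81::1 (62)
11:25:18.001000 IP 192.0.2.10.41022 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
11:25:18.002000 IP 127.0.0.1.40001 > 127.0.1.1.53: 12345+ A? example.com. (29)
"""

# "<timestamp> IP|IP6 <src>.<sport> > <dst>.<dport>: <rest>"
_LINE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# Query marker as printed by tcpdump, e.g. "A? dns.msftncsi.com."
_QUERY = re.compile(r"\b[A-Z]+\? (?P<qname>\S+)")


def _split_endpoint(endpoint):
    """'1.1.1.1.53' or '2606:4700:4700::1111.853' -> (ip_address, port).

    tcpdump joins address and port with a dot, so split on the last dot;
    that works for both IPv4 and IPv6 literals.
    """
    host, port = endpoint.rsplit(".", 1)
    return ipaddress.ip_address(host), int(port)


def classify(line):
    """Classify one tcpdump line by what it means for DNS privacy."""
    m = _LINE.match(line)
    if not m:
        return "unparsed"
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    ports = {sport, dport}
    if 853 in ports:
        return "dot"                  # DNS over TLS to/from an upstream
    if 53 not in ports:
        return "other"                # not DNS at all
    if src.is_loopback and dst.is_loopback:
        return "plaintext-local"      # e.g. local resolver -> stubby on 127.0.1.1:53
    return "plaintext-external"       # plain DNS crossing the wire: a leak


def audit(capture):
    """Count each traffic class and collect the names leaked in plaintext queries."""
    counts = Counter()
    leaked = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        kind = classify(line)
        counts[kind] += 1
        if kind == "plaintext-external":
            q = _QUERY.search(line)
            if q:
                leaked.append(q["qname"].rstrip("."))
    return {"counts": dict(counts), "leaked_queries": sorted(set(leaked))}


def is_clean(capture):
    """True when no plaintext DNS left the host in this capture."""
    return audit(capture)["counts"].get("plaintext-external", 0) == 0


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    report = audit(text)
    for kind, n in sorted(report["counts"].items()):
        print(f"{kind:20s} {n}")
    if report["leaked_queries"]:
        print("leaked in plaintext:", ", ".join(report["leaked_queries"]))
    sys.exit(0 if is_clean(text) else 1)
```

Feed it a live capture with something like `tcpdump -ni eth0 -l port 53 or port 853 | python3 dnsleak.py` (file name assumed); a non-zero exit means plaintext DNS is still leaving the router, and the listed names tell you which client or process on the router to look at next.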