Multiple DNS over TLS (DoT) per device or network?

[Yota]

Surely that's the whole point of doing this. You said you want LAN clients to be able to access it. Otherwise you run into the problem Dave mentioned where you have to run a second instance of dnsmasq or some other DNS forwarder on the router.

No, I want to use DNS Filter/Director as a DNS forwarder instead of juggling complicated iptabes myself.

Client2 --> Router (192.168.50.1) --> DNS Filter/Director (iptables) --> stubby2@127.0.2.1 --> 9.9.9.9
                                              ↑
                      When i fill client2 and 127.0.2.1 here it doesn't work

 

[ColinTaylor]

For normal DNS traffic you seem to be contradicting what you said in that other thread with respect to not using dnsmasq as a forwarder and having DHCP clients go directly to the second stubby instance.

For redirected (DNS Director) traffic a loopback address won't work. The only way I can think to make it compatible with DNS Director (port 53) would be to do something similar to Diversion/Pixelserv. Create a new virtual interface on br0 (e.g. br0:1/192.168.50.3) and bind stubby2 to that. You could then use this 192.168.50.3 address in DNS Director. EDIT: I've just tried this and it works fine.

 

[Yota]

For normal DNS traffic you seem to be contradicting what you said in that other thread with respect to not using dnsmasq as a forwarder and having DHCP clients go directly to the second stubby instance.

Indeed, that's because I haven't figured out how to use dnsmasq yet, I need to do more work, in the meantime I just thought having a user-friendly DNS Director would be a nice alternative to dnsmasq's complicated configuration.

For redirected (DNS Director) traffic a loopback address won't work. The only way I can think to make it compatible with DNS Director (port 53) would be to do something similar to Diversion/Pixelserv. Create a new virtual interface on br0 (e.g. br0:1/192.168.50.3) and bind stubby2 to that. You could then use this 192.168.50.3 address in DNS Director

This sounds great, but I don't know what I'm supposed to do, it's more confusing to me than dnsmasq.

EDIT: I've just tried this and it works fine.

Can you please post an example? Thank you.

 

[ColinTaylor]

Can you please post an example? Thank you.

You'll have to modify the IP addresses according to your needs, this was just a PoC. In particular you'd need to avoid conflicting with Diversion.

Create the virtual interface:

ifconfig br0:1 192.168.1.2 netmask 255.255.255.0

Configure Stubby2 to listen on that interface:

listen_addresses:
  - 192.168.1.2@53

Start Stubby2:

/usr/sbin/stubby -g -C /etc/stubby/stubby2.yml

Check that it's listening:

# netstat -nlp | grep -E "dnsmasq|stubby"
tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      29302/stubby
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      26989/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      26989/dnsmasq
udp        0      0 192.168.1.2:53          0.0.0.0:*                           29302/stubby
udp        0      0 127.0.0.1:53            0.0.0.0:*                           26989/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           26989/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           26989/dnsmasq

LAN clients can now be assigned 192.168.1.2 as their DNS server via DHCP and DNS Director can use it as a target.

 

[Yota]

You'll have to modify the IP addresses according to your needs, this was just a PoC. In particular you'd need to avoid conflicting with Diversion.

Create the virtual interface:

ifconfig br0:1 192.168.1.2 netmask 255.255.255.0

Configure Stubby2 to listen on that interface:

listen_addresses:
  - 192.168.1.2@53

Start Stubby2:

/usr/sbin/stubby -g -C /etc/stubby/stubby2.yml

Check that it's listening:

# netstat -nlp | grep -E "dnsmasq|stubby"
tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      29302/stubby
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      26989/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      26989/dnsmasq
udp        0      0 192.168.1.2:53          0.0.0.0:*                           29302/stubby
udp        0      0 127.0.0.1:53            0.0.0.0:*                           26989/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           26989/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           26989/dnsmasq

LAN clients can now be assigned 192.168.1.2 as their DNS server via DHCP and DNS Director can use it as a target.

Omg thank you so much!

 

[HarryMuscle]

You'll have to modify the IP addresses according to your needs, this was just a PoC. In particular you'd need to avoid conflicting with Diversion.

Create the virtual interface:

ifconfig br0:1 192.168.1.2 netmask 255.255.255.0

Configure Stubby2 to listen on that interface:

listen_addresses:
  - 192.168.1.2@53

Start Stubby2:

/usr/sbin/stubby -g -C /etc/stubby/stubby2.yml

Check that it's listening:

# netstat -nlp | grep -E "dnsmasq|stubby"
tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      29302/stubby
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      26989/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      26989/dnsmasq
udp        0      0 192.168.1.2:53          0.0.0.0:*                           29302/stubby
udp        0      0 127.0.0.1:53            0.0.0.0:*                           26989/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           26989/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           26989/dnsmasq

LAN clients can now be assigned 192.168.1.2 as their DNS server via DHCP and DNS Director can use it as a target.

Is there any need to delete the stubby pid file? Or is that no longer used by stubby?

 

[ColinTaylor]

Is there any need to delete the stubby pid file? Or is that no longer used by stubby?

Yes you need to delete (or temporarily move) the pid file. Stubby uses a hard-coded pid file. Stubby will refuse to start up a second instance if it finds an existing pid file.

 

[HarryMuscle]

For normal DNS traffic you seem to be contradicting what you said in that other thread with respect to not using dnsmasq as a forwarder and having DHCP clients go directly to the second stubby instance.

For redirected (DNS Director) traffic a loopback address won't work. The only way I can think to make it compatible with DNS Director (port 53) would be to do something similar to Diversion/Pixelserv. Create a new virtual interface on br0 (e.g. br0:1/192.168.50.3) and bind stubby2 to that. You could then use this 192.168.50.3 address in DNS Director. EDIT: I've just tried this and it works fine.

Just wondering if you know the technical reason why a loopback address wouldn't work with DNS Director? Does the UI prevent using loopback addresses or is it a limitation of the iptable rules for DNS Director?

 

[HarryMuscle]

Yes you need to delete (or temporarily move) the pid file. Stubby uses a hard-coded pid file. Stubby will refuse to start up a second instance if it finds an existing pid file.

Thanks. BTW, I noticed that if you don't use the -g option to start stubby but instead just use an & at the end of the command to run it in the background it doesn't care if an existing pid file is there nor does it create a new one. I'm able to run three additional instances that way.

 

[ColinTaylor]

Just wondering if you know the technical reason why a loopback address wouldn't work with DNS Director? Does the UI prevent using loopback addresses or is it a limitation of the iptable rules for DNS Director?

This is the intended behaviour of Linux/Unix systems and nothing to do with Merlin's firmware. See posts #9 and #14.