FirestormAngel / raspberry-documentation

Raspberry Pi Cybersecurity documentation for wifi and hardening.
GNU General Public License v3.0

TODO: DNS-over-TLS - to be evaluated #1

Open FirestormAngel opened 3 years ago

FirestormAngel commented 3 years ago

Multiple vendors have now implemented DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), and secure DNS over wifi should be considered for all private wifi networks.

The dnsmasq chapter will be rewritten when I find a suitable and simple enough solution/software to be implemented on the Raspberry wifi router.

Software to be evaluated:

FirestormAngel commented 3 years ago

Configuration: Stubby

Stubby has a very nice and simple layout, easy to configure, easy to understand, readable configuration.

However, it does have a lot of software dependencies, and some settings are complicated, which makes upgrading it and understanding them a bit complicated. Also, the examples only go through 127.0.0.1:53000 in combination with dnsmasq, which completely misses the point of sending the clients encrypted DNS lookups over wifi networks.

FirestormAngel commented 3 years ago

Configuration: dnscrypt-proxy

No dependencies and easy to understand.

Configuring and reading the list of providers seems a bit overly complicated, as they are presented as binary/base64 strings?

Also, again, the guides only provide configuration for 127.0.0.1? I tried some different configurations and also creating the listener at 0.0.0.0:53000, which seems to work.
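As an added example (not part of the thread and not code from the repository), the following sketch classifies a resolver listener address by who can reach it, contrasting the guides' 127.0.0.1 listener with the 0.0.0.0:53000 listener tried above. The wifi subnet 192.168.50.0/24 and the sample listener strings are constructed assumptions.

```python
import ipaddress

# Constructed values (assumptions, not from the thread): the access point's
# wifi subnet and candidate listener strings in "host:port" form.
WIFI_SUBNET = ipaddress.ip_network("192.168.50.0/24")
SAMPLE_LISTENERS = ["127.0.0.1:53000", "0.0.0.0:53000",
                    "192.168.50.1:53000", "[::1]:53000"]

NOTES = {
    "loopback-only": "wifi clients cannot query it; only local processes "
                     "such as dnsmasq can",
    "all-interfaces": "wifi clients can query it, and so can every other "
                      "attached network unless a firewall blocks the port",
    "wifi-only": "only hosts that can reach the wifi-side address can query it",
    "other-interface": "bound outside the wifi subnet; check which network "
                       "that address belongs to",
}


def split_host_port(listener):
    """Split 'host:port' or '[v6]:port' into (ip_address, port)."""
    host, sep, port = listener.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected host:port, got {listener!r}")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def classify(listener, wifi_subnet=WIFI_SUBNET):
    """Name the exposure of one listener address."""
    ip, _port = split_host_port(listener)
    if ip.is_loopback:
        return "loopback-only"
    if ip.is_unspecified:  # 0.0.0.0 or :: binds every interface
        return "all-interfaces"
    if ip in wifi_subnet:
        return "wifi-only"
    return "other-interface"


def audit(listeners, wifi_subnet=WIFI_SUBNET):
    """Map each listener string to (classification, note)."""
    kinds = {item: classify(item, wifi_subnet) for item in listeners}
    return {item: (kind, NOTES[kind]) for item, kind in kinds.items()}


if __name__ == "__main__":
    for listener, (kind, note) in audit(SAMPLE_LISTENERS).items():
        print(f"{listener:22} {kind:16} {note}")
```
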

FirestormAngel commented 2 years ago

Progress on dnscrypt-proxy:

I've had this running on my access point now successfully for a couple of weeks. The dnscrypt-proxy has been acting as a forwarder of requests going to the Internet. I've also configured it as a forwarder to the local dnsmasq installation, forwarding the local domain lookups to dnsmasq.

This does provide TLS security for the requests going over the Internet; however, over the wifi they are unfortunately in cleartext when not using the IPsec tunnel feature.