zoonderkins / blahdns

A small hobby ads block dns project with doh, dot, dnscrypt support.
https://blahdns.com
GNU Affero General Public License v3.0
433 stars 25 forks

How to use blahdns on router level? #148

Closed apoorv569 closed 3 years ago

apoorv569 commented 3 years ago

I want to set blahdns on the router level so all the devices connected to it can use it. What are the server addresses for the blahdns DNS servers? I'm using OpenWRT firmware on my router; if you can guide me on how to set it up, that would be great.

zoonderkins commented 3 years ago

Pls check which of these your OpenWRT supports:

  1. DNSCrypt-proxy https://openwrt.org/docs/guide-user/services/dns/dnscrypt_dnsmasq_dnscrypt-proxy2
  2. Stubby (DoT) https://openwrt.org/docs/guide-user/services/dns/stubby
  3. Dnsmasq + DoH https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

apoorv569 commented 3 years ago

> Pls check which of these your OpenWRT supports:
>
> 1. DNSCrypt-proxy https://openwrt.org/docs/guide-user/services/dns/dnscrypt_dnsmasq_dnscrypt-proxy2
> 2. Stubby (DoT) https://openwrt.org/docs/guide-user/services/dns/stubby
> 3. Dnsmasq + DoH https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

Do I need to use and configure all these 3 tools, or any one of them would work?

zoonderkins commented 3 years ago

Choose 1 of those options.

apoorv569 commented 3 years ago

> Choose 1 of those options.

But if I, say, choose Stubby, will it provide all of DoH, DoT and DNSCrypt? For Stubby you only mentioned DoT. Also, does blahdns have DNSSEC?

zoonderkins commented 3 years ago

Of course BlahDNS does DNSSEC (depends on the TLD registrar and domain owner, if they support and have configured DNSSEC)

  1. Stubby (only support DoT)
  2. DNSCrypt (DNSCrypt protocol and DoH)
  3. Dnsmasq + DoH (DoH)

apoorv569 commented 3 years ago

> Of course BlahDNS does DNSSEC (depends on the TLD registrar and domain owner, if they support and have configured DNSSEC)
>
> 1. Stubby (only support DoT)
> 2. DNSCrypt (DNSCrypt protocol and DoH)
> 3. Dnsmasq + DoH (DoH)

Ok, I have installed stubby. What settings do I need to put in there to change to BlahDNS? By default it is using Cloudflare DNS.

zoonderkins commented 3 years ago

Pls check this stubby yml file: https://github.com/ookangzheng/blahdns/blob/master/client-conf/stubby/stubby.yml

apoorv569 commented 3 years ago

> Pls check this stubby yml file: https://github.com/ookangzheng/blahdns/blob/master/client-conf/stubby/stubby.yml

Thank you. One more thing: I also found the config for dnscrypt in the link you provided. Should the DNS server I choose be near me, or would anywhere in the world work? Also, should I configure both dnscrypt and stubby, or just one of them? Sorry, I'm not an expert in this field.

zoonderkins commented 3 years ago

Of course choose the location near you. Choose only 1 service to use; you can't run both at the same time.

apoorv569 commented 3 years ago

> Of course choose the location near you. Choose only 1 service to use; you can't run both at the same time.

Which is better for privacy and security, DoH or DoT?

zoonderkins commented 3 years ago

If your environment (Home, Office) or ISP doesn't block port 853, then I recommend DoT instead of DoH.

apoorv569 commented 3 years ago

> If your environment (Home, Office) or ISP doesn't block port 853, then I recommend DoT instead of DoH.

I set up stubby according to the link you sent me and everything is working. I chose the server near me, but according to this site https://www.cloudflare.com/ssl/encrypted-sni/, DNSSEC and Encrypted SNI are not enabled.

I checked on this site https://browserleaks.com/ip to see if I'm using blahDNS servers, and it shows all the servers I chose near me.

zoonderkins commented 3 years ago

Pls visit https://blahdns.com; if the text "You are not using Blahdns !!!" turns into "You're using Blahdns", it means everything is working.

https://www.cloudflare.com/ssl/encrypted-sni By default, DNSSEC and TLS1.3 will be green. Ignore the other 2 options (Encrypted SNI, Secure DNS); Cloudflare just uses marketing terms to persuade you to use their product.

Keep in mind, if you choose the Singapore or Japan server, the DNS leak test will show WoodyNet as the provider instead of a BlahDNS server. The Singapore and Japan servers are forwarding DNS resolution to Quad9 (a.k.a. 9.9.9.9, WoodyNet).

apoorv569 commented 3 years ago

> Pls visit https://blahdns.com; if the text "You are not using Blahdns !!!" turns into "You're using Blahdns", it means everything is working.
>
> https://www.cloudflare.com/ssl/encrypted-sni By default, DNSSEC and TLS1.3 will be green. Ignore the other 2 options (Encrypted SNI, Secure DNS); Cloudflare just uses marketing terms to persuade you to use their product.
>
> Keep in mind, if you choose the Singapore or Japan server, the DNS leak test will show WoodyNet as the provider instead of a BlahDNS server. The Singapore and Japan servers are forwarding DNS resolution to Quad9 (a.k.a. 9.9.9.9, WoodyNet).

blahdns.com is showing "You are using Blahdns". So those forwardings are all safe and encrypted, right?

zoonderkins commented 3 years ago

Yes 👍

apoorv569 commented 3 years ago

> Yes 👍

Nice, thank you!

zoonderkins commented 3 years ago

Will close this ticket from now.

apoorv569 commented 3 years ago

> Will close this ticket from now.

Hi, sorry to bother, but the configuration has stopped working for some reason. I have this stubby.yml in /etc/stubby/stubby.yml:

```yaml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_connection_retries: 3
tls_backoff_time: 300
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

upstream_recursive_servers:
  # BlahDNS servers both with `tls_port: 853` and `tls_port: 443`
  - address_data: 139.180.141.57
    tls_auth_name: "dot-sg.blahdns.com"

  - address_data: 45.32.55.94
    tls_auth_name: "dot-jp.blahdns.com"

  - address_data: 2001:19f0:4400:6bed:5400:2ff:feb1:f9fa
    tls_auth_name: "dot-sg.blahdns.com"

  - address_data: 2001:19f0:7001:3259:5400:02ff:fe71:0bc9
    tls_auth_name: "dot-jp.blahdns.com"
```

and I have checked the option to ignore the hosts file. (screenshot: 2021-03-27_14-23)

I also set a custom DNS here (screenshot: 2021-03-27_14-26)

and in the WAN settings as well (screenshot: 2021-03-27_14-28)

But I cannot use BlahDNS anymore for some reason.
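An added example to help narrow down a failure like this one and the earlier question about port 853 being blocked. It is not part of the thread or of the blahdns project; it is a minimal DNS-over-TLS probe (RFC 7858) using only the Python standard library. It assumes the IPv4 address / `tls_auth_name` pairs from the stubby.yml above are still current, and it enforces the same thing stubby's `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` plus `tls_auth_name` do: the upstream's certificate must chain to a trusted CA and match the auth name. A certificate verification error therefore points at a changed or wrong `tls_auth_name`, while a timeout or reset points at port 853 being unreachable (blocked or the upstream being down), which is the distinction you need before touching the dnsmasq side of the router.

```python
"""Minimal DNS-over-TLS probe (RFC 7858) for checking stubby upstreams.

Added example, not part of the blahdns project or the thread's own config.
"""
import socket
import ssl
import struct

# Constructed from the stubby.yml in the thread: IP -> tls_auth_name
# (assumption: these addresses and names are still the ones the service uses).
UPSTREAMS = {
    "139.180.141.57": "dot-sg.blahdns.com",
    "45.32.55.94": "dot-jp.blahdns.com",
}


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS wire-format query (A record by default).

    Flags 0x0120 = RD (recursion desired) + AD, so a validating resolver
    reports DNSSEC validation status in the AD bit of its answer.
    """
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Parse a DNS answer: rcode, AD (DNSSEC validated) bit and any A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)  # AD bit: resolver validated DNSSEC for this answer
    off = 12
    for _ in range(qd):  # skip question section
        off = _skip_name(msg, off) + 4
    addresses = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(socket.inet_ntoa(rdata))
    return {"rcode": rcode, "ad": ad, "addresses": addresses}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf


def dot_query(ip: str, auth_name: str, qname: str, port: int = 853, timeout: float = 5.0) -> dict:
    """Send one query over TLS. The default context verifies the chain and the
    hostname, which is what GETDNS_AUTHENTICATION_REQUIRED + tls_auth_name enforce."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = 0x2A2A
    query = build_query(qname, txid=txid)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 length prefix
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    for ip, name in UPSTREAMS.items():
        try:
            r = dot_query(ip, name, "blahdns.com")
            print(f"{name} ({ip}): rcode={r['rcode']} AD={r['ad']} A={r['addresses']}")
        except ssl.SSLCertVerificationError as exc:  # wrong/changed tls_auth_name or cert
            print(f"{name} ({ip}): certificate does not verify for {name}: {exc}")
        except OSError as exc:  # timeout, refused, reset: 853 blocked or upstream down
            print(f"{name} ({ip}): no usable DoT connection ({exc})")
```

Run it from any machine on the LAN; if both upstreams answer here but the router still fails, the problem is on the dnsmasq side (for example dnsmasq not forwarding to 127.0.0.1#5453, the listen address in the stubby.yml above), not with BlahDNS itself.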