OK, turns out this was easier than I thought.
I added this line on my router (running LEDE 17.04). I did this via LuCI, but you can just edit the /etc/opkg/distfeeds.conf file too:

    src/gz reboot_packages https://downloads.openwrt.org/snapshots/packages/arm_cortex-a9_vfpv3/packages/
to my package source list. I then did ‘opkg install stubby’.
In /etc/stubby/stubby.yml, I added (see https://getdnsapi.net/documentation/manpages/stubby/ for docs):

    upstream_recursive_servers:
    # IPv4 addresses
    # The 1.1.1.1 Cloudflare Servers
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
      - address_data: 1.0.0.1
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
    # IPv6 addresses
    # The 1.1.1.1 Cloudflare Servers
      - address_data: 2606:4700:4700::1111
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
      - address_data: 2606:4700:4700::1001
        tls_auth_name: "cloudflare-dns.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
I then added

    # in the 'config dnsmasq' section (UCI syntax: 'list' for server, 'option' for noresolv)
    list server '127.0.0.1#5453'
    option noresolv '1'

in /etc/config/dhcp.
And then I was set.
One thing that is nice to see: the Cloudflare DNS does ‘padding’. This means you cannot easily infer the domain name from the encrypted TCP packet size.
    # dig -p 5453 @127.0.0.1 foobar1.com

    ; <<>> DiG 9.11.2-P1 <<>> -p 5453 @127.0.0.1 foobar1.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15256
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1536
    ; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("............................................................................................................................................................................................................................................................................................................................................................")
    ;; QUESTION SECTION:
    ;foobar1.com.			IN	A

    ;; AUTHORITY SECTION:
    com.			900	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1522697188 1800 900 604800 86400

    ;; Query time: 100 msec
    ;; SERVER: 127.0.0.1#5453(127.0.0.1)
    ;; WHEN: Mon Apr 02 15:26:43 EDT 2018
    ;; MSG SIZE  rcvd: 471
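The PAD line in the dig output is the EDNS(0) Padding option (RFC 7830). The following is an added example, not code from the original post or from stubby: it builds a DNS query padded to a 128-byte block (the query size RFC 8467 recommends) and reads the padding length back out of a message, so two names of different length produce the same wire size. All function names are my own.

```python
import struct

OPT_RR_TYPE = 41        # EDNS(0) OPT pseudo-RR type
EDNS_OPT_PADDING = 12   # EDNS(0) Padding option code (RFC 7830)


def _encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_padded_query(name: str, qtype: int = 1, block: int = 128) -> bytes:
    """Build a query for `name` whose total length is a multiple of `block`
    by appending an OPT RR that carries a Padding option of zero bytes."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # id, RD, QD=1, AR=1
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)  # IN class
    base_len = len(header) + len(question) + 11 + 4   # 11 = OPT fixed part, 4 = option code+len
    pad_len = (-base_len) % block                     # zeros needed to reach the next block
    rdata = struct.pack("!HH", EDNS_OPT_PADDING, pad_len) + b"\x00" * pad_len
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def padding_length(msg: bytes):
    """Return the length of the Padding option in `msg`, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rd_end = off + rdlen
        if rtype == OPT_RR_TYPE:
            p = off
            while p + 4 <= rd_end:  # walk the EDNS options until Padding is found
                code, olen = struct.unpack("!HH", msg[p:p + 4])
                if code == EDNS_OPT_PADDING:
                    return olen
                p += 4 + olen
        off = rd_end
    return None
```

Running `padding_length` over a captured response (such as the 471-byte one above) tells you how many of its bytes are padding rather than answer.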