Hacker News new | comments | ask | show | jobs | submit login

I recently configured my OPNsense router, for DNS over TLS with Quad9, with certificate domain validation. It uses included Unbound resolver. Not sure what I achieved, but it does feel good :)


I've done the very same thing, on an EdgeRouter Lite [1].

Quad9 also supports DNSSEC.

[1] https://www.chameth.com/2017/12/17/dns-over-tls-on-edgeroute...

Switching to unbound seems like extra work. I kept dnsmasq on my EdgeRouter and just pointed it at doh-client from [0] which is trivial to cross-compile. I’m using Google’s dns servers as upstream.

[0] https://github.com/m13253/dns-over-https/tree/master/doh-cli...

Thanks for mentioning an alternative.

It is extra work either way. What is better performance though?

I'm using dnsmasq with Pi-Hole's blocklists, and forwarding to unbound for DNS over TLS. Forwarding to another client such as doh-client could also work though I'm not sure how this would work with Quad9.

My router is being backup for this ensure there's less load on the MIPS machine.

Go is cross-platform, sure. However dnscrypt-proxy [1] is also very portable.

[1] https://github.com/jedisct1/dnscrypt-proxy

I’m not sure about better performance. Once it’s cached it doesn’t matter.

Using unbound won’t survive an EdgeOS upgrade will it? Maybe a script under /config/scripts could ensure unbound is installed and configured though.

From what I learned, for DNS over TLS (DoT) you have three options:

- dnsmasq resolver using Stubby for DoT stuff

- Unbound resolver using Stubby for DoT stuff

- Unbound doing it all

The last one, as of today, is not quite ready, missing some stuff Stubby [0] does better.

[0] https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+...

Ah right, I’m using DoH, not DoT.

Well done !

How secure is this EdgeRouter lite? Is it open source? For what it's worth, I found one blog with VPNFilter botnet and Ubiquiti on the same page :)

Its based Vyatta/VyOS [1]. There's a way to get OpenBSD running on it as well, but I don't have a link handy.

The router isn't open hardware but its a good bang for the buck (I also run WireGuard on it, btw). If you want a fully open source router, I can recommend having a look at Router7 [2]. The author's using a PC Engines APU2.

Downside is you gotta do a lot of work yourself, just like with OPNSense. But I like OPNSense, even though the hardware from the company behind it is expensive the same is true for PFSense. And the company behind that isn't so friendly...

[1] https://en.wikipedia.org/wiki/VyOS

[2] https://news.ycombinator.com/item?id=17530086

> ... do a lot of work yourself

What work? Install is super easy ... I use OPNsense on small, fanless, cheap 'mini PC' with 2 LAN ports, you buy from aliexpress. Full x86-64, Intel with AES-NI support, for like $200 with 4GB RAM and 40GB ssd

4 GB RAM and a 40 GB SSD on a router??? I don't need that.

What work? Work to maintain it, test it, etc. Essentially, every time a software update is rolled out you do not know for sure if it is going to work flawless on your platform. For a random home network that might be sufficient; for a corporate network not so much.

I know about Aliexpress (and the like), but I don't find comparing Chinaware with non-Chinaware fair without taking that into account as a minus. Not that I wouldn't go that route if I would go for DIY though.

Router7 uses coreboot and a heartbeat to restart the machine if it fails.

x86-64 still uses more kWh than this MIPS machine. The ER-L has 3 ports, allowing physically separated networks. Depending on your setup you can even use both. The ER-X is less powerful and is MIPS32, though does support more hardware offloading (and WireGuard has optimalisations written in C for MIPS32).

Routers must run open source software, no exceptions, they are keys to the kingdom, corporate or home, no difference. FreeBSD/OpenBSD is de facto standard. Good projects like OPNsense test their production releases extensively.

Hardware is your choice, but x86 gives you the best compatibility, and kWh is good, x86 CPU power management, mine uses less than 1W, max TDP is 6W.

Cisco, Juniper, and other closed source ones have a history of backdoors [0]. Consumer grade routers are joke.

[0] https://www.bleepingcomputer.com/news/security/cisco-removes...

You were dependant on Cisco and Juniper routers whilst you posted this very message.

I've used the mess called Quagga back in '00s. No, thank you. I did like OpenBGPd, but it isn't a necessity to have BGP support on every router. Linux can be suffice on a router. Even though I do prefer PF, nftables seems promising.

I don't want to use x86-32 for a myriad of reasons. I don't need the software compatibility x86-32 offers.

> You were dependant on Cisco and Juniper routers

I don't think so, i have my own fortress :)

You don't have control over every hop between news.ycombinator.com and whatever it is you are located. Lets stop this game.

Yeah, and? There's HTTPS between my browser and news.ycombinator.com as well. So what does that have to do with my ER-L?

There's no need to link to Wikipedia's HTTPS either. We both know what that is.

FYI: The malware you linked was for older or badly configured versions of those routers. If you don't upgrade OPNSense or Linux/BSD in general you're also in trouble.

There is a HTTPS, between HN and me. "HTTPS creates a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks ..."


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact