Now that 3.10 has been out for a while, I have tried putting the pieces together. Here is my recipe:
- Go to the Foris DNS tab and make sure that "Use forwarding" is not checked, save.
- Grab and convert the needed certificate, as described by HomerSp: ssh into Omnia and from /root run
    wget https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt
    openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out DigiCertECCSecureServerCA.pem
- It looks like certificates are in /etc/ssl/certs, so put the newly converted file there
    cp DigiCertECCSecureServerCA.pem /etc/ssl/certs/DigiCertECCSecureServerCA.pem
- We are really making a customized rule for kresd, so create the file /etc/kresd/custom.conf containing a modified version of vcunat's config
    -- forward every query to Cloudflare over TLS (port 853); kresd verifies the
    -- server certificate against ca_file and checks that it matches hostname
    policy.add(policy.all(
      policy.TLS_FORWARD({
        {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'},
        {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'}
      })
    ))
- The resolver needs to know where to find the rule, so edit /etc/config/resolver, adding the following line at the end of the config resolver 'kresd' section
    option include_config '/etc/kresd/custom.conf'
- Everything should be in place now, so give the router a little kick to get things going; type the following
    /etc/init.d/resolver restart
Congratz, all done. You should be using DNS over TLS via Cloudflare's 1.1.1.1.
I confirmed things were working from dnsleaktest.com; only entries from Cloudflare should be returned.
It took me some time to figure this out from the forum, I hope this saves somebody else some trouble. Please feel free to nit-pick for any corrections.
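An added check for the recipe above (my own example, not code from the post or from Knot Resolver): a small Python DNS-over-TLS client that does what kresd is configured to do, connecting to 1.1.1.1:853, verifying the certificate against the CA file from the recipe and the cloudflare-dns.com hostname, and parsing the A records out of the answer. It assumes Python 3.10+ (for the partial-chain verify flag, needed because the DigiCert file is an intermediate CA) and the CA path used in the steps.

```python
import socket
import ssl
import struct

def build_query(name, qid=0x1234):
    """Standard A query in DNS wire format, RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    # return the offset just past a (possibly compressed) owner name
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer, always 2 bytes
            return off + 2
        off += 1
        if ln == 0:
            return off
        off += ln

def parse_a_records(msg, qid=0x1234):
    """Return the A-record addresses from a response; rejects bad id/rcode."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("unexpected id or rcode")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def dot_query(name, server="1.1.1.1", hostname="cloudflare-dns.com",
              ca_file="/etc/ssl/certs/DigiCertECCSecureServerCA.pem"):
    """One A query over TLS on port 853, trusting only ca_file for the chain."""
    ctx = ssl.create_default_context(cafile=ca_file)  # check_hostname stays on
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN  # ca_file is an intermediate CA
    q = build_query(name)
    with socket.create_connection((server, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)  # TCP/TLS framing: 2-byte length
            (rlen,) = struct.unpack("!H", tls.recv(2))
            data = b""
            while len(data) < rlen:
                data += tls.recv(rlen - len(data))
    return parse_a_records(data)
```

Run `dot_query("example.com")` on the router (or any host that has the PEM file); a hostname mismatch or a certificate not chaining to that CA raises ssl.SSLCertVerificationError instead of returning addresses.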