Sidebar
docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy
Table of Contents
DNS over HTTPS via Dnsmasq and https-dns-proxy
Introduction
- This guide describes how to configure OpenWrt to protect your DNS traffic.
- It utilizes DNS over HTTPS to provide DNS encryption.
- DNS encryption is limited to DNS traffic, use VPN to protect all traffic.
Goals
- Encrypt your DNS traffic improving security and privacy.
- Prevent DNS leak and DNS hijacking.
- Bypass regional restrictions using public DNS providers.
- Escape DNS-based content filters and internet censorship.
Instructions
This method utilizes DoH via Dnsmasq and https-dns-proxy and focuses on masking DNS traffic as HTTPS traffic.
Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data.
Use https-dns-proxy to encrypt DNS traffic. Configure Dnsmasq to forward DNS queries to https-dns-proxy. Enforce DNS encryption for LAN clients to avoid DNS leak.
# Install packages opkg update opkg install dnsmasq https_dns_proxy # Enable DNS encryption uci -q delete dhcp.@dnsmasq[0].server DOHPROXY_ADDR="$(uci get https_dns_proxy.@https_dns_proxy[0].listen_addr)" DOHPROXY_PORT="$(uci get https_dns_proxy.@https_dns_proxy[0].listen_port)" DOHPROXY_SERV="${DOHPROXY_ADDR//[][]/}#${DOHPROXY_PORT}" uci add_list dhcp.@dnsmasq[0].server="${DOHPROXY_SERV}" # Enforce DNS encryption for LAN clients uci set dhcp.@dnsmasq[0].noresolv="1" uci commit dhcp service dnsmasq restart
See also: DNS hijacking, Random generator
Testing
Verify that domain name resolution works.
nslookup openwrt.org localhost
Check your DNS provider. Make sure there is no DNS leak.
Test DNSSEC validation.
Troubleshooting
Collect and analyze the following information.
# Restart the services service log restart; service dnsmasq restart; service https_dns_proxy restart # Log and status logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e https_dns_proxy; netstat -l -n -p | grep -e https_dns # Runtime configuration pgrep -f -a dnsmasq; pgrep -f -a https_dns_proxy # Persistent configuration uci show dhcp; uci show https_dns_proxy
Extras
DoH provider
https-dns-proxy uses Google DNS by default. You can change it to another DoH provider. Make sure selected provider supports DNSSEC validation if required. Specify several servers to improve fault tolerance.
# Configure DoH provider while uci -q delete https_dns_proxy.@https_dns_proxy[0]; do :; done uci set https_dns_proxy.dns="https_dns_proxy" uci set https_dns_proxy.dns.listen_addr="127.0.0.1" uci set https_dns_proxy.dns.listen_port="5053" uci set https_dns_proxy.dns.user="nobody" uci set https_dns_proxy.dns.group="nogroup" uci set https_dns_proxy.dns.url_prefix="https://cloudflare-dns.com/dns-query?ct=application/dns-json&" uci commit https_dns_proxy service https_dns_proxy restart
Local system DNS via Dnsmasq
Enforce DNS encryption for local system. Override DNS encryption for NTP provider to avoid deadlock state if system time is not synchronized. Beware of fault tolerance issues.
# Enforce DNS encryption for local system uci set dhcp.@dnsmasq[0].localuse="1" # Fetch DNS provider source /lib/functions/network.sh network_find_wan NET_IF network_find_wan6 NET_IF6 network_get_dnsserver NET_DNS "${NET_IF}" network_get_dnsserver NET_DNS6 "${NET_IF6}" # Override DNS encryption for NTP provider uci get system.ntp.server \ | sed -e "s/\s/\n/g" \ | sed -e "s/^[0-9]*\.//" \ | sort -u \ | while read NTP_DOMAIN do uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${NET_DNS%% *}" uci add_list dhcp.@dnsmasq[0].server="/${NTP_DOMAIN}/${NET_DNS6%% *}" done uci commit dhcp service dnsmasq restart
docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy.txt · Last modified: 2019/05/26 17:02 by vgaetera
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
