Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2019/04/20 10:02] – split from docs:guide-user:services:dns:encrypt vgaetera
docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2022/09/15 18:01] – [DoH provider] add Issues section account4538
Line 1: Line 1:
-====== DNSCrypt via Dnsmasq and dnscrypt-proxy ====== +====== DoH with Dnsmasq and https-dns-proxy ====== 
-{{page>meta:infobox:cli_setup&noheader&nofooter&noeditbtn}}+{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This guide describes how to configure OpenWrt to protect your DNS traffic. +  * This how-to describes the method for setting up [[wp>DNS_over_HTTPS|DNS over HTTPS]] on OpenWrt. 
-  * It utilizes [[wp>DNS_over_HTTPS|DNS over HTTPS]] to provide DNS encryption+  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[packages:pkgdata:https-dns-proxy|https-dns-proxy]] for masking DNS traffic as HTTPS traffic
-  * DNS encryption is limited to DNS trafficuse [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-This method utilizes DoH and focuses on masking DNS traffic as HTTPS traffic+Install the required packages
- +DNS encryption should be enabled automatically.
-Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data. +
- +
-Use [[https://github.com/aarond10/https_dns_proxy/#https-dns-proxy|https-dns-proxy]] to encrypt DNS traffic. +
-Configure [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] to forward DNS queries to https-dns-proxy. +
-Enforce DNS encryption for LAN clients to prevent DNS leak.+
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq https_dns_proxy +opkg install https-dns-proxy
- +
-# Enable DNS encryption +
-uci -q delete dhcp.@dnsmasq[0].server +
-DOHPROXY_ADDR="$(uci get https_dns_proxy.@https_dns_proxy[0].listen_addr)" +
-DOHPROXY_PORT="$(uci get https_dns_proxy.@https_dns_proxy[0].listen_port)" +
-DOHPROXY_SERV="${DOHPROXY_ADDR//[][]/}#${DOHPROXY_PORT}" +
-uci add_list dhcp.@dnsmasq[0].server="${DOHPROXY_SERV}" +
- +
-# Enforce DNS encryption for LAN clients +
-uci set dhcp.@dnsmasq[0].noresolv="1" +
-uci commit dhcp +
-service dnsmasq restart+
 </code> </code>
 +
 +LAN clients should use Dnsmasq as a primary resolver.
 +Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.
  
 ===== Testing ===== ===== Testing =====
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
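Review bot: the new Command-line instructions drop every Dnsmasq step of the old block (the `uci add_list dhcp.@dnsmasq[0].server="${DOHPROXY_SERV}"` forwarding entry and `uci set dhcp.@dnsmasq[0].noresolv="1"`) and replace them with "DNS encryption should be enabled automatically" without saying what performs that reconfiguration or how the reader can confirm it happened. Name the component that rewrites the Dnsmasq forwarding list on install and add a check such as `uci show dhcp.@dnsmasq[0]`, whose `server` entry should point at the proxy's 127.0.0.1#5053 listener used later in this page. The removed `noresolv` line was the piece behind the old "Enforce DNS encryption for LAN clients to prevent DNS leak" bullet, which is also deleted from the prose; either restore it or state explicitly that Dnsmasq no longer falls back to the plain resolvers in /etc/resolv.conf, otherwise a reader cannot tell whether leak protection survived the rewrite. Minor: "Install the required packages" is missing the trailing period the following sentence has.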
Line 44: Line 30:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-service log restart; service dnsmasq restart; service https_dns_proxy restart+/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart
  
 # Log and status # Log and status
 logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
-logread -e https_dns_proxy; netstat -l -n -p | grep -e https_dns+logread -e https-dns; netstat -l -n -p | grep -e https-dns
  
 # Runtime configuration # Runtime configuration
-pgrep -f -a dnsmasq; pgrep -f -a https_dns_proxy+pgrep -f -a dnsmasq; pgrep -f -a https-dns 
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
-uci show dhcp; uci show https_dns_proxy+uci show dhcp; uci show https-dns-proxy
 </code> </code>
  
 ===== Extras ===== ===== Extras =====
 +==== Web interface ====
 +If you want to manage the settings using web interface.
 +Install the necessary packages.
 +
 +<code bash>
 +# Install packages
 +opkg update
 +opkg install luci-app-https-dns-proxy
 +/etc/init.d/rpcd restart
 +</code>
 +
 +  * Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq.
 +  * Navigate to **LuCI -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy.
 +
 ==== DoH provider ==== ==== DoH provider ====
-https-dns-proxy uses Google DNS by default. +https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. 
-You can change it to another [[wp>Public_recursive_name_server|DoH provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoH provider]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
 # Configure DoH provider # Configure DoH provider
-while uci -q delete https_dns_proxy.@https_dns_proxy[-1]; do :; done +while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done 
-uci set https_dns_proxy.dns="https_dns_proxy+uci set https-dns-proxy.dns="https-dns-proxy
-uci set https_dns_proxy.dns.listen_addr="127.0.0.1+uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4
-uci set https_dns_proxy.dns.listen_port="5053+uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query
-uci set https_dns_proxy.dns.user="nobody+uci set https-dns-proxy.dns.listen_addr="127.0.0.1
-uci set https_dns_proxy.dns.group="nogroup+uci set https-dns-proxy.dns.listen_port="5053
-uci set https_dns_proxy.dns.url_prefix="https://cloudflare-dns.com/dns-query?ct=application/dns-json&" +uci commit https-dns-proxy 
-uci commit https_dns_proxy +/etc/init.d/https-dns-proxy restart
-service https_dns_proxy restart+
 </code> </code>
  
-==== Local system DNS via Dnsmasq ==== +===== Issues ===== 
-{{section>dnscrypt_dnsmasq_dnscrypt-proxy#local_system_dns_via_dnsmasq&noheader&nofooter&noeditbutton}}+ 
 +If you are using the configurable NextDNS.io (paid subscription), that currently cannot be configured in LuCI. 
 + 
 +Put your private DNS-over-HTTPS resolver endpoint (found in "Setup" in your NextDNS configuration page) into ''option resolver_url'' which is in ''/etc/config/https-dns-proxy''.
  
-{{tag>How-to DNS DoH}}+LuCI will now erroneously show the wrong resolver in ''Instances'' because it doesn't recognize your private resolver.
  
 +If you make any changes for https-dns-proxy in LuCI it will overwrite your private resolver so you will need to manually enter it again.
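Review bot: the `{{tag>How-to DNS DoH}}` line is deleted at the end of this hunk and nothing replaces it, so the page drops out of the How-to, DNS and DoH tag indexes; restore it after the new Issues section. In the DoH provider block, `bootstrap_dns="8.8.8.8,8.8.4.4"` is added with no explanation that these are plain, unencrypted DNS servers used only to resolve the hostname in `resolver_url`, which a reader may mistake for the DoH endpoint itself; one sentence in the prose above the block would prevent that. The Issues section tells the reader to hand-edit `option resolver_url` in `/etc/config/https-dns-proxy`, while the provider block above clears that section with `while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done`, so note that rerunning the block discards the private resolver exactly as saving in LuCI does.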
  • Last modified: 2023/12/07 20:04
  • by frollic