| Previous revision | Next revision | | |
|---|---|---|---|
| docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2019/04/20 10:03] – title vgaetera | docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2022/09/15 18:01] – [DoH provider] add Issues section account4538 | | |
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | {{page> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | * This guide describes | + | * This how-to describes the method for setting up [[wp> |
| - | * It utilizes | + | * It relies on [[docs: |
| - | * DNS encryption is limited | + | * Follow [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
| - | {{section> | + | {{section> |
| - | ===== Instructions | + | ===== Command-line instructions |
| - | This method utilizes DoH and focuses on masking DNS traffic as HTTPS traffic. | + | Install the required packages. |
| - | + | DNS encryption | |
| - | Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data. | + | |
| - | + | ||
| - | Use [[https:// | + | |
| - | Configure [[docs: | + | |
| - | Enforce | + | |
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install | + | opkg install |
| - | + | ||
| - | # Enable DNS encryption | + | |
| - | uci -q delete dhcp.@dnsmasq[0].server | + | |
| - | DOHPROXY_ADDR=" | + | |
| - | DOHPROXY_PORT=" | + | |
| - | DOHPROXY_SERV=" | + | |
| - | uci add_list dhcp.@dnsmasq[0].server=" | + | |
| - | + | ||
| - | # Enforce DNS encryption for LAN clients | + | |
| - | uci set dhcp.@dnsmasq[0].noresolv=" | + | |
| - | uci commit dhcp | + | |
| - | service dnsmasq restart | + | |
| </ | </ | ||
| + | |||
| + | LAN clients should use Dnsmasq as a primary resolver. | ||
| + | Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic. | ||
| ===== Testing ===== | ===== Testing ===== | ||
| - | {{section> | + | {{section> |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
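Review bot: the `+` side of the Command-line instructions drops the whole `# Enable DNS encryption` and `# Enforce DNS encryption for LAN clients` block (the `uci -q delete dhcp.@dnsmasq[0].server`, `uci add_list dhcp.@dnsmasq[0].server=...` and `uci set dhcp.@dnsmasq[0].noresolv=...` steps), so the code block now contains only `opkg update` and `opkg install`, while the added sentence "Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic" still asserts that the forwarding is in place. If the https-dns-proxy package now rewrites the Dnsmasq configuration by itself, say so explicitly next to the code block; otherwise the removed uci steps should be restored, because without clearing the old `server` entries and setting `noresolv` Dnsmasq can keep forwarding to the ISP-assigned resolvers in plain text, and the "Goals" section of the page would no longer be met by the commands shown.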
| Line 44: | Line 30: | ||
| <code bash> | <code bash> | ||
| - | # Restart | + | # Restart services |
| - | service | + | / |
| # Log and status | # Log and status | ||
| logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq | logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq | ||
| - | logread -e https_dns_proxy; netstat -l -n -p | grep -e https_dns | + | logread -e https-dns; netstat -l -n -p | grep -e https-dns |
| # Runtime configuration | # Runtime configuration | ||
| - | pgrep -f -a dnsmasq; pgrep -f -a https_dns_proxy | + | pgrep -f -a dnsmasq; pgrep -f -a https-dns |
| + | head -v -n -0 / | ||
| # Persistent configuration | # Persistent configuration | ||
| - | uci show dhcp; uci show https_dns_proxy | + | uci show dhcp; uci show https-dns-proxy |
| </ | </ | ||
| ===== Extras ===== | ===== Extras ===== | ||
| + | ==== Web interface ==== | ||
| + | If you want to manage the settings using web interface. | ||
| + | Install the necessary packages. | ||
| + | |||
| + | <code bash> | ||
| + | # Install packages | ||
| + | opkg update | ||
| + | opkg install luci-app-https-dns-proxy | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | * Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq. | ||
| + | * Navigate to **LuCI -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy. | ||
| + | |||
| ==== DoH provider ==== | ==== DoH provider ==== | ||
| - | https-dns-proxy | + | https-dns-proxy |
| - | You can change it to another | + | You can change it to Google DNS or any other [[wp> |
| - | Make sure selected provider supports | + | Use resolvers supporting |
| - | Specify several | + | Specify several |
| <code bash> | <code bash> | ||
| # Configure DoH provider | # Configure DoH provider | ||
| - | while uci -q delete | + | while uci -q delete |
| - | uci set https_dns_proxy.dns="https_dns_proxy" | + | uci set https-dns-proxy.dns="https-dns-proxy" |
| - | uci set https_dns_proxy.dns.listen_addr="127.0.0.1" | + | uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4" |
| - | uci set https_dns_proxy.dns.listen_port="5053" | + | uci set https-dns-proxy.dns.resolver_url="https:// |
| - | uci set https_dns_proxy.dns.user="nobody" | + | uci set https-dns-proxy.dns.listen_addr="127.0.0.1" |
| - | uci set https_dns_proxy.dns.group="nogroup" | + | uci set https-dns-proxy.dns.listen_port="5053" |
| - | uci set https_dns_proxy.dns.url_prefix=" | + | uci commit |
| - | uci commit https_dns_proxy | + | /etc/init.d/https-dns-proxy restart |
| - | service https_dns_proxy | + | |
| </ | </ | ||
| - | ==== Local system DNS via Dnsmasq | + | ===== Issues ===== |
| - | {{section> | + | |
| + | If you are using the configurable NextDNS.io (paid subscription), | ||
| + | |||
| + | Put your private DNS-over-HTTPS resolver endpoint (found in " | ||
| - | {{tag> | + | LuCI will now erroneously show the wrong resolver in '' |
| + | If you make any changes for https-dns-proxy in LuCI it will overwrite your private resolver so you will need to manually enter it again. | ||
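Review bot: in the "DoH provider" block, `uci commit` on the `+` side has lost the package argument that the old `uci commit https_dns_proxy` carried, so it commits every pending change in every UCI config rather than only this one; keep it scoped as `uci commit https-dns-proxy`. Two smaller points in the same region: the added `uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4"` names resolvers that are queried in plain DNS before the encrypted channel exists, which deserves a sentence in the "DoH provider" text so readers know that lookup is not covered by DoH, and the new "Issues" section's warning that any LuCI change overwrites a manually entered private NextDNS resolver would be more useful as a note beside the `resolver_url` line it affects, so that readers who only follow the code block see it.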