Differences
docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2019/10/11 22:42] – [Instructions] Start and enable https_dns_proxy stansmith
docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2022/09/15 18:01] – [DoH provider] add Issues section account4538
Line 1: Line 1:
-====== DNS over HTTPS with Dnsmasq and https-dns-proxy ======+====== DoH with Dnsmasq and https-dns-proxy ======
 {{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}} {{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_HTTPS|DNS over HTTPS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_HTTPS|DNS over HTTPS]] on OpenWrt.
-  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[https://github.com/aarond10/https_dns_proxy/#https-dns-proxy|https-dns-proxy]] for masking DNS traffic as HTTPS traffic. +  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[packages:pkgdata:https-dns-proxy|https-dns-proxy]] for masking DNS traffic as HTTPS traffic. 
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data+Install the required packages
- +DNS encryption should be enabled automatically.
-Use https-dns-proxy to encrypt DNS traffic. +
-Configure Dnsmasq to forward DNS queries to https-dns-proxy. +
-Enforce DNS encryption for LAN clients to avoid DNS leak.+
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq https_dns_proxy+opkg install https-dns-proxy 
 +</code>
  
-# Enable DNS encryption +LAN clients should use Dnsmasq as a primary resolver. 
-uci -q delete dhcp.@dnsmasq[0].server +Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.
-DOHPROXY_ADDR="$(uci get https_dns_proxy.@https_dns_proxy[0].listen_addr)" +
-DOHPROXY_PORT="$(uci get https_dns_proxy.@https_dns_proxy[0].listen_port)" +
-DOHPROXY_SERV="${DOHPROXY_ADDR//[][]/}#${DOHPROXY_PORT}" +
-uci add_list dhcp.@dnsmasq[0].server="${DOHPROXY_SERV}"+
  
-# Enforce DNS encryption for LAN clients 
-uci set dhcp.@dnsmasq[0].noresolv="1" 
-uci commit dhcp 
-/etc/init.d/dnsmasq restart 
- 
-# Start the https_dns_proxy plugin 
-/etc/init.d/https_dns_proxy enable 
-/etc/init.d/https_dns_proxy start 
-</code> 
 ===== Testing ===== ===== Testing =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#testing&noheader&nofooter&noeditbutton}}
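Review bot: the rewritten Instructions section drops the lines that made the leak protection explicit. The old block set ''dhcp.@dnsmasq[0].noresolv="1"'' under the comment "Enforce DNS encryption for LAN clients to avoid DNS leak" and added the proxy's listen address to ''dhcp.@dnsmasq[0].server''; the new text only says "DNS encryption should be enabled automatically". Please state what the package sets up on install (the Dnsmasq server entry and whether ''noresolv'' is set) so a reader can confirm it with ''uci show dhcp'', since without ''noresolv'' Dnsmasq can still fall back to the plaintext upstream resolvers from resolv.conf. The old caveat that split-DNS mode assumes the router's own traffic carries no private data was dropped as well and is worth keeping next to the new "LAN clients should use Dnsmasq as a primary resolver" sentence.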
Line 45: Line 30:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https_dns_proxy restart+/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart
  
 # Log and status # Log and status
 logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
-logread -e https_dns_proxy; netstat -l -n -p | grep -e https_dns+logread -e https-dns; netstat -l -n -p | grep -e https-dns
  
 # Runtime configuration # Runtime configuration
-pgrep -f -a dnsmasq; pgrep -f -a https_dns_proxy+pgrep -f -a dnsmasq; pgrep -f -a https-dns 
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
-uci show dhcp; uci show https_dns_proxy+uci show dhcp; uci show https-dns-proxy
 </code> </code>
  
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage the settings via web interface.+If you want to manage the settings using web interface
 +Install the necessary packages.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install luci-app-https_dns_proxy+opkg install luci-app-https-dns-proxy 
 +/etc/init.d/rpcd restart
 </code> </code>
  
-  * Navigate to **[[http://openwrt.lan/|LuCI]] -> Network -> DHCP and DNS** to configure Dnsmasq. +  * Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq. 
-  * Navigate to **[[http://openwrt.lan/|LuCI]] -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy.+  * Navigate to **LuCI -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy.
  
 ==== DoH provider ==== ==== DoH provider ====
-https-dns-proxy is configured with Google DNS by default. +https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. 
-You can change it to another [[wp>Public_recursive_name_server|DoH provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoH provider]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
 # Configure DoH provider # Configure DoH provider
-while uci -q delete https_dns_proxy.@https_dns_proxy[0]; do :; done +while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done 
-uci set https_dns_proxy.dns="https_dns_proxy+uci set https-dns-proxy.dns="https-dns-proxy
-uci set https_dns_proxy.dns.listen_addr="127.0.0.1+uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4
-uci set https_dns_proxy.dns.listen_port="5053+uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query
-uci set https_dns_proxy.dns.user="nobody+uci set https-dns-proxy.dns.listen_addr="127.0.0.1
-uci set https_dns_proxy.dns.group="nogroup+uci set https-dns-proxy.dns.listen_port="5053
-uci set https_dns_proxy.dns.url_prefix="https://cloudflare-dns.com/dns-query?ct=application/dns-json&" +uci commit https-dns-proxy 
-uci commit https_dns_proxy +/etc/init.d/https-dns-proxy restart
-/etc/init.d/https_dns_proxy restart+
 </code> </code>
  
-==== Local system ==== +===== Issues ===== 
-{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#local_system&noheader&nofooter&noeditbutton}}+ 
 +If you are using the configurable NextDNS.io (paid subscription), that currently cannot be configured in LuCI. 
 + 
 +Put your private DNS-over-HTTPS resolver endpoint (found in "Setup" in your NextDNS configuration page) into ''option resolver_url'' which is in ''/etc/config/https-dns-proxy''
 + 
 +LuCI will now erroneously show the wrong resolver in ''Instances'' because it doesn't recognize your private resolver.
  
 +If you make any changes for https-dns-proxy in LuCI it will overwrite your private resolver so you will need to manually enter it again.
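Review bot: the DoH provider block removes ''user="nobody"'' and ''group="nogroup"'' from the https-dns-proxy section without saying why; if the renamed package drops privileges on its own, say so, otherwise readers who copy this block lose the privilege separation the old block had. The new ''bootstrap_dns="8.8.8.8,8.8.4.4"'' line is unexplained; one sentence noting that these addresses are queried over plain DNS only to look up the hostname in ''resolver_url'' would stop readers from mistaking them for the DoH upstream. The "Local system" section is removed with no replacement, so the router's own queries are no longer covered even though the Testing block now adds ''head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*'' to inspect exactly that configuration.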
  • Last modified: 2023/12/07 20:04
  • by frollic