Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2019/10/18 06:21] – formatting vgaeteradocs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2022/09/15 18:01] – [DoH provider] add Issues section account4538
Line 1: Line 1:
-====== DNS over HTTPS with Dnsmasq and https-dns-proxy ======+====== DoH with Dnsmasq and https-dns-proxy ======
 {{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}} {{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_HTTPS|DNS over HTTPS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_HTTPS|DNS over HTTPS]] on OpenWrt.
-  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[https://github.com/aarond10/https_dns_proxy/#https-dns-proxy|https-dns-proxy]] for masking DNS traffic as HTTPS traffic. +  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[packages:pkgdata:https-dns-proxy|https-dns-proxy]] for masking DNS traffic as HTTPS traffic. 
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data+Install the required packages
- +DNS encryption should be enabled automatically.
-Use https-dns-proxy to encrypt DNS traffic. +
-Configure Dnsmasq to forward DNS queries to https-dns-proxy. +
-Enforce DNS encryption for LAN clients to avoid DNS leak.+
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq https_dns_proxy +opkg install https-dns-proxy
- +
-# Enable DNS encryption +
-uci -q delete dhcp.@dnsmasq[0].server +
-DOHPROXY_ADDR="$(uci get https_dns_proxy.@https_dns_proxy[0].listen_addr)" +
-DOHPROXY_PORT="$(uci get https_dns_proxy.@https_dns_proxy[0].listen_port)" +
-DOHPROXY_SERV="${DOHPROXY_ADDR//[][]/}#${DOHPROXY_PORT}" +
-uci add_list dhcp.@dnsmasq[0].server="${DOHPROXY_SERV}" +
- +
-# Enforce DNS encryption for LAN clients +
-uci set dhcp.@dnsmasq[0].noresolv="1" +
-uci commit dhcp +
-/etc/init.d/dnsmasq restart+
 </code> </code>
 +
 +LAN clients should use Dnsmasq as a primary resolver.
 +Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.
  
 ===== Testing ===== ===== Testing =====
Line 42: Line 30:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https_dns_proxy restart+/etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart
  
 # Log and status # Log and status
 logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
-logread -e https_dns_proxy; netstat -l -n -p | grep -e https_dns+logread -e https-dns; netstat -l -n -p | grep -e https-dns
  
 # Runtime configuration # Runtime configuration
-pgrep -f -a dnsmasq; pgrep -f -a https_dns_proxy+pgrep -f -a dnsmasq; pgrep -f -a https-dns 
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
-uci show dhcp; uci show https_dns_proxy+uci show dhcp; uci show https-dns-proxy
 </code> </code>
  
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage the settings via web interface.+If you want to manage the settings using web interface
 +Install the necessary packages.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install luci-app-https_dns_proxy+opkg install luci-app-https-dns-proxy 
 +/etc/init.d/rpcd restart
 </code> </code>
  
-  * Navigate to **[[http://openwrt.lan/|LuCI]] -> Network -> DHCP and DNS** to configure Dnsmasq. +  * Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq. 
-  * Navigate to **[[http://openwrt.lan/|LuCI]] -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy.+  * Navigate to **LuCI -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy.
  
 ==== DoH provider ==== ==== DoH provider ====
-https-dns-proxy is configured with Google DNS by default. +https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. 
-You can change it to another [[wp>Public_recursive_name_server|DoH provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoH provider]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
 # Configure DoH provider # Configure DoH provider
-while uci -q delete https_dns_proxy.@https_dns_proxy[0]; do :; done +while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done 
-uci set https_dns_proxy.dns="https_dns_proxy+uci set https-dns-proxy.dns="https-dns-proxy
-uci set https_dns_proxy.dns.listen_addr="127.0.0.1+uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4
-uci set https_dns_proxy.dns.listen_port="5053+uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query
-uci set https_dns_proxy.dns.user="nobody+uci set https-dns-proxy.dns.listen_addr="127.0.0.1
-uci set https_dns_proxy.dns.group="nogroup+uci set https-dns-proxy.dns.listen_port="5053
-uci set https_dns_proxy.dns.url_prefix="https://cloudflare-dns.com/dns-query?ct=application/dns-json&" +uci commit https-dns-proxy 
-uci commit https_dns_proxy +/etc/init.d/https-dns-proxy restart
-/etc/init.d/https_dns_proxy restart+
 </code> </code>
  
-==== Local system ==== +===== Issues ===== 
-{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#local_system&noheader&nofooter&noeditbutton}}+ 
 +If you are using the configurable NextDNS.io (paid subscription), that currently cannot be configured in LuCI. 
 + 
 +Put your private DNS-over-HTTPS resolver endpoint (found in "Setup" in your NextDNS configuration page) into ''option resolver_url'' which is in ''/etc/config/https-dns-proxy''
 + 
 +LuCI will now erroneously show the wrong resolver in ''Instances'' because it doesn't recognize your private resolver.
  
 +If you make any changes for https-dns-proxy in LuCI it will overwrite your private resolver so you will need to manually enter it again.
  • Last modified: 2023/12/07 20:04
  • by frollic