docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2020/05/19 18:53] – [Troubleshooting] thinkchaosdocs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2022/09/15 18:01] – [DoH provider] add Issues section account4538
Line 1: Line 1:
-====== DNS over HTTPS with Dnsmasq and https-dns-proxy ======+====== DoH with Dnsmasq and https-dns-proxy ======
 {{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}} {{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_HTTPS|DNS over HTTPS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_HTTPS|DNS over HTTPS]] on OpenWrt.
-  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[https://github.com/aarond10/https_dns_proxy/#https-dns-proxy|https-dns-proxy]] for masking DNS traffic as HTTPS traffic. +  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[packages:pkgdata:https-dns-proxy|https-dns-proxy]] for masking DNS traffic as HTTPS traffic. 
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Enable split DNS mode to encrypt LAN client DNS traffic assuming that local system traffic does not involve private data+Install the required packages
- +DNS encryption should be enabled automatically.
-Use https-dns-proxy to encrypt DNS traffic. +
-Configure Dnsmasq to forward DNS queries to https-dns-proxy. +
-Enforce DNS encryption for LAN clients to avoid DNS leak.+
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq https-dns-proxy +opkg install https-dns-proxy
- +
-# Enable DNS encryption +
-uci -q delete dhcp.@dnsmasq[0].server +
-DOHPROXY_ADDR="$(uci get https-dns-proxy.@https-dns-proxy[0].listen_addr)" +
-DOHPROXY_PORT="$(uci get https-dns-proxy.@https-dns-proxy[0].listen_port)" +
-DOHPROXY_SERV="${DOHPROXY_ADDR//[][]/}#${DOHPROXY_PORT}" +
-uci add_list dhcp.@dnsmasq[0].server="${DOHPROXY_SERV}" +
- +
-# Enforce DNS encryption for LAN clients +
-uci set dhcp.@dnsmasq[0].noresolv="1" +
-uci commit dhcp +
-/etc/init.d/dnsmasq restart+
 </code> </code>
 +
 +LAN clients should use Dnsmasq as a primary resolver.
 +Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.
  
 ===== Testing ===== ===== Testing =====
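Review bot: the new side removes the `uci set dhcp.@dnsmasq[0].noresolv="1"` step that the old text explicitly tied to "Enforce DNS encryption for LAN clients to avoid DNS leak", along with the `server` list rewrite, and replaces them with "DNS encryption should be enabled automatically", but nothing in the hunk says what the package configures in Dnsmasq or whether the leak protection that step provided still applies. Suggest stating explicitly what is configured automatically (the Dnsmasq `server` entry pointing at the proxy and whether `noresolv` is set) and telling the reader how to confirm it, e.g. "Verify with `uci show dhcp` that the proxy is the only configured server", so the hedged "should" is backed by a check the reader can run.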
Line 42: Line 30:
  
 <code bash> <code bash>
-# Restart the services+# Restart services
 /etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart /etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart
  
 # Log and status # Log and status
 logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
-logread -e https-dns-proxy; netstat -l -n -p | grep -e https_dns+logread -e https-dns; netstat -l -n -p | grep -e https-dns
  
 # Runtime configuration # Runtime configuration
-pgrep -f -a dnsmasq; pgrep -f -a https-dns-proxy+pgrep -f -a dnsmasq; pgrep -f -a https-dns 
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
-uci show dhcp; uci show https_dns_proxy+uci show dhcp; uci show https-dns-proxy
 </code> </code>
  
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage the settings via web interface.+If you want to manage the settings using web interface
 +Install the necessary packages.
  
 <code bash> <code bash>
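Review bot: the log and socket checks change their patterns from `https-dns-proxy` / `https_dns` to `https-dns` on both lines without saying which spelling matches the running process; the hyphenated form is at least consistent with `uci show https-dns-proxy` in this hunk and `/etc/config/https-dns-proxy` in the Issues section. Suggest noting the expected healthy result beside the `netstat -l -n -p | grep -e https-dns` check, e.g. a UDP/TCP listener on 127.0.0.1:5053 as configured in the DoH provider section, so a reader can tell a working setup from a silent grep. Minor: the new `pgrep -f -a https-dns ` line carries a trailing space.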
Line 64: Line 54:
 opkg update opkg update
 opkg install luci-app-https-dns-proxy opkg install luci-app-https-dns-proxy
 +/etc/init.d/rpcd restart
 </code> </code>
  
-  * Navigate to **[[http://openwrt.lan/|LuCI]] -> Network -> DHCP and DNS** to configure Dnsmasq. +  * Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq. 
-  * Navigate to **[[http://openwrt.lan/|LuCI]] -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy.+  * Navigate to **LuCI -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy.
  
 ==== DoH provider ==== ==== DoH provider ====
-https-dns-proxy is configured with Google DNS Cloudflare DNS by default with Google taking precedent+https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. 
-You can change it to another [[wp>Public_recursive_name_server|DoH provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoH provider]]. 
-Make sure selected provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
 # Configure DoH provider # Configure DoH provider
 while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done
-uci add https-dns-proxy https-dns-proxy +uci set https-dns-proxy.dns="https-dns-proxy" 
-uci set https-dns-proxy.@https-dns-proxy[-1]=https-dns-proxy +uci set https-dns-proxy.dns.bootstrap_dns="8.8.8.8,8.8.4.4" 
-uci set https-dns-proxy.@https-dns-proxy[-1].bootstrap_dns='1.1.1.1,1.0.0.1' +uci set https-dns-proxy.dns.resolver_url="https://dns.google/dns-query" 
-uci set https-dns-proxy.@https-dns-proxy[-1].resolver_url='https://cloudflare-dns.com/dns-query' +uci set https-dns-proxy.dns.listen_addr="127.0.0.1" 
-uci set https-dns-proxy.@https-dns-proxy[-1].listen_addr='127.0.0.1' +uci set https-dns-proxy.dns.listen_port="5053"
-uci set https-dns-proxy.@https-dns-proxy[-1].listen_port='5053+
-uci set https-dns-proxy.@https-dns-proxy[-1].user='nobody' +
-uci set https-dns-proxy.@https-dns-proxy[-1].group='nogroup' +
-uci set https-dns-proxy.@https-dns-proxy[-1].ipv4_resolvers='1' +
-uci set https-dns-proxy.@https-dns-proxy[-1].verbosity='0'+
 uci commit https-dns-proxy uci commit https-dns-proxy
 /etc/init.d/https-dns-proxy restart /etc/init.d/https-dns-proxy restart
 </code> </code>
  
 +===== Issues =====
 +
 +If you are using the configurable NextDNS.io (paid subscription), that currently cannot be configured in LuCI.
 +
 +Put your private DNS-over-HTTPS resolver endpoint (found in "Setup" in your NextDNS configuration page) into ''option resolver_url'' which is in ''/etc/config/https-dns-proxy''.
  
-==== Local system ==== +LuCI will now erroneously show the wrong resolver in ''Instances'' because it doesn't recognize your private resolver.
-{{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#local_system&noheader&nofooter&noeditbutton}}+
  
 +If you make any changes for https-dns-proxy in LuCI it will overwrite your private resolver so you will need to manually enter it again.
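Review bot: the rewritten DoH provider example contradicts the sentence directly above it: the prose says "Specify several resolvers to improve fault tolerance", then the block deletes every `https-dns-proxy` section in a loop and creates exactly one (`https-dns-proxy.dns` with `resolver_url="https://dns.google/dns-query"`); the prose also reads oddly, since it says Google DNS is already a default and then suggests changing to Google DNS. Suggest either adding a second named section for the other default provider or rewording to "Add one section per resolver to specify several resolvers". The new side also drops `user='nobody'` and `group='nogroup'` from the section without saying whether the package supplies those defaults, so a one-line statement of the default would save readers from reinstating them by hand. In the Issues section, the `option resolver_url` instruction would be clearer if it named the section it belongs to (the `https-dns-proxy` section created above), and the caveat that LuCI changes overwrite a private resolver is worth keeping as is.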
  • Last modified: 2023/12/07 20:04
  • by frollic