Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
docs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2020/06/15 19:50] – [Instructions] vgaeteradocs:guide-user:services:dns:doh_dnsmasq_https-dns-proxy [2022/09/15 18:01] – [DoH provider] add Issues section account4538
Line 1: Line 1:
-====== DNS over HTTPS with Dnsmasq and https-dns-proxy ======+====== DoH with Dnsmasq and https-dns-proxy ======
 {{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}} {{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>DNS_over_HTTPS|DNS over HTTPS]] on OpenWrt.   * This how-to describes the method for setting up [[wp>DNS_over_HTTPS|DNS over HTTPS]] on OpenWrt.
-  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[https://github.com/openwrt/packages/tree/master/net/https-dns-proxy/files#dns-over-https-proxy-https-dns-proxy|https-dns-proxy]] for masking DNS traffic as HTTPS traffic. +  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[packages:pkgdata:https-dns-proxy|https-dns-proxy]] for masking DNS traffic as HTTPS traffic. 
-  * Follow [[docs:guide-user:services:dns:start#encryption|DNS encryption]] for alternative methods or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.+  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS traffic or use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
  
 ===== Goals ===== ===== Goals =====
 {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:dns:dnscrypt_dnsmasq_dnscrypt-proxy#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Install the packages and DNS encryption should be configured automatically.+Install the required packages
 +DNS encryption should be enabled automatically.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install dnsmasq https-dns-proxy+opkg install https-dns-proxy
 </code> </code>
  
-LAN clients and local system should use Dnsmasq as a primary resolver.+LAN clients should use Dnsmasq as a primary resolver.
 Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic. Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.
- 
  
 ===== Testing ===== ===== Testing =====
Line 30: Line 30:
  
 <code bash> <code bash>
-# Restart the services+# Restart services
 /etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart /etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/https-dns-proxy restart
  
 # Log and status # Log and status
 logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
-logread -e https-dns-proxy; netstat -l -n -p | grep -e https-dns+logread -e https-dns; netstat -l -n -p | grep -e https-dns
  
 # Runtime configuration # Runtime configuration
-pgrep -f -a dnsmasq; pgrep -f -a https-dns-proxy+pgrep -f -a dnsmasq; pgrep -f -a https-dns 
 +head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  
 # Persistent configuration # Persistent configuration
Line 46: Line 47:
 ===== Extras ===== ===== Extras =====
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage the settings via web interface.+If you want to manage the settings using web interface
 +Install the necessary packages.
  
 <code bash> <code bash>
Line 52: Line 54:
 opkg update opkg update
 opkg install luci-app-https-dns-proxy opkg install luci-app-https-dns-proxy
 +/etc/init.d/rpcd restart
 </code> </code>
  
-  * Navigate to **[[http://openwrt.lan/|LuCI]] -> Network -> DHCP and DNS** to configure Dnsmasq. +  * Navigate to **LuCI -> Network -> DHCP and DNS** to configure Dnsmasq. 
-  * Navigate to **[[http://openwrt.lan/|LuCI]] -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy.+  * Navigate to **LuCI -> Services -> HTTPS DNS Proxy** to configure https-dns-proxy.
  
 ==== DoH provider ==== ==== DoH provider ====
 https-dns-proxy is configured with Google DNS and Cloudflare DNS by default. https-dns-proxy is configured with Google DNS and Cloudflare DNS by default.
-You can change it Google DNS or any other [[wp>Public_recursive_name_server|DoH provider]]. +You can change it to Google DNS or any other [[wp>Public_recursive_name_server|DoH provider]]. 
-Make sure the provider supports DNSSEC validation if required+Use resolvers supporting DNSSEC validation if necessary
-Specify several servers to improve fault tolerance.+Specify several resolvers to improve fault tolerance.
  
 <code bash> <code bash>
Line 75: Line 78:
 </code> </code>
  
 +===== Issues =====
 +
 +If you are using the configurable NextDNS.io (paid subscription), that currently cannot be configured in LuCI.
 +
 +Put your private DNS-over-HTTPS resolver endpoint (found in "Setup" in your NextDNS configuration page) into ''option resolver_url'' which is in ''/etc/config/https-dns-proxy''.
 +
 +LuCI will now erroneously show the wrong resolver in ''Instances'' because it doesn't recognize your private resolver.
 +
 +If you make any changes for https-dns-proxy in LuCI it will overwrite your private resolver so you will need to manually enter it again.
  • Last modified: 2023/12/07 20:04
  • by frollic