DNS over TLS with a Hostname instead of IP

Good day all,

Apologies if this has been asked and I have missed it, but can anyone point me to a good tutorial on how to set up DNS over TLS using a hostname instead of an IP address? I have seen a heap of stuff which talks about using IP addresses and then verifying the certificate / hostname, but not a lot around when there is a hostname instead of an IP address.

Some context: I have started to use Cloudflare Gateway to filter the DNS queries and remove some of the more malicious items. I prefer Cloudflare Gateway because you can decide and dynamically update which areas you want to filter and not, but the issue I have is that the service does not work entirely well when you have dynamic IP addresses.

At home it's not a problem, so I can use their server IP addresses and in the portal say this is my static IP address and it works well; however, I also want to set this up on my travel router, which would change its IP address on a regular basis. To get around this, Cloudflare have the ability to work with a hostname which is unique to your connection, and you don't need to update to say this is my IP, which would be great, but I can't see anything that really describes using a hostname as the server address rather than the specific IPv4 or IPv6 address.

I can get this working via DNS over HTTPS using the DNS over HTTPS proxy, but I am not a huge fan of this way, and ideally I'd love to get DNS over TLS working instead, but using the hostname rather than the static addresses.

If it helps, I am using LuCI, openwrt-19.07 branch.

Many thanks!

I don't know if it will solve your problem; however, assigning a dynamic IP to a static name is what DDNS does for a living.

Thanks for the suggestion,

Cloudflare Gateway doesn't have a dynamic DNS client for their system yet, so I need to specifically reference the unique hostname they generate for the DNS over TLS service or the DNS over HTTPS service (which is how it identifies the system).

I do use a few dynamic DNS services, but they don't suit this application, also because part of this is to set up on my travel router where the IP will change daily.

They do, from what I can see. Or does it not work with your use case?

It is a really confusing system, but the dynamic DNS that Cloudflare offers is for their domain service, not specifically their Gateway DNS filtering service. So to be honest it is a combination of the fact that they don't have an updater for the DNS filtering service, and also that dynamic update does not fit the use case.

The DNS filtering service can work a few different ways. One way is you set the source IP address of the network and you can just reference their server IP addresses; their service checks your IP address and then knows which rules it should assign when DNS requests come in. I use this in my normal home network and it works fine. Another way is you can use the cloudflared daemon as a DoH server, or the third way is you can use their DNS over TLS or DNS over HTTPS servers; however, when you use these options you need to reference a hostname which is a unique name, something like randomstring.cloudflare-gateway.com, and this way it does not matter what your WAN IP address is (or if it is constantly changing) because the random string they assign is the unique identifier.

I do have this working using the DNS over HTTPS proxy; I would just prefer to use DNS over TLS if possible. However, almost every tutorial I have seen references a DNS server by IP address rather than a hostname (which I get why, just not sure how to get around that).
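The point the tutorials leave implicit is that a DoT client always opens a TCP connection to an IP address; the hostname's job is to be the TLS server name (sent as SNI and checked against the server certificate), which is what resolver configs call the TLS auth name. The following is an added illustration, not code from this thread or from any Cloudflare or OpenWrt project: a minimal DoT lookup where `server_ip` is a placeholder you must obtain from a plain bootstrap resolver first and `auth_name` is the unique gateway hostname; the query builder and response parser are pure functions so the wire format can be inspected offline.

```python
"""Minimal DNS-over-TLS lookup: TCP to an IP, TLS authenticated against a hostname."""
import socket
import ssl
import struct
from typing import List

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """RFC 1035 wire-format query (A record by default) with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length

def parse_a_records(msg: bytes) -> List[str]:
    """Collect IPv4 addresses from the answer section; empty list on error RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:              # RCODE != 0 (NXDOMAIN, SERVFAIL, ...)
        return []
    off = 12
    for _ in range(qd):             # skip the echoed question section
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_tls(server_ip: str, auth_name: str, name: str, port: int = 853) -> List[str]:
    """Connect to server_ip (placeholder: resolve the gateway hostname beforehand),
    but verify the TLS certificate against auth_name, which is also sent as SNI."""
    ctx = ssl.create_default_context()   # system CA bundle, hostname check enabled
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)   # RFC 7858: 2-byte length prefix
            (length,) = struct.unpack("!H", tls.recv(2))
            resp = b""
            while len(resp) < length:
                resp += tls.recv(length - len(resp))
    return parse_a_records(resp)
```

If the certificate does not match `auth_name`, `wrap_socket` raises `ssl.SSLCertVerificationError` before any query is sent, which is the check that turning a hostname into a bare IP address would silently lose.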


Check this FAQ for a comparison between DoH and DoT.