Q: DNS - DoH and DoT?

Hi

Is it possible to configure / run DoH and DoT at the same time?
I would like to use a 3rd party DNS service.

eg.
DNS-over-HTTPS: https://dns..com/z4kn7n4*
DNS-over-TLS: z4kn7n4*.dns..com

If so, please advise on how to do this in luci if possible?
Thanks

@vgaetera, thanks for the info, I have read up on that.
I have https-dns-proxy and luci-app-https-dns-proxy installed on my RPi4 from the community build. When I try to add a DNS provider, I see that there isn't an option for a custom provider; all the options are pre-configured.
I have looked at the user guide:

I see that there is an option to change the DNS provider through the CLI. Is it safe to assume that it will work if I replace the DNS address / resolver info in the CLI commands with my provider's?

eg;

# Configure DoH provider
while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done
uci set https-dns-proxy.dns="https-dns-proxy"
uci set https-dns-proxy.dns.bootstrap_dns="76.76.xxx.xxx,76.76.xxx.xxx"
uci set https-dns-proxy.dns.resolver_url="https://dns.xyz.com/z4kxnxxn4"
uci set https-dns-proxy.dns.listen_addr="127.0.0.1"
uci set https-dns-proxy.dns.listen_port="5053"
uci commit https-dns-proxy
/etc/init.d/https-dns-proxy restart

I have tried to configure DoT and DoH on separate attempts, but I was not successful.
I have tried using these guides:

Can someone please advise on a step by step tutorial on how to configure DoT or DoH?
I am trying to use either one:
DoH: https://freedns.controld.com/p0
or
DoT: p0.freedns.controld.com

Both DoT and DoH work for me with the resolvers you mentioned:

# Stop services
/etc/init.d/dnsmasq stop
/etc/init.d/stubby stop
/etc/init.d/https-dns-proxy stop

# Install packages
opkg update
opkg install dnsmasq stubby

# Enable DNS encryption
uci -q delete dhcp.@dnsmasq[0].server
uci get stubby.global.listen_address \
| sed -e "s/\s/\n/g;s/@/#/g" \
| while read -r STUBBY_SERV
do uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
done

# Enforce DNS encryption for LAN clients
/etc/init.d/dnsmasq stop
uci set dhcp.@dnsmasq[0].noresolv="1"
uci commit dhcp
/etc/init.d/dnsmasq start

# Configure DoT provider
while uci -q delete stubby.@resolver[0]; do :; done
uci set stubby.dns="resolver"
uci set stubby.dns.address="76.76.2.11"
uci set stubby.dns.tls_auth_name="p0.freedns.controld.com"
uci commit stubby
/etc/init.d/stubby restart

# Install packages
opkg update
opkg install dnsmasq https-dns-proxy

# Configure DoH provider
while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done
uci set https-dns-proxy.dns="https-dns-proxy"
uci set https-dns-proxy.dns.bootstrap_dns="76.76.2.11"
uci set https-dns-proxy.dns.resolver_url="https://freedns.controld.com/p0"
uci set https-dns-proxy.dns.listen_addr="127.0.0.1"
uci set https-dns-proxy.dns.listen_port="5053"
uci commit https-dns-proxy
/etc/init.d/https-dns-proxy restart

# Testing
nslookup example.org 127.0.0.1#5453
nslookup example.org 127.0.0.1#5053
nslookup example.org 127.0.0.1
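The step that turns the stubby listen addresses into dnsmasq server entries, and the noresolv setting that stops dnsmasq from falling back to the WAN resolver, are easy to get subtly wrong. The following is an added example, not part of the thread or vgaetera's reply: it reproduces the address conversion in portable shell and adds a check that every dnsmasq forwarder is a loopback listener with an explicit port (i.e. only the local DoT/DoH proxies) and that noresolv is set. It runs offline on constructed input and does not call uci; the values passed in stand for what `uci get stubby.global.listen_address` and `uci get dhcp.@dnsmasq[0].noresolv` would return.

```shell
#!/bin/sh
# Added example (not from the thread): convert stubby listen addresses to
# dnsmasq server entries and verify that dnsmasq can only forward to the
# local encrypted proxies, so LAN clients cannot leak plaintext DNS.

# stubby stores listen_address as "IP@port" entries separated by spaces;
# dnsmasq expects "IP#port". tr/sed instead of sed's \s for portability.
stubby_to_dnsmasq_servers() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed 's/@/#/' | grep -v '^$'
}

# Returns 0 only when noresolv is "1" and every forwarder is a loopback
# address with an explicit port (127.x.x.x#port, ::1#port or 0::1#port).
# $1: noresolv value ("0"/"1"), $2: newline-separated dnsmasq server list.
check_encrypted_only() {
    noresolv="$1"
    servers="$2"
    [ "$noresolv" = "1" ] || return 1   # would still read /etc/resolv.conf
    [ -n "$servers" ] || return 1        # nothing to forward to at all
    # The loop runs in a subshell; "exit 1" there makes the pipeline,
    # and therefore the function, return 1.
    printf '%s\n' "$servers" | while read -r s; do
        case "$s" in
            127.*"#"[0-9]*|::1"#"[0-9]*|0::1"#"[0-9]*) ;;
            *) exit 1 ;;
        esac
    done
}

# Demonstration on constructed values (the defaults stubby and
# https-dns-proxy use on OpenWrt, plus one plaintext upstream).
demo() {
    good=$(stubby_to_dnsmasq_servers "127.0.0.1@5453 0::1@5453")
    good="$good
127.0.0.1#5053"   # https-dns-proxy listener added to the list
    if check_encrypted_only 1 "$good"; then
        echo "ok: dnsmasq forwards only to the local DoT/DoH proxies"
    fi
    bad="$good
192.0.2.53"       # constructed plaintext upstream (documentation range)
    check_encrypted_only 1 "$bad" \
        || echo "warning: a plaintext forwarder is present, queries can leak"
    check_encrypted_only 0 "$good" \
        || echo "warning: noresolv is 0, dnsmasq may still use the WAN resolver"
}
demo
```

On a live router the same check can be fed with `uci get dhcp.@dnsmasq[0].noresolv` and `uci get dhcp.@dnsmasq[0].server | tr ' ' '\n'`; a non-zero result means some queries can still leave the router unencrypted.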

@vgaetera - Thank you very much for your assistance, I did a factory reset and configured DoH, it is working, but I see a big amount of notifications in the System Log related to possible DNS rebind attack.
I use Dual WAN, so wan and wanb interface DNS is set to 127.0.0.1.
Should I add DNS 127.0.0.1 to LAN interface or leave it blank?


Specify this DNS for both WAN interfaces:


@vgaetera - Okay, do you mean for WAN, WANB and LAN or just WAN and WANB?
I have tried the DNS 76.76.2.XXX on both WAN interfaces and with / without it on LAN interface.

AFTER REBOOT:
nslookup from windows pc:

nslookup openwrt.org 127.0.0.1#5053
*** Can't find server address for '127.0.0.1#5053':
Server:  CyberXXWrt.lan
Address:  192.168.1.1

Non-authoritative answer:
Name:    openwrt.org
Addresses:  2a03:b0c0:3:d0::1af1:1
          139.59.209.225

nslookup from within OpenWrt:

Server:		76.76.2.XXX
Address:	76.76.2.XXX#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1

I get lots of entries in System Log:

Fri Apr 16 12:59:00 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com
Fri Apr 16 12:59:00 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: settings.data.microsoft.com
Fri Apr 16 12:59:02 2021 daemon.notice miniupnpd[12783]: private/reserved address checking is ignore
Fri Apr 16 12:59:02 2021 daemon.notice miniupnpd[12783]: private/reserved address checking is ignore
Fri Apr 16 12:59:06 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: settings-win.data.microsoft.com
Fri Apr 16 12:59:11 2021 daemon.notice miniupnpd[12783]: private/reserved address checking is ignore
Fri Apr 16 12:59:11 2021 daemon.notice miniupnpd[12783]: private/reserved address checking is ignore
Fri Apr 16 12:59:15 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: in.wzrkt.com
Fri Apr 16 12:59:16 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: beacons.gcp.gvt2.com
Fri Apr 16 12:59:18 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: settings-win.data.microsoft.com
Fri Apr 16 12:59:21 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com
Fri Apr 16 12:59:23 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: settings-win.data.microsoft.com
Fri Apr 16 12:59:26 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: events.gfe.nvidia.com
Fri Apr 16 12:59:27 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: v10.events.data.microsoft.com
Fri Apr 16 12:59:42 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com
Fri Apr 16 13:00:03 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com
Fri Apr 16 13:00:16 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: beacons.gvt2.com
Fri Apr 16 13:00:20 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: onesignal.com
Fri Apr 16 13:00:21 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: onesignal.com
Fri Apr 16 13:00:24 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com
Fri Apr 16 13:00:40 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: in.wzrkt.com
Fri Apr 16 13:00:45 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com
Fri Apr 16 13:01:06 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com
Fri Apr 16 13:01:06 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: mail-ads.google.com
Fri Apr 16 13:01:15 2021 daemon.err uhttpd[4377]: luci: failed login on / for root from 192.168.1.5
Fri Apr 16 13:01:16 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: beacons.gvt2.com

This is what the GUI looks like:

Configure resolvers only for upstream interfaces.

There's a relevant thread: DNS Rebind Attack?
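The warnings in the log above come from dnsmasq's rebind protection, which discards upstream answers that point at private or loopback addresses; with a filtering resolver that returns such addresses for blocked tracking domains, every lookup of one of those domains produces a warning. The following is an added example, not from the thread or the linked one: it summarises the warnings per domain from a constructed logread-style sample so the hits can be reviewed, and includes an IPv4 classifier that approximates the address ranges dnsmasq treats as private (the exact set is dnsmasq's own; this covers the well-known RFC 1918, loopback, link-local and 0.0.0.0/8 ranges and is an assumption, not taken from the page).

```shell
#!/bin/sh
# Added example (not from the thread): triage dnsmasq "possible DNS-rebind
# attack" warnings from the OpenWrt system log, per domain.

# Constructed sample in logread format (not a real capture); noise lines
# from other daemons are included to show they are ignored.
SAMPLE_LOG='Fri Apr 16 12:59:00 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com
Fri Apr 16 12:59:02 2021 daemon.notice miniupnpd[12783]: private/reserved address checking is ignore
Fri Apr 16 12:59:06 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: settings-win.data.microsoft.com
Fri Apr 16 12:59:21 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com
Fri Apr 16 13:00:20 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: onesignal.com
Fri Apr 16 13:00:23 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: settings-win.data.microsoft.com
Fri Apr 16 13:01:15 2021 daemon.err uhttpd[4377]: luci: failed login on / for root from 192.168.1.5
Fri Apr 16 13:01:16 2021 daemon.warn dnsmasq[5818]: possible DNS-rebind attack detected: analytics.shopify.com'

# Print "count domain" lines, most frequent first.
# $1: log text (e.g. the output of logread).
rebind_summary() {
    printf '%s\n' "$1" \
    | sed -n 's/.*possible DNS-rebind attack detected: //p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Number of distinct domains that triggered the warning.
rebind_domain_count() {
    rebind_summary "$1" | wc -l | tr -d ' '
}

# Approximation (assumption) of the IPv4 ranges dnsmasq rejects when
# rebind protection is on: RFC 1918, loopback, link-local, 0.0.0.0/8.
# Returns 0 when the address would be treated as private.
is_private_ipv4() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*|0.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    echo "rebind warnings per domain:"
    rebind_summary "$SAMPLE_LOG"
    echo "distinct domains: $(rebind_domain_count "$SAMPLE_LOG")"
    for a in 192.168.1.1 139.59.209.225; do
        if is_private_ipv4 "$a"; then
            echo "$a would be blocked by rebind protection"
        else
            echo "$a is a public address, answer would be accepted"
        fi
    done
}
demo
```

On the router, `rebind_summary "$(logread)"` gives the same table for the live log. A domain that appears repeatedly is worth a direct check against the upstream resolver; if it is a filtered tracking domain that the provider answers with a private address, the warning is expected noise rather than an attack, and keeping rebind protection enabled is still the right default.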
