I installed smartdns and the Luci SmartDNS interface extension from opkg. Now, I am trying to configure my smartdns so that it utilizes DoH (DNS of HTTP), and DoT (DNS over TLS). Now, I want the cloudflare results of https://one.one.one.one/help/ to indicate that I am indeed using SmartDNS with DoT and DoH.
How exactly (step by step settings) does one go about configuring smartDNS in the Lucy Interface to utilize cloudflare's DNS addresses with DoH and DoT?
No idea why you would need both, but if you're OK with only DoH, there's https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy
@vgaetera Could you please fix the linked wiki page -- the whole Issues section is no longer accurate with the release of new WebUI. Not sure who else has permission to edit wiki right now.
Everyone who's got a wiki account.
I can delete the section once I get home/tomorrow.
whole Issues section commented out.
That link is to DoH with Dnsmasq, I'm looking specifically for instructions with SmartDNS. Why aren't such instructions provided in an OpenWRT Wiki or something? Any ideas on getting this working?
EDIT: Also, the DoH with DNSmasq instructions you provided don't make any Mention of Cloudflare. I'm specifically trying to use cloudflares servers when using DoH. Do you know how to accomplish this? Any other recommendations?
Unless i misunderstand you, installing HTTPS-DNS- proxy with its LuCi app will give you what you want. I do this and send DoH queries to Cloudflare and Quad9. You have many options to xhoose from in LuCi
Are you talking about the service smartdnsproxy.com?
The whole point of that service is that for certain sites it resolves to one of their proxy servers instead of to the real site. This is at odds with the secure DNS which is supposed to ensure that names are always resolved to the real sites.
It appears that smartDNS servers only operate as unencrypted ordinary DNS. Thus there's no such thing as SmartDNS DoH.
I'm talking about the smartdns and luci-app-smartdns packages on OpenWRT. I'm not sure how they work on OpenWRT, but on DDWRT the built in SmartDNS packages automatically select either DoT or DoH for your DNS queries after inputing Cloudflares Server addresses. Thus, on DDWRT Smart DNS automatically encrypts your DNS traffic using Cloudflare's servers. However, you have to tell SmartDNS (in ddwrt), that you want Cloudflare to be your DNS provider first.
For example, in DDWRT's Services Tab, under SmartDNS Resolver, there is an option to enable the SmartDNS Resolver, and then in the additional Options of the SmartDNS section I have the following lines:
log-file /tmp/smartdns.log
log-level warn
# CLOUDFLARE - DNS over TLS (DoT)
server-tls 1.1.1.2:853
server-tls 1.0.0.2:853
# CLOUDFLARE - DNS over HTTPS (DoH)
server-https https://1.1.1.2/dns-query
server-https https://1.0.0.2/dns-query
With these settings in place on my DDWRT Router, the web address https://1.1.1.1/help looks like this:
I am looking for the same feature in OpenWRT which according to the packages I listed, is an available feature in OpenWRT. I want to tell OpenWRT to use Cloudflare's servers for SmartDNS. However, I just have no idea how to configure it to use Cloudflare's servers to encrypt dns queries using DoT and DoH.
Do you have any idea how SmartDNS works on OpenWRT and could you possibly provide me with a similar setup to my DDWRT SmartDNS settings/features?
I'm at a loss.
Some things are perhaps covered in the official docs:
# /etc/config/smartdns
config smartdns
option enabled '1'
option server_name 'smartdns'
option port '6053'
option auto_set_dnsmasq '1'
option tcp_server '1'
option ipv6_server '1'
option bind_device '1'
option dualstack_ip_selection '1'
option serve_expired '1'
option cache_persist '1'
option resolve_local_hostnames '1'
option force_https_soa '1'
option rr_ttl_min '600'
option seconddns_port '6553'
option seconddns_tcp_server '1'
option old_port '6053'
option old_enabled '1'
option old_auto_set_dnsmasq '1'
config domain-rule
config server
option enabled '1'
option name 'Cloudflare DoH'
option ip 'https://1.1.1.1:443/dns-query'
option type 'https'
config server
option enabled '1'
option name 'Cloudflare DoT'
option ip '1.1.1.1'
option port '853'
option type 'tls'
TLS certificates cannot be signed to an IP number, only a DNS name. For secure DNS to validate the server's certificate it is necessary to know the server by name, e.g. one-one-one-one, dns9.quad9.net or dns.google (which is 8.8.8.8).
This raises a catch-22 that a standard unencrypted DNS server must also be available to the system to initially look up the IP of the secure server.
If you want to use DOH3 with a cache, you can use the ControlD CLI
The posted configuration does exactly what the OP wants.
Sorry @viniribeirossa , I didn't mean to reply to your post
I don't understand if I could do both whats in the picture and on the command line, just do whats in the picture, or just do whats on the command line. The reason is, I set it up how it is in the picture and it started working. However, after I added the /etc/config/smartdns via ssh, the router stopped all Luci connections and became ssh only.
Which should set of instructions should I use? Luci Photo, or /etc/config/smartdns? Or BOTH?
Thanks
Does this apply to SmartDNS? What exactly does this mean now? I'm confused.
Could you please elaborate on this? Does this make smartDNS inneffective?
Can you explain this some more, and possibly post a way to mitigate this problem?
Can you explain this further and possibly post a solution that mitigates this problem? How big of a problem is it anyways?