I need a bit of help to get pointed in the right direction. I have a Linksys WRT1900ACS V2 running the davidc502 build and I'm using dnscrypt-proxy V2 to perform DNS over HTTPS to cloudflare DNS servers. All I'd like to do is verify that all DNS requests coming out of my home network are over HTTPS and I'm unsure how to do that. Do I have to use wireshark, for example? That's a complex tool I haven't learned yet. Is there a more straightforward way to do this verification?
Thanks
If your router's DNS server only resolves through dnscrypt-proxy, then you could redirect all requests with destination port udp/53 to your router with this firewall rule:
config redirect
	option target 'DNAT'
	option src 'lan'
	option dest '!lan'
	option proto 'udp'
	option src_dport '53'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option name 'All DNS traffic to local resolver'
This means that if a smartphone or whatever in your LAN has 8.8.8.8 as its DNS server, all DNS requests (UDP port 53) to 8.8.8.8 are redirected to your router's local DNS server with IP 192.168.1.1.
I'm lazy, and this is what I would do:
https://www.dnsleaktest.com/
That works; and also, you can install the tool tcpdump on the router:
opkg update
opkg install tcpdump
tcpdump -i eth0.2 udp and dst port 53
If any unencrypted DNS requests are using WAN (eth0.2), you will see packets appear.
Hope this helps.
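As an added example that is not part of this thread, here is a small Python script for a workstation that reads saved output of `tcpdump -n -i eth1.2 udp and port 53` and reports which LAN clients still sent plaintext DNS and to which resolvers (the capture text below is constructed, not a real trace):

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i eth1.2 udp and port 53` output; not a real capture.
SAMPLE_CAPTURE = """\
14:02:11.101 IP 192.168.1.23.51234 > 8.8.8.8.53: 41023+ A? example.com. (29)
14:02:11.133 IP 8.8.8.8.53 > 192.168.1.23.51234: 41023 1/0/0 A 93.184.216.34 (45)
14:02:12.407 IP 192.168.1.23.51235 > 8.8.8.8.53: 41024+ [1au] AAAA? example.com. (40)
14:02:13.010 IP 192.168.1.50.40001 > 1.1.1.1.53: 7+ A? www.openwrt.org. (33)
14:02:13.500 IP 192.168.1.1.39877 > 104.16.248.249.443: Flags [S], seq 1, win 64240, length 0
14:02:14.002 IP6 fd00::1a.5353 > 2606:4700:4700::1111.53: 9+ A? cloudflare.com. (32)
"""

# A plaintext query line looks like "<src>.<sport> > <dst>.53: <id><flags> [edns] <TYPE>? <name>".
# tcpdump prints the port after the last dot for IPv4 and IPv6 alike, so one pattern covers both.
QUERY_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.\d+ > (?P<dst>\S+)\.53: "
    r"\d+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)"
)


def parse_plaintext_queries(capture: str) -> list[dict]:
    """Return one record per unencrypted DNS query sent to UDP/53.

    Responses (source port 53) and non-DNS lines do not match and are skipped.
    """
    return [m.groupdict() for m in map(QUERY_RE.match, capture.splitlines()) if m]


def leaking_clients(capture: str) -> dict[str, int]:
    """Map each LAN client that sent plaintext DNS to its query count.

    Anything listed here bypassed dnscrypt-proxy; an empty dict is the result you want.
    """
    return dict(Counter(q["src"] for q in parse_plaintext_queries(capture)))


def resolvers_seen(capture: str) -> set[str]:
    """The upstream resolvers that received plaintext queries."""
    return {q["dst"] for q in parse_plaintext_queries(capture)}


if __name__ == "__main__":
    for client, count in sorted(leaking_clients(SAMPLE_CAPTURE).items()):
        print(f"{client}: {count} plaintext DNS queries")
    print("resolvers:", ", ".join(sorted(resolvers_seen(SAMPLE_CAPTURE))))
```

Encrypted (DoH) traffic goes to TCP 443 and never matches, so a non-empty client list points at a device or a fallback path that is not using the router's dnscrypt-proxy.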
Thanks for the suggestions. I don't think https://www.dnsleaktest.com/ would show if my various smart home gadgets or other computers around the house are using a different DNS, correct? For what it's worth, it shows cloudflare when I run the test, but it doesn't tell me if it is over https or not.
I'll also run tcpdump, but the interface is eth1.2 as I have no eth0.2 on my router. Also, perhaps as a demonstration of my "newbie-ness", I gather I am looking for the ethernet interface that has the external address that my ISP has given me, correct? (that's eth1.2).
I also appreciate the redirect firewall rule and will implement it.
Thanks again for the help.
Add these to "/etc/firewall.user"; it will force (hijack) every client behind NAT to use the router's DNS.
iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
opkg update ; opkg install iptables-mod-nat-extra
is needed for the REDIRECT rules; then restart.
Yes! If your WAN is eth1.2, that's what you'll use:
tcpdump -i eth1.2 udp and dst port 53
This command will show you UDP traffic in any direction with a destination port of 53. Since you don't run a DNS server, this should only show DNS requests you make. If your HTTPS DNS requests work, you will see 0.
When I run tcpdump on my WAN (eth1.2) for port 53 I see nothing so, good, no DNS traffic on the WAN interface. However, I should have also mentioned I run a VPN client and there is a tun0 interface for that client. With tcpdump on the tun0 interface, I see plenty of DNS traffic on port 53. So, I have a few more questions but let me describe my dnscrypt-proxy setup and dnsmasq settings first. I am running version 2.0.14 of dnscrypt-proxy and using cloudflare and cloudflare-ipv6 for the servers. I've done a check with dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check and it is good. Resolution works when I run dnscrypt-proxy -resolve google.com. The process is listening on 127.0.0.1:5353. I've got three servers in dnsmasq, 127.0.0.1#5353, 1.1.1.1, and 1.0.0.1, and I've set strictorder to '1'.
First, given I have a VPN client, do I even need to do DNS-over-HTTPS? (i.e., am I wasting my time here?). Second, is my problem that I provided three servers to dnsmasq, even though I set strictorder on? Third, is there something else I'm missing in terms of getting this to work properly? Fourth, the listen address in dnscrypt-proxy.toml is 127.0.0.1:5353 whereas the dnsmasq list server is 127.0.0.1#5353; I believe the colon and pound sign are the proper characters to use but please let me know if not.
Thanks again!
You may have solved my problem. Using DNS over HTTPS and a VPN may simply be overkill. I suppose the only thing I get if I manage to get DNS-over-HTTPS working in my configuration is that I'll remove my VPN server from seeing my DNS requests.
With respect to using UCI or the LuCI web GUI, I may have modified /etc/config/dhcp directly. Here is the dnsmasq section:
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'
	option noresolv '1'
	option allservers '0'
	option strictorder '1'
	list server '127.0.0.1#5353'
	list server '1.1.1.1'
	list server '1.0.0.1'
Does anything jump out as improper?
Slim
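As an added example that is not part of this thread, here is a small Python audit to run on a workstation against a copy of /etc/config/dhcp: it parses the dnsmasq section and lists which upstreams are plaintext UDP/53 fallbacks that bypass dnscrypt-proxy (the UCI text below is a constructed copy of the values posted above):

```python
import ipaddress
import shlex

# Constructed copy of the poster's dnsmasq section from /etc/config/dhcp (values as in the thread).
SAMPLE_DHCP_UCI = """\
config dnsmasq
	option noresolv '1'
	option strictorder '1'
	list server '127.0.0.1#5353'
	list server '1.1.1.1'
	list server '1.0.0.1'

config dhcp 'lan'
"""

def dnsmasq_section(uci_text: str) -> dict:
    """Parse the first `config dnsmasq` section into {'options': {...}, 'servers': [...]}."""
    options, servers, inside = {}, [], False
    for raw in uci_text.splitlines():
        parts = shlex.split(raw)  # shlex handles the single-quoted UCI values
        if not parts:
            continue
        if parts[0] == "config":
            if inside:
                break  # reached the next section; the dnsmasq section is complete
            inside = parts[1] == "dnsmasq"
        elif inside and parts[0] == "option":
            options[parts[1]] = parts[2]
        elif inside and parts[0] == "list" and parts[1] == "server":
            servers.append(parts[2])
    return {"options": options, "servers": servers}

def is_local_listener(server: str) -> bool:
    """True for entries like '127.0.0.1#5353' that point at a resolver on the router itself."""
    host = server.rsplit("/", 1)[-1].split("#", 1)[0]  # strip '/domain/' prefix and '#port'
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit_dnsmasq(uci_text: str) -> dict:
    """List the upstreams dnsmasq can still reach over plain UDP/53, bypassing dnscrypt-proxy."""
    # strictorder fixes only the order of preference: when the first server does not answer,
    # dnsmasq moves on to the next one, so every non-loopback entry is a plaintext fallback path.
    # Without noresolv '1' the ISP resolvers in /etc/resolv.conf are one more such path.
    section = dnsmasq_section(uci_text)
    return {
        "upstreams": section["servers"],
        "plaintext_fallbacks": [s for s in section["servers"] if not is_local_listener(s)],
        "uses_resolv_conf": section["options"].get("noresolv") != "1",
    }
```

For the posted configuration the audit reports 1.1.1.1 and 1.0.0.1 as plaintext fallbacks, which is one route by which port 53 queries can still leave via tun0 even though dnscrypt-proxy is first in the list.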
All,
For what it's worth, I recently updated from build r7320 to r7493 and all issues I had with verifying that DNS was actually done over DNS-over-HTTPS have gone away. I don't know why the upgrade in build solved it, but it did.