I need a bit of help to get pointed in the right direction. I have a Linksys WRT1900ACS V2 running the davidc502 build and I'm using dnscrypt-proxy V2 to perform DNS over HTTPS to cloudflare DNS servers. All I'd like to do is verify that all DNS requests coming out of my home network are over HTTPS and I'm unsure how to do that. Do I have to use wireshark, for example? That's a complex tool I haven't learned yet. Is there a more straightforward way to do this verification?
If your router's DNS server only resolves through dnscrypt-proxy, then you could redirect all requests with destination port udp/53 to your router with this firewall rule:
config redirect
	option target 'DNAT'
	option src 'lan'
	option dest '!lan'
	option proto 'udp'
	option src_dport '53'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option name 'All DNS traffic to local resolver'
This means that if a smartphone or anything else in your LAN has 184.108.40.206 configured as its DNS server, all DNS requests (UDP port 53) to 220.127.116.11 are redirected to your router's local DNS server at 192.168.1.1.
I'm lazy, and this is what I would do:
That works; you can also install tcpdump on the router:
opkg install tcpdump
tcpdump -i eth0.2 udp and dst port 53
If any unencrypted DNS requests are using WAN (eth0.2), you will see packets appear.
Hope this helps.
Thanks for the suggestions. I don't think https://www.dnsleaktest.com/ would show if my various smart home gadgets or other computers around the house are using a different DNS, correct? For what it's worth, it shows cloudflare when I run the test, but it doesn't tell me if it is over https or not.
I'll also run tcpdump, but the interface is eth1.2 as I have no eth0.2 on my router. Also, perhaps as a demonstration of my "newbie-ness", I gather I am looking for the ethernet interface that has the external address that my ISP has given me, correct? (that's eth1.2).
I also appreciate the redirect firewall rule and will implement it.
Thanks again for the help.
Add these to "/etc/firewall.user"; it will force (hijack) every client behind the NAT to respect the DNS served by the router.
iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
Run opkg update ; opkg install iptables-mod-nat-extra for the REDIRECT target, then restart.
Yes! If your WAN is eth1.2, that's what you'll use:
tcpdump -i eth1.2 udp and dst port 53
This command will show you UDP traffic in any direction with a destination port of 53. Since you don't run a DNS server, this should only show DNS requests you make. If your HTTPS DNS requests work, you will see 0.
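Two caveats on the tcpdump check above that a practitioner would want: the filter `udp and dst port 53` misses DNS carried over TCP/53 (add `or (tcp and dst port 53)` to catch that too), and on the WAN or tun0 every outgoing query carries the router's own address after NAT, so the capture tells you *that* something leaks but not *which* LAN device is bypassing dnsmasq; for attribution, capture on the LAN bridge (br-lan by default on OpenWrt) with `udp and dst port 53 and not dst host 192.168.1.1`. The following is an added example, not from anyone in this thread, that turns tcpdump's default DNS decode (with `-n`) into a per-source/per-resolver summary so a long capture is readable. The sample lines embedded in it are constructed for an offline run; the interface names and the ssh invocation in the docstring are assumptions matching the OP's setup.

```python
"""Summarize plaintext DNS queries from tcpdump's text output.

Added example (not from the thread).  Typical use, from a LAN machine:
    ssh root@192.168.1.1 "tcpdump -l -n -i eth1.2 'udp and dst port 53'" | python3 dnsleaks.py
(or -i tun0 / -i br-lan).  Assumed line format is tcpdump's default DNS decode
with -n, for example:
    12:00:01.000123 IP 192.168.1.50.51234 > 8.8.8.8.53: 12345+ A? example.com. (29)
With no stdin, the constructed SAMPLE below is summarized instead.
"""
import re
import sys
from collections import Counter

# One query line: time, IP/IP6, src.port > dst.53:, id[flags] [edns] QTYPE? name. (len)
QUERY = re.compile(
    r"^\S+ IP6? (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.53: "
    r"(?P<id>\d+)\S* (?:\[\S+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)"
)

# Constructed sample capture (not a real trace): two clients going to public
# resolvers, one PTR lookup inside a VPN tunnel, one IPv6 query, one junk line.
SAMPLE = """\
12:00:01.000123 IP 192.168.1.50.51234 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:00:01.100456 IP 192.168.1.50.51235 > 8.8.8.8.53: 12346+ AAAA? example.com. (29)
12:00:02.200789 IP 192.168.1.77.40001 > 1.1.1.1.53: 2+ [1au] A? www.openwrt.org. (45)
12:00:03.300000 IP 10.8.0.2.50000 > 10.8.0.1.53: 99+ PTR? 1.1.168.192.in-addr.arpa. (42)
12:00:04.400000 IP6 fd00::10.51000 > 2606:4700:4700::1111.53: 7+ A? example.org. (29)
garbage line that is not a dns query
"""


def parse_line(line: str):
    """Return {'src','dst','qtype','qname'} for a query line, else None."""
    m = QUERY.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "qtype": m["qtype"], "qname": m["qname"].rstrip(".")}


def summarize(lines):
    """Count plaintext queries by source address, by resolver and by name."""
    by_src, by_dst, names = Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue                    # responses, non-DNS noise, tcpdump banner
        total += 1
        by_src[q["src"]] += 1
        by_dst[q["dst"]] += 1
        names[q["qname"]] += 1
    return {"total": total, "by_src": by_src, "by_dst": by_dst, "names": names}


def report(summary) -> str:
    """Human-readable summary; 'no plaintext DNS queries seen' is the goal."""
    if summary["total"] == 0:
        return "no plaintext DNS queries seen"
    out = [f"{summary['total']} plaintext DNS queries seen"]
    out.append("by source:   " + ", ".join(f"{k}={v}" for k, v in summary["by_src"].most_common()))
    out.append("by resolver: " + ", ".join(f"{k}={v}" for k, v in summary["by_dst"].most_common()))
    out.append("top names:   " + ", ".join(f"{k}={v}" for k, v in summary["names"].most_common(5)))
    return "\n".join(out)


if __name__ == "__main__":
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    print(report(summarize(source)))
```

On the WAN or tun0 of a correctly working setup the summary should be "no plaintext DNS queries seen"; DoH traffic to port 443 never matches the filter, which is exactly the point of the check. If queries do show up there with the router's own address as source, dnsmasq itself is forwarding in plaintext (for example to a fallback server) rather than a LAN device bypassing it.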
When I run tcpdump on my WAN (eth1.2) for port 53 I see nothing, so, good, no DNS traffic on the WAN interface. However, I should have also mentioned that I run a VPN client and there is a tun0 interface for that client. With tcpdump on the tun0 interface, I see plenty of DNS traffic on port 53. So, I have a few more questions, but let me describe my dnscrypt-proxy setup and dnsmasq settings first. I am running version 2.0.14 of dnscrypt-proxy and using cloudflare and cloudflare-ipv6 for the servers. I've done a check with dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check and it is good. Resolution works when I run dnscrypt-proxy -resolve google.com. The process is listening on 127.0.0.1:5353. I've got three servers in dnsmasq, 127.0.0.1#5353, 1.1.1, and 18.104.22.168, and I've set strictorder to '1'.
First, given I have a VPN client, do I even need to do DNS-over-HTTPS? (i.e., am I wasting my time here?) Second, is my problem that I provided three servers to dnsmasq, even though I set strictorder on? Third, is there something else I'm missing in terms of getting this to work properly? Fourth, the listen address is 127.0.0.1:5353 whereas the dnsmasq list server is 127.0.0.1#5353; I believe the colon and pound sign are the proper characters to use, but please let me know if not.
You may have solved my problem. Using DNS over HTTPS and a VPN may simply be overkill. I suppose the only thing I get if I manage to get DNS-over-HTTPS working in my configuration is that I'll keep my VPN server from seeing my DNS requests.
With respect to using UCI or the LuCI web GUI, I may have modified /etc/config/dhcp directly. Here is the dnsmasq section:
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'
	option noresolv '1'
	option allservers '0'
	option strictorder '1'
	list server '127.0.0.1#5353'
	list server '22.214.171.124'
	list server '126.96.36.199'
Does anything jump out as improper?
For what it's worth, I recently updated from build r7320 to r7493 and all the issues I had with verifying that DNS was actually done over DNS-over-HTTPS have gone away. I don't know why the upgrade in build solved it, but it did.