Verifying DNS traffic is over HTTPS

I need a bit of help to get pointed in the right direction. I have a Linksys WRT1900ACS V2 running the davidc502 build and I'm using dnscrypt-proxy V2 to perform DNS over HTTPS to cloudflare DNS servers. All I'd like to do is verify that all DNS requests coming out of my home network are over HTTPS and I'm unsure how to do that. Do I have to use wireshark, for example? That's a complex tool I haven't learned yet. Is there a more straightforward way to do this verification?

Thanks

If your router's DNS server only resolves through dnscrypt-proxy, then you could redirect all requests with destination port udp/53 to your router with this firewall rule:

config redirect
	option target 'DNAT'
	option src 'lan'
	option dest '!lan'
	option proto 'udp'
	option src_dport '53'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option name 'All DNS traffic to local resolver'

This means, if a smartphone or whatever in your LAN has 8.8.8.8 as DNS server, all DNS requests (UDP port 53) to 8.8.8.8 are redirected to your router's local DNS server with IP 192.168.1.1.


I'm lazy, and this is what I would do:
https://www.dnsleaktest.com/

That works; and also, you can install the tool tcpdump on the router:

opkg update
opkg install tcpdump
tcpdump -i eth0.2 udp and dst port 53

If any unencrypted DNS requests are using WAN (eth0.2), you will see packets appear.

Hope this helps.


Thanks for the suggestions. I don't think https://www.dnsleaktest.com/ would show if my various smart home gadgets or other computers around the house are using a different DNS, correct? For what it's worth, it shows cloudflare when I run the test, but it doesn't tell me if it is over https or not.

I'll also run tcpdump, but the interface is eth1.2 as I have no eth0.2 on my router. Also, perhaps as a demonstration of my "newbie-ness", I gather I am looking for the ethernet interface that has the external address that my ISP has given me, correct? (that's eth1.2).

I also appreciate the redirect firewall rule and will implement it.

Thanks again for the help.

Add these to "/etc/firewall.user"; it will force (hijack) every client behind NAT to respect the router's served DNS.

iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53

Run opkg update; opkg install iptables-mod-nat-extra for the REDIRECT rules, then restart.


Yes! If your WAN is eth1.2, that's what you'll use:

tcpdump -i eth1.2 udp and dst port 53

This command will show you UDP traffic in any direction with a destination port of 53. Since you don't run a DNS server, this should only show DNS requests you make. If your HTTPS DNS requests work, you will see 0.
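The tcpdump check above, taken one step further as an added example (not from the thread): a Python parser over "tcpdump -n" output that lists which client sent plaintext UDP/53 queries to which resolver. NAT rewrites the source address before a packet leaves eth1.2, so per-device attribution needs a capture on the LAN side, e.g. "tcpdump -n -i br-lan udp and dst port 53", with queries to the router's own resolver (192.168.1.1, as in the redirect rule above) excluded as legitimate. The capture text and the br-lan interface name are constructed assumptions.

```python
import re
from collections import defaultdict

# One line of "tcpdump -n udp and dst port 53" output (IPv4, numeric addresses):
#   <ts> IP <src>.<sport> > <dst>.53: <txid>[+] <qtype>? <name>. (<len>)
DNS_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+\+? (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \(\d+\)"
)

# Constructed sample of a LAN-side capture (not a real trace): one client using
# the router resolver as intended, two clients talking to public resolvers.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.50.33333 > 192.168.1.1.53: 7+ A? openwrt.org. (29)
12:00:01.100002 IP 192.168.1.23.51234 > 8.8.8.8.53: 4711+ A? example.com. (29)
12:00:01.200003 IP 192.168.1.23.51235 > 8.8.8.8.53: 4712+ AAAA? example.com. (29)
12:00:02.000004 IP 192.168.1.40.40001 > 1.1.1.1.53: 100+ A? time.nist.gov. (31)
12:00:02.000005 IP 192.168.1.40.40002 > 1.1.1.1.53: 101+ PTR? 1.1.1.1.in-addr.arpa. (38)
tcpdump: verbose output suppressed, this line must be ignored
"""

def parse_plaintext_dns(capture: str, router_ip: str) -> dict:
    """Group plaintext DNS queries by LAN client, skipping queries sent to the
    router's own resolver and any line that is not a tcpdump DNS query line.

    Returns {client_ip: {"resolvers": {ip, ...}, "queries": [(qtype, name), ...]}}.
    """
    leaks = defaultdict(lambda: {"resolvers": set(), "queries": []})
    for line in capture.splitlines():
        m = DNS_LINE.match(line)
        if not m or m["dst"] == router_ip:
            continue
        leaks[m["src"]]["resolvers"].add(m["dst"])
        leaks[m["src"]]["queries"].append((m["qtype"], m["name"].rstrip(".")))
    return dict(leaks)

def report(capture: str, router_ip: str) -> str:
    """One line per bypassing client; an empty string means nothing leaked."""
    leaks = parse_plaintext_dns(capture, router_ip)
    return "\n".join(
        f"{client}: {len(info['queries'])} plaintext queries to "
        f"{', '.join(sorted(info['resolvers']))}"
        for client, info in sorted(leaks.items())
    )

if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE, "192.168.1.1") or "no clients bypassing the router resolver")
```

On the router itself the same logic can be fed from a live capture with "tcpdump -n -l -i br-lan udp and dst port 53 | python3 thisscript.py" after replacing SAMPLE_CAPTURE with sys.stdin.read().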

When I run tcpdump on my WAN (eth1.2) for port 53 I see nothing, so, good, no DNS traffic on the WAN interface. However, I should have also mentioned I run a VPN client and there is a tun0 interface for that client. With tcpdump on the tun0 interface, I see plenty of DNS traffic on port 53. So, I have a few more questions, but let me describe my dnscrypt-proxy setup and dnsmasq settings first. I am running version 2.0.14 of dnscrypt-proxy and using cloudflare and cloudflare-ipv6 for the servers. I've done a check with dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check and it is good. Resolution works when I run dnscrypt-proxy -resolve google.com. The process is listening on 127.0.0.1:5353. I've got three servers in dnsmasq, 127.0.0.1#5353, 1.1.1.1, and 1.0.0.1, and I've set strictorder to '1'.

First, given I have a VPN client, do I even need to do DNS-over-HTTPS? (i.e., am I wasting my time here?). Second, is my problem that I provided three servers to dnsmasq, even though I set strictorder on? Third, is there something else I'm missing in terms of getting this to work properly? Fourth, the listen address in dnscrypt-proxy.toml is 127.0.0.1:5353 whereas the dnsmasq list server is 127.0.0.1#5353; I believe the colon and pound sign are the proper characters to use, but please let me know if not.

Thanks again!

  • If your only concern is that your ISP can see your DNS requests, then yes - you are wasting your time, as the requests now go over the tunnel. :wink:
  • Are you using the UCI or LuCI web GUI to make these configs?

You may have solved my problem. Using DNS over HTTPS and a VPN may simply be overkill. I suppose the only thing I get if I manage to get DNS-over-HTTPS working in my configuration is that I'll keep my VPN server from seeing my DNS requests.

With respect to using UCI or the LuCI web GUI, I may have modified /etc/config/dhcp directly. Here is the dnsmasq section:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'
	option noresolv '1'
	option allservers '0'
	option strictorder '1'
	list server '127.0.0.1#5353'
	list server '1.1.1.1'
	list server '1.0.0.1'

Does anything jump out as improper?
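An added check over the dnsmasq section above (example code written for this thread, not from OpenWrt or dnsmasq): a small UCI parser that separates the local dnscrypt-proxy forwarder from plain-IP upstreams. dnsmasq's strictorder only fixes the order in which the servers are tried; when the first one does not answer, the next is used, so 1.1.1.1 and 1.0.0.1 remain paths on which dnsmasq can send plaintext UDP/53. The section is copied into the script trimmed to the forwarding-related options.

```python
import ipaddress

# Forwarding-related options of the dnsmasq section from the post above
# (constructed copy; indentation is irrelevant to the parser).
DHCP_CONFIG = """\
config dnsmasq
    option noresolv '1'
    option allservers '0'
    option strictorder '1'
    list server '127.0.0.1#5353'
    list server '1.1.1.1'
    list server '1.0.0.1'
"""

def parse_uci_section(text: str, section_type: str) -> dict:
    """Minimal UCI parser: {"options": {k: v}, "lists": {k: [v, ...]}} for the
    first section of the given type. UCI values are single-quoted."""
    result, in_section = {"options": {}, "lists": {}}, False
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            in_section = len(parts) > 1 and parts[1] == section_type
            continue
        if in_section and len(parts) == 3 and parts[0] in ("option", "list"):
            key, value = parts[1], parts[2].strip("'")
            if parts[0] == "option":
                result["options"][key] = value
            else:
                result["lists"].setdefault(key, []).append(value)
    return result

def audit_upstreams(text: str) -> dict:
    """Classify each 'list server' entry. 'host#port' is dnsmasq syntax for a
    non-default port; a loopback host is a local forwarder (dnscrypt-proxy here),
    any other entry is reported as a plaintext UDP/53 upstream dnsmasq may use."""
    sec = parse_uci_section(text, "dnsmasq")
    local, plaintext = [], []
    for entry in sec["lists"].get("server", []):
        host = entry.split("#", 1)[0]
        try:
            is_loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:          # e.g. domain-scoped '/example/...' forms
            is_loopback = False     # reported so a human looks at them
        (local if is_loopback else plaintext).append(entry)
    return {
        "local_forwarders": local,
        "plaintext_upstreams": plaintext,
        "strictorder": sec["options"].get("strictorder") == "1",
        # noresolv='1' keeps dnsmasq from also using the ISP resolvers in /etc/resolv.conf
        "noresolv": sec["options"].get("noresolv") == "1",
    }
```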

Slim

All,

For what it's worth, I recently updated from build r7320 to r7493 and all the issues I had with verifying that DNS was actually done over DNS-over-HTTPS have gone away. I don't know why the upgrade in build solved it, but it did.