Hi everyone,
I have been using cloudflared for DNS-over-HTTPS for the past 5 years and it’s been working pretty well. One of the reasons for using it was because my ISP was hijacking my DNS queries and changing it to their own DNS server.
However, I saw this news where the proxy-dns feature in cloudflared is being closed and they are asking customers to shift to their WARP client instead.
I want to know what the community is using for encrypted DNS services (DoH, DoT, DoQ)
Thanks :)
they are asking customers to shift to their WARP client instead.
I just use WARP, and just send plain text DNS over it to 1.1.1.1. I believe this is superior to DoT or DoH, because the client don’t have to do any sort of handshake for each request and everything still goes over UDP while still being encrypted. If it’s setup correctly, one.one.one.one/help will say you’re using DNS over WARP.
Actually I’ve got a weird setup where I’ve converted the WARP client to a wireguard profile and I run it on my router, but only route 1.1.1.2 and 1.0.0.2 through WARP. That way I can still traceroute 1.1.1.1 while debugging my network.
my ISP was hijacking my DNS queries and changing it to their own DNS server
Which ISP? Name and shame!
You are most likely using Cloudflared together with pi-Hole.
You may want to check-out AdGuardHome (open source) which has out-of-the-box DOH support.
There is also https://github.com/DNSCrypt/dnscrypt-proxy
I’ve been using Quad9 DoH for a few months now. Very happy with it so far.
Are you trying to send the DNS request through the tunnel?
I use DoH, which sends DNS requests through https. It essentially looks like normal https traffic (encrypted), so your ISP shouldn’t be able to hijack it and no additional tunnels are required. CF supports doh at the usual 1.1.1.1 address, even, if you want to keep using them. Otherwise plenty of other providers support doh, as well.
I personally haven’t looked at all but I don’t fully understand doh. How can you have https before DNS? To get my first query I kind of need to validate through DNS records certificate authority for that site? So to even establish doh you need unencrypted DNS or blind trust of IP?
You’ll need a single DNS request, known as a “bootstrap” request. Your ISP will see a single DNS request to Google or Cloudflare or whatever, then everything after that will just look like normal https traffic.
That said, if your ISP is blocking and denying ALL dns requests for some reason (making the bootstrap request impossible), then you could still define the address locally. At that point, though, the ISP is likely blocking the IP addresses, too, so resolving the address is a bit moot.
Yes you’ll need a way to query the domain of the DoH service in plaintext before using it. In many software you can define “bootstrap DNS addresses” to do exactly that. Or you can hardcode the DoH service’s IPs, which for most upstream providers are almost always the same as their “normal” IPs anyways
You define your dns by IP. you get the cert from that IP and automatically trust it.
The cert for validation the server only validate the hostname. It’s not useful for IP.
Stubby.
There’s Technitium DNS, though I’m not an user hence no strong recommendation on my end.
I have seen this project popping up quite a bit. It seems like this natively supports a lot of encrypted DNS protocols, unlike Pihole. Looks very nice.
Technitium is very powerful and could perfectly handle being a DNS forwarder + DHCP provider for your LAN, replacing both Pihole + cloudflared. Though it does many other things too, which can make the UI overwhelming for starters. But in my opinion if you’d like to fine-tune a lot of things like cache and custom DNS logic (via installable applets), this would be the software for you
Edit: If you want something simpler to replace Pihole + cloudflared, AdGuard Home is pretty good too. It uses dnsproxy under the hood and has a nice UI
For the upstream provider I guess Quad9 is popular enough to give you fairly good geolocated IPs, but also has some sense of privacy. The main thing is to always validate your andwers with DNSSEC as to detect and refuse any DNS tampering attempts
AdGuard’s dnsproxy should fill the bill.
dnsproxy seems really good.
I’m checking their docker release (https://github.com/axeleroy/dnsproxy-docker/)
they have an official build too: https://hub.docker.com/r/adguard/dnsproxy
Since you’re posting in the self hosted community I’ll assume you’re looking for a self hosted alternative.
I’ve been meaning to try out Hickory DNS. I too want to use DoH on my clients, and will use native Android/Firefox options to enable it client side.
Haven’t settled settled on an upstream provider yet, so from Hickory DNS onwards I’ll still need to find something else.
I’ll assume you’re looking for a self hosted alternative
I self-host the
cloudflaredwhich is used by my Pihole as the upstream provider.I shall check out Hickory DNS. Thanks!
Edit: Okay, the application is still in alpha-stage. I’m afraid I can’t use it, but I will be keeping an eye out for it.
