Running a DNS over HTTPS Client to encrypt all home DNS traffic
With DNS over HTTPS (Secure DNS), nobody listening on the wire can see the DNS queries you make when you are browsing the Internet.
If you haven’t setup Secure DNS, do it today.
What is Secure DNS
Traditionally, DNS queries are sent in plaintext. Anyone listening on the Internet can see which websites you are connecting to.
To ensure your DNS queries remain private, you should use a resolver that supports secure DNS transport such as DNS over HTTPS (DoH) or DNS over TLS (DoT).
DoH providers
- Cloudflare
- Cleanbrowsing
- Comcast
- DNS.SB
- OpenDNS
- Quad9
Problem
A lot of home routers do not support DoH by default, you can change router’s DNS setting to point different DNS server but can not use secure DNS directly.
To solve this problem, one way is run a local DNS agent to proxy all the DNS queries through DoH or DoT.
The agent listen on DNS port 53 to receive incoming DNS query, here the query can come from router.
I use a Raspberrypi to host DoH client agent. Cloudflare provide a DoH client agent cloudflared.
Install cloudflared
Download cloudflared
Download the latest version of cloudflared:
$ wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
--2020-03-06 16:44:52-- https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
Resolving bin.equinox.io (bin.equinox.io)... 34.235.56.240, 34.201.246.51, 34.192.78.186, ...
Connecting to bin.equinox.io (bin.equinox.io)|34.235.56.240|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17677329 (17M) [application/octet-stream]
Saving to: ‘cloudflared-stable-linux-arm.tgz’
cloudflared-stable-linux-arm. 100%[=================================================>] 16.86M 5.03MB/s in 4.1s
2020-03-06 16:44:58 (4.10 MB/s) - ‘cloudflared-stable-linux-arm.tgz’ saved [17677329/17677329]
unzip, it only include one binary file cloudflare:
$ tar zxvf cloudflared-stable-linux-arm.tgz
cloudflared
Note
Should not use .deb package provide by Cloudflare for Raspberrypi,
it will failed to install:
$ sudo apt install ./cloudflared-stable-linux-arm.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'cloudflared:arm' instead of './cloudflared-stable-linux-arm.deb'
The following NEW packages will be installed:
cloudflared:arm
0 upgraded, 1 newly installed, 0 to remove and 5 not upgraded.
Need to get 0 B/17.3 MB of archives.
After this operation, 37.0 MB of additional disk space will be used.
Get:1 cloudflared-stable-linux-arm.deb cloudflared arm 2020.2.1 [17.3 MB]
dpkg: error processing archive cloudflared-stable-linux-arm.deb (--unpack):
package architecture (arm) does not match system (armhf)
Errors were encountered while processing:
cloudflared-stable-linux-arm.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
Check cloudflared version:
$ ./cloudflared --version
cloudflared version 2020.2.1 (built 2020-02-27-1710 UTC)
Config cloudflared
Create a config file name /usr/local/etc/cloudflared/config.yml,
the content as following:
logfile: /var/log/cloudflared.log
proxy-dns: true
proxy-dns-address: 0.0.0.0
proxy-dns-port: 53
proxy-dns-upstream:
- https://1.1.1.1/dns-query
- https://1.0.0.1/dns-query
Note
Useproxy-dns-address: 0.0.0.0 to allow DoH client agent receive incoming DNS query.
The default is 127.0.0.1 which only receive DNS query from localhost.
Install as a service
Install as a service to allow startup after reboot:
$ sudo ./cloudflared service install
INFO[0000] Failed to copy user configuration. Before running the service, ensure that /etc/cloudflared contains two files, cert.pem and config.yml error="open /usr/local/etc/cloudflared/cert.pem: no such file or directory"
Note: error=open /usr/local/etc/cloudflared/cert.pem: no such file or directory
You may see this error during install as service.
To solve this issue, copy /etc/cloudflared/cert.pem to /usr/local/etc/cloudflared/cert.pem:
$ sudo cp /etc/cloudflared/cert.pem /usr/local/etc/cloudflared/cert.pem
Then re-run install:
$ sudo ./cloudflared service install
INFO[0000] Copied /usr/local/etc/cloudflared/config.yml to /etc/cloudflared/config.yml
INFO[0000] Using Systemd
ERRO[0001] systemctl: Created symlink /etc/systemd/system/multi-user.target.wants/cloudflared.service → /etc/systemd/system/cloudflared.service.
INFO[0001] systemctl daemon-reload
Note: Configuration file /etc/cloudflared/config.yml must contain entries for the tunnel to run and its associated credentials
You may see this error with newer version of cloudflared (e.g. 2020.12.0)
Configuration file /etc/cloudflared/config.yml must contain entries for the tunnel to run and its associated credentials:
tunnel: TUNNEL-UUID
credentials-file: CREDENTIALS-FILE
To solve this issue, workaround with --legacy:
sudo ./cloudflared service install --legacy
After service installed, the config file copied to /etc/cloudflared/config.yml.
Future change config should change /etc/cloudflared/config.yml directly.
Enable cloudflared service
$ sudo systemctl enable cloudflared
$ sudo systemctl start cloudflared
$ systemctl status cloudflared
● cloudflared.service - Argo Tunnel
Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-03-06 17:42:52 UTC; 4h 51min ago
Main PID: 5735 (cloudflared)
Tasks: 14 (limit: 1772)
Memory: 12.3M
CGroup: /system.slice/cloudflared.service
└─5735 /home/pi/sbin/cloudflared --config /etc/cloudflared/config.yml --origincert /etc/cloudflared/cert.pem --no-autoupdate
Mar 06 17:42:52 pi3 systemd[1]: Starting Argo Tunnel...
Mar 06 17:42:52 pi3 cloudflared[5735]: time="2020-03-06T17:42:52Z" level=info msg="Version 2020.2.1"
Mar 06 17:42:52 pi3 cloudflared[5735]: time="2020-03-06T17:42:52Z" level=info msg="GOOS: linux, GOVersion: go1.12.7, GoArch: arm"
Mar 06 17:42:52 pi3 cloudflared[5735]: time="2020-03-06T17:42:52Z" level=info msg=Flags config=/etc/cloudflared/config.yml logfile=/var/log/cloudflared.log no-autoupdate=true origincert=/etc/cloudflared/cert.pem proxy-dns=true proxy
Mar 06 17:42:52 pi3 cloudflared[5735]: time="2020-03-06T17:42:52Z" level=info msg="Adding DNS upstream" url="https://1.1.1.1/dns-query"
Mar 06 17:42:52 pi3 cloudflared[5735]: time="2020-03-06T17:42:52Z" level=info msg="Adding DNS upstream" url="https://1.0.0.1/dns-query"
Mar 06 17:42:52 pi3 cloudflared[5735]: time="2020-03-06T17:42:52Z" level=info msg="Starting DNS over HTTPS proxy server" addr="dns://0.0.0.0:53"
Mar 06 17:42:52 pi3 cloudflared[5735]: time="2020-03-06T17:42:52Z" level=info msg="Starting metrics server" addr="127.0.0.1:32417"
Test cloudflared
Use dig to query DNS through cloudflared, you should get success DNS response:
$ dig +short @127.0.0.1 google.com AAAA
2607:f8b0:4007:800::200e
$ dig +short @127.0.0.1 google.com A
216.58.217.206
Set up router
Once DoH client agent set successfully, then change router’s setting, let it DNS server point to Raspberrypi. That’s it.
You can test it through Cloudflare test page.
Setup browser to use DoH
If DoH is setup properly on router, there is no need setup browser, otherwise you can also setup browser to use DoH explicitly.
Chrome
Chrome 78 start support DoH, you can enable it through chrome://flags/#dns-over-https:
Secure DNS lookups
Enables DNS over HTTPS. When this feature is enabled, your browser may try to use a secure HTTPS connection to look up the addresses of websites and other web resources. – Mac, Windows, Chrome OS, Android
#dns-over-https
Firefox
In about:config, search network.trr.mode and set it value to 2.
network.trr.mode
The resolver mode. You should not change the mode manually, instead use the UI in the Network Settings section of about:preferences
- 0 - Off (default). use standard native resolving only (don’t use TRR at all)
- 1 - Reserved (used to be Race mode)
- 2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
- 3 - Only. Only use TRR, never use the native resolver. Up to FF >= 73, this mode also requires the bootstrapAddress pref to be set. Starting with Firefox 74, setting the bootstrap address is no longer mandatory - the browser will simply bootstrap itself using regular DNS, unless the DoH server domain can’t be resolved. The native resolver will still be used for portal detection and telemetry (Bug 1593873)
- 4 - Reserved (used to be Shadow mode)
- 5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.
see https://wiki.mozilla.org/Trusted_Recursive_Resolver#network.trr.mode
Appendix
cloudflared command line help
$ cloudflared --help
NAME:
cloudflared - Cloudflare's command-line tool and agent
USAGE:
cloudflared [global options] command [command options] origin-url
VERSION:
2020.2.1 (built 2020-02-27-1710 UTC)
DESCRIPTION:
cloudflared connects your machine or user identity to Cloudflare's global network.
You can use it to authenticate a session to reach an API behind Access, route web traffic to this machine,
and configure access control.
COMMANDS:
update Update the agent if a new version exists
version Print the version
proxy-dns Run a DNS over HTTPS proxy server.
service Manages the Argo Tunnel system service
help, h Shows a list of commands or help for one command
Access (BETA):
access access <subcommand>
Tunnel:
tunnel Make a locally-running web service accessible over the internet using Argo Tunnel.
GLOBAL OPTIONS:
--help, -h show help (default: false)
--version, -v, -V Print the version (default: false)
COPYRIGHT:
(c) 2020 Cloudflare Inc.
Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept
the terms of the Cloudflare License (https://developers.cloudflare.com/argo-tunnel/license/),
Terms (https://www.cloudflare.com/terms/) and Privacy Policy (https://www.cloudflare.com/privacypolicy/).
cloudflared command line help for proxy-dns
$ cloudflared proxy-dns --help
NAME:
cloudflared proxy-dns - Run a DNS over HTTPS proxy server.
USAGE:
cloudflared proxy-dns [command options]
OPTIONS:
--metrics value Listen address for metrics reporting. (default: "localhost:") [$TUNNEL_METRICS]
--address value Listen address for the DNS over HTTPS proxy server. (default: "localhost") [$TUNNEL_DNS_ADDRESS]
--port value Listen on given port for the DNS over HTTPS proxy server. (default: 53) [$TUNNEL_DNS_PORT]
--upstream value Upstream endpoint URL, you can specify multiple endpoints for redundancy. (default: "https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query") [$TUNNEL_DNS_UPSTREAM]
--help, -h show help (default: false)
Related pages:
- Jailbreak iPhone 8 iOS 16.2 with palera1n and use frida dump to decrypt ipa
- Use frida and objection to penetration test iOS app security
- OpenSSL CSR Examples: Self Signed Certificate and How to Start Test TLS/SSL Server/Client
- testssl.sh examples command line tool check server TLS/SSL (weak) ciphers and detect TLS/SSL vulnerabilities
- ECDSA signature verify in kotlin and Golang
- Test TLS Connection Ciphers TLS Version and Certificate with OpenSSL Command Line
- Secure Squid Proxy Server
References
- https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/
- https://developers.cloudflare.com/argo-tunnel/downloads/
- https://www.chromium.org/developers/dns-over-https
- https://wiki.mozilla.org/Trusted_Recursive_Resolver
OmniLock - Block / Hide App on iOS
Block distractive apps from appearing on the Home Screen and App Library, enhance your focus and reduce screen time.
DNS Firewall for iOS and Mac OS
Encrypted your DNS to protect your privacy and firewall to block phishing, malicious domains, block ads in all browsers and apps