| View previous topic :: View next topic |
| Author |
Message |
shimitar
Guru
Joined: 23 Nov 2003
Posts: 331
Location: Italy, Torino
|
 Posted: Tue Sep 17, 2024 7:10 am Post subject: [SOLVED] DNS over HTTPS with Unbound (or?) |
 |
|
Hi all,
i have a fully working Unbound resolver setup on my home network, it works perfectly on port 53 (udp&tcp) and also provides DNS over TLS for upstream.
Now since it seems that Android no matter what will use DNS over HTTPS, bypassing by resolver, when connected to the home WiFi, i would like to also enable DoH for Unbound, but i am not very sure on what to do.
Unbound documentation is very limited. I also have NGINX on my server, so port 443 is currently busy, so i decided to setup unbound on port 4443 instead, then use NGINX to proxy the DoH endpoint.
I have created the certs and added:
| Code: |
interface: 127.0.0.1@4443
https-port: 4443
tls-service-key: "/etc/unbound/certs/mydomain.key"
tls-service-pem: "/etc/unbound/certs/mydomain.pem"
|
to my unbound.conf, and restarted.
I cannot make it work it in any way, i have even installed "dog" (https://github.com/ogham/dog) from sources, and it cannot find a valid dns server (DoH) on my 4443 port (hwich _is_ open).
Also i was looking for some NGINX configuration for the reverse proxying, but with not much success either. It's not clear to me if the certs needs to be applied to NGINX or to Unbound, and how it would play exactly.
Anybody running Unbound with DoH and a reverse proxy?
_________________
Willy Gardiol
willy@gardiol.org
Last edited by shimitar on Tue Sep 17, 2024 9:12 am; edited 1 time in total |
|
| Back to top |
|
 |
nicop
Tux's lil' helper
Joined: 10 Apr 2014
Posts: 87
|
|
| Back to top |
|
|
shimitar
Guru
Joined: 23 Nov 2003
Posts: 331
Location: Italy, Torino
|
| Posted: Tue Sep 17, 2024 9:12 am Post subject: |
|
|
Thanks!
your comment pointed me in the right direction...
It seems i managed to get it working.
I had to configure my NGINX proxy like this:
| Code: |
location /dns-query {
if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
return 501;
}
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
proxy_buffering off;
grpc_pass grpc://127.0.0.1:4443;
}
|
because normal proxy don't support HTTP2 upstream.
And disable HTTPS on downstream Unbound like this:
| Code: |
interface: 127.0.0.1@4443
https-port: 4443
# tls-service-key: "/etc/unbound/certs/mydomain.key" remove certs, as they are not needed
# tls-service-pem: "/etc/unbound/certs/mydomain.pem"
http-notls-downstream: yes
|
And... it worked!
_________________
Willy Gardiol
willy@gardiol.org |
|
| Back to top |
|
|
nicop
Tux's lil' helper
Joined: 10 Apr 2014
Posts: 87
|
| Posted: Tue Sep 17, 2024 10:31 am Post subject: |
|
|
Good !
| shimitar wrote: |
location /dns-query {
if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
return 501;
}
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
proxy_buffering off;
grpc_pass grpc://127.0.0.1:4443;
}
|
My two cents : use an upstream instead of grpc_pass alone. It allows to pass additional parameters in the upstream block (https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#upstream-groups)
| shimitar wrote: |
because normal proxy don't support HTTP2 upstream.
|
You could use | Code: | | proxy_http_version 1.1; |
|
|
| Back to top |
|
|
shimitar
Guru
Joined: 23 Nov 2003
Posts: 331
Location: Italy, Torino
|
| Posted: Tue Sep 17, 2024 10:40 am Post subject: |
|
|
Unbound requires http2, http 1.1 won't work.
As for the upstream, yes, its a good idea.
_________________
Willy Gardiol
willy@gardiol.org |
|
| Back to top |
|
|
|
Networking & Security
