Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] DNS over HTTPS with Unbound (or?)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
shimitar
Guru
Guru


Joined: 23 Nov 2003
Posts: 334
Location: Italy, Torino

PostPosted: Tue Sep 17, 2024 7:10 am    Post subject: [SOLVED] DNS over HTTPS with Unbound (or?) Reply with quote

Hi all,
i have a fully working Unbound resolver setup on my home network, it works perfectly on port 53 (udp&tcp) and also provides DNS over TLS for upstream.

Now since it seems that Android no matter what will use DNS over HTTPS, bypassing by resolver, when connected to the home WiFi, i would like to also enable DoH for Unbound, but i am not very sure on what to do.

Unbound documentation is very limited. I also have NGINX on my server, so port 443 is currently busy, so i decided to setup unbound on port 4443 instead, then use NGINX to proxy the DoH endpoint.

I have created the certs and added:
Code:

        interface: 127.0.0.1@4443
        https-port: 4443
        tls-service-key: "/etc/unbound/certs/mydomain.key"
        tls-service-pem: "/etc/unbound/certs/mydomain.pem"


to my unbound.conf, and restarted.

I cannot make it work it in any way, i have even installed "dog" (https://github.com/ogham/dog) from sources, and it cannot find a valid dns server (DoH) on my 4443 port (hwich _is_ open).

Also i was looking for some NGINX configuration for the reverse proxying, but with not much success either. It's not clear to me if the certs needs to be applied to NGINX or to Unbound, and how it would play exactly.

Anybody running Unbound with DoH and a reverse proxy?
_________________
Willy Gardiol
willy@gardiol.org


Last edited by shimitar on Tue Sep 17, 2024 9:12 am; edited 1 time in total
Back to top
View user's profile Send private message
nicop
Tux's lil' helper
Tux's lil' helper


Joined: 10 Apr 2014
Posts: 103

PostPosted: Tue Sep 17, 2024 8:01 am    Post subject: Reply with quote

A common configuration is to use the resolver without DoH/DoT and leave a DNS proxy do that stuff, for example DNSDIST. This also allows easier ACL management (example https://blog.apnic.net/2020/02/28/how-to-deploy-dot-and-doh-with-dnsdist/)
Back to top
View user's profile Send private message
shimitar
Guru
Guru


Joined: 23 Nov 2003
Posts: 334
Location: Italy, Torino

PostPosted: Tue Sep 17, 2024 9:12 am    Post subject: Reply with quote

Thanks!
your comment pointed me in the right direction...

It seems i managed to get it working.

I had to configure my NGINX proxy like this:
Code:

location /dns-query {
        if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
                return 501;
        }
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_buffering off;
        grpc_pass grpc://127.0.0.1:4443;
}


because normal proxy don't support HTTP2 upstream.

And disable HTTPS on downstream Unbound like this:
Code:

        interface: 127.0.0.1@4443
        https-port: 4443
#        tls-service-key: "/etc/unbound/certs/mydomain.key" remove certs, as they are not needed
#       tls-service-pem: "/etc/unbound/certs/mydomain.pem"
        http-notls-downstream: yes


And... it worked!
_________________
Willy Gardiol
willy@gardiol.org
Back to top
View user's profile Send private message
nicop
Tux's lil' helper
Tux's lil' helper


Joined: 10 Apr 2014
Posts: 103

PostPosted: Tue Sep 17, 2024 10:31 am    Post subject: Reply with quote

Good !

shimitar wrote:

location /dns-query {
if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
return 501;
}
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
proxy_buffering off;
grpc_pass grpc://127.0.0.1:4443;
}


My two cents : use an upstream instead of grpc_pass alone. It allows to pass additional parameters in the upstream block (https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#upstream-groups)

shimitar wrote:

because normal proxy don't support HTTP2 upstream.


You could use
Code:
proxy_http_version 1.1;
Back to top
View user's profile Send private message
shimitar
Guru
Guru


Joined: 23 Nov 2003
Posts: 334
Location: Italy, Torino

PostPosted: Tue Sep 17, 2024 10:40 am    Post subject: Reply with quote

Unbound requires http2, http 1.1 won't work.

As for the upstream, yes, its a good idea.
_________________
Willy Gardiol
willy@gardiol.org
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum