-
Notifications
You must be signed in to change notification settings - Fork 1k
Local DoH
In addition to responding to standard DNS queries, dnscrypt-proxy can also act as a DoH server, and respond to local queries sent over that protocol.
In particular, this means that Firefox can be configured to use it, so that it will accept to enable ESNI without bypassing your DNS proxy.
In order to enable this, the first thing you need is a certificate. Since this is just for local usage, you can use that example one or create your own with:
openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 -keyout \
localhost.pem -out localhost.pemDuring generating a RSA private key, User will be aksed to answer various questions (vide Country Name, Organization Name, Email Address and so on) - however, mentioned input fields can be empty. Now, localhost.pem file should be copied to, placed in /etc/dnscrypt-proxy/ directory. It's also a good idea to change file owner (only DNSCrypt-Proxy user should have access to such important file etc.):
# chown _dnscrypt-proxy localhost.pem
Please note, that _dnscrypt-proxy is a default user - in Debian GNU/Linux - created during DNSCrypt-Proxy installation process (please check User= option [in:] /lib/systemd/system/dnscrypt-proxy.service file).
Next, edit the configuration file, look for the local_doh section and uncomment the relevant lines:
[local_doh]
listen_addresses = ['127.0.0.1:3000']
path = "/dns-query"
cert_file = "localhost.pem"
cert_key_file = "localhost.pem"Now, dnscrypt-proxy should be restarted. With the settings above, the URL of the local DoH server would be https://127.0.0.1:3000/dns-query. Here is a small exception of the system logs:
[NOTICE] dnscrypt-proxy 2.0.44
[NOTICE] Now listening to https://127.0.0.1:3000/dns-query [DoH]
[INFO] [cloudflare] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[NOTICE] [cloudflare] OK (DoH) - rtt: 54ms
[NOTICE] Server with the lowest initial latency: cloudflare (rtt: 54ms)
[NOTICE] dnscrypt-proxy is ready - live servers: 1
It is possible, but not recommended, to configure local_doh to listen to outside queries, for example:
[local_doh]
listen_addresses = ['123.456.789.1:3000']
path = "/dns-query"
cert_file = "fullchain.pem"
cert_key_file = "privkey.pem"cert_file and cert_key_file can be generated using Let's Encrypt.
Firefox and Cloudflare are running an experiment called ESNI. ESNI is the name of an obsolete version of ECH (Encrypted ClientHello), a TLS extension to hide the server name in TLS (including HTTPS) connections.
While this may eventually be a significant privacy improvement, it currently has some caveats to be aware of:
- It is a work-in-progress design and has not yet seen significant (or really any) security analysis.
- It hasn't been deployed anywhere, besides an early prototype implemented in Firefox and on Cloudflare servers. Even when using Firefox, ESNI will never be used except when connecting to some websites from Cloudflare customers.
- What has been deployed is still missing an important part to protect against censorship (
GREASE) - Enabling ESNI will trigger an extra DNS query for every single new hostname, even for hosts that don't support ESNI. Every time a query for a host that doesn't support is made, an error will be returned (
NXDOMAIN). - Enabling ESNI in Firefox breaks some websites ("Secure connection failed -
SSL_ERROR_NO_CYPHER_OVERLAP" or "SSL_ERROR_MISSING_ESNI_EXTENSION"). - Keep in mind that ECH doesn't exist yet. What is available is only an experiment run by two companies.
Firefox has a setting to enable ESNI, but for some reason, the web browser ignores it unless it was also configured to bypass your DNS settings.
However, dnscrypt-proxy's local DoH server can be configured in Firefox, so that the ESNI setting will not be ignored.
After having set up the local DoH feature as documented above, open the DoH server full URL (ex: https://127.0.0.1:3000/dns-query) as a regular website with Firefox.
The first time, the web browser will notice that the certificate is self-signed and complain about it. This is expected. Click "Advanced" and "I accept the risks". This is okay, you are only going to connect to your own machine.
Next, type about:config in the URL bar, search for trr and make the following changes:
- Set
network.trr.custom_uriandnetwork.trr.uritohttps://127.0.0.1:3000/dns-query - Set
network.trr.modeto2 - Set
network.security.esni.enabledtotrue - Restart Firefox
You can finally check if the Firefox+Cloudflare ESNI experiment is enabled here (don't pay attention to the "Secure DNS" column, the green mark will only be shown when using Cloudflare).
Note that the actual resolvers don't have to be Cloudflare's, and don't have to use the DoH protocol either. ESNI is perfectly compatible with DNSCrypt and Anonymized DNSCrypt.
In order to revert the changes, set network.trr.mode to 0. Other parameters will then be ignored, so they can be left as-is.
In somecases if you want to run dnscrypt-proxy as a non-root user you'll get the error "[FATAL] listen udp 0.0.0.0:53: bind: permission denied"
to solve this problem you can run the following command and allow dnscrypt to have access to a low level port :
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)
- Home
- Installation
- Configuration
- Checking that your DNS traffic is encrypted
- Automatic Updates
- Server sources
- Combining blocklists
- Public Blocklist and other configuration files
- Building from source
- Run your own DNSCrypt server in under 10 minutes
- DNS stamps specifications
- Windows Tips
- dnscrypt-proxy in the media
- Planned Features