Run Your Own DNS over HTTPS (DoH) Resolver on Ubuntu with DNSdist

  • Post category: Tech

This tutorial shows you how to set up your own DNS over HTTPS (DoH) resolver on Ubuntu with DNSdist, so that your DNS queries are encrypted and protected from prying eyes.

What is DNS over HTTPS and why is it important?

The Domain Name System (DNS) translates domain names into IP addresses. It was designed in 1987 with no thought given to security or privacy. DNS queries are not encrypted by default: they travel over the wire in plain text and can be read and tampered with by anyone on the path. For example, the Great Firewall of China (GFW) uses a technique called DNS cache poisoning to censor the Chinese Internet. (It also uses other methods that are not covered in this article.)

The GFW inspects every DNS query sent to a DNS server outside China. Since plain-text DNS runs over UDP, a connectionless protocol, the GFW can spoof both the client's and the server's IP address. When the GFW sees a domain name on its block list, it injects a forged DNS response. For example, if a Chinese Internet user wants to visit google.com, the GFW answers the user's DNS resolver with an IP address located in China instead of Google's real IP address. The resolver then returns the forged address to the user's computer, so the user cannot reach google.com.

HTTPS is the standard way of encrypting plain-text HTTP traffic. With DNS over HTTPS (DoH), your DNS queries are carried inside HTTPS and are encrypted, so third parties on the path can neither read nor alter them.

Why use a separate resolver?

There are already public DNS resolvers, such as 1.1.1.1 and 9.9.9.9, that support DNS over HTTPS, so you can use them if you don't have the skills or time to run your own. Since Firefox 61 you can enable DNS over HTTPS in the browser settings, which is a big step forward for security and privacy on the Internet. Firefox uses Cloudflare's resolver (1.1.1.1) by default. However, some people argue that this lets Cloudflare collect information about Firefox users; they seem to trust their ISP more than Cloudflare. My view is that if you are serious about privacy, you should run your own DoH resolver, so that neither Cloudflare nor your ISP can see your queries.

DoH vs. DoT

Besides DNS over HTTPS there is another protocol for encrypting DNS queries: DNS over TLS (DoT). I previously wrote a guide on using DNS over TLS on the Ubuntu desktop, but I have since switched to DNS over HTTPS.

For people in countries with strict Internet censorship, such as China, DoH is more effective than DoT. DoT runs on TCP port 853, which a national firewall can easily block. DoH runs on TCP port 443, the default port for HTTPS sites, which makes it very hard to block: blocking TCP port 443 would block almost every HTTPS site as well. My DoH resolver runs on a VPS (Virtual Private Server) outside China, so the Great Firewall cannot intercept my DNS queries. I can even hide the IP address of my DoH resolver behind Cloudflare's CDN (Content Delivery Network).

Another advantage of DoH is that web applications can access DNS information through existing browser APIs, so no separate stub resolver is needed.

DoH Support in the Major DNS Resolvers

  • BIND will support DoH in version 9.17, which is still under development. Ubuntu 20.04 and 20.10 ship BIND 9.16.
  • Knot Resolver supports DoH as of version 4.0.0. The latest version is 5.1.1. It has official repositories for Debian, Ubuntu, CentOS and Fedora.
  • Unbound supports DoH as of version 1.12.0.
  • PowerDNS Recursor does not currently support DoH.

I prefer to run the DoH resolver with DNSdist, which added DoH support in version 1.4.0. The latest version is 1.5. It has official repositories for Debian, Raspbian, Ubuntu and CentOS. DNSdist is a DNS load balancer that forwards DNS queries to one or more backend DNS resolvers. Whichever DNS resolver you use, DNSdist lets you put your own DoH server in front of it. DNSdist is developed by the PowerDNS team.

Requirements

It is assumed that a DNS resolver is already running on your Ubuntu server. You can use any DNS resolver (BIND, Knot Resolver, Unbound, ...). I personally use BIND.

Once your DNS resolver is ready to use, follow the instructions below.

Step 1: Install DNSdist on Ubuntu Server

It is recommended to install DNSdist from the upstream PowerDNS repository so that you get the latest stable version. First create a sources list file for DNSdist.

Ubuntu 20.04

echo deb [arch=amd64] http://repo.powerdns.com/ubuntu focal-dnsdist-15 main | sudo tee /etc/apt/sources.list.d/pdns.list

Ubuntu 18.04

echo deb [arch=amd64] http://repo.powerdns.com/ubuntu bionic-dnsdist-15 main | sudo tee /etc/apt/sources.list.d/pdns.list

Ubuntu 16.04

echo deb [arch=amd64] http://repo.powerdns.com/ubuntu xenial-dnsdist-15 main | sudo tee /etc/apt/sources.list.d/pdns.list

Then create an APT preferences file to pin the DNSdist package to the PowerDNS repository, so that we don't accidentally install DNSdist from another repository.

sudo nano /etc/apt/preferences.d/dnsdist

Add the following lines to the file.

Package: dnsdist*
Pin: origin repo.powerdns.com
Pin-Priority: 600

Save and close the file. Then run the following command to import PowerDNS's public key, so that APT can verify the signatures of the packages downloaded from this repository.

curl https://repo.powerdns.com/FD380FBB-pub.asc | sudo apt-key add -

Then update the package list and install DNSdist.

sudo apt update

sudo apt install dnsdist

By default DNSdist tries to bind to port 53. Since your existing DNS resolver (BIND in my case) already listens on port 53, dnsdist.service will fail to start.

Since we only install a DoH resolver and don’t care about DNS load balancing, we can configure DNSdist to listen on another port. Edit the DNSdist configuration file.

sudo nano /etc/dnsdist/dnsdist.conf

The file is empty by default. For now, simply add the following line so that DNSdist listens on TCP and UDP port 5353 on localhost instead of port 53.

setLocal("127.0.0.1:5353")

Save the file and close it. Then restart DNSdist.

sudo systemctl restart dnsdist

Check its status.

systemctl status dnsdist

It should be active (running).

Step 2: Install the Let's Encrypt Client (Certbot) on Ubuntu Server

DNS over HTTPS requires a TLS certificate on the server side. We will obtain one from Let's Encrypt and install it in DNSdist. The advantages of a Let's Encrypt certificate are that it is free, easy to obtain and trusted by client programs.

Run the following commands to install the Let’s Encrypt (certbot) client from the default Ubuntu repository.

sudo apt install certbot

To check the version number, run

certbot --version

Sample output:

certbot 0.40.0

Step 3: Obtain a Trusted TLS Certificate from Let's Encrypt

I recommend using either the standalone plugin or the webroot plugin to obtain the TLS certificate for DNSdist.

Standalone plugin

If there is no web server on your Ubuntu server, you can use the standalone plugin to obtain a TLS certificate from Let's Encrypt. Create a DNS A record for the subdomain (doh.example.com) pointing to your server, then run the following command (replace the email address with your own).

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email you@example.com -d doh.example.com

Where:

  • certonly: obtain the certificate but don't install it.
  • --standalone: use the standalone plugin to obtain the certificate.
  • --preferred-challenges http: use the http-01 challenge to validate our domain. This uses port 80, which must be reachable from the Internet and not in use by another program.
  • --agree-tos: agree to the Let's Encrypt terms of service.
  • --email: the email address used for registration and account recovery.
  • -d: specify your domain name.

If the challenge succeeds, certbot reports that the certificate was obtained and stores it under /etc/letsencrypt/live/doh.example.com/.

Using the webroot plugin

If your Ubuntu server already runs a web server listening on ports 80 and 443, it is better to use the webroot plugin to obtain the certificate, because the webroot plugin works with almost every web server and we don't need to install the certificate in the web server.

First create a virtual host for doh.example.com.

Apache

If you’re using Apache, then

sudo nano /etc/apache2/sites-available/doh.example.com.conf

And add the following lines to the file.

<VirtualHost *:80>
    ServerName doh.example.com
    DocumentRoot /var/www/dnsdist
</VirtualHost>

Save the file and close it. Then create a root folder.

sudo mkdir /var/www/dnsdist

Set www-data (the Apache user) as the owner of the web root.

sudo chown www-data:www-data /var/www/dnsdist -R

Activate this virtual host.

sudo a2ensite doh.example.com

Restart Apache to put the changes into effect.

sudo systemctl restart apache2

Once the virtual host is created and enabled, run the following command to obtain the Let's Encrypt certificate with the webroot plugin (replace the email address with your own).

sudo certbot certonly --webroot --agree-tos --email you@example.com -d doh.example.com -w /var/www/dnsdist

Nginx

If you're using Nginx, create a server block file.

sudo nano /etc/nginx/conf.d/doh.example.com.conf

Add the following lines to the file.

server {
    listen 80;
    server_name doh.example.com;

    root /var/www/dnsdist/;

    location ~ /.well-known/acme-challenge {
        allow all;
    }
}

Save the file and close it. Then create a root folder.

sudo mkdir -p /var/www/dnsdist

Set www-data (the Nginx user) as the owner of the web root.

sudo chown www-data:www-data /var/www/dnsdist -R

Restart Nginx to make the changes take effect.

sudo systemctl restart nginx

Once the server block is in place, run the following command to obtain the Let's Encrypt certificate with the webroot plugin (replace the email address with your own).

sudo certbot certonly --webroot --agree-tos --email you@example.com -d doh.example.com -w /var/www/dnsdist

Step 4: Enable DoH in DNSdist

Edit the DNSdist configuration file.

sudo nano /etc/dnsdist/dnsdist.conf

Add the following lines to the file.

-- Allow queries from all IP addresses (DNSdist's default ACL only admits
-- RFC 1918 ranges and localhost, which would reject remote DoH clients)
addACL('0.0.0.0/0')

-- Add a DoH listener on port 443 of all interfaces, serving every URL path ("/")
addDOHLocal("0.0.0.0:443", "/etc/letsencrypt/live/doh.example.com/fullchain.pem", "/etc/letsencrypt/live/doh.example.com/privkey.pem", { "/" }, { doTCP=true, reusePort=true, tcpFastOpenSize=0 })

-- The backend resolver (BIND listening on 127.0.0.1:53). qps=5 caps the UDP
-- queries forwarded to this backend at 5 per second; with a single backend,
-- queries above the cap get no answer, so raise or remove it for real use.
newServer({address="127.0.0.1:53", qps=5, name="resolver1"})

Save and close the file. Be aware that addACL('0.0.0.0/0') makes the DoH endpoint a resolver that anyone on the Internet can use; that is what you want for a resolver you reach from anywhere, but keep an eye on the DNSdist and BIND logs for abuse. DNSdist runs as the user _dnsdist, so we must allow that user to read the TLS certificate and private key with the following commands.

sudo apt install acl

sudo setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/

Note that setfacl only changes files that exist now. Certbot writes a new private key file on every renewal, and that file will not be readable by _dnsdist, so re-run the setfacl command from a certbot deploy hook (a script placed in /etc/letsencrypt/renewal-hooks/deploy/) and restart DNSdist from the same hook, because DNSdist does not reload the certificate on its own.

Then check the syntax of the configuration file.

sudo dnsdist --check-config

If the syntax is correct, restart DNSdist.

sudo systemctl restart dnsdist

Note that DNSdist will fail to start if a web server is already listening on TCP port 443. You can stop the web server temporarily; at the end of this article I explain how the web server and DNSdist can share TCP port 443.

Step 5: Configure DoH in the Firefox Web Browser

Go to Preferences -> General, scroll down to Network Settings and click Settings. Enable DNS over HTTPS, choose Custom and enter the URL of your own DoH resolver. With the listener configured above, which serves the "/" path, that URL is https://doh.example.com/.

We can then fine-tune the DoH settings on Firefox's about:config page.

network.trr.mode

The default value of network.trr.mode in Firefox is 2: if the DoH query fails, Firefox falls back to the host system's resolver. I want to use only the DoH resolver, so I change network.trr.mode to 3, which disables the fallback to the host resolver. This also makes it easy to check whether your DoH resolver actually works.

network.trr.allow-rfc1918

By default this value is false: if a DoH response contains private (RFC 1918) IP addresses, Firefox treats it as a bogus response and discards it. If you use a response policy zone (RPZ) in BIND to map some host names to private IP addresses, set this value to true.

network.trr.bootstrapaddress

Firefox must first resolve the DoH resolver's own host name before it can send queries to it. Entering the resolver's IP address here removes that initial lookup, which would otherwise go out in plain text through the host resolver.

Test

Now enter a domain name, for example linuxbabe.com, in the Firefox address bar. If the site loads normally, that is a good sign that your DoH resolver works. Then open a terminal on your DNS server and check the DNS query log. I use BIND, so I run the following command to check the query log.

Ubuntu 20.04

sudo journalctl -eu named

Ubuntu 18.04

sudo journalctl -eu bind9

As the BIND log shows, Firefox queried the following domains.

  • www.linuxbabe.com : my website
  • fonts.gstatic.com : This is for the Google fonts on my website.
  • cdn.shareaholic.net: the Shareaholic share widget on my website
  • newsletter.linuxbabe.com: my self-hosted email marketing platform
  • translate.google.com: the Google Translate widget on my website

The query log above tells me that my DNS over HTTPS resolver works. When I stop the BIND resolver (sudo systemctl stop named on Ubuntu 20.04, or bind9 on 18.04), Firefox reports that it cannot find the page, and when I start BIND again the site loads.
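Firefox is not the only way to exercise the endpoint, and a protocol-level check is a better test of the DNSdist listener than watching a browser. The following is an added example written for this page (it is not code from the original tutorial or from DNSdist): a minimal RFC 8484 client in Python that encodes a DNS query in wire format, sends it either as a GET with the base64url-encoded dns parameter or as a POST body, and decodes the answer section. DOH_URL follows the tutorial's placeholder host doh.example.com and the "/" path configured in addDOHLocal(); the sample bytes used in the comments are constructed. Only resolve() touches the network.

```python
"""Minimal RFC 8484 DNS-over-HTTPS client (added example for this page; it is
not code from the original tutorial or from DNSdist).

It builds a wire-format DNS query, sends it to the DoH endpoint either as a GET
with the base64url-encoded "dns" parameter or as a POST body, and decodes the
answer section. DOH_URL uses the tutorial's placeholder host doh.example.com
and the "/" path that addDOHLocal() serves; change it for your resolver.
"""
import base64
import struct
import urllib.request

DOH_URL = "https://doh.example.com/"   # assumption: your own listener, path "/"


def build_query(name, qtype=1, txid=0):
    """Encode a single-question DNS query (RFC 1035 wire format).

    RFC 8484 recommends a transaction ID of 0 so that HTTP caches can reuse
    identical GET requests; integrity comes from TLS, not from the ID.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_param(query):
    """Value of the 'dns' query parameter: base64url without '=' padding."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def _read_name(msg, off):
    """Read a possibly compressed domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg, expected_txid=0):
    """Return (rcode, [(name, type, ttl, rdata_text), ...]) from a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is not a response")
    off = 12
    for _ in range(qdcount):                            # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            text = ".".join(str(b) for b in rdata)
        elif rtype == 28 and rdlen == 16:               # AAAA record
            text = ":".join(rdata[i:i + 2].hex() for i in range(0, 16, 2))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


def resolve(name, qtype=1, method="GET", url=DOH_URL):
    """Query the DoH endpoint over the network and parse the reply."""
    query = build_query(name, qtype)
    headers = {"Accept": "application/dns-message"}
    if method == "GET":
        req = urllib.request.Request(url + "?dns=" + doh_get_param(query), headers=headers)
    else:
        headers["Content-Type"] = "application/dns-message"
        req = urllib.request.Request(url, data=query, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        ctype = resp.headers.get("Content-Type")
        if ctype != "application/dns-message":
            raise ValueError("unexpected Content-Type: %r" % ctype)
        return parse_response(resp.read())


if __name__ == "__main__":
    print(resolve("www.linuxbabe.com"))                  # needs network access to DOH_URL
    print(resolve("www.linuxbabe.com", method="POST"))
```

If curl 7.62 or later is installed, the same check from the shell is curl --doh-url https://doh.example.com/ https://www.linuxbabe.com/, and each request should show up in BIND's query log just like the Firefox ones above.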

Simultaneous use of port 443 by DNSdist and web server

A DNS over HTTPS resolver must bind to port 443. If Apache or Nginx is already listening on port 443, DNSdist cannot bind to it, because a port can normally be used by only one process. However, we can use HAProxy (High Availability Proxy) and SNI (Server Name Indication) to let DNSdist and Apache/Nginx share port 443.

DNSdist configuration

Edit the DNSdist configuration file.

sudo nano /etc/dnsdist/dnsdist.conf

Change the DoH listen address to 127.0.0.1.

addDOHLocal("127.0.0.1:443", "/etc/letsencrypt/live/doh.example.com/fullchain.pem", "/etc/letsencrypt/live/doh.example.com/privkey.pem", { "/" }, { doTCP=true, reusePort=true, tcpFastOpenSize=0 })

Save the file and close it. Then restart DNSdist.

sudo systemctl restart dnsdist

Nginx configuration

If you use Nginx, change the server block file.

sudo nano /etc/nginx/conf.d/example.com.conf

Look for the following statement in the SSL server block.

listen 443 ssl;

Change it to

listen 127.0.0.2:443 ssl;

This time we make it listen on 127.0.0.2:443, because 127.0.0.1:443 is already taken by DNSdist. Save and close the file. The main Nginx configuration file /etc/nginx/nginx.conf and the default server block /etc/nginx/sites-enabled/default may also contain a default vhost listening on 443, so you may need to edit those files too.

Then restart Nginx.

sudo systemctl restart nginx

Configuring Apache

If you are using the Apache web server, edit the virtual host file.

sudo nano /etc/apache2/sites-enabled/example.com.conf

In the SSL virtual host, change

<VirtualHost *:443>

to

<VirtualHost 127.0.0.2:443>

This time we make it listen on 127.0.0.2:443, because 127.0.0.1:443 is already taken by DNSdist. Save and close the file. Then edit the /etc/apache2/ports.conf file.

sudo nano /etc/apache2/ports.conf

Change

Listen 443

to

Listen 127.0.0.2:443

Save the file and close it. Restart Apache.

sudo systemctl restart apache2

HAProxy configuration

Now install HAProxy.

sudo apt install haproxy

Start HAProxy.

sudo systemctl start haproxy

Edit the configuration file.

sudo nano /etc/haproxy/haproxy.cfg

If you are using Nginx, copy the following lines and paste them at the end of the file. Replace 12.34.56.78 with the public IP address of your server. Replace doh.example.com with the domain name used by DNSdist and www.example.com with the domain name used by your web server.

frontend https
    bind 12.34.56.78:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend dnsdist if { req_ssl_sni -i doh.example.com }
    use_backend nginx if { req_ssl_sni -i www.example.com }
    use_backend nginx if { req_ssl_sni -i example.com }

    default_backend dnsdist

backend dnsdist
    mode tcp
    option ssl-hello-chk
    server dnsdist 127.0.0.1:443 check

backend nginx
    mode tcp
    option ssl-hello-chk
    server nginx 127.0.0.2:443 check

If you are using Apache, copy and paste the following lines at the end of the file. Replace 12.34.56.78 with the public IP address of your server. Replace doh.example.com with the domain name used by DNSdist and www.example.com with the domain name used by your web server.

frontend https
    bind 12.34.56.78:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend dnsdist if { req_ssl_sni -i doh.example.com }
    use_backend apache if { req_ssl_sni -i www.example.com }
    use_backend apache if { req_ssl_sni -i example.com }

    default_backend dnsdist

backend dnsdist
    mode tcp
    option ssl-hello-chk
    server dnsdist 127.0.0.1:443 check

backend apache
    mode tcp
    option ssl-hello-chk
    server apache 127.0.0.2:443 check

Save and close the file. Then restart HAProxy.

sudo systemctl restart haproxy

In the configuration above we use the SNI (Server Name Indication) extension of TLS to tell DoH traffic apart from normal HTTPS traffic. HAProxy runs in TCP mode and passes the TLS stream through untouched, so TLS is still terminated by DNSdist or the web server with their own certificates. One side effect is that both backends see every connection as coming from 127.0.0.1 rather than from the real client address, which matters for logging and for DNSdist's ACL.

  • If doh.example.com appears in the client's TLS ClientHello, HAProxy forwards the traffic to the DNSdist backend.
  • If www.example.com appears in the client's TLS ClientHello, HAProxy forwards the traffic to the Apache/Nginx backend.
  • If the client specifies no server name in the TLS ClientHello, HAProxy uses the default backend (DNSdist).

You can test this setup with the openssl tool. First run the following command.

echo | openssl s_client -connect your-server-IP:443 | grep subject

We did not specify a server name in the command above, so HAProxy forwards the request to the default backend (DNSdist), which sends its certificate to the client. Then run the following two commands.

echo | openssl s_client -servername www.example.com -connect your-server-IP:443 | grep subject

echo | openssl s_client -servername doh.example.com -connect your-server-IP:443 | grep subject

We have now specified a server name in the commands so that HAproxy will send the requests according to the SNI rules we have defined.
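The routing decision HAProxy makes above is small enough to reproduce, which is a useful way to understand (and unit-test) the SNI rules without touching the server. The following added example was written for this page; it is not HAProxy's code or the original tutorial's. extract_sni() pulls the server_name extension out of a raw TLS ClientHello record, choose_backend() applies the Nginx variant of the use_backend/default_backend rules, and build_client_hello() constructs a minimal ClientHello purely as test input. The backend names are the ones from haproxy.cfg above.

```python
"""SNI-based backend selection mirroring the HAProxy rules above (added
example for this page; not HAProxy's code or the original tutorial's).

extract_sni() parses the server_name extension out of a raw TLS ClientHello
record, choose_backend() applies the same rules as the haproxy.cfg frontend,
and build_client_hello() constructs a minimal ClientHello for testing only.
"""
import struct

BACKENDS = {                      # use_backend rules; HAProxy matches them case-insensitively (-i)
    "doh.example.com": "dnsdist",
    "www.example.com": "nginx",
    "example.com": "nginx",
}
DEFAULT_BACKEND = "dnsdist"       # default_backend dnsdist


def extract_sni(record):
    """Return the host name from the server_name extension, or None if absent."""
    # TLS record header: content type (22 = handshake), version, 16-bit length
    if len(record) < 5 or record[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    # Handshake header: msg_type (1 = ClientHello), 24-bit length
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                            # client_version + random
    off += 1 + body[off]                                    # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]    # cipher_suites
    off += 1 + body[off]                                    # compression_methods
    if off + 2 > len(body):
        return None                                         # no extensions block at all
    ext_end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + ext_len]
        off += 4 + ext_len
        if ext_type != 0:                                   # 0 = server_name
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                              # host_name
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def choose_backend(record):
    """Pick the backend exactly as the use_backend/default_backend rules do."""
    sni = extract_sni(record)
    if sni is None:
        return DEFAULT_BACKEND
    return BACKENDS.get(sni.lower(), DEFAULT_BACKEND)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                 # client_version + random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00")                          # null compression only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

The tcp-request inspect-delay and req_ssl_hello_type lines in the frontend exist precisely so that HAProxy waits for this ClientHello before choosing a backend; a client that sends nothing usable within 5 seconds, or sends no server_name, lands on the default backend, which is why the first openssl command above (no -servername) is answered by DNSdist's certificate.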

When renewing your Let's Encrypt certificates, use the http-01 challenge rather than tls-alpn-01, because HAProxy now listens on port 443 of the public IP address and would interfere with the renewal.

sudo certbot renew --preferred-challenges http-01

Wrapping Up

I hope this tutorial helped you set up a DNS over HTTPS resolver with DNSdist on Ubuntu. As always, if you found this post useful, subscribe to our free newsletter for more tips and tricks. Take care.
