Closed marcelloinfoweb closed 4 years ago
What exactly are you trying to achieve?
Do you want AdGuard Home to run a DOT DNS server on the localhost? This does not make much sense, there's no point in encrypting a localhost connection.
I would not like to use external services.
If you're talking about upstream servers, you don't have much choice, you will have to do that anyway. You either use a DNS recursor like Quad9, AdGuard DNS, Google DNS, etc., or you set up a local unbound instance that does the recursion itself. But note that it means that it will connect to external name servers anyway, that's simply how DNS works.
I have configured a server with AdGuard Home and another server with OPNsense. I am forwarding all DNS requests to AdGuard Home, but that way I am unable to encrypt.
If I configure Unbound with the TLS of the AdGuard Home server, all DNS requests are identified as the firewall.
In Unbound I set it to 192.168.1.1 on port 853 and it worked, but it doesn't work in the upstream field of AdGuard Home.
Now you understand me?
Not entirely. Maybe a diagram would help.
I configured the certificate to use HTTPS and DoT on AdGuard Home. In OPNsense, in the custom options of Unbound, I configured the IP of another machine, which is AdGuard Home. My problem is that it doesn't register the individual IPs but the firewall's IP. I resolved that by configuring NAT for another server; so far so good, I just don't have the IPs encrypted by AdGuard anymore, and I would like to configure AdGuard Home encryption in the upstream field.
my problem is that it doesn't register the individual IPs but the firewall's IP
Well, I don't think it would be possible to solve this in your configuration.
As long as AdGuard Home is not the server that accepts clients' queries, it simply cannot see the real IP addresses.
Okay, all those issues I’ve solved. My problem would be to use the encryption service that is already configured on the server itself.
Use port 853 locally in the upstream field of AdGuard Home.
You should use tls://127.0.0.1 then; it's possible, of course. But note that the server should have a valid certificate.
I found that it doesn't work on the same server as OPNsense; you have to have a unique certificate.
Still it didn't work, just simple dns.
This time I'm using the beta version, and still nothing, unfortunately.
Is it possible to use Let's Encrypt certified encryption locally?
No, the only way is using a self-signed certificate.
I encountered a similar problem…
But does a self-signed certificate allow you to use DoT or DoH locally?
I'm trying to connect to DoH through the Brave built-in option (Use secure DNS) and connect to DoT through the Android built-in DoT client.
None of these options work.
Self-signed certificate was generated by this command:

```sh
# bash process substitution feeds openssl a config whose subjectAltName
# must match the name clients will use to reach the server
openssl req -x509 -out service_local.crt -keyout service_local.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=service.local' -extensions EXT -config <( \
  printf "[dn]\nCN=service.local\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:service.local\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
```

service.local - my local domain
How could I use the address of where the Adguard home server is installed with DoT?
For example: tls://127.0.0.1 or 127.0.0.1:853
Is it possible?
I would not like to use external services.