AdguardTeam / dnsproxy

Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support
Apache License 2.0
2.47k stars 249 forks source link

Fallback-servers with DoH/DoT? #250

Closed iJorgen closed 2 years ago

iJorgen commented 2 years ago

Is it possible to setup DoH or DoT on the fallback-servers or only unencrypted queries is possible?

ameshkov commented 2 years ago

Hi! Any type of resolver may be a fallback

iJorgen commented 2 years ago

I found in the code that it is possible, but you need to specify the DoH/DoT servers by using IP (since DNS-resolution don't work) so it won't work for me since I need to specify a custom URL for DoH/DoT including my configuration-id.

Will go with unencrypted DNS for my fallback-server, since it's the last chance to get an answer when upstream-servers fails.

ameshkov commented 2 years ago

Could it be that you mean bootstrap servers and not fallback servers?

iJorgen commented 2 years ago

Aaah, you are correct. It was under "Bootstrap" I read that. :-)

// Validate the bootstrap resolver. It must be either a plain DNS resolver. // Or a DoT/DoH resolver with an IP address (not a hostname).

Do fallback servers use the Bootstrap servers to resolve, if all upstream-servers are failing? I mean if I specified "tls://dns.adguard-dns.com" under fallback and all upstream-servers are down. How does it resolve "dns.adguard-dns.com" then?!

samlux04 commented 2 years ago

Aaah, you are correct. It was under "Bootstrap" I read that. :-)

// Validate the bootstrap resolver. It must be either a plain DNS resolver. // Or a DoT/DoH resolver with an IP address (not a hostname).

Do fallback servers use the Bootstrap servers to resolve, if all upstream-servers are failing? I mean if I specified "tls://dns.adguard-dns.com" under fallback and all upstream-servers are down. How does it resolve "dns.adguard-dns.com" then?!

Bootstrap always used to resolve all DNS host in upstream and fallback. Just to get an IP for DNS to connect to. All client request will use upstream or fallback. There will be a time when ttl expire for the upstream and fallback hostname. It will use bootstrap again to get the new IP.

bootstrap:
  - "tls://1.0.0.1"
  - "https://1.1.1.1/dns-query"
  - "https://8.8.8.8/dns-query"
upstream:
  - "tls://dns.adguard.com"
  - "quic://dns.nextdns.io"
fallback:
  - "tls://doh.tiar.app"
  - "https://1.1.1.1/dns-query' # just in case when other down

If you use adguard it has an anycast address. You can just use it so it don't need bootstrap.

upstream:
  - "quic://94.140.14.14"
  - "tls://94.140.15.15"
  - "https://94.140.15.15/dns-query"
iJorgen commented 2 years ago

Bootstrap always used to resolve all DNS host in upstream and fallback. Just to get an IP for DNS to connect to. All client request will use upstream or fallback. There will be a time when ttl expire for the upstream and fallback hostname. It will use bootstrap again to get the new IP.

Thanks a lot for your explanation and samples!! Now it begins to fall in place how bootstrap, fallback and upstream works together.

iJorgen commented 2 years ago

I just figured out why I experienced issues using Bootstrap-servers over DoH/DoT. When I tested my config and started DNSproxy from CLI it worked every time, but not during a reboot. The reason was my specified time-servers (pool.ntp.org and time.cloudflare.com) in the router needs DNS to resolve, but to resolve over DoH/DoT the router must have the correct time. Moment 22...

Now I specified a few NTP-servers using their IP-address and it boots perfect each time. Maybe not "best practice" to use specified IP-addresses, but I can live with that to get more secure DNS...