TuxInvader / nginx-dns

Sample Configuration for DNS over HTTPS (DoH/DoT gateway) and GSLB with NGINX
BSD 2-Clause "Simplified" License

Not routing DNS-UDP queries to DNS over TLS server. #7

Open ethicalmohit opened 3 years ago

ethicalmohit commented 3 years ago

I am trying to accept DNS queries on Nginx listening on a UDP port and use Nginx as a gateway to get a response from the public DNS resolver on its TLS port, i.e. 8.8.8.8:853.

Configuration:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
error_log /var/log/nginx/error.log info;
events {
    worker_connections 768;
    # multi_accept on;
}

stream {

    # DoT upstream pool
    upstream dot {
        zone dot 64k;
        server 8.8.8.8:853;
    }
    # DNS server for upstream encryption
    server {
        listen 53;
        proxy_ssl on;
        proxy_pass dot;
        proxy_responses 1;
        proxy_timeout 1s;
    }
    server {
        listen 53 udp;
        proxy_ssl on;
        proxy_pass dot;
    }
}

It is working when I try to get a response with kdig over TCP.

kdig @0.0.0.0 facebook.com A +tcp +short
157.240.13.35

But with UDP, it is timing out.

kdig @0.0.0.0 facebook.com A +notcp
;; WARNING: response timeout for 0.0.0.0@53(UDP)

Nginx Status:

tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      3225669/nginx: mast
udp        0      0 0.0.0.0:53              0.0.0.0:*                           3225669/nginx: mast

I am not sure if it is because of the proxy_ssl on directive?

I want Nginx to listen on UDP/53 and route requests to the DNS-over-TLS server.

TuxInvader commented 3 years ago

Hi,

Unfortunately, the stream module does not support mixing UDP and TCP services, so there's no way to accept a UDP request and forward it on over TCP. If this changes in the future, then I'll update this project to include support.

Cheers
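As an added illustration (not code from this issue or from the nginx-dns project) of the transport change an L4 stream proxy cannot make: a minimal UDP/53 to DNS-over-TLS relay in Python. Besides switching from a datagram to a TLS stream, a DoT gateway has to add and strip the 2-byte length prefix that DNS over TCP/TLS requires, which a byte-for-byte proxy never does. It assumes the upstream 8.8.8.8:853 from the config above and uses dns.google as the TLS server name for certificate verification (an assumption, not stated on the page).

```python
"""Minimal UDP/53 -> DNS-over-TLS relay (added example, not part of nginx-dns).
Shows why a plain L4 proxy cannot serve this use case: it must change transport
(UDP datagram -> TLS/TCP stream) and add the 16-bit length prefix DNS over TCP needs."""
import socket
import ssl
import struct

UPSTREAM = ("8.8.8.8", 853)      # the DoT upstream from the issue's config
TLS_SERVER_NAME = "dns.google"   # assumption: name used to verify the upstream cert

def frame_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its big-endian 16-bit length (RFC 1035 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg

def unframe_tcp(buf: bytes):
    """Return (message, remaining) for one length-prefixed message; message is None while incomplete."""
    if len(buf) < 2:
        return None, buf
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        return None, buf
    return buf[2:2 + length], buf[2 + length:]

def forward_over_dot(query: bytes, timeout: float = 3.0) -> bytes:
    """Send one UDP-sourced DNS query over a verified TLS connection and return the answer."""
    ctx = ssl.create_default_context()   # verifies the upstream certificate
    with socket.create_connection(UPSTREAM, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=TLS_SERVER_NAME) as tls:
            tls.sendall(frame_tcp(query))
            buf = b""
            while True:                  # TCP is a stream: read until one full message arrives
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("upstream closed before a full response")
                buf += chunk
                msg, _ = unframe_tcp(buf)
                if msg is not None:
                    return msg

def serve_udp(bind=("0.0.0.0", 53)) -> None:
    """Accept UDP queries and relay each one over DoT (blocking, one query at a time)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(bind)
        while True:
            query, client = udp.recvfrom(4096)
            udp.sendto(forward_over_dot(query), client)
```

Run `serve_udp()` as root (or with a high port) to relay; a production gateway would also have to respect the client's UDP buffer size and set the TC bit on answers that do not fit, which this sketch omits.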