YunoHost-Apps / adguardhome_ynh

AdGuard Home package for YunoHost: Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0
15 stars 15 forks

DNS-over-TLS port not available #101

Open mgdx opened 1 year ago

mgdx commented 1 year ago

Describe the bug

DNS-over-TLS doesn't work at all. The default port (853) is not open.

Context

After trying several times to connect my Android phone directly to my AdGuard server, unsuccessfully, I tried to look at port 853. The port is not available.

Steps to reproduce

I try to use it with my android phone.

  1. Go to 'Settings'
  2. Click on 'Network and internet'
  3. and click on 'Private DNS'
  4. Put the domain name of the adguard server.

After that, a pop-up will be displayed explaining that the network connection is down or the server is not reachable.

jazzsnobeatcake commented 1 year ago

@securegh

Android's private DNS feature uses DNS over TLS, not HTTPS. The configuration dialog doesn't even accept forward slashes.

tibs245 commented 1 year ago

Hi there,

I have the same problem. It's because Adguard is not configured with TLS enabled.

When I try to configure it I have 2 problems:

To solve this, I added a new configuration to my NGINX:

In /etc/nginx/conf.d/subdomain.yourdomainname.tld.d/adguard_tls_proxy.dnsconf I added

stream {
    # DoT server for decryption: terminate TLS on 853 and hand the plain DNS
    # stream to the local AdGuard listener on 53
    server {
        listen 853 ssl;
        # reuse the certificate YunoHost already manages (and renews) for the subdomain
        ssl_certificate /etc/yunohost/certs/subdomain.yourdomainname.tld/crt.pem;
        ssl_certificate_key /etc/yunohost/certs/subdomain.yourdomainname.tld/key.pem;

        # $server_addr is the address the client connected to, so the decrypted
        # query goes to AdGuard's plain DNS port on the same interface
        proxy_pass $server_addr:53;

    }
}

And in /etc/nginx/nginx.conf:

include /etc/nginx/conf.d/subdomain.yourdomainname.tld.d/adguard_tls_proxy.dnsconf;

After that you need to reload or restart nginx: service nginx restart

With this configuration your DNS-over-TLS should work, and the SSL certificate is not changed, so it keeps the same security level and autorenews.

I hope this helps you.

I will try to include this in the package, but I don't know how to edit the nginx configuration following YunoHost good practice.

Good day
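To check that a port-853 listener such as the nginx stream proxy above really serves DNS-over-TLS (RFC 7858: DNS messages in the 2-byte-length TCP framing, carried inside a verified TLS session), here is a small client. This is an added example, not code from the issue, from the package or from AdGuard Home; it assumes nothing about the server except RFC 7858, and the server name and the 93.184.216.34 sample answer used in the test are constructed placeholders. A refused connection reproduces the symptom reported in this issue (nothing listening on 853); a certificate that does not match the domain surfaces as an ssl verification error, which is what the Android client also requires.

```python
"""Minimal DNS-over-TLS (RFC 7858) client to verify a port-853 listener.

Added example; not part of the original issue or the adguardhome_ynh package.
Assumes only RFC 7858: a TLS listener on 853 carrying DNS messages with the
2-byte big-endian length prefix used by DNS over TCP.
"""
import random
import socket
import ssl
import struct
import sys


def build_query(name, qtype=1, txid=None):
    """Build a recursion-desired DNS query (QCLASS IN) in wire format."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DNS over TCP/TLS framing: prefix each message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, expected_txid):
    """Parse a DNS response; return its rcode and any A-record addresses."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "answers": addrs}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf


def dot_query(server, name, port=853, timeout=5.0):
    """Resolve `name` over DoT at `server`, verifying the certificate for `server`.

    ConnectionRefusedError means nothing listens on the port (this issue's bug);
    ssl.SSLCertVerificationError means the cert does not match the domain.
    """
    ctx = ssl.create_default_context()       # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = random.randrange(0, 0x10000)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(name, txid=txid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: dot_check.py <dot-server-domain> [name-to-resolve]")
    target = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(dot_query(sys.argv[1], target))
```

Run it against the subdomain that carries the certificate, not a bare IP, so hostname verification exercises the same path the phone does. Note that when the proxy approach is used, the answer still comes back fine, but AdGuard itself only ever sees the proxy's address as the client, which is the logging limitation a later comment in this thread describes.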

eldertek commented 1 year ago

Please make this a PR, because it's really needed by Android.

mh4ckt3mh4ckt1c4s commented 1 year ago

Hi there, I'm also interested in this feature and I'm willing to contribute to find a way to allow out-of-the-box use of DNS over TLS.

@tibs245: the solution you offered works and is nice to use with the existing adguard packaging. However, I do not think it is the best way to add TLS support to the app: imo it is more of a bypass, using nginx to listen on the DoT port and forward it to the local adguard DNS listener. Doing so breaks some things in the AdGuard WebUI, such as the display of the protocol used and the origin of the request in the logs.

The "good" way to do it would be to use the AdGuard configuration directly and let AdGuard do the job. I identified several things to address: