trinib / AdGuard-WireGuard-Unbound-DNScrypt

Linux ultimate self-hosted network security guide
MIT License

Raspberry Pi OS doesn't seem to adhere to DoH but clients do? #28

Closed eltonajmenezes closed 2 years ago

eltonajmenezes commented 2 years ago

Operating System

32-bit

Project

Cloudflare

Platform

Linux

Browser

Chrome

Issue

Not working, Other (explain in description)

Issue Description

My Raspberry Pi, when testing via 1.1.1.1/help, seems to not show that DoH is working. Only DoT indicates that it is working. But all my client devices are able to correctly show it. I even checked the service on the Raspberry Pi and it is running.

[screenshot: image (43)]

This is on my RPI

[screenshot: image (44)]

I have followed these articles https://github.com/trinib/AdGuard-WireG ... TTPS-proxy https://github.com/trinib/AdGuard-WireG ... d-with-doh

To reiterate : All my devices that are on my LAN are able to get the DoH and DoT working.

It's only when I test it on the RPI that runs it and only for DoH that I see this happening.

welcome[bot] commented 2 years ago

Thanks for opening your first issue here 🙋🕵️

trinib commented 2 years ago

@eltonajmenezes It would not show.
Explanation:

Cloudflared tunnel daemon creates outbound-only connections to Cloudflare's edge. This daemon sits between the Cloudflare network and your origin. Cloudflare attracts client requests and sends them to you via the daemon (the service).

DNS resolving software like unbound / bind / stubby / powerdns etc. automatically advertises itself as the DNS server on Linux using port 53. They provide a combination of a lightweight resolver library that can be run on DNS clients, such as host operating systems or routers, and a resolver daemon process which can run on a local host.

To get DoH (native), there are ways with dnscrypt or dnsmasq, for example. You will need to do some tweaking to get unbound to work with it, both using port 53. There are maybe other ways as well.

eltonajmenezes commented 2 years ago

Thank you @trinib for this explanation. Do you have any articles that you can send my way so that I can achieve this? The main reason why I am asking is when I am out of my home network I want to VPN into my network and achieve the security I setup.

trinib commented 2 years ago

> Thank you @trinib for this explanation. Do you have any articles that you can send my way so that I can achieve this? The main reason why I am asking is when I am out of my home network I want to VPN into my network and achieve the security I setup.

Correct me if I'm wrong: do you want the server side (Pi/Linux) to have DNS security as the client side does?

If so, that can be tricky with one of the two sides communicating with ports for traffic, requests etc. I don't think I saw a specific guide for that anywhere, I could be wrong.

trinib commented 2 years ago

@eltonajmenezes I think if you want a Linux system that is self-hosting some type of management server (if that is your case), it makes more sense to have a second Linux system as a VPN server and the other connected as a client that is hosting something like yunohost, home assistant etc...

eltonajmenezes commented 2 years ago

> > Thank you @trinib for this explanation. Do you have any articles that you can send my way so that I can achieve this? The main reason why I am asking is when I am out of my home network I want to VPN into my network and achieve the security I setup.
>
> Correct me if I'm wrong: do you want the server side (Pi/Linux) to have DNS security as the client side does?
>
> If so, that can be tricky with one of the two sides communicating with ports for traffic, requests etc. I don't think I saw a specific guide for that anywhere, I could be wrong.

@trinib Yes I would like the server side to have security.

As it stands if I connect to my server via a VPN and do a 1.1.1.1/help test then I see DoT is marked Yes!

I would like to have DoH as well.

And unfortunately I don't have any other system(s) I can use.

I have setup my RPI with AdGuard by following your perfect instructions.

But would really like to have the ability to securely route my traffic when I am outside as I do from home.

Hope this makes my ask/query a bit clearer.

trinib commented 2 years ago

@eltonajmenezes Ohhh, I now get what you're thinking. You want DoH to show on the server side of things for WireGuard. No! That is not how it works. WireGuard uses an encrypted tunnel between two devices that has its own IP and DNS security protocols. Running a DoH tunnel or resolver, and DoT services, on Linux has NOTHING to do with a WireGuard connection accessing DoH/DoT security from outside.

You get DoH and DoT security with the VPN by adding it through its DNS SERVERS, which I stated in the guide might not make much difference when using them together (it's optional). WireGuard is good enough for encrypting data from hackers that are using some sort of network sniffing tool or man-in-the-middle attack. DoH/DoT is more for privacy, security and speed on your home network when browsing websites mostly, and can also block phishing websites.

> But would really like to have the ability to securely route my traffic when I am outside as I do from home.

And do not worry, your traffic is secure using with or without Unbound or Cloudflare DNS servers alongside it.

eltonajmenezes commented 2 years ago

> @eltonajmenezes Ohhh, I now get what you're thinking. You want DoH to show on the server side of things for WireGuard. No! That is not how it works. WireGuard uses an encrypted tunnel between two devices that has its own IP and DNS security protocols. Running a DoH tunnel or resolver, and DoT services, on Linux has NOTHING to do with a WireGuard connection accessing DoH/DoT security from outside.
>
> You get DoH and DoT security with the VPN by adding it through its DNS SERVERS, which I stated in the guide might not make much difference when using them together (it's optional). WireGuard is good enough for encrypting data from hackers that are using some sort of network sniffing tool or man-in-the-middle attack. DoH/DoT is more for privacy, security and speed on your home network when browsing websites mostly, and can also block phishing websites.
>
> > But would really like to have the ability to securely route my traffic when I am outside as I do from home.
>
> And do not worry, your traffic is secure using with or without Unbound or Cloudflare DNS servers alongside it.

Thanks for this clarification. Though I read in quite a few places that in some instances you would want to funnel outside traffic into your home network. That's why I was hoping I could have DoH enabled as well so the device would always be subjected to the same thing e.g. AdGuard, unbound etc.

trinib commented 2 years ago

> That's why I was hoping I could have DoH enabled as well so the device would always be subjected to the same thing e.g. AdGuard, unbound etc.

If you want it like that, maybe I can try to get it to work. I'll find some guide for now to share; maybe you can get it to work.

trinib commented 2 years ago

Ok, I think I might have a way to do what you want. First, I think there is no way that you can get DoH and DoT to show on the server side, because these resolving DNS tools all need port 53 to listen openly on systems, firewalls, and clients to transmit DNS queries. What you need is to get a DoH client (native) for Linux.

DNSCrypt is a protocol that encrypts, authenticates and optionally anonymizes communications between a DNS client and a DNS resolver. It can forward queries (like stubby) from a local DNS cache. It needs to listen on a different port from the default 53, because the DNS cache used with Unbound needs to listen on 53.

Here is a guide from archlinux : https://wiki.archlinux.org/title/Dnscrypt-proxy#Local_DNS_cache_configuration (use service method to change ports)
and configure unbound : https://wiki.archlinux.org/title/Dnscrypt-proxy#Unbound zero


Just know, what you want to accomplish here only makes sense if you are actually home physically, browsing websites on the Linux server system.

> Thanks for this clarification. Though I read in quite a few places that in some instances you would want to funnel outside traffic into your home network

I think your whole point of view on this is that you think you are actually home, using a device locally on your network with outside traffic around it. Understand that WireGuard just routes to your home network using an encrypted tunnel, as a result making your devices on public networks seem like they're home, but actually NOT. That is one of the main concepts and features of a VPN (virtual private network), like the paid ones that change to different country locations (for restrictions) when you are actually not there.

I hope you understand now: DNS security tools on Linux have nothing to do with protecting traffic data from outside to home with the WireGuard tunnel. The DoH/DoT applies only when you add it to the WireGuard DNS servers. That client (device) is still in the WireGuard tunnel network with all DNS security, regardless of Cloudflare 1.1.1.1 on the Linux server side showing DoH: yes.
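The point made above, that a roaming WireGuard client only gets the home DNS stack if the tunnel configuration hands it that resolver, as an added example (this is not a config from the guide or from either participant). Assumed values: 10.8.0.1 is the Pi's address inside the WireGuard network and AdGuard Home listens on it; the keys, endpoint and client address are placeholders.

```ini
# Added example, not from the trinib guide. Assumptions: 10.8.0.1 is the Pi's
# WireGuard-side address with AdGuard listening on it; keys and endpoint are
# placeholders.

# Weak client config: no DNS line. The device keeps whatever resolver the
# public Wi-Fi assigned (often a private address that is not even reachable
# through the tunnel), so lookups never reach AdGuard/Unbound at home and none
# of the home filtering or encrypted upstreams apply to them.
[Interface]
PrivateKey = <client private key>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server public key>
Endpoint = home.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0

# Corrected client config: DNS names the home resolver inside the tunnel, and
# AllowedIPs 0.0.0.0/0 routes every packet, including UDP/53 to 10.8.0.1, into
# the tunnel. The client now uses the same AdGuard -> (Unbound / DoH / DoT)
# path it would use on the LAN.
[Interface]
PrivateKey = <client private key>
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = <server public key>
Endpoint = home.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

A quick check after connecting is to run the 1.1.1.1/help page on the roaming device: it should then report the same DoH/DoT state as a device on the LAN, because the query is answered by the same AdGuard instance.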

eltonajmenezes commented 2 years ago

Thank you for this information @trinib

So I read this statement

> Just know, what you want to accomplish here only makes sense if you are actually home physically, browsing websites on the Linux server system.

I want to also have the DNScrypt to be encrypting traffic of my LAN network through AdGuard. Can this be done and if so how? (I have seen many articles of AdGuard and DNS crypt but I am unsure which is the one I should be using)

Is this a replacement of cloudflared DoH?

trinib commented 2 years ago

Yes, you can add it to AdGuard; it will be 127.0.2.1:53000.

> Is this a replacement of cloudflared DoH?

Cloudflare tunneling and resolving are not the same, so you can have it installed with dnscrypt.

trinib commented 2 years ago

Also keep in mind that devices connected to AdGuard using Cloudflare and dnscrypt, both using DNS over HTTPS and querying traffic, can have complications. Use one or the other if I were you.

eltonajmenezes commented 2 years ago

> Yes, you can add it to AdGuard; it will be 127.0.2.1:53000.
>
> > Is this a replacement of cloudflared DoH?
>
> Cloudflare tunneling and resolving are not the same, so you can have it installed with dnscrypt.

@trinib I have seen this article

https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux

I guess this is similar to what you mentioned right? I.E. installing it locally for the Linux system?

https://wiki.archlinux.org/title/Dnscrypt-proxy#Unbound

And I found these articles

https://blog.cloudflare.com/deploying-gateway-using-a-raspberry-pi-dns-over-https-and-pi-hole/

https://github.com/AdguardTeam/AdGuardHome/wiki/DNSCrypt

https://dev.to/cipherops/using-dnscrypt-with-adguard-home-pi-hole-7j6

In short:

What I would like to do is to have DoH on the Linux system but also have it so that I have DoH for clients working with AdGuard the way that cloudflared DoH is working now. And finally uninstall cloudflared DoH because it also throws errors.

Would you be able to clarify how to get this setup? The way you have nicely outlined in your main article? I'm quite new to this. So I don't want to mess up the setup

trinib commented 2 years ago

You can't, because of port 53 being needed for DNS resolvers. They cannot all work on the same port to resolve on 1.1.1.1.

eltonajmenezes commented 2 years ago

> You can't, because of port 53 being needed for DNS resolvers. They cannot all work on the same port to resolve on 1.1.1.1.

@trinib

So how does DoT show them on the client and server side?

And if it's one or the other can you tell me how to properly setup for the client side the way cloudflare for AdGuard is setup now? as that is more important than having the system be DoH only

trinib commented 2 years ago

> > You can't, because of port 53 being needed for DNS resolvers. They cannot all work on the same port to resolve on 1.1.1.1.
>
> @trinib
>
> So how does DoT show them on the client and server side?
>
> And if it's one or the other can you tell me how to properly setup for the client side the way cloudflare for AdGuard is setup now? as that is more important than having the system be DoH only

I guess you did not read the FAQ.

AdGuard Home is basically a DNS proxy

trinib commented 2 years ago

> So how does DoT show them on the client and server side?

Because port 53 is the reserved DNS port that listens openly on systems, firewalls, and clients to transmit DNS queries.
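The two things this thread keeps circling back to are (a) that AdGuard, Unbound, cloudflared and dnscrypt-proxy cannot all bind port 53, which is why dnscrypt-proxy is moved to 127.0.2.1:53000, and (b) that the 1.1.1.1/help result depends on which local daemon a given host's stub resolver talks to and what that daemon uses to leave the box. The following is an added example, not code from the guide or from either participant: it models a daemon layout as data, flags listener collisions (including the wildcard case where 0.0.0.0:53 takes the port on every local address), and traces a host's resolver chain to the egress transport. Every address, port and service name is a constructed sample except the 127.0.2.1:53000 value quoted from the thread; the layout in which the Pi's own resolv.conf points at Unbound (DoT) while LAN clients go through AdGuard and cloudflared (DoH) is an assumption chosen to reproduce the "DoT: Yes, DoH: No on the Pi" symptom.

```python
"""Added example, not from the trinib guide or from this issue thread.
Models the DNS daemon layout as data so two questions can be answered offline:
  1. do two daemons try to bind the same address/port (the "port 53" problem)?
  2. which transport does a host's query use when it leaves the box? That egress
     hop is what 1.1.1.1/help reports, so a host whose stub resolver bypasses
     AdGuard can see "DoT: Yes, DoH: No" while LAN clients see DoH.
All values are constructed samples except dnscrypt-proxy on 127.0.2.1:53000."""
from ipaddress import ip_address

WILDCARDS = {"0.0.0.0", "::"}
ENCRYPTED = {"doh", "dot", "dnscrypt"}


def parse_listener(spec):
    """'127.0.2.1:53000' -> ('127.0.2.1', 53000); '[::1]:53' -> ('::1', 53)."""
    host, _, port = spec.rpartition(":")
    host = host.strip("[]")
    ip_address(host)                 # raises ValueError on a malformed address
    return host, int(port)


def binds_overlap(a, b):
    """(host, port) binds overlap when ports match and hosts are equal or either
    is a wildcard: 0.0.0.0:53 takes port 53 on every local address."""
    (host_a, port_a), (host_b, port_b) = a, b
    return port_a == port_b and (
        host_a == host_b or host_a in WILDCARDS or host_b in WILDCARDS)


def find_conflicts(listeners):
    """listeners: {service: [listen spec, ...]} -> sorted [(port, svc_a, svc_b)]."""
    binds = [(svc, parse_listener(s)) for svc, specs in listeners.items() for s in specs]
    conflicts = set()
    for i, (svc_a, bind_a) in enumerate(binds):
        for svc_b, bind_b in binds[i + 1:]:
            if svc_a != svc_b and binds_overlap(bind_a, bind_b):
                conflicts.add((bind_a[1], *sorted((svc_a, svc_b))))
    return sorted(conflicts)


def owner_of(host, port, listeners):
    """Which local daemon answers on host:port, or None if the address is off-box."""
    for svc, specs in listeners.items():
        if any(binds_overlap((host, port), parse_listener(s)) for s in specs):
            return svc
    return None


def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf-style text, in order."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver")]


def resolution_path(nameserver, listeners, upstreams):
    """Follow a query from the stub resolver's nameserver through local daemons
    until it leaves the host. upstreams: {service: (transport, next_hop_spec)}.
    Returns [(service, transport to its upstream), ...]; last entry is egress."""
    host, port, hops, seen = nameserver, 53, [], set()   # resolv.conf has no port
    while (svc := owner_of(host, port, listeners)) is not None:
        if svc in seen:
            raise RuntimeError(f"forwarding loop at {svc}")
        seen.add(svc)
        transport, next_hop = upstreams[svc]
        hops.append((svc, transport))
        host, port = parse_listener(next_hop)
    return hops


def egress_transport(nameserver, listeners, upstreams):
    """Transport of the hop that leaves the box, or 'none' if nothing local answers."""
    hops = resolution_path(nameserver, listeners, upstreams)
    return hops[-1][1] if hops else "none"


# Constructed layout reproducing the symptom: LAN clients use AdGuard
# (-> cloudflared -> DoH), while the Pi's own /etc/resolv.conf points at Unbound
# on loopback, which forwards over DoT. Hence DoT: Yes, DoH: No on the Pi.
LISTENERS = {
    "adguardhome": ["192.168.1.2:53"],
    "unbound": ["127.0.0.1:53"],
    "cloudflared": ["127.0.0.1:5053"],
}
UPSTREAMS = {
    "adguardhome": ("udp", "127.0.0.1:5053"),   # plain DNS, but loopback only
    "cloudflared": ("doh", "1.1.1.1:443"),
    "unbound": ("dot", "1.1.1.1:853"),
}
PI_RESOLV_CONF = "# constructed sample\nnameserver 127.0.0.1\n"
CLIENT_RESOLV_CONF = "nameserver 192.168.1.2\n"


def with_dnscrypt(listen_spec):
    """The thread's suggestion: add dnscrypt-proxy on listen_spec and point AdGuard
    at it. Returns (bind conflicts, egress transport seen by a LAN client)."""
    listeners = {**LISTENERS, "dnscrypt-proxy": [listen_spec]}
    upstreams = {**UPSTREAMS, "adguardhome": ("udp", listen_spec),
                 "dnscrypt-proxy": ("dnscrypt", "203.0.113.10:443")}  # sample resolver
    conflicts = find_conflicts(listeners)
    if conflicts:
        return conflicts, "none"      # two daemons on one port: one will not start
    return conflicts, egress_transport("192.168.1.2", listeners, upstreams)


if __name__ == "__main__":
    for name, conf in (("pi", PI_RESOLV_CONF), ("lan client", CLIENT_RESOLV_CONF)):
        ns = parse_resolv_conf(conf)[0]
        print(name, resolution_path(ns, LISTENERS, UPSTREAMS),
              "egress:", egress_transport(ns, LISTENERS, UPSTREAMS))
    print("dnscrypt on 127.0.0.1:53    ->", with_dnscrypt("127.0.0.1:53"))
    print("dnscrypt on 127.0.2.1:53000 ->", with_dnscrypt("127.0.2.1:53000"))
```

On a live box the `LISTENERS` table is what `ss -lnup` / `ss -lntp` show for the DNS daemons, and the nameserver comes from `/etc/resolv.conf`; feeding those into the functions above tells you, before restarting anything, whether a new listener will collide with port 53 and which encrypted hop, if any, a given host's queries actually take.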

eltonajmenezes commented 2 years ago

> > > You can't, because of port 53 being needed for DNS resolvers. They cannot all work on the same port to resolve on 1.1.1.1.
> >
> > @trinib
> >
> > So how does DoT show them on the client and server side?
> >
> > And if it's one or the other can you tell me how to properly setup for the client side the way cloudflare for AdGuard is setup now? as that is more important than having the system be DoH only
>
> I guess you did not read the FAQ.
>
> AdGuard Home is basically a DNS proxy

Forgive me for asking again. I did read that FAQ, but the manner in which you have shown the setup for cloudflare with AdGuard to get DoH; is there a procedure I need to follow to get DNSCRYPT with DoH on AdGuard?

Because I'm sorry but I am quite confused about how to go about this.

trinib commented 2 years ago

You already asked that: https://github.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/issues/28#issuecomment-1115733792 .. There are a lot of different ways to achieve this DNS security and it can be confusing for someone new to it. You need to utilize Google search, read documents, test and trial like I did. Asking people all the time eliminates your skills in problem solving, trust me. Sometimes think like no one understands it and you're the only one learning it. It's a confident learning strategy I made for myself 😎

eltonajmenezes commented 2 years ago

> You already asked that: https://github.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/issues/28#issuecomment-1115733792 .. There are a lot of different ways to achieve this DNS security and it can be confusing for someone new to it. You need to utilize Google search, read documents, test and trial like I did. Asking people all the time eliminates your skills in problem solving, trust me. Sometimes think like no one understands it and you're the only one learning it. It's a confident learning strategy I made for myself 😎

@trinib I understand what you mean very clearly. Could you at least guide me on which articles from the ones I found are correct for DoH on AdGuard via DNSCRYPT? Because there are quite a few I found that I listed or is what you suggested the way I can get the DoH for clients?