trinib / AdGuard-WireGuard-Unbound-DNScrypt

Linux ultimate self-hosted network security guide ║ Linux 终极自托管网络安全指南 ║ Guía definitiva de seguridad de red autohospedada de Linux ║ लिनक्स परम स्व-होस्टेड नेटवर्क सुरक्षा गाइड ║ Окончательное руководство по безопасности собственной сети Linux
MIT License
772 stars 60 forks

DoT not working properly #80

Open aberthil opened 1 month ago

aberthil commented 1 month ago

Operating System: Raspberry Pi

Architecture: 64-bit

Platform: Linux

Project: Stubby

Browser: Firefox

Issue: Not working

Issue Description

I have DoH working but not DoT see picture

[Screenshot 2024-10-06 at 3:02:45 PM]

I have configured unbound and stubby as described in your detailed process, but no luck there. If I look at the unbound log, I get:

    alexis@raspberrypi:~ $ sudo tail -f /var/log/dnscrypt-proxy/query.log
    [2024-10-06 15:04:44] 127.0.0.1 105.152.8.17.in-addr.arpa PTR NXDOMAIN 22ms cloudflare
    [2024-10-06 15:04:45] 127.0.0.1 ocsp.digicert.com HTTPS PASS 18ms cloudflare
    [2024-10-06 15:04:45] 127.0.0.1 ocsp.digicert.com A PASS 21ms cloudflare
    [2024-10-06 15:04:45] 127.0.0.1 fp2e7a.wpc.phicdn.net HTTPS PASS 17ms cloudflare
    [2024-10-06 15:04:45] 127.0.0.1 108.211.229.192.in-addr.arpa PTR NXDOMAIN 15ms cloudflare
    [2024-10-06 15:04:55] 127.0.0.1 googlehosted.l.googleusercontent.com A PASS 20ms cloudflare
    [2024-10-06 15:04:55] 127.0.0.1 apidata.googleusercontent.com HTTPS PASS 54ms cloudflare
    [2024-10-06 15:04:55] 127.0.0.1 apidata.googleusercontent.com A PASS 53ms cloudflare
    [2024-10-06 15:04:55] 127.0.0.1 edge.gycpi.b.yahoodns.net A PASS 56ms cloudflare
    [2024-10-06 15:04:55] 127.0.0.1 8.88.147.69.in-addr.arpa PTR PASS 45ms cloudflare
    [2024-10-06 15:04:55] 127.0.0.1 googlehosted.l.googleusercontent.com HTTPS PASS 46ms cloudflare
    [2024-10-06 15:04:55] 127.0.0.1 129.189.250.142.in-addr.arpa PTR PASS 42ms cloudflare
    [2024-10-06 15:04:55] 127.0.0.1 97.164.217.172.in-addr.arpa PTR PASS 17ms cloudflare
    ^C
    alexis@raspberrypi:~ $ sudo tail -f /var/log/unbound.log
    [1728251326] unbound[837136:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.
    [1728251326] unbound[837136:0] info: start of service (unbound 1.17.1).
    [1728251340] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
    [1728251340] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
    [1728251343] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
    [1728251343] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
    [1728252285] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
    [1728252285] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
    [1728252285] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
    [1728252285] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)

What do you suggest to do to fix the issue and get DoT to work?

In AdGuard, I have set up the DNS as: 127.0.0.1:53 127.0.0.1:5333 127.0.0.1:8053 127.0.0.1:5053
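A triage script for the handshake errors in the paste above, added here as an example (it is not part of the issue or of the trinib guide). It counts Unbound's `ssl handshake failed` lines from log text shaped like the paste, and then does on its own what Unbound is failing to do: a verified TLS session to the DoT upstream with one DNS query sent over it, so the failure can be reproduced outside Unbound. The upstream 1.1.1.1:853 and the authentication name cloudflare-dns.com are assumptions, not values taken from the thread.

```python
# Added example (not from the issue or the trinib guide): triage Unbound's
# "ssl handshake failed" lines, then probe the DoT upstream directly with the
# same authentication name Unbound would use, so a failing handshake can be
# reproduced outside Unbound. Assumptions (hypothetical): upstream 1.1.1.1:853,
# auth name cloudflare-dns.com, log lines shaped like the ones in the issue.
import re
import socket
import ssl
import struct

UNBOUND_LINE = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] (\w+): (.*)$")

# Constructed sample in the shape of the lines pasted in the issue.
SAMPLE_UNBOUND_LOG = """\
[1728251326] unbound[837136:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.
[1728251326] unbound[837136:0] info: start of service (unbound 1.17.1).
[1728251340] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
[1728251340] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
[1728251343] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
[1728252285] unbound[837136:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
"""


def parse_unbound_log(text):
    """Return [(epoch, level, message)] for every well-formed log line."""
    rows = []
    for line in text.splitlines():
        m = UNBOUND_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def summarize_tls_failures(text):
    """Count handshake failures and note whether OpenSSL recorded any reason.
    lib(0)::reason(0) means the OpenSSL error queue was empty: no alert and no
    certificate-verification reason was logged, so the cause has to be found
    by probing the upstream directly (see probe_dot)."""
    fails = [(t, msg) for t, lvl, msg in parse_unbound_log(text)
             if lvl == "error" and msg.startswith("ssl handshake failed")]
    if not fails:
        return {"count": 0}
    return {
        "count": len(fails),
        "first": fails[0][0],
        "last": fails[-1][0],
        "no_openssl_reason": all("lib(0)::reason(0)" in m for _, m in fails),
    }


def build_dns_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: header (RD set, one question), QNAME, QTYPE, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def frame_tcp(msg):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack(">H", len(msg)) + msg


def parse_rcode(resp):
    """RCODE is the low 4 bits of the second flags byte; 0 = NOERROR, 3 = NXDOMAIN."""
    return resp[3] & 0x0F


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TLS session mid-message")
        buf += chunk
    return buf


def probe_dot(host, port, auth_name, qname="example.com", timeout=5.0):
    """Open a verified TLS 1.2+ session to the DoT upstream, using auth_name
    as SNI and for certificate name checking, send one query and return
    (tls_version, cipher, rcode). Needs network; not exercised by the tests."""
    ctx = ssl.create_default_context()       # system CA bundle, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_tcp(build_dns_query(qname)))
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
            return tls.version(), tls.cipher()[0], parse_rcode(resp)


if __name__ == "__main__":
    print(summarize_tls_failures(SAMPLE_UNBOUND_LOG))
    try:
        print(probe_dot("1.1.1.1", 853, "cloudflare-dns.com"))
    except (OSError, ssl.SSLError) as exc:
        # A failure here reproduces Unbound's problem outside Unbound:
        # wrong port, blocked 853/tcp, or a name that does not match the cert.
        print("DoT probe failed:", exc)
```

Run it on the Pi itself. If the probe fails with a certificate or name error, the forward address, port 853 and the authentication name Unbound is configured with should be compared against what the probe used; if the probe connects cleanly and returns RCODE 0, the fault is inside Unbound's own TLS configuration (for example the CA bundle it verifies against) rather than in the network path.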

aberthil commented 1 month ago
[Screenshot 2024-10-06 at 3:07:06 PM] [Screenshot 2024-10-06 at 3:09:56 PM]
aberthil commented 1 month ago

Found the issue, you can close this one, by the way, if we want to add Using DNS over WARP, any recommendations?

trinib commented 1 month ago

> Found the issue, you can close this one, by the way, if we want to add Using DNS over WARP, any recommendations?

Ok. WARP is like a VPN. Here is a guide. Let me know if it works 🙏 I'll add it to the guide.

Cloudflare WARP Installation Guide for Linux

This guide provides detailed instructions on how to install Cloudflare WARP on Linux. Cloudflare WARP is a service that improves internet privacy, security, and performance by routing traffic through Cloudflare's global network.

Installation

Follow the steps below to install Cloudflare WARP on your Linux machine.

Step 1: Add Cloudflare WARP Repository

For Debian/Ubuntu-based systems:

  1. Open a terminal and update your system:

    sudo apt update && sudo apt upgrade
  2. Add the Cloudflare GPG key:

    sudo apt install curl gpg
    # Cloudflare publishes an ASCII-armoured key; dearmor it into the keyring apt is told to trust
    curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
  3. Add the Cloudflare WARP repository:

    echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
  4. Update the package list and install Cloudflare WARP:

    sudo apt update
    sudo apt install cloudflare-warp

For Fedora-based systems:

  1. Add the Cloudflare WARP repository and install the client:
    sudo dnf config-manager --add-repo https://pkg.cloudflareclient.com/cloudflare-warp.repo
    sudo dnf install cloudflare-warp

Step 2: Register and Activate WARP

  1. Register Cloudflare WARP:

    sudo warp-cli register
  2. Connect to Cloudflare WARP:

    sudo warp-cli connect
  3. (Optional) Set WARP to always start on boot:

    sudo warp-cli enable-always-on

Step 3: Verify WARP Status

To check the status of WARP and ensure it is working correctly:


    warp-cli status
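A stronger check than "Status update: Connected" for Step 3, added here as an example (not part of the guide or the issue): it confirms from two independent signals that this host's traffic, DNS included, actually leaves through WARP. The first is Cloudflare's https://www.cloudflare.com/cdn-cgi/trace endpoint, whose `warp=` field reads `on` (or `plus`) only when the request arrived over the WARP tunnel; the second is the kernel route to a public address, which should go out the `CloudflareWARP` tun interface the Linux client creates. The interface name and the sample outputs below are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the issue or the trinib guide: after "warp-cli
# connect", verify that this host's traffic (including DNS) really leaves via
# WARP instead of trusting the "Connected" status line. Two signals:
#   1. https://www.cloudflare.com/cdn-cgi/trace reports warp=on (or plus) when
#      the request arrived over the WARP tunnel, warp=off otherwise;
#   2. the route to a public address uses the CloudflareWARP interface (the
#      tun device the Linux client creates; name assumed here).
# The parsing functions are offline; live_check runs the real commands.

# warp_field TRACE_TEXT -> prints the value of the "warp=" line
warp_field() {
    printf '%s\n' "$1" | sed -n 's/^warp=//p' | head -n 1
}

# route_dev IP_ROUTE_GET_OUTPUT -> prints the interface named after "dev"
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# warp_verdict TRACE_TEXT ROUTE_TEXT -> exit 0 if both signals say WARP,
# otherwise print why and exit 1
warp_verdict() {
    warp=$(warp_field "$1")
    dev=$(route_dev "$2")
    case "$warp" in
        on|plus) ;;
        *) echo "trace says warp=${warp:-missing}: traffic is not leaving via WARP"; return 1 ;;
    esac
    if [ "$dev" != "CloudflareWARP" ]; then
        echo "egress uses $dev, not CloudflareWARP: split tunnel or client down"
        return 1
    fi
    echo "WARP active: trace warp=$warp, egress via $dev"
}

# Live version (needs the warp client, curl, iproute2 and network access).
live_check() {
    warp-cli status || return 1
    trace=$(curl -fsS --max-time 10 https://www.cloudflare.com/cdn-cgi/trace) || return 1
    route=$(ip route get 1.1.1.1) || return 1
    warp_verdict "$trace" "$route"
}

# Constructed samples in the shape of the real outputs (not captured here).
SAMPLE_TRACE_ON='fl=123f45
h=www.cloudflare.com
ip=2a09:bac1:1234::1
ts=1728820000.123
warp=on
gateway=off'
SAMPLE_TRACE_OFF='h=www.cloudflare.com
warp=off'
SAMPLE_ROUTE_WARP='1.1.1.1 dev CloudflareWARP src 172.16.0.2 uid 1000'
SAMPLE_ROUTE_ETH='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000'
```

Source the file and call `live_check` on the Pi; a non-zero exit with the printed reason tells you which of the two signals disagrees, which is the distinction that matters when the client says it is connected but DNS is still taking the old path.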
aberthil commented 1 month ago

OK I will try it, but one more question before I start, how do I configure AdGuard Home to use it? Is there a port for the upstream DNS like in the case of the other ones: 127.0.0.1:53 127.0.0.1:5333 127.0.0.1:8053 127.0.0.1:5053

trinib commented 1 month ago

Github issues will be dead soon 😂 @aberthil use AI chats bro. Will explain any and anything 1000 times better than me or anyone. This is what I got from chatgpt.

Both WARP clients (Linux and app-based) establish their own independent, secure tunnels to Cloudflare's network. Here's a breakdown of how it works:

  1. Independent WARP Connections:

    WARP on Linux: When you install and enable WARP on a Linux machine using warp-cli, the system routes all internet traffic from that machine through Cloudflare's secure network. This helps mask your IP, encrypts your traffic, and improves performance via Cloudflare's backbone.

    WARP App on Other Devices: Similarly, when you install the WARP app on a phone or another computer, that device creates a separate encrypted tunnel to Cloudflare. It operates similarly to the Linux setup, providing privacy and routing traffic through Cloudflare.

  2. How They Work Together:

    While both the Linux WARP client and the WARP apps on other devices don't connect to each other directly, they all benefit from the same secure Cloudflare network. Each device (whether it's a Linux machine or a mobile phone running the WARP app) independently routes traffic through Cloudflare. The devices do not need to share a direct connection.

Ask AI more about these 2 methods

Method 1 - Create a Cloudflare Tunnel

Authenticate with Cloudflare

You need to create a Cloudflare Tunnel and authenticate it with your Cloudflare account.

Run the following command to log in and authenticate cloudflared with your Cloudflare account:


    cloudflared tunnel login

This will open a URL in your browser for Cloudflare authentication. Select your domain (if you're hosting your services under a domain).

2.2 Create the Tunnel

Next, create a new tunnel:

    cloudflared tunnel create <TUNNEL_NAME>

Replace <TUNNEL_NAME> with a name of your choice for the tunnel.

2.3 Configure the Tunnel to Run on a Specific Port

To make the tunnel accessible, configure it to route traffic to a specific service or port:

    cloudflared tunnel route dns <TUNNEL_NAME> <DOMAIN>

For example, if you want to route DNS traffic, it could look like this:

    cloudflared tunnel route dns mytunnel example.com

Method 2 - Cloudflare Zero Trust Account

Step 1: Create a Cloudflare Zero Trust Account

Go to the Cloudflare Zero Trust dashboard and create an account (if you don't have one). Once you're logged in, follow the instructions to set up Cloudflare for Teams for your network.

Step 2: Set Up a Private Network in Cloudflare Zero Trust

In the Zero Trust dashboard, go to Access > Tunnels. Set up a private network and configure the network you want to tunnel through Cloudflare's network using WireGuard. Install the Cloudflare Tunnel daemon (cloudflared) on the server or network you want to secure. Configure your private network and make it available via the tunnel.

Step 3: Generate WireGuard Configuration

Go to Settings > Network. Find the WireGuard configuration section and generate a WireGuard configuration file. Download the configuration file to use with your WireGuard client.

aberthil commented 1 month ago

Understood, this basically says that all traffic out will be sent over the VPN, which can be an issue if the server hosts other services, right? In that case, the best would be to have a dedicated AdGuard server with the VPN; now it has pros and cons, the main pro is obviously the fact that it is the most secure way to achieve DNS….

Now, still one last question, what do you put as upstream DNS then, just 1.1.1.1, 1.0.0.1?

Thank you

trinib commented 1 month ago

I don't know what setup you have. You just adding cloudflare public dns to adguard ?

aberthil commented 1 month ago

I followed all your instructions so indeed I have: 127.0.0.1:53 127.0.0.1:5333 127.0.0.1:8053 127.0.0.1:5053

And in the config files used the Cloudflare DNS


aberthil commented 4 weeks ago

OK I did try a few things here to see if I could make it work…

First, I installed it following these: https://pkg.cloudflareclient.com/ Then I installed the tunnel, connected, and checked the status:

    $ warp-cli status
    Status update: Connected

I then checked the settings:

    $ warp-cli settings
    Merged configuration:
      (derived) Always On: true
      (default) Switch Locked: false
      (user set) Mode: Warp
      (not set) WARP tunnel protocol: WireGuard
      (default) Disabled for Wifi: false
      (default) Disabled for Ethernet: false
      (not set) Resolve via: cloudflare-dns.com @ [162.159.36.1, 2606:4700:4700::1111]
      (not set) qlog logging: Disabled
      (default) Onboarding: true
      (api defaults) Exclude mode, with hosts/ips:
        10.0.0.0/8
        100.64.0.0/10
        169.254.0.0/16
        172.16.0.0/12
        192.0.0.0/24
        192.168.0.0/16
        224.0.0.0/24
        240.0.0.0/4
        239.255.255.250/32
        255.255.255.255/32
        fe80::/10
        fd00::/8
        ff01::/16
        ff02::/16
        ff03::/16
        ff04::/16
        ff05::/16
        fc00::/7
        17.249.0.0/16
        17.252.0.0/16
        17.57.144.0/22
        17.188.128.0/18
        17.188.20.0/23
        2620:149:a44::/48
        2403:300:a42::/48
        2403:300:a51::/48
        2a01:b740:a42::/48
      (default) Fallback domains: intranet internal private localdomain domain lan home host corp local localhost home.arpa invalid test
      (not set) Daemon Teams Auth: false
      (default) Disable Auto Fallback: false
      (not set) Allow Updates: true

So it is all up and running, however I cannot seem to get a connection to the Cloudflare DNS tunnel…

So the question is what needs to be configured so that the DNS requests go over the tunnel; what do I need to configure either locally on the Raspberry Pi or on AdGuard to get the DNS traffic to use the tunnel which is up and running here….

Alexis
