New Member
Posts: 4
Registered: 11-16-2016
Kudos: 1085

Countering plaintext DNS with 1.1.1.1

Hi all,

Cloudflare just today openly published their DNS resolvers, using the magic IPs 1.1.1.1 and 1.0.0.1:

https://blog.cloudflare.com/announcing-1111/

https://blog.cloudflare.com/dns-resolver-1-1-1-1/

This is not only great because they have a decent policy of not storing or selling user data, a global multicast network with presence in >150 data centers, and are among the very few entities to already support TLS 1.3. They also support encrypted DNS queries using DNS-over-TLS as well as DNS-over-HTTPS. Both are great, because your ISP today can do basically the same thing as your DNS resolver: collect & sell all the websites everyone visits.

However, so far only Google has been able to encrypt their DNS traffic, using Android and/or Chrome. To counter this, I added two feature requests to support encrypted DNS queries to protect entire networks without having to wait for OS vendors to implement this - it would be great if you could upvote either of them, or both (since they use two different mechanisms):

https://community.ubnt.com/t5/UniFi-Feature-Requests/Support-DNS-over-TLS/idi-p/2300760

https://community.ubnt.com/t5/UniFi-Feature-Requests/Support-DNS-over-HTTPS/idi-p/2300758

New Member
Posts: 6
Registered: 04-29-2014
Kudos: 2

Re: Countering plaintext DNS with 1.1.1.1

There are the beginnings of a how-to here to get this working:

https://bendews.com/posts/implement-dns-over-https/

I took that and got things working by doing the following:

- build MIPS version of cloudflared, I used docker:

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=mips golang bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared; GOOS=linux GOARCH=mips go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared"

- copy the MIPS cloudflared into /config/scripts/ on USG
- make sure it's executable: chmod +x /config/scripts/cloudflared
- create a startup script in /config/scripts/post-config.d, mine looks like:

================== cloudflare-dns.sh =======================

#!/bin/bash

# start DNS proxy to Cloudflare: stop any instance left from a previous run,
# then listen on localhost port 5053 and forward queries over DNS-over-HTTPS
/usr/bin/pkill cloudflared
nohup /config/scripts/cloudflared --no-autoupdate --proxy-dns --proxy-dns-port 5053 &>/var/log/cloudflared.log &

- make sure startup script is executable: chmod +x /config/scripts/post-config.d/cloudflare-dns.sh
- add a custom config.gateway.json file on your controller so DNS config carries over on provisioning, here is what the relevant section of mine is:
============================== config.gateway.json =================

{
  "service": {
    "dns": {
      "forwarding": {
        "options": [
          "no-resolv",
          "strict-order",
          "server=127.0.0.1#5053",
          "server=1.1.1.1",
          "server=1.0.0.1",
          "domain=my.domain.com,192.168.1.0/24,local"
        ]
      }
    }
  }
}


- make sure the domain name in the file is the same as the one in Settings -> Network -> edit -> Domain Name, and the IP range matches as well.
- force a reprovision of your USG and reboot it to make sure everything starts up correctly

Few random notes:
- supposedly everything in /config/scripts survives a firmware upgrade so that's why I picked that location
- scripts in /config/scripts/post-config.d seem to run on boot
- since you're using no-resolv, resolv.conf won't be read at all, so you need to manually set domain name for short names to work
- I added direct connections to cloudflare's DNS servers as 2nd and 3rd, but use strict-order so they will only be used if there is a problem with the DoH proxy
- the log file flag to cloudflared doesn't seem to work when using it for dns-proxy so need to use redirect to capture log info
- haven't done anything about log rotation yet, but cloudflared doesn't seem too chatty
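An added check for the config.gateway.json forwarding block above (my own example, not code from the post, cloudflared or Ubiquiti): it verifies the proxy-first, strict-order, no-resolv and domain/subnet settings the steps depend on, and lists the upstreams that dnsmasq would reach in plaintext if cloudflared is down, since strict-order makes that fallback silent. It assumes the CIDR form of the domain= option shown in the post.

```python
import ipaddress
import json

# Constructed sample: the forwarding block from the post, embedded so this runs offline.
SAMPLE_CONFIG = json.loads("""
{
  "service": {"dns": {"forwarding": {"options": [
    "no-resolv",
    "strict-order",
    "server=127.0.0.1#5053",
    "server=1.1.1.1",
    "server=1.0.0.1",
    "domain=my.domain.com,192.168.1.0/24,local"
  ]}}}
}
""")

DOH_PROXY = "127.0.0.1#5053"  # where the post's cloudflared --proxy-dns listens


def forwarding_options(config):
    """Extract the dnsmasq option list from a parsed config.gateway.json."""
    return config["service"]["dns"]["forwarding"]["options"]


def plaintext_fallbacks(options):
    """Upstreams other than the local DoH proxy; queries to these go out in clear."""
    servers = [o[len("server="):] for o in options if o.startswith("server=")]
    return [s for s in servers if s != DOH_PROXY]


def check_forwarding(options, expected_domain, expected_subnet):
    """Return a list of problems; empty means dnsmasq will prefer the DoH proxy."""
    problems = []
    servers = [o[len("server="):] for o in options if o.startswith("server=")]
    if "no-resolv" not in options:
        problems.append("no-resolv missing: upstreams from resolv.conf would also be queried")
    if not servers or servers[0] != DOH_PROXY:
        problems.append(f"first server must be the DoH proxy {DOH_PROXY}")
    if plaintext_fallbacks(options) and "strict-order" not in options:
        problems.append("plaintext fallbacks listed without strict-order: dnsmasq may use them freely")
    # domain=<name>,<cidr>,local as in the post; the CIDR form is assumed here
    domains = [o[len("domain="):].split(",") for o in options if o.startswith("domain=")]
    if not domains:
        problems.append("domain= missing: short names will not resolve with no-resolv")
    for parts in domains:
        if parts[0] != expected_domain:
            problems.append(f"domain {parts[0]} does not match controller domain {expected_domain}")
        if len(parts) > 1 and ipaddress.ip_network(parts[1]) != ipaddress.ip_network(expected_subnet):
            problems.append(f"subnet {parts[1]} does not match the LAN {expected_subnet}")
    return problems
```

Run it against the file you push to the controller before reprovisioning; any non-empty result means the USG will not resolve the way the steps intend.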