Support for DoT (DNS-over-tls)

guyds

According to this thread DoT support was added in v1.2.0 of the AdGuard package (with Cloudron 6.2).

The Cloudron package documentation however still mentions that DoT is "not yet supported"

Therefore I decided to just try it out and after some fiddling with OpenWRT and stubby in particular I was able to get DoT working.

So I guess Cloudron's AdGuard documentation can use some extra love regarding DNS configuration

girish

@guyds good catch, indeed DoT is supported for a while now. I use it everyday on Android. Fixed - https://docs.cloudron.io/apps/adguard-home/#dot .

guyds

@girish thanks for updating the docs.

On my Android phone (Android 10) I can't get it working for the moment, I get "unable to connect".
But it's definitely an issue on my end since I have it working on my router.
Anyway, it's not a big deal since my phone is behind my router most of the time.

ei8fdb

@girish said in Support for DoT (DNS-over-tls):

indeed DoT is supported for a while now. I use it everyday on Android.

@girish Do you have any advice on setting this up on Android devices? I've been trying but no luck yet. Thanks.

panthrosrevenge

@ei8fdb In the latest release of Android there is an option to specify a private DNS resolver. If your device does not have that option available, the Adguard app acts as a VPN and can provide secure DNS lookups

ei8fdb

@panthrosrevenge said in Support for DoT (DNS-over-tls):

In the latest release of Android there is an option to specify a private DNS resolver.

There is an option but when I try the domain name of my adguard server it won't accept it. Neither the IP I am trying.

If your device does not have that option available, the Adguard app acts as a VPN and can provide secure DNS lookups

I use Firefox which doesn't seem to be supported by the app yet.

panthrosrevenge

@ei8fdb Firefox does take some extra configuration. You have to install a CA cert into the android store via the Adguard app, enable secret options on Firefox app (go to about Firefox and tap logo 5 times), enable use of third party certificates.

For DoT on the Adguard Home side check encryption settings to configure domain names and certificates.

girish

@ei8fdb said in Support for DoT (DNS-over-tls):

@girish Do you have any advice on setting this up on Android devices? I've been trying but no luck yet. Thanks.

So, all I had to do was Settings -> Network & Internet -> Advanced -> Private DNS. There in the'Private DNS provider hostname, I just enter my AdGuard installation hostname like adguard.domain.com . That's pretty much it. Note that you cannot put an IP address here since Android requires the cert name and the hostname to match.

For the above to work:

• In Cloudron dashboard -> Adguard -> Location section. Do you see DNS over TLS (DoT) Port enabled ?

  

• If you are on a home sever, the firewall needs to port forward the above port (853 by default) to the Cloudron VM.

DanTheMan

@girish Thanks Girish for your clear explanation.
One question from my side.
Do you restrict source ip addresses to port:853 in your firewall, from the outside in? Or do you restrict ip addresses in AdGuard?
For security reasons......

Also does port:53 have to opened up as well in the firewall for this to work? Or only port:853?

girish

@DanTheMan said in Support for DoT (DNS-over-tls):

Do you restrict source ip addresses to port:853 in your firewall, from the outside in? Or do you restrict ip addresses in AdGuard?

It's best to restrict source IP in the firewall, if this is possible in your situation. To keep the IP range flexible, you can geo lock the IP range to your region. This does still make it slightly vulnerable. My router (synology) supports geolocking built-in.

For security reasons......
Also does port:53 have to opened up as well in the firewall for this to work? Or only port:853?

Only port 853 is needed.

Port 53 is needed if you use it as a DNS server, which AFAIK Android does not support setting anymore!.

ei8fdb

@girish said in Support for DoT (DNS-over-tls):

If you are on a home sever, the firewall needs to port forward the above port (853 by default) to the Cloudron VM.

Aha! This is probably the reason it's not working. I wasn't aware of that setting. But now I do see it (and its enabled).

I'll forward that port in my firewall. Thanks @girish

khadanja

@girish I'm having the same issue. My Cloudron instance is in the cloud. How to forward port 853 or open?
Also I see this in AdGuard Encryption settings and logs below.

Jul 06 15:37:48 2022/07/06 03:37:48.610611 [error] handling tcp: reading msg: reading len: remote error: tls: unknown certificate authority

girish

@khadanja said in Support for DoT (DNS-over-tls):

@girish I'm having the same issue. My Cloudron instance is in the cloud. How to forward port 853 or open?

This is automatically opened on the server itself. Do you have a Cloud firewall or some security group in front of the server?

It seems the cert is self-signed, are your certs OK on the browser?

khadanja

@girish @girish Issue was DNS proxy option enabled in Cloudflare. Works if I set it to DNS only. Is there any way of making it work with proxy option enabled? I can access the admin interface with Cloudflare proxy enabled but Private DNS doesn’t work on devices.

girish

@khadanja It won't work with cloudflare proxying since cloudflare only proxies http and https.

khadanja

@girish Thanks As a workaround using DoH works with proxy enabled on Android rising Intra app and on iPhone using config profile but looks like Private DNS only supports tls.

khadanja

@girish OpenVPN also doesn’t work with proxying. At the moment I have only AdGuard and OpenVPN installed and DNS server in OpenVPN is set to adguard’s private IP. Works without Cloudflare proxying but issues with proxy turned on.

girish

@khadanja Indeed, OpenVPN uses a custom port and does not run over http(s)