Support for DoT (DNS-over-tls)
-
@ei8fdb said in Support for DoT (DNS-over-tls):
@girish Do you have any advice on setting this up on Android devices? I've been trying but no luck yet. Thanks.
So, all I had to do was Settings -> Network & Internet -> Advanced -> Private DNS. There in the
'Private DNS provider hostname
, I just enter my AdGuard installation hostname likeadguard.domain.com
. That's pretty much it. Note that you cannot put an IP address here since Android requires the cert name and the hostname to match.For the above to work:
-
In Cloudron dashboard -> Adguard -> Location section. Do you see
DNS over TLS (DoT) Port
enabled ? -
If you are on a home sever, the firewall needs to port forward the above port (853 by default) to the Cloudron VM.
-
-
@girish Thanks Girish for your clear explanation.
One question from my side.
Do you restrict source ip addresses to port:853 in your firewall, from the outside in? Or do you restrict ip addresses in AdGuard?
For security reasons......Also does port:53 have to opened up as well in the firewall for this to work? Or only port:853?
-
@DanTheMan said in Support for DoT (DNS-over-tls):
Do you restrict source ip addresses to port:853 in your firewall, from the outside in? Or do you restrict ip addresses in AdGuard?
It's best to restrict source IP in the firewall, if this is possible in your situation. To keep the IP range flexible, you can geo lock the IP range to your region. This does still make it slightly vulnerable. My router (synology) supports geolocking built-in.
For security reasons......
Also does port:53 have to opened up as well in the firewall for this to work? Or only port:853?Only port 853 is needed.
Port 53 is needed if you use it as a DNS server, which AFAIK Android does not support setting anymore!.
-
@girish said in Support for DoT (DNS-over-tls):
If you are on a home sever, the firewall needs to port forward the above port (853 by default) to the Cloudron VM.
Aha! This is probably the reason it's not working. I wasn't aware of that setting. But now I do see it (and its enabled).
I'll forward that port in my firewall. Thanks @girish
-
@girish I'm having the same issue. My Cloudron instance is in the cloud. How to forward port 853 or open?
Also I see this in AdGuard Encryption settings and logs below.
Jul 06 15:37:48 2022/07/06 03:37:48.610611 [error] handling tcp: reading msg: reading len: remote error: tls: unknown certificate authority -
@khadanja said in Support for DoT (DNS-over-tls):
@girish I'm having the same issue. My Cloudron instance is in the cloud. How to forward port 853 or open?
This is automatically opened on the server itself. Do you have a Cloud firewall or some security group in front of the server?
It seems the cert is self-signed, are your certs OK on the browser?
-