This tutorial shows you how to configure your own DNS via an HTTPS (DoH) to Ubuntu converter with a DNS dist, so that your DNS queries are encrypted and protected from prying eyes.
What is DNS over HTTPS and why is it important?
The Domain Name System (DNS) is responsible for converting domain names into IP addresses. It was designed in 1987 without taking into account security or confidentiality. DNS queries are not encrypted by default. They are sent to the telegram in plain text and can be used by the agents. For example, the Great Wall of China (GFW) uses a technique called DNS cache poison to censor the Chinese Internet. (They also use other methods not covered by this Article).
GFW checks every DNS request sent to a DNS server outside China. Since normal text-based DNS is based on UDP, which is a connectionless protocol, the GFW can spoof both the IP client and the IP server. When the GFW finds a domain name in its block list, it changes the DNS response. For example, if a Chinese Internet user wants to visit google.com, GFW will redirect the user’s DNS resolver to the IP address located in China instead of Google’s actual IP address. The DNS resolver then sends the spoofed IP address back to the user’s computer so that the user cannot visit google.com.
HTTPS is a standard method for encrypting HTTP plain text web pages. If you use DNS over HTTPS (DoH), your DNS queries are encrypted so that third parties cannot see them.
Why use a separate resolver?
There are already some public DNS resolvers, such as 1.1.1 and 9.9.9, that support DNS over HTTPS, so you can use them if you don’t have the skills or time to manage your own system. As of version 61 of Firefox, you can enable DNS over HTTPS in your browser settings, which is a big step forward for security and privacy on the Internet. Firefox uses the default Cloudflare resolver (1.1.1). However, some people claim that this allows Cloudflare to collect information about Firefox users. They seem to trust their supplier more than Cloudflare. But I think if you’re paranoid about privacy, you should run your own DoH solver so that neither Cloudflare nor your ISP can spy on you.
DoH vs. DoT
In addition to DNS over HTTPS, there is another protocol that focuses on encrypting DNS queries. This is called DNS over TLS (DoT). Previously I wrote a manual about the use of DNS by TLS on the Ubuntu desktop, but now I switch to DNS by HTTPS.
For people in despotic countries with strict Internet censorship, such as China, it is more cost effective to use the Ministry of Health as the Ministry of Commerce. Indeed, DoT works on TCP port 853, which can easily be blocked by the national firewall. DoH runs on TCP port 443, the default port for HTTPS sites. This makes DoH super difficult to block, because if TCP port 443 is blocked, almost all HTTPS sites will be blocked as well. My DoH resolver runs on a VPS (Virtual Private Server) outside of China, and the Grand Firewall cannot intercept my DNS queries. I can even hide the IP address of my DoH resolver behind the CDN (Content Delivery Network) of Cloudflare.
Another advantage of the Ministry of Health is that web applications can access DNS information via the APIs of existing browsers, so no backend resolver is needed.
Ministry of Health Support for Primary DNS– Resellers
Actually, I prefer to run the DoH resolver with a DNSdist who has added DoH support in version 1.4.0. The latest current version 1.5. It has an official warehouse for Debian, Raspbian, Ubuntu and CentOS. The DNSdist is a DNS load balancer that can forward DNS requests to the DNS resolver of the backend. No matter which DNS resolver you use, with DNSdist you can manage your own DoH server. The DNSdist is developed by the PowerDNS command.
Requirements
It is assumed that a DNS resolver is running on your Ubuntu server. You can use any DNS resolver (BIND, Node resolver, Unbound…) I personally use BIND.
Once your DNS resolver is ready to use, follow the instructions below.
Step 1: Installation of DNSdist on a Ubuntu server
It is recommended to install DNSdist on Ubuntu from the upstream repository to have the latest stable version. You must first create a source list file for the DNSdist.
Ubuntu 20.04
echo deb [arch=amd64] http://repo.powerdns.com/ubuntu focal-dnsdist-15 main | sudo tee /etc/apt/sources.list.d/pdns.list
Ubuntu 18.04
echo deb [arch=amd64] http://repo.powerdns.com/ubuntu bionic-dnsdist-15 main | sudo tee /etc/apt/sources.list.d/pdns.list
Ubuntu 16.04
echo deb [arch=amd64] http://repo.powerdns.com/ubuntu xenial-dnsdist-15 main | sudo tee /etc/apt/sources.list.d/pdns.list
We then create a preference file for the DNSdist to link the package, so that we don’t accidentally install the DNSdist from another repository.
sudo nano /etc/apt/preferences.d/dnsdist
Add the following lines to the folder.
Packaging: dnsdist*
Pin : Origin repo.powerdns.com
pin priority : 600
Save the file and close it. Then run the following command to import the public key of PowerDNS so that the APT package manager can check the compatibility of the software packages downloaded from this repository
https://repo.powerdns.com/FD380FBB-pub.asc | add sudo apt-key –
Then update the storage list and install DNSdist.
sudo apt update
sudo apt install dnsdist
By default DNSdist tries to bind to port 53. Since you have an existing DNS resolver like BIND listening on port 53, the dnsdist.service will not start.
Since we only install a DoH resolver and don’t care about DNS load balancing, we can configure DNSdist to listen on another port. Edit the DNSdist configuration file.
sudo nano /etc/dnsdist/dnsdist.conf
This file has no content. In the meantime, simply add the following line to this file to make DNSdist listen on TCP and UDP port 5353 and not on port 53.
setLocal(127.0.0.1:5353)
Save the file and close it. Then restart DNSdist.
sudo systemctl dnsdist Herstarting
Check his condition.
systematic review of the status quo
It must be active (in operation).
Step 2: Installing the Encryption Client (Certbot) on Ubuntu Server
DNS over HTTPS requires the installation of server-side TLS certificates. We obtain and install the certificate and then encrypt it. The advantage of using the Let’s Encrypt certificate is that it is free, easy to configure and trusted by client programs.
Run the following commands to install the Let’s Encrypt (certbot) client from the default Ubuntu repository.
install sudo apt certbot
To check the version number, do the following
certbottic version
Taking samples:
certbot 0,40,0
Step 3: Obtain a trusted TLS certificate withencryption .
I recommend using a standalone plugin or webroot to get the TLS certificate for dnsdist.
Stand-alone module
If you don’t have a web server on the Ubuntu server, you can use a stand-alone plugin to get a TLS certificate from Let’s Encrypt. Create a DNS-A record for the subdomain (doh.example.com) and then execute the following command
sudo certbot certonly –standalone — challenges http –agree-tos –email [email protected] -d doh.example.com
True:
As you can see on the following screenshot, I have successfully received the certificate.
Using the webroot plugin
If your Ubuntu server has a web server that listens on ports 80 and 443, it is advisable to use the Webroot plugin to get the certificate because the Webroot plugin works with almost all web servers and we don’t need to install the certificate on the web server.
You must first create a virtual host for doh.example.com.
Apache
If you’re using Apache, then
sudo nano /etc/apache2/sites-available/doh.example.com.conf
And add the following lines to the file.
Server name doh.example.com
Reload document /var/wwwww/nsdist.
Save the file and close it. Then create a root folder.
mkdir ship /var/www/nsdist
Install www-data (Apache user) as owner of the web root.
sudo chown www-data:www-data /var/www/dnsdist -R
Activate this virtual host.
sudo a2ensite doh.example.com
Restart Apache to put the changes into effect.
sudo systemctl restart apache2
Once you have created and enabled the virtual host, run the following command to obtain the Let’s encryption with the Webroot plugin certificate
sudo certbot certonly –webroot –agree-tos –email [email protected] -d doh.example.com -w /var/www/dnsdist
Nginh
If you’re using Nginx.
sudo nano /etc/nginx/conf.d/doh.example.com.conf
Add the following lines to the folder.
server {
listen 80 ;
server_name doh.example.com ;
root /var/www/nsdist/ ;
Location ~ /.known/acme-challenge {
allows everything;
}
}
Save the file and close it. Then create a root folder.
µdir ship -p /var/www/nsdist
Install www-data (Nginx user) as owner of the web root.
sudo chown www-data:www-data /var/www/dnsdist -R
Restart Nginx to make the changes take effect.
sudo systemctl restart nginx
Once you have created and enabled the virtual host, run the following command to obtain the Let’s encryption with the Webroot plugin certificate
sudo certbot certonly –webroot –agree-tos –email [email protected] -d doh.example.com -w /var/www/dnsdist
Step 4: Engage Ministry of Health in DNSdist
Edit the DNSdist configuration file.
sudo nano /etc/dnsdist/dnsdist.conf
Add the following lines to the folder.
— Allow requests from all IP addresses
addACL (‘0.0.0.0/0’)
— Add a DoH resolver that listens on port 443 of all
addDOHLocal(0.0.0).0:443, /etc/letsencrypt/live/doh.example.com/fullchain.pem, /etc/letsencrypt/live/doh.example.com/privkey.pem, { / }, { doTCP=correct, reusePort=correct, tcpFastOpenSize=0 }).
— the following resolver
newServer ({Address=127.0.0.1:53,qps=5, Name=Resolver1})
Save the file and close it. DNSdist runs as user _dnsdist, so we must allow user _dnsdist to read the TLS certificate with the following commands.
sudo apt set acl
sudo setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/
Then check the syntax of the configuration file.
sudo dnsdist –check-configure
If the syntax is correct, restart DNSdist.
sudo systemctl dnsdist Herstarting
Note that the DNSdist will not restart if the web server is listening on TCP port 443. You can temporarily stop the web server. At the end of this article I will explain how the web server and DNSdist can use TCP port 443 at the same time.
Step 5: Setting the DoH in the Firefox web browser
Go to Settings -> General and scroll down to configure the network settings. Enable DNS via HTTPS and install your own DoH resolver.
We can then refine the Ministry of Health configuration by going to the about:config tab in Firefox.
Network.trr.mode
The default setting for network.trr.mode in Firefox is 2, i.e. if the DoH query fails, Firefox forwards the DNS query to the host system. I still want to use the DoH resolver, so change the network.trr.mode to 3 so that the host resolver is not used. This way, we can easily check whether your DoH dissolver works.
network.trr.allow-rfc1918
By default, this value is set to false, i.e. if the DNS response contains private IP addresses, it will be considered a false response and will not be used. If you use the answer policy field in BIND, if you have multiple host names that refer to private IP addresses, set this value to true.
network.trr.bootstrapaddress
Firefox must find the IP address of the Ministry of Health in order to send DNS queries. You can enter the IP address in this field to delete this first request.
Test
Now enter the domain name, for example linuxbabe.com, in the address bar of Firefox. If the website loads normally, it’s a good sign that the resolver is working in your Ministry of Health. Then go to the terminal console of your DNS server and check the DNS request logs. I use BIND, so I type the following command to check the DNS request log
Ubuntu 20.04
sudo journalctl -eu name
Ubuntu 18.04
sudo journalctl -eu bind9
As you can see in the BIND protocol below, Firefox has requested the following areas.
The query protocol above tells me that my DNS-on-HTTPS resolver works. When I stop the BIND resolver (sudo systemctl stop), Firefox tells me it can’t find this page. And when I run BIND, the website reloads.
Simultaneous use of port 443 by DNSdist and web server
The DNS-to-HTTPS converter must be connected to port 443. If you already have an Apache/Nginx listening on port 443, DNSdist cannot bind to port 443. Normally a port can only be used by one process. However, we can use HAproxy (High Availability Proxy) and SNI (Server Name Indication) to force DNSdist and Apache/Nginx to use port 443 at the same time.
DNSdist configuration
Edit the DNSdist configuration file.
sudo nano /etc/dnsdist/dnsdist.conf
Change the interception address of the Ministry of Health to 127.0.0.1.
addDOHLocal(127.0.0.1:443, /etc/letsencrypt/live/doh.example.com/fullchain.pem, /etc/letsencrypt/live/doh.example.com/privkey.pem, { / }, { doTCP=true, reusePort=true, tcpFastOpenSize=0 }).
Save the file and close it. Then restart DNSdist.
sudo systemctl dnsdist Herstarting
Nginx configuration
If you use Nginx, change the server block file.
sudo nano /etc/nginx/conf.d/example.com.conf
Look for the following statement in the SSL server block.
Listen to 443 ssl;
Trade them in for
Listen to 127.0.0.2:443 ssl
This time we let it listen to 127.0.0.2:443 because 127.0.0.1:443 is already occupied by the DNSdist. Save the file and close it. The main file nginx configuration /etc/nginx/nginx.conf and the default server block /etc/nginx/sites-enabled/default may contain the default vhost eavesdropping at 443, so you may need to edit this file as well.
Then restart the Nginx.
sudo systemctl restart nginx
Configuring Apache
If you are using the Apache web server, edit the virtual host file.
sudo nano /etc/apache2/sites-enabled/example.com.conf
In the SSL virtual host, change
The…
This time we let it listen to 127.0.0.2:443 because 127.0.0.1:443 is already occupied by the DNSdist. Save the file and close it. Then edit the /etc/apache2/ports.conf file.
sudo nano /etc/apache2/ports.conf
Edit.
Listen to 443.
The…
Listen to 127.0.0.2:443
Save the file and close it. Restart Apache.
sudo systemctl restart apache2
HAProxy configuration
Install HAproxy now.
sudo apt install gaproxia
First HAProxy
sudo systemctl start gaproxy
Edit the configuration file.
ship nano /etc/haproxy/haproxy.cfg
If you are using Nginx, copy the following lines and paste them at the end of the file. Replace 12.34.56.78 with the public IP address of your server. Replace doh.example.com with the domain name used by DNSdist and www.example.com with the domain name used by your web server.
frontend https
bind 12.34.56.78:443
mode tcp
tcp request inspect-delay 5s
tcp request tcprequest accept content if { req_ssl_hello_type 1 }
use_backend dnsdist if { req_ssl_sni -i doh.example.com }
use_backend nginx if { req_ssl_sni -i www.example.com }
use_backend nginx if { req_ssl_sni -i example.com }
Standard dnsdist_backend
dnsdist
Backend mode tcp
Option ssl-hello-chk Server
dnsdist 127.0.0.1:443
nginx
backend mode tcp
option ssl-hello-chk
server nginx 127.0.0.2:443 check
If you are using Apache, copy and paste the following lines at the end of Replace 12.34.56.78 with the public IP address of your server. Replace doh.example.com with the domain name used by DNSdist and www.example.com with the domain name used by your web server.
frontend https
bind 12.34.56.78:443
mode tcp
tcp request inspect-delay 5s
tcp request tcprequest accept content if { req_ssl_hello_type 1 }
use_backend dnsdist if { req_ssl_sni -i doh.example.com }
use_backend apache if { req_ssl_sni -i www.example.com }
use_backend apache if { req_ssl_sni -i example.com }
Défaut dnsdist_backend
dnsdist
Backend mode tcp
Option ssl-hello-chk Server
dnsdist 127.0.0.1:443
Apache
Mode backend tcp
Option ssl-hello-chk
Serveur Apache 127.0.0.2:443 Vérifier
Enregistrez et fermez le fichier. Ensuite, redémarrez HAproxy.
yawnroxy to redress the sudoctl system
In the ci-dessus configuration, we have used the SNI (Server Name Indication) function in TLS to distinguish the VPN traffic of the HTTPS normal traffic.
You can tester this regulation with the outil openssl. Execute several of the following commands first.
echo | openssl s_client – connect votre serveur IP:443 | grep subject
We do not have a specific name of server in the ci-dessus command, so HAproxy always transmits the request to the backend by default (DNSdist) and sends its certificate to the client. Ensuite, execute the two following commands.
echo | openssl s_client -servername www.example.com -connect your-server-IP:443 | grep subject
echo | openssl s_client -server name doh.example.com – connect your server IP:443 | grep subject
We have now specified a server name in the commands so that HAproxy will send the requests according to the SNI rules we have defined.
When renewing the certificate of your site Let’s encrypt the certificate of your site, it is recommended to use the http-01 call instead of the tls-alpn-01 call, because the HAproxy on port 443 listens to the public IP address and can disrupt the renewal process.
sudo certbot renewal-prefred-challenges http-01
Packaging
I hope this tutorial has helped you configure the DNS-to-HTTPS converter from Nginx to Ubuntu. As always, if you find this message useful, subscribe to our free newsletter for more tips and tricks. Take care of yourself.
Evaluate this training manual.
On second thought: 0 Average : 0]
bash scripting tutorial pdf,bash script course free,class in bash script,bash tutorialspoint,learn bash the hard way,bash scripting examples,linux system programming youtube,bash scripting full course 3 hours,ubuntu course,how to install django in ubuntu,linux system programming examples,what is kubernetes youtube,linux tutorial w3school,linux tutorial for beginners pdf,unix tutorial pdf,unix tutorial geeksforgeeks,linux basic concepts,linux operating system for beginners,www cyberciti biz faq,nixcraft twitter,nixcraft linux,nixcraft shell scripting tutorial,nixcraft facebook,cybercity bash,ryans tutorials linux,linux line commands,mastering terminal commands,how to master linux,prompt in linux,file system navigation in linux,linux shell beginners guide,bash scripting tutorial w3schools,bash scripting cheat sheet,tldp bash beginners,bash basics,learn bash,python shell scripting tutorial