Differences

This page shows the differences between two versions of the page.

knb:dohdot_en [2022/03/01 19:43] awickert → knb:dohdot_en [2025/09/08 01:41] (current) t0biii
Zeile 1: Zeile 1:
 {{htmlmetatags>metatag-robots=(index,follow)}} {{htmlmetatags>metatag-robots=(index,follow)}}
-====== DNS-over-HTTPS and DNS-over-TLS support ======+====== DNS-over-HTTPS/-TLS/-QUIC-Support ======
 {{:ffmuc_logo.png?nolink&150|Bild: Freifunk München Logo}} \\ {{:ffmuc_logo.png?nolink&150|Bild: Freifunk München Logo}} \\
-\\ 
-Sep 16, 2019 
 ===== Background  Informations ===== ===== Background  Informations =====
 Surely you've heard of the topic that is currently haunting [[https://www.golem.de/news/wegen-cloudflare-openbsd-deaktiviert-doh-im-firefox-browser-1909-143884.html|IT-News]]. Mozilla will integrate in Firefox [[https://cloudflare.com/|Cloudflare]] as DoH-Server and activate it by default. In itself, it's not a bad idea to encrypt DNS queries so that they can't be read in open networks (like Freifunk). However, it is a thorn in the side of many users and us to use a provider from America by default. Surely you've heard of the topic that is currently haunting [[https://www.golem.de/news/wegen-cloudflare-openbsd-deaktiviert-doh-im-firefox-browser-1909-143884.html|IT-News]]. Mozilla will integrate in Firefox [[https://cloudflare.com/|Cloudflare]] as DoH-Server and activate it by default. In itself, it's not a bad idea to encrypt DNS queries so that they can't be read in open networks (like Freifunk). However, it is a thorn in the side of many users and us to use a provider from America by default.
  
-That's why we have set up a DoH/DoT server for you, which you can for example directly add to Firefox, use via App or combine with another DNS server.+That's why we have set up a DoH/DoT/DoQ server for you, which you can for example directly add to Firefox, use via App or combine with another DNS server.
  
 We also registered on the page of the [[https://dnscrypt.info/public-servers/|DNSCrypt-Project]], so that we are automatically added in apps like [[https://apps.apple.com/de/app/dnscloak-secure-dns-client/id1452162351|DNSCloak]] (iOS) or [[https://github.com/DNSCrypt/dnscrypt-proxy|dnscrypt-proxy]]. We also registered on the page of the [[https://dnscrypt.info/public-servers/|DNSCrypt-Project]], so that we are automatically added in apps like [[https://apps.apple.com/de/app/dnscloak-secure-dns-client/id1452162351|DNSCloak]] (iOS) or [[https://github.com/DNSCrypt/dnscrypt-proxy|dnscrypt-proxy]].
  
-Addresses: +===== Addresses & Protocols ===== 
-  * ''doh.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255 IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::'' +Our DNS servers are available both as "normal" [[knb:dns|DNS servers]] (for simple, unencrypted DNS over UDP/TCP), as well as via the following protocols:   
-  * ''dot.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255 IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::''+  * DNS over TLS   
 +  * DNS over HTTPS   
 +  * DNS over HTTP/  
 +  * DNS over QUIC   
 +For configuration, please use the following addresses & domains:   
 +  * ''doh.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255  IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::''   
 +  * ''dot.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255  IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::''  
   * https://doh.ffmuc.net/dns-query   * https://doh.ffmuc.net/dns-query
 +
  
 ===== Firefox ===== ===== Firefox =====
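Review bot: the new list item "DNS over HTTP/" is cut off and should name the full protocol so the list matches the "DNS over QUIC" entry below it; in the same hunk the heading and intro now promise a DoH/DoT/DoQ service, but the address list that follows only gives doh.ffmuc.net, dot.ffmuc.net and the DoH URL, so a reader cannot tell which hostname or port to use for DoQ. Suggest completing the truncated item and adding a DoQ endpoint line (or an explicit note that DoQ uses the same addresses), since the Firefox and unbound sections further down only cover DoH and DoT.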
Zeile 68: Zeile 73:
         forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net         forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net
 </code> </code>
 +
 +
 +===== AVM Fritz!Box =====
 +Since Fritz!OS 7.20, it has been possible to configure DoT servers directly in the Fritz!Box.
 +Go to Internet -> Account Information -> DNS-Server. At the bottom field, enter dot.ffmuc.net as the hostname:
 +
 +
 +{{ :knb:fritzbox_dot_settings_en.png?direct&800 |DoT-Settings in FritzBox}}
 +
 +In the Online Monitor, you can now see that the following entries also appear under "DNS servers used":
 +
 +  2001:678:e68:f000:: (DoT-encrypted)
 +  2001:678:ed0:f000:: (DoT-encrypted)
 +  5.1.66.255 (DoT-encrypted)
 +  185.150.99.255 (DoT-encrypted)
 +  
 +For one of the four, it also says "currently used for standard queries – DoT-encrypted".
 +
 +If that is the case, everything is set up correctly.
 +
 +
 +===== Mikrotik / RouterOS =====
 +
 +The main problem here is that the devices do not trust the FFMuc Let’s Encrypt certificate by default.
 +Therefore, we first need to configure the regular DNS, download and install the certificate, and only then can we configure DoH:
 +
 +<code>
 +/ip dns set servers=5.1.66.255,185.150.99.255
 +/tool fetch url=https://letsencrypt.org/certs/isrgrootx1.pem
 +/certificate import file-name=isrgrootx1.pem passphrase=""
 +/ip dns set servers=5.1.66.255,185.150.99.255 use-doh-server=https://doh.ffmuc.net/dns-query verify-doh-cert=yes
 +</code>
 +
 +(The command line instructions are given here. In the GUI, the hierarchy is identical, meaning instead of "/ip dns set" you select the menu item "ip", then the submenu "dns", and set the corresponding values there.)
 +
  
 ===== DNS leak-Test ===== ===== DNS leak-Test =====
-If everything worked out, you can do a [[http://dns-leak.com/|DNSLeak-Test]] and the result should look like this:+If everything worked out, you can do a [[https://dnsleaktest.com/|DNS leak test]] and the result should look like this: 
 + 
 +{{ :knb:dnsleaktest.png?direct&800 | Bild: Ergebnis beim Testen via dnsleaktest.com }} 
 +(It can also show a different set of IP addresses in the 5.1.66.0/24 IPv4 prefix from our other PoP in Vienna, Austria)
  
-{{ :knb:2019-09-16-doh-success.png?direct&800 |Bild: Ergebnis beim Testen via dns-leak.com}}+Additional sites: 
 +  * https://www.dnscheck.tools/ (also checks DNSSEC support of the resolver and IPv6) 
  
 ===== Statistics ===== ===== Statistics =====
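Review bot: in the RouterOS block the Let's Encrypt root (isrgrootx1.pem) is downloaded with `/tool fetch` over the plain-DNS path that was just configured and then imported without any check on the file, yet the final `verify-doh-cert=yes` makes the whole DoH trust chain rest on exactly that download. Suggest adding a step between the fetch and the import that compares the fingerprint of the fetched file against the one Let's Encrypt publishes (or importing a known-good copy instead), and saying so in the sentence above the block. Minor: the Fritz!Box and Mikrotik sections each carry a run of blank lines before the heading and around the image that can be collapsed to one.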
  • knb/dohdot_en.1646163817.txt.gz
 • Last modified: 2022/03/01 19:43
 • by awickert