Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- knb:dohdot_en [2024/12/28 18:18] – Replace defunkt dns leak test site with dnsleaktest.com dasskelett
+++ knb:dohdot_en [2025/09/08 01:41] (aktuell) – t0biii
@@ Zeile 1: / Zeile 1: @@
 {{htmlmetatags>metatag-robots=(index,follow)}}
-====== DNS-over-HTTPS and DNS-over-TLS support ======
+====== DNS-over-HTTPS/-TLS/-QUIC-Support ======
 {{:ffmuc_logo.png?nolink&150|Bild: Freifunk München Logo}} \\
-\\
-Sep 16, 2019
 ===== Background  Informations =====
 Surely you've heard of the topic that is currently haunting [[https://www.golem.de/news/wegen-cloudflare-openbsd-deaktiviert-doh-im-firefox-browser-1909-143884.html|IT-News]]. Mozilla will integrate in Firefox [[https://cloudflare.com/|Cloudflare]] as DoH-Server and activate it by default. In itself, it's not a bad idea to encrypt DNS queries so that they can't be read in open networks (like Freifunk). However, it is a thorn in the side of many users and us to use a provider from America by default.
-That's why we have set up a DoH/DoT server for you, which you can for example directly add to Firefox, use via App or combine with another DNS server.
+That's why we have set up a DoH/DoT/DoQ server for you, which you can for example directly add to Firefox, use via App or combine with another DNS server.
 We also registered on the page of the [[https://dnscrypt.info/public-servers/|DNSCrypt-Project]], so that we are automatically added in apps like [[https://apps.apple.com/de/app/dnscloak-secure-dns-client/id1452162351|DNSCloak]] (iOS) or [[https://github.com/DNSCrypt/dnscrypt-proxy|dnscrypt-proxy]].
-Addresses:
+===== Addresses & Protocols =====
-  * ''doh.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255 IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::''
+Our DNS servers are available both as "normal" [[knb:dns|DNS servers]] (for simple, unencrypted DNS over UDP/TCP), as well as via the following protocols:
-  * ''dot.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255 IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::''
+  * DNS over TLS
+  * DNS over HTTPS
+  * DNS over HTTP/3
+  * DNS over QUIC
+For configuration, please use the following addresses & domains:
+  * ''doh.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255  IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::''
+  * ''dot.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255  IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::''
   * https://doh.ffmuc.net/dns-query
 ===== Firefox =====
@@ Zeile 68: / Zeile 73: @@
         forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net
 </code>
+===== AVM Fritz!Box =====
+Since Fritz!OS 7.20, it has been possible to configure DoT servers directly in the Fritz!Box.
+Go to Internet -> Account Information -> DNS-Server. At the bottom field, enter dot.ffmuc.net as the hostname:
+{{ :knb:fritzbox_dot_settings_en.png?direct&800 |DoT-Settings in FritzBox}}
+In the Online Monitor, you can now see that the following entries also appear under "DNS servers used":
+:678:e68:f000:: (DoT-encrypted)
+:678:ed0:f000:: (DoT-encrypted)
+.1.66.255 (DoT-encrypted)
+.150.99.255 (DoT-encrypted)
+For one of the four, it also says "currently used for standard queries – DoT-encrypted".
+If that is the case, everything is set up correctly.
+===== Mikrotik / RouterOS =====
+The main problem here is that the devices do not trust the FFMuc Let’s Encrypt certificate by default.
+Therefore, we first need to configure the regular DNS, download and install the certificate, and only then can we configure DoH:
+<code>
+/ip dns set servers=5.1.66.255,185.150.99.255
+/tool fetch url=https://letsencrypt.org/certs/isrgrootx1.pem
+/certificate import file-name=isrgrootx1.pem passphrase=""
+/ip dns set servers=5.1.66.255,185.150.99.255 use-doh-server=https://doh.ffmuc.net/dns-query verify-doh-cert=yes
+</code>
+(The command line instructions are given here. In the GUI, the hierarchy is identical, meaning instead of "/ip dns set" you select the menu item "ip", then the submenu "dns", and set the corresponding values there.)
 ===== DNS leak-Test =====