DNS over HTTPS in VyOS

Categories: dns cloudflare firewall

VyOS is using PowerDNS recurser for DNS forwarding. Unfortunately it’s not possible to make encrypted DNS queries from it, so here’s a work around with cloudflared tunnel as a DNS Proxy

1. Log in to vyos as root and create a directory in /etc for cloudflared

ssh [email protected] # Change the ip to your routers ip
[email protected]:~$ conf
[email protected]# sudo -s
[email protected]# mkdir /etc/cloudflared

2. Install cloudflared

[email protected]# wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
[email protected]# dpkg -i cloudflared-linux-amd64.deb

3. Configure cloudflared

[email protected]# cloudflared tunnel login
[email protected]# cloudflared tunnel create vyos
# This will create a tunnel-id.json file with your cloudflare credentials.

echo "
tunnel: <YOUR-TUNNEL-ID>
credentials-file: /etc/cloudflared/<YOUR-TUNNEL-ID>.json

proxy-dns: true
proxy-dns-port: 53
proxy-dns-address: 127.0.0.1
proxy-dns-upstream:
 - https://cloudflare-dns.com/dns-query
 - https://security.cloudflare-dns.com/dns-query # Blocks Malware
 - https://family.cloudflare-dns.com/dns-query # Blocks Malware and Adult Content
 - https://dns.quad9.net/dns-query
 - https://dns.google/dns-query
 - https://doh.opendns.com/dns-query
 - https://doh.familyshield.opendns.com/dns-query # This is their familyshield with adult content filtering
" > /etc/cloudflared/config.yml

[email protected]# cloudflared service Install
[email protected]# systemctl enable --now cloudflared.service
You can choose the proxy-dns-upstream server of your liking. I have listed a few of the public resolvers with support for DoH (RFC 8484)

4. Configure VyOS to use the dns-proxy

[email protected]# set system name-server 127.0.0.1
[email protected]# delete system name-server x.x.x.x # This is optional and is needed if your system is already configured to use a dns resolver
[email protected]# commit
[email protected]# save

5. Verify it’s working

[email protected]# dig google.com

; <<>> DiG 9.16.27-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 444
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 91031139f2dce048 (echoed)
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		217	IN	A	142.251.9.101
google.com.		217	IN	A	142.251.9.102
google.com.		217	IN	A	142.251.9.100
google.com.		217	IN	A	142.251.9.139
google.com.		217	IN	A	142.251.9.138
google.com.		217	IN	A	142.251.9.113

;; Query time: 43 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 03 10:45:01 CEST 2022
;; MSG SIZE  rcvd: 207
As shown above, VyOS is now using port 53 on localhost for dns resolution