knb:dohdot_en

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen Revision Vorhergehende Überarbeitung
Nächste Überarbeitung		 Vorhergehende Überarbeitung
knb:dohdot_en [2019/10/20 18:48] awickertknb:dohdot_en [2025/09/10 20:36] (aktuell) t0biii
Zeile 1: Zeile 1:
 {{htmlmetatags>metatag-robots=(index,follow)}} {{htmlmetatags>metatag-robots=(index,follow)}}
-====== DNS-over-HTTPS and DNS-over-TLS support ======+====== DNS-over-HTTPS/-TLS/-QUIC-Support ======
 {{:ffmuc_logo.png?nolink&150|Bild: Freifunk München Logo}} \\ {{:ffmuc_logo.png?nolink&150|Bild: Freifunk München Logo}} \\
-\\ 
-Sep 16, 2019 
 ===== Background  Informations ===== ===== Background  Informations =====
 Surely you've heard of the topic that is currently haunting [[https://www.golem.de/news/wegen-cloudflare-openbsd-deaktiviert-doh-im-firefox-browser-1909-143884.html|IT-News]]. Mozilla will integrate in Firefox [[https://cloudflare.com/|Cloudflare]] as DoH-Server and activate it by default. In itself, it's not a bad idea to encrypt DNS queries so that they can't be read in open networks (like Freifunk). However, it is a thorn in the side of many users and us to use a provider from America by default. Surely you've heard of the topic that is currently haunting [[https://www.golem.de/news/wegen-cloudflare-openbsd-deaktiviert-doh-im-firefox-browser-1909-143884.html|IT-News]]. Mozilla will integrate in Firefox [[https://cloudflare.com/|Cloudflare]] as DoH-Server and activate it by default. In itself, it's not a bad idea to encrypt DNS queries so that they can't be read in open networks (like Freifunk). However, it is a thorn in the side of many users and us to use a provider from America by default.
  
-That's why we have set up a DoH/DoT server for you, which you can for example directly add to Firefox, use via App or combine with another DNS server.+That's why we have set up a DoH/DoT/DoQ server for you, which you can for example directly add to Firefox, use via App or combine with another DNS server
 + 
 +We also registered on the page of the [[https://dnscrypt.info/public-servers/|DNSCrypt-Project]], so that we are automatically added in apps like [[https://apps.apple.com/de/app/dnscloak-secure-dns-client/id1452162351|DNSCloak]] (iOS) or [[https://github.com/DNSCrypt/dnscrypt-proxy|dnscrypt-proxy]].
  
-We also registered on the page of the [[https://dnscrypt.info/public-servers/|DNSCrypt-Project]], so that we can automatically register at the resolvers in the app [[https://apps.apple.com/de/app/dnscloak-secure-dns-client/id1452162351|DNSCloak]] (iOS) or at [[https://github.com/DNSCrypt/dnscrypt-proxy|dnscrypt-proxy]].+===== Addresses & Protocols ===== 
 +Our DNS servers are available both as "normal" [[knb:dns|DNS servers]] (for simpleunencrypted DNS over UDP/TCP), as well as via the following protocols:   
 +  * DNS over TLS ''%%tls://dot.ffmuc.net%%''   
 +  * DNS over HTTPS ''%%https://doh.ffmuc.net/dns-query%%''   
 +  * DNS over HTTP/3 ''%%h3://doh.ffmuc.net/dns-query%%''   
 +  * DNS over QUIC ''%%quic://doq.ffmuc.net%%''     
 +For configuration, please use the following addresses & domains:   
 +  * ''doh.ffmuc.net IPv4: 5.1.66.255 / 185.150.99.255  IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::''   
 +  * ''dot.ffmuc.net IPv4: 5.1.66.255 / 185.150.99.255  IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::''   
 +  * https://doh.ffmuc.net/dns-query
  
-Addresses: 
-  * ''doh.ffmuc.net - 195.30.94.28 / 2001:608:a01::3'' 
-  * ''dot.ffmuc.net - 195.30.94.28 / 2001:608:a01::3'' 
  
 ===== Firefox ===== ===== Firefox =====
Zeile 46: Zeile 52:
 ==== Android < 9 ==== ==== Android < 9 ====
 If you have an Android system that is older than Android 9, you will need to use other apps. If you have an Android system that is older than Android 9, you will need to use other apps.
-Our current recommendation is "Infra". ([[https://play.google.com/store/apps/details?id=app.intra|PlayStore-Link]]).+Our current recommendation is "Intra". ([[https://play.google.com/store/apps/details?id=app.intra|PlayStore-Link]]).
 \\ \\
 \\ \\
Zeile 64: Zeile 70:
 <code> forward-zone: <code> forward-zone:
         name: "."         name: "."
-        forward-addr: 195.30.94.28@853#dot.ffmuc.net +        forward-addr: 5.1.66.255@853#dot.ffmuc.net 
-        forward-addr: 2001:608:a01::3@853#dot.ffmuc.net+        forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net
 </code> </code>
 +
 +
 +===== AVM Fritz!Box =====
 +Since Fritz!OS 7.20, it has been possible to configure DoT servers directly in the Fritz!Box.
 +Go to Internet -> Account Information -> DNS-Server. At the bottom field, enter dot.ffmuc.net as the hostname:
 +
 +
 +{{ :knb:fritzbox_dot_settings_en.png?direct&800 |DoT-Settings in FritzBox}}
 +
 +In the Online Monitor, you can now see that the following entries also appear under "DNS servers used":
 +
 +  2001:678:e68:f000:: (DoT-encrypted)
 +  2001:678:ed0:f000:: (DoT-encrypted)
 +  5.1.66.255 (DoT-encrypted)
 +  185.150.99.255 (DoT-encrypted)
 +  
 +For one of the four, it also says "currently used for standard queries – DoT-encrypted".
 +
 +If that is the case, everything is set up correctly.
 +
 +
 +===== Mikrotik / RouterOS =====
 +
 +The main problem here is that the devices do not trust the FFMuc Let’s Encrypt certificate by default.
 +Therefore, we first need to configure the regular DNS, download and install the certificate, and only then can we configure DoH:
 +
 +<code>
 +/ip dns set servers=5.1.66.255,185.150.99.255
 +/tool fetch url=https://letsencrypt.org/certs/isrgrootx1.pem
 +/certificate import file-name=isrgrootx1.pem passphrase=""
 +/ip dns set servers=5.1.66.255,185.150.99.255 use-doh-server=https://doh.ffmuc.net/dns-query verify-doh-cert=yes
 +</code>
 +
 +(The command line instructions are given here. In the GUI, the hierarchy is identical, meaning instead of "/ip dns set" you select the menu item "ip", then the submenu "dns", and set the corresponding values there.)
 +
  
 ===== DNS leak-Test ===== ===== DNS leak-Test =====
-If everything worked out, you can do a [[http://dns-leak.com/|DNSLeak-Test]] and the result should look like this:+If everything worked out, you can do a [[https://dnsleaktest.com/|DNS leak test]] and the result should look like this:
  
-{{ :knb:2019-09-16-doh-success.png?direct&800 |Bild: Ergebnis beim Testen via dns-leak.com}}+{{ :knb:dnsleaktest.png?direct&800 | Bild: Ergebnis beim Testen via dnsleaktest.com }} 
 +(It can also show a different set of IP addresses in the 5.1.66.0/24 IPv4 prefix from our other PoP in Vienna, Austria) 
 + 
 +Additional sites: 
 +  * https://www.dnscheck.tools/ (also checks DNSSEC support of the resolver and IPv6) 
  
 ===== Statistics ===== ===== Statistics =====
 Of course there is also a detailed **[[https://stats.ffmuc.net/d/tlvoghcZk/doh-dot?orgId=1&refresh=1m|Statusseite]]** where you can see all possible statistics about the service. Of course there is also a detailed **[[https://stats.ffmuc.net/d/tlvoghcZk/doh-dot?orgId=1&refresh=1m|Statusseite]]** where you can see all possible statistics about the service.
 +
 +<WRAP center round alert 80%>
 +**Just to say it**: \\
 +\\
 +At Freifunk München, there are no logs that allow any conclusions to be drawn about the use.
 +There are a few general counters: \\
 +\\
 +https://stats.ffmuc.net/d/tlvoghcZk/doh-dot \\
 +\\
 +And we have logs about requests/IP for rate-limits, but they only contain '**//that//**' and not '**//what//**'.
 +
 +</WRAP>
  
 ===== More about this topic ===== ===== More about this topic =====
  • knb/dohdot_en.1571597288.txt.gz
  • Zuletzt geändert: 2020/06/09 17:00
  • (Externe Bearbeitung)