DNS over HTTPS (DoH) with OpenVPN Client


#1

I followed this excellent article on how to set up DoH on the Raspberry Pi:
https://bendews.com/posts/implement-dns-over-https/
And it appears to work great on the Pi as tested with this command:
dig @127.0.0.1 -p 5053 google.com
My Pi is an OpenVPN client acting as a Gateway for my home network, so in the OpenVPN client.conf file I added this setting:
dhcp-option DNS 127.0.0.1:5053
But it does not appear to be working, as when I do this on my Windows PC using the Pi Gateway, it shows this:
>nslookup all
Server: google-public-dns-a.google.com
Address: 8.8.8.8
How can I test for sure if it's working or not, and if it's not working, what am I doing wrong?
Thanks!!!
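For the "how can I test for sure" part of the question, the script below is an added example; it is not code from the original post or from the linked article. It does two things a practitioner would check on the gateway itself. First, it reads the listening sockets (`ss -lntu` output, or the `netstat` line format that appears later in this thread) and reports whether the resolver on the chosen port is bound to loopback only, to all addresses, or to one specific address, which decides whether a LAN client can reach it at all. Second, in live mode it queries the LAN address the way a Windows PC would, then asks Cloudflare's resolver which client address it saw (the `whoami.cloudflare` CH TXT query, a Cloudflare-specific feature, assumed here to pass through the DoH proxy unchanged); that answer is the tunnel's exit address only if the lookup really went upstream over DoH through the VPN. The address 192.168.3.3 and port 53 are the values used in this thread; the socket listings embedded in the script are constructed samples, not captures from anyone's machine.

```shell
#!/usr/bin/env bash
# Added diagnostic for a cloudflared DoH proxy meant to serve LAN clients.
# Not from the original thread or the linked article. Assumes the gateway's
# LAN address is 192.168.3.3 and the proxy port is 53, as in the thread.
set -u

# Classify how the socket on port $2 is bound, from the lines of `ss -Hlntu`
# (or the netstat format seen in the thread) passed as $1.
# Prints one of: none | loopback | all | <specific address>.
listener_scope() {
    local listing="$1" port="$2" addr
    # Take the first field that ends in ":<port>"; the peer column ends in ":*".
    addr=$(printf '%s\n' "$listing" | awk -v p="$port" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ (":" p "$")) { sub(":" p "$", "", $i); print $i; exit } }')
    case "$addr" in
        "")                   echo none ;;
        127.*|'[::1]')        echo loopback ;;
        '*'|0.0.0.0|'[::]')   echo all ;;
        *)                    echo "$addr" ;;
    esac
}

# Live check, to run on the Pi: needs ss and dig (package bind9-dnsutils).
live_check() {
    local lan_ip="$1" port="$2" scope
    scope=$(listener_scope "$(ss -Hlntu)" "$port")
    echo "port $port is bound to: $scope"
    case "$scope" in
        none|loopback)
            echo "LAN clients cannot reach $lan_ip:$port; restart cloudflared with --address $lan_ip (or 0.0.0.0)"
            return 1 ;;
    esac
    # 1. A plain query to the LAN address: this is what the Windows PC does.
    dig +short +time=2 +tries=1 @"$lan_ip" -p "$port" example.com
    # 2. Ask Cloudflare which client address it saw (Cloudflare-specific CH TXT
    #    query, assumed to pass through the DoH proxy unchanged). If the answer
    #    is the VPN exit address rather than the home ISP address, the lookup
    #    really went upstream over the tunnel via DoH.
    dig +short +time=2 +tries=1 @"$lan_ip" -p "$port" CH TXT whoami.cloudflare
}

# Constructed sample listings (not captured from the thread's machines).
# LISTING_LOOPBACK mirrors the symptom reported in post #7: 127.0.0.1 only.
LISTING_LOOPBACK='tcp   LISTEN 0 128 127.0.0.1:53 0.0.0.0:*
udp   UNCONN 0 0   127.0.0.1:53 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*'
LISTING_FIXED='tcp   LISTEN 0 128 192.168.3.3:53 0.0.0.0:*
udp   UNCONN 0 0   192.168.3.3:53 0.0.0.0:*'

if [ "${1:-}" = live ]; then
    live_check "${2:-192.168.3.3}" "${3:-53}"
else
    echo "post #7 style listing -> $(listener_scope "$LISTING_LOOPBACK" 53)"  # loopback
    echo "fixed listing         -> $(listener_scope "$LISTING_FIXED" 53)"     # 192.168.3.3
fi
```

Run it as `./doh-check.sh live 192.168.3.3 53` on the Pi; with no arguments it only classifies the built-in samples. A stronger negative check, run as root on the Pi while a client queries: `tcpdump -ni tun0 port 53` should capture nothing, because with DoH the only upstream traffic is TCP 443 to 1.1.1.1, while `tcpdump -ni eth0 port 53` should show the LAN client's query arriving.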


#2

Would you mind sharing the output of “ipconfig /all” and your server and client configuration?

Remove all security-related information from it.


#3

Ok, here are my three devices: Windows PC --> Pi OpenVPN Client / Gateway --> Pi OpenVPN Server.
The Raspberry Pi doesn’t have ‘ipconfig /all’; the closest thing is ‘ifconfig -a’, so I hope it provides enough information:

Windows PC:

Pi OpenVPN Client/Gateway (192.168.3.3):

Pi OpenVPN Server:


#4

More info:
I noticed the 8.8.8.8 and 8.8.4.4 in the DNS address list and realized that it was coming from my pfSense Router assignment on DHCP page.
So I changed it to point to 192.168.3.3 for the DNS server:
DNS Servers . . . . . . . . . . . : 192.168.3.3
                                    8.8.8.8
                                    8.8.8.4
So now when I do this, it craps out:
nslookup all
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.3.3

So, clearly that didn’t help. I even tried “192.168.3.3:5053” for the DNS address, but pfSense did not like that at all.

Hmmmmm…


#5

Ok, one last thing and then I’ll stop dicking with it and wait for your advice:
Because 5053 is not the standard DNS port, I changed the Cloudflare service on my Pi OpenVPN Client/Gateway to use the standard port (53) instead:
CLOUDFLARED_OPTS=--port 53 --upstream https://1.1.1.1/dns-query
Then restarted the service:
sudo systemctl restart cloudflared
Then put ‘192.168.3.3’ back in as the primary DNS server in pfSense for that interface.
Blah, still craps out :(
nslookup all
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.3.3


#6

More clues:
I get this error message when I run ‘service cloudflared status’:
"Failed to start the listeners...permission denied"
help…


#7

OK, after finding that “permission denied” error, I changed all the permissions to ‘root’ for the app, the service and the configuration file, then rebooted.
Now I don’t get that error anymore, and it shows that port 53 on the OpenVPN Client Pi is being listened on:
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
So I reset the DHCP on the pfSense router to list 192.168.3.3 (the OpenVPN Client Pi/Gateway) as the primary DNS server, but when I do “nslookup all”, it still times out!
Waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
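The two clues in this post point at the actual fix. The configuration below is an added example, not anything from the thread or from the linked article. The "permission denied" came from binding port 53 as an unprivileged user, and the `127.0.0.1:53` listing shows the proxy is reachable from the Pi only, which is why 192.168.3.3 times out from the Windows PC. Running cloudflared as root addresses the first problem but not the second, and hands a network-facing daemon far more privilege than binding one port needs. The fragment assumes the layout from the linked article: a `cloudflared` system user, options in `/etc/default/cloudflared`, and a systemd unit named `cloudflared.service` (the drop-in path is an assumption; adjust it to the unit name actually installed). It binds the listener to the LAN address only, so the resolver is not also exposed on the tunnel interface, and grants the bind capability instead of root. `dhcp-option DNS` in client.conf is a separate matter: it takes a bare address with no port, and on a Linux client it is applied (if at all) to the Pi's own resolver configuration, not to the LAN clients behind it, whose resolver is whatever pfSense's DHCP hands out.

```ini
# /etc/default/cloudflared  (environment file read by the unit)
# Bind to the LAN address only: reachable from 192.168.3.0/24, not from tun0.
# The Pi itself must then also resolve via 192.168.3.3, not 127.0.0.1.
# Use --address 0.0.0.0 instead if loopback is needed, and then firewall
# port 53 on the tunnel interface.
CLOUDFLARED_OPTS=--address 192.168.3.3 --port 53 --upstream https://1.1.1.1/dns-query

# /etc/systemd/system/cloudflared.service.d/override.conf  (drop-in; unit name assumed)
[Service]
# Keep the unprivileged user from the article; the binary and config can stay
# root-owned, the service only needs to read them.
User=cloudflared
# Grant exactly the privilege a port-53 bind needs, and nothing else.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
```

After `sudo systemctl daemon-reload && sudo systemctl restart cloudflared`, `ss -lntup | grep ':53 '` on the Pi should show `192.168.3.3:53` owned by the cloudflared user, and `nslookup example.com 192.168.3.3` from the Windows PC should answer instead of timing out. If the Pi runs its own iptables rules as a gateway, port 53 (UDP and TCP) must also be accepted on the LAN interface; a default-drop INPUT chain produces the same timeout as a loopback-only bind.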

