Provide secure DNS access for clients that do not support DNS-over-TLS (DoT), -HTTPS (DoH), -QUIC (DoQ) or DNSCrypt by installing a DNS proxy:
Save the following unit as /etc/systemd/system/dnsproxy.service:
[Unit]
Description=Custom wrapper for the DNS Proxy tool
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/PATH_TO_DNSPROXY/dnsproxy -l YOUR_IP -p 53 -u UPSTREAM_DNS_SERVICE
WorkingDirectory=/PATH_TO_DNSPROXY/
RemainAfterExit=no
[Install]
WantedBy=multi-user.target
Enable the service: systemctl enable dnsproxy.service
Start the service: systemctl start dnsproxy.service
You may need to open the firewall for the clients: ufw allow from ENABLED_SOURCE to YOUR_IP port 53 proto udp
This is equivalent to: ip(6)tables -I INPUT -s ENABLED_SOURCE -d YOUR_IP -p udp --dport 53 -j ACCEPT
For inspiration on choosing a good UPSTREAM_DNS_SERVICE, see Public IP Server on DuckDuckGo.
If you provide the service for VPN clients (see my OpenVPN article), you may wish to configure the placeholders as follows:
YOUR_IP: an address visible to the VPN clients only
ENABLED_SOURCE: the network address of the potential VPN clients only
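Because the proxy answers clients in plain UDP, the listen address and the allowed client network deserve a sanity check before the unit goes live. The following script is an added example, not code from the page or from the dnsproxy project: it parses the ExecStart= line of a unit like the one above, refuses wildcard or public listen addresses, and prints the matching ufw and ip(6)tables rules. The sample unit, the path /opt/dnsproxy/, the address 10.8.0.1 and the upstream tls://dns.example.net are constructed placeholder values.

```python
import ipaddress
import re
import shlex

# Constructed sample of the page's unit file, with the placeholders filled in
# with assumed values (10.8.0.1 as YOUR_IP, tls://dns.example.net as upstream).
SAMPLE_UNIT = """[Service]
Type=simple
ExecStart=/opt/dnsproxy/dnsproxy -l 10.8.0.1 -p 53 -u tls://dns.example.net
WorkingDirectory=/opt/dnsproxy/
"""

def parse_exec_start(unit_text):
    """Return (listen_ip, port, upstream) from the unit's ExecStart= line."""
    m = re.search(r"^ExecStart=(.*)$", unit_text, re.MULTILINE)
    if not m:
        raise ValueError("no ExecStart= line in unit")
    argv = shlex.split(m.group(1))
    # dnsproxy is invoked with "-flag value" pairs after the binary path
    opts = {argv[i]: argv[i + 1] for i in range(1, len(argv) - 1, 2)}
    return opts["-l"], int(opts.get("-p", "53")), opts["-u"]

def check_listener(listen_ip, client_net):
    """The proxy answers in plain UDP, so YOUR_IP must not be a wildcard or a
    public address, and ENABLED_SOURCE must be a private range of the same
    IP version. Returns (ok, reason)."""
    ip = ipaddress.ip_address(listen_ip)
    net = ipaddress.ip_network(client_net, strict=False)
    if ip.is_unspecified:
        return False, "wildcard listen address exposes plain DNS on every interface"
    if not ip.is_private:
        return False, "listen address is publicly routable"
    if ip.version != net.version:
        return False, "listen address and client network differ in IP version"
    if not net.is_private:
        return False, "client network is not a private range"
    return True, "ok"

def firewall_rules(listen_ip, port, client_net):
    """Emit the page's ufw rule and its iptables/ip6tables equivalent (UDP only,
    as on the page; DNS falls back to TCP on truncated answers, so a matching
    tcp rule is usually wanted as well)."""
    tool = "ip6tables" if ipaddress.ip_address(listen_ip).version == 6 else "iptables"
    ufw = f"ufw allow from {client_net} to {listen_ip} port {port} proto udp"
    ipt = f"{tool} -I INPUT -s {client_net} -d {listen_ip} -p udp --dport {port} -j ACCEPT"
    return ufw, ipt

if __name__ == "__main__":
    ip, port, upstream = parse_exec_start(SAMPLE_UNIT)
    print(check_listener(ip, "10.8.0.0/24"), *firewall_rules(ip, port, "10.8.0.0/24"), sep="\n")
```

Run it against your own unit by reading the file into parse_exec_start and passing your ENABLED_SOURCE network to check_listener.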