DNS Proxy Configuration Issues
So, my goal here is to enforce DNS over HTTPS within my local network for DNS queries. I was under the assumption that Omada added support by way of proxying DNS results and forwarding them to a specified DNS server. That said, I am running two local instances of Adguard Home DNS setup with (properly verified via Lets Encrypt) SSL certs via certmanager. Everything thing is properly configured on my end. No issues with certs therein or anything like that. As devices that support DNS over HTTPS work great. That said, I would like my whole network to use it, if possible.
When I go to specify the custom DNS server with my proper domain name, nothing on my network is resolving via HTTPS. Everything is still in the same plaintext DNS. I am using: https:// adguard. local. xxxxx. com/dns-query . Am I missing something in the further configuration? Documentation seems a bit scarce from what I see as this is a newish feature. Here is a screenshot:
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @rb5network
Thanks for posting in our business forum.
So, we support DoH. You've put the URL. But it is still plain text in LAN?
Here's my question, have you Wireshark and checked if this is actually working on WAN? Is DNS traffic on 443 or DoH now?
For the LAN in plain text, try this, set up your Windows computer with DoH with your local AdG. Wireshark and check if your PC is on DoH or not.
- Copy Link
- Report Inappropriate Content
@Clive_A Thanks for the reply! Yes, it was still resolving to plain text DNS. And when placing the DNS LAN options to auto/DHCP it wouldn't resolve whatsoever. It works perfectly when I use Windows's DNS over HTTPS settings. But, of course, I would prefer this function to be allocated at the network level! So, I was on the phone with support and they had to get information from the engineers I believe. According to them, the DNS Proxy feature only works with publicly facing DNS servers. Apparently DNS Proxy will not work with local DNS servers via LAN whatsoever. Must be coming from WAN.
Unaware of the technological hurdles and work that go into integrating DoT, DoH, and/or DNS over QUIC into Omada networking gear, but this really would be an amazing feature to have.
Have you heard from the engineers if this is a feature that has already been looked at or is potentially in the works?
- Copy Link
- Report Inappropriate Content
Hi @rb5network
Thanks for posting in our business forum.
rb5network wrote
@Clive_A Thanks for the reply! Yes, it was still resolving to plain text DNS. And when placing the DNS LAN options to auto/DHCP it wouldn't resolve whatsoever. It works perfectly when I use Windows's DNS over HTTPS settings. But, of course, I would prefer this function to be allocated at the network level! So, I was on the phone with support and they had to get information from the engineers I believe. According to them, the DNS Proxy feature only works with publicly facing DNS servers. Apparently DNS Proxy will not work with local DNS servers via LAN whatsoever. Must be coming from WAN.
Unaware of the technological hurdles and work that go into integrating DoT, DoH, and/or DNS over QUIC into Omada networking gear, but this really would be an amazing feature to have.
Have you heard from the engineers if this is a feature that has already been looked at or is potentially in the works?
The problem is, that this is the upstream query. It does not affect the LAN. It is about the from your WAN to the public DNS servers.
If you use AdG and Pi-hole or any kind of DNS servers like it, you will get the same result. This is the place where you fill in the upstream DNS servers. It is not about the LAN.
If you need to encrypt the LAN, you gotta set up the DoH or DoT on the devices individually unless DoH and DoT replace the current DNS(53) which is in plain text. Or there is no way we can force it to be DoH or DoT.
This is the reason here. It is not a matter of whether we implement it. It is about whether your device takes DoH or DoT beyond the traditional DNS(53).
Not to mention, if your LAN is secure, LAN DoH is not necessary. That function mainly focuses on the encryption from the NAT to the public DNS servers.
- Copy Link
- Report Inappropriate Content
@Clive_A So there is a technological issue with serving DNS over HTTPS through Omada/DHCP like traditional plain text? I take it encryption must be setup by clients if that is the case? I just want to understand the issues. I saw online that there's a tool kit for Unifi that technically supports DNS over HTTPS at the router level, and others are in the works for official support. But, I'm totally unaware of the engineering/backend work needed for that.
As someone who works in cybersecurity, I would disagree that DoT isn't worth it behind a firewall tbh. I still think securing local web pages with HTTPS (you all do this with the Omada software!) and other forms of network encryption is a good thing.
- Copy Link
- Report Inappropriate Content
Hi @rb5network
Thanks for posting in our business forum.
rb5network wrote
@Clive_A So there is a technological issue with serving DNS over HTTPS through Omada/DHCP like traditional plain text? I take it encryption must be setup by clients if that is the case? I just want to understand the issues. I saw online that there's a tool kit for Unifi that technically supports DNS over HTTPS at the router level, and others are in the works for official support. But, I'm totally unaware of the engineering/backend work needed for that.
As someone who works in cybersecurity, I would disagree that DoT isn't worth it behind a firewall tbh. I still think securing local web pages with HTTPS (you all do this with the Omada software!) and other forms of network encryption is a good thing.
I mean it is upstream encryption. Which is from your WAN IP to query a domain to the upstream server. This is encrypted.
In your LAN, this is still plain text and using UDP 53.
If you need this to be encrypted, it should be set on your client which they must support DoH or DoT. They don't support it and if you force this on them, they'll simply show up as "no Internet". This is my point. You cannot force the server to assign the DoH to your local clients as you don't know if they are all capable of that.
What about the IoT? Do they support encrypted DNS servers? Nope. So this is not about the locals. It is about the WAN, upstream.
UBNT supports that, what would be the name? It applies to the LAN? Not upstream? Do you have any docs for me so I can take a look at how they do?
I totally get your point that you want this to be LAN side. But, it has to be manually set individually.
Android, Private DNS.
iOS, you have to install a profile to use encrypted DNS.
Windows, you set the DoH or DoT.
There are docs anywhere, you can take a look.
For example:
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 922
Replies: 5