DNSFilter supports DNS-over-TLS (DoT) in our Roaming Clients and DNS Relay, allowing for encryption and privacy of DNS traffic.
Enabling DoT has been shown to fix issues such as:
- Roaming Clients or Relays intermittently going offline
- When Roaming Clients or Relays are installed, no websites resolve or open
- Filtering Policies fail to block or allow websites as expected
Once enabled, DoT sends the original client requests through a TLS channel on port 853 instead of port 53, the port used for unencrypted DNS. This prevents attackers on the path from seeing or manipulating the DNS request, and keeps a persistent connection open between DNSFilter and the device.
In the event of a failover or communication issue, the Roaming Client falls back to resolving over port 53 UDP or TCP.
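To make the transport concrete, here is an added example (not DNSFilter's code) of what a DoT lookup looks like on the wire: a standard DNS message, prefixed with a 2-byte length as in DNS over TCP, sent inside a TLS session on port 853 whose certificate is checked against the auth name dns1.dnsfilter.com, with the same port-53 UDP fallback the article describes. The server IP is the dns1 address the page lists elsewhere; the response bytes used for testing are constructed, not captured.

```python
"""Added example: DNS-over-TLS framing with a plain-DNS fallback (not DNSFilter's code)."""
import socket
import ssl
import struct

DOT_PORT = 853        # DNS-over-TLS (RFC 7858)
PLAIN_PORT = 53       # classic unencrypted DNS, used only as fallback
DOT_AUTH_NAME = "dns1.dnsfilter.com"   # name the server certificate must match (from the page)
DOT_SERVER_IP = "103.247.36.36"        # dns1 address as listed on the page


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: one question, recursion desired, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """DoT, like DNS over TCP, prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer is 2 bytes and ends the name
            return pos + 2
        pos += 1 + length


def parse_a_records(resp: bytes, txid: int = 0x1234) -> list[str]:
    """Return the IPv4 addresses in the answer section; reject a mismatched transaction id."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    pos = 12
    for _ in range(qd):                 # skip the echoed question(s)
        pos = _skip_name(resp, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:   # A record
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def resolve(name: str, timeout: float = 3.0) -> tuple[str, list[str]]:
    """Try DoT on 853 with chain and hostname verification; on any transport or TLS
    failure fall back to UDP/53, mirroring the failover the article describes.
    Returns (transport used, addresses). Needs network access."""
    query = build_query(name)
    try:
        ctx = ssl.create_default_context()   # verifies the chain and DOT_AUTH_NAME
        with socket.create_connection((DOT_SERVER_IP, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=DOT_AUTH_NAME) as tls:
                tls.sendall(frame_for_tcp(query))
                (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                return "tcp-tls", parse_a_records(_recv_exact(tls, length))
    except (OSError, ssl.SSLError):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.settimeout(timeout)
            udp.sendto(query, (DOT_SERVER_IP, PLAIN_PORT))
            resp, _ = udp.recvfrom(4096)
            return "udp", parse_a_records(resp)


if __name__ == "__main__":
    print(resolve("example.com"))
```

The fallback branch is the part worth watching operationally: a client that silently drops to port 53 still resolves, so monitor which transport is in use rather than only whether resolution works.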
The DNSFilter DNS-over-TLS hostnames are:
- dns1.dnsfilter.com
- dns2.dnsfilter.com
Implementation details
This implementation supports the following features:
- TLS version 1.3
- RFC-7828
- TCP_FastOpen
- TCP_FalseStart
Windows Roaming Client
- Install the Windows Roaming Client
- Create a registry key value to set tcp-tls as the preferred connection method, using whichever of these registry paths exists on the device:

    reg add "HKLM\Software\DNSFilter\Agent" /v UpstreamOrder /d "tcp-tls,udp,tcp" /f

    reg add "HKLM\Software\DNSAgent\Agent" /v UpstreamOrder /d "tcp-tls,udp,tcp" /f

- Restart the Roaming Client to apply these settings
macOS Roaming Client
- Open the daemon.conf file with whichever of these commands matches the path present on the device:

    sudo nano /Library/Application\ Support/DNSFilter\ Agent/daemon.conf

    sudo nano /Library/Application\ Support/DNS\ Agent/daemon.conf

- Set upstream_order (snippet below) at the top of the config file:

    # Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
    upstream_order = [ "tcp-tls", "udp", "tcp" ]

- Restart the Roaming Client, using the pair of commands for the plist present on the device:

    Stop command:
    sudo launchctl unload /Library/LaunchDaemons/com.dnsfilter.agent.macos.helper.plist
    Start command:
    sudo launchctl load -w /Library/LaunchDaemons/com.dnsfilter.agent.macos.helper.plist

    Stop command:
    sudo launchctl unload /Library/LaunchDaemons/io.netalerts.agent.macos.helper.plist
    Start command:
    sudo launchctl load -w /Library/LaunchDaemons/io.netalerts.agent.macos.helper.plist
iOS Roaming Client
With iOS agent version 1.0.8 and higher, DoT is enabled by default, so the end user no longer needs to configure it manually.
Manually update all devices
Follow these steps for older versions, or to change this option. This enables or disables DoT on all devices that use the dnsfilter.mobileconfig file.
- Open the dnsfilter.mobileconfig file
- Set the dns_over_tls_enabled key in the <dict> section:

    <key>dns_over_tls_enabled</key>
    <true/>

- Restart the agents to apply these changes
Manually update a single device
To enable or disable DoT on a single device, open the Roaming Client app Settings and select or unselect Enable DNS over TLS. Restart the agent to apply the change.
DNS Relay
Set upstream_order (snippet below) at the top of the relay.conf file. If making this update after deployment, restart the Relay to apply the change.

```toml
# Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
upstream_order = [ "tcp-tls", "udp", "tcp" ]
```

Single-line settings (such as upstream_order) must be placed before the [xyz] TOML tables. A setting placed at the bottom of the file automatically becomes part of the last TOML table, so it is no longer a top-level setting.
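The placement rule above is easy to get wrong and the file still parses cleanly, so nothing complains. The following added check (not DNSFilter's code; it applies equally to relay.conf and the macOS daemon.conf) scans a TOML-style file and reports whether upstream_order is top-level or has been swallowed by a table. The two sample files are constructed for the demonstration, and the [example_table] / listen names are placeholders, not real relay.conf keys; when the interpreter has the standard tomllib module (Python 3.11+), the scanner's verdict is cross-checked against the real parser.

```python
"""Added example: verify that upstream_order is a top-level TOML setting (not DNSFilter's code)."""
import re

try:
    import tomllib                      # standard library on Python 3.11+
except ImportError:                     # older interpreters: skip the cross-check
    tomllib = None

# A table header such as [relay] or [[servers]]; the captured group is the table name.
TABLE_HEADER = re.compile(r"^\s*\[+\s*([^\]]+?)\s*\]+\s*$")
# A key assignment such as upstream_order = [ ... ]
KEY_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=")


def locate_setting(conf_text: str, key: str):
    """Return None if `key` is never assigned, "" if it is assigned at top level,
    or the name of the TOML table that it has become part of (last assignment wins)."""
    current_table = ""
    found = None
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()   # drop comments
        if not stripped:
            continue
        m = TABLE_HEADER.match(stripped)
        if m:
            current_table = m.group(1)               # every key after this belongs to the table
            continue
        m = KEY_LINE.match(stripped)
        if m and m.group(1) == key:
            found = current_table
    return found


def parser_agrees(conf_text: str, key: str):
    """Same contract as locate_setting(), but answered by the standard TOML parser.
    Returns None when tomllib is unavailable."""
    if tomllib is None:
        return None
    data = tomllib.loads(conf_text)
    if key in data:
        return ""
    for table, value in data.items():
        if isinstance(value, dict) and key in value:
            return table
    return None


def check_upstream_order(conf_text: str) -> str:
    """Human-readable verdict for the setting the article discusses."""
    where = locate_setting(conf_text, "upstream_order")
    if where is None:
        return "upstream_order not set: defaults apply (udp, tcp, tcp-tls)"
    if where == "":
        return "ok: upstream_order is a top-level setting"
    return f"misplaced: upstream_order became part of [{where}], move it above the first table"


# Constructed sample files; [example_table] and listen are placeholders, not real relay.conf keys.
GOOD_CONF = """\
# Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
upstream_order = [ "tcp-tls", "udp", "tcp" ]

[example_table]
listen = "0.0.0.0:53"
"""

BAD_CONF = """\
[example_table]
listen = "0.0.0.0:53"

# Appended at the bottom: this is now example_table.upstream_order, not a top-level key.
upstream_order = [ "tcp-tls", "udp", "tcp" ]
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, "->", check_upstream_order(conf))
```

Run it against a real relay.conf by reading the file into `check_upstream_order()`; a "misplaced" verdict means DoT will not be preferred even though the file contains the right line.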
Forwarder/Stub support
A typical setup for DNS-over-TLS is to configure a LAN DNS server as a forwarder that accepts plain queries from the LAN and forwards them upstream over TLS.
Below are some example software configurations.
Knot Resolver
Specific instructions for Knot Resolver depend on the local configuration and operating system; see Knot Resolver's documentation for details. This blog post might also be helpful.
To forward over TLS, load the policy module and add a policy.TLS_FORWARD rule:
✍️ The target of ca_file= may not be needed or may differ.

```lua
modules = { 'policy' }
policy.add(policy.all(policy.TLS_FORWARD({
  {'103.247.36.36', hostname='dns1.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'},
  {'103.247.37.37', hostname='dns2.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'}
})))
-- This signifies the end of the { 'policy' } section
```
Stubby + Unbound
A dual-container Docker solution, where Unbound is used as a caching DNS forwarder and Stubby is used as the DNS-over-TLS transport between Unbound and DNSFilter. This combines the caching capabilities of Unbound with the high-performing DNS-over-TLS implementation that Stubby provides.
Link to the GitHub Project.
Stubby (Standalone)
In the upstream_recursive_servers: section of stubby.yaml:

```yaml
upstream_recursive_servers:
  - address_data: 103.247.36.36
    tls_auth_name: "dns1.dnsfilter.com"
  - address_data: 103.247.37.37
    tls_auth_name: "dns2.dnsfilter.com"
```
Unbound (Standalone)
Unbound is the default DNS forwarder in the open-source firewalls IPFire and pfSense.
Performance Warning
DNS-over-TLS performance in Unbound is relatively poor. About 8–10 queries per second is our suggested maximum, so it is recommended only for low-traffic networks. Consider using Knot Resolver or the Stubby + Unbound Docker solution instead.
In the unbound.conf file, enable ssl-upstream in the server: section and point a forward-zone: for the root (".") at DNSFilter on port 853. The two DNSFilter addresses must be the only forward addresses configured.

```
server:
    ssl-upstream: yes

forward-zone:
    name: "."
    forward-addr: 103.247.36.36@853
    forward-addr: 103.247.37.37@853
```