DNSFilter supports DNS-over-TLS (DoT) in our Roaming Clients and DNS Relay, allowing for encryption and privacy of DNS traffic.
DoT channels the original client requests through a secure TLS channel on port 853 instead of the common port 53 used for unencrypted DNS communication. This prevents attackers from seeing or manipulating information about the DNS request.
The DNSFilter DNS-over-TLS hostnames are:
- dns1.dnsfilter.com
- dns2.dnsfilter.com
⚡️ Important Final Step
Restart the Roaming Client after completing the applicable agent update below in order for DNS-over-TLS to take effect.
Implementation details
| Feature | Supported |
|---|---|
| TLS Versions | 1.3 |
| RFC-7828 (edns-tcp-keepalive) | Yes |
| TCP_FastOpen | Yes |
| TCP_FalseStart | Yes |
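To confirm that a host can actually reach DNSFilter over DoT (TLS on TCP port 853, server certificate validated against the hostnames above, TLS 1.3 as in the table), here is an added Python check. It is not DNSFilter's code; the hostnames and the IP addresses 103.247.36.36 / 103.247.37.37 are the ones this article gives for the forwarder configurations, and the query name "example.com" is just a sample.

```python
import socket
import ssl
import struct

# Added example, not DNSFilter's code. Sends one DNS query over DNS-over-TLS
# (TLS on TCP/853 per RFC 7858, with the 2-byte TCP length prefix) and
# reports the response header. Hostnames and IPs are those in the article.
DOT_SERVERS = {"dns1.dnsfilter.com": "103.247.36.36",
               "dns2.dnsfilter.com": "103.247.37.37"}

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data, txid=0x1234):
    """Extract rcode, answer count and TC flag; reject a mismatched txid."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x0F, "answers": an, "truncated": bool(flags & 0x0200)}

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf

def dot_query(hostname, name, timeout=5.0):
    """Resolve `name` via DoT; the server certificate must match `hostname`."""
    ctx = ssl.create_default_context()            # CA chain + hostname verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # DNSFilter lists TLS 1.3 only
    query = build_query(name)
    with socket.create_connection((DOT_SERVERS[hostname], 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # TCP length prefix
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length))

if __name__ == "__main__":
    for host in DOT_SERVERS:
        print(host, dot_query(host, "example.com"))
```

A TLS handshake failure here (certificate or hostname mismatch, TLS version) means the client would also fail to bring up DoT, and a firewall that blocks outbound 853 shows up as a connection timeout.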
Windows Roaming Client
- Install the Windows Roaming Client
- Create a registry key value to set tcp-tls as the preferred connection method. Run whichever command matches the registry path of the installed agent:
  reg add "HKLM\Software\DNSFilter\Agent" /v UpstreamOrder /d "tcp-tls,udp,tcp" /f
  reg add "HKLM\Software\DNSAgent\Agent" /v UpstreamOrder /d "tcp-tls,udp,tcp" /f
macOS Roaming Client
- Open the daemon.conf file with whichever command matches the installed agent:
  sudo nano /Library/Application\ Support/DNSFilter\ Agent/daemon.conf
  sudo nano /Library/Application\ Support/DNS\ Agent/daemon.conf
- Set the upstream_order (snippet below) at the top of the config file:
  # Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
  upstream_order = [ "tcp-tls", "udp", "tcp" ]
- Restart the Roaming Client, using the pair of commands that matches the installed LaunchDaemon:
  Stop command:
  sudo launchctl unload /Library/LaunchDaemons/com.dnsfilter.agent.macos.helper.plist
  Start command:
  sudo launchctl load -w /Library/LaunchDaemons/com.dnsfilter.agent.macos.helper.plist
  Stop command:
  sudo launchctl unload /Library/LaunchDaemons/io.netalerts.agent.macos.helper.plist
  Start command:
  sudo launchctl load -w /Library/LaunchDaemons/io.netalerts.agent.macos.helper.plist
iOS Roaming Client
With version 1.0.8 or newer, DoT is enabled by default on the iOS Roaming Client and no longer requires manual configuration by the end user.
Manually update all devices
Follow these steps for any older versions or to change this option. This enables/disables DoT on all devices that use the dnsfilter.mobileconfig file.
- Open the dnsfilter.mobileconfig file
- Set the dns_over_tls_enabled key in the <dict> section (<true/> enables DoT, <false/> disables it):
  <key>dns_over_tls_enabled</key>
  <true/>
Manually update one device
To disable DoT on a single device, open the Roaming Client app Settings and select/unselect Enable DNS over TLS.
DNS Relay
Set the upstream_order (snippet below) at the top of the relay.conf file:
# Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
upstream_order = [ "tcp-tls", "udp", "tcp" ]
Single-line settings / parameters (such as upstream_order) must be placed before the [xyz] TOML tables; they cannot be placed at the bottom of the file, or they will automatically become part of the last TOML table.
Forwarder/Stub support
A typical setup for DNS-over-TLS is to configure a LAN DNS server to act as a forwarder: it accepts plain DNS queries from LAN clients and sends them upstream to DNSFilter over TLS.
Below are some example software configurations:
Knot Resolver
Specific instructions for Knot Resolver will depend on the local configuration and operating system. See Knot Resolver’s documentation regarding TLS forwarding for more. This blog post might also be helpful.
To implement TLS forwarding, in the policy modules section, we use policy.TLS_FORWARD (wrapped in policy.add(policy.all(...)) so that it applies to every query):
modules = { 'policy' }
policy.add(policy.all(policy.TLS_FORWARD({
  {'103.247.36.36', hostname='dns1.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'},
  {'103.247.37.37', hostname='dns2.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'}
})))
-- This signifies the end of the { 'policy' } section
The target of ca_file= may not be needed or may differ.
Stubby + Unbound
A dual-Docker solution, where Unbound is used as a DNS-caching forwarder, and Stubby is used as a DNS-over-TLS transport server between Unbound and DNSFilter. This combines the caching powers of Unbound with the high-performing DNS-over-TLS implementation that Stubby provides.
Link to the GitHub Project.
Stubby (Standalone)
In the upstream_recursive_servers: section of stubby.yaml:
upstream_recursive_servers:
  - address_data: 103.247.36.36
    tls_auth_name: "dns1.dnsfilter.com"
  - address_data: 103.247.37.37
    tls_auth_name: "dns2.dnsfilter.com"
Unbound (Standalone)
Unbound is the default DNS forwarder in the open-source firewalls IPFire and pfSense.
Performance Warning
DNS-over-TLS performance in Unbound is relatively poor. About 8–10 queries per second is our suggested maximum, so only low-traffic networks are suggested. Consider using Knot Resolver or the Stubby + Unbound Docker solution.
In the unbound.conf file, ensure ssl-upstream is set in the server: section and the two DNSFilter addresses are configured in a forward-zone: for "." (forward-addr lines belong to forward-zone:, not server:). DNSFilter must be the only two forwarder addresses configured.
server:
    ssl-upstream: yes

forward-zone:
    name: "."
    forward-addr: 103.247.36.36@853
    forward-addr: 103.247.37.37@853