DNS-over-HTTPS and DNS-over-TLS support
Sep 16, 2019
Background Information
You have surely heard of the topic that is currently all over the IT news: Mozilla will integrate Cloudflare into Firefox as the DoH server and enable it by default. In itself, encrypting DNS queries so that they cannot be read in open networks (like Freifunk) is not a bad idea. However, having a provider from America as the default is a thorn in the side of many users, and of us.
That is why we have set up a DoH/DoT server for you, which you can, for example, add directly to Firefox, use via an app, or combine with another DNS server.
We have also registered with the DNSCrypt project's resolver list, so that we are automatically available in apps like DNSCloak (iOS) or dnscrypt-proxy.
Addresses:
doh.ffmuc.net
  IPv4: 5.1.66.255 / 185.150.99.255
  IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::
dot.ffmuc.net
  IPv4: 5.1.66.255 / 185.150.99.255
  IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::
Firefox
The settings in Firefox can be made conveniently via the user interface. Detailed instructions can also be found directly at mozilla.org: https://wiki.mozilla.org/Trusted_Recursive_Resolver For German-speaking users there is also a detailed explanation/guide in the Privacy Manual!
Enter about:preferences#general in the address bar and follow the screenshots. The network settings are at the bottom of the page, so you have to scroll down.
In the dropdown field [ Use provider v ] select the user-defined entry and enter the value
https://doh.ffmuc.net/dns-query
into the field [ Custom ].
Alternatively, the configuration can be done directly after entering the „address“ about:config. The corresponding options can be found by searching for network.trr.
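To make concrete what a client such as Firefox sends to the URL above, here is an added Python example (not code from the original post or from the Freifunk München service): it builds the RFC 8484 GET form of a DoH query for doh.ffmuc.net and parses a reply, handling the name compression real resolvers use. It sends nothing over the network; the response bytes are a constructed sample, not a capture from the real server.

```python
import base64, ipaddress, struct

DOH_ENDPOINT = "https://doh.ffmuc.net/dns-query"  # endpoint from the post above

def build_query(name, qtype=1, txid=0):
    # header (id, flags with RD set, qdcount=1) + name as length-prefixed labels + type/class;
    # RFC 8484 recommends txid 0 for DoH so that HTTP caches can reuse responses
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(wire, endpoint=DOH_ENDPOINT):
    # GET form of a DoH request: base64url without '=' padding in the 'dns' parameter
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def read_name(msg, off):
    # decode a possibly compressed name; returns (name, offset just after it in the message)
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: continue at the referenced offset
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_answers(msg):
    # return (name, type, address) for the A/AAAA records of a DNS response message
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:
            answers.append((name, "A", str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28:
            answers.append((name, "AAAA", str(ipaddress.IPv6Address(rdata))))
    return answers

# Constructed sample reply (not captured from the real server): doh.ffmuc.net A 5.1.66.255, answer name
# compressed to a pointer at the question (0xC00C), as resolvers do
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("doh.ffmuc.net", txid=0x1234)[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([5, 1, 66, 255]))
```

Calling doh_get_url(build_query("doh.ffmuc.net")) gives the URL a DoH client fetches, and parse_answers(SAMPLE_RESPONSE) shows how the answer section is read back.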
DNSCloak (iOS)
Android
Android 9
In Android (from Android 9 on) go to „Settings“ and then to „Wi-Fi & Internet“. Below that is a field „Private DNS“. If you tap on it, the following dialog appears:
After you have tapped „Save“, „dot.ffmuc.net“ appears in the overview:
Android < 9
If you have an Android system older than Android 9, you will need to use another app.
Our current recommendation is „Intra“ (Play Store link).
Select „DNS-over-HTTPS server“ to configure the settings.
There you enter https://doh.ffmuc.net/dns-query
as the „User-defined server URL“:
When it is activated, it can look like this:
Unbound
If you are using unbound as your resolver, adding a DoT server is very easy. Add the following to your „normal“ configuration:
forward-zone:
    name: "."
    # dot.ffmuc.net on port 853; the name after '#' is what unbound checks the TLS certificate against
    forward-addr: 5.1.66.255@853#dot.ffmuc.net
    forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net
    # without this line unbound would send plain DNS to port 853; for the name check,
    # tls-cert-bundle must also be set in the server: section
    forward-tls-upstream: yes
DNS leak test
If everything worked, you can run a DNS leak test and the result should look like this:
Statistics
Of course there is also a detailed status page where you can see all available statistics about the service.
Just to be clear:
At Freifunk München, there are no logs that allow any conclusions to be drawn about the use.
There are a few general counters:
https://stats.ffmuc.net/d/tlvoghcZk/doh-dot
And we have logs of requests per IP for rate limiting, but they only record 'that' a request was made, not 'what' was requested.
More about this topic
If you want to know more about this topic, the following talks are recommended: