knb:dohdot_en

DNS-over-HTTPS and DNS-over-TLS support

Picture: Freifunk München logo

Sep 16, 2019

Surely you have heard of the topic that is currently all over the IT news: Mozilla is going to integrate Cloudflare into Firefox as the DoH server and enable it by default. In itself, encrypting DNS queries so that they cannot be read in open networks (like Freifunk) is not a bad idea. However, using a provider from America by default is a thorn in the side of many users, and of us.

That is why we have set up a DoH/DoT server for you, which you can, for example, add directly to Firefox, use via an app, or combine with another DNS server.

We have also registered with the DNSCrypt project, so that we are automatically included in apps like DNSCloak (iOS) or dnscrypt-proxy.

Addresses:

  • doh.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255, IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::
  • dot.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255, IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::

The settings in Firefox can be made conveniently via the user interface. Detailed instructions can also be found directly at mozilla.org: https://wiki.mozilla.org/Trusted_Recursive_Resolver. For German-speaking users there is also a detailed explanation/guide in the Privacy Manual!

Enter about:preferences#general in the address bar and follow the screenshots. For the network settings you have to scroll down.

Picture: Firefox settings menu entry

Here we select „Custom“ in the dropdown field [ Use provider v ] and enter the value https://doh.ffmuc.net/dns-query into the field [ Custom ].

Picture: Firefox DNS-over-HTTPS settings

Alternatively, the configuration can be done directly by entering the „address“ about:config. The corresponding options can be found by searching for network.trr.

Picture: Firefox about:config entries for network.trr

On iOS, install the DNSCloak app and select the FFMUC servers via the search:

Picture: setting options in DNSCloak

On Android (from Android 9 onward), go to „Settings“ and then „Wi-Fi & Internet“. Further down there is a field „Private DNS“. If you tap on it, the following dialog appears:

Picture: „Settings“ > „Wi-Fi & Internet“ on Android 9

After you have clicked on „Save“, „dot.ffmuc.net“ appears in the overview:

Picture: „Settings“ > „Wi-Fi & Internet“ on Android 9, with dot.ffmuc.net shown in the overview

If you have an Android version older than Android 9, you will need to use other apps. Our current recommendation is „Intra“ (Play Store link).

Select „DNS-over-HTTPS server“ to configure the settings.
There, enter https://doh.ffmuc.net/dns-query as the „User-defined server URL“:

Picture: setting options in the „Intra“ app on Android

When you activate it, it can look like this:

Picture: detailed view of an active connection in the „Intra“ app on Android

If you use unbound as your resolver, adding a DoT upstream is very easy. Add the following to your „normal“ configuration:

 server:
        tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # CA bundle for certificate verification (Debian path; adjust for your system)

 forward-zone:
        name: "."
        forward-tls-upstream: yes   # required, otherwise unbound sends plaintext DNS to port 853
        forward-addr: 5.1.66.255@853#dot.ffmuc.net
        forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net

If everything worked, you can run a DNS leak test; the result should look like this:

Picture: result of the test via dns-leak.com

Of course there is also a detailed status page where you can see all available statistics about the service.

Just to say it clearly:

At Freifunk München there are no logs that would allow any conclusions about usage. There are a few general counters:

https://stats.ffmuc.net/d/tlvoghcZk/doh-dot

And we have logs of requests per IP for rate limiting, but they only record 'that' and not 'what'.

If you want to know more about this topic, the following talks are recommended:

  • knb/dohdot_en.txt
  • Last modified: 2022/03/01 19:43
  • by awickert