DNS over HTTPS: enabling, padding, live. Great success!


OK, turns out this was easier than I thought.

I added this line on my router (running LEDE 17.04). I did this via LuCI, but you can just edit the /etc/opkg/distfeeds.conf file too.

src/gz reboot_packages https://downloads.openwrt.org/snapshots/packages/arm_cortex-a9_vfpv3/packages/

to my package source list. I then did 'opkg install stubby'.

In /etc/stubby/stubby.yml, I added the following (see https://getdnsapi.net/documentation/manpages/stubby/ for docs):

upstream_recursive_servers:
# IPv4 addresses
# The 1.1.1.1 Cloudflare Servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

# IPv6 addresses
# The 1.1.1.1 Cloudflare Servers
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

I then added

	list server '127.0.0.1#5453'
	option noresolv '1'

in the dnsmasq section of /etc/config/dhcp.

And then I was set.

One nice thing to see: the Cloudflare DNS service does 'padding'. This means you cannot easily infer the domain name from the size of the encrypted TCP packet.

# dig -p 5453 @127.0.0.1 foobar1.com

; <<>> DiG 9.11.2-P1 <<>> -p 5453 @127.0.0.1 foobar1.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15256
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("............................................................................................................................................................................................................................................................................................................................................................")
;; QUESTION SECTION:
;foobar1.com.			IN	A

;; AUTHORITY SECTION:
com.			900	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1522697188 1800 900 604800 86400

;; Query time: 100 msec
;; SERVER: 127.0.0.1#5453(127.0.0.1)
;; WHEN: Mon Apr 02 15:26:43 EDT 2018
;; MSG SIZE  rcvd: 471
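
What padding hides from an on-path observer, as an added example (not from the original post): it builds DNS queries in wire format with and without the EDNS(0) Padding option (code 12, RFC 7830) and compares the message sizes. The 128-byte block size and the sample names are assumptions chosen for illustration.

```python
import struct

PADDING_OPT = 12   # EDNS(0) Padding option code (RFC 7830)
BLOCK = 128        # assumed block size for this example

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, pad_to=None, qid=0x1234):
    """Build an A/IN query; with pad_to, append an OPT RR padded to that block size."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if pad_to else 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    if pad_to:
        # OPT RR overhead: root name (1) + type/class/ttl/rdlen (10) + option header (4)
        pad_len = (-(len(msg) + 15)) % pad_to
        option = struct.pack("!HH", PADDING_OPT, pad_len) + b"\x00" * pad_len
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option
    return msg

def padding_length(msg):
    """Return the Padding option length in a query built above, or None if absent."""
    qdcount, _, _, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):          # skip the question (uncompressed name)
        while msg[pos]:
            pos += msg[pos] + 1
        pos += 1 + 4                  # root label + QTYPE + QCLASS
    if not arcount:
        return None
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    pos, end = pos + 11, pos + 11 + rdlen
    while rtype == 41 and pos < end:  # walk the EDNS options in the OPT RR
        code, length = struct.unpack("!HH", msg[pos:pos + 4])
        if code == PADDING_OPT:
            return length
        pos += 4 + length
    return None

def observed_sizes(names, pad_to=None):
    """Message length per name: what packet sizes reveal to an on-path observer."""
    return {n: len(build_query(n, pad_to)) for n in names}

if __name__ == "__main__":
    names = ["a.io", "foobar1.com", "a-much-longer-hostname.example.org"]  # constructed
    print("unpadded:", observed_sizes(names))
    print("padded:  ", observed_sizes(names, BLOCK))
```

Without padding, each name produces a distinct message length that survives encryption; with padding, all three collapse to the same block size.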

4 comments on “DNS over HTTPS: enabling, padding, live. Great success!”
  1. db illucent says:

    Thank you very much for the detailed tutorial. I’m also experimenting with DNS TLS and searched to add Cloudflare's new 1.1.1.1 into stubby.yaml. Noticed a significant increase in speed even with changing my router’s primary DNS settings to 1.1.1.1.

  2. That is the config I have on my laptop (Mac). Has worked quite well this week. Need to put it into my home network next.
    -mike.

  3. The only thing I find odd is that you are using the same values for the hash of the certificate — it appears to work. When I pulled the values to create the config, the 1.1.1.1 server returned a different value, which doesn’t work.

    mdundas@HGMacBookPro:~$ !835
    openssl s_client -servername 1.1.1.1 -connect 1.1.1.1:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    depth=0 C = US, O = Cisco Systems Inc., OU = DeviceSSL (WebAuth), CN = 1.1.1.1
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, O = Cisco Systems Inc., OU = DeviceSSL (WebAuth), CN = 1.1.1.1
    verify return:1
    y7GHKo7Jnl8X4QnOZR8GoM95IchLLdKNnhAuq2gCz7k=
    ^C
    mdundas@HGMacBookPro:~$ !836
    openssl s_client -servername 1.0.0.1 -connect 1.0.0.1:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    depth=2 C = US, O = DigiCert Inc, OU = http://www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
    verify return:1
    depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = *.cloudflare-dns.com
    verify return:1
    yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
    ^C
    mdundas@HGMacBookPro:~$

  4. db db says:

    The pin is shown below:

    $ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com donbowman.ca
    ;; DEBUG: Querying for owner(donbowman.ca.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
    ;; DEBUG: TLS, imported 148 system certificates
    ;; DEBUG: TLS, received certificate hierarchy:
    ;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare\, Inc.,CN=*.cloudflare-dns.com
    ;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
    ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
    ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
    ;; DEBUG: TLS, skipping certificate PIN check
    ;; DEBUG: TLS, The certificate is trusted.
    ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 17638
    ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
