avatarLife-is-short--so--enjoy-it

Summary

The article discusses securing DNS requests from AdGuard to upstream DNS servers using DNS-over-HTTPS (DoH) for enhanced privacy and security.

Abstract

The author of the article explains the importance of encrypting DNS requests to protect privacy, especially when these requests are transmitted over the internet. Initially, the author used plain text DNS servers like Cloudflare DNS, Google DNS, and Quad9. Recognizing the security risks, the author transitioned to using DoH endpoints provided by these same DNS servers to ensure the DNS queries are encrypted. The article also compares DoT (DNS over TLS) with DoH, ultimately favoring DoH for its ability to blend DNS queries with regular HTTPS traffic, thus offering more privacy. Although acknowledging a slight performance hit due to the encryption overhead, the author deems the trade-off acceptable for the privacy benefits. The article concludes by hinting at a future post discussing the use of Unbound DNS.

Opinions

  • The author believes that securing DNS requests is crucial for privacy, particularly for requests that traverse the internet.
  • DoH is preferred over DoT for its privacy advantages, as it masks DNS queries within HTTPS traffic, making them less visible to network administrators.
  • Despite the slight decrease in performance due to encryption, the privacy gains are considered worthwhile.
  • The author values the simplicity of using domain names for upstream DNS servers, even though it requires an initial DNS resolution, because AdGuard's caching mitigates potential slowdowns.
  • The author plans to explore the use of Unbound DNS in a future post, suggesting a particular interest or advantage in this DNS solution.

HomeLab: AdGuard: How to Secure DNS requests to Upstream DNS servers

The DNS requests to Upstream DNS can be secured to protect our privacy.

How to Secure DNS requests to Upstream DNS

Intro

Like I described in the previous post, I wanted to secure the DNS requests from AdGuard to the upstream DNS.

Since my AdGuard runs in my Private Network, I don’t need to setup the “Encryption setting” in AdGuard to encrypt the DNS requests between my computer and AdGuard.

However, since the DNS requests from AdGuard to the upstream DNS go through Internet, the DNS requests should be encrypted.

High Level: DNS resolution when AdGuard exists

upstream DNS servers I used before

I mainly used the IP of DNS servers ( Cloudflare DNS, Google DNS, and Quad9 ).

It was just simple and it was what I used to set in /etc/resolve.conf in Linux.

  • 1.1.1.1: Quad9 DNS
  • 8.8.8.8: Google DNS
  • 9.9.9.9: Cloudflare DNS

With these upstream DNS servers, the DNS requests from AdGuard to those DNS servers are a plain text. It’s not secure.

AdGuard: upstream DNS servers

How to Secure DNS requests to Upstream DNS

The DNS requests can be secured by replacing the list of upstream DNS servers with the TLS or HTTPS endpoints DNS servers.

The list of DNS servers can be found here.

In my case, I picked the DNS-over-HTTPS endpoints of those DNS severs I used to use.

AdGuard: upstream DNS servers with DNS-over-HTTPS

DoT ( DNS over TLS ) vs. DoH ( DNS over HTTPS )?

Based on what I read on the Cloudflare post, the DoT is simpler to block and manage and the DoH is more secure since it is mixed with the typical HTTPS traffic.

I picked DoH ( DNS over HTTPS )

from a privacy perspective, DoH is arguably preferable. With DoH, DNS queries are hidden within the larger flow of HTTPS traffic. This gives network administrators less visibility but provides users with more privacy. — https://www.cloudflare.com/learning/dns/dns-over-tls/

Performance Concern In DoT and DoH

First, to resolve the domain name of upstream DNS servers ( because they starts with domain name ), DNS servers are required 😐. In AdGuard, these DNS servers are called “Bootstrap DNS servers”. If the IP based upstream DNS servers are used ( e.g. 1.1.1.1 ), then the “Bootstrap DNS servers” is not necessary.

Since AdGuard will cache the DNS, the DNS requests for the upstream DNS servers won’t slow down much.

AdGuard: Bootstrap DNS servers.

Second, DoT and DoH spend extra time to encrypt the DNS requests, so they are slightly slower than the plain DNS requests.

Overall, the DoT and DoH are little slower than the DNS plain.

The screenshot below is one I caught after I replaced with DNS-over-HTTPS upstream servers. The DNS-over-HTTPS is slightly slower than DNS plain.

AdGuard: Performance difference between DNS Plain and DNS over HTTPS

Next Post about AdGuard

In the next post, I will talk about why I decided to use Unbound DNS in my Local DNS.

Rerferences

Adguard
Security
DNS
Homelab
Recommended from ReadMedium
avatarcheetooh
🚀 Enhancing My Homelab with Docker, Portainer, Traefik Proxy, and Nginx Proxy Manager 🖥️

My homelab setup with Docker, Portainer, Traefik Proxy and overcoming specific challenges with Nginx Proxy Manager.

4 min read
avatarHarendra
11 Open-Source SaaS Killer — Selfhost With Docker

Selfhost Supabase, Grafana, Uptime Kuma, NocoDB, Dokku, Appwrite, N8N, Redash, Jitsi, Plausible and Nextcloud with docker

6 min read
avatarDmitrii Eliuseev
You Can Still Use a Pager in 2023

How a Raspberry Pi will help you resurrect this classic communications device

12 min read
avatarMohit Vaswani
9 Unique Mac Apps That will Shock you

There are tons of Mac apps that you’re unaware of that can change the way you work.

5 min read
avatarDylan Cooper
Google to Replace C++ with Rust in Android, Rewriting Firmware in Rust is Too Easy?

Google recently rewrote the protected virtual machine firmware within the Android virtualization framework using the Rust programming…

8 min read
avatarNikhil Taneja
Self-Hosting Applications on Raspberry Pi 5

Introduction

7 min read