Encrypt DNS requests to WAN

Hello everyone,

I’m currently trying to set up VyOS (1.4-Rolling-202308220020 - pretty much as an edge-firewall for a smaller site) to encrypt its outgoing DNS-requests.

Not talking about the communication between clients in the LAN and the VyOS-Router itself, but rather the router sending and forwarding requests to its specified public name-servers (Quad9, 1.1.1.1 etc.).

To my understanding, the following command is used for the communication between the LAN and VyOS: set service dns forwarding dnssec, as it states “to clients” multiple times, and I’m also still seeing cleartext DNS-requests being sent to the WAN.

Also, under set system name-server there is no option to configure anything DNSSEC-related, where it would surely fit the most…

Couldn’t find anything in the forums, vyos.dev, docs etc. either… Am I missing something?

Kind regards

Hello,

DNSSEC is not for encrypting the DNS request, it is used for making the DNS data itself more secure by using digital signatures based on public key cryptography. With DNSSEC, it’s not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data.

What I did to achieve what you describe above is spinning up a specialized PiHole instance with preconfigured DoH to Cloudflare.

I am using the following docker image: azamserver/pihole-doh

I am just lazy and using someone else’s work here, but you are of course welcome to create your own image for this purpose.

The container configuration:

container {
     name pihole {
         environment DNS1 {
             value 127.0.0.1#5053
         }
         environment TZ {
             value <Your Timezone>
         }
         environment WEBPASSWORD {
             value <SuperSecretPassword123>
         }
         image azamserver/pihole-doh:latest
         network con_net {
             address 10.1.0.9
         }
         port dns_udp {
             destination 53
             protocol udp
             source 5353
         }
         port web_mgmt_tcp {
             destination 80
             protocol tcp
             source 8080
         }
         volume pihole_config {
             destination /etc/pihole/
             source /config/podman/pihole/config
         }
         volume pihole_dnsmasq {
             destination /etc/dnsmasq.d/
             source /config/podman/pihole/dnsmasq
         }
         volume pihole_log {
             destination /var/log/pihole/
             source /config/podman/pihole/log
         }
     }
     network con_net {
         prefix 10.1.0.0/24
     }
 }

Note: Persistent volumes are optional. I am using the local DNS function for all my internal DNS records and I of course want that to be persistent. If you do not need this feature you can ignore the volume mapping.

I decided not to use any container capabilities/permissions and I am doing a port mapping for what I want to have. The web_mgmt_tcp is optional, and the source port for dns_udp can be anything above the privileged ports (>1024).

I have then configured DNS forwarding and all my internal clients are using a VyOS VLAN interface as their DNS server:

service {
   dns {
       forwarding {
           allow-from <Required field, specify your desired range of allowed IPs>
           cache-size 0
           listen-address <Your DNS listen Address>
           name-server 127.0.0.1 {
               port 5353
           }
       }
   }
}

This would also of course require SNAT rules for your container network to allow PiHole to reach out to cloudflare for lookups.

Note: If you are using zone based firewall you need to add the container network interface to your desired zone!

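The same setup written out as VyOS 1.4 configuration-mode commands, as an added example that is not the poster’s own config. It assumes a WAN interface named eth0, a LAN-side listen address of 192.168.1.1 with clients in 192.168.1.0/24, and the timezone/password values shown as placeholders; the container image, the 127.0.0.1#5053 upstream and the 10.1.0.0/24 container network are taken from the post above. The optional last two lines are an assumption about how to also send the router’s own lookups through the forwarder; they are not something the post describes.

```vyos
# Added example (not the poster's config). Assumptions: WAN is eth0,
# LAN listen address 192.168.1.1, clients in 192.168.1.0/24.

# Container network and the PiHole/DoH container from the post
set container network con_net prefix 10.1.0.0/24
set container name pihole image azamserver/pihole-doh:latest
set container name pihole network con_net address 10.1.0.9
set container name pihole environment DNS1 value '127.0.0.1#5053'
set container name pihole environment TZ value 'Europe/Berlin'
set container name pihole environment WEBPASSWORD value 'SuperSecretPassword123'
set container name pihole port dns_udp source 5353
set container name pihole port dns_udp destination 53
set container name pihole port dns_udp protocol udp
set container name pihole port web_mgmt_tcp source 8080
set container name pihole port web_mgmt_tcp destination 80
set container name pihole port web_mgmt_tcp protocol tcp
set container name pihole volume pihole_config source /config/podman/pihole/config
set container name pihole volume pihole_config destination /etc/pihole/
set container name pihole volume pihole_dnsmasq source /config/podman/pihole/dnsmasq
set container name pihole volume pihole_dnsmasq destination /etc/dnsmasq.d/
set container name pihole volume pihole_log source /config/podman/pihole/log
set container name pihole volume pihole_log destination /var/log/pihole/

# Forwarder: LAN clients ask VyOS, VyOS asks the container on 127.0.0.1:5353
# (custom forwarder port is the T5113 feature mentioned later in the thread)
set service dns forwarding listen-address 192.168.1.1
set service dns forwarding allow-from 192.168.1.0/24
set service dns forwarding cache-size 0
set service dns forwarding name-server 127.0.0.1 port 5353

# SNAT so the container network can reach Cloudflare for the DoH (443/tcp) upstream
set nat source rule 100 source address 10.1.0.0/24
set nat source rule 100 outbound-interface name eth0
set nat source rule 100 translation address masquerade

# Assumption, not from the post: to make the router's OWN lookups (the original
# question) go through the same path, let the forwarder listen on loopback and
# point the system resolver at it instead of at a public server.
set service dns forwarding listen-address 127.0.0.1
set system name-server 127.0.0.1

commit
save
```

To check that nothing leaves in cleartext afterwards, watch the WAN interface from op-mode with monitor traffic interface eth0 filter 'port 53' while triggering a lookup; only the container’s TLS session on 443/tcp to the DoH upstream should be visible. If you use the zone-based firewall, the container network’s interface still has to be placed in a zone, as the post notes.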

Thank you for the detailed response and the clarification!

Then I’ll probably just wait until it is officially supported, not really a big fan of running my own containers or software etc. on such crucial devices… But thanks again for the info & effort!

No problem!

VyOS is first and foremost a routing platform, and secondly a firewall platform. Features such as DNS servers or other features that you might see on other platforms will likely never be natively integrated with VyOS. This is to my understanding the philosophy of VyOS and also my understanding of why they implemented Podman to be able to run containers so people can run any services they want.

VyOS is based on Debian, however VyOS is considered a software appliance and while technically possible it is not supported to install packages from Debian software repositories because it may cause issues with VyOS itself. This is why we can run containers: it does not affect system binaries.

The summary of this text is that I do not think this will ever become an officially supported feature, and the approach I describe above is “supported”, however not natively without using a container.

If you are curious VyOS has a public roadmap available: https://roadmap.vyos.io/

What it can do when it comes to encryption is to set up an encrypted VPN-tunnel elsewhere, for example through WireGuard, and then either select that only DNS-requests are sent through this tunnel (identified by udp and tcp dstport 53) or select that ALL traffic should be pushed through this tunnel.

That is for the use case that you want to hide dns-queries from your current provider.

I get your view/idea of the project, but don’t 100% agree with it tbh.

I’ve been following the project for “only” about a year now (reading through new and old tasks on vyos.dev almost daily) and I agree with your view to 90+%…

The main focus is obviously to build a router instead of a NGFW, DNS-Server, WAF, (Reverse-)Proxy, etc. No question. But there have been many features implemented and on the road-map as well as in the works, that don’t make too much sense to me then tbh. For example integration of IDS/IPS (Suricata), Web-Proxy, UPnP, WiFi… I’m not saying anything against them, but this is rather an indicator for me, that there is always room for at least some features/improvements in areas, as long as they are needed by the customers (and community) and make some sense to have on the system.
Especially if you only need a basic WiFi connection for whatever reason for example and otherwise have to buy a separate AP etc…

And the ability to encrypt DNS-requests (that VyOS itself generates!!) is in my opinion not an unrealistic feature from what I’ve seen over the past years at all tbh… In my opinion, it could rather be a crucial security feature for almost every system on the internet nowadays… (especially because of MITM etc.)

No critique etc. just my point of view (especially of security) though…

Hello again,

I agree that there is always a possibility for the VyOS team to add features natively based on community and customer feedback, however I would say the features you mention are more enterprise oriented like IDP/IPS. Running a DNS server on your router is not common at all in the enterprise world, perhaps for small businesses but that is not enterprise by scale. I am doing it at home because it is very convenient, and I do have quite a few hypervisor servers, but my use case is that I want to be able to turn them off whenever I feel like it.

The approach @Apachez mentioned above using a VPN protocol will achieve the same thing if it is your provider you want to hide your queries from. This is actually what I am doing using Mullvad Wireguard VPN provider.

The good thing with VyOS is that you can make your own proposals from feature requests to design suggestions to the actual sourcecode needed to fulfill those request(s).

Make sure to register them at https://vyos.dev

Personally I think it would be a great feature to include a DNS-server similar to how the DHCP-server is already included. Handy for offline networks where internet is not an option. But also for the case where you need a DNS-server but don’t want to have to learn all the details of configuring bind9 (or dnsmasq, powerdns, unbound etc) properly along with maintaining an OS-installation.

Since VyOS has this great “cisco-like” config as frontend it will be much easier to use that to set up and configure a DNS-resolver or authoritative DNS-server than to learn all the actual config needed to make bind9 run properly (not to mention that you won’t have to deal with the operating system itself since updates will arrive as an iso file).

The drawback is of course what this frontend should look like without blocking all the possibilities bind9 brings you when you configure it manually by yourself. Then of course once the templates have been created for this regarding op-mode and config-mode this must be maintained over time.

Which gives that if the VyOS maintainers themselves don’t have a DNS-server on medium or high priority there is a great risk that once VyOS 1.5 is released the DNS server feature might get broken.

The workaround is as mentioned to use an encrypted VPN-tunnel to send the traffic elsewhere or install your own container to let the VyOS box do whatever you want it to do. For example a bind9 container - you will still need to learn the bind9 syntax but everything else (OS installation itself along with all config except dns) will be taken care of by VyOS.

Like you already said, maybe “DNS-Server” will be a feature at some point… However I also don’t see it as a needed feature right now… Imo the “DNS-Forwarding”-option is already good enough for most use cases, where VyOS is configured as router or “lite-firewall” etc… Also as mentioned, this would probably put a high amount of work on top of the project/maintainers to make stable and feature-rich, which should be used to improve other parts of the system right now instead imo…

Before the original post I’ve already thought about the options that both of you have mentioned, as well as a few others in this specific situation (AdGuard on RPi, configuring DoH on a WS DC, etc.)… But in this specific case/environment, the possible problems that can be caused as well as the maintenance and effort in general, probably isn’t worth it… Also a simple “set system name-server prefer-secure” or “set system name-server 9.9.9.9 dot” etc. would’ve been perfect…

EDIT:

While doing some more research on GitHub, I’ve found a commit from March this year, which allows using a custom port when specifying a forwarding name-server: dns: T5113: Support custom port for name-server forwarders by indrajitr · Pull Request #1914 · vyos/vyos-1x · GitHub

eg. set service dns forwarding name-server 9.9.9.9 port 853

This then automatically uses an encrypted connection.

Also, there already is a task open for this topic, which I was unable to find until now… ⚓ T2195 Support for encrypted DNS: dnscrypt, DoH, DoT, anonymized DNS

Still thanks for your effort and good input.
