
I'm using pihole with an upstream DNS server of Quad9 DoH. The upstream DNS and the pihole are configured with docker via a docker-compose.yml file, with the upstream DoH server using the cloudflared service.

version: "3.5"
networks:
  network-pihole:
    name: "dns-pihole"
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.10.0.0/24    # Internal Docker network between pihole and wireguard, bridged

services:
  cloudflared:
    image: crazymax/cloudflared:latest
    container_name: cloudflared
    ports:
      - '5053:5053/udp'
      - '5053:5053/tcp'
    environment:
      - "TZ=Europe/Budapest"
      - "TUNNEL_DNS_UPSTREAM=https://9.9.9.9/dns-query,https://149.112.112.112/dns-query"
      # - "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query"
    restart: unless-stopped
    networks:
      network-pihole:
        ipv4_address: 192.10.0.2

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      - "TZ=Europe/London"
      - "PIHOLE_DNS_=192.10.0.2#5053"
    dns:
      - 127.0.0.1
      - 9.9.9.9
    # Volumes store your data between container upgrades
    volumes:
      - "./etc-pihole/:/etc/pihole/"
      - "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      network-pihole:
        ipv4_address: 192.10.0.3

Within the cloudflared service under environment:, I set the TUNNEL_DNS_UPSTREAM= setting to https://9.9.9.9/dns-query,https://149.112.112.112/dns-query, and the pihole service under dns: to 9.9.9.9.

Everything works great, however when I browse to this and this Cloudflare checker it says I'm not using DNS over HTTPS / secure DNS.

However, if I use Cloudflare's DoH, setting TUNNEL_DNS_UPSTREAM= to https://1.1.1.1/dns-query,https://1.0.0.1/dns-query and the pihole service under dns: to 1.1.1.1, then run the two Cloudflare tests again, it now says: Using DNS over HTTPS (DoH) yes, and a green tick for secure DNS.

I'm not sure why these tests don't work for Quad9 DoH. Is there another way to verify that I am using Quad9 DoH?

I'm not even sure if I could use Wireshark to look at packets to see if DNS queries are encrypted? I'm very new to Wireshark, so if that was a method of verifying Quad9 DoH then I'm not sure what I'd be looking for.

3 Answers

Everything works great, however when I browse to this and this Cloudflare checker it says I'm not using DNS over HTTPS / secure DNS:

The Cloudflare checker has no way of knowing whether you're using DNS over HTTPS or not in general. The only thing it knows is whether you're using Cloudflare DoH services specifically.

The way this checker works is that Cloudflare has set up its servers to respond differently to certain domains depending on how the query was made. The webpage can't actually know what your DNS setup is, but instead it queries a few special domains that only 1.1.1.1 will recognize.

For example, if you ask 1.1.1.1 about the name is-cf.help.every1dns.net, you'll get a successful reply, but if you ask any other DNS server about the same name, it will say that the domain doesn't exist. (Similarly, the is-dot subdomain will only give you results if the query arrived via DoT, and is-doh will only respond through DoH.)

But all those magic subdomains are Cloudflare-specific – if you ask e.g. 9.9.9.9 about any of them, it will just always say that the domain doesn't exist, because from the global DNS point of view it indeed does not.

I'm not even sure if I could use Wireshark to look at packets to see if DNS queries are encrypted? I'm very new to Wireshark, so if that was a method of verifying Quad9 DoH then I'm not sure what I'd be looking for.

Start with filtering for packets sent to the configured DNS server. For example, if you've configured DNS servers 1.1.1.1 + 1.0.0.1, and a DoH URL of https://1.1.1.1/dns-query, then you should filter the capture for those two IP addresses.

  • Capture filter (libpcap syntax): host 1.1.1.1 or 1.0.0.1

    The same syntax is used for IPv6, e.g. host 1.1.1.1 or 2606:4700:4700::1111.

  • Display filter (Wireshark syntax): ip.addr == 1.1.1.1 || ip.addr == 1.0.0.1

    For IPv6, the syntax is ipv6.addr == 2606:4700:4700::1111.

Cleartext DNS will be instantly recognizable as, well, cleartext DNS – Wireshark will show you the actual contents of each query and response.

Meanwhile both DoH and DoT will show up as TLS packets. Both use the same kind of TLS, and the main way to distinguish them is to look at the TCP port number: if you're using DoT, you will see a connection to the dedicated "DNS over TLS" port 853, while DoH uses the same port 443 as HTTPS in general.

(It's not just the port number – DoH literally puts the queries inside HTTP requests, while DoT doesn't. You won't see this in Wireshark, due to it being TLS-encrypted, but it doesn't matter for your purposes anyway.)

Note that because DoH is indistinguishable from regular HTTPS (such as visiting the https://1.1.1.1 website in a browser), the presence of TLS packets on port 443 doesn't mean much – it's also the absence of cleartext DNS packets on port 53 that you additionally need to pay attention to.
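The port-based reasoning above, as an added example that is not part of the original answer: constructed packet records (destination, transport, port, first payload bytes) are filtered to the Quad9 upstreams from the question's compose file and classified the way Wireshark output would be read. The TLS ClientHello bytes and the DNS query message are constructed here, not captured traffic.

```python
import struct

# The TUNNEL_DNS_UPSTREAM hosts from the compose file (the ip.addr == a || ip.addr == b filter)
UPSTREAMS = {"9.9.9.9", "149.112.112.112"}

def dns_query(name, qtype=16, txid=0x1234):
    """Build a minimal DNS query in wire format (qtype 16 = TXT); used as a cleartext sample."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # id, flags (RD), qd=1, an/ns/ar=0
    return header + qname + struct.pack("!HH", qtype, 1)        # qtype, qclass IN

def is_tls_client_hello(b):
    # TLS record header: content type 0x16 (handshake), major version 3, handshake type 0x01
    return len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[5] == 0x01

def classify(dst, proto, dport, payload):
    """Classify one packet to an upstream resolver by port, as the answer describes."""
    if dst not in UPSTREAMS:
        return "not-upstream"
    if dport == 53:
        return "cleartext-dns"      # Wireshark would dissect this as plain DNS
    if proto == "tcp" and is_tls_client_hello(payload):
        if dport == 853:
            return "dot"            # dedicated DNS-over-TLS port
        if dport == 443:
            return "tls-443"        # DoH or ordinary HTTPS: indistinguishable on the wire
    return "other"

def verdict(packets):
    """Overall reading of a capture: any port-53 query to the upstream means it is not encrypted."""
    kinds = {classify(*p) for p in packets}
    if "cleartext-dns" in kinds:
        return "unencrypted"
    if "dot" in kinds:
        return "dot"
    if "tls-443" in kinds:
        return "doh-or-https"
    return "no-upstream-traffic"

# Constructed sample captures (not real traffic)
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xc0, 0x01, 0x00, 0x00, 0xbc, 0x03, 0x03])
GOOD_CAPTURE = [
    ("9.9.9.9", "tcp", 443, CLIENT_HELLO),                  # cloudflared -> Quad9 over TLS
    ("192.10.0.2", "udp", 5053, dns_query("example.com")),  # pihole -> cloudflared, internal network
]
LEAKY_CAPTURE = GOOD_CAPTURE + [("9.9.9.9", "udp", 53, dns_query("example.com"))]

if __name__ == "__main__":
    print(verdict(GOOD_CAPTURE), verdict(LEAKY_CAPTURE))
```

Plain port-53 packets to 9.9.9.9 can also come from the pihole container's own resolver, which the compose file's dns: list points at 9.9.9.9, so check the source of any cleartext query before concluding the cloudflared upstream path is unencrypted.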


You are trying to determine whether the pihole upstreams are DoH. Your browser, however, is probably doing plain old UDP queries against the pihole.

In this scenario, the Cloudflare checkers can only assess your setup reliably if your DNS queries are being sent to their servers. They can do this, for instance, by making your browser query for some randomly generated subdomain string and then checking whether their servers received a query for that subdomain over DoH. But they can't do that if you are sending your DNS queries to servers they don't control.

  • Is there another way to check? Commented Mar 5, 2022 at 14:38
  • The only way I can think of right now is to watch the traffic on the machine responsible for the upstream queries. Commented Mar 5, 2022 at 14:43
  • Well, see the answer that @user1686 just posted for a much more detailed rundown. Commented Mar 5, 2022 at 14:48

Quad9 specifically has two verification methods:

  1. https://on.quad9.net/
  2. dig +short txt proto.on.quad9.net.

The former only tells you whether you are using Quad9 or not, the latter (docs) will respond with the protocol you are using.
