
DNS-over-HTTPS/-TLS/-QUIC-Support

Picture: Freifunk München logo

Surely you've heard of the topic currently haunting IT news: Mozilla will integrate Cloudflare as the DoH server in Firefox and enable it by default. In itself, encrypting DNS queries so that they can't be read in open networks (like Freifunk) is not a bad idea. However, using a provider from America by default is a thorn in the side of many users, and of us.

That's why we have set up a DoH/DoT/DoQ server for you, which you can, for example, add directly to Firefox, use via an app, or combine with another DNS server.

We have also registered with the DNSCrypt project, so that we are automatically listed in apps like DNSCloak (iOS) or dnscrypt-proxy.

Our DNS servers are available both as "normal" DNS servers (plain, unencrypted DNS over UDP/TCP) and via the following protocols:

  • DNS over TLS
  • DNS over HTTPS
  • DNS over HTTP/3
  • DNS over QUIC

For configuration, please use the following addresses & domains:

  • doh.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255, IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::
  • dot.ffmuc.net - IPv4: 5.1.66.255 / 185.150.99.255, IPv6: 2001:678:e68:f000:: / 2001:678:ed0:f000::

The settings in Firefox can be made conveniently via the interface. Detailed instructions can also be found directly at mozilla.org: https://wiki.mozilla.org/Trusted_Recursive_Resolver . For German-speaking users there is also a detailed explanation/guide in the Privacy Manual.

Enter about:preferences#general in the address bar and follow the screenshots. For the network settings you have to scroll down.

Picture: Firefox settings menu item

Here we select "Custom" in the dropdown field [ Use provider v ] and enter the value https://doh.ffmuc.net/dns-query into the field [ Custom ].

Picture: Firefox settings menu item

Alternatively, the configuration can be done directly after entering the "address" about:config. The corresponding options can be found by searching for network.trr.

Picture: Firefox settings menu item

Under iOS you install the app DNSCloak and select the FFMUC servers via search:

Picture: setting options in DNSCloak

In Android (from Android 9) go to "Settings" and then "Wi-Fi & Internet". Below is a field "Private DNS". If you tap it, the following dialog appears:

Picture: "Settings" → "Wi-Fi & Internet" under Android 9

After you have entered dot.ffmuc.net and tapped "Save", "dot.ffmuc.net" appears in the overview:

Picture: "Settings" → "Wi-Fi & Internet" under Android 9

If you have an Android system older than Android 9, you will need to use other apps. Our current recommendation is "Intra" (Play Store link).

Select "DNS-over-HTTPS server" to configure the settings.
There, enter https://doh.ffmuc.net/dns-query as the "User-defined server URL":

Picture: setting options in the "Intra" app under Android

When you activate it, it can look like this:

Picture: detailed view of an activated connection in the "Intra" app under Android

If you are using unbound as your resolver, adding a DoT server is very easy. Add the following to your "normal" configuration. The forward-tls-upstream line is what makes unbound actually speak TLS on port 853 (without it, the forward-addr lines alone would send plain DNS to that port), and the tls-cert-bundle line gives it a CA bundle to verify the server name given after the #; the bundle path depends on your distribution:

 server:
        tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # CA bundle used to verify dot.ffmuc.net; path is distribution-specific
 forward-zone:
        name: "."
        forward-tls-upstream: yes  # without this unbound would send unencrypted DNS to port 853
        forward-addr: 5.1.66.255@853#dot.ffmuc.net
        forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net

Since Fritz!OS 7.20 it has been possible to configure DoT servers directly in the Fritz!Box. Go to Internet → Account Information → DNS Server. In the bottom field, enter dot.ffmuc.net as the hostname:

Picture: DoT settings in the Fritz!Box

In the Online Monitor you can now see that the following entries also appear under "DNS servers used":

2001:678:e68:f000:: (DoT-encrypted)
2001:678:ed0:f000:: (DoT-encrypted)
5.1.66.255 (DoT-encrypted)
185.150.99.255 (DoT-encrypted)

For one of the four it also says "currently used for standard queries – DoT-encrypted".

If that is the case, everything is set up correctly.

The main problem on MikroTik RouterOS devices (which the commands below are written for) is that they do not trust the FFMuc Let's Encrypt certificate by default. Therefore we first configure regular DNS (so the router can resolve letsencrypt.org at all), download and install the Let's Encrypt root certificate, and only then configure DoH with certificate verification enabled:

/ip dns set servers=5.1.66.255,185.150.99.255
/tool fetch url=https://letsencrypt.org/certs/isrgrootx1.pem
/certificate import file-name=isrgrootx1.pem passphrase=""
/ip dns set servers=5.1.66.255,185.150.99.255 use-doh-server=https://doh.ffmuc.net/dns-query verify-doh-cert=yes

(The command-line instructions are given here. In the GUI the hierarchy is identical: instead of "/ip dns set" you select the menu item "IP", then the submenu "DNS", and set the corresponding values there.)

If everything worked, you can do a DNS leak test and the result should look like this:

 Picture: result of testing via dnsleaktest.com (it can also show a different set of IP addresses in the 5.1.66.0/24 IPv4 prefix from our other PoP in Vienna, Austria)

Additional sites:

Of course there is also a detailed status page where you can see all available statistics about the service.

Just so it's said:

At Freifunk München there are no logs that would allow any conclusions to be drawn about your usage. There are a few general counters:

https://stats.ffmuc.net/d/tlvoghcZk/doh-dot

And we have logs of requests per IP for rate limiting, but they only record 'that' a request happened, not 'what' was requested.

If you want to know more about this topic, the following talks are recommended:

  • Last modified: 2025/09/08 01:19
  • by t0biii