Comments (21)

trinib commented on July 29, 2024

That's why I was hoping I could have DoH enabled as well so the device would always be subjected to the same thing e.g. AdGuard, unbound etc.

If you want it like that, maybe I can try to get it to work. I'll find some guide to share for now; maybe you can get it to work.

from adguard-wireguard-unbound-dnscrypt.

trinib commented on July 29, 2024

So how does DoT show them on the client and server side?

Because port 53 is a reserved DNS port that listens openly on systems, firewalls, and clients to transmit DNS queries.

welcome commented on July 29, 2024

Thanks for opening your first issue here 🙋🕵️

trinib commented on July 29, 2024

@eltonajmenezes It would not show.
Explanation:

The Cloudflared tunnel daemon creates outbound-only connections to Cloudflare's edge. This daemon sits between the Cloudflare network and your origin. Cloudflare attracts client requests and sends them to you via the daemon (the service).

DNS resolving software like unbound / bind / stubby / powerdns etc. automatically advertises itself as the DNS server on Linux using port 53. They provide a combination of a lightweight resolver library that can be run on DNS clients, such as host operating systems or routers, and a resolver daemon process which can run on a local host.

To get DoH (native), there are ways with dnscrypt or dnsmasq, for example. You will need to do some tweaking to get unbound to work with it, since both use port 53. There are maybe other ways as well.

eltonajmenezes commented on July 29, 2024

Thank you @trinib for this explanation.
Do you have any articles that you can send my way so that I can achieve this?
The main reason why I am asking is when I am out of my home network I want to VPN into my network and achieve the security I set up.

trinib commented on July 29, 2024

Thank you @trinib for this explanation.
Do you have any articles that you can send my way so that I can achieve this?
The main reason why I am asking is when I am out of my home network I want to VPN into my network and achieve the security I set up.

Correct me if I'm wrong: do you want the server side (Pi/Linux) to have DNS security as the client side does?

If so, that can be tricky, with one of the two sides communicating with ports for traffic, requests etc. I don't think I saw a specific guide for that anywhere; I could be wrong.

trinib commented on July 29, 2024

@eltonajmenezes I think if you want a Linux system that is self-hosting some type of management server (if that is your case), it makes more sense to have a second Linux system as a VPN server and the other connected as a client that is hosting something like yunohost, home assistant etc...

eltonajmenezes commented on July 29, 2024

Thank you @trinib for this explanation.
Do you have any articles that you can send my way so that I can achieve this?
The main reason why I am asking is when I am out of my home network I want to VPN into my network and achieve the security I set up.

Correct me if I'm wrong: do you want the server side (Pi/Linux) to have DNS security as the client side does?

If so, that can be tricky, with one of the two sides communicating with ports for traffic, requests etc. I don't think I saw a specific guide for that anywhere; I could be wrong.

@trinib
Yes I would like the server side to have security.

As it stands if I connect to my server via a VPN and do a 1.1.1.1/help test then I see DoT is marked Yes!

I would like to have DoH as well.

And unfortunately I don't have any other system(s) I can use.

I have set up my RPi with AdGuard by following your perfect instructions.

But would really like to have the ability to securely route my traffic when I am outside as I do from home.

Hope this makes my ask/query a bit clearer.

trinib commented on July 29, 2024

@eltonajmenezes Ohhh I now get what you're thinking. You want DoH to show on the server side of things for WireGuard. No! That is not how it works. WireGuard uses an encrypted tunnel between two devices that has its own IP and DNS security protocols. Running a DoH tunnel or resolver, and DoT services, on Linux has NOTHING to do with a WireGuard connection accessing DoH/DoT security from outside.

You get DoH and DoT security with the VPN by adding it through its DNS SERVERS, which I stated in the guide might not make much difference when using them together (it's optional). WireGuard is good enough for encrypting data from hackers who are using some sort of network sniffing tool or man-in-the-middle attack. DoH/DoT is more for privacy, security and speed on your home network, mostly when browsing websites, and it can also block phishing websites.

But would really like to have the ability to securely route my traffic when I am outside as I do from home.

And do not worry, your traffic is secure with or without Unbound or Cloudflare DNS servers alongside it.

eltonajmenezes commented on July 29, 2024

@eltonajmenezes Ohhh I now get what you're thinking. You want DoH to show on the server side of things for WireGuard. No! That is not how it works. WireGuard uses an encrypted tunnel between two devices that has its own IP and DNS security protocols. Running a DoH tunnel or resolver, and DoT services, on Linux has NOTHING to do with a WireGuard connection accessing DoH/DoT security from outside.

You get DoH and DoT security with the VPN by adding it through its DNS SERVERS, which I stated in the guide might not make much difference when using them together (it's optional). WireGuard is good enough for encrypting data from hackers who are using some sort of network sniffing tool or man-in-the-middle attack. DoH/DoT is more for privacy, security and speed on your home network, mostly when browsing websites, and it can also block phishing websites.

But would really like to have the ability to securely route my traffic when I am outside as I do from home.

And do not worry, your traffic is secure with or without Unbound or Cloudflare DNS servers alongside it.

Thanks for this clarification. Though I read in quite a few places that in some instances you would want to funnel outside traffic into your home network.
That's why I was hoping I could have DoH enabled as well so the device would always be subjected to the same thing e.g. AdGuard, unbound etc.

trinib commented on July 29, 2024

OK, I think I might have a way to do what you want. First, I think there is no way that you can get DoH and DoT to show on the server side, because these resolving DNS tools all need port 53 to listen openly on systems, firewalls, and clients to transmit DNS queries. What you need is to get a DoH client (native) for Linux.

DNSCrypt is a protocol that encrypts, authenticates and optionally anonymizes communications between a DNS client and a DNS resolver. It can forward queries (like stubby) from a local DNS cache. It needs to listen on a different port from the default 53, because the DNS cache used with Unbound needs to listen on 53.

Here is a guide from Arch Linux: https://wiki.archlinux.org/title/Dnscrypt-proxy#Local_DNS_cache_configuration (use the service method to change ports)
and configure unbound: https://wiki.archlinux.org/title/Dnscrypt-proxy#Unbound

Just know, what you want to accomplish here only makes sense if you are actually home physically, browsing websites on the Linux server system.

Thanks for this clarification. Though I read in quite a few places that in some instances you would want to funnel outside traffic into your home network

I think your whole point of view on this is that you think you are actually at home, using a device locally on your network with outside traffic around it. Understand that WireGuard just routes to your home network using an encrypted tunnel, as a result making your devices on public networks seem like they are home when they are actually NOT. That is one of the main concepts and features of a VPN (virtual private network), like the paid ones that change to different country locations (for restrictions) when you are actually not there.

I hope you understand now: DNS security tools on Linux have nothing to do with protecting traffic data from outside to home with the WireGuard tunnel. The DoH/DoT applies only when you add it to the WireGuard DNS servers. That client (device) is still in the WireGuard tunnel network with all DNS security, regardless of Cloudflare 1.1.1.1 on the Linux server side showing DoH: yes.

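As an added example (not part of this thread or of the guide it refers to), a small bash check for the port 53 contention described above: it reports which daemons hold a given DNS port so a conflict is visible before AdGuard Home, unbound and dnscrypt-proxy are stacked on one host. The `ss` output it parses is constructed; the dnscrypt-proxy address 127.0.2.1:53000 comes from the thread, while unbound on 127.0.0.1:5335 is an assumed layout, not a value from the guide.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: list which daemons hold a DNS port so
# that AdGuard Home, unbound and dnscrypt-proxy can be stacked without a bind
# conflict on 53. Parses `ss -Hlntup` output; the samples below are constructed.

# Print "proto port process" for every listener on port $1 (ss output on stdin).
listeners_on_port() {
  awk -v port="$1" '
    {
      n = split($5, addr, ":")        # Local Address:Port; port is the last piece
      if (addr[n] != port) next
      proc = "?"
      if (match($0, /users:\(\("[^"]+"/)) {
        proc = substr($0, RSTART + 9, RLENGTH - 10)   # text between the quotes
      }
      print $1, addr[n], proc
    }'
}

# Number of distinct processes bound to port $1; more than 1 means two
# resolvers are configured for the same port (ss output on stdin).
conflict_count() {
  listeners_on_port "$1" | awk '{ print $3 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample: the layout the thread ends up with. AdGuard Home on 53,
# unbound on an assumed high local port, dnscrypt-proxy on 127.0.2.1:53000.
SAMPLE_OK='udp   UNCONN 0 0   0.0.0.0:53       0.0.0.0:* users:(("AdGuardHome",pid=812,fd=9))
tcp   LISTEN 0 128 0.0.0.0:53       0.0.0.0:* users:(("AdGuardHome",pid=812,fd=10))
udp   UNCONN 0 0   127.0.0.1:5335   0.0.0.0:* users:(("unbound",pid=655,fd=3))
udp   UNCONN 0 0   127.0.2.1:53000  0.0.0.0:* users:(("dnscrypt-proxy",pid=701,fd=7))
tcp   LISTEN 0 128 127.0.2.1:53000  0.0.0.0:* users:(("dnscrypt-proxy",pid=701,fd=8))'

# Constructed sample: the failure mode the thread warns about, two resolvers
# both set up for port 53 (here a stub resolver was never moved off it).
SAMPLE_CONFLICT='udp   UNCONN 0 0   127.0.0.53:53    0.0.0.0:* users:(("systemd-resolve",pid=420,fd=12))
udp   UNCONN 0 0   0.0.0.0:53       0.0.0.0:* users:(("unbound",pid=655,fd=3))'

# Run on the live host with --live; otherwise walk through the samples.
if [ "${1:-}" = "--live" ]; then
  ss -Hlntup | listeners_on_port 53
else
  printf '%s\n' "$SAMPLE_OK" | listeners_on_port 53
  printf 'distinct owners of :53 -> %s\n' "$(printf '%s\n' "$SAMPLE_CONFLICT" | conflict_count 53)"
fi
```
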
eltonajmenezes commented on July 29, 2024

Thank you for this information @trinib

So I read this statement

Just know, what you want to accomplish here only make sense if you are actually home physically, browsing websites on the Linux server system.

I also want DNSCrypt to encrypt the traffic of my LAN network through AdGuard.
Can this be done and if so how?
(I have seen many articles of AdGuard and DNS crypt but I am unsure which is the one I should be using)

Is this a replacement of cloudflared DoH?

trinib commented on July 29, 2024

Yes, you can add it to AdGuard; it will be 127.0.2.1:53000

Is this a replacement of cloudflared DoH?

Cloudflare tunneling and resolving are not the same, so you can have it installed with dnscrypt

trinib commented on July 29, 2024

Also keep in mind that devices connected to AdGuard using Cloudflare and dnscrypt, both using DNS over HTTPS and querying traffic, can have complications. Use one or the other if I were you.

eltonajmenezes commented on July 29, 2024

Yes, you can add it to AdGuard; it will be 127.0.2.1:53000

Is this a replacement of cloudflared DoH?

Cloudflare tunneling and resolving are not the same, so you can have it installed with dnscrypt

@trinib
I have seen this article

https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux

I guess this is similar to what you mentioned, right? I.e. installing it locally for the Linux system?

https://wiki.archlinux.org/title/Dnscrypt-proxy#Unbound

And I found these articles

https://blog.cloudflare.com/deploying-gateway-using-a-raspberry-pi-dns-over-https-and-pi-hole/

https://github.com/AdguardTeam/AdGuardHome/wiki/DNSCrypt

https://dev.to/cipherops/using-dnscrypt-with-adguard-home-pi-hole-7j6

In short:

What I would like to do is to have DoH on the Linux system but also have it so that I have DoH for clients working with AdGuard, the way that cloudflared DoH is working now.
And finally uninstall cloudflared DoH because it also throws errors.

Would you be able to clarify how to get this setup? The way you have nicely outlined in your main article? I'm quite new to this. So I don't want to mess up the setup

trinib commented on July 29, 2024

You can't, because port 53 is needed for DNS resolvers. They cannot all work on the same port to resolve on 1.1.1.1

eltonajmenezes commented on July 29, 2024

You can't, because port 53 is needed for DNS resolvers. They cannot all work on the same port to resolve on 1.1.1.1

@trinib

So how does DoT show them on the client and server side?

And if it's one or the other, can you tell me how to properly set it up for the client side the way Cloudflare for AdGuard is set up now? As that is more important than having the system be DoH only.

trinib commented on July 29, 2024

You can't, because port 53 is needed for DNS resolvers. They cannot all work on the same port to resolve on 1.1.1.1

@trinib

So how does DoT show them on the client and server side?

And if it's one or the other, can you tell me how to properly set it up for the client side the way Cloudflare for AdGuard is set up now? As that is more important than having the system be DoH only.

I guess you did not read the FAQ

AdGuard Home is basically a DNS proxy

eltonajmenezes commented on July 29, 2024

You can't, because port 53 is needed for DNS resolvers. They cannot all work on the same port to resolve on 1.1.1.1

@trinib

So how does DoT show them on the client and server side?

And if it's one or the other, can you tell me how to properly set it up for the client side the way Cloudflare for AdGuard is set up now? As that is more important than having the system be DoH only.

I guess you did not read the FAQ

AdGuard Home is basically a DNS proxy

Forgive me for asking again.
I did read that FAQ, but the manner in which you have shown the setup for cloudflare with AdGuard to get DoH; is there a procedure I need to follow to get DNSCRYPT with DoH on AdGuard?

Because I'm sorry but I am quite confused about how to go about this.

trinib commented on July 29, 2024

You already asked that in #28 (comment). There are a lot of different ways to achieve this DNS security, and it can be confusing for someone new to it. You need to utilize Google search, read documents, and test and trial like I did. Asking people all the time eliminates your skills in problem solving, trust me. Sometimes think like no one understands it and you're the only one learning it. It's a confident learning strategy I made for myself 😎

eltonajmenezes commented on July 29, 2024

You already asked that in #28 (comment). There are a lot of different ways to achieve this DNS security, and it can be confusing for someone new to it. You need to utilize Google search, read documents, and test and trial like I did. Asking people all the time eliminates your skills in problem solving, trust me. Sometimes think like no one understands it and you're the only one learning it. It's a confident learning strategy I made for myself 😎

@trinib
I understand what you mean very clearly.
Could you at least guide me on which articles from the ones I found are correct for DoH on AdGuard via DNSCRYPT? Because there are quite a few I found that I listed or is what you suggested the way I can get the DoH for clients?
