Ask AI: Running a DoH or DoT Resolver on an Alternative Port – Step by Step Instructions

Mark E. Jeftovic

This is a raw ChatGPT output, model 4o which is an addendum to our post on the Malaysian government blocking DNS services from outside the country.

It has not been tested but is supplied here to provide a stark example of just how easy it now is to use existing technology to circumvent government edicts that reflect stone-age thinking.

Running DoH DoT Resolver

September 8, 2024
This conversation may reflect the link creator’s personalized data, which isn’t shared and can meaningfully change how the model responds.
You said:
How would I run a DoH or DoT resolver on an alternative port to and make that available to external clients
ChatGPT said:

To run a DNS over HTTPS (DoH) or DNS over TLS (DoT) resolver on an alternative port and make it available to external clients, follow these steps. For both DoH and DoT, you’ll need to configure a DNS server (like BIND or Unbound) and an application-level service for HTTPS (such as NGINX for DoH or native TLS support for DoT). Here’s a high-level guide for both:

DNS over HTTPS (DoH)

  1. Install and Configure a DNS Resolver (e.g., Unbound)
    • Ensure that Unbound is installed on your server.
    • Configure Unbound to listen for DNS queries.
    • Example Unbound config for listening on a local IP:
      bash
      server:
  interface: 127.0.0.1@5353  # Alternative port 5353 for internal queries
  access-control: 0.0.0.0/0 allow
  2. Configure NGINX as a Proxy for DoH on an Alternative Port
    • Install NGINX if not already installed.
    • Edit the NGINX config to use an alternative port (e.g., 8443) and proxy requests to your Unbound server.

    Example NGINX config:

    nginx
    server {
    listen 8443 ssl;
    server_name your_domain_or_ip;

    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

    location /dns-query {
        proxy_pass http://127.0.0.1:5353;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
    • Ensure SSL certificates are properly configured. You can use Let’s Encrypt for certificates.
  3. Firewall Configuration
    • Open the alternative port on your firewall to allow external access. For example, to open port 8443 on Ubuntu:
      bash
      sudo ufw allow 8443/tcp
  4. Client Configuration
    • Clients that want to connect to your DoH server need to point to your server’s domain/IP on the specified port (e.g., 
      https://your_domain_or_ip:8443/dns-query

      ).

DNS over TLS (DoT)

  1. Install and Configure Unbound for DNS over TLS
    • In Unbound’s configuration, set the port to an alternative (e.g., 8533) and configure TLS settings.

    Example Unbound config:

    bash
    server:
  do-tcp: yes
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  interface: 0.0.0.0@8533  # Alternative port 8533
  access-control: 0.0.0.0/0 allow

tls-service-key: "/etc/unbound/ssl/server.key"
tls-service-pem: "/etc/unbound/ssl/server.pem"
  2. Open the Alternative Port on the Firewall
    • Open the alternative DoT port (e.g., 8533):
      bash
      sudo ufw allow 8533/tcp
  3. Client Configuration
    • Clients need to configure their DoT clients to connect to your domain/IP using the custom port ( 
      your_domain_or_ip:8533

      ).

General Steps for Both:

  • SSL Certificates: Ensure you have valid SSL/TLS certificates for both DoH and DoT, as encrypted communication is a core aspect.
  • Port Forwarding (if behind NAT): If your server is behind a router or firewall, configure port forwarding to allow external traffic on the alternative ports.
  • Testing: Use tools like dig or curl for DoH and kdig or drill for DoT to test the DNS resolution over your configured ports.

Let me know if you need more detailed instructions for a specific step!

You said:
How would you configure, say a Macbook Pro to use some external DoT resolver on an alternate port
ChatGPT said:

To configure a MacBook Pro to use an external DNS over TLS (DoT) resolver on an alternate port, you can’t directly configure macOS to use DoT through its system settings, but you can achieve this using the following methods:

Method 1: Use a Local Stub Resolver (like Unbound) as a Proxy

In this method, you’ll set up a local resolver (like Unbound) to act as a proxy on your MacBook. This local resolver will forward DNS queries to the external DoT resolver on the alternative port.

Steps:

  1. Install Unbound on Your MacBook:
    • Use Homebrew to install Unbound:
      bash
      brew install unbound
  2. Configure Unbound to Forward DNS Queries to the External DoT Resolver on the Alternative Port:
    • Edit the Unbound configuration file, typically found at /usr/local/etc/unbound/unbound.conf. If the file doesn’t exist, you may need to create it.
    • Add the following configuration to forward all DNS queries to the external DoT resolver on the alternative port (replace EXTERNAL_RESOLVER_IP and ALTERNATIVE_PORT with actual values):
      bash
      server:
  # Listen on localhost, port 53
  interface: 127.0.0.1
  access-control: 127.0.0.0/8 allow
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: EXTERNAL_RESOLVER_IP@ALTERNATIVE_PORT

      Example for forwarding DNS queries to a DoT server at 1.1.1.1 on port 8533:

      bash
      forward-addr: 1.1.1.1@8533
  3. Start Unbound:
    • Start the Unbound service using Homebrew:
      bash
      sudo brew services start unbound
  4. Set macOS to Use Unbound as the DNS Resolver:
    • Go to System Preferences > Network.
    • Select your network interface (e.g., Wi-Fi or Ethernet) and click Advanced.
    • Go to the DNS tab and remove any existing DNS entries.
    • Add 127.0.0.1 as your DNS server (since Unbound is running locally on your MacBook and forwarding queries).
  5. Verify Your Setup:
    • You can test the setup by running:
      bash
      dig @127.0.0.1 example.com
    • This will show whether your local Unbound is correctly resolving DNS queries using the external DoT resolver.

Method 2: Use a VPN or Proxy Service Supporting DoT

Some VPN or DNS proxy services offer native support for DoT, and they may allow you to specify the external DoT resolver and port. If you prefer a simpler solution, you can search for a VPN or DNS proxy service that provides this functionality.

Method 3: Use a Custom Script (with dig or drill)

Alternatively, if you don’t want to run a local resolver, you can create a script that performs DNS lookups using kdig, drill, or dig and passes the queries to the external DoT resolver on the alternative port. However, this wouldn’t change the system-wide DNS behavior—it would only apply to queries you run via the script.

For example, using kdig (part of the knot-dnsutils package):

  1. Install knot-dnsutils via Homebrew:
    bash
    brew install knot-dnsutils
  2. Use kdig to query the external DoT resolver on the alternative port:
    bash
    kdig @EXTERNAL_RESOLVER_IP +tls-ca +tls-port=ALTERNATIVE_PORT example.com

Conclusion:

Method 1 using Unbound is the most reliable and system-wide solution for configuring your MacBook to use an external DoT resolver on an alternate port. It sets up a local DNS proxy that forwards requests securely via DoT to the specified external resolver.

Let me know if you need additional details on any of these steps!

Leave a Reply

Your email address will not be published. Required fields are marked *