
DNS requests exposed to ISP #1

Closed · yunti opened this issue Jul 19, 2018 · 3 comments

Comments

@yunti

yunti commented Jul 19, 2018

Thanks for sharing this setup. Just a quick question: with the router (or client setups) it looks like DNS requests are unencrypted from the router to the hosted DNS server, and after that they are encrypted to 1.1.1.1? So it looks like an ISP will still be able to see plaintext DNS requests before they are encrypted further down the chain.

Currently I have my DNS requests going to my docker based OpenVPN server and then on to 1.1.1.1 with `dhcp-option DNS 1.1.1.1` in the .ovpn config. This, I think, keeps the DNS requests from my ISP, but they are unencrypted from the VPN to Cloudflare.

Is there a way for the VPN to pass DNS requests over to the cloudflare-dns-server container so that DNS requests coming from the router are encrypted over the VPN tunnel and then encrypted by DNS over TLS?

(My router doesn't have open firmware so it doesn't support DNS over TLS from the router direct to Cloudflare, which would be an alternative way to set things up.)

@wei
Contributor

wei commented Jul 19, 2018

That is the correct behavior. For the first question, you will need to run the docker image in your home network, let's say on a Raspberry Pi at IP 192.168.1.10 port 53. Then you can configure your router to use this DNS server.

For the OpenVPN question, you just need to run the docker image on the server, configure it to be accessible from clients, then make it the default DNS server.

The key is that the routing to the docker image should not leave your network since it's just plain unencrypted DNS queries.

@yunti
Author

yunti commented Jul 19, 2018

Ah thanks, that makes a lot more sense. I thought the use case was a cloud hosted DNS server.

(I was struggling before to understand in your diagram why the DNS server's request went back through the router to Cloudflare, but now viewing it as a local network it makes sense.)

Am I correct in thinking that my router's VPN client sends the DNS requests encrypted over the VPN tunnel to the hosted VPN server? (Currently tested OK for DNS leaks, but that's hard to know if the DNS requests are just redirected from the VPN server, and potentially still sent in plain text to the VPN server.)

If the DNS requests are encrypted, then rather than setting up a Raspberry Pi locally (or similar) I would rather have the DNS server hosted with the VPN, as that is a better setup for me.

@qdm12
Owner

qdm12 commented Jul 19, 2018

Hi yunti.

Thanks for your interest! And thanks to wei for helping out!

From what I understand, you should have your VPN server use the DNS container.

You can also use it on your client side so that your client's ISP can't see what domain you tunnel to, but that's essentially for paranoids.

I'll update the diagrams to show it as a local area network.

@qdm12 qdm12 closed this as completed Jul 19, 2018
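The thread's argument (plain DNS is only safe while it stays inside a private network or inside the tunnel; DNS over TLS protects the hop to 1.1.1.1) is modelled below as an added example; it is not code from the cloudflare-dns-server project or from anyone in the thread. The router address, VPN subnet, docker bridge address and the cloud host 203.0.113.5 are assumed sample values; only 192.168.1.10 and 1.1.1.1 come from the discussion.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 plus loopback: home LAN, docker bridge and OpenVPN subnets live here.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    transport: str  # "udp53" plain DNS, "tls853" DNS over TLS, "vpn" inside the OpenVPN tunnel


def is_local(addr: str) -> bool:
    """True for RFC 1918 and loopback addresses (LAN, docker bridge, VPN subnet)."""
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def isp_readable(hop: Hop) -> bool:
    """Plain DNS is readable by whoever sits between src and dst, which only
    matters when the two are not on one private network."""
    if hop.transport in ("tls853", "vpn"):
        return False  # protected by TLS or by the tunnel
    return not (is_local(hop.src) and is_local(hop.dst))


def exposed_hops(path: list) -> list:
    """Hops of a query path on which plaintext DNS crosses the internet."""
    return [hop for hop in path if isp_readable(hop)]


# Constructed scenarios mirroring the four setups discussed in the thread.
SCENARIOS = {
    "container on the LAN (wei's advice)": [
        Hop("192.168.1.1", "192.168.1.10", "udp53"),
        Hop("192.168.1.10", "1.1.1.1", "tls853")],
    "cloud-hosted container reached over plain DNS": [
        Hop("192.168.1.1", "203.0.113.5", "udp53"),
        Hop("203.0.113.5", "1.1.1.1", "tls853")],
    "OpenVPN with dhcp-option DNS 1.1.1.1 (yunti's setup)": [
        Hop("192.168.1.1", "10.8.0.1", "vpn"),
        Hop("10.8.0.1", "1.1.1.1", "udp53")],
    "OpenVPN server using the DNS container (qdm12's advice)": [
        Hop("192.168.1.1", "10.8.0.1", "vpn"),
        Hop("10.8.0.1", "172.17.0.2", "udp53"),
        Hop("172.17.0.2", "1.1.1.1", "tls853")],
}

if __name__ == "__main__":
    for name, path in SCENARIOS.items():
        print(name, "->", [f"{h.src}->{h.dst}" for h in exposed_hops(path)] or "no plaintext DNS on the internet")
```

Note that in yunti's current setup the exposed hop is the VPN host's own uplink to 1.1.1.1, not the home ISP, which is why a client-side DNS leak test passes even though the query is still sent in the clear.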