Corey Minyard wrote on 2024-08-19 12:38pm:
> On Mon, Aug 19, 2024 at 1:56 PM Buck Horn via Dnsmasq-discuss
> <dnsmasq-discuss@lists.thekelleys.org.uk> wrote:
>> On 19.08.24 18:38, Corey Minyard wrote:
>>> On Mon, Aug 19, 2024 at 8:58 AM Buck Horn via Dnsmasq-discuss
>>> <dnsmasq-discuss@lists.thekelleys.org.uk> wrote:
>>>> It's not entirely clear from your description, but if your goal would be
>>>> to have dnsmasq forward DNS requests to a DoT server, then dnsmasq can't
>>>> do that: It fully supports DNS (port 53 UDP/TCP), but does not support
>>>> DoT (port 853 TCP) at all. You would need a DoT proxy between dnsmasq
>>>> and your DoT server for that use case.
>>> That's my overall goal, but I have stunnel which will take a TCP connection and
>>> forward it over TLS. It would be nice if dnsmasq would support DoT, but I'm ok
>>> that it doesn't. BIND doesn't, either.
>> I see - so your dnsmasq TCP requirement is introduced by your choice of
>> stunnel?
>> But stunnel isn't a DoT proxy; it is a TLS proxy wrapper and, as such, would
>> lack UDP support, somewhat naturally employing TCP only.
>> A proper DoT proxy would have to support UDP as well as TCP, as both protocols
>> are mandatory for DNS.
>> Instead of trying to find some bandaid for dnsmasq, I'd recommend considering
>> a proper DoT/DoX proxy instead (e.g. AdguardTeam/dnsproxy). Or if you
>> would already happen to run nginx, I believe that could also be configured to
>> act as a DNS to DoT gateway.
> Ah, that's what I was looking for. I searched, and for some reason
> these didn't show up; I got some things that were woefully inadequate.
> One of these should do what I'm looking for.
> Thanks,
> -corey
>> Kind regards,
>> Buck
You could just run unbound on the box where you are trying to run
dnsmasq and let unbound do the forwarding. It easily supports DoT (and a
bunch of other protocols).
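As an added illustration of the setup discussed in this thread (dnsmasq forwarding plain DNS on loopback to a local forwarder that speaks DoT upstream, using unbound as suggested above), written for this page and not taken from the list or from either project's documentation. The loopback port 5335, the Quad9 upstream and the CA bundle path are assumptions; any DoT provider and distribution CA path can be substituted.

```conf
# /etc/unbound/unbound.conf.d/dot-forward.conf  (added example, assumed path)
server:
    interface: 127.0.0.1
    port: 5335                     # assumed local port; dnsmasq keeps port 53
    do-udp: yes                    # accept both transports from dnsmasq,
    do-tcp: yes                    # as both are mandatory for DNS
    # CA bundle used to validate the upstream certificate (path is an assumption)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes      # TLS is required, not opportunistic
    # IP@port#auth-name: the presented cert must match the auth name,
    # otherwise the query fails instead of falling back to port 53
    forward-addr: 9.9.9.9@853#dns.quad9.net

# /etc/dnsmasq.d/upstream.conf  (added example, assumed path)
no-resolv                          # do not pick up plaintext upstreams from /etc/resolv.conf
server=127.0.0.1#5335              # the only cleartext hop is this loopback one
listen-address=127.0.0.1
```

To check the result, `dig @127.0.0.1 -p 5335 example.com` should answer, and `tcpdump -i any port 53 or port 853` on the host should show only port 853 traffic leaving once clients are pointed at dnsmasq.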
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss