DNS over HTTPS/TLS Configuration

DNS over HTTPS/TLS Configuration

Overview

The Pimeleon router implements secure DNS resolution using multiple protocols:

  • DNS over HTTPS (DoH) - Encrypts DNS queries over HTTPS
  • DNS over TLS (DoT) - Encrypts DNS queries over TLS
  • DNSCrypt - Authenticated encryption for DNS queries

DNSCrypt-Proxy Implementation

Primary secure DNS resolver running on port 5054, providing encrypted upstream resolution for DNS filtering.

Key Features

  • Multiple upstream providers (Cloudflare, Quad9)
  • DNSSEC validation required for all queries
  • IPv4 focus with selective IPv6 support
  • P2 load balancing strategy for optimal performance
  • Built-in caching with 4096 entry capacity

Security Enhancements

  • Bootstrap resolvers prevent DNS hijacking during startup
  • System DNS ignored to prevent leaks
  • DNSSEC validation prevents DNS spoofing
  • Authenticated encryption protects query privacy

Caching Strategy

Aggressive caching reduces upstream queries and improves response times:

  • Minimum TTL: 40 minutes for positive responses
  • Maximum TTL: 24 hours
  • Negative caching: 1-10 minutes for NXDOMAIN responses

Integration Architecture

Flow: Client → DNS Filter:53 → DNSCrypt-proxy:5054 → Encrypted upstream resolvers

DNS filtering handles local blocking, while DNSCrypt-proxy ensures secure upstream resolution.

Anonymized DNS Features

Tor integration routes sensitive queries through anonymized relays, providing additional privacy for specific domains or query types.

.onion Domain Support

Special handling directs .onion queries to local Tor DNS resolver, enabling access to hidden services.

Monitoring and Diagnostics

Query Logging

Selective logging captures DNS queries while filtering out noise from DNSSEC-related queries (DNSKEY, NS records).

Performance Monitoring

  • 2.5 second timeout prevents hanging queries
  • Info-level logging provides operational visibility
  • Bootstrap fallback ensures service continuity

Operational Benefits

  1. Privacy Protection: End-to-end encryption prevents ISP monitoring
  2. Security Enhancement: DNSSEC validation blocks DNS poisoning
  3. Performance Optimization: Local caching reduces latency
  4. Reliability Assurance: Multiple providers with automatic failover
  5. Anonymity Option: Tor routing for sensitive queries

Maintenance Tasks

  • Server lists auto-update from official DNSCrypt repositories
  • Certificate validation using cryptographic signatures
  • Log rotation prevents disk space exhaustion
  • Regular connectivity testing to upstream providers

Service Dependencies

  • DNS filter upstream configuration points to DNSCrypt-proxy
  • BIND integration for local DNS zones
  • Tor DNS resolver for .onion domain support
  • SSL certificate infrastructure for DoH endpoints
ON THIS PAGE
Overview
DNSCrypt-Proxy Implementation
Integration Architecture
Anonymized DNS Features
Monitoring and Diagnostics
Operational Benefits
Maintenance Tasks
Service Dependencies