
Encrypted DNS
Open, Wishlist, Public, FEATURE REQUEST

Description

Encrypted DNS makes user tracking more difficult for service providers.

Different approaches exist

  • DNS over TLS
  • DNS over HTTPS

It would be nice to set this up in VyOS and let clients use VyOS as their DNS forwarder (announced automatically via DHCP) instead of configuring every client manually.

Cloudflare has a free implementation if you need some servers to test.

Most tutorials I found use "unbound" as DNS cache/forwarder.

Details

Difficulty level: Unknown (requires assessment)
Version: -
Why the issue appeared?: Will be filled on close

Event Timeline

syncer triaged this task as Wishlist priority. Oct 19 2018, 5:54 PM

There is no way to signal DOH (DNS over HTTP/S) via DHCP.
DOH and DOT are supported in the latest dnsdist packages; see https://dnsdist.org/ and https://mailman.powerdns.com/pipermail/dnsdist/2018-August/000466.html.

It would also be a good idea to include dnsdist in VyOS for DNS caching and load balancing.

pdns recursor is used as the forwarder and we are not going to include an additional layer.

pdns recursor is from the same people who write dnsdist.
There are three products with different scopes:

pdns-server = Authoritative DNS Server
pdns-recursor = Recursive DNS Server
dnsdist = Loadbalancer, Filter, Cache

The normal setup would be

INTERNET/USER --> DNSDIST (anycast) --> some pdns-recursor|pdns-server

This is why they implement things like DOH and DOT first in dnsdist and later in the other products.

Most ISPs use anycast DNS systems; this means you have only one or two IPv4/IPv6 addresses for their users, because most resolver libs are not good at handling multiple servers
and errors on one of them. Also you don't want to have more pdns-recursors than needed, because you only get good DNS performance with massive caching. See:

https://www.researchgate.net/figure/Comparison-of-PDNS-performance-with-and-without-caching-for-querying-existing-records_fig6_224719164

There is no mechanism to distribute caches between recursor instances. So don't create too many recursor instances; better a few big ones, and distribute dnsdist in front of them as anycast.
So from my point of view it would be helpful for many setups to have dnsdist and recursor in VyOS so that the user can choose what he needs.

@rherold my point is a bit different;
we will take care of DNS a little bit later.

Just adding a suggestion since cloudflared (argo tunnel) is open source: https://github.com/cloudflare/cloudflared

cloudflared can be set up to create a local resolver that forwards upstream DNS queries over HTTPS via a YAML configuration:

proxy-dns: true
proxy-dns-port: 53
proxy-dns-address: 127.0.0.1
proxy-dns-upstream:
 - https://1.1.1.1/dns-query
 - https://1.0.0.1/dns-query

Then the current DNS forwarding can be set to use it:

set service dns forwarding listen-address 192.0.2.1
set service dns forwarding name-server 127.0.0.1

cloudflared would have to be packaged and a module written to pass arguments like:

set service dns-encryption upstream https://1.1.1.1/dns-query

I've used the following script to get the argo tunnel running and encrypting DNS; I then use 127.0.0.1 as the system nameserver and as the DNS forwarder's only upstream nameserver. It works well so far, but the integration with the VyOS config is lacking.

#!/bin/bash
# Run as root. Abort on the first failing step so a half-installed
# cloudflared does not get enabled as the system resolver.
set -e
curl -OJ https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
dpkg -i ./cloudflared-stable-linux-amd64.deb
mkdir -p /etc/cloudflared
# Write the DNS proxy config: listen on 127.0.0.1:53, forward over DoH to Cloudflare.
# (The original had "| >" here, which pipes into an empty command and leaves the file empty.)
echo "proxy-dns: true
proxy-dns-port: 53
proxy-dns-address: 127.0.0.1
proxy-dns-upstream:
 - https://1.1.1.1/dns-query
 - https://1.0.0.1/dns-query" > /etc/cloudflared/config.yml
# Install the systemd unit and start the proxy at boot.
cloudflared service install
systemctl enable cloudflared
systemctl start cloudflared
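To make the DoH leg of this setup concrete, here is an added example (not code from the task, from VyOS or from cloudflared) of what the proxy does on the wire toward the `https://1.1.1.1/dns-query` upstream in the config above: it encodes an RFC 1035 query, builds the RFC 8484 GET form of the request, and parses a constructed `application/dns-message` response while checking the transaction id and RCODE. Network I/O is deliberately left out, so it runs offline; the sample response bytes are constructed here, not captured from 1.1.1.1.

```python
import base64
import struct

UPSTREAM = "https://1.1.1.1/dns-query"  # the DoH endpoint used in the cloudflared config above

def build_query(name, txid, qtype=1):
    """Single-question DNS query in RFC 1035 wire format, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_request(query, upstream=UPSTREAM):
    """RFC 8484 GET form: base64url with padding stripped, plus the required Accept header."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{upstream}?dns={dns}", {"Accept": "application/dns-message"}

def _skip_name(msg, off):  # advance past a name; 0xC0.. starts a 2-byte compression pointer
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_a_records(msg, expect_txid):
    """Return the A-record addresses from a response body of type application/dns-message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed response for "example.com" A, txid 0x1234, flags 0x8180 (QR/RD/RA, RCODE 0):
# echoed question, then one answer whose name is a pointer (0xC00C) to the qname,
# TTL 3600, RDATA 192.0.2.1 (a TEST-NET address, not a real answer from 1.1.1.1).
SAMPLE_RESPONSE = bytes.fromhex("1234 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 00000e10 0004 c0000201")
```

Pointing the VyOS forwarder at 127.0.0.1 only helps if the proxy really validates the upstream TLS certificate and the answers it relays; checking the transaction id and RCODE as above is the minimum a relay should do before handing a reply back to the forwarder.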

Wait, Argo tunnel uses Cloudflare's WARP VPN system, which under the hood is basically WireGuard...