No, it is not. It is a TCP connection.
Got a problem, buddy: you're not listening for IPv6 here.
Moving forward
No it's not, lookup DNS. It's a UDP service. Make sure you are still listening on UDP. Most resolvers cannot handle pushing stuff over TCP by default. They can however hit UDP, and the server can force an upgrade to TCP (Bind9 and PowerDNS do this).
For kicks, let's try normal DNS. Create a config for 53… open the port and see if you can dig it.
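An added check for the UDP/TCP point above (example code, not from the thread): build one DNS query and send it over UDP 53, TCP 53 and DoT 853 against the proxy, so you can see which of the declared listeners actually answer. The target host, the SNI name and the example.com query are assumptions; nothing talks to the network until check_listeners is called.

```python
import socket, ssl, struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 wire-format query: 12-byte header with RD set, one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Fields a listener check cares about: is it a reply, was it truncated, rcode, answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an}

def frame_tcp(msg):
    """TCP and DoT carry each message behind a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def query_udp(host, port, q, timeout=3.0):
    fam = socket.AF_INET6 if ":" in host else socket.AF_INET   # covers the [::]:53 listener too
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (host, port))
        return s.recv(4096)

def query_stream(host, port, q, tls=False, sni=None, timeout=3.0):
    """Plain TCP (53) or DoT (TLS on 853): same framing, only the transport differs."""
    s = socket.create_connection((host, port), timeout=timeout)
    if tls:
        s = ssl.create_default_context().wrap_socket(s, server_hostname=sni)
    with s, s.makefile("rb") as f:
        s.sendall(frame_tcp(q))
        (n,) = struct.unpack("!H", f.read(2))
        return f.read(n)

def check_listeners(host, name="example.com.", sni=None):
    """Send the same query over every transport; rcode per transport, or the error text."""
    q = build_query(name)   # assumed test name; any name the recursor resolves works
    probes = {"udp/53": lambda: query_udp(host, 53, q),
              "tcp/53": lambda: query_stream(host, 53, q),
              "dot/853": lambda: query_stream(host, 853, q, tls=True, sni=sni)}
    results = {}
    for label, probe in probes.items():
        try:
            results[label] = parse_header(probe())["rcode"]
        except (OSError, ssl.SSLError, struct.error) as e:
            results[label] = f"error: {e}"
    return results
```

A listener that is missing shows up as a connection or timeout error under its label while the others return rcode 0, which separates "nginx is not bound there" from "the upstream recursor is broken".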
on it.
This is all in your stream{} block, right? Or referenced in the stream block via include "";
Via include. Stored in tcp.d.
@Argone let me make my configuration easier to read
My Main NGINX file contains this for the stream cipher setup
## STREAM BLOCK
stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    include /etc/nginx/stream.d/*.conf;   # the DNS/DoT server{} blocks live here
    error_log off;   # note: error_log has no "off" value; this writes to a file literally named "off"
    access_log /var/log/nginx/streamLog proxy buffer=256k;
    ssl_certificate <certpath>/cert.crt;
    ssl_certificate_key <certpath>/privkey.key;
    ssl_dhparam <certpath>/dhparam.pem;
    ssl_trusted_certificate <certpath>/cert.crt;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers !AES128:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp521r1:secp384r1;
    access_log off;   # note: "off" cancels every access_log at this level, so streamLog above is never written
}
My UPSTREAM server configuration for DNS is vanilla
upstream dns {
    zone dns 64k;
    server 10.31.82.3:53;
}
My Regular DNS Config inside 00-DNS.conf
# Reg DNS
server {
    access_log /var/log/nginx/dns-querylog proxy;
    listen 53;            # TCP 53 (used for large answers / TC-bit retries)
    listen 53 udp;        # UDP 53, what most resolvers try first
    listen [::]:53;       # same pair for IPv6
    listen [::]:53 udp;
    proxy_pass 10.31.85.1:19253;
    proxy_connect_timeout 30s;
    proxy_responses 1;    # one UDP datagram back per query, then the session is done
    preread_timeout 50s;
}
My DoT Config
# DoT server for decryption
server {
    access_log /var/log/nginx/dnsOverTLS-querylog proxy;
    listen 853 ssl;
    listen [::]:853 ssl;
    proxy_pass 10.31.85.1:19253;
    proxy_connect_timeout 30s;
    preread_timeout 50s;
    ssl_session_tickets on;
    ssl_session_timeout 4h;
    ssl_handshake_timeout 30s;
}
My DoH Config
❯ cat conf.d/98-dnsDoH.conf
# DoH Port 80
server {
    include /etc/nginx/ErrorPages/error_pages.conf; # Error Pages GConf
    if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
        return 405;
    }
    listen 80;
    listen [::]:80;
    server_name <DOMAIN.TLD>;
    return 308 https://$server_name$request_uri;
}
# DoH Port 443
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include /etc/nginx/headers.d/98-dnsDoHHeaders.conf; # Security headers
    include /etc/nginx/ErrorPages/error_pages.conf; # Error Pages GConf
    server_name <DOMAIN.TLD>;
    if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
        return 405;
    }
    location / {
        return 400;
    }
    location /dns-query {
        error_page 500 502 503 504;   # note: error_page takes a target URI last, so "504" is read as the target for 500/502/503
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://dohproxy_backend;
    }
}
Headers for DoH
❯ cat headers.d/98-dnsDoHHeaders.conf
# DoH Security Headers
add_header Strict-Transport-Security "max-age=94608000; includeSubDomains; preload" always;
ssl_stapling on;
ssl_stapling_verify on;
The file structure is quite simple
❯ tree -shugD
.
├── [root root 4.0K Apr 21 01:23] conf.d
│   ├── [root root 1.9K Apr 18 01:20] 00-services.conf
│   ├── [root root 642 Apr 18 01:31] 01-themes.conf
│   ├── [root root 1.8K Apr 18 01:46] 02-pi-hole.conf
│   ├── [root root 1.1K Apr 18 02:00] 03-bitwarden.conf
│   ├── [root root 1.5K Apr 18 02:05] 04-nextcloud.conf
│   ├── [root root 512 Apr 18 02:07] 05-archives.conf
│   ├── [root root 1.7K Apr 18 02:22] 06-jellyfin.conf
│   ├── [root root 707 Apr 18 02:25] 07-ntp.conf
│   ├── [root root 591 Apr 18 02:27] 08-privatebin.conf
│   ├── [root root 460 Apr 18 02:31] 09-osmium.conf
│   ├── [root root 654 Apr 18 02:33] 10-gitlab.conf
│   ├── [root root 500 Apr 18 02:39] 11-chat.conf
│   ├── [root root 426 Apr 18 02:40] 12-jitsi.conf
│   ├── [root root 1.7K Apr 18 02:52] 13-office.conf
│   ├── [root root 365 Apr 18 02:57] 14-jenkins.conf
│   ├── [root root 725 Apr 22 17:59] 15-matrix.conf
│   ├── [root root 429 Apr 18 03:10] 16-turn.conf
│   ├── [root root 427 Apr 18 03:12] 17-ident.conf
│   ├── [root root 992 Apr 18 03:16] 18-slate.conf
│   ├── [root root 766 Apr 18 03:18] 19-authdl.conf
│   ├── [root root 879 Apr 16 22:00] 98-dnsDoH.conf
│   ├── [root root 649 Apr 16 17:53] 999-wildcardcatch.conf
│   ├── [root root 403 Apr 18 03:20] 99-vouch.conf
│   └── [root root 136 Apr 13 00:44] php-fpm.conf
├── [root root 4.0K Apr 21 01:23] default.d
│   ├── [root root 1.1K Jul 10 2021] fastcgi.conf.default
│   ├── [root root 1007 Jul 10 2021] fastcgi_params.default
│   ├── [root root 5.1K Jul 10 2021] mime.types.default
│   ├── [root root 2.6K Jul 10 2021] nginx.conf.default
│   ├── [root root 473 Apr 13 00:44] php.conf
│   ├── [root root 636 Jul 10 2021] scgi_params.default
│   └── [root root 664 Jul 10 2021] uwsgi_params.default
├── [root root 4.0K Apr 16 12:15] ErrorPages
│   ├── [root root 363 Apr 16 14:02] error_pages.conf
│   ├── [root root 1.1K Apr 16 13:59] error_pages_content.conf
│   ├── [root root 3.8K Apr 16 11:41] HTTP400.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP401.html
│   ├── [root root 3.8K Apr 16 17:44] HTTP403.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP404.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP405.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP406.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP407.html
│   ├── [root root 4.1K Apr 16 11:41] HTTP408.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP409.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP410.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP411.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP412.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP413.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP414.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP415.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP416.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP417.html
│   ├── [root root 3.7K Apr 16 11:41] HTTP418.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP422.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP425.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP426.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP428.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP429.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP431.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP451.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP499.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP500.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP501.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP502.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP503.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP504.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP505.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP508.html
│   ├── [root root 3.9K Apr 16 11:41] HTTP511.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP520.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP521.html
│   ├── [root root 3.8K Apr 16 11:41] HTTP525.html
│   └── [root root 3.8K Apr 16 11:41] HTTP533.html
├── [root root 1.1K Apr 26 2021] fastcgi.conf
├── [root root 1.1K Dec 21 06:31] fastcgi.conf.default
├── [root root 1011 Apr 26 2021] fastcgi_params
├── [root root 1007 Dec 21 06:31] fastcgi_params.default
├── [root root 4.0K Jan 22 02:47] headers.d
│   ├── [root root 1.5K Apr 30 00:34] 00-servicesHeaders.conf
│   ├── [root root 711 Aug 14 2021] 01-themesHeaders.conf
│   ├── [root root 851 Jan 23 11:32] 02-pi-holeHeaders.conf
│   ├── [root root 831 Dec 9 01:24] 03-bitwardenHeaders.conf
│   ├── [root root 1.3K Sep 25 2021] 04-nextcloudHeaders.conf
│   ├── [root root 787 Apr 12 01:11] 05-archivesHeaders.conf
│   ├── [root root 1.3K Mar 19 00:16] 06-jellyfinHeaders.conf
│   ├── [root root 735 Aug 14 2021] 07-ntpHeaders.conf
│   ├── [root root 770 Jan 22 02:50] 08-privatebinHeaders.conf
│   ├── [root root 764 Aug 14 2021] 09-osmiumHeaders.conf
│   ├── [root root 818 Aug 14 2021] 10-giteaHeaders.conf
│   ├── [root root 742 Aug 14 2021] 11-chatHeaders.conf
│   ├── [root root 742 Oct 8 2021] 12-jitsiHeaders.conf
│   ├── [root root 742 Oct 8 2021] 13-officeHeaders.conf
│   ├── [root root 742 Oct 8 2021] 14-jenkinsHeaders.conf
│   ├── [root root 740 Apr 22 05:21] 15-matrixHeaders.conf
│   ├── [root root 742 Oct 8 2021] 16-turnHeaders.conf
│   ├── [root root 742 Oct 8 2021] 17-identHeaders.conf
│   ├── [root root 743 Oct 12 2021] 18-slateHeaders.conf
│   ├── [root root 156 Aug 14 2021] 98-dnsDoHHeaders.conf
│   └── [root root 628 Aug 14 2021] 99-vouchHeaders.conf
├── [root root 2.8K Dec 21 06:31] koi-utf
├── [root root 2.2K Dec 21 06:31] koi-win
├── [root root 17K Apr 16 11:41] LICENSE
├── [root root 35K Jul 22 2021] mime.types
├── [root root 5.1K Dec 21 06:31] mime.types.default
├── [root root 4.0K Apr 16 11:41] NGINX
│   ├── [root root 4.0K Apr 16 11:41] ErrorPages
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP400.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP401.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP403.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP404.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP405.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP406.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP407.html
│   │   ├── [root root 4.1K Apr 16 11:41] HTTP408.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP409.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP410.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP411.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP412.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP413.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP414.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP415.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP416.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP417.html
│   │   ├── [root root 3.7K Apr 16 11:41] HTTP418.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP422.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP425.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP426.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP428.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP429.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP431.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP451.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP499.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP500.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP501.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP502.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP503.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP504.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP505.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP508.html
│   │   ├── [root root 3.9K Apr 16 11:41] HTTP511.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP520.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP521.html
│   │   ├── [root root 3.8K Apr 16 11:41] HTTP525.html
│   │   └── [root root 3.8K Apr 16 11:41] HTTP533.html
│   ├── [root root 17K Apr 16 11:41] LICENSE
│   └── [root root 38 Apr 16 11:41] README.md
├── [root root 5.9K May 16 23:09] nginx.conf
├── [root root 2.6K Dec 21 06:31] nginx.conf.default
├── [root root 38 Apr 16 11:41] README.md
├── [root root 636 Dec 21 06:31] scgi_params
├── [root root 636 Dec 21 06:31] scgi_params.default
├── [nginx nginx 4.0K Oct 8 2021] ssl
│   ├── [nginx nginx 4.0K Apr 22 00:46] < MY-TLD >
│   ├── [nginx nginx 4.4K Oct 8 2021] cert.crt
│   ├── [root root 1.7K Apr 22 00:43] cert.pem
│   ├── [nginx nginx 2.8K Oct 8 2021] dhparam.pem
│   ├── [nginx nginx 288 Oct 8 2021] privkey.key
│   └── [root root 848 Apr 22 00:46] privkey.pem
├── [root root 4.0K Oct 8 2021] stream.d
│   ├── [root root 671 May 16 23:19] 00-dnsTLS.conf
│   ├── [root root 98 Mar 18 2021] 01-ntp.conf
│   ├── [root root 101 Jul 26 2021] 02-sshbaldr.conf
│   ├── [root root 101 Jul 26 2021] 03-sshnanna.conf
│   ├── [root root 100 Jul 26 2021] 04-sshodin.conf
│   ├── [root root 105 Jul 26 2021] 05-sshheimdallr.conf
│   ├── [root root 101 Jul 26 2021] 06-sshsmart.conf
│   ├── [root root 96 Sep 22 2021] 07-sshgitlab.conf
│   └── [root root 315 Oct 8 2021] 08-xmpp.conf
├── [root root 4.0K Jul 10 2021] themes.d
│   ├── [root root 4.0K Jul 10 2021] css
│   │   ├── [root root 4.0K Jul 10 2021] bitwarden
│   │   │   ├── [root root 9.9K Jul 10 2021] base.css
│   │   │   ├── [root root 151 Jul 10 2021] royal.css
│   │   │   └── [root root 559 Jul 10 2021] vars.css
│   │   ├── [root root 4.0K Jul 10 2021] jellyfin
│   │   │   ├── [root root 2.4K Jul 10 2021] advanced.css
│   │   │   ├── [root root 15K Jul 10 2021] base.css
│   │   │   └── [root root 4.6K Jul 10 2021] winterset.css
│   │   └── [root root 4.0K Jul 10 2021] pihole
│   │       ├── [root root 12K Jul 10 2021] base.css
│   │       └── [root root 575 Jul 10 2021] glow.css
│   └── [root root 184 Jul 10 2021] themes.conf
├── [root root 664 Dec 21 06:31] uwsgi_params
├── [root root 664 Dec 21 06:31] uwsgi_params.default
└── [root root 3.5K Dec 21 06:31] win-utf
14 directories, 172 files
@Argone Does this help?
We will see.
I'm currently upgrading to Fedora 36 on my Edge Proxy, so give me some time.
@PhaseLockedLoop Adding something like (^|\.)(cn|ru|hk)$
to my Blacklist RegEx Filter on pihole should help keep me from accessing China, Russia, and Hong Kong, correct? Then I can look up some more ccTLDs (country code top-level domains) to block somewhere online, right?
Yes it would, at least those domains it will.
Is this a good list to use? I know it's a wiki.
Yea, I didn't get it working. Oof. I don't really need it. I'll try another time when I am less frustrated. And I will read up on documentation.
It's strange because your configs look correct.
I think it is an nginx-side or firewall issue.
Nearly guaranteeing it's a firewall deal… It could potentially be SELinux too. Make sure the contexts are right for the nginx proxy, IF you run SELinux.
How did you get Let's Encrypt to work? i.e. what I did may not have been the proper way. I set up a cert for my primary domain and used those configs for the DoT.
What does your forward-zone look like for the name attribute?
I am not sure what to put in name. I originally did "." and tried "mywebsite.com."
Ahh shit, that's what's up.
So you have to have a wildcard cert for DoT.
Give me your URL for DoT, I'll knot it.
I don't have a forward zone. My server is a recursor. It is the forward zone.
I meant for DoT.
I don't have one. As I said, DoT terminates at NGINX and ingresses as 53 from there to my recursive server.