DNS over HTTPS on Ubiquiti USG

If you want to send your DNS queries to Cloudflare's 1.1.1.1 over HTTPS from a Ubiquiti USG, read on.

The first step is to compile and install cloudflared. I used a Mac and Docker to cross-compile the binary from GitHub (the USG is a 32-bit big-endian MIPS target, hence GOOS=linux GOARCH=mips).

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=mips golang bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared; GOOS=linux GOARCH=mips go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared"

After compiling you'll end up with a file called cloudflared on your local machine. Copy it to the /config/scripts/ folder on the USG, using SCP or a GUI client for Mac such as Transmit.

Log in to the USG via SSH, become root, and make the file executable.

sudo su
chmod +x /config/scripts/cloudflared

Create a startup script in /config/scripts/post-config.d so that cloudflared is started on every boot and every provision:

vi /config/scripts/post-config.d/cloudflare-dns.sh


#!/bin/bash
# start DNS proxy to Cloudflare

# stop any instance left over from a previous boot or provision
/usr/bin/pkill cloudflared

# listen for plain DNS on 127.0.0.1:5053 and forward it over HTTPS;
# dnsmasq is pointed at this port by config.gateway.json
nohup /config/scripts/cloudflared --no-autoupdate --proxy-dns --proxy-dns-port 5053 &>/var/log/cloudflared.log &

Change permission to make the file executable.

chmod +x /config/scripts/post-config.d/cloudflare-dns.sh

Create the following JSON file with a text editor such as TextEdit or Atom on your Mac. The structure of the file matters as much as its contents: a misplaced bracket, comma, line break or any other structural error makes the JSON invalid and the controller will not provision it. Save it as config.gateway.json.

{

        "service": {
                "dns": {
                        "forwarding": {
                                "options": [
                                        "no-resolv",
                                        "strict-order",
                                        "server=127.0.0.1#5053",
                                        "server=1.1.1.1",
                                        "server=1.0.0.1",
                                        "domain=my.domain.com,192.168.1.0/24,local"
                                ]
                        }
                }
        }
}
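Before copying the file to the controller it is worth checking it on the Mac, both for JSON validity and for what the dnsmasq options actually do. The following script is an added example and is not part of the original post or of Ubiquiti's or Cloudflare's tooling. It parses a config.gateway.json, confirms the service.dns.forwarding.options nesting the USG expects, and reports the security-relevant points: with strict-order, dnsmasq tries servers in the order listed, so the local cloudflared proxy (127.0.0.1#5053, the port used by the startup script above) must come first, and every other plain server= entry is a plaintext port-53 fallback that dnsmasq will use whenever the proxy is down. The option semantics are dnsmasq's own; the embedded sample configs are the post's config and a constructed broken variant.

```python
"""Pre-flight check for config.gateway.json, run on the Mac before the file
is copied to the UniFi controller.  Added example, not code from the post."""
import json
import re
import sys

# cloudflared listens here because the startup script passes --proxy-dns-port 5053
PROXY_SERVER = "127.0.0.1#5053"

# dnsmasq "server=<addr>[#port]" entries; domain-scoped "server=/example.com/<addr>"
# entries are deliberately not matched, they are not general fallbacks
_SERVER_RE = re.compile(r"^server=([^/,]+)$")

# the config from the post, embedded so the script runs stand-alone
POST_CONFIG = """
{
        "service": {
                "dns": {
                        "forwarding": {
                                "options": [
                                        "no-resolv",
                                        "strict-order",
                                        "server=127.0.0.1#5053",
                                        "server=1.1.1.1",
                                        "server=1.0.0.1",
                                        "domain=my.domain.com,192.168.1.0/24,local"
                                ]
                        }
                }
        }
}
"""

# constructed example of a typical hand-editing mistake (trailing comma)
BROKEN_CONFIG = '{"service": {"dns": {"forwarding": {"options": ["no-resolv",]}}}}'


def parse_gateway_json(text):
    """Parse the file and return the dnsmasq forwarding options list.

    Raises ValueError with a readable message when the JSON is malformed or
    the service.dns.forwarding.options nesting the USG expects is missing.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("invalid JSON at line %d column %d: %s"
                         % (exc.lineno, exc.colno, exc.msg)) from None
    try:
        options = data["service"]["dns"]["forwarding"]["options"]
    except (KeyError, TypeError):
        raise ValueError("missing service.dns.forwarding.options") from None
    if not isinstance(options, list) or not all(isinstance(o, str) for o in options):
        raise ValueError("options must be a list of strings")
    return options


def audit_options(options, proxy=PROXY_SERVER):
    """Return a list of findings; an empty list means the options look right."""
    findings = []
    servers = [m.group(1) for m in map(_SERVER_RE.match, options) if m]
    if "no-resolv" not in options:
        findings.append("no-resolv missing: dnsmasq will also use the servers in /etc/resolv.conf")
    if "strict-order" not in options:
        findings.append("strict-order missing: servers are tried in arbitrary order, so a "
                        "plaintext fallback may be used even while the proxy is healthy")
    if proxy not in servers:
        findings.append("no server=%s entry: queries never reach cloudflared" % proxy)
    elif servers[0] != proxy:
        findings.append("server=%s is not the first server entry" % proxy)
    for s in servers:
        if s != proxy:
            findings.append("server=%s is a plaintext port-53 fallback; "
                            "remove it if you want DoH only" % s)
    return findings


if __name__ == "__main__":
    # usage: python3 check_gateway_json.py [path/to/config.gateway.json]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POST_CONFIG
    try:
        findings = audit_options(parse_gateway_json(text))
    except ValueError as exc:
        sys.exit("invalid config.gateway.json: %s" % exc)
    for finding in findings:
        print("WARN:", finding)
    print("OK" if not findings else "%d warning(s)" % len(findings))
```

Run against the post's config it reports two warnings, one for each of the plaintext fallbacks 1.1.1.1 and 1.0.0.1. That is a deliberate trade-off in the post's config (resolution keeps working if cloudflared dies), but it also means a broken proxy silently degrades to unencrypted DNS, so check /var/log/cloudflared.log rather than assuming that working resolution means DoH is in use.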

Now copy this file to your controller (again via SCP or a GUI client for Mac such as Transmit). On a Cloud Key install the path for the .json file is /srv/unifi/data/sites/[site name/default]/

Read here for more information on the config.gateway.json file -https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration

Once done, head over to your controller dashboard and select Devices, then the USG, then Config, Manage Device and Force Provision.

Once the provisioning completes, validate that the DNS server on your machine is the USG's IP. Then test your DNS by visiting the following URL on your Mac:

https://www.cloudflare.com/ssl/encrypted-sni/


Screenshot 2018-10-22 at 9.11.24 PM

If it doesn't work, delete the two lines in red in config.gateway.json and force provision again.

EDIT:

So apparently, after a reboot of the USG, I started seeing errors in the logs stating that a secure connection to 1.1.1.1 could not be made. I first thought the ISP was blocking the connection, but later realized that my WAN IP persisted after a reboot. I tried multiple combinations, but the following worked:

<Kill the process>
ps -ef | grep cloudflared
kill -9 <Process ID of cloudflared from the command above>

<Remove the startup script>
rm -f /config/scripts/post-config.d/cloudflare-dns.sh

<Reboot the USG>
<Start cloudflared>
nohup /config/scripts/cloudflared --no-autoupdate --proxy-dns --proxy-dns-port 5053 &>/var/log/cloudflared.log &
<Validate that there are no errors in /var/log/cloudflared.log>

<Reset the contents of config.gateway.json to the one above - which means if you deleted the text in red, put it back>
<Force provision the USG again>
<Test - https://www.cloudflare.com/ssl/encrypted-sni/>
<If it still doesn't work, delete the two red lines in config.gateway.json>


Source

https://community.ubnt.com/t5/UniFi-Routing-Switching/Countering-plaintext-DNS-with-1-1-1-1/td-p/2300769

https://bendews.com/posts/implement-dns-over-https/