The latest articles on DEV Community by xeptore (@xeptore). https://dev.to/xeptore https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3303419%2F4289bdba-3af1-4a21-9c2e-3fabc372585b.png https://dev.to/xeptore en xeptore Sun, 29 Jun 2025 08:42:20 +0000 https://dev.to/xeptore/wireguard-dov-dns-over-vpn-ell https://dev.to/xeptore/wireguard-dov-dns-over-vpn-ell <h2> Why? </h2> <p>To preserve DNS privacy, and prevent sniffing/spoofing, which is a common technique used by ISPs to restrict internet access in countries like mine, we can tunnel DNS traffic through WireGuard and use a remote, private, and trusted DNS server. Keep in my that this will <strong>only tunnel DNS traffic</strong>.</p> <h2> Setup </h2> <p>In this guide, I'll use <a href="https://github.com/AdguardTeam/dnsproxy/" rel="noopener noreferrer">Adguard dnsproxy</a> as the DNS resolver, which is easy to setup and get it to work. Of course you can use any DNS server of your choice. Some alternatives that I can remember are (in no specific order):</p> <ul> <li><a href="https://github.com/DNSCrypt/dnscrypt-proxy" rel="noopener noreferrer">dnscrypt-proxy</a></li> <li><a href="https://coredns.io/" rel="noopener noreferrer">CoreDNS</a></li> <li><a href="https://nlnetlabs.nl/projects/unbound/about/" rel="noopener noreferrer">Unbound</a></li> </ul> <h2> WireGuard Server Config </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># wgdns.conf </span>[<span class="n">Interface</span>] <span class="n">PrivateKey</span> = <span class="n">server_prv</span> <span class="n">Address</span> = <span class="m">10</span>.<span class="m">3</span>.<span class="m">3</span>.<span class="m">1</span>/<span class="m">24</span> <span class="n">Address</span> = <span class="m">10</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">1</span>/<span class="m">32</span> <span class="n">ListenPort</span> = <span class="m">64539</span> <span class="n">MTU</span> = <span class="m">1280</span> [<span class="n">Peer</span>] <span class="n">PublicKey</span> = <span class="n">client_pub</span> <span class="n">PresharedKey</span> = <span class="n">psk</span> <span class="n">AllowedIPs</span> = <span class="m">10</span>.<span class="m">3</span>.<span class="m">3</span>.<span class="m">2</span>/<span class="m">32</span> </code></pre> </div> <p>Subnet <code>10.3.3.0/24</code> is used for WireGuard peers, and <code>10.0.0.1/32</code> will be assigned to the DNS server.</p> <h2> WireGuard Client Config </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code>[<span class="n">Interface</span>] <span class="n">PrivateKey</span> = <span class="n">client_prv</span> <span class="n">Address</span> = <span class="m">10</span>.<span class="m">3</span>.<span class="m">3</span>.<span class="m">2</span>/<span class="m">32</span> <span class="n">MTU</span> = <span class="m">1280</span> <span class="n">DNS</span> = <span class="m">10</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">1</span> [<span class="n">Peer</span>] <span class="n">PublicKey</span> = <span class="n">server_pub</span> <span class="n">PresharedKey</span> = <span class="n">psk</span> <span class="n">AllowedIPs</span> = <span class="m">10</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">1</span>/<span class="m">32</span> <span class="n">PersistentKeepalive</span> = <span class="m">15</span> <span class="n">Endpoint</span> = <span class="n">server_ip</span>:<span class="m">64539</span> </code></pre> </div> <h2> dnsproxy </h2> <p>Download and extract the <a href="https://github.com/AdguardTeam/dnsproxy/releases/latest/" rel="noopener noreferrer">latest release</a> of <code>dnsproxy</code>, and spin it up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./dnsproxy <span class="se">\</span> <span class="nt">--cache</span> <span class="se">\</span> <span class="nt">--ipv6-disabled</span> <span class="se">\</span> <span class="nt">--pending-requests-enabled</span> <span class="se">\</span> <span class="nt">--refuse-any</span> <span class="se">\</span> <span class="nt">--udp-buf-size</span><span class="o">=</span>4096 <span class="se">\</span> <span class="nt">-l</span> 10.0.0.1 <span class="se">\</span> <span class="nt">-p</span> 53 <span class="se">\</span> <span class="nt">-u</span> udp://1.1.1.1:53 <span class="se">\</span> <span class="nt">-u</span> udp://1.0.0.1:53 </code></pre> </div> <p>Or with equivalent config file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># config.yaml</span> <span class="na">cache</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ipv6-disabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">pending-requests-enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">refuse-any</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">udp-buf-size</span><span class="pi">:</span> <span class="m">4096</span> <span class="na">listen-addrs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">10.0.0.1</span> <span class="na">listen-ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">53</span> <span class="na">upstream</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">udp://1.1.1.1:53</span> <span class="pi">-</span> <span class="s">udp://1.0.0.1:53</span> </code></pre> </div> <h2> Firewall Rules </h2> <ul> <li> <p>Allow WireGuard inbound connections:<br> </p> <pre class="highlight shell"><code>ufw rule allow <span class="k">in </span>on eth0 proto udp to SERVER_PUBLIC_IP/32 port 64539 comment <span class="s1">'WireGuard Inbound'</span> </code></pre> <p>Where <code>eth0</code> is the public-facing network interface of the server.</p> </li> <li> <p>Allow WireGuard peers to query DNS server:<br> </p> <pre class="highlight shell"><code>ufw rule allow <span class="k">in </span>on wgdns proto udp from 10.3.3.0/24 to 10.0.0.0/24 port 53 comment <span class="s1">'WireGuard DNS'</span> </code></pre> <p>Where <code>wgdns</code> is the name of WireGuard interface.</p> </li> </ul> <h2> Limitations </h2> <p>Spinning up the <code>dnsproxy</code> server(s) should happen after WireGuard interface is up as IP(s) are not available otherwise. One solution for having a separate DNS interface is to use the <code>dummy</code> network kernel module like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ip <span class="nb">link </span>add dummy0 <span class="nb">type </span>dummy ip addr add 10.0.0.1/32 dev dummy0 ip <span class="nb">link set </span>dummy0 mtu 1280 up </code></pre> </div> <p>If <code>dummy</code> module isn't already enabled:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>modprobe dummy </code></pre> </div> <p>Note: This is not persistent against reboots. Ask ChatGPT for ways to make it so.</p> <h2> Moving Forward </h2> <ul> <li> <p>You can spin up multiple <code>dnsproxy</code> servers on different IPs. In order for peers to access it, you'll need to:</p> <ul> <li>Assign a new IP to the DNS interface (<code>wgdns</code> or <code>dummy0</code>)</li> <li>Apply the respective firewall rule</li> <li>Update both <code>DNS</code>, and <code>AllowedIPs</code> of peers to match the new DNS server IP</li> </ul> </li> <li><p>You can use port-forwarded UDP, or TCP (DoH, or DoT for example) ports instead of local process to escape network restrictions (e.g., by using tools like <a href="https://github.com/rathole-org/rathole/" rel="noopener noreferrer">rathole</a>)</p></li> </ul> <h2> Bonus </h2> <p>dnsproxy Systemd service template: <a href="https://github.com/xeptore/gist/blob/main/systemd/dnsproxy@.service" rel="noopener noreferrer">https://github.com/xeptore/gist/blob/main/systemd/dnsproxy@.service</a></p> wireguard dns privacy vpn