<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 19.08.24 18:38, Corey Minyard wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAB9gMfpi7f=smgtf3aZsobSAJsJbwUM6i1hCXjTO+wKHuEWbhQ@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">On Mon, Aug 19, 2024 at 8:58 AM Buck Horn via
Dnsmasq-discuss &lt;<a
href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">dnsmasq-discuss@lists.thekelleys.org.uk</a>&gt;
wrote:<br>
</div>
<div class="gmail_quote">
<blockquote class="gmail_quote">It's not entirely clear from
your description, but if your goal would be<br>
to have dnsmasq forward DNS requests to a DoT server, then
dnsmasq can't<br>
do that: It fully supports DNS (port 53 UDP/TCP), but does
not support<br>
DoT (port 853 TCP) at all. You would need a DoT proxy
between dnsmasq<br>
and your DoT server for that use case.<br>
</blockquote>
<div><br>
</div>
<div>That's my overall goal, but I have stunnel which will
take a TCP connection and forward it over TLS. It would be
nice if dnsmasq would support DoT, but I'm ok that it
doesn't. bind doesn't, either.</div>
</div>
</div>
</blockquote>
<p>I see - so your dnsmasq TCP requirement is introduced by your
choice of stunnel?<br>
<br>
But stunnel isn't a DoT proxy; it is a TLS proxy wrapper, and as
such would lack UDP support, somewhat naturally employing TCP
only.</p>
<p>A proper DoT proxy would have to support UDP as well as TCP, as
both protocols are mandatory for DNS.</p>
<p>Instead of trying to find some band-aid for dnsmasq, I'd recommend
considering a proper DoT/DoX proxy instead (e.g.
AdguardTeam/dnsproxy). Or if you already happen to run
nginx, I believe that could also be configured to act as a DNS-to-DoT
gateway.</p>
<p>Kind regards,<br>
Buck</p>
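<p>Added example, not code from this thread nor from dnsmasq, stunnel or dnsproxy: the re-framing a UDP-facing DoT proxy has to do and a pure TCP/TLS wrapper does not. DNS over TCP and DoT both carry each message behind a two-octet big-endian length (RFC 1035 section 4.2.2, RFC 7858), while a UDP datagram is the bare message; the query builder and the names in it are constructed for the demo, and the TLS layer itself is left out.</p>

```python
"""UDP <-> TCP/DoT DNS re-framing (constructed example, not dnsmasq code).
A TCP-only TLS wrapper forwards bytes as-is; a UDP client's datagram has
to be length-prefixed before it can go into a TCP or DoT stream, and the
stream coming back has to be split into messages again."""
import struct


def frame_for_tcp(udp_message: bytes) -> bytes:
    """Wrap a bare DNS message (as received over UDP) for a TCP/DoT stream."""
    if len(udp_message) > 0xFFFF:
        raise ValueError("DNS message exceeds the 16-bit TCP length field")
    return struct.pack("!H", len(udp_message)) + udp_message


def unframe_tcp_stream(buf: bytes):
    """Split a TCP/DoT byte stream into complete DNS messages.
    Returns (messages, remainder); remainder is a partial frame that must
    be kept until the next read completes it (a TCP read may stop anywhere)."""
    messages = []
    while len(buf) >= 2:
        (length,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + length:
            break  # partial frame: wait for more bytes
        messages.append(buf[2:2 + length])
        buf = buf[2 + length:]
    return messages, buf


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed A/IN query for `name` in bare (UDP) wire format, RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def udp_datagrams_to_dot_stream(datagrams) -> bytes:
    """What a UDP-facing DoT proxy writes into its TLS connection for a
    batch of client datagrams (before TLS encryption, which is omitted)."""
    return b"".join(frame_for_tcp(d) for d in datagrams)
```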
</body>
</html>