[Dnsmasq-discuss] Forwarding UDP requests to TCP, some other concerns
list-dnsmasq-discuss at box559.com
Wed Aug 21 22:06:23 UTC 2024
Corey Minyard wrote on 2024-08-19 12:38pm:
> On Mon, Aug 19, 2024 at 1:56 PM Buck Horn via Dnsmasq-discuss
> <dnsmasq-discuss at lists.thekelleys.org.uk> wrote:
>>
>> On 19.08.24 18:38, Corey Minyard wrote:
>>
>> On Mon, Aug 19, 2024 at 8:58 AM Buck Horn via Dnsmasq-discuss <dnsmasq-discuss at lists.thekelleys.org.uk> wrote:
>>>
>>> It's not entirely clear from your description, but if your goal would be
>>> to have dnsmasq forward DNS requests to a DoT server, then dnsmasq can't
>>> do that: It fully supports DNS (port 53 UDP/TCP), but does not support
>>> DoT (port 853 TCP) at all. You would need a DoT proxy between dnsmasq
>>> and your DoT server for that use case.
>>
>>
>> That's my overall goal, but I have stunnel which will take a TCP connection and forward it over TLS. It would be nice if dnsmasq would support DoT, but I'm ok that it doesn't. bind doesn't, either.
>>
>>
>> I see - so your dnsmasq TCP requirement is introduced by your choice of stunnel?
>>
>> But stunnel isn't a DoT proxy, it is a TLS proxy wrapper, and as such, would lack UDP support, somewhat naturally employing TCP only.
>>
>> A proper DoT proxy would have to support UDP as well as TCP, as both protocols are mandatory for DNS.
>>
>> Instead of trying to find some bandaid for dnsmasq, I'd recommend considering a proper DoT/DoX proxy instead (e.g. AdguardTeam/dnsproxy). Or if you would already happen to run nginx, I believe that could also be configured to act as a DNS to DoT gateway.
>
> Ah, that's what I was looking for. I searched and for some reason
> these didn't show up, I got some things that were woefully inadequate.
> One of these should do what I'm looking for.
>
> Thanks,
>
> -corey
>
>>
>> Kind regards,
>>
>> Buck
You could just run unbound on the box where you are trying to run
dnsmasq and let unbound do the forwarding. It easily supports DoT (and a
bunch of other protocols).
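As an added illustration of the unbound-in-front-of-dnsmasq arrangement suggested above (this is example configuration written for this thread, not something posted by the list members or shipped by either project): unbound listens on loopback, forwards everything upstream over TLS on port 853, and dnsmasq is pointed at it instead of at a plain-DNS resolver. The upstream address 192.0.2.1, the name dot.example.net, and port 5335 are placeholders chosen for the example; substitute your real DoT provider's IP and the hostname its certificate carries.

```conf
# --- /etc/unbound/unbound.conf.d/dot-forward.conf (example, placeholder values) ---
server:
    # Only dnsmasq on this host talks to unbound; keep it off the network.
    interface: 127.0.0.1
    port: 5335
    access-control: 127.0.0.0/8 allow
    # CA bundle used to validate the upstream resolver's TLS certificate.
    # Path shown is the Debian/Ubuntu location; adjust for your distribution.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Format is IP@port#authname. The "#authname" part makes unbound check
    # that the certificate matches that name; without it the TLS session is
    # encrypted but the resolver's identity is not verified.
    forward-addr: 192.0.2.1@853#dot.example.net

# --- /etc/dnsmasq.d/forward-to-unbound.conf (example) ---
# Ignore /etc/resolv.conf and send all upstream queries, UDP and TCP,
# to the local unbound instance. dnsmasq keeps its DHCP/local-name role.
no-resolv
server=127.0.0.1#5335
```

With this layout dnsmasq never needs TCP-only upstreams or a stunnel hop: unbound accepts the UDP and TCP queries dnsmasq forwards, and the TLS leg is handled entirely inside unbound. The one setting worth double-checking is the `#authname` suffix on `forward-addr` together with `tls-cert-bundle`; leaving either out yields a connection that is encrypted but not authenticated, which defeats most of the reason for moving to DoT in the first place.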