Adguard Home with Traefik

Hi everyone
I'm looking for some assistance with setting up Adguard Home with Traefik. I would like Traefik to handle all connections to Adguard including DoT. I have tried many different configuration options but I cannot get DoT traffic to work; udp 53 is working as expected.

This works for DoH

http:
  routers:
    doh:
      rule: "Host(`dns.domain.gtld`)"
      service: "doh"
      entryPoints: ["websecure"]
      tls: {}
  services:
    doh:
      loadBalancer:
        servers:
          - url: "https://dns1.domain.gtld/dns-query"
          - url: "https://dns2.domain.gtld/dns-query"

dns.domain.gtld is public DNS,
whilst dns1||dns2 are internal DNS rewrites. This will expose the DoH server with 2 or more backbones.

Thanks for your reply. What about DoT, were you able to get that to work?


http:
  routers:
    dot:
      rule: "HostSNI(`dns.domain.gtld`)"
      service: "dot"
      entryPoints: ["dot"]
      tls: {}

  services:
    dot:
      loadBalancer:
        servers:
          - url: "tcp://dns1.domain.gtld:853"
          - url: "tcp://dns2.domain.gtld:853"

Should work, but this will give you a single point of failure in Traefik.

Thanks, quick question though: since DoT is a TLS connection, wouldn't that be considered a TCP connection, not HTTP?

True, so not sure if it would work. You need to let Traefik listen on 853 at least. I'll set it up in a lab and try.

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  level: DEBUG

api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: ":80" # HTTP entry point
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443" # HTTPS entry point
    http2:
      maxConcurrentStreams: 42
    http3:
      advertisedPort: 443
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: 42s
        graceTimeOut: 42s
      respondingTimeouts:
        readTimeout: 42s
        writeTimeout: 42s
        idleTimeout: 42s
  dot:
    address: ":853" # DoT entry point

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik
    watch: true

http:
  # Middlewares are dynamic HTTP config and must live under "http:",
  # not at the top level.
  middlewares:
    hsts:
      headers:
        customResponseHeaders:
          Strict-Transport-Security: "max-age=31536000; includeSubDomains"

  routers:
    doh:
      rule: "Host(`doh.domain.pw`)"
      service: "doh"
      entryPoints:
        - websecure
      tls: {}

  services:
    doh:
      loadBalancer:
        servers:
          - url: "https://dns1.domain.pw/dns-query"
          - url: "https://dns2.domain.pw/dns-query"

tcp:
  routers:
    dot:
      rule: "HostSNI(`dot.domain.pw`)"
      service: "dot"
      entryPoints:
        - dot
      tls: {}

  services:
    dot:
      loadBalancer:
        servers:
          - address: "dns1.domain.pw:853"
          - address: "dns2.domain.pw:853"

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/fullchain.cer
        keyFile: /etc/traefik/domain.pw.key

This works and makes a TCP router.
This gives a weird warning on the endpoint for the TCP router. I'll see if I can find where to fix it, but I just tested this and it works.
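A TCP router with a `HostSNI` rule only matches when the client actually sends SNI, so a quick way to verify the DoT path above is a probe that speaks RFC 7858 (TLS on 853, 2-byte length-prefixed DNS messages) with SNI set. This is an added example, not code from the thread or from Traefik or AdGuard; the host and SNI names are assumptions, and the default context verifies the certificate chain and hostname so a misrouted or self-signed backend shows up as a TLS error rather than a silent success.

```python
"""Minimal DNS-over-TLS probe (RFC 7858) for checking a TCP/HostSNI router."""
import socket
import ssl
import struct

TXID = 0x1234  # fixed transaction ID so the reply can be matched


def build_query(name, qtype=1):
    """Encode a DNS query in RFC 1035 wire format: header, one question, RD set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def frame(msg):
    """DoT, like DNS over TCP, prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_response(resp):
    """Return (rcode, answer_count) from a response header; reject a wrong ID."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != TXID:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, ancount


def recv_exact(sock, n):
    """Read exactly n bytes or raise; TCP may deliver the frame in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def dot_query(host, sni, name, port=853, cafile=None, timeout=5.0):
    """Send one A query over TLS; server_hostname is what sets the SNI Traefik routes on."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame(build_query(name)))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_response(recv_exact(tls, length))


if __name__ == "__main__":
    # Assumed names: the Traefik entry point and the HostSNI value from the config above.
    print(dot_query("dot.domain.pw", "dot.domain.pw", "example.com"))
```

A `(0, n)` result with `n > 0` means the TLS handshake, SNI routing and backend resolution all worked; an `ssl.SSLError` on the handshake usually means the wrong certificate store or a router that did not match.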

Your config seems "dirty". You are mixing static and dynamic config in the same file. This can work as long as there is no overlap.

Usually static config goes into traefik.yml and dynamic config in a different file, loaded with providers.file.


Frankenstein works, but yes, it's dirty. Tbh I had ChatGPT write the first thing, then I fixed part of it.

I appreciate your help, this worked!


Hi, could you send the entire final configuration? I've been struggling with this problem for a long time ;/

The whole config is on top there; check post 7.
