    Own SmartDNS with HAproxy and DNSmasq

    2018 - 09.15

    In my earlier article “Chromecast with Zattoo and Unblock-Us” I already wrote about how to use so-called “SmartDNS” services with OpenWrt routers. In this article I want to show how to set up and configure such a service on your own server. The goal is that I no longer have to use my OpenVPN account to access Netflix and Zattoo in Switzerland. The basic setup of my server is described in the article “Configuring Ubuntu OpenVPN Server”.

    What is SmartDNS and what do I need it for?

    SmartDNS refers to services such as Unblock Us, Unotelly or Tunlr. There are many more; you can compare them at http://Smartdnscomparison.com/. They operate their own DNS server, which resolves certain domains to the address of a so-called reverse proxy, which then fetches the content on the client's behalf. As a result, the content provider sees the reverse proxy's IP address instead of your own. Since the reverse proxy is located in a different country (the target country), you can also retrieve content that is blocked in your own country. So if you do not live in the EU but want to use Zattoo and Netflix, you can do so by redirecting these services via the reverse proxy. The following screenshot shows how Zattoo, Netflix and wieistmeineip.de determine their location as Switzerland, while the website meine-aktuelle-ip.de shows the real location, “Qatar”. The latter is not loaded via the reverse proxy; the first three are.

    Advantages and disadvantages of SmartDNS compared to VPN

    VPN connections always send absolutely all network data through the encrypted VPN tunnel. You can be selective here as well, as I described in my article about simultaneous VPN connections, but then you have to work through it IP address by IP address. Video streaming via a reverse proxy with SmartDNS has the following advantages over VPN.

    • Faster than VPN because no additional data is transferred
    • Less CPU power required, as no encryption is used
    • No additional software required on the router
    • Rarely blocked by firewalls and packet inspection

    The main advantage over VPN is speed. A connection via reverse proxy is simply significantly faster and can transport larger amounts of data, since no additional VPN header data needs to be transmitted. If you don't use Chromecast or other limited devices, this also works with ordinary consumer routers without custom firmware such as OpenWrt. However, the enormous speed advantage comes at the price of the following disadvantages.

    • More complex setup, since firewall, proxy and DNS all have to be configured
    • Higher maintenance effort, because domains have to be maintained
    • Lower security, because data is usually transmitted unencrypted

    After weighing up the advantages and disadvantages you should decide which technology to use. In many cases it makes sense to use both VPN and SmartDNS with a reverse proxy. That is the case for me, since I live in a country with acceptable Internet connections of up to 100 Mbit/s but hardly any services and providers. Here I use SmartDNS for Netflix video and Zattoo TV streaming, and OpenVPN for Asterisk IP telephony as well as online banking and some other sensitive services.

    For the installation we first need a server at the desired location; for me that is a server in Zurich. Of course you can also use one in the USA, Great Britain or Austria, depending on which services you want to use. On this server we need the software HAproxy for the reverse proxy and DNSmasq for the DNS server. In this guide I use Ubuntu 14.04 as the operating system.

    Install and configure DNSmasq

    The DNS server DNSmasq is already in the Ubuntu repository and can therefore be installed directly with the following command.

    The configuration of DNSmasq is in “/etc/dnsmasq.conf” and is kept relatively simple. All domains that we want to redirect to our reverse proxy are entered there. For Zattoo and Netflix I added the following DNS address entries at the end of the file. Of course you have to replace the IP address “192.168.1.1” with the IP address of the server you are using. A DNS query against the DNSmasq server with the following command then also resolves the domain to the given IP address.
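The DNSmasq part of the setup (installation, the address overrides, and the resolution check) as an added example; this is not the article's own listing. It assumes 192.168.1.1 as the placeholder for the proxy server's address (as the article does), that dnsmasq on Ubuntu reads additional configuration from /etc/dnsmasq.d/, that `dig` is installed for the check, and a constructed sample domain list rather than the author's full list.

```shell
#!/bin/sh
# Added example (not the article's listing): build the dnsmasq override
# configuration for a SmartDNS resolver and verify that it answers as intended.
# Assumptions: the proxy/DNS server is 192.168.1.1 (placeholder; replace it
# with your server's real address), dnsmasq reads /etc/dnsmasq.d/*.conf, and
# "dig" is available for the check.
set -eu

PROXY_IP="${PROXY_IP:-192.168.1.1}"
CONF_FILE="${CONF_FILE:-/etc/dnsmasq.d/smartdns.conf}"

# Zones to send through the reverse proxy. An "address=" line covers the zone
# and every name below it (www.netflix.com, api-global.netflix.com, ...).
# Constructed sample list, not the article's list.
SMARTDNS_DOMAINS="netflix.com nflximg.net zattoo.com wieistmeineip.de"

# Print dnsmasq "address=/<zone>/<ip>" lines for a space-separated zone list.
gen_dnsmasq_conf() {
    ip="$1"
    domains="$2"
    echo "# SmartDNS overrides: resolve these zones to the reverse proxy"
    for d in $domains; do
        echo "address=/$d/$ip"
    done
}

# Install dnsmasq from the Ubuntu repository and write the override file.
# Needs root; only runs when SMARTDNS_APPLY=1 (see the guard at the bottom).
install_dnsmasq() {
    apt-get install -y dnsmasq
    gen_dnsmasq_conf "$PROXY_IP" "$SMARTDNS_DOMAINS" > "$CONF_FILE"
    # The firewall must restrict port 53 to your own source address; a
    # publicly reachable resolver is abused for DNS amplification within days.
    service dnsmasq restart
}

# Verify that resolver $1 answers name $2 with address $3. Returns 0 on match.
check_resolution() {
    server="$1"; name="$2"; expected="$3"
    answer="$(dig +short @"$server" "$name" A | head -n 1)"
    [ "$answer" = "$expected" ]
}

# Guarded entry point so the functions above can be sourced or tested safely.
if [ "${SMARTDNS_APPLY:-0}" = "1" ]; then
    install_dnsmasq
    check_resolution "$PROXY_IP" www.netflix.com "$PROXY_IP" \
        && echo "dnsmasq override works"
fi
```

Run it as root with `SMARTDNS_APPLY=1 sh smartdns-dns.sh`; without that variable it only defines the functions, so the generated text can be inspected first with `gen_dnsmasq_conf 192.168.1.1 "netflix.com"`.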

    Installation and configuration of HAproxy

    Configuring HAproxy is a bit more involved, also because of the many domains that have to be covered. It starts with the fact that Ubuntu 14.04 only ships HAproxy version 1.4, but version 1.5 is required for this purpose. We have to add a new repository and install the newer HAproxy version, which is done quickly with the following commands.

    Next we create the configuration file. It becomes extremely unwieldy over time, because HAproxy is actually a load balancer and we have to define all target systems for HTTP as well as for HTTPS. The IP address “192.168.1.1” has to be replaced with the IP address of your own system. For the sake of readability I have removed Zattoo and Netflix from this example and only included www.wieistmeineip.de.

    Create HAproxy configuration via script

    As mentioned before, creating the HAproxy configuration is extremely tedious because of the large number of entries, so it is advisable to use a script for this. My PHP script looks like this.
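The HAproxy side of the setup, covering the 1.5 installation, the www.wieistmeineip.de configuration and the generator script, as one added example. It is a shell equivalent written for this page, not the author's PHP script or HAproxy's own material. It assumes 192.168.1.1 as the proxy's own address (the article's placeholder), that the PPA ppa:vbernat/haproxy-1.5 provides HAproxy 1.5 on Ubuntu 14.04 (a commonly used PPA; check that it still exists), and a constructed sample domain list.

```shell
#!/bin/sh
# Added example (not the article's PHP script): generate haproxy.cfg for a
# SmartDNS reverse proxy from a domain list, and install HAproxy 1.5.
# Assumptions: 192.168.1.1 is the proxy's own address (placeholder), and
# ppa:vbernat/haproxy-1.5 provides HAproxy 1.5 (assumed PPA; verify it).
set -eu

PROXY_IP="${PROXY_IP:-192.168.1.1}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
# Constructed sample; in practice it holds every hostname the services use.
PROXY_DOMAINS="www.wieistmeineip.de www.netflix.com www.zattoo.com"

# Turn a hostname into an identifier HAproxy accepts for backend names.
backend_name() {
    echo "$1" | sed 's/[.-]/_/g'
}

# Emit global/defaults, one HTTP frontend and one HTTPS frontend.
# HTTP is routed by the Host header. HTTPS is passed through in TCP mode and
# routed by the SNI name, so TLS stays end-to-end and the proxy never needs
# the sites' certificates (req.ssl_sni needs HAproxy 1.5, hence the PPA).
gen_haproxy_cfg() {
    ip="$1"; domains="$2"
    cat <<EOF
global
    log /dev/log local0
    maxconn 2000
    user haproxy
    group haproxy
    daemon

defaults
    log global
    timeout connect 5s
    timeout client 60s
    timeout server 60s

frontend http_in
    bind $ip:80
    mode http
    option httplog
EOF
    for d in $domains; do
        echo "    use_backend $(backend_name "$d")_http if { hdr(host) -i $d }"
    done
    # Deliberately no default_backend: unknown Host names get a 503 instead
    # of turning the box into an open proxy for arbitrary sites.
    cat <<EOF

frontend https_in
    bind $ip:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
EOF
    for d in $domains; do
        echo "    use_backend $(backend_name "$d")_https if { req.ssl_sni -i $d }"
    done
    for d in $domains; do
        b="$(backend_name "$d")"
        cat <<EOF

backend ${b}_http
    mode http
    server ${b} $d:80

backend ${b}_https
    mode tcp
    server ${b} $d:443
EOF
    done
}

# Add the PPA and install HAproxy 1.5 (root required). Not run automatically.
install_haproxy() {
    apt-get install -y software-properties-common
    add-apt-repository -y ppa:vbernat/haproxy-1.5
    apt-get update
    apt-get install -y haproxy
}

if [ "${SMARTDNS_APPLY:-0}" = "1" ]; then
    install_haproxy
    gen_haproxy_cfg "$PROXY_IP" "$PROXY_DOMAINS" > "$HAPROXY_CFG"
    haproxy -c -f "$HAPROXY_CFG"   # syntax check before reloading
    service haproxy reload
fi
```

Two caveats worth checking on the server itself: HAproxy 1.5 resolves the `server` hostnames once at startup through the system resolver, so `/etc/resolv.conf` on the proxy must not point at the SmartDNS DNSmasq (otherwise the backends resolve to the proxy and the connection loops back to itself), and a reload is needed when a CDN changes its addresses.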

    Automatically update firewall rules via script

    I have set up dynamic DNS on my router, so my home network has a dynamic IP address but a static hostname (e.g. at “dyndns.org”). Information about this can be found on DynDNS.org and in the manual of your own router. The following script runs every hour on my server.
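The hourly firewall job as an added example, not the author's script. Its purpose is the security property the setup depends on: only the home network's current address may reach the resolver and the proxy, so the server never becomes an open resolver (DNS amplification) or an open proxy for anyone. It assumes a placeholder dynamic hostname myhome.dyndns.org, iptables, and a state file /var/lib/smartdns/client_ip for remembering the last address; all three are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example (not the article's hourly script): keep the firewall in sync
# with the home network's dynamic IP. Only that address may reach DNS (53),
# HTTP (80) and HTTPS (443); everything else on those ports is dropped.
# Assumptions: DYN_HOST, STATE_FILE and iptables are placeholders/choices
# made for this example, not values from the article.
set -eu

DYN_HOST="${DYN_HOST:-myhome.dyndns.org}"
STATE_FILE="${STATE_FILE:-/var/lib/smartdns/client_ip}"
IPTABLES_CMD="${IPTABLES_CMD:-iptables}"   # set to "echo" for a dry run
CHAIN="SMARTDNS"

# Resolve the dynamic hostname to its current IPv4 address.
resolve_host() {
    getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

# Dotted-quad sanity check before the value lands in a firewall rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Rebuild the SMARTDNS chain so that only $1 reaches the four service ports.
# Flushing and refilling the chain removes the previous address as well.
apply_rules() {
    client="$1"
    $IPTABLES_CMD -N "$CHAIN" 2>/dev/null || true
    $IPTABLES_CMD -F "$CHAIN"
    $IPTABLES_CMD -A "$CHAIN" -s "$client" -p udp --dport 53 -j ACCEPT
    $IPTABLES_CMD -A "$CHAIN" -s "$client" -p tcp --dport 53 -j ACCEPT
    $IPTABLES_CMD -A "$CHAIN" -s "$client" -p tcp --dport 80 -j ACCEPT
    $IPTABLES_CMD -A "$CHAIN" -s "$client" -p tcp --dport 443 -j ACCEPT
    $IPTABLES_CMD -A "$CHAIN" -j DROP
    # Hook the chain into INPUT exactly once, for exactly these ports.
    $IPTABLES_CMD -C INPUT -p udp --dport 53 -j "$CHAIN" 2>/dev/null || \
        $IPTABLES_CMD -I INPUT -p udp --dport 53 -j "$CHAIN"
    $IPTABLES_CMD -C INPUT -p tcp -m multiport --dports 53,80,443 -j "$CHAIN" 2>/dev/null || \
        $IPTABLES_CMD -I INPUT -p tcp -m multiport --dports 53,80,443 -j "$CHAIN"
}

# Compare the freshly resolved address with the stored one and rewrite the
# rules only when it changed. Last output line is "unchanged" or "updated <ip>";
# returns 1 if the address is not a plausible IPv4 address.
update_if_changed() {
    new_ip="$1"
    valid_ipv4 "$new_ip" || { echo "bad address: $new_ip" >&2; return 1; }
    old_ip=""
    if [ -f "$STATE_FILE" ]; then
        old_ip="$(cat "$STATE_FILE")"
    fi
    if [ "$new_ip" = "$old_ip" ]; then
        echo "unchanged"
        return 0
    fi
    apply_rules "$new_ip"
    mkdir -p "$(dirname "$STATE_FILE")"
    echo "$new_ip" > "$STATE_FILE"
    echo "updated $new_ip"
}

# Guarded entry point for the hourly cron job (run as root with SMARTDNS_APPLY=1).
if [ "${SMARTDNS_APPLY:-0}" = "1" ]; then
    update_if_changed "$(resolve_host "$DYN_HOST")"
fi
```

A cron line such as `0 * * * * SMARTDNS_APPLY=1 /usr/local/sbin/smartdns-fw.sh` gives the hourly behaviour described above; `IPTABLES_CMD=echo` prints the rules instead of applying them, which is the easiest way to review them before the first real run.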

    Conclusion about SmartDNS with HAproxy and DNSmasq

    The server configuration is quite complex, which is partly due to the lack of security functions in HAproxy. It must be said, however, that HAproxy was never intended for this application. The performance of this solution is excellent and allows maximum bandwidth. The CPU bottleneck on the client side, in my case the router with its 700 MHz CPU, almost disappears compared to OpenVPN. Moreover, the solution does not exclude OpenVPN but can be operated in parallel with it. A considerable disadvantage of the high configuration effort is that you have to be familiar with network technologies, including the protocols HTTP, SSL, TCP/IP and DNS. Good Linux knowledge is also a mandatory requirement. If you don't have this knowledge, you should plan considerably more time for the configuration and do the necessary reading. Otherwise I can only recommend the solution to everyone.
