Generating DNS Stamps
Encrypted DNS support was added to Ubiquiti’s UniFi Network service in a recent update. I was excited to finally have this feature appear in the UI rather than having to run third-party scripts to get this to work. However, DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) were strangely absent from the ‘Custom DNS’ field options; instead a DNS Stamp starting with sdns://aBcDeFgG was shown. So how do you create a DNS Stamp for your own upstream encrypted DNS server?
What is a DNS Stamp?
Put simply, a DNS Stamp encodes all details required to connect to a secure DNS server in a single string.
Prerequisites
In order to generate a DNS Stamp, you will require a DNS provider that supports DNS-over-HTTPS (DoH). I am using NextDNS for this, but any DoH provider will work here.
Generating a DNS Stamp
To generate the DNS Stamp, you can use DNSCrypt’s DNS Stamp Generator.
In the examples we will use NextDNS. If you are using NextDNS, you will require your unique six-character ID, which can be obtained by visiting your NextDNS Dashboard and signing in. Your ID is unique per profile (the drop-down at the top next to the NextDNS banner) and is displayed under the Endpoints section. Your DoH endpoint should look like https://dns.nextdns.io/aBc123
- Open DNSCrypt’s DNS Stamp Generator in your web browser.
- Set the following:
  - Protocol: DNS-over-HTTPS (DoH)
  - IP Address: leave blank
  - Host name: dns.nextdns.io (note that we don’t include the https:// protocol prefix)
  - Hashes: leave blank
  - Path: your six-character unique ID provided by NextDNS, e.g. aBc123. Don’t forget the preceding /.
  - Optional: if you want to include a Device ID (useful in NextDNS if you want to log which specific devices are querying), add /device_name to the end of the path, e.g. aBc123/Router
  - DNSSEC: Checked
  - No Filter: Unchecked
  - No Logs: Unchecked
- Your DNS Stamp should be displayed at the top right under Stamp. Save this.
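To show what the generator actually produces from the settings above (and what the decoding step later in this post unpacks), here is an added Python example that is not part of the original post or of DNSCrypt’s tooling. It follows the published DNS Stamps specification for the DoH type: a 0x02 protocol byte, a little-endian 64-bit props field (bit 0 DNSSEC, bit 1 No Logs, bit 2 No Filter), then length-prefixed address, hashes, host name and path, base64url-encoded without padding; the host name and path values are the NextDNS placeholders used in this guide.

```python
import base64
import struct

DOH = 0x02  # protocol byte for DNS-over-HTTPS stamps
DNSSEC, NO_LOGS, NO_FILTER = 1, 2, 4  # bit flags in the 64-bit "props" field

def _lp(data: bytes) -> bytes:  # length-prefixed field: one length byte, then the data
    return bytes([len(data)]) + data

def _vlp(items: list) -> bytes:
    # set of length-prefixed items; high bit of a length byte = "more follow"; empty set = 0x00
    if not items:
        return b"\x00"
    return b"".join(bytes([len(x) | (0x80 if i < len(items) - 1 else 0)]) + x
                    for i, x in enumerate(items))

def encode_stamp(hostname, path, addr="", hashes=(), dnssec=True,
                 no_logs=False, no_filter=False) -> str:
    """Build a DoH stamp: 0x02 || props || LP(addr) || VLP(hashes) || LP(host) || LP(path)."""
    props = (DNSSEC if dnssec else 0) | (NO_LOGS if no_logs else 0) | (NO_FILTER if no_filter else 0)
    raw = (bytes([DOH]) + struct.pack("<Q", props) + _lp(addr.encode())
           + _vlp(list(hashes)) + _lp(hostname.encode()) + _lp(path.encode()))
    return "sdns://" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_stamp(stamp: str) -> dict:
    """Inverse of encode_stamp; only the DoH (0x02) stamp type is handled."""
    b64 = stamp.removeprefix("sdns://")
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    if raw[0] != DOH:
        raise ValueError("not a DoH stamp")
    props, pos = struct.unpack("<Q", raw[1:9])[0], 9

    def read_lp():
        nonlocal pos
        n = raw[pos]
        pos += 1 + n
        return raw[pos - n:pos]

    addr, hashes, more = read_lp().decode(), [], True
    while more:  # VLP: stop at the first length byte without the high bit set
        n, more = raw[pos] & 0x7F, bool(raw[pos] & 0x80)
        pos += 1 + n
        if n:
            hashes.append(raw[pos - n:pos])
    hostname, path = read_lp().decode(), read_lp().decode()
    return {"hostname": hostname, "path": path, "addr": addr, "hashes": hashes,
            "dnssec": bool(props & DNSSEC), "no_logs": bool(props & NO_LOGS),
            "no_filter": bool(props & NO_FILTER)}
```

Pasting the string returned by encode_stamp("dns.nextdns.io", "/aBc123") into the generator’s Stamp field should show the same settings as the list above.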
Decoding an existing DNS Stamp
- Open NextDNS Dashboard in your web browser and log in
- Scroll down Setup Guide and choose Routers
- Scroll down again until you see DNSCrypt
- Copy the stamp string, starting with sdns://
- Open DNSCrypt’s DNS Stamp Generator in your web browser.
- Paste your sdns:// string into the Stamp field at the top right. This will decode your sdns string and allow you to inspect its content.
Applying the DNS Stamp
UniFi Network
- Open your UniFi Network Console
- Select the site you want to configure
- Navigate to Security > Protection
- Under Encrypted DNS, select Custom
- Enter your desired Server Name and the DNS Stamp generated in the last section, then choose ‘Add’.
AdGuard Home
If you use AdGuard Home as your DNS server, use the following steps:
- Access your AdGuard Home instance in your web browser
- Navigate to Settings > DNS Settings
- Under Upstream DNS servers, paste your sdns:// string
Alternatively, just paste your DoT (tls://) or DoH (https://) string(s) in here and don’t use DNS Stamps at all… Much easier!
Conclusions
DNS Stamps seem to be fairly redundant, at least for most setups. As NextDNS pointed out on the UniFi community forum:
It feels like they are leaking an implementation detail of their choice of underlying software (dnscrypt-proxy).
So in most software DNS Stamps are redundant and you can just use the DoT or DoH URIs. DoH stamps are still worth knowing about, though, and if you’re using a UniFi UDM Pro appliance you still need to use them.