DoH on Cisco IOS XE IOx

Cisco IOS XE does not natively support DoH (other than for/with Umbrella).

For platforms that support IOx, such as in my case an ISR 1k, it is possible to deploy the NextDNS CLI client in a container.

The reason I wanted to implement DoH is to optimise the time it takes to resolve DNS queries by using NextDNS ultralow servers, which are only accessible via their hostnames and only via encrypted protocols such as DoH. NextDNS DNS53 servers are limited to anycast addresses. Of course using DoH also has security and privacy benefits.

The NextDNS DockerHub image cannot be used on IOx as-is because there is default run CMD has not been defined in Dockerfile.

The solution is to download the Dockerfile from the NextDNS Github, adding the CMD configuration in Dockerfile and re-building the image.

IOx documentation can be found at https://developer.cisco.com/docs/iox/introduction-to-iox/

Download NextDNS client and Dockerfile

$ mkdir iox-aarch64-nextdns && cd iox-aarch64-nextdns
$ wget https://github.com/nextdns/nextdns/releases/download/v1.44.3/nextdns_1.44.3_linux_arm64.tar.gz
$ tar -xvzf nextdns_1.44.3_linux_arm64.tar.gz
LICENSE
README.md
nextdns
$ wget https://github.com/nextdns/nextdns/raw/refs/heads/master/Dockerfile

 

Copy

 

Add CMD arguments to Dockerfile so that the NextDNS binary will start when IOx starts the container.

echo 'CMD ["run", "-listen :53", "-profile XXXXXX", "-cache-size 10MB", "-forwarder https://doh.opendns.com/dns-query"]' >> Dockerfile

 

Copy

 

Additional configuration parameters can be configured via /data/package_config.ini, which can be edited via IOx Local Manager or from within the container.

echo 'CMD ["run", "-config-file /data/package_config.ini"]' >> Dockerfile

 

Copy

 

Build and save the container

docker build --platform arm64 -t iox-aarch64-nextdns .
docker save iox-aarch64-nextdns -o iox-aarch64-nextdns.tar

 

Copy

 

Enable IOx and configure IOx networking

iox
!
interface VirtualPortGroup0
 ip address 172.16.11.1 255.255.255.0
 ip nat inside
!

app-hosting appid nextdns
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 172.16.11.2 netmask 255.255.255.0
 app-default-gateway 172.16.11.1 guest-interface 0
 app-resource profile custom
  cpu 100
  memory 32
  persist-disk 10
name-server0 119.252.95.133
name-server1 144.208.222.195

 

Copy

 

Copy the container to the IOx host

copy scp://user@172.16.1.81/iox-aarch64-nextdns/iox-aarch64-nextdns.tar bootflash:/iox-aarch64-nextdns.tar

 

Copy

 

Install, activate and start the application

app-hosting install appid nextdns package bootflash:/iox-aarch64-nextdns.tar
app-hosting activate appid nextdns
app-hosting start appid nextdns

 

Copy

 

Connect to an application's console if you want to observe the start-up (be quick!)

app-hosting connect appid nextdns console
Connected to appliance. Exit using ^c^c^c
Clear existing connection in case of failure
INFO: 09:34:51 Connected 119.252.95.133:443 (con=26ms tls=116ms, TCP, TLS13)
INFO: 09:34:51 Connected 103.137.12.7:443 (con=14ms tls=48ms, TCP, TLS13)
INFO: 09:34:51 Switching endpoint: https://dns.nextdns.io#103.137.12.7,119.252.95.133

 

Copy

 

Connect to an application's shell for troubleshooting

app-hosting connect appid nextdns session
/ #

 

Copy

 

Configure the NextDNS DoH Proxy as the resolver for the IOS-hosted name server

ip dns view dns-view-primary
domain name-server 172.16.11.2

 

Copy

 

Optionally, change the DHCP-offered DNS servers to point directly to the NextDNS DoH Proxy

ip dhcp pool dhcp-pool-ipv4-vlan1
 dns-server 172.16.11.2

 

Copy

 

Enable HTTPS server to expose Local IOx Manager for easy editing of package_config.ini. Documentation can be found at https://developer.cisco.com/docs/iox/iox-local-manager/

iox(config-if)#ip http secure-server

 

Copy

 

Browse to https://<iox-host>/webui/#/ioxmain