Differences

This shows you the differences between two versions of the page.

en:public:dns_knot_misc [2018/05/20 13:53]
jirka
en:public:dns_knot_misc [2018/07/24 18:46] (current)
vcunat There's no DNS over HTTPS in knot-resolver
Line 39: Line 39:
 **Speed**: the difference is highly dependent on the particular network setup and the queries, IMHO.  Note that local DNSSEC validation kills a part of the speed advantage of forwarding (maybe a significant one), because a single answer from a resolver won't contain all information to verify the whole chain from the root (or to verify that the chain is broken at some point and the record is correctly unsigned). **Speed**: the difference is highly dependent on the particular network setup and the queries, IMHO.  Note that local DNSSEC validation kills a part of the speed advantage of forwarding (maybe a significant one), because a single answer from a resolver won't contain all information to verify the whole chain from the root (or to verify that the chain is broken at some point and the record is correctly unsigned).
  
-==== Using DNS over TLS or HTTPS ====+==== Using DNS over TLS ====
  
 Since Turris OS > 3.9.6 (more specifically,​ knot version >= 2.0.0) there is option to use encryption for DNS queries. This doesnt work well with **Forwarding DNS** option enabled. Related forum thread is [[https://​forum.turris.cz/​t/​using-dns-over-tls-or-https/​6996|here]]. Tutorial shows example with Cloudflare servers. Since Turris OS > 3.9.6 (more specifically,​ knot version >= 2.0.0) there is option to use encryption for DNS queries. This doesnt work well with **Forwarding DNS** option enabled. Related forum thread is [[https://​forum.turris.cz/​t/​using-dns-over-tls-or-https/​6996|here]]. Tutorial shows example with Cloudflare servers.
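Review bot: the heading is narrowed to DNS over TLS, but the paragraph under it still only says "use encryption for DNS queries"; spell out "DNS over TLS" in the body as well so it matches the heading and nobody reads the old forum thread title ("dns-over-tls-or-https") as a hint that DoH is also available. Two smaller points in the same paragraph: "knot version >= 2.0.0" should say "knot-resolver version >= 2.0.0", since Knot DNS and Knot Resolver are separate projects with separate version numbering, and "doesnt" is missing its apostrophe.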
Line 58: Line 58:
 wget https://​www.digicert.com/​CACerts/​DigiCertECCSecureServerCA.crt wget https://​www.digicert.com/​CACerts/​DigiCertECCSecureServerCA.crt
 openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out /​etc/​ssl/​certs/​DigiCertECCSecureServerCA.pem openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out /​etc/​ssl/​certs/​DigiCertECCSecureServerCA.pem
-rm DigiCertECCSecureServerCA.pem+rm DigiCertECCSecureServerCA.crt
 </​code>​ </​code>​
  
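Review bot: the rm change is the right fix: openssl writes the converted PEM to /etc/ssl/certs/, so the old `rm DigiCertECCSecureServerCA.pem` targeted a file that does not exist in the working directory while the downloaded .crt was left behind; removing the .crt is what was intended. Still missing from this block is a check on what is being installed: the file fetched with wget goes into the system trust store as a CA certificate, so add a step that prints its fingerprint, e.g. `openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -noout -fingerprint -sha256`, and tells the reader to compare it with the value DigiCert publishes before the conversion into /etc/ssl/certs.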
Line 84: Line 84:
 All done. Turris should be using dns over tls via Cloudflare’s 1.1.1.1. To test result use [[http://​dnsleaktest.com|dnsleaktest]],​ only entries from Cloudflare should be returned. All done. Turris should be using dns over tls via Cloudflare’s 1.1.1.1. To test result use [[http://​dnsleaktest.com|dnsleaktest]],​ only entries from Cloudflare should be returned.
  
 +
 +==== Interactive command console ====
 +
 +All "​configuration"​ and other commands can also be entered into knot-resolver'​s interactive read-eval-print-loop console.
 +  * ssh to the router
 +  * enter knot-resolver CLI via ''​socat - /​tmp/​kresd/​tty/​*''​
 +  * enter the "​commands",​ e.g. ''​cache.clear()''​ -- see [[http://​knot-resolver.readthedocs.io/​en/​stable/​daemon.html#​configuration-reference | upstream documentation]]
 +  * ''​ctrl+d''​ to exit the CLI
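Review bot: `socat - /tmp/kresd/tty/*` only works when the glob matches exactly one socket; kresd creates one control socket per running process, so with more than one instance the shell expands the glob to several arguments and socat refuses to start. Suggest telling the reader to list /tmp/kresd/tty/ first and pass a single socket path. Worth one more sentence in this section: commands typed into the console are evaluated at runtime only (which is exactly what cache.clear() is for), they are not written to the configuration file and do not survive a restart, so persistent settings still belong in the config. Minor: the quotation marks around "configuration" and "commands" read as scare quotes; the plain words are clearer.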