en:public:dns_knot_misc [2018/05/20 13:53]
jirka
en:public:dns_knot_misc [2018/12/12 13:53] (current)
phil [Negative trust anchors]
Line 13: Line 13:
 ==== Negative trust anchors ==== ==== Negative trust anchors ====
  
-When a domain'​s DNSSEC causes problems, you often want to access it without turning ​of validation for other domains. ​ At knot-resolver level this is simple config line, e.g.:+When a domain'​s DNSSEC causes problems, you often want to access it without turning ​off validation for other domains. ​ At knot-resolver level this is simple config line, e.g.:
  
 ''​trust_anchors.negative = { '​mabanque.bnpparibas'​ }''​ ''​trust_anchors.negative = { '​mabanque.bnpparibas'​ }''​
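Review bot: the fixed sentence still does not say what the negative trust anchor costs: validation is switched off for the listed name and everything below it, so answers for that domain are accepted unverified for as long as the entry stays in the config. Suggest adding that this is a deliberate, temporary trade-off to be removed once the domain's DNSSEC is repaired, and replacing the real bank hostname in the example with a placeholder such as `'example.com'`, since a reader who copies the line verbatim disables validation for a banking site. Minor: "this is simple config line" should read "this is a simple config line".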
Line 39: Line 39:
 **Speed**: the difference is highly dependent on the particular network setup and the queries, IMHO.  Note that local DNSSEC validation kills a part of the speed advantage of forwarding (maybe a significant one), because a single answer from a resolver won't contain all information to verify the whole chain from the root (or to verify that the chain is broken at some point and the record is correctly unsigned). **Speed**: the difference is highly dependent on the particular network setup and the queries, IMHO.  Note that local DNSSEC validation kills a part of the speed advantage of forwarding (maybe a significant one), because a single answer from a resolver won't contain all information to verify the whole chain from the root (or to verify that the chain is broken at some point and the record is correctly unsigned).
  
-==== Using DNS over TLS or HTTPS ====+==== Using DNS over TLS ====
  
-Since Turris OS > 3.9.6 (more specifically, ​knot version >= 2.0.0) there is option to use encryption for DNS queries. This doesnt work well with **Forwarding DNS** option enabled. Related forum thread is [[https://​forum.turris.cz/​t/​using-dns-over-tls-or-https/​6996|here]]. Tutorial shows example with Cloudflare servers.+=== Setup in Turris OS 3.11 and higher === 
 + 
 +Turris 3.11 and higher ship several preconfigured DNS over TLS setups, reducing the number of steps required to configure encryption for DNS.   
 + 
 +**1)** Revert any custom DNS over TLS setup you may have had before Turris OS 3.11. 
 + 
 +**2)** Modify the ''/​etc/​config/​resolver''​ file with this change in the ''​config resolver '​common'​ ''​ section to enable forwarding of DNS requests. Forwarding now works properly with DNS over TLS in 3.11 and up. 
 +<code> 
 +option forward_upstream '​1'​ 
 +</​code>​ 
 + 
 +**3)** Check the ''/​etc/​resolver/​dns_servers''​ directory and select from one of the preconfigured DNS services. Modify the ''/​etc/​config/​resolver''​ file adding a line to the ''​config resolver '​common'​ ''​ section to add your choice of service. In this case we are adding Cloudflare. 
 +<​code>​ 
 +option forward_custom '​99_cloudflare'​ 
 +</​code>​ 
 + 
 +**4)** Restart the resolver by running ''/​etc/​init.d/​resolver restart''​ 
 + 
 +Your router should be using DNS over TLS. To test use [[http://​dnsleaktest.com|the dnsleaktest site]], only entries from your selected DNS service should be returned. 
 + 
 +More detailed documentation on the DNS over TLS configuration may be found [[https://​gitlab.labs.nic.cz/​turris/​turris-os-packages/​blob/​test/​net/​resolver-conf/​README.md|here]]. 
 + 
 + 
 +=== Setup in Turris OS 3.9.6 through 3.10.8 === 
 + 
 +Turris OS 3.9.6 through 3.10.8 introduced ​knot version >= 2.0.0 with the option to use encryption for DNS queries. This doesnt work well with **Forwarding DNS** option enabled. Related forum thread is [[https://​forum.turris.cz/​t/​using-dns-over-tls-or-https/​6996|here]]. Tutorial shows example with Cloudflare servers.
  
  
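Review bot: the check in step 4 ("only entries from your selected DNS service should be returned") confirms which upstream answered, not that the transport to it was encrypted; plaintext forwarding to the same Cloudflare addresses passes the same test. Suggest adding a check that actually shows DNS over TLS in use, e.g. looking for established connections to the upstream on port 853 (`netstat -tn | grep ':853'` on the router while queries run) or a capture showing no port 53 traffic leaving the WAN, and linking dnsleaktest over https rather than `http://`. Two documentation gaps in the same hunk: step 1 ("Revert any custom DNS over TLS setup") does not say which files the older procedure touched (`/etc/config/resolver` and the certificate placed under `/etc/ssl/certs/`), and the README link points at the `test` branch, whose content can change under the reader.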
Line 58: Line 83:
 wget https://​www.digicert.com/​CACerts/​DigiCertECCSecureServerCA.crt wget https://​www.digicert.com/​CACerts/​DigiCertECCSecureServerCA.crt
 openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out /​etc/​ssl/​certs/​DigiCertECCSecureServerCA.pem openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out /​etc/​ssl/​certs/​DigiCertECCSecureServerCA.pem
-rm DigiCertECCSecureServerCA.pem+rm DigiCertECCSecureServerCA.crt
 </​code>​ </​code>​
  
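Review bot: the corrected `rm` now removes the downloaded `.crt` (the previous revision tried to delete a `.pem` that had been written to `/etc/ssl/certs/`, not the working directory, so the download was left behind), but the hunk still has no integrity check on a file that every later TLS validation hinges on. Suggest inserting `openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -noout -fingerprint -sha256` before the conversion and telling the reader to compare the output with the fingerprint DigiCert publishes; if the `wget` on the router is not validating the server certificate, a substituted CA would otherwise be installed silently.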
Line 84: Line 109:
 All done. Turris should be using dns over tls via Cloudflare’s 1.1.1.1. To test result use [[http://​dnsleaktest.com|dnsleaktest]],​ only entries from Cloudflare should be returned. All done. Turris should be using dns over tls via Cloudflare’s 1.1.1.1. To test result use [[http://​dnsleaktest.com|dnsleaktest]],​ only entries from Cloudflare should be returned.
  
 +
 +==== Interactive command console ====
 +
 +All "​configuration"​ and other commands can also be entered into knot-resolver'​s interactive read-eval-print-loop console.
 +  * ssh to the router
 +  * enter knot-resolver CLI via ''​socat - /​tmp/​kresd/​tty/​*''​
 +  * enter the "​commands",​ e.g. ''​cache.clear()''​ -- see [[http://​knot-resolver.readthedocs.io/​en/​stable/​daemon.html#​configuration-reference | upstream documentation]]
 +  * ''​ctrl+d''​ to exit the CLI
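Review bot: `socat - /tmp/kresd/tty/*` relies on the glob matching exactly one socket; with more than one kresd instance, or a stale socket left behind by a restart, socat receives extra arguments and refuses to run, so the doc should tell the reader to list `/tmp/kresd/tty/` and pass one file name explicitly. Worth stating as well that this console takes any configuration command (the page itself gives `cache.clear()`, and `trust_anchors.negative` from the section above works just as well), so access to that socket file is equivalent to control over the resolver's validation and forwarding settings; the "ssh to the router" step should say that a root login is what grants it.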