Differences

This shows you the differences between two versions of the page.
en:public:dns_knot_misc [2017/11/03 19:17]
vcunat add a part: Forwarding or not?
en:public:dns_knot_misc [2018/05/20 13:53] (current)
jirka
Line 38: Line 38:
  
 **Speed**: the difference is highly dependent on the particular network setup and the queries, IMHO.  Note that local DNSSEC validation kills a part of the speed advantage of forwarding (maybe a significant one), because a single answer from a resolver won't contain all information to verify the whole chain from the root (or to verify that the chain is broken at some point and the record is correctly unsigned). **Speed**: the difference is highly dependent on the particular network setup and the queries, IMHO.  Note that local DNSSEC validation kills a part of the speed advantage of forwarding (maybe a significant one), because a single answer from a resolver won't contain all information to verify the whole chain from the root (or to verify that the chain is broken at some point and the record is correctly unsigned).
 +
 +==== Using DNS over TLS or HTTPS ====
 +
 +Since Turris OS > 3.9.6 (more specifically,​ knot version >= 2.0.0) there is option to use encryption for DNS queries. This doesnt work well with **Forwarding DNS** option enabled. Related forum thread is [[https://​forum.turris.cz/​t/​using-dns-over-tls-or-https/​6996|here]]. Tutorial shows example with Cloudflare servers.
 +
 +
 +**1)** Make sure, that Turris OS have required version of knot (>= 2.0.0):
 +<​code>​
 +opkg list-installed | grep knot-resolver
 +</​code>​
 +
 +**2)** Make sure, that forwarding DNS queries to ISP is disabled. File ''/​etc/​config/​resolver''​
 +<​code>​
 +forward_upstream '​0'​
 +</​code>​
 +
 +**3)** Take care about needed Cloudflare certificate
 +<​code>​
 +wget https://​www.digicert.com/​CACerts/​DigiCertECCSecureServerCA.crt
 +openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out /​etc/​ssl/​certs/​DigiCertECCSecureServerCA.pem
 +rm DigiCertECCSecureServerCA.pem
 +</​code>​
 +
 +**4)** Tell knot resolver to use Cloudflare DNS's.
 +
 +Create ''/​etc/​kresd/​custom.conf''​
 +<file python /​etc/​kresd/​custom.conf>​
 +policy.add(policy.all(
 +      policy.TLS_FORWARD({
 +          {'​1.1.1.1',​ hostname='​cloudflare-dns.com',​ ca_file='/​etc/​ssl/​certs/​DigiCertECCSecureServerCA.pem'​},​
 +          {'​1.0.0.1',​ hostname='​cloudflare-dns.com',​ ca_file='/​etc/​ssl/​certs/​DigiCertECCSecureServerCA.pem'​}
 +      })
 +))
 +</​file>​
 +
 +Then add 
 +<​code>​
 +option include_config '/​etc/​kresd/​custom.conf'​
 +</​code>​
 +to the at the end of the config resolver ‘kresd’ section in file ''/​etc/​config/​resolver''​
 +
 +**5)** restart resolver
 +''/​etc/​init.d/​resolver restart''​
 +
 +All done. Turris should be using dns over tls via Cloudflare’s 1.1.1.1. To test result use [[http://​dnsleaktest.com|dnsleaktest]],​ only entries from Cloudflare should be returned.
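Review bot: the cleanup in step 3 removes the wrong file. The download lands as `DigiCertECCSecureServerCA.crt` in the working directory and `openssl x509` writes the PEM to `/etc/ssl/certs/`, so `rm DigiCertECCSecureServerCA.pem` either fails with "No such file" and leaves the DER file behind, or, if the commands are run from `/etc/ssl/certs`, deletes the very certificate kresd is about to be pointed at; it should read `rm DigiCertECCSecureServerCA.crt`. Two smaller points in the same hunk: step 2 shows `forward_upstream '0'` bare, but a UCI line needs the keyword, `option forward_upstream '0'`, consistent with the `option include_config` line in step 4; and the `<file python ...>` block is kresd Lua, so tag it `lua`. The `ca_file` setting also deserves a sentence of documentation: it pins trust to one specific DigiCert intermediate, so when Cloudflare's certificate chain changes the TLS forward fails closed and name resolution stops instead of silently falling back to plaintext; that is the desired fail-safe behaviour, but the text should say the CA file then has to be refreshed. Finally, dnsleaktest only shows which resolver egress is observed, not that the transport is encrypted; the check that the forward really uses DNS over TLS is that upstream traffic from the router leaves on TCP port 853 rather than 53 (for example with a packet capture filtered on port 853).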