Verified Commit eb4f04a0 authored by Elias Ojala

DNS-over-TLS with Haproxy

parent d562ea84
......@@ -67,6 +67,69 @@ curl https://YOUR_SERVER/robots.txt --header "User-Agent: YisouSpider" -I
0 */3 * * * cd /etc/haproxy/useragent-blocklist && git pull
```
## Check configuration
```bash
sudo haproxy -c -- /etc/haproxy/haproxy.cfg
```
## DNS-over-TLS
```bash
listen dns
bind :::853 v4v6 tfo ssl crt /etc/haproxy/certs
mode tcp
server unbound 127.0.0.1:53
```
Try with the following command:
```bash
kdig -d @SERVER_HOSTNAME_OR_IP +tls-ca +tls-host=TLS_HOSTNAME whoami.v4.powerdns.org
```
It should return your DNS resolver's outgoing IP address as result.
Example result:
```console
$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com whoami.v4.powerdns.org
;; DEBUG: Querying for owner(whoami.v4.powerdns.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 64512
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 57 B
;; QUESTION SECTION:
;; whoami.v4.powerdns.org. IN A
;; ANSWER SECTION:
whoami.v4.powerdns.org. 60 IN A 141.101.106.121
;; Received 128 B
;; Time 2019-04-22 06:32:56 EEST
;; From 1.1.1.1@853(TCP) in 166.6 ms
```
### Further reading
* [Pi-hole ja DNS over TLS -välityspalvelin HaProxy:llä](https://mt-tech.fi/pi-hole-ja-dns-over-tls-valityspalvelin-haproxylla/) (in Finnish)
<!--
## Docker
Coming soon
\ No newline at end of file
Coming soon
-->
\ No newline at end of file
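Review bot: the new `listen dns` section binds port 853 on every address (`bind :::853 v4v6`) and forwards to `server unbound 127.0.0.1:53`, so unbound sees all DoT clients as 127.0.0.1 and any source-based `access-control` it has no longer applies; the README should say that this makes the resolver reachable by anyone who can reach port 853, and either state that this is intended or show how to restrict it in HAProxy (for example a `tcp-request connection reject` rule on `src`). Two smaller points: the `+tls-ca` in the `kdig` check validates against the system CA store, so the PEM files under `crt /etc/haproxy/certs` must contain the full chain plus private key from a publicly trusted CA or the check fails, which is worth a sentence next to the command; and the config fence is tagged `bash` although its content is an HAProxy configuration, so a plain fence (or `haproxy`) would render it more accurately than the `## Check configuration` block's genuine shell command.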