Verified Commit ebbc56ab authored by Elias Ojala

DNS-over-TLS with Knot Resolver

parent 58bed37e
......@@ -9,16 +9,9 @@ permalink: /dns/adblocking
You can find list of DNS resolvers [here](resolvers.md).
* [UncensoredDNS](https://blog.uncensoreddns.org/dns-servers/) (Denmark + USA)
* [DNS.WATCH](https://dns.watch/) (Germany)
* [SecureDNS](https://securedns.eu/) (Netherlands, **only DoH, [DoT](dot/index.md) and DNSCrypt** which are currently not supported by Blokada/Pi-hole*)
* [Digitale Gesellschaft DNS](https://www.digitale-gesellschaft.ch/dns) (Switzerland, **only DoH and [DoT](dot/index.md)** which are currently not supported by Blokada/Pi-hole*)
\* = Not supported out of the box, requires [DoH client](pihole-doh.md).
You can also run your own resolver with [Unbound](https://nlnetlabs.nl/projects/unbound/about/), very [easy to setup](https://docs.pi-hole.net/guides/unbound/) (only port has to be changed when used with Pi-hole).
You may also want to use [DNS-over-TLS with Unbound](dot/unbound-linux.md).
You may also want to use DNS-over-TLS with [Knot Resolver](dot/knot-linux.md) and [Unbound](dot/unbound-linux.md).
### Hosts lists
......
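Review bot: the footnote `\* = Not supported out of the box, requires [DoH client](pihole-doh.md).` is now out of date relative to the new line, which links DNS-over-TLS guides for both Knot Resolver and Unbound; a provider marked as DoT-only (Digitale Gesellschaft, for example, which the new Knot Resolver page forwards to) can also be used with Pi-hole through one of those DoT forwarders, so the footnote should mention the DoT route as an alternative to the DoH client.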
......@@ -8,6 +8,7 @@ permalink: /dns-over-tls/
## Linux
* [Unbound](unbound-linux.md) (Linux)
* [Knot Resolver](knot-linux.md) (Linux, works easily on Raspbian as well)
## Android
......
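Review bot: the parenthetical `(Linux, works easily on Raspbian as well)` does not match the README hunk further down, which adds the same page as plain `(Linux)`; keep the two descriptions consistent, and since the neighbouring Unbound entry is also just `(Linux)`, the Raspbian remark fits better on the Knot Resolver page itself.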
---
title: DNS-over-TLS on Knot Resolver
permalink: /dns-over-tls/knot-resolver/linux/
---
Install [knot-resolver](https://packages.debian.org/stretch-backports/knot-resolver).
On Raspbian, add this to `/etc/apt/sources.list`:
```
deb https://ftp.acc.umu.se/debian/ stretch-backports main
```
You may have to add Debian signing keys.
## Setting port
Knot Resolver works on easily Raspbian `stretch` as well, so if you use [Pi-hole](../adblocking.md) (you should) you have to change the port.
```bash
sudo systemctl edit kresd.socket
```
Paste this content to the file:
```
[Socket]
ListenDatagram=127.0.0.1:9153
ListenStream=127.0.0.1:9153
```
After saving and exiting, `sudo systemctl restart kresd@1`
`dig SOA @127.0.0.1 -p 9153` should return an valid answer.
## DNS-over-TLS
Add this to `/etc/knot-resolver/kresd.conf`:
```
require 'math'
math.randomseed(os.time())
tls_bundle='/etc/ssl/certs/ca-certificates.crt'
dns_providers = {
{ -- Digitalcourage
{'46.182.19.48',
hostname='dns2.digitalcourage.de', ca_file=tls_bundle}
},
{ -- Digitale Gesellschaft
{'185.95.218.42',
hostname='dns.digitale-gesellschaft.ch', ca_file=tls_bundle}
},
{ -- UncensoredDNS
{'91.239.100.100',
hostname='anycast.censurfridns.dk', ca_file=tls_bundle},
{'89.233.43.71',
hostname='unicast.censurfridns.dk', ca_file=tls_bundle}
}
}
policy.add(function (request, query)
return policy.TLS_FORWARD(dns_providers[math.random(1, #dns_providers)])
end)
```
## Further reading
* [Knot Resolver 3.2.1 Documentation - Network Configuration](https://knot-resolver.readthedocs.io/en/v3.2.1/daemon.html#network-configuration)
* [How to randomize DNS resolver selection in Knot Resolver](https://www.ctrl.blog/entry/kresd-random-dns-forwarding.html)
\ No newline at end of file
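Review bot: the drop-in written by `sudo systemctl edit kresd.socket` only adds listeners rather than replacing them: in systemd drop-ins `ListenDatagram=` and `ListenStream=` are list settings that append to the values in the shipped unit, so the default port-53 sockets remain and the conflict with Pi-hole is not resolved. Put an empty `ListenDatagram=` and an empty `ListenStream=` line before the two `127.0.0.1:9153` lines to reset the lists. The next step, `sudo systemctl restart kresd@1`, also restarts the wrong unit: the edit is to the socket, so `kresd.socket` has to be restarted for the new listener to take effect, otherwise the `dig SOA @127.0.0.1 -p 9153` check will fail. Smaller points: the install step consists only of a sources.list line and `You may have to add Debian signing keys`, so state the actual command (packages from backports are only picked when requested with `-t stretch-backports`) and which key is meant; the Pi-hole sentence should give the reason for changing the port (Pi-hole already listens on 53) instead of `works on easily Raspbian`; `an valid answer` should read `a valid answer`; and the file is missing its trailing newline.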
......@@ -27,7 +27,7 @@ global
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
# enables: tcplog so disabled
# enables tcplog so disabled
# log global
mode http
# option httplog
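Review bot: the corrected comment `# enables tcplog so disabled` is still hard to parse on its own because it does not say what "enables" refers to; spell out the subject, for example `# log global would enable tcplog, which is not wanted here, so it stays commented out`, so the next reader does not uncomment `# log global` by mistake.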
......@@ -226,7 +226,7 @@ It should return your DNS resolver's outgoing IP address as result.
Example result:
```console
$ kdig -d @resolver1.lelux.fi +tls-ca +tls-host=resolver1.lelux.fi +tls-sni=resolver1.lelux.fi whoami.v4.powerdns.org
$ kdig -d @resolver1.lelux.fi +tls-ca +tls-host=resolver1.lelux.fi whoami.v4.powerdns.org
;; DEBUG: Querying for owner(whoami.v4.powerdns.org.), class(1), type(1), server(resolver1.lelux.fi), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
......
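Review bot: dropping `+tls-sni=resolver1.lelux.fi` from the example command is unexplained; if the option is redundant with `+tls-host`, a short remark in the text above the example would help readers who copy the command and compare it with older copies. The parts that actually verify the resolver, `+tls-ca` together with `+tls-host=resolver1.lelux.fi`, are still present, and the debug lines below still show the certificate hierarchy being received, so the example remains consistent with the sentence `It should return your DNS resolver's outgoing IP address as result.`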
......@@ -15,6 +15,7 @@ permalink: /
* [Mastodon](mastodon.md)
* [DNS-over-TLS](dns/dot/index.md)
* [Unbound](dns/dot/unbound-linux.md) (Linux)
* [Knot Resolver](dns/dot/knot-linux.md) (Linux)
* [XMPP](xmpp/index.md)
### Tips
......