Lelux.fi wiki
Commit ec4d426c (Verified), authored Jul 05, 2019 by Elias Ojala
Major set of updates
Parent: 380c9155
Changes: 5
dns/dot/index.md
@@ -5,6 +5,8 @@ permalink: /dns-over-tls/
*
[
Resolvers that support DNS-over-TLS
](
../resolvers.md#dns-over-tls
)
For making your own resolver using Haproxy, see
[
this
](
../../haproxy.md#dns-over-tls
)
## Linux
*
[
Unbound
](
unbound-linux.md
)
(
Linux
)
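Review bot: the link text "this" in "For making your own resolver using Haproxy, see [this](../../haproxy.md#dns-over-tls)" says nothing about where it goes; name the target, e.g. "see the HAProxy DNS-over-TLS guide", and spell the product as HAProxy as haproxy.md itself does. The relative path is correct: from dns/dot/ the `../../` climbs to the repository root where haproxy.md lives.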
@@ -21,4 +23,4 @@ Use the integrated Private DNS feature.
### Other Android versions
*
[
Nebulo
](
https://smokescreen.app/
)
(
<
a href="https://t.me/joinchat/I54nRleveRGP8IPmcIdySg" rel="nofollow"
>
Telegram group
</a>
)
\ No newline at end of file
*
[
Nebulo
](
https://smokescreen.app/
)
(
<
a href="https://t.me/joinchat/I54nRleveRGP8IPmcIdySg" rel="nofollow"
>
Telegram group
</a>
)
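Review bot: this hunk only adds the missing trailing newline, which is fine. While touching the Nebulo entry, the raw `<a href="https://t.me/joinchat/I54nRleveRGP8IPmcIdySg" rel="nofollow">Telegram group</a>` tag is the only inline HTML on a page that otherwise uses `[text](url)` Markdown links; rewriting it as a Markdown link keeps the page consistent and avoids depending on the renderer passing HTML through.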
dns/dot/unbound-linux.md
@@ -5,6 +5,8 @@ permalink: /dns-over-tls/unbound/linux/
Filename
`/etc/unbound/unbound.conf`
### Debian
```
# Unbound configuration file for Debian.
#
@@ -27,10 +29,47 @@ forward-zone:
forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
forward-addr: 146.185.167.43@853#dot.securedns.eu
forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net
```
### Arch
**DNSSEC checking is disabled due to it not working. Please help me if you find a fix.**
```
server:
use-syslog: yes
do-daemonize: no
username: "unbound"
directory: "/etc/unbound"
# TODO: fix DNSSEC check
# trust-anchor-file: trusted-key.key
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
forward-addr: 146.185.167.43@853#dot.securedns.eu
forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net
```
See
[
list of resolvers that support DNS-over-TLS
](
../resolvers.md#dns-over-tls
)
## Setting unbound as system resolver
```
bash
echo
"nameserver 127.0.0.1"
|
sudo tee
/etc/resolv.conf
&&
sudo
chattr +i /etc/resolv.conf
```
This sets
`127.0.0.1`
as nameserver and locks the file (
`chattr +i`
). To unlock the file, run
`chattr -i /etc/resolv.conf`
## Captive portals
As captive portals don't allow DNS-over-TLS, you need to reset your DNS to the network's own.
## Further reading
*
[
Actually secure DNS over TLS in Unbound
](
https://www.ctrl.blog/entry/unbound-tls-forwarding
)
\ No newline at end of file
*
[
Actually secure DNS over TLS in Unbound
](
https://www.ctrl.blog/entry/unbound-tls-forwarding
)
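Review bot: the Arch config is shipped with DNSSEC validation disabled (`# trust-anchor-file: trusted-key.key` commented out, "DNSSEC checking is disabled due to it not working"), which means every forwarder is trusted unconditionally: DNS-over-TLS only protects the path to the resolver, and a forged or filtered answer from the resolver itself is accepted as-is. The probable cause is the relative path: with `directory: "/etc/unbound"` it resolves to `/etc/unbound/trusted-key.key`, which the config never creates. Either point `trust-anchor-file` at the anchor file that actually exists on the system, or use `auto-trust-anchor-file: "/etc/unbound/root.key"` seeded once with `unbound-anchor -a /etc/unbound/root.key` and writable by the `unbound` user, so the anchor follows RFC 5011 rollovers; then the `TODO` and the warning can go. Two smaller points on the same hunk: `sudo chattr +i /etc/resolv.conf` fails when the file is a symlink (systemd-resolved and NetworkManager setups), so tell the reader to replace the symlink with a regular file first, and the "Captive portals" section should repeat `chattr -i /etc/resolv.conf` since the reader needs it before they can "reset your DNS to the network's own". Finally, `forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net` is the only entry on port 443; a comment that this is DNS-over-TLS on a non-standard port, not DNS-over-HTTPS, would prevent confusion.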
dns/resolvers.md
---
title
:
DNS resolvers
permalink
:
/dns/resolvers
permalink
:
/dns/resolvers
/
---
## Plaintext
@@ -9,7 +9,7 @@ permalink: /dns/resolvers
*
[
UncensoredDNS
](
https://blog.uncensoreddns.org/dns-servers/
)
(
Denmark
+ United States)
*
[
Digitalcourage
](
https://digitalcourage.de/support/zensurfreier-dns-server
)
(
Germany
)
*
[
CZ.NIC ODVR
](
https://www.nic.cz/odvr/
)
(
Czechia
)
*
[
DNSWarden
](
https://dnswarden.com/
)
(
**
Note:
only
port 5353 for plaintext
**
, Germany)
*
[
DNSWarden
](
https://dnswarden.com/
)
(
Note:
port 53 for adblock plaintext,
port 5353 for
non-adblock
plaintext, Germany)
*
[
Snopyta.org
](
https://snopyta.org/
)
(
Germany
)
*
[
IPredator
](
https://ipredator.se/page/services#service_dns
)
(
Sweden
)
*
[
Cryptostorm
](
https://cryptostorm.is/dns.txt
)
(
international,
mainly Europe and United States)
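Review bot: the DNSWarden note now says "port 53 for adblock plaintext, port 5353 for non-adblock plaintext"; since 53 is the port every client uses by default, lead with the consequence, i.e. that the default port returns filtered answers and the unfiltered service is only on 5353, so a reader who copies the address without reading the note does not mistake blocked names for resolution failures. Country is the only attribute stated for the other plaintext entries; noting per provider whether it validates DNSSEC would make the list usable for the same decision.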
@@ -24,11 +24,7 @@ permalink: /dns/resolvers
*
[
Appliedprivacy.net
](
https://appliedprivacy.net/de/services/dns/
)
(
Austria
)
*
[
CZ.NIC ODVR
](
https://www.nic.cz/odvr/
)
(
Czechia
)
*
[
DNSWarden
](
https://dnswarden.com/
)
(
Germany
)
My own:
*
[
resolver1.lelux.fi
](
https://resolver1.lelux.fi/
)
(
France
)
*
[
resolver2.lelux.fi
](
https://resolver2.lelux.fi/
)
(
Luxembourg
)
*
[
Lelux.fi
](
https://lelux.fi/resolver/
)
(
France
+ Luxembourg)
Guides for using DNS-over-TLS can be found from
[
here
](
dot/index.md
)
.
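Review bot: the DNS-over-TLS entries give only a name and a country, but the Unbound config this list is meant to feed (linked from dot/index.md) needs `ip@port#tls-hostname` per resolver, and the three new entries (Appliedprivacy.net, CZ.NIC ODVR, DNSWarden) plus the merged Lelux.fi entry give none of these, so the reader has to dig IP, port and certificate name out of each provider page. Add those three values next to each entry. Also `https://appliedprivacy.net/de/services/dns/` is the German-language page; link the English one if it exists or mark the language.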
@@ -53,4 +49,4 @@ More DNSCrypt resolvers can be found [here](https://github.com/dyne/dnscrypt-pro
## Further reading
*
[
On Firefox moving DNS to a third party
](
https://blog.powerdns.com/2018/09/04/on-firefox-moving-dns-to-a-third-party/
)
on PowerDNS Blog
*
[
The big DNS Privacy Debate at FOSDEM
](
https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/
)
on PowerDNS Blog
\ No newline at end of file
*
[
The big DNS Privacy Debate at FOSDEM
](
https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/
)
on PowerDNS Blog
haproxy.md
@@ -212,32 +212,37 @@ sudo haproxy -c -- /etc/haproxy/haproxy.cfg
listen dns
bind
:::853 v4v6 tfo ssl crt /etc/haproxy/certs
mode tcp
server
unbound
127.0.0.1:53
server
resolver
127.0.0.1:53
```
You may replace
`127.0.0.1:53`
with address of your resolver. I recommend using
[
Unbound
](
https://nlnetlabs.nl/projects/unbound/about/
)
as resolver.
Try with the following command:
```
bash
kdig
-d
@SERVER_HOSTNAME
_OR_IP
+tls-ca +tls-host
=
TLS
_HOSTNAME
whoami.v4.powerdns.org
export
SERVER_HOSTNAME
=
"resolver2.lelux.fi"
&&
kdig
-d
@
$
SERVER_HOSTNAME
+tls-ca +tls-host
=
$SERVER_HOSTNAME
+tls-sni
=
$SERVER
_HOSTNAME
whoami.v4.powerdns.org
```
Replace
`resolver2.lelux.fi`
with your resolver address. You may replace
`@$SERVER_HOSTNAME`
with
`@ipaddress`
(replace
`ipaddress`
).
It should return your DNS resolver's outgoing IP address as result.
Example result:
```
console
$
kdig
-d
@
resolver
1
.lelux.fi
+tls-ca +tls-host
=
resolver1.lelux.fi
whoami.v4.powerdns.org
;
;
DEBUG: Querying
for
owner
(
whoami.v4.powerdns.org.
)
, class
(
1
)
,
type
(
1
)
, server
(
resolver
1
.lelux.fi
)
, port
(
853
)
, protocol
(
TCP
)
;
;
DEBUG: TLS, imported 1
28
system certificates
$
export
SERVER_HOSTNAME
=
"
resolver
2
.lelux.fi
"
&&
kdig
-d
@
$SERVER_HOSTNAME
+tls-ca +tls-host
=
$SERVER_HOSTNAME
+tls-sni
=
$SERVER_HOSTNAME
whoami.v4.powerdns.org
;
;
DEBUG: Querying
for
owner
(
whoami.v4.powerdns.org.
)
, class
(
1
)
,
type
(
1
)
, server
(
resolver
2
.lelux.fi
)
, port
(
853
)
, protocol
(
TCP
)
;
;
DEBUG: TLS, imported 1
54
system certificates
;
;
DEBUG: TLS, received certificate hierarchy:
;
;
DEBUG:
#1, CN=resolver
1
.lelux.fi
;
;
DEBUG: SHA-256 PIN:
2aPeuRroX59Lr5V6Zdd/rM9aok+aB3vL93HgApKT0Kc
=
;
;
DEBUG:
#1, CN=resolver
2
.lelux.fi
;
;
DEBUG: SHA-256 PIN:
bC5Vi0G8FqvFrf9TgNtJomNLDxG58tEj/mlWX6oOt+E
=
;
;
DEBUG:
#2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;
;
DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg
=
;
;
DEBUG: TLS, skipping certificate PIN check
;
;
DEBUG: TLS, The certificate is trusted.
;
;
TLS session
(
TLS1.2
)
-
(
ECDHE-SECP256R1
)
-
(
RSA-SHA512
)
-
(
AES-256-GCM
)
;
;
->>HEADER
<<-
opcode
: QUERY; status: NOERROR; id:
53307
;
;
->>HEADER
<<-
opcode
: QUERY; status: NOERROR; id:
10983
;
; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;
;
EDNS PSEUDOSECTION:
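Review bot: `bind :::853 v4v6 tfo ssl crt /etc/haproxy/certs` sets no minimum TLS version or cipher policy, and the example session below negotiates `TLS1.2` with `RSA-SHA512`; add `ssl-min-ver TLSv1.2` to the bind line (or `ssl-default-bind-options ssl-min-ver TLSv1.2` plus a `ssl-default-bind-ciphers` line in `defaults`) so a client cannot be downgraded to TLS 1.0/1.1. The hop from HAProxy to `server resolver 127.0.0.1:53` in `mode tcp` is plaintext; that is fine on loopback but say so, and note that the backend must answer DNS over TCP because DNS-over-TLS is TCP only. On the test command, `+tls-ca +tls-host=$SERVER_HOSTNAME` already does chain and hostname verification, and the `+tls-sni=` addition is only needed where the certificate served depends on SNI. Since the debug output prints `SHA-256 PIN:` values for each certificate and then `skipping certificate PIN check`, a second one-liner with `+tls-pin=` using the leaf pin would show readers how to pin their own resolver's certificate in addition to CA validation.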
...
...
@@ -247,11 +252,11 @@ $ kdig -d @resolver1.lelux.fi +tls-ca +tls-host=resolver1.lelux.fi whoami.v4.po
;
;
whoami.v4.powerdns.org. IN A
;
;
ANSWER SECTION:
whoami.v4.powerdns.org. 60 IN A
51.158.160.192
whoami.v4.powerdns.org. 60 IN A
104.244.79.229
;
;
Received 67 B
;
;
Time 2019-0
4
-2
2
0
7:35:00
EEST
;
;
From
51.158.160.192
@853
(
TCP
)
in
65.4
ms
;
;
Time 2019-0
6
-2
5
0
5:24:15
EEST
;
;
From
104.244.79.229
@853
(
TCP
)
in
264.6
ms
```
### Further reading
@@ -264,4 +269,4 @@ whoami.v4.powerdns.org. 60 IN A 51.158.160.192
Coming soon
-->
\ No newline at end of file
-->
wireguard.md
@@ -61,6 +61,7 @@ umask 077; wg genkey | tee privatekey | wg pubkey > publickey
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
#DNS = 10.x.x.x, 10.x.x.x # optional, would recommend only if you set AllowedIPs to 0.0.0.0/0
[Peer]
PublicKey = Server_Public_Key
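Review bot: the comment on `#DNS = 10.x.x.x, 10.x.x.x` ties the recommendation to `AllowedIPs` being `0.0.0.0/0`, but the actual condition is that the DNS server address is covered by `AllowedIPs`; otherwise queries to it leave the tunnel unencrypted. Saying that directly also covers the split-tunnel case where only the 10.x.x.x subnet is routed through the peer. Also worth a sentence: `wg-quick` applies `DNS =` by rewriting the system resolver configuration through resolvconf, which fails on a host that followed the `chattr +i /etc/resolv.conf` step of the Unbound page changed in this same commit, so the two guides should reference each other.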