Verified Commit ec4d426c authored by Elias Ojala's avatar Elias Ojala

Major set of updates

parent 380c9155
......@@ -5,6 +5,8 @@ permalink: /dns-over-tls/
* [Resolvers that support DNS-over-TLS](../resolvers.md#dns-over-tls)
For making your own resolver using Haproxy, see [this](../../haproxy.md#dns-over-tls)
## Linux
* [Unbound](unbound-linux.md) (Linux)
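Review bot: the link text "this" in the added line `For making your own resolver using Haproxy, see [this](../../haproxy.md#dns-over-tls)` is not descriptive; suggest `see the [HAProxy DNS-over-TLS guide](../../haproxy.md#dns-over-tls)` with the same target, and `HAProxy` is the project's own spelling.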
......@@ -21,4 +23,4 @@ Use the integrated Private DNS feature.
### Other Android versions
* [Nebulo](https://smokescreen.app/) (<a href="https://t.me/joinchat/I54nRleveRGP8IPmcIdySg" rel="nofollow">Telegram group</a>)
\ No newline at end of file
* [Nebulo](https://smokescreen.app/) (<a href="https://t.me/joinchat/I54nRleveRGP8IPmcIdySg" rel="nofollow">Telegram group</a>)
......@@ -5,6 +5,8 @@ permalink: /dns-over-tls/unbound/linux/
Filename `/etc/unbound/unbound.conf`
### Debian
```
# Unbound configuration file for Debian.
#
......@@ -27,10 +29,47 @@ forward-zone:
forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
forward-addr: 146.185.167.43@853#dot.securedns.eu
forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net
```
### Arch
**DNSSEC checking is disabled due to it not working. Please help me if you find a fix.**
```
server:
use-syslog: yes
do-daemonize: no
username: "unbound"
directory: "/etc/unbound"
# TODO: fix DNSSEC check
# trust-anchor-file: trusted-key.key
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
forward-addr: 146.185.167.43@853#dot.securedns.eu
forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net
```
See [list of resolvers that support DNS-over-TLS](../resolvers.md#dns-over-tls)
## Setting unbound as system resolver
```bash
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf && sudo chattr +i /etc/resolv.conf
```
This sets `127.0.0.1` as nameserver and locks the file (`chattr +i`). To unlock the file, run `chattr -i /etc/resolv.conf`
## Captive portals
As captive portals don't allow DNS-over-TLS, you need to reset your DNS to the network's own.
## Further reading
* [Actually secure DNS over TLS in Unbound](https://www.ctrl.blog/entry/unbound-tls-forwarding)
\ No newline at end of file
* [Actually secure DNS over TLS in Unbound](https://www.ctrl.blog/entry/unbound-tls-forwarding)
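Review bot: the Arch config is added with DNSSEC validation switched off (`# trust-anchor-file: trusted-key.key` commented out under `# TODO: fix DNSSEC check`), so every answer the forwarders return is accepted unvalidated. Two things to check before the bold warning can go: with `directory: "/etc/unbound"` Unbound resolves that relative path as `/etc/unbound/trusted-key.key`, so confirm where the anchor file actually lives on Arch; and `auto-trust-anchor-file` pointing at a file the `unbound` user can write keeps the anchor current automatically, which `trust-anchor-file` does not. Separately, `echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf && sudo chattr +i /etc/resolv.conf` leaves no fallback resolver and blocks DHCP/NetworkManager from rewriting the file, which is exactly why the captive-portal section then needs a manual reset; put the `chattr -i /etc/resolv.conf` unlock step in that section as well. Also worth a remark that the appliedprivacy forwarder is on port 443 (`37.252.185.232@443`) rather than 853, unlike the other three.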
---
title: DNS resolvers
permalink: /dns/resolvers
permalink: /dns/resolvers/
---
## Plaintext
......@@ -9,7 +9,7 @@ permalink: /dns/resolvers
* [UncensoredDNS](https://blog.uncensoreddns.org/dns-servers/) (Denmark + United States)
* [Digitalcourage](https://digitalcourage.de/support/zensurfreier-dns-server) (Germany)
* [CZ.NIC ODVR](https://www.nic.cz/odvr/) (Czechia)
* [DNSWarden](https://dnswarden.com/) (**Note: only port 5353 for plaintext**, Germany)
* [DNSWarden](https://dnswarden.com/) (Note: port 53 for adblock plaintext, port 5353 for non-adblock plaintext, Germany)
* [Snopyta.org](https://snopyta.org/) (Germany)
* [IPredator](https://ipredator.se/page/services#service_dns) (Sweden)
* [Cryptostorm](https://cryptostorm.is/dns.txt) (international, mainly Europe and United States)
......@@ -24,11 +24,7 @@ permalink: /dns/resolvers
* [Appliedprivacy.net](https://appliedprivacy.net/de/services/dns/) (Austria)
* [CZ.NIC ODVR](https://www.nic.cz/odvr/) (Czechia)
* [DNSWarden](https://dnswarden.com/) (Germany)
My own:
* [resolver1.lelux.fi](https://resolver1.lelux.fi/) (France)
* [resolver2.lelux.fi](https://resolver2.lelux.fi/) (Luxembourg)
* [Lelux.fi](https://lelux.fi/resolver/) (France + Luxembourg)
Guides for using DNS-over-TLS can be found from [here](dot/index.md).
......@@ -53,4 +49,4 @@ More DNSCrypt resolvers can be found [here](https://github.com/dyne/dnscrypt-pro
## Further reading
* [On Firefox moving DNS to a third party](https://blog.powerdns.com/2018/09/04/on-firefox-moving-dns-to-a-third-party/) on PowerDNS Blog
* [The big DNS Privacy Debate at FOSDEM](https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/) on PowerDNS Blog
\ No newline at end of file
* [The big DNS Privacy Debate at FOSDEM](https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/) on PowerDNS Blog
......@@ -212,32 +212,37 @@ sudo haproxy -c -- /etc/haproxy/haproxy.cfg
listen dns
bind :::853 v4v6 tfo ssl crt /etc/haproxy/certs
mode tcp
server unbound 127.0.0.1:53
server resolver 127.0.0.1:53
```
You may replace `127.0.0.1:53` with address of your resolver. I recommend using [Unbound](https://nlnetlabs.nl/projects/unbound/about/) as resolver.
Try with the following command:
```bash
kdig -d @SERVER_HOSTNAME_OR_IP +tls-ca +tls-host=TLS_HOSTNAME whoami.v4.powerdns.org
export SERVER_HOSTNAME="resolver2.lelux.fi" && kdig -d @$SERVER_HOSTNAME +tls-ca +tls-host=$SERVER_HOSTNAME +tls-sni=$SERVER_HOSTNAME whoami.v4.powerdns.org
```
Replace `resolver2.lelux.fi` with your resolver address. You may replace `@$SERVER_HOSTNAME` with `@ipaddress` (replace `ipaddress`).
It should return your DNS resolver's outgoing IP address as result.
Example result:
```console
$ kdig -d @resolver1.lelux.fi +tls-ca +tls-host=resolver1.lelux.fi whoami.v4.powerdns.org
;; DEBUG: Querying for owner(whoami.v4.powerdns.org.), class(1), type(1), server(resolver1.lelux.fi), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
$ export SERVER_HOSTNAME="resolver2.lelux.fi" && kdig -d @$SERVER_HOSTNAME +tls-ca +tls-host=$SERVER_HOSTNAME +tls-sni=$SERVER_HOSTNAME whoami.v4.powerdns.org
;; DEBUG: Querying for owner(whoami.v4.powerdns.org.), class(1), type(1), server(resolver2.lelux.fi), port(853), protocol(TCP)
;; DEBUG: TLS, imported 154 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=resolver1.lelux.fi
;; DEBUG: SHA-256 PIN: 2aPeuRroX59Lr5V6Zdd/rM9aok+aB3vL93HgApKT0Kc=
;; DEBUG: #1, CN=resolver2.lelux.fi
;; DEBUG: SHA-256 PIN: bC5Vi0G8FqvFrf9TgNtJomNLDxG58tEj/mlWX6oOt+E=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53307
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 10983
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
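Review bot: the prose after the new test command says `@$SERVER_HOSTNAME` may be replaced with `@ipaddress`; state that `+tls-host` must then still carry the name on the certificate (`resolver2.lelux.fi` in the example), otherwise `+tls-ca` verification fails, or a reader drops `+tls-host` along with it and loses the hostname check that the `The certificate is trusted.` line demonstrates. Minor: `export SERVER_HOSTNAME="resolver2.lelux.fi" && kdig ...` exports the variable into the reader's shell for no reason; a plain `SERVER_HOSTNAME=resolver2.lelux.fi; kdig ...` assignment is enough.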
......@@ -247,11 +252,11 @@ $ kdig -d @resolver1.lelux.fi +tls-ca +tls-host=resolver1.lelux.fi whoami.v4.po
;; whoami.v4.powerdns.org. IN A
;; ANSWER SECTION:
whoami.v4.powerdns.org. 60 IN A 51.158.160.192
whoami.v4.powerdns.org. 60 IN A 104.244.79.229
;; Received 67 B
;; Time 2019-04-22 07:35:00 EEST
;; From 51.158.160.192@853(TCP) in 65.4 ms
;; Time 2019-06-25 05:24:15 EEST
;; From 104.244.79.229@853(TCP) in 264.6 ms
```
### Further reading
......@@ -264,4 +269,4 @@ whoami.v4.powerdns.org. 60 IN A 51.158.160.192
Coming soon
-->
\ No newline at end of file
-->
......@@ -61,6 +61,7 @@ umask 077; wg genkey | tee privatekey | wg pubkey > publickey
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
#DNS = 10.x.x.x, 10.x.x.x # optional, would recommend only if you set AllowedIPs to 0.0.0.0/0
[Peer]
PublicKey = Server_Public_Key
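Review bot: the added `#DNS = 10.x.x.x, 10.x.x.x # optional, would recommend only if you set AllowedIPs to 0.0.0.0/0` gives the recommendation without the reason. wg-quick applies `DNS =` system-wide for as long as the tunnel is up, so with a split tunnel the listed resolvers must fall inside `AllowedIPs` or name resolution stops working; spell that out in the comment so readers can decide for their own `AllowedIPs`.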
......