Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
docker_notes:docker-dns [2024-07-21 Sun wk29 13:23] – [bind9 docker image] baumkpdocker_notes:docker-dns [2024-08-31 Sat wk35 17:03] (current) – [Testing DNS] baumkp
Line 15: Line 15:
   *[[https://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent|How to make IP forwarding permanent?]]   *[[https://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent|How to make IP forwarding permanent?]]
  
-=====Bind9 Control=====+=====Bind9 Controls=====
   *''/usr/sbin/named -f -4'' to start the isc-bind9 application called named,    *''/usr/sbin/named -f -4'' to start the isc-bind9 application called named, 
-    *''-f'' to run in foreground+    *''-f'' to run in foreground (needed for running with s6)
     *''-4'' to run ipv4 only     *''-4'' to run ipv4 only
   *''rndc stop'' to stop named  <fc #ff0000>- need to implement this in S6</fc>   *''rndc stop'' to stop named  <fc #ff0000>- need to implement this in S6</fc>
Line 130: Line 130:
 ++++ ++++
 =====DNS over TLS (DoT)===== =====DNS over TLS (DoT)=====
 +DNS over TLS encrypts the DNS data so others can not see the specific DNS query and response.  DNSSEC does not prevent viewing of the DNS data, but rather ensure prevent man in the middle attacks.
  
 +It looks like Bind9 is still working on support for DNS over TLS (DoT) for forwarders. It may work on the current developer release 9.19. 
 +
 +  *quad9 TLS config data:
 +    *''9.9.9.9'' ip address
 +    *''dns.quad9.net'' dns name
 +    *''sha256'' 
 +    *''%%echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64%%'' to get the SPKI key for quad9
 +
 +====reference====
 +  *Bind9
 +    *[[https://bind9.readthedocs.io/en/latest/reference.html#tls-block-grammar|Bind TLS Block Grammar]]
 +    *[[https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-forwarders|Bind Forwarders Grammar]]
 +    *[[https://bind9.readthedocs.io/_/downloads/en/latest/pdf/|Bind 9 Administrator Reference Manual]]
 +  *[[https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5|Privacy: Using DNS-over-TLS with the Quad9 DNS Service]]
 +  *[[https://unix.stackexchange.com/questions/735368/how-to-use-dns-over-tls-with-bind9-forwarders|How to use DNS-over-TLS with BIND9 forwarders]]
 +  *[[https://unix.stackexchange.com/questions/756994/enable-tls-on-bind9|Enable TLS on BIND9]]
 +  *QUAD9
 +    *[[https://www.quad9.net/|quad9]]
 +    *[[https://quad9.net/support/faq/|quad9 FAQ]]
 +  *[[https://dnsprivacy.org/dns_privacy_clients/|DNS Privacy Project - DNS Privacy Clients]]
 +  *[[https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd/|DNS-over-TLS in Linux (systemd)]]
 +  *
 +=====Testing DNS=====
 +My local recursive servers are ''ns1.local.kptree.net'' and ''ns2.local.kptree.net'', which are on separate serves on the local network.  These DNS servers are for local LAN use only and cannot and should not be accessible from outside the LAN.
 +  *Using ''host'' command:
 +    *''host -t A ns1.local.kptree.net ns2.local.kptree.net'' - if both local name servers are running to cross check
 +    *''host -t A ns2.local.kptree.net ns1.local.kptree.net'' - if both local name servers are running to cross check
 +    *''host -t A google.com ns1.local.kptree.net'' - an external services via local name server
 +    *''host -t A mail.kptree.net 9.9.9.9'' - remote address to local hosted external services via an external name server
 +  *Using ''delv'':
 +    *''delv @ns2.local.kptree.net ns1.local.kptree.net'' - if both local name servers are running to cross check
 +    *''delv @ns1.local.kptree.net ns2.local.kptree.net'' - if both local name servers are running to cross check
 +    *''delv @ns2.local.kptree.net google.com''  - an external services via local name server
 +    *''delv @1.1.1.1 mail.kptree.net'' - remote address to local hosted external services via an external name server
 +  *Using ''dig'':
 +    *''dig @ns2.local.kptree.net -p 53 ns1.local.kptree.net any''
 +    *''dig @ns2.local.kptree.net -p 53 kptree.net any''
 +    *''dig @ns2.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns2.local.kptree.net
 +    *''dig @ns1.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns1.local.kptree.net 
 +      *Note that bind9 needs to be setup to allow-transfer from the requesting ip address, I include my LAN address range in the bind9 acl.
 +
 +\\
 +To find the version of bind9 used, anywhere from the LAN:
 +  *''nslookup -q=txt -class=CHAOS version.bind ns1.local.kptree.net''
 +  *''dig -t txt -c chaos VERSION.BIND @ns1.local.kptree.net''
 =====References===== =====References=====
    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.