Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
docker_notes:docker-dns [2024-07-21 Sun wk29 15:38] – [DNS over TLS (DoT)] baumkpdocker_notes:docker-dns [2024-08-31 Sat wk35 17:03] (current) – [Testing DNS] baumkp
Line 130: Line 130:
 ++++ ++++
 =====DNS over TLS (DoT)===== =====DNS over TLS (DoT)=====
 +DNS over TLS encrypts the DNS data so others can not see the specific DNS query and response.  DNSSEC does not prevent viewing of the DNS data, but rather ensure prevent man in the middle attacks.
 +
 +It looks like Bind9 is still working on support for DNS over TLS (DoT) for forwarders. It may work on the current developer release 9.19. 
 +
   *quad9 TLS config data:   *quad9 TLS config data:
     *''9.9.9.9'' ip address     *''9.9.9.9'' ip address
Line 137: Line 141:
  
 ====reference==== ====reference====
 +  *Bind9
     *[[https://bind9.readthedocs.io/en/latest/reference.html#tls-block-grammar|Bind TLS Block Grammar]]     *[[https://bind9.readthedocs.io/en/latest/reference.html#tls-block-grammar|Bind TLS Block Grammar]]
     *[[https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-forwarders|Bind Forwarders Grammar]]     *[[https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-forwarders|Bind Forwarders Grammar]]
-    *[[https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5|Privacy: Using DNS-over-TLS with the Quad9 DNS Service]] +    *[[https://bind9.readthedocs.io/_/downloads/en/latest/pdf/|Bind 9 Administrator Reference Manual]] 
-    *[[https://unix.stackexchange.com/questions/735368/how-to-use-dns-over-tls-with-bind9-forwarders|How to use DNS-over-TLS with BIND9 forwarders]]+  *[[https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5|Privacy: Using DNS-over-TLS with the Quad9 DNS Service]] 
 +  *[[https://unix.stackexchange.com/questions/735368/how-to-use-dns-over-tls-with-bind9-forwarders|How to use DNS-over-TLS with BIND9 forwarders]] 
 +  *[[https://unix.stackexchange.com/questions/756994/enable-tls-on-bind9|Enable TLS on BIND9]] 
 +  *QUAD9 
 +    *[[https://www.quad9.net/|quad9]] 
 +    *[[https://quad9.net/support/faq/|quad9 FAQ]] 
 +  *[[https://dnsprivacy.org/dns_privacy_clients/|DNS Privacy Project - DNS Privacy Clients]] 
 +  *[[https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd/|DNS-over-TLS in Linux (systemd)]] 
 +  * 
 +=====Testing DNS===== 
 +My local recursive servers are ''ns1.local.kptree.net'' and ''ns2.local.kptree.net'', which are on separate serves on the local network.  These DNS servers are for local LAN use only and cannot and should not be accessible from outside the LAN. 
 +  *Using ''host'' command: 
 +    *''host -t A ns1.local.kptree.net ns2.local.kptree.net'' - if both local name servers are running to cross check 
 +    *''host -t A ns2.local.kptree.net ns1.local.kptree.net'' - if both local name servers are running to cross check 
 +    *''host -t A google.com ns1.local.kptree.net'' - an external services via local name server 
 +    *''host -t A mail.kptree.net 9.9.9.9'' - remote address to local hosted external services via an external name server 
 +  *Using ''delv'': 
 +    *''delv @ns2.local.kptree.net ns1.local.kptree.net'' - if both local name servers are running to cross check 
 +    *''delv @ns1.local.kptree.net ns2.local.kptree.net'' - if both local name servers are running to cross check 
 +    *''delv @ns2.local.kptree.net google.com''  - an external services via local name server 
 +    *''delv @1.1.1.1 mail.kptree.net'' - remote address to local hosted external services via an external name server 
 +  *Using ''dig'': 
 +    *''dig @ns2.local.kptree.net -p 53 ns1.local.kptree.net any'' 
 +    *''dig @ns2.local.kptree.net -p 53 kptree.net any'' 
 +    *''dig @ns2.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns2.local.kptree.net 
 +    *''dig @ns1.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns1.local.kptree.net  
 +      *Note that bind9 needs to be setup to allow-transfer from the requesting ip address, I include my LAN address range in the bind9 acl. 
 + 
 +\\ 
 +To find the version of bind9 used, anywhere from the LAN: 
 +  *''nslookup -q=txt -class=CHAOS version.bind ns1.local.kptree.net'' 
 +  *''dig -t txt -c chaos VERSION.BIND @ns1.local.kptree.net''
 =====References===== =====References=====
    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.