Differences

This shows you the differences between two versions of the page.


docker_notes:docker-dns [2024-07-21 Sun wk29 15:38] – [DNS over TLS (DoT)] baumkpdocker_notes:docker-dns [2025-08-17 Sun wk33 10:27] (current) – [Linux setup to forward packets] baumkp
Line 5: Line 5:
  
 =====Linux setup to forward packets===== =====Linux setup to forward packets=====
 +<color #ed1c24>[This probably needs to be moved and consolidated elsewhere and then highlevel only reference here]</color>
 +
 The main router must be set to forward packets! The main router must be set to forward packets!
-The ability to forward packets must be set allowededit or add the following parameters in ''sudo vim /etc/sysctl.conf'': +It would seem that as of Debian 13 the ''/etc/sysctl.conf'' file is not longer used, and is deleted on upgrade, including any user changes.  Instead overrides must be copied into *.conf files in /etc/sysctl.d/. Normally user conf files in *.d directories are not affected by upgrades. 
-  *net.ipv4.ip_forward = 1 + 
-  *net.ipv4.conf.all.proxy_arp = 1 +The command ''sudo sysctl -a | less'' can be used to list all current kernel parameters and their current setting, or ''sudo sysctl net.ipv4.ip_forward'' to list a specific one. 
-  * ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6  + 
-After applying these changes reboot or apply setting using ''sudo sysctl -p /etc/sysctl.conf''+++++sudo vim /etc/sysctl.d/ip_forward.conf| 
 +<code>net.ipv4.ip_forward = 1 
 +net.ipv4.conf.all.proxy_arp = 1 
 +net.ipv6.conf.all.forwarding=1</code> 
 +++++ 
 +After applying these changes reboot or apply setting using ''sudo sysctl -p /etc/sysctl.d/ip_forward.conf'' (Note that ''sudo sysctl -p'' defaults to using ''/etc/sysctl.conf'' and will error if this file is not available.) 
 +  * ''sudo sysctl -w net.ipv6.conf.all.forwarding=1'' will immediately set this parameter, but it will not be permanent and lost on reboot. 
 + 
 +The boot systemctl reads the following configuration files to adjust kernel parameters at boot: 
 +  */etc/sysctl.d/*.conf 
 +  */run/sysctl.d/*.conf 
 +  */usr/local/lib/sysctl.d/*.conf 
 +  */usr/lib/sysctl.d/*.conf 
 +  */lib/sysctl.d/*.conf 
 + 
  
 ====References==== ====References====
 +  *[[https://thequickadvisor.com/is-ip-forwarding-required-for-docker/|Is IP forwarding required for Docker?]] (It would seem yes.)
   *[[https://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent|How to make IP forwarding permanent?]]   *[[https://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent|How to make IP forwarding permanent?]]
 +  *[[http://linux-ip.net/html/index.html|Guide to IP Layer Network Administration with Linux]]
 +  *[[https://linuxize.com/post/sysctl-command-in-linux/|Sysctl Command in Linux]]
 +  *[[https://commandmasters.com/commands/sysctl-linux/|How to Use the Command 'sysctl' (with Examples)]]
 +  *[[https://load-balancer.inlab.net/knowledge-base/how-to-deal-with-arp-problems-on-linux/|How to deal with ARP-Problems on Linux]]
 +  *[[https://undercodetesting.com/understanding-arp-and-nat-core-networking-protocols-for-cybersecurity/|Understanding ARP and NAT: Core Networking Protocols for Cybersecurity]]
 +  *[[https://documentation.ubuntu.com/server/how-to/wireguard-vpn/on-an-internal-system/|WireGuard on an internal system (peer-to-site)]]
  
 =====Bind9 Controls===== =====Bind9 Controls=====
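Review bot: the new `<code>` block enables `net.ipv4.ip_forward`, `net.ipv6.conf.all.forwarding` and `net.ipv4.conf.all.proxy_arp` on every interface without the page saying why proxy ARP is needed; with forwarding on, the host routes between all of its interfaces, so the text should point the reader at the firewall FORWARD policy alongside these settings, and proxy_arp is better scoped to the one interface that needs it (`net.ipv4.conf.<iface>.proxy_arp`) than to `all`. For applying the file, `sudo sysctl --system` loads the same directory set that the later bullet list describes and matches what runs at boot, whereas `sysctl -p /etc/sysctl.d/ip_forward.conf` applies only that one file; naming it `99-ip_forward.conf` would also follow the usual convention, since sysctl.d files are applied in lexical order with later files overriding earlier ones. Small wording points: "is not longer used" should be "is no longer used", "The boot systemctl" should name `systemd-sysctl`, and the block mixes `= 1` and `=1` spacing.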
Line 130: Line 154:
 ++++ ++++
 =====DNS over TLS (DoT)===== =====DNS over TLS (DoT)=====
 +DNS over TLS encrypts the DNS data so others can not see the specific DNS query and response.  DNSSEC does not prevent viewing of the DNS data, but rather ensure prevent man in the middle attacks.
 +
 +It looks like Bind9 is still working on support for DNS over TLS (DoT) for forwarders. It may work on the current developer release 9.19. 
 +
   *quad9 TLS config data:   *quad9 TLS config data:
     *''9.9.9.9'' ip address     *''9.9.9.9'' ip address
Line 135: Line 163:
     *''sha256''      *''sha256'' 
     *''%%echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64%%'' to get the SPKI key for quad9     *''%%echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64%%'' to get the SPKI key for quad9
 +
 +
  
 ====reference==== ====reference====
 +  *Bind9
     *[[https://bind9.readthedocs.io/en/latest/reference.html#tls-block-grammar|Bind TLS Block Grammar]]     *[[https://bind9.readthedocs.io/en/latest/reference.html#tls-block-grammar|Bind TLS Block Grammar]]
     *[[https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-forwarders|Bind Forwarders Grammar]]     *[[https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-forwarders|Bind Forwarders Grammar]]
-    *[[https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5|Privacy: Using DNS-over-TLS with the Quad9 DNS Service]] +    *[[https://bind9.readthedocs.io/_/downloads/en/latest/pdf/|Bind 9 Administrator Reference Manual]] 
-    *[[https://unix.stackexchange.com/questions/735368/how-to-use-dns-over-tls-with-bind9-forwarders|How to use DNS-over-TLS with BIND9 forwarders]]+  *[[https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5|Privacy: Using DNS-over-TLS with the Quad9 DNS Service]] 
 +  *[[https://unix.stackexchange.com/questions/735368/how-to-use-dns-over-tls-with-bind9-forwarders|How to use DNS-over-TLS with BIND9 forwarders]] 
 +  *[[https://unix.stackexchange.com/questions/756994/enable-tls-on-bind9|Enable TLS on BIND9]] 
 +  *QUAD9 
 +    *[[https://www.quad9.net/|quad9]] 
 +    *[[https://quad9.net/support/faq/|quad9 FAQ]] 
 +  *[[https://dnsprivacy.org/dns_privacy_clients/|DNS Privacy Project - DNS Privacy Clients]] 
 +  *[[https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd/|DNS-over-TLS in Linux (systemd)]] 
 +  * 
 +=====Testing DNS===== 
 +My local recursive servers are ''ns1.local.kptree.net'' and ''ns2.local.kptree.net'', which are on separate serves on the local network.  These DNS servers are for local LAN use only and cannot and should not be accessible from outside the LAN. 
 +  *Using ''host'' command: 
 +    *''host -t A ns1.local.kptree.net ns2.local.kptree.net'' - if both local name servers are running to cross check 
 +    *''host -t A ns2.local.kptree.net ns1.local.kptree.net'' - if both local name servers are running to cross check 
 +    *''host -t A google.com ns1.local.kptree.net'' - an external services via local name server 
 +    *''host -t A mail.kptree.net 9.9.9.9'' - remote address to local hosted external services via an external name server 
 +  *Using ''delv'': 
 +    *''delv @ns2.local.kptree.net ns1.local.kptree.net'' - if both local name servers are running to cross check 
 +    *''delv @ns1.local.kptree.net ns2.local.kptree.net'' - if both local name servers are running to cross check 
 +    *''delv @ns2.local.kptree.net google.com''  - an external services via local name server 
 +    *''delv @1.1.1.1 mail.kptree.net'' - remote address to local hosted external services via an external name server 
 +  *Using ''dig'': 
 +    *''dig @ns2.local.kptree.net -p 53 ns1.local.kptree.net any'' 
 +    *''dig @ns2.local.kptree.net -p 53 kptree.net any'' 
 +    *''dig @ns2.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns2.local.kptree.net 
 +    *''dig @ns1.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns1.local.kptree.net  
 +      *Note that bind9 needs to be setup to allow-transfer from the requesting ip address, I include my LAN address range in the bind9 acl. 
 + 
 +\\ 
 +To find the version of bind9 used, anywhere from the LAN: 
 +  *''nslookup -q=txt -class=CHAOS version.bind ns1.local.kptree.net'' 
 +  *''dig -t txt -c chaos VERSION.BIND @ns1.local.kptree.net'' 
 +=====Public DNS Provideders===== 
 +See internal webpage [[https://wiki.kptree.net/doku.php?id=tech_notes:dns#public_dns_providers|Public DNS Providers]] for more details. 
 =====References===== =====References=====
    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.
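Review bot: the `openssl s_client` pipeline on the quad9 SPKI line derives the pin from whatever certificate the current connection presents, so on its own it is trust-on-first-use; the text should say to compare that output with the SPKI hash published by Quad9 (the quad9 FAQ link is already in the list) before the value goes into the `tls` block, otherwise a tampered connection would pin the wrong key. The DNSSEC sentence needs a grammar fix ("ensure prevent") and a tighter claim: DNSSEC authenticates signed responses (origin and integrity), so a validating resolver rejects altered answers, and it gives no confidentiality, which is what DoT adds. In the Testing DNS section the AXFR note says the whole LAN range is in the allow-transfer ACL; a zone transfer returns the full host list, so limiting `allow-transfer` to the secondaries (or keying it with TSIG) is the safer example to document, and the version.bind bullets could mention the `version` option in the named.conf `options` block that replaces the reported string. Typos: "Provideders", "separate serves", "an external services", and the empty `*` bullet left before the Testing DNS heading.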