Differences

This shows you the differences between two versions of the page.

docker_notes:docker-dns [2024-07-21 Sun wk29 16:22] – [reference] baumkp
docker_notes:docker-dns [2024-08-31 Sat wk35 17:03] (current) – [Testing DNS] baumkp
Line 130: Line 130:
 ++++ ++++
 =====DNS over TLS (DoT)===== =====DNS over TLS (DoT)=====
-It looks like Bind9 is still working on support for DNS over TLS (DoT). It may work on the current developer release 9.19. +DNS over TLS encrypts the DNS data so others can not see the specific DNS query and response.  DNSSEC does not prevent viewing of the DNS data, but rather ensure prevent man in the middle attacks. 
 + 
 +It looks like Bind9 is still working on support for DNS over TLS (DoT) for forwarders. It may work on the current developer release 9.19. 
  
   *quad9 TLS config data:   *quad9 TLS config data:
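Review bot: the added DNSSEC sentence in the first new line is ungrammatical and blurs the comparison it is trying to make ("but rather ensure prevent man in the middle attacks"); suggest "DNSSEC does not hide the DNS data; it signs responses so a validating resolver can detect tampering or spoofing in transit, which is what DoT does not do on its own." Also "can not" should be "cannot", and the rewritten forwarders sentence reads more clearly as "support for DoT on forwarders" so the reader knows the gap being described is on the forwarding (outgoing) side.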
Line 143: Line 145:
     *[[https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-forwarders|Bind Forwarders Grammar]]     *[[https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-forwarders|Bind Forwarders Grammar]]
     *[[https://bind9.readthedocs.io/_/downloads/en/latest/pdf/|Bind 9 Administrator Reference Manual]]     *[[https://bind9.readthedocs.io/_/downloads/en/latest/pdf/|Bind 9 Administrator Reference Manual]]
-    *[[https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5|Privacy: Using DNS-over-TLS with the Quad9 DNS Service]] +  *[[https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5|Privacy: Using DNS-over-TLS with the Quad9 DNS Service]] 
-    *[[https://unix.stackexchange.com/questions/735368/how-to-use-dns-over-tls-with-bind9-forwarders|How to use DNS-over-TLS with BIND9 forwarders]] +  *[[https://unix.stackexchange.com/questions/735368/how-to-use-dns-over-tls-with-bind9-forwarders|How to use DNS-over-TLS with BIND9 forwarders]] 
-    *[[https://unix.stackexchange.com/questions/756994/enable-tls-on-bind9|Enable TLS on BIND9]]+  *[[https://unix.stackexchange.com/questions/756994/enable-tls-on-bind9|Enable TLS on BIND9]]
   *QUAD9   *QUAD9
     *[[https://www.quad9.net/|quad9]]     *[[https://www.quad9.net/|quad9]]
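Review bot: the three re-indented links (Privacy: Using DNS-over-TLS with the Quad9 DNS Service, How to use DNS-over-TLS with BIND9 forwarders, Enable TLS on BIND9) drop from four-space to two-space indentation, which promotes them out of the Bind sub-list to the same level as the *QUAD9 heading while the Bind Forwarders Grammar and Administrator Reference Manual links directly above them stay nested; if that is unintended, restore the four-space indent so the two BIND9 forwarder links remain grouped with the other Bind references.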
Line 152: Line 154:
   *[[https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd/|DNS-over-TLS in Linux (systemd)]]   *[[https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd/|DNS-over-TLS in Linux (systemd)]]
   *   *
 +=====Testing DNS=====
 +My local recursive servers are ''ns1.local.kptree.net'' and ''ns2.local.kptree.net'', which are on separate serves on the local network.  These DNS servers are for local LAN use only and cannot and should not be accessible from outside the LAN.
 +  *Using ''host'' command:
 +    *''host -t A ns1.local.kptree.net ns2.local.kptree.net'' - if both local name servers are running to cross check
 +    *''host -t A ns2.local.kptree.net ns1.local.kptree.net'' - if both local name servers are running to cross check
 +    *''host -t A google.com ns1.local.kptree.net'' - an external services via local name server
 +    *''host -t A mail.kptree.net 9.9.9.9'' - remote address to local hosted external services via an external name server
 +  *Using ''delv'':
 +    *''delv @ns2.local.kptree.net ns1.local.kptree.net'' - if both local name servers are running to cross check
 +    *''delv @ns1.local.kptree.net ns2.local.kptree.net'' - if both local name servers are running to cross check
 +    *''delv @ns2.local.kptree.net google.com''  - an external services via local name server
 +    *''delv @1.1.1.1 mail.kptree.net'' - remote address to local hosted external services via an external name server
 +  *Using ''dig'':
 +    *''dig @ns2.local.kptree.net -p 53 ns1.local.kptree.net any''
 +    *''dig @ns2.local.kptree.net -p 53 kptree.net any''
 +    *''dig @ns2.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns2.local.kptree.net
 +    *''dig @ns1.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns1.local.kptree.net 
 +      *Note that bind9 needs to be setup to allow-transfer from the requesting ip address, I include my LAN address range in the bind9 acl.
 +
 +\\
 +To find the version of bind9 used, anywhere from the LAN:
 +  *''nslookup -q=txt -class=CHAOS version.bind ns1.local.kptree.net''
 +  *''dig -t txt -c chaos VERSION.BIND @ns1.local.kptree.net''
 =====References===== =====References=====
    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.
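Review bot: the note under the two AXFR commands says the whole LAN address range is added to the bind9 ACL used for allow-transfer; since AXFR returns the complete zone listing (as the surrounding text notes, "gave me the full name list"), allow-transfer should be limited to the addresses of the actual secondary servers, here ns1 and ns2, rather than every LAN host, and the dig -tAXFR check can still be run from one of those servers. The version.bind queries are a useful confirmation of what is running, but named also lets you replace that string with the version option in the options block of named.conf (e.g. version "not disclosed";), which is worth mentioning next to the check. Minor wording in the added section: "separate serves" should be "separate servers", and "an external services" (twice) should be "an external service".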