Differences

This shows you the differences between two versions of the page.

docker_notes:docker-dns [2024-08-31 Sat wk35 16:00] – [Testing DNS] baumkpdocker_notes:docker-dns [2024-12-29 Sun wk52 10:05] (current) – [References] baumkp
Line 132: Line 132:
 DNS over TLS encrypts the DNS data so others can not see the specific DNS query and response.  DNSSEC does not prevent viewing of the DNS data, but rather ensure prevent man in the middle attacks. DNS over TLS encrypts the DNS data so others can not see the specific DNS query and response.  DNSSEC does not prevent viewing of the DNS data, but rather ensure prevent man in the middle attacks.
  
-It looks like Bind9 is still working on support for DNS over TLS (DoT). It may work on the current developer release 9.19. +It looks like Bind9 is still working on support for DNS over TLS (DoT) for forwarders. It may work on the current developer release 9.19. 
  
   *quad9 TLS config data:   *quad9 TLS config data:
Line 139: Line 139:
     *''sha256''      *''sha256'' 
     *''%%echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64%%'' to get the SPKI key for quad9     *''%%echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64%%'' to get the SPKI key for quad9
 +
 +
  
 ====reference==== ====reference====
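Review bot: the two empty `+` lines added before `====reference====` in this hunk introduce nothing but blank lines and trailing whitespace, and the reworded DoT sentence also ends in a trailing space after "9.19."; drop the empty additions or replace them with a single separator line, since DokuWiki needs no extra blank lines there. On the unchanged `openssl s_client -connect '9.9.9.9:853'` pipeline that sits in the same hunk: a hash computed from a live connection is only a trust-on-first-use value, so it is worth a sentence saying to compare the result against the SPKI pin that Quad9 publishes rather than pinning whatever the connection returned at that moment.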
Line 170: Line 172:
     *''dig @ns2.local.kptree.net -p 53 kptree.net any''     *''dig @ns2.local.kptree.net -p 53 kptree.net any''
     *''dig @ns2.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns2.local.kptree.net     *''dig @ns2.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns2.local.kptree.net
-    *''dig @ns1.local.kptree.net -tAXFR  kptree.net'' gave me a Transfer failed response +    *''dig @ns1.local.kptree.net -tAXFR  kptree.net'' gave me the full name list from ns1.local.kptree.net  
 +      *Note that bind9 needs to be setup to allow-transfer from the requesting ip address, I include my LAN address range in the bind9 acl.
  
-/+\\
 To find the version of bind9 used, anywhere from the LAN: To find the version of bind9 used, anywhere from the LAN:
   *''nslookup -q=txt -class=CHAOS version.bind ns1.local.kptree.net''   *''nslookup -q=txt -class=CHAOS version.bind ns1.local.kptree.net''
 +  *''dig -t txt -c chaos VERSION.BIND @ns1.local.kptree.net''
 +=====Public DNS Provideders=====
 +See internal webpage [[https://wiki.kptree.net/doku.php?id=tech_notes:dns#public_dns_providers|Public DNS Providers]] for more details.
 +
 =====References===== =====References=====
    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.    *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.
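Review bot: the new heading `=====Public DNS Provideders=====` has a typo ("Provideders" should be "Providers"), and because the `-/+\\` line removed the explicit line break, the `dig -t txt -c chaos VERSION.BIND` item now runs straight into that heading with no blank line between the list and the new section; add one. The added `allow-transfer` note is the right place to state the security consequence explicitly: the earlier "Transfer failed" from ns1 was the safe default, and the acl should stay limited to the LAN range (or the secondary's address) rather than being widened to make the test pass. For the CHAOS `version.bind` items, it would help the reader to mention that the value returned is whatever the `version` option in `options {}` is set to, so the same query is how one verifies that the version string has been hidden.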