Commit 4ac849de authored by Oli Schacher's avatar Oli Schacher

Add new file

# DNSHeads DOH Demo
## Server overview
test dnsdist: dohrestest.dnsheads.ch
* IPv6 2001:620:5ca1:4015:f816:3eff:fe50:be94
* IPv4 86.119.38.67
dnsdist : http://dohrestest.dnsheads.ch:8053
recursor: http://dohrestest.dnsheads.ch:8054
live demo dnsdist: bacon.dnsheads.ch
* IPv6 2001:620:5ca1:4015:f816:3eff:fe0b:8684
* IPv4 86.119.40.52
dnsdist : http://dohrestest.dnsheads.ch:8053
recursor: http://dohrestest.dnsheads.ch:8054
## Tooling setup
`yum install -y knot-utils bind-utils`
## Resolver setup
```
yum install epel-release yum-plugin-priorities &&
curl -o /etc/yum.repos.d/powerdns-rec-43.repo https://repo.powerdns.com/repo-files/centos-rec-43.repo &&
yum install pdns-recursor
```
mv /etc/pdns-recursor/recursor.conf /etc/pdns-recursor/recursor.conf.orig
vi /etc/pdns-recursor/recursor.conf
```
config-dir=/etc/pdns-recursor
setuid=pdns-recursor
setgid=pdns-recursor
allow-from=127.0.0.1, ::1, 2001:620::/48
local-address=[::]:5300
dnssec=validate
dnssec-log-bogus=yes
query-local-address6=2001:620:5ca1:4015:f816:3eff:fec7:148
webserver=yes
webserver-address=::
webserver-port=8054
webserver-password=dnsheads
api-key=dnsheads
qname-minimization=yes
```
```
systemctl enable pdns-recursor
systemctl restart pdns-recursor
```
```
yum install -y bind-utils
dig @::1 -p 5300 dnsheads.ch
dig @::1 -p 5300 dnssec-failed.org
```
## Create certificate
```
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
CERTHOSTNAME=bacon.dnsheads.ch
CERTHOSTNAME=dohrestest.dnsheads.ch
./acme.sh --issue -d ${CERTHOSTNAME} --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
add txt record to dnsheads.ch
./acme.sh --issue -d ${CERTHOSTNAME} --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
sudo cp ~/.acme.sh/${CERTHOSTNAME}/fullchain.cer /etc/dnsdist/dnsdist.pem
sudo cp ~/.acme.sh/${CERTHOSTNAME}/${CERTHOSTNAME}.key /etc/dnsdist/dnsdist.key
```
## dnsdist setup
```
yum install -y epel-release yum-plugin-priorities &&
curl -o /etc/yum.repos.d/powerdns-dnsdist-14.repo https://repo.powerdns.com/repo-files/centos-dnsdist-14.repo &&
yum install -y dnsdist bind-utils
```
```
setLocal("127.0.0.1")
addLocal("::1")
controlSocket("127.0.0.1")
setACL("0.0.0.0/0");
addACL("::/0");
setKey("NzFWHDrlWa8gOx9AakTTb/76w6ElTLTxZ/0KNFYCNnA=")
webserver("0.0.0.0:8053", "dnsheads")
newServer({address="[::1]:5300", name="local-resolver", order=1 })
```
```
systemctl enable dnsdist
systemctl restart dnsdist
```
dnsdist demo: fallback
```
dnsdist -c
newServer({address="9.9.9.9", name="quad9", order=2 })
```
```
systemctl stop pdns-recursor
dig switch.ch @localhost
```
dnsdist demo: block firefox auto-doh
```
dnsdist -c
function nxdomain(dq) return DNSAction.Nxdomain end
addAction("use-application-dns.net", LuaAction(nxdomain))
```
## enable Dns over TLS
```
addTLSLocal('0.0.0.0', '/etc/dnsdist/dnsdist.pem', '/etc/dnsdist/dnsdist.key',{reusePort=true, tcpFastOpenQueueSize=100, provider="gnutls", ciphers="-CIPHER-ALL:+PFS:-ARCFOUR-128:-3DES-CBC:-VERS-ALL:+VERS-TLS1.2"})
addTLSLocal('::','/etc/dnsdist/dnsdist.pem', '/etc/dnsdist/dnsdist.key',{reusePort=true, tcpFastOpenQueueSize=100, provider="gnutls", ciphers="-CIPHER-ALL:+PFS:-ARCFOUR-128:-3DES-CBC:-VERS-ALL:+VERS-TLS1.2"})
```
Test:
```
kdig +tls @bacon.dnsheads.ch switch.ch
```
## Enable DoH
```
addDOHLocal('::','/etc/dnsdist/dnsdist.pem', '/etc/dnsdist/dnsdist.key',{'/', '/dns-query'}, {reusePort=true, tcpFastOpenQueueSize=100, ciphers="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!TLSv1:!TLSv1.1"})
addDOHLocal('0.0.0.0','/etc/dnsdist/dnsdist.pem', '/etc/dnsdist/dnsdist.key',{'/', '/dns-query'}, {reusePort=true, tcpFastOpenQueueSize=100, ciphers="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!TLSv1:!TLSv1.1"})
```
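Review bot: The recursor and dnsdist snippets commit live credentials into a world-readable README — `webserver-password=dnsheads`, `api-key=dnsheads`, the password in `webserver("0.0.0.0:8053", "dnsheads")` and the literal `setKey(...)` control-socket key — while the same snippets bind those web servers to `::` / `0.0.0.0`, so anyone reading this file can reach the management API of the two hosts listed at the top. Replace them with placeholders such as `webserver-password=<REDACTED>` and `setKey("<generated with makeKey()>")`, and rotate the real values now that they have been published. `setACL("0.0.0.0/0")` and `addACL("::/0")` also make dnsdist an open resolver on plain 53 as well as DoT/DoH; if that is deliberate for the demo, say so inline with a comment such as `-- demo only: open ACL, restrict to known client ranges before any non-demo use`. The "live demo" block at the top repeats the dohrestest web URLs under the bacon host, which looks like a copy-paste slip worth checking.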