Commit 8fa01076 authored by Oli Schacher's avatar Oli Schacher

Update demonotes.md

parent 1a42b1ee
......@@ -36,8 +36,10 @@ https://repo.powerdns.com/repo-files/centos-auth-42.repo && \
yum install -y pdns-tools knot-utils bind-utils
```
(pdns-tools includes sdig vor DoH queries, knot-utils includes kdig for DoT queries, bind-utils includes dig for...plain old dns queries)
## Resolver setup
## Resolver setup (pdns-recursor)
```
yum install epel-release yum-plugin-priorities &&
......@@ -51,11 +53,10 @@ vi /etc/pdns-recursor/recursor.conf
config-dir=/etc/pdns-recursor
setuid=pdns-recursor
setgid=pdns-recursor
allow-from=127.0.0.1, ::1, 2001:620::/48
allow-from=127.0.0.1, ::1
local-address=[::]:5300
dnssec=validate
dnssec-log-bogus=yes
query-local-address6=2001:620:5ca1:4015:f816:3eff:fec7:148
webserver=yes
webserver-address=::
webserver-port=8054
......@@ -75,23 +76,6 @@ dig @::1 -p 5300 dnsheads.ch
dig @::1 -p 5300 dnssec-failed.org
```
## Create certificate
```
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
CERTHOSTNAME=bacon.dnsheads.ch
CERTHOSTNAME=dohrestest.dnsheads.ch
./acme.sh --issue -d ${CERTHOSTNAME} --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
add txt record to dnsheads.ch
./acme.sh --issue -d ${CERTHOSTNAME} --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
sudo cp ~/.acme.sh/${CERTHOSTNAME}/fullchain.cer /etc/dnsdist/dnsdist.pem
sudo cp ~/.acme.sh/${CERTHOSTNAME}/${CERTHOSTNAME}.key /etc/dnsdist/dnsdist.key
```
## dnsdist setup
......@@ -140,6 +124,27 @@ function nxdomain(dq) return DNSAction.Nxdomain end
addAction("use-application-dns.net", LuaAction(nxdomain))
```
## Create temp certificate using letsencrypt
```
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
CERTHOSTNAME=bacon.dnsheads.ch
CERTHOSTNAME=dohrestest.dnsheads.ch
./acme.sh --issue -d ${CERTHOSTNAME} --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
add txt record to dnsheads.ch, then rerun with `--renew`:
./acme.sh --issue -d ${CERTHOSTNAME} --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
sudo cp ~/.acme.sh/${CERTHOSTNAME}/fullchain.cer /etc/dnsdist/dnsdist.pem
sudo cp ~/.acme.sh/${CERTHOSTNAME}/${CERTHOSTNAME}.key /etc/dnsdist/dnsdist.key
```
## enable Dns over TLS
```
......@@ -160,6 +165,8 @@ addDOHLocal('::','/etc/dnsdist/dnsdist.pem', '/etc/dnsdist/dnsdist.key',{'/', '/
addDOHLocal('0.0.0.0','/etc/dnsdist/dnsdist.pem', '/etc/dnsdist/dnsdist.key',{'/', '/dns-query'}, {reusePort=true, tcpFastOpenQueueSize=100, ciphers="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!TLSv1:!TLSv1.1"})
```
Test:
```
sdig https://bacon.dnsheads.ch/ 443 switch.ch ns