Digitalcourage as DNS over TLS Addition in Foris

freshdax · January 9, 2020, 11:33pm

Hello,

would it be possible to add the following entry to the “DNS” item in Foris?

Digitalcourage | Server location: Germany
DNS server (supports DNSSEC)
DNS over TLS:
Host: dns2.digitalcourage.de
port: 853

That would be a fine addition!
https://digitalcourage.de/support/zensurfreier-dns-server

Best regards

lucenera · January 9, 2020, 11:42pm

In the meantime, I think you can do it yourself: https://doc.turris.cz/doc/en/public/dns_knot_misc

Pepe · January 9, 2020, 11:45pm

Rather refer to this documentation in our Gitlab how to add a new DNS server, which will be available in Foris:

freshdax · January 10, 2020, 12:11am

I’m well aware of that, I would just like to make it available to everyone in a simple way.
I’ve already entered it in the system. I find it just a good and useful addition.
Therefore my wish is more in the direction of the team to offer it simply with.

dmth · January 10, 2020, 6:03pm

Hi, thank you for bringing up this topic. Do you mind to share your config?
My digitalcourage-config does not not work (meaning: I cannot resolve external URLs):

#cat /etc/resolver/dns_servers/01_digitalcourage.conf 
name="01_digitalcourage.conf"
description="digitalcourage"
enable_tls="1"
port="853"
hostname="dns2.digitalcourage.de"
pin_sha256="v7rm6OtQQD3x/wbsdHDZjiDg+utMZvnoX3jq3Vi8tGU="
ipv6="2a02:2970:1002::18"
ipv4="46.182.19.48"

DNS works, when I’m using my providers’ DNS-Server.

vcunat · January 10, 2020, 6:56pm

Neither of the addresses accepts connections from me.

dmth · January 10, 2020, 7:05pm

Thanks for testing. The IPv4 and the IPv6 addresses are those which are listed here:
https://digitalcourage.de/support/zensurfreier-dns-server (german language only)

Quote (english see below):

Wir betreiben einen freien DNS-Server, weil wir zeigen wollen, dass Zensur umgangen werden kann – und ständig befürchten müssen, dass sie ausgeweitet wird. Der Server hat die IP: 46.182.19.48 bzw. 2a02:2970:1002::18 und unterstützt verschlüsselte Anfragen via DNS-over-TLS.

google translate:

We run a free DNS server because we want to show that censorship can be circumvented - and we have to constantly fear that it will be expanded. The server has the IP: 46.182.19.48 or 2a02: 2970: 1002 :: 18 and supports encrypted requests via DNS-over-TLS.

Maybe they are currently down.

freshdax · January 10, 2020, 10:20pm

Greetings!

This is my configuration, successfully tested at https://dnsleaktest.com:

name=“99_digitalcourage.conf”
description=“Digitalcourage (TLS)”
enable_tls=“1”
tls_port=“853”
ipv4=“46.182.19.48”
ipv6=“2a02:2970:1002::18”
ca_file="/etc/ssl/certs/ca-certificates.crt"
pin_sha256=“v7rm6OtQQD3x/wbsdHDZjiDg+utMZvnoX3jq3Vi8tGU=”
hostname=“dns2.digitalcourage.de”

I also set the attributes exactly the same as the other preconfigured servers, i.e. “0600” flag in the permissions for the file itself. I don’t know if this is important but it worked right away. I also named the file “99_digitalcourage.conf” which is the same scheme.

Hope this helps you,

Best regards

vcunat · January 10, 2020, 10:29pm

Now it answers to me. We hit a bad moment, apparently.

freshdax · January 10, 2020, 10:32pm

good to hear!
“/etc/init.d/resolver restart” is also important

Best Regards

n8v8r · January 11, 2020, 10:32am

Their DNS server does not provide reliable connectivity, particularly via IPv6. Tried them several times but in the end gave up and only left their IPv4 instance in place.