Using dns over tls or https

In case anyone else is trying to get this to work, I had a few problems setting things up myself, but I have now finally got it to work.
First of all, you have to set forward_upstream to 0 in /etc/config/resolver under common. Not doing this will cause it to still forward DNS queries to whatever servers you get from your ISP.
Secondly, the ca_file should not be the certificate from cloudflare-dns.com, instead it should be the certificate that authored it, which is “DigiCert ECC Secure Server CA”. You can download this cert from: https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt. Knot-resolver doesn’t seem to support DER, so make sure you convert it to PEM:
openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out DigiCertECCSecureServerCA.pem

2 Likes

It’s about Android and not Omnia, but let me post a link: https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html

Ok so:

I just did that. How do I verify if it works (wireshark?)? And what about 1.0.0.1, can I just set another rule with the second IP?

EDIT: I reverted the changes since it breaks lxc-create -t download -n container_name functionality with:
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver.
lxc-create: lxccontainer.c: create_run_template: 1201 container creation template for container_name failed
lxc-create: lxc_create.c: main: 274 Error creating container container_name
Discovered by accident

EDIT2:
I followed https://doc.turris.cz/doc/en/public/dns_knot_misc with clearing the cache and now everything works. https://dnsleaktest.com/ points to Cloudflare DNS. Before it could be some temporary error.

1 Like

Hi,
is this adaptation still necessary if knot resolver has appeared in version 2.0.0? So with the release of TurrisOS 3.10? Or is that easier to adjust?

Best regards

It’s impossible to forward over TLS with knot-resolver < 2.0.0, i.e. the default version with Omnia < 3.10. I don’t expect Omnia would have some clickable way to set this up as of 3.10.x already, but I don’t follow this side closely. @paja should know.

Hi,
yes, our plan is to introduce a DNS-over-TLS setting in a future Foris version (probably 3.10.x or 3.11 TurrisOS)

5 Likes

For those using RC and having set up DNS over TLS: are DNS query speeds really as fast as advertised by Cloudflare?

I think the numbers will be significantly affected by your particular ping to their IPs. (In CZ they have servers in Prague.)

1 Like

Where exactly do I add the policy-section you mentioned above?

See the wiki. I expect you also need to uncheck forwarding in Foris, as that would normally result in a different forwarding rule before the one added by you (and thus taking precedence); combining config pieces from different sources is just hard to do generally…

1 Like

Now that 3.10 has been out for a while, I have tried putting the pieces together. Here is my recipe:

  1. Go to Foris DNS tab and make sure that “Use forwarding” is not checked, save.

  2. Grab and convert the needed certificate, as described by HomerSp, ssh into Omnia and from /root

wget https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt

openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out DigiCertECCSecureServerCA.pem
  3. It looks like certificates are in /etc/ssl/certs so put the newly converted file there
cp DigiCertECCSecureServerCA.pem /etc/ssl/certs/DigiCertECCSecureServerCA.pem
  4. We are really making a customized rule for kresd, so create the file /etc/kresd/custom.conf containing a modified version of vcunat’s config
policy.add(policy.all(
      policy.TLS_FORWARD({
          {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'},
          {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'}
      })
))
  5. The resolver needs to know where to find the rule, so edit /etc/config/resolver, adding the following line at the end of the config resolver ‘kresd’ section

option include_config '/etc/kresd/custom.conf'

  6. Everything should be in place now, so give the router a little kick to get things going, type the following
/etc/init.d/resolver restart

Congratz, all done. You should be using dns over tls via Cloudflare’s 1.1.1.1

I confirmed things were working from dnsleaktest.com, only entries from Cloudflare should be returned.

It took me some time to figure this out from the forum, I hope this saves somebody else some trouble. Please feel free to nit-pick for any corrections.

9 Likes

Thanks for that summary. Would be nice if you put that into documentation :slight_smile:

But please, before doing that, change your apostrophes from ‘ and ’ to ' otherwise it won’t work :wink:

1 Like

The benefit of changing it is really tremendous - DNS resolution now happens within only a fraction of a second, that’s really nice. At least compared to DNS servers provided by my ISP (German Telekom)… :roll_eyes::sleeping:

I think you are talking about the ‘/etc/kresd/custom.conf’ entry. It did render strangely, I removed the bolding. Otherwise, yes single quotes and there should not be a single ` in the post. shuddering slightly

It’s expected to be soon clickable in Foris. I think early adopters can find this thread…

2 Likes

Not only - also inside custom.conf

I am not seeing it, but for good measure, I deleted the stanza and pasted from a terminal displaying my working config. I think what we are experiencing is Discuss being too “user friendly” with its formatting. If there is a “code box” available in the forum, I don’t know where it is. At least the content is sound.

1 Like
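As an added example (not code from the thread, from Turris or from knot-resolver), the following script strings the recipe above together and adds the check the later posts ask for: the generated kresd config must contain only plain ASCII quotes. The uci section names resolver.common and resolver.kresd, the PEM path and the WAN interface name eth1 are assumptions taken from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the recipe above on the router
# and guards against the "smart quote" problem discussed later in the thread.
# Assumed: uci sections resolver.common and resolver.kresd (as named in the
# posts) and the DigiCert PEM already placed at CA_FILE.
CA_FILE='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'
CONF='/etc/kresd/custom.conf'

# Emit the kresd policy with plain ASCII quotes (0x27) for both Cloudflare IPs.
gen_policy() {
    cat <<EOF
policy.add(policy.all(
    policy.TLS_FORWARD({
        {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='$CA_FILE'},
        {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='$CA_FILE'}
    })
))
EOF
}

# Return 0 when the file is pure ASCII, 1 if any non-ASCII byte is present,
# e.g. the U+2018/U+2019 quotes a forum paste turns ' into, which kresd
# rejects as a Lua syntax error.
check_quotes() {
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"; then
        echo "non-ASCII byte in $1: retype the quotes as plain '" >&2
        return 1
    fi
    return 0
}

# Write the policy, point kresd at it, turn off ISP forwarding and restart.
# Only meaningful on the router itself.
install_policy() {
    [ -r "$CA_FILE" ] || { echo "missing $CA_FILE" >&2; return 1; }
    gen_policy > "$CONF"
    check_quotes "$CONF" || return 1
    uci set resolver.common.forward_upstream='0'
    uci set resolver.kresd.include_config="$CONF"
    uci commit resolver
    /etc/init.d/resolver restart
}

# To confirm it works (the question raised above): after the restart, upstream
# traffic should leave the WAN (assumed eth1) only as TCP 853 to 1.1.1.1 or
# 1.0.0.1, with no plain port-53 queries: tcpdump -ni eth1 'port 853 or port 53'
if [ "${1:-}" = "install" ]; then
    install_policy
fi
```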

What about section

config interface 'wan'
	option dns

in /etc/config/network, isn't it needed to be modified also? (Trying to avoid any Foris actions; I understand your point 1 as forward_upstream '0' in /etc/config/resolver)

@dibdot - could we use that with adblock DNS feature? I mean, if there is any need to modify also adblock’s configuration or not…

yes, of course it’s compatible with “last mile encryption” (no changes required)! :wink:

2 Likes

I just tried with and without option dns set. My conclusion is that as long as forwarding is off, it has no effect. ymmv.

1 Like