In case anyone else is trying to get this to work, I had a few problems setting things up myself, but I have now finally got it to work.
First of all, you have to set forward_upstream to 0 in /etc/config/resolver under common. Not doing this will cause it to still forward DNS queries to whatever servers you get from your ISP.
Secondly, the ca_file should not be the certificate from cloudflare-dns.com, instead it should be the certificate that authored it, which is “DigiCert ECC Secure Server CA”. You can download this cert from: https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt. Knot-resolver doesn’t seem to support DER, so make sure you convert it to PEM:
openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out DigiCertECCSecureServerCA.pem
It’s about Android and not Omnia, but let me post a link: https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
Ok so:
I just did that. How do I verify if it works (wireshark?)? And what about 1.0.0.1 can I just set another rule with the second ip?
EDIT: I reverted the changes since it breaks lxc-create -t download -n container_name
functionality with:
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver.
lxc-create: lxccontainer.c: create_run_template: 1201 container creation template for container_name failed
lxc-create: lxc_create.c: main: 274 Error creating container container_name
Discovered by accident
EDIT2:
I followed https://doc.turris.cz/doc/en/public/dns_knot_misc with clearing the cache and now everything works. https://dnsleaktest.com/ points to Cloudflare DNS. Before it could be some temporary error.
Hi,
is this adaptation still necessary if knot resolver has appeared in version 2.0.0? So with the release of TurrisOS 3.10? Or is that easier to adjust?
Best regards
It’s impossible to forward over TLS with knot-resolver < 2.0.0, i.e. the default version with Omnia < 3.10. I don’t expect Omnia would have some clickable way to set this up as of 3.10.x already, but I don’t follow this side closely. @paja should know.
Hi,
yes, our plan is to introduce a DNS-over-TLS setting in a future Foris version (probably TurrisOS 3.10.x or 3.11)
For those using RC and having set up DNS over TLS: are DNS query speeds really as fast as advertised by Cloudflare?
I think the numbers will be significantly affected by your particular ping to their IPs. (In CZ they have servers in Prague.)
Where exactly do I add the policy section you mentioned above?
See the wiki. I expect you also need to uncheck forwarding in Foris, as that would normally result in a different forwarding rule before the one added by you (and thus taking precedence); combining config pieces from different sources is just hard to do generally…
Now that 3.10 has been out for a while, I have tried putting the pieces together. Here is my recipe:
- Go to the Foris DNS tab and make sure that “Use forwarding” is not checked, save.
- Grab and convert the needed certificate, as described by HomerSp: ssh into Omnia and from /root
wget https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt
openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out DigiCertECCSecureServerCA.pem
- It looks like certificates are in /etc/ssl/certs so put the newly converted file there
cp DigiCertECCSecureServerCA.pem /etc/ssl/certs/DigiCertECCSecureServerCA.pem
- We are really making a customized rule for kresd, so create the file /etc/kresd/custom.conf containing a modified version of vcunat’s config
policy.add(policy.all(
policy.TLS_FORWARD({
{'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'},
{'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'}
})
))
- The resolver needs to know where to find the rule, so edit /etc/config/resolver, adding the following line at the end of the config resolver ‘kresd’ section
option include_config '/etc/kresd/custom.conf'
- Everything should be in place now, so give the router a little kick to get things going, type the following
/etc/init.d/resolver restart
Congrats, all done. You should be using DNS over TLS via Cloudflare’s 1.1.1.1
I confirmed things were working from dnsleaktest.com, only entries from Cloudflare should be returned.
It took me some time to figure this out from the forum, I hope this saves somebody else some trouble. Please feel free to nit-pick for any corrections.
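An added example (not from this thread or from the Knot Resolver project) that does by hand what the TLS_FORWARD policy in the recipe does: open TLS to port 853 with the configured hostname as SNI, validate the server chain against the ca_file, and send one length-prefixed DNS query (RFC 7858). It doubles as an answer to the earlier “how do I verify it works” question: if the CA file or hostname is wrong it raises ssl.SSLError exactly as kresd would refuse the upstream. The ca_file path is the one from the recipe; the query name turris.cz and the 1.1.1.1/cloudflare-dns.com pair are assumptions, and a live run needs whichever CA currently signs the upstream’s certificate.

```python
# Added example: query a DNS-over-TLS upstream the way kresd's policy.TLS_FORWARD
# does (RFC 7858): TLS on port 853, SNI = hostname, chain checked against ca_file.
import socket, ssl, struct

def build_query(name, qid=0x1234):
    """Minimal DNS query: one A question, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_answer(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _qid, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    def skip_name(p):  # plain labels or a 0xC0xx compression pointer
        while msg[p] and msg[p] & 0xC0 != 0xC0:
            p += 1 + msg[p]
        return p + (2 if msg[p] & 0xC0 == 0xC0 else 1)
    pos, ips = skip_name(12) + 4, []  # past the echoed question + QTYPE/QCLASS
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0xF, ips

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection early")
        buf += chunk
    return buf

def dot_query(ip, hostname, ca_file, name, port=853, timeout=5):
    """One query over TLS; raises ssl.SSLError if the chain or SNI name fails."""
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname check is on
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN  # ca_file holds an intermediate CA
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)  # 2-byte length prefix
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_answer(recv_exact(tls, length))

if __name__ == "__main__":
    ca = "/etc/ssl/certs/DigiCertECCSecureServerCA.pem"  # path from the recipe
    print(dot_query("1.1.1.1", "cloudflare-dns.com", ca, "turris.cz"))  # assumed name
```

A successful run returns rcode 0 and the A records; the same check against port 53 in plain UDP is what forward_upstream would otherwise fall back to, which is why the recipe turns it off.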
Thanks for that summary. Would be nice if you put that into documentation
But please, before doing that, change your apostrophes from ‘ and ’ to ' otherwise it won’t work
The benefit of changing it is really tremendous - DNS resolution now happens within only a fraction of a second, that’s really nice. At least compared to DNS servers provided by my ISP (German Telekom)…
I think you are talking about the ‘/etc/kresd/custom.conf’ entry. It did render strangely, I removed the bolding. Otherwise, yes single quotes and there should not be a single ` in the post. shuddering slightly
It’s expected to be soon clickable in Foris. I think early adopters can find this thread…
Not only - also inside custom.conf
I am not seeing it, but for good measure, I deleted the stanza and pasted from a terminal displaying my working config. I think what we are experiencing is Discuss being too “user friendly” with its formatting. If there is a “code box” available in the forum, I don’t know where it is. At least the content is sound.
What about the section
config interface 'wan'
option dns
in /etc/config/network, isn’t it needed to be modified also? (Trying to avoid any Foris actions; I understand your point 1 as forward_upstream '0' in /etc/config/resolver)
@dibdot - could we use that with adblock DNS feature? I mean, if there is any need to modify also adblock’s configuration or not…
yes, of course it’s compatible with “last mile encryption” (no changes required)!
I just tried with and without option dns set. My conclusion is that as long as forwarding is off, it has no effect. ymmv.