Using DNS over TLS or HTTPS

Hi,
Yes, our plan is to introduce a DNS-over-TLS setting in a future Foris version (probably 3.10.x or 3.11 TurrisOS).

5 Likes

For those using the RC and having set up DNS over TLS: are DNS query speeds really as fast as advertised by Cloudflare?

I think the numbers will be significantly affected by your particular ping to their IPs. (In CZ they have servers in Prague.)

1 Like

Where exactly do I add the policy-section you mentioned above?

See the wiki. I expect you also need to uncheck forwarding in Foris, as that would normally result in a different forwarding rule before the one added by you (and thus taking precedence); combining config pieces from different sources is just hard to do in general…

1 Like

Now that 3.10 has been out for a while, I have tried putting the pieces together. Here is my recipe:

  1. Go to the Foris DNS tab and make sure that “Use forwarding” is not checked, then save.

  2. Grab and convert the needed certificate, as described by HomerSp: ssh into the Omnia and, from /root, run

     wget https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt
     openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out DigiCertECCSecureServerCA.pem

  3. It looks like certificates live in /etc/ssl/certs, so put the newly converted file there:

     cp DigiCertECCSecureServerCA.pem /etc/ssl/certs/DigiCertECCSecureServerCA.pem

  4. We are really making a customized rule for kresd, so create the file /etc/kresd/custom.conf containing a modified version of vcunat’s config:

     policy.add(policy.all(
         policy.TLS_FORWARD({
             {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'},
             {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'}
         })
     ))

  5. The resolver needs to know where to find the rule, so edit /etc/config/resolver, adding the following line at the end of the config resolver 'kresd' section:

     option include_config '/etc/kresd/custom.conf'

  6. Everything should be in place now, so give the router a little kick to get things going:

     /etc/init.d/resolver restart

Congratz, all done. You should be using DNS over TLS via Cloudflare’s 1.1.1.1.

I confirmed things were working with dnsleaktest.com; only entries from Cloudflare should be returned.

It took me some time to figure this out from the forum; I hope this saves somebody else some trouble. Please feel free to nit-pick for any corrections.

9 Likes
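An added check (not from the thread or the Turris project) for the two pitfalls this post and the replies run into: typographic quotes pasted into custom.conf or the include_config line, and a ca_file that is still the DER .crt rather than the converted PEM. The sample config text, the BAD_CONF variant and the read_file callback are constructed for the example; run it over the real files before /etc/init.d/resolver restart.

```python
import re
import unicodedata
# Quote-like characters that Lua and UCI will not accept in place of ASCII ' (U+0027).
SUSPECT_QUOTES = {"\u2018", "\u2019", "\u201c", "\u201d", "`"}
# One {'ip', hostname='...', ca_file='...'} entry inside policy.TLS_FORWARD({...}).
ENTRY_RE = re.compile(r"\{\s*'(?P<ip>[0-9A-Fa-f.:]+)'\s*,\s*hostname\s*=\s*'(?P<host>[^']+)'"
                      r"\s*,\s*ca_file\s*=\s*'(?P<ca>[^']+)'\s*\}")

def find_suspect_quotes(text):
    """Return (line_number, unicode_name) for every quote-like non-ASCII char."""
    return [(n, unicodedata.name(ch))
            for n, line in enumerate(text.splitlines(), 1)
            for ch in line if ch in SUSPECT_QUOTES]

def parse_tls_forward(text):
    """Extract (ip, hostname, ca_file) triples from a TLS_FORWARD policy."""
    return [m.group("ip", "host", "ca") for m in ENTRY_RE.finditer(text)]

def is_pem_certificate(data):
    """The DER .crt downloaded from the CA fails this until converted with openssl."""
    return data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")

def lint(text, read_file=None):
    """Return a list of problems; an empty list means the config is safe to load."""
    problems = [f"line {n}: {name} used instead of an ASCII quote"
                for n, name in find_suspect_quotes(text)]
    entries = parse_tls_forward(text)
    if "TLS_FORWARD" in text and not entries:
        problems.append("TLS_FORWARD present but no parsable {'ip', hostname=, ca_file=} entry")
    # Certificate files are only checked when the caller supplies a reader (assumption).
    for ip, host, ca in (entries if read_file else []):
        try:
            data = read_file(ca)
        except OSError as exc:
            problems.append(f"{ip} ({host}): cannot read ca_file {ca}: {exc}")
            continue
        if not is_pem_certificate(data):
            problems.append(f"{ip} ({host}): {ca} is not PEM; run openssl x509 -inform der")
    return problems

# Constructed samples: the working config from the thread, and the same text after a
# forum editor has replaced every ASCII ' with a typographic one.
GOOD_CONF = """policy.add(policy.all(
    policy.TLS_FORWARD({
        {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'},
        {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'}
    })
))
"""
BAD_CONF = GOOD_CONF.replace("'", "\u2019")
```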

Thanks for that summary. Would be nice if you put that into documentation :slight_smile:

But please, before doing that, change your apostrophes from ‘ and ’ to ' otherwise it won’t work :wink:

1 Like

The benefit of changing it is really tremendous - DNS resolution now happens within only a fraction of a second, that’s really nice. At least compared to DNS servers provided by my ISP (German Telekom)… :roll_eyes::sleeping:

I think you are talking about the ‘/etc/kresd/custom.conf’ entry. It did render strangely; I removed the bolding. Otherwise, yes, single quotes, and there should not be a single ` in the post. shuddering slightly

It’s expected to be soon clickable in Foris. I think early adopters can find this thread…

2 Likes

Not only - also inside custom.conf

I am not seeing it, but for good measure, I deleted the stanza and pasted from a terminal displaying my working config. I think what we are experiencing is Discuss being too “user friendly” with its formatting. If there is a “code box” available in the forum, I don’t know where it is. At least the content is sound.

1 Like

What about the section

config interface 'wan'
	option dns

in /etc/config/network, doesn't it also need to be modified? (Trying to avoid any Foris actions; I understand your point 1 as forward_upstream '0' in /etc/config/resolver)

@dibdot - could we use that with the adblock DNS feature? I mean, is there any need to modify adblock’s configuration as well, or not…

yes, of course it’s compatible with “last mile encryption” (no changes required)! :wink:

2 Likes

I just tried with and without option dns set. My conclusion is that as long as forwarding is off, it has no effect. ymmv.

1 Like

Thanks. I was thinking about it, but can’t test it personally yet. Looks kinda neat and easy then…

I would like to add this to the community documentation; unfortunately I can’t find (or don’t have the rights) to create a new page :frowning:

https://pastebin.com/9S8ueB3a

1 Like

Is there anyone who could add this to https://doc.turris.cz/doc/en/public/start ? Or anyone willing to give me the rights to create a community wiki page? :disappointed_relieved:

If you create your own user account, you will be able to participate in the community section.
The link to the registration page is here (in Czech) or here (in English).

I am registered there as “Jirka”; I edited some of the created pages in the history, but I just can’t find the create-page button or link (within the public en/ namespace)…

Then perhaps edit https://doc.turris.cz/doc/en/public/dns_knot_misc ? It would seem a suitable place to me.