Using DNS over TLS or HTTPS

Now that 3.10 has been out for a while, I have tried putting the pieces together. Here is my recipe:

  1. Go to the Foris DNS tab and make sure that “Use forwarding” is not checked, save.

  2. Grab and convert the needed certificate, as described by HomerSp: ssh into the Omnia and from /root

wget https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt

openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out DigiCertECCSecureServerCA.pem

  3. It looks like certificates are in /etc/ssl/certs, so put the newly converted file there

cp DigiCertECCSecureServerCA.pem /etc/ssl/certs/DigiCertECCSecureServerCA.pem

  4. We are really making a customized rule for kresd, so create the file /etc/kresd/custom.conf containing a modified version of vcunat’s config

policy.add(policy.all(
      policy.TLS_FORWARD({
          {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'},
          {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'}
      })
))

  5. The resolver needs to know where to find the rule, so edit /etc/config/resolver, adding the following line at the end of the config resolver 'kresd' section

option include_config '/etc/kresd/custom.conf'

  6. Everything should be in place now, so give the router a little kick to get things going; type the following

/etc/init.d/resolver restart

Congrats, all done. You should be using DNS over TLS via Cloudflare’s 1.1.1.1

I confirmed things were working from dnsleaktest.com, only entries from Cloudflare should be returned.

It took me some time to figure this out from the forum, I hope this saves somebody else some trouble. Please feel free to nit-pick for any corrections.

9 Likes
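The recipe above as a script, added here as an example; it is not code from the post, from HomerSp or vcunat, or from the Turris project. It renders custom.conf with `printf` instead of pasting it, so the Lua file can only ever contain straight ASCII quotes, and it checks that before restarting the resolver. It assumes Turris OS 3.x with kresd and uci, the CA file path, hostname and addresses from the post, and that a `common` section in /etc/config/resolver holds `forward_upstream` (that section name is my assumption; the `kresd` section is the one named in the recipe). The function names are mine.

```shell
#!/bin/sh
# Added example, not the thread's own code. Reproduces the six steps of the
# recipe as a script and checks the two things the thread tripped over:
# the CA file must exist, and custom.conf must contain only ASCII quotes.
# Assumed: Turris OS 3.x, kresd, uci. Paths/hostnames are from the post.

CA_CRT_URL='https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt'
CA_PEM='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'
CUSTOM_CONF='/etc/kresd/custom.conf'

# Print a kresd TLS_FORWARD policy for a CA file, a TLS hostname and one or
# more resolver addresses. A trailing comma after the last entry is valid in
# a Lua table constructor, so every entry gets one (keeps the loop simple).
render_tls_forward() {
    ca="$1"; host="$2"; shift 2
    printf 'policy.add(policy.all(\n'
    printf '    policy.TLS_FORWARD({\n'
    for ip in "$@"; do
        printf "        {'%s', hostname='%s', ca_file='%s'},\n" "$ip" "$host" "$ca"
    done
    printf '    })\n'
    printf '))\n'
}

# kresd parses custom.conf as Lua. The typographic quotes (U+2018/U+2019)
# that a forum editor substitutes for ' are multi-byte UTF-8 and a Lua
# syntax error. Return 1 if any byte outside printable ASCII/whitespace
# is present in the file.
check_ascii_only() {
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"; then
        echo "error: non-ASCII byte (curly quote?) in $1" >&2
        return 1
    fi
    return 0
}

# Steps 1-6 of the recipe. Not run by default: needs root on the router and
# network access. Invoke as: sh dot-forward.sh --install
install_dot_forwarding() {
    set -e
    cd /root
    # BusyBox wget may refuse https; the thread suggests installing full wget.
    wget "$CA_CRT_URL"
    openssl x509 -inform der -in DigiCertECCSecureServerCA.crt \
        -out DigiCertECCSecureServerCA.pem
    cp DigiCertECCSecureServerCA.pem "$CA_PEM"
    [ -s "$CA_PEM" ] || { echo "CA file missing: $CA_PEM" >&2; exit 1; }

    mkdir -p "$(dirname "$CUSTOM_CONF")"
    render_tls_forward "$CA_PEM" cloudflare-dns.com 1.1.1.1 1.0.0.1 > "$CUSTOM_CONF"
    check_ascii_only "$CUSTOM_CONF"

    # Step 1 (forwarding off) and step 5 (include_config) via uci rather than
    # Foris / hand-editing. 'common' is an assumed section name.
    uci set resolver.common.forward_upstream='0'
    uci set resolver.kresd.include_config="$CUSTOM_CONF"
    uci commit resolver
    /etc/init.d/resolver restart
}

if [ "${1:-}" = "--install" ]; then
    install_dot_forwarding
else
    # Dry run: show the custom.conf that would be written.
    render_tls_forward "$CA_PEM" cloudflare-dns.com 1.1.1.1 1.0.0.1
fi
```

Two things worth knowing before relying on this. `ca_file` makes kresd validate 1.1.1.1's certificate against that single DigiCert intermediate, so if Cloudflare ever serves a chain not signed by it, the TLS handshake fails and forwarding stops rather than silently falling back to plain DNS; check the chain again after an outage. And if knot-dnsutils is installed, `kdig @1.1.1.1 +tls-ca=/etc/ssl/certs/DigiCertECCSecureServerCA.pem +tls-hostname=cloudflare-dns.com example.com` exercises exactly the validation kresd will do, which is a quicker check than dnsleaktest.com.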

Thanks for that summary. Would be nice if you put that into documentation :slight_smile:

But please, before doing that, change your apostrophes from ‘ and ’ to ', otherwise it won’t work :wink:

1 Like

The benefit of changing it is really tremendous - DNS resolution now happens within only a fraction of a second, that’s really nice. At least compared to DNS servers provided by my ISP (German Telekom)… :roll_eyes::sleeping:

I think you are talking about the ‘/etc/kresd/custom.conf’ entry. It did render strangely, I removed the bolding. Otherwise, yes single quotes and there should not be a single ` in the post. shuddering slightly

It’s expected to be soon clickable in Foris. I think early adopters can find this thread…

2 Likes

Not only - also inside custom.conf

I am not seeing it, but for good measure, I deleted the stanza and pasted from a terminal displaying my working config. I think what we are experiencing is Discuss being too “user friendly” with its formatting. If there is a “code box” available in the forum, I don’t know where it is. At least the content is sound.

1 Like

What about section

config interface 'wan'
	option dns

in /etc/config/network, isn't it needed to be modified also? (Trying to avoid any Foris actions; I understand your point 1 as forward_upstream '0' in /etc/config/resolver)

@dibdot - could we use that with adblock DNS feature? I mean, if there is any need to modify also adblock’s configuration or not…

yes, of course it’s compatible with “last mile encryption” (no changes required)! :wink:

2 Likes

I just tried with and without option dns set. My conclusion is that as long as forwarding is off, it has no effect. ymmv.

1 Like

Thanks. I was thinking about it, but can't test personally yet. Looks kinda neat and easy then…

I would like to add this to the community documentation, unfortunately I can't find (or don't have rights) to create a new page :frowning:

https://pastebin.com/9S8ueB3a

1 Like

Is there anyone who could add this to https://doc.turris.cz/doc/en/public/start ? Or anyone willing to give me rights to create a community wiki page? :disappointed_relieved:

If you create your own user account, you will be able to participate in community section.
Link to the registration page is here (in Czech) or here (in English)

I am registered there as “Jirka”, I edited some of the created pages in history, but I just can't find a create page (within the public en/ namespace) button or link…

Then perhaps edit https://doc.turris.cz/doc/en/public/dns_knot_misc ? It would seem a suitable place to me.

Seems good, done. However, it doesn't propagate the content of tricks (or type of tricks) to the main community page. Anyway, I would like to know how it is with rights anyway (for possible future purposes), but that's off-topic.

Perhaps one addition? I found I needed to install wget as the version within BusyBox wouldn’t allow download via https.

Didn't you have a problem with certificates? Turris OS 3.9.6:

root@Doma:~# wget https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt
--2018-05-20 14:02:55--  https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt
Resolving www.digicert.com... 45.60.123.229
Connecting to www.digicert.com|45.60.123.229|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 944
Saving to: 'DigiCertECCSecureServerCA.crt'

DigiCertECCSecureServerCA.crt      100%[================================================================>]     944  --.-KB/s    in 0s

2018-05-20 14:02:56 (5.16 MB/s) - 'DigiCertECCSecureServerCA.crt' saved [944/944]

(and I am not aware touching wget/curl/etc on my Omnia)

Yes, wget was complaining about it not being an http or ftp address. Downloaded OK when I changed the address to http. Also fine through a regular terminal via https.
My Omnia setup is quite vanilla and all the latest updates had been installed (Turris OS 3.10), wget package wasn’t installed previously.

Would anyone know how to randomize DNS (over TLS) resolver selection for the Omnia as done in the following article? https://www.ctrl.blog/entry/kresd-random-dns-forwarding