DoT (DNS over TLS)
DNS is one of the last widely used protocols that is still sent unencrypted; the right way to fix this is to implement DoT. The reference links at the bottom of this page explain why.
When running bind9 you can use stunnel to enable DNS over TLS; below is an example of how to accomplish this. In this example both stunnel and bind run on the same server, but the same setup also works in a distributed environment (stunnel on a front-end host, bind on another).
This example assumes that a DNS server is already running and does not cover that part. For the stunnel part, install stunnel from your OS repository or build it from source.
user@host:~$ sudo apt-get install stunnel
Configure stunnel for DoT operation:
user@host:~$ vi /etc/stunnel/stunnel4.conf
; global settings
debug = warning
foreground = no
pid = /var/run/stunnel4/stunnel4.pid
output = /var/log/stunnel4/stunnel4.log
;
; refuse SSLv3; note that prefixing an option with a dash (-NO_SSLv3) would
; *disable* the option and allow SSLv3 again
options = NO_SSLv3
;
setuid = stunnel4
setgid = stunnel4
;
; every service definition in this directory is loaded
include = /etc/stunnel/conf.d
;

user@host:~$ vi /etc/stunnel/conf.d/dsntls.conf
[dns]
; listen on the DoT port and forward the decrypted stream to bind on TCP/53
accept = 853
connect = 127.0.0.1:53
;
; server certificate and key presented to DoT clients (use absolute paths
; in production); CAfile is only consulted if client verification is enabled
CAfile = ca.pem
cert = host.crt
key = host.pem
;
You can test the configuration by running stunnel in the foreground: set foreground = yes and run stunnel4 /etc/stunnel/stunnel4.conf. If everything looks OK, set foreground back to no and enable the service. On a systemd system this is done with sudo systemctl enable stunnel4, and the service is then started with sudo systemctl start stunnel4.
To test if this is working one can use the following tools:
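As an added example (not part of the original page), the following Python client shows what a DoT exchange with the stunnel listener above looks like on the wire: a plain RFC 1035 query, prefixed with the 2-byte length used for DNS over TCP, sent inside a TLS session to port 853, and the framed answer read back and parsed. The endpoint name dns.example.net, the optional ca.pem and the sample response bytes are constructed for the example; the parser runs offline against the sample so the framing and parsing logic can be checked without a server.

```python
import socket
import ssl
import struct

# Constructed sample endpoint: the host running stunnel from the config above.
DOT_HOST = "dns.example.net"  # hypothetical name; must match the CN/SAN in host.crt
DOT_PORT = 853                # port stunnel accepts on (RFC 7858)
CA_FILE = None                # e.g. "ca.pem" if host.crt was issued by a private CA


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (RFC 1035): 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def frame_tcp(message):
    """DNS over TCP and over TLS prefix every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends here
            return offset + 2
        offset += 1
        if length == 0:
            return offset
        offset += length


def parse_response(message, expected_txid):
    """Return (rcode, [A-record IPv4 strings]) from a raw DNS response.

    The transaction id is checked so a stray or mismatched reply is not accepted.
    """
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", message[:8])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question(s)
        offset = _skip_name(message, offset) + 4
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(message, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:     # A record
            addresses.append(".".join(str(b) for b in rdata))
    return rcode, addresses


def _recv_exact(sock, n):
    """Read exactly n bytes; TLS records do not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message arrived")
        buf += chunk
    return buf


def dot_query(name, host=DOT_HOST, port=DOT_PORT, ca_file=CA_FILE, txid=0x1234):
    """Send one A query over TLS to the stunnel listener and return (rcode, addresses)."""
    context = ssl.create_default_context(cafile=ca_file)   # verifies the server certificate
    context.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSLv3 / TLS 1.0 / TLS 1.1
    with socket.create_connection((host, port), timeout=5) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_tcp(build_query(name, txid=txid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)


# Constructed sample response: txid 0x1234, NOERROR, question example.com/A,
# one A record (compressed name pointer to offset 12, TTL 300, 93.184.216.34).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)


if __name__ == "__main__":
    print("offline parse:", parse_response(SAMPLE_RESPONSE, 0x1234))
    try:
        print("live query:", dot_query("example.com"))
    except OSError as exc:                   # no stunnel reachable at DOT_HOST
        print("live query failed:", exc)
```

Because the client uses a verifying TLS context and pins the minimum version to TLS 1.2, a successful answer also confirms that the certificate installed in host.crt chains to a CA the client trusts and that the stunnel listener is not negotiating legacy protocol versions.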
Other DNS solutions you can use to enable DoT are:
BIND: DNS over TLS
PowerDNS: DNS over TLS