
DNS over TLS

ronnylov edited this page Jun 17, 2019 · 34 revisions

Wikipedia describes DNS over TLS like this:

DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.

Normally DNS queries and answers are not encrypted, which makes it possible for ISPs, governments or anyone else who wants to spy on you to perform man-in-the-middle attacks, for instance replacing or blocking answers from DNS servers. Using a protocol with encryption makes this much harder. DNS over TLS is one way to do it; DNS over HTTPS is another.

Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.

We are going to use Stubby in combination with Unbound: Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections). You can get the same result by combining Stubby with dnsmasq as described here.

Installing Stubby on Debian involves compiling it from source, which may be a bit complicated for normal users, and combining it with Unbound also involves some configuration. A much easier way is to use precompiled Docker images. Matthew Vance has developed a Docker solution that sets this configuration up. You can find the images on Docker Hub too: Stubby and Unbound.

This allows you to run Stubby for better DNS over TLS support than Unbound provides, without losing the performance benefits of a local caching DNS resolver.

Install Docker and Docker-Compose

On Debian Linux we install Docker and docker-compose by following the official Docker documentation. Take a look at the Docker documentation on how to install Docker CE on Debian, and install Docker CE as described there.

You need to do the post-installation steps for Linux. The steps can be summarized as:

$ sudo groupadd docker
$ sudo usermod -aG docker lthn
$ sudo systemctl enable docker

They also have instructions on how to install Docker Compose. Click the Linux tab in the "Install Compose" section to see the Linux instructions, and install docker-compose accordingly.

Disable docker iptables support and ipv6

Docker has its own management of the iptables firewall, which conflicts with our own customized iptables firewall setup. To get full control over iptables we must disable iptables management by Docker. IPv6 support seems to be disabled by default in Docker, but to be sure we add that to the configuration too.

The official Docker documentation, Docker and iptables, says:

To prevent Docker from manipulating the iptables policies at all, set the iptables key to false in /etc/docker/daemon.json. This is inappropriate for most users, because the iptables policies then need to be managed by hand.

Well, it is not inappropriate for us, because we want to manage iptables by hand.

Take a look at the Docker documentation on how to enable IPv6 support; we do the opposite and disable it.
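As an added example (not part of this wiki or of Matthew Vance's images), a small POSIX shell script that writes the two daemon.json settings described above, keeps a backup of any existing file, and checks that both keys are really set to false. The function names and the DAEMON_JSON variable are my own; a missing key silently falls back to Docker's default (iptables enabled), which is what the check guards against.

```shell
#!/bin/sh
# Added example, not from the original wiki. Writes /etc/docker/daemon.json so
# that Docker leaves iptables alone and keeps IPv6 off, then verifies the file.
# Assumptions: POSIX sh; run as root (or via sudo) for the real path;
# DAEMON_JSON can be pointed at a scratch path for a dry run.
DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# The daemon.json body the page calls for: "iptables": false stops Docker from
# touching the firewall, "ipv6": false makes sure no IPv6 network is created.
render_daemon_json() {
    printf '{\n  "iptables": false,\n  "ipv6": false\n}\n'
}

# Install the config. An existing file is backed up rather than overwritten
# silently, so hand-written keys can be merged back in by the administrator.
install_daemon_json() {
    path="$1"
    if [ -f "$path" ]; then
        cp "$path" "$path.bak.$(date +%s)"
        echo "existing $path backed up; merge your old keys into the new file" >&2
    fi
    mkdir -p "$(dirname "$path")"
    render_daemon_json > "$path"
    chmod 0644 "$path"
}

# Return 0 only when both keys are present and set to false. A key that is
# absent means Docker keeps its default, i.e. it would manage iptables again.
daemon_json_disables_iptables_and_ipv6() {
    f="$1"
    grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$f" &&
    grep -Eq '"ipv6"[[:space:]]*:[[:space:]]*false' "$f"
}

# "apply" writes the real file and restarts Docker so the setting takes effect.
if [ "${1:-}" = "apply" ]; then
    install_daemon_json "$DAEMON_JSON"
    daemon_json_disables_iptables_and_ipv6 "$DAEMON_JSON" || exit 1
    systemctl restart docker
fi
```

Run it as `sudo sh docker-daemon-json.sh apply`; to preview without touching the system, set DAEMON_JSON to a scratch path and call install_daemon_json on it.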