networking:dns:unbound:configure_encrypted_dns_with_caching
networking:dns:unbound:configure_encrypted_dns_with_caching [2020/12/06 11:19] – peter | networking:dns:unbound:configure_encrypted_dns_with_caching [2020/12/06 11:33] (current) – peter | ||
Line 122: | Line 122: | ||
</ | </ | ||
+ | ---- | ||
+ | ===== Test that TLS is Working ===== | ||
+ | |||
+ | <code bash> | ||
+ | openssl s_client -connect localhost: | ||
+ | </ | ||
+ | |||
+ | You can find the name suitable for an upstream server using: | ||
+ | |||
+ | <code bash> | ||
+ | openssl s_client -connect 1.1.1.1:853 | ||
+ | </ | ||
+ | |||
+ | The host name you append to your **forward-addr** should match that given as the CN name reported by openssl. | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Workaround Man-In-The-Middle ===== | ||
+ | |||
+ | A corporate firewall that inserts itself as a man-in-the-middle in all connections may cause this setup to fail. | ||
+ | |||
+ | If your TLS CA bundle does not have the corporate certificates, | ||
+ | |||
+ | This situation prevents you from resolving any names. In addition, in some extreme cases, corporate firewalls block access to the DNS ports completely. | ||
+ | |||
+ | ==== Resolution ==== | ||
+ | |||
+ | To work around this issue, access to a trusted resolver is provided using an SSH tunnel; assuming that SSH can be used, and the IP address of the secure server is known so that setting up the tunnel is not dependent on the resolver. | ||
+ | |||
+ | If TLS is not required: | ||
+ | |||
+ | <file bash / | ||
+ | ... | ||
+ | server: | ||
+ | tcp-upstream: | ||
+ | do-not-query-localhost: | ||
+ | |||
+ | forward-zone: | ||
+ | forward-tls-upstream: | ||
+ | forward-addr: | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | <WRAP info> | ||
+ | **NOTE: | ||
+ | </ | ||
+ | |||
+ | |||
+ | If TLS will be used for all upstream resolvers: | ||
+ | |||
+ | <file bash / | ||
+ | server: | ||
+ | do-not-query-localhost: | ||
+ | |||
+ | forward-zone: | ||
+ | forward-tls-upstream: | ||
+ | forward-addr: | ||
+ | </ | ||
+ | |||
+ | <WRAP info> | ||
+ | **NOTE: | ||
+ | |||
+ | TLS must be properly configured for the secure remote resolver being accessed through the SSH tunnel and your local certificate authority bundle must include the certificate of the authority that issued your TLS certificate. | ||
+ | |||
+ | |||
+ | This example uses: | ||
+ | |||
+ | * server-name.tld is a name compatible with the certificate. | ||
+ | * An SSH tunnel exists from localhost@11853 to the remote secure server’s port 853. | ||
+ | </ | ||
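Review bot: In the new "Test that TLS is Working" section, the instruction to match the host name appended to **forward-addr** against the CN reported by openssl is incomplete and the test as written does not prove verification succeeded. OpenSSL (and therefore Unbound) matches the name against the certificate's subjectAltName dNSName entries and only falls back to CN when no SAN is present, and `openssl s_client` prints the full handshake even when chain or name verification fails. Suggest telling the reader to take the name from the SAN list and to run the check with `-verify_return_error` (or at least to look for `Verify return code: 0 (ok)` in the output), and to point Unbound at the same CA bundle via `tls-cert-bundle` so the manual test matches what the resolver will actually enforce; this also ties in with the NOTE in the Resolution section that the local CA bundle must contain the issuing authority. On the two Resolution configs: the first (no-TLS) block sets `tcp-upstream:` because an SSH `-L` port forward carries TCP only, while the second block omits it; that is fine because `forward-tls-upstream:` already forces TCP, but one sentence in its NOTE saying so would stop readers from assuming the option was forgotten.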
networking/dns/unbound/configure_encrypted_dns_with_caching.1607253555.txt.gz · Last modified: 2020/12/06 11:19 by peter