20201228
bind > 9.17.7 , dnsdist > 1.3.0
bind-9.17.7 + tls
tls ayu.tls {
key-file "ayu.tls.key";
cert-file "ayu.tls.crt";
};
listen-on port 853 tls ayu.tls { any; };
openssl genrsa -out ayu.tls.key 2048        # 2048-bit: OpenSSL 1.1.1 defaults reject a 1024-bit end-entity key (see note 1)
openssl req -new -key ayu.tls.key -out ayu.tls.crt -x509 -days 365   # self-signed; without -days, -x509 issues a 30-day certificate
# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      19718 42 tcp4   192.168.1.249:853     *:*
bind     named      19718 44 tcp4   127.0.0.1:853         *:*
bind     named      19718 46 tcp4   127.0.0.1:953         *:*
(port 953 is the rndc control channel, not part of the DoT setup)

dig +tls @192.168.1.249 tw.yahoo.com a

; <<>> DiG 9.17.8 <<>> +tls @192.168.1.249 tw.yahoo.com a
(omitted)
;; SERVER: 192.168.1.249#853(192.168.1.249) (TLS)

Success.
Note 1:
On Debian 10.7 + OpenSSL 1.1.1d + bind-9.17.9 I ran into this message:
Error initializing TLS context: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Fix: increase the key length to 2048 bits or more (Debian's OpenSSL ships with security level 2, which rejects RSA keys shorter than 2048 bits).
dnsdist + tls
Installing from source still runs into the boost problem, so I switched to trying dnsdist:
apt install dnsdist        # packaged version 1.3.3
openssl genrsa -out p247.rsa.key 2048        # 2048-bit, for the same reason as in note 1
openssl req -new -key p247.rsa.key -out p247.rsa.crt -x509 -days 365   # self-signed; -x509 defaults to 30 days without -days
/etc/dnsdist/dnsdist.conf
Based on the example in /usr/share/doc/dnsdist/examples/dnsdist.conf:
-- DoT listener (default port 853) using the self-signed cert/key generated above
addTLSLocal('192.168.1.247', '/etc/dnsdist/p247.rsa.crt', '/etc/dnsdist/p247.rsa.key')
-- plain DNS (UDP+TCP) on port 53 on all interfaces; dnsdist's default ACL still
-- limits clients to loopback/RFC1918/link-local ranges (change it with setACL())
addLocal("0.0.0.0")
newServer("8.8.8.8", 1)
newServer("8.8.4.4", 1)
Listening sockets (netstat output):
tcp   0  0 192.168.1.247:853  0.0.0.0:*  LISTEN  8043/dnsdist
tcp   0  0 0.0.0.0:53         0.0.0.0:*  LISTEN  8043/dnsdist
udp   0  0 0.0.0.0:53         0.0.0.0:*          8043/dnsdist

% dig +tls @192.168.1.247 tw.yahoo.com a
(omitted)
;; SERVER: 192.168.1.247#853(192.168.1.247) (TLS)
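To check either listener (the bind one on 192.168.1.249 or the dnsdist one on 192.168.1.247) from a script instead of with dig, here is an added example DoT client. It is not from the original notes and is not bind's or dnsdist's own code. It shows what dig +tls hides: DoT (RFC 7858) is ordinary DNS-over-TCP framing, a two-byte big-endian length prefix in front of the message, carried over a TLS session to port 853, and a bare dig +tls does not verify the server certificate, so the client can optionally pin the self-signed .crt generated above. The sample reply bytes are constructed inline; the addresses, the certificate path and the server name in the usage call are assumptions.

```python
# Added example: minimal DNS-over-TLS (RFC 7858) client, not from the original
# notes nor from bind/dnsdist. DoT = DNS-over-TCP framing (2-byte length prefix)
# inside a TLS session to port 853. Python 3 standard library only.
import socket
import ssl
import struct

TXID = 0x1234  # fixed transaction id so the reply can be matched below


def build_query(name, qtype=1):
    """Encode a DNS query (header + question) for `name`, RD bit set, class IN."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg):
    """TCP/DoT framing: two-byte big-endian length in front of the message."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def parse_response(msg, expected_txid=TXID):
    """Check header sanity and extract A records; raise on id mismatch."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (possible injected reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:         # A record
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server, name, cafile=None, server_name=None, port=853, timeout=5.0):
    """Send one query over DoT. cafile=None skips certificate verification
    (what a bare `dig +tls` does); pass the self-signed .crt from above to
    verify it, in which case server_name must match the cert's SAN/CN."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            result = parse_response(_recv_exact(tls, length))
            result["tls"] = (tls.version(), tls.cipher()[0])
    return result


# Constructed sample reply (not captured from a real server): answers the
# tw.yahoo.com A query with 203.0.113.10 (documentation range), TTL 300,
# using a compression pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
                   + build_query("tw.yahoo.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([203, 0, 113, 10]))

if __name__ == "__main__":
    # Address from the notes above; the .crt path and server name are assumptions.
    print(parse_response(SAMPLE_RESPONSE))
    print(dot_query("192.168.1.249", "tw.yahoo.com", cafile="ayu.tls.crt",
                    server_name="192.168.1.249"))
```

Run it against the dnsdist box by swapping in 192.168.1.247 and p247.rsa.crt. Verifying against the self-signed certificate only works if the certificate carries the server address in its SAN (or CN), which the interactive openssl req above does not add by default; with cafile=None the client behaves like dig +tls and accepts any certificate, which is fine for checking that port 853 speaks DoT but says nothing about who is answering.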