[Dnsmasq-discuss] DNS-over-TLS

Lonnie Abelbeck lists at lonnie.abelbeck.com
Mon Apr 16 22:02:33 BST 2018


On Oct 19, 2017, at 7:16 PM, Matt Taggart <taggart at riseup.net> wrote:

> Hi,
> 
> Back in Sept 2015 I started a thread about DNS-over-TLS
> 
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q3/009833.html
> 
> Since then there is now RFC7858 ( https://tools.ietf.org/html/rfc7858 )
> and port 853 (tcp) has been assigned for this use.
> 
> The following have support:
> * unbound https://unbound.net/
> * knot-resolver https://www.knot-resolver.cz/
> * stubby https://dnsprivacy.org/wiki/display/DP/About+Stubby
> 
> Will dnsmasq get native support or will you recommend some sort of proxy solution instead?
> 
> If you need servers to test against, there is a list at
> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> 
> Thanks,
> 
> -- 
> Matt Taggart
> taggart at riseup.net

Our project (AstLinux) just added getdns/stubby as a DNS-TLS proxy in front of dnsmasq; so far it is working great!

Personally, I have selected Quad9 as my provider; they seem to do DNS-TLS quite well and support the 10-second idle connection timeout in my stubby config, reducing new TLS connections.

-- snippet /etc/dnsmasq.conf --
no-resolv
proxy-dnssec
server=127.0.0.1#2853
--

-- snippet /etc/stubby/stubby.yml  --
listen_addresses:
  - 127.0.0.1@2853
--

I do not enable DNSSEC validation in either stubby or dnsmasq; Quad9 does the DNSSEC validation, with "proxy-dnssec" in dnsmasq passing it down.

-- snippet /etc/stubby/stubby.yml  --
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
  - address_data: 2620:fe::fe
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
--

So far this works very nicely in our development testing.

Lonnie
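An added consistency check for a chain like the one above (example code, not part of the post, dnsmasq, stubby or AstLinux): it reads both snippets, confirms that the port dnsmasq forwards to is one stubby listens on, that `no-resolv` keeps dnsmasq from also using plaintext resolvers, and that every upstream carries a `tls_auth_name`. The sample configs are constructed from the post; the YAML handling assumes only the simple two-level shape shown there and the plain `server=ip#port` form.

```python
DNSMASQ_CONF = "no-resolv\nproxy-dnssec\nserver=127.0.0.1#2853\n"  # constructed, mirrors the post
STUBBY_YML = """\
listen_addresses:
  - 127.0.0.1@2853
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
"""

def dnsmasq_upstreams(conf):
    """(host, port) per plain server=ip#port line; dnsmasq puts the port after '#', default 53."""
    pairs = []
    for line in conf.splitlines():
        if line.strip().startswith("server="):
            host, _, port = line.strip()[7:].partition("#")
            pairs.append((host, int(port or 53)))
    return pairs

def stubby_config(yml):
    """Minimal parser for the two keys used here (stubby puts listen ports after '@'); assumes simple two-level YAML."""
    listens, upstreams, section = [], [], None
    for raw in filter(str.strip, yml.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():
            section = line.rstrip(":")
        elif section == "listen_addresses" and line.startswith("- "):
            host, sep, port = line[2:].rpartition("@")
            listens.append((host, int(port)) if sep else (line[2:], 53))
        elif section == "upstream_recursive_servers":
            if line.startswith("- "):
                upstreams.append({})  # a new list item starts a new upstream mapping
            key, _, val = line.lstrip("- ").partition(":")
            upstreams[-1][key.strip()] = val.strip().strip('"')
    return listens, upstreams

def check_chain(conf, yml):
    """Findings on the dnsmasq -> stubby -> DoT upstream chain; an empty list means consistent."""
    findings = []
    listens, upstreams = stubby_config(yml)
    if "no-resolv" not in conf.split():
        findings.append("no-resolv missing: dnsmasq may also query /etc/resolv.conf servers in the clear")
    for host, port in dnsmasq_upstreams(conf):
        if (host, port) not in listens:
            findings.append(f"dnsmasq forwards to {host}#{port} but stubby has no matching listen_address")
    for u in upstreams:
        if not u.get("tls_auth_name"):
            findings.append(f"upstream {u.get('address_data')} lacks tls_auth_name: TLS identity not verified")
    return findings
```

Note that `proxy-dnssec` only relays the upstream's AD bit, so this check treats the loopback hop to stubby and the authenticated TLS hop to Quad9 as the trusted path rather than validating anything itself.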
