Encrypted DNS: Difference between revisions

Line 92:

Stubby is a very lightweight resolver (40kb binary) that performs DNS-over-TLS, and nothing else. While stubby can be used as a system resolver on its own, it is typically combined with another resolver (such as unbound) to add caching and forwarding rules for local domains. See the [https://search.nixos.org/options/?query=services.stubby options documentation for <code>services.stubby.*</code>] for configuration.

Example configuration for Cloudflare. Note that digests change and need to be updated:

{

services.stubby = {

enable = true;

settings = pkgs.stubby.passthru.settingsExample // {

upstream_recursive_servers = [{

address_data = "1.1.1.1";

tls_auth_name = "cloudflare-dns.com";

tls_pubkey_pinset = [{

digest = "sha256";

value = "GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=";

}];

} {

address_data = "1.0.0.1";

tls_auth_name = "cloudflare-dns.com";

tls_pubkey_pinset = [{

digest = "sha256";

value = "GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=";

}];

};

}

</syntaxhighlight>

To update digests get the TLS certificate that signs the responses and calculate the digest:

</syntaxhighlight>

Or using <code>kdig</code> from <code>knot-dns</code>

kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com

</syntaxhighlight>

[[Category: Networking]]

@@ Line 92: / Line 92: @@
 Stubby is a very lightweight resolver (40kb binary) that performs DNS-over-TLS, and nothing else. While stubby can be used as a system resolver on its own, it is typically combined with another resolver (such as unbound) to add caching and forwarding rules for local domains. See the [https://search.nixos.org/options/?query=services.stubby options documentation for <code>services.stubby.*</code>] for configuration.
+Example configuration for Cloudflare. Note that digests change and need to be updated:
+<syntaxhighlight lang="nix">
+{
+    services.stubby = {
+      enable = true;
+      settings = pkgs.stubby.passthru.settingsExample // {
+        upstream_recursive_servers = [{
+          address_data = "1.1.1.1";
+          tls_auth_name = "cloudflare-dns.com";
+          tls_pubkey_pinset = [{
+            digest = "sha256";
+            value = "GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=";
+          }];
+        } {
+          address_data = "1.0.0.1";
+          tls_auth_name = "cloudflare-dns.com";
+          tls_pubkey_pinset = [{
+            digest = "sha256";
+            value = "GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=";
+          }];
+        }];
+      };
+    };
+}
+</syntaxhighlight>
+To update digests get the TLS certificate that signs the responses and calculate the digest:
+<syntaxhighlight lang="bash">
+echo | openssl s_client -connect '1.1.1.1:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+</syntaxhighlight>
+Or using <code>kdig</code> from <code>knot-dns</code>
+<syntaxhighlight lang="bash">
+kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com
+</syntaxhighlight>
 [[Category: Networking]]