DNS-over-TLS with BIND and Stunnel

Last year, service providers announced that their public DNS services started supporting DNS-over-TLS. This new feature is different from the DNS-over-HTTPS API. Bacause BIND doesn’t have direct DNS-over-TLS support, I have added DNS-over-TLS capability to my BIND DNS Caching server with the help of STUNNEL.

STUNNEL provides the TLS encryption capability without making any big changes to the currently running clients or servers. Thanks to the flexibility and sophistication of its architecture, it is a powerful tool that can be used in larger projects as well.

The most crucial point of this post is that, DNS queries must be sent only over TCP. And that is supported on BIND 9.11 and higher.

I share the settings below;

Firstly, make sure that port 53 is not in use;

netstat -ltn
sudo apt install stunnel
sudo vi /etc/default/stunnel4

The value in the stunnel4 file should be as follow;

sudo service stunnel4 restart
sudo vi /etc/stunnel/stunnel.conf

The configuration I added to the stunnel.conf file;

client = yes
accept =
connect =
CApath = /etc/ssl/certs
verifyChain = yes
checkIP =

After these steps, STUNNEL will start listening port 53 on your server and, if everything went well, DNS queries sent here will be responded.

Test commands;

nslookup -vc ozcan.com
dig +tcp ozcan.com @

Hamdi Özcan – ozcan.com

Bir cevap yazın