DNS-over-TLS with BIND and Stunnel
Last year, public DNS providers announced that their resolvers support DNS-over-TLS (RFC 7858). This is a separate feature from the DNS-over-HTTPS API. Because BIND has no direct DNS-over-TLS support, I added DNS-over-TLS capability to my BIND caching resolver with the help of stunnel.
stunnel adds TLS encryption without requiring big changes to the clients or servers already running. Thanks to the flexibility and sophistication of its architecture, it is a powerful tool for larger projects as well.
The most important point of this post: stunnel tunnels only TCP, so the DNS queries that pass through it must be sent over TCP, never UDP. Forwarding queries this way is supported on BIND 9.11 and higher.
The settings I used are below.
First, make sure that port 53 is not already in use:
netstat -ltn
sudo apt install stunnel
sudo vi /etc/default/stunnel4
The value in the stunnel4 file should be as follows:
ENABLED=1
sudo vi /etc/stunnel/stunnel.conf
The configuration I added to the stunnel.conf file:
[dns]
client = yes
accept = 127.0.0.1:53
connect = 8.8.8.8:853
CApath = /etc/ssl/certs
verifyChain = yes
checkIP = 8.8.8.8
Then restart the service so the new configuration is loaded:
sudo service stunnel4 restart
After these steps stunnel listens on 127.0.0.1:53 and, if everything went well, DNS queries sent there over TCP are forwarded inside TLS to 8.8.8.8:853 and answered. verifyChain makes stunnel validate the resolver's certificate chain against the CA store in /etc/ssl/certs, and checkIP additionally requires that the certificate carry 8.8.8.8 as a subject alternative name, so a man-in-the-middle presenting some other certificate cannot impersonate the resolver. Remember that stunnel only forwards TCP: queries sent to this port over UDP go unanswered.
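To show what the tunnel above actually does on the wire, here is a minimal DNS-over-TLS client written for this post in the Python standard library. It is an added example, not code from the original page or from stunnel or BIND. It builds a query, applies the 16-bit length prefix that DNS over TCP (and therefore over TLS) requires, and the reason UDP cannot pass through stunnel, wraps the TCP connection in TLS with chain verification against the system CA store and identity pinning to the resolver's IP (the same check stunnel's checkIP performs), and parses the answer. The resolver address 8.8.8.8:853 is taken from the page; that its certificate carries an IP subject alternative name is assumed, as the page's checkIP setting implies. The sample response used for offline parsing is constructed by hand.

```python
# Added example: a tiny DNS-over-TLS (RFC 7858) client, standard library only.
# It performs by hand what stunnel does for BIND on this page: DNS over TCP,
# wrapped in TLS, with chain verification and identity pinning to 8.8.8.8.
import socket
import ssl
import struct
import secrets
from typing import Optional, Tuple

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels: 'ozcan.com' -> \\x05ozcan\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, qid: Optional[int] = None) -> bytes:
    """Build a one-question query with RD=1 (qtype 1 = A, 28 = AAAA)."""
    if qid is None:
        qid = secrets.randbits(16)          # unpredictable ID, as a resolver would use
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its big-endian 16-bit length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def read_framed(sock) -> bytes:
    """Read one length-prefixed DNS message from a TCP or TLS socket."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)

def framing_roundtrip(payload: bytes) -> bytes:
    """Push a framed message through a local socket pair and read it back (offline demo)."""
    a, b = socket.socketpair()
    try:
        a.sendall(frame_tcp(payload))
        return read_framed(b)
    finally:
        a.close()
        b.close()

def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg: bytes, expected_id: Optional[int] = None) -> dict:
    """Check the header, skip the question section, and return the answer RRs."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError("response ID %04x does not match query %04x" % (qid, expected_id))
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                            # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": qid, "rcode": flags & 0x000F, "answers": answers}

def query_dot(name: str, server: str = "8.8.8.8", port: int = 853,
              verify_name: str = "8.8.8.8", qtype: int = 1, timeout: float = 5.0) -> dict:
    """Send one query to a DoT resolver over a verified TLS connection (needs network)."""
    ctx = ssl.create_default_context()      # system CA store, like CApath = /etc/ssl/certs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name, qtype)
    qid = struct.unpack("!H", query[:2])[0]
    with socket.create_connection((server, port), timeout=timeout) as raw:
        # server_hostname drives identity checking: an IP matches an iPAddress SAN
        # (stunnel's checkIP); a hostname such as dns.google would match a dNSName SAN.
        with ctx.wrap_socket(raw, server_hostname=verify_name) as tls:
            tls.sendall(frame_tcp(query))
            return parse_response(read_framed(tls), expected_id=qid)

if __name__ == "__main__":
    print(query_dot("ozcan.com"))
```

Running the file queries 8.8.8.8:853 directly, bypassing the stunnel listener, which is a useful way to confirm the resolver's certificate verifies against the local CA store before blaming the tunnel configuration. The response ID check and the QR bit check are the minimum a caller should do even over TLS, since the tunnel authenticates the resolver but not the contents of any individual answer.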
Test commands (both force TCP, which is required because stunnel does not accept UDP):
nslookup -vc ozcan.com 127.0.0.1
dig +tcp ozcan.com @127.0.0.1
Hamdi Özcan – ozcan.com