"DNS over HTTPS servers": difference between revisions
Kusanaginoturugi (talk | contribs) |
Kusanaginoturugi (talk | contribs) (→coreDNS: missing }) |
42行目: | 42行目: | ||
tls_servername cloudflare-dns.com |
tls_servername cloudflare-dns.com |
} |
} |
− | } |
+ | }} |
また、複数のインスタンスと転送プラグインを使用できます。 |
また、複数のインスタンスと転送プラグインを使用できます。 |
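Review bot: check the brace count of the rendered Corefile after this change. The edit summary says a `}` was missing, and the visible context already ends with `}` (closing the forward block) and `}` (closing the server block) before the changed line, so the new `}}` is the wikitext template close, not a third Corefile brace; since the unclosed template in the old revision is what swallowed a brace from the rendered example, confirm the rendered Corefile now ends with exactly two closing braces.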
61行目: | 61行目: | ||
</nowiki>}} |
</nowiki>}} |
− | {{ic|coredns.service}} ユニットを[[ |
+ | {{ic|coredns.service}} ユニットを[[起動/有効化]] してください。 |
=== dns-over-https === |
=== dns-over-https === |
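Review bot: the old line ended in an unterminated `[[`, which renders as literal brackets and drops the link; the new line closes the link to 起動/有効化 and supplies the missing sentence ending, which is the right fix. The generic start/enable link rather than a unit-specific instruction is consistent with how the other services on this page are described.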
Revision as of 10:59, 24 March 2023 (Fri)
DNS has been unencrypted since its inception, first over UDP/53 and later TCP/53, which makes it susceptible to eavesdropping. For further information on the protocols available to address this weakness, see Domain name resolution#Privacy and security. This article covers two of the three available protocols, DNS over HTTPS (DoH) and DNS over TLS (DoT), by providing the proxy configuration a DNS server needs to offer them. Several DoH utilities are available, including corednsAUR, dns-over-https, doh-proxyAUR and python-doh-proxyAUR. Which of them is appropriate depends on the needs of your network.
corednsAUR provides a non-authoritative caching DNS server together with a DoH service [citation needed].
dns-over-https, doh-proxyAUR and python-doh-proxyAUR all provide an HTTP listener for use as a proxy behind an existing HTTPS server, and a stub resolver that forwards ordinary UDP/53 queries to a secure DNS server. In addition, both doh-proxyAUR and python-doh-proxyAUR provide a standalone HTTPS/2 server.
DoH server/proxy software configuration
coreDNS
Install the corednsAUR package.
coreDNS can be used as a DoH/DoT/gRPC DNS server and/or as a DoT proxy. The default configuration file is located at /etc/coredns/Corefile.
A simple configuration file looks like this:
/etc/coredns/Corefile
    protocol://domain:port {
        forward domain forward_to {
            tls_servername domain_of_dot_server
        }
        tls cert_path key_path
    }
The first string is the listener, and the following protocols can be used: dns:// for plain DNS, https:// for DNS over HTTPS, tls:// for DNS over TLS and grpc:// for gRPC (see [1]). If the protocol is left empty (e.g. example.com:53), dns:// is selected by default. domain matches the domain being queried; you can use a specific domain (e.g. dns://example.com:53) or . to match all domains (e.g. dns://.:53). :port sets the listening port; if it is left empty, port 53 is selected.
The forward string is where DNS queries are forwarded to. Use . for domain to match all domains. forward_to sets the upstream DNS server that queries are sent to; for a DoT server the tls:// protocol can be specified. When using an upstream DoT server, tls_servername must be set for the TLS negotiation.
When using the DoH, DoT or gRPC protocols, the tls string is mandatory. Enter the paths of the certificate and the private key here, in that order.
Configuration example of a simple DoT proxy listening on port 53 and using Cloudflare's DoT server:
/etc/coredns/Corefile
    . {
        forward . tls://1.1.1.1 {
            tls_servername cloudflare-dns.com
        }
    }
You can also use multiple instances and forward plugins.
/etc/coredns/Corefile
    https://.:443 {
        forward . 127.0.0.1
        forward example1.com 8.8.8.8
        tls cert.pem key.pem
    }
    tls://example2.com:853 {
        tls cert.pem key.pem
        forward . tls://9.9.9.9 {
            tls_servername dns.quad9.net
        }
    }
Start/enable the coredns.service unit.
dns-over-https
First, install dns-over-https; after configuring it, do not forget to enable and start the needed service.
Stub resolver
You can start using it right after installation with the default settings. The default listening ports are 53 and 5380; if one of them is already bound, it is ignored. Start/enable doh-client.service.
The configuration file is located at /etc/dns-over-https/doh-client.conf. You can change the desired ports in the listen section. The configuration file includes many third-party DoH servers; you only need to uncomment the one you need, or add one that is not listed. You can also use several resolvers, in which case one of them is chosen at random for each request. To make dns-over-https use the resolvers in a required order, set upstream_selector to weighted_round_robin or lvs_weighted_round_robin and change the weight value of the resolvers in use.
DoH proxy
The configuration file for use as a DoH server is located at /etc/dns-over-https/doh-server.conf. In the upstream section you can set the desired upstream resolver and the protocol to use. You can use dns-over-https as a standalone service or together with HTTPS servers such as nginx or apache.
For standalone use you need to set the port to 443 and specify a proper certificate and key:
/etc/dns-over-https/doh-server.conf
    listen = [
        "127.0.0.1:443",
    ]
    ...
    cert = ""
    key = ""
If you want to use an HTTP server for caching, or to run alongside other HTTPS services, leave the cert and key strings in doh-server.conf empty and use the following examples to configure the desired HTTP server. Note that they use the default dns-over-https port.
nginx:
/etc/nginx/nginx/site-available/doh
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name MY_SERVER_NAME;
        ssl_certificate /path/to/your/server/certificates/fullchain.pem;
        ssl_certificate_key /path/to/your/server/certificates/privkey.pem;

        location /dns-query {
            proxy_pass http://localhost:8053/dns-query;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
apache:
/etc/httpd/conf/vhosts/doh.conf
    <VirtualHost *:443>
        ServerName MY_SERVER_NAME
        Protocols h2 http/1.1
        ProxyPass /dns-query http://[::1]:8053/dns-query
        ProxyPassReverse /dns-query http://[::1]:8053/dns-query
    </VirtualHost>
After setting up, start/enable doh-server.service.
doh-proxy
python-doh-proxy
Install the following packages: python-requests_downloadAUR; install-wheel-scriptsAUR [broken link: package not found]; python-flit; and python-doh-proxyAUR.
Stub resolver
If you intend to provide encrypted queries to your local network for legacy applications, configure the stub resolver:
/etc/conf.d/doh-stub
    LISTENPORT=5353
    ADDR=127.0.0.1
    DOMAIN=mydomain.tld
    NS=127.0.0.1
    PORT=443
If you do not have a way to provide a secure forward DNS lookup to your real DNS server, you should configure both DOMAIN and NS to use one of the upstream providers (CloudFlare, OpenDNS, etc., instead of localhost). If you only need to provide lookups to localhost, this is fine. If you need to provide them for the entire network, then you could listen on 53 directly if you do not have a local caching or authoritative DNS server; you would also want to use the real IP address instead of the loopback adapter in this case.
DoH proxy
If you have an existing HTTP server and wish to proxy DNS lookups with it, set up the HTTP proxy to listen on port 8080:
/etc/conf.d/doh-httpproxy
    NS=127.0.0.1
    PORT=8080
    ADDR=127.0.0.1
Optionally, you can utilize either the doh-proxy service or an upstream DoH provider to forward queries.
DoH proxy
If you do not have an existing HTTP server, you can configure the HTTPS/2 listener:
/etc/conf.d/doh-proxy
    NS=127.0.0.1
    UPSTREAMPORT=5353
    ADDR=127.0.0.1
    LISTENPORT=443
    CERT=/etc/ssl/private/fullchain.pem
    KEY=/etc/ssl/private/privkey.pem
Again, adjust as necessary, but be certain that the upstream server has a way to perform secure queries, or you will be creating a loop.
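The loop the previous sentence warns about is easy to create with the values shown above: the stub resolver on 5353 forwards to the HTTPS listener on 443, and the HTTPS listener forwards its upstream queries back to 5353. The following added example (not code from the Arch Wiki page or from doh-proxy) parses the KEY=VALUE files under /etc/conf.d, models each resolver as "listen endpoint -> upstream endpoint" and walks the chain to detect such a loop before deployment. The corrected variant it checks is an assumption for illustration: the proxy forwards to named on TCP/54 (as in the BIND section below), named forwards to the stub, and the stub forwards to an external DoH provider (1.1.1.1 stands in for whichever provider is chosen).

```python
from typing import Dict, List, Optional, Tuple

# Added example, not code from the Arch Wiki page or from doh-proxy: it reads the
# KEY=VALUE files under /etc/conf.d, models every resolver as "listen endpoint ->
# upstream endpoint" and follows the chain to catch a forwarding loop before deployment.

Endpoint = Tuple[str, int]

# Constructed inputs using exactly the values shown on the page: the stub forwards to
# the proxy on 443 and the proxy forwards back to the stub on 5353.
PAGE_STUB = """\
LISTENPORT=5353
ADDR=127.0.0.1
DOMAIN=mydomain.tld
NS=127.0.0.1
PORT=443
"""
PAGE_PROXY = """\
NS=127.0.0.1
UPSTREAMPORT=5353
ADDR=127.0.0.1
LISTENPORT=443
CERT=/etc/ssl/private/fullchain.pem
KEY=/etc/ssl/private/privkey.pem
"""
# Constructed corrected variant (an assumption, not from the page): the proxy hands
# queries to named on TCP/54, named forwards to the stub, and the stub goes out to an
# external DoH provider (1.1.1.1 stands in for whichever provider is chosen).
FIXED_STUB = PAGE_STUB.replace("NS=127.0.0.1", "NS=1.1.1.1")
FIXED_PROXY = PAGE_PROXY.replace("UPSTREAMPORT=5353", "UPSTREAMPORT=54")


def parse_env(text: str) -> Dict[str, str]:
    """Parse the shell-style KEY=VALUE lines of /etc/conf.d/doh-*; comments and blanks are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip().strip('"')
    return values


def hops_from_confd(stub_conf: str, proxy_conf: str,
                    named_forward: Optional[Tuple[int, Endpoint]] = None) -> Dict[Endpoint, Endpoint]:
    """Build the listen->upstream map. named_forward is (listen-on port, forwarders target)
    taken from named.conf when BIND sits in the chain."""
    stub, proxy = parse_env(stub_conf), parse_env(proxy_conf)
    hops = {
        (stub["ADDR"], int(stub["LISTENPORT"])): (stub["NS"], int(stub["PORT"])),
        (proxy["ADDR"], int(proxy["LISTENPORT"])): (proxy["NS"], int(proxy["UPSTREAMPORT"])),
    }
    if named_forward is not None:
        listen_port, upstream = named_forward
        hops[("127.0.0.1", listen_port)] = upstream
    return hops


def forwarding_loop(hops: Dict[Endpoint, Endpoint], start: Endpoint) -> Optional[List[Endpoint]]:
    """Follow upstreams from start. An endpoint with no entry in hops is external and ends
    the walk; reaching an endpoint already visited is a loop, returned as the cycle."""
    path, seen, cur = [start], {start}, start
    while cur in hops:
        cur = hops[cur]
        path.append(cur)
        if cur in seen:
            return path[path.index(cur):]
        seen.add(cur)
    return None


def check_doh_proxy(stub_conf: str, proxy_conf: str,
                    named_forward: Optional[Tuple[int, Endpoint]] = None) -> Optional[List[Endpoint]]:
    """Start the walk at the HTTPS listener, the entry point DoH clients use."""
    proxy = parse_env(proxy_conf)
    start = (proxy["ADDR"], int(proxy["LISTENPORT"]))
    return forwarding_loop(hops_from_confd(stub_conf, proxy_conf, named_forward), start)


if __name__ == "__main__":
    print("page defaults:", check_doh_proxy(PAGE_STUB, PAGE_PROXY))
    print("with named on 54:", check_doh_proxy(FIXED_STUB, FIXED_PROXY, (54, ("127.0.0.1", 5353))))
```

Run as-is, the first check reports the cycle 443 -> 5353 -> 443 for the page's defaults, and the second reports no loop because the chain ends at an endpoint that is not a local listener. The same walk extends to any number of hops (stunnel, unbound, coredns) by adding their listen/upstream pairs to the map.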
Standalone DNS server configuration
BIND
BIND 9.18 natively supports serving both DNS over HTTPS and DNS over TLS. See BIND#Configuration for details.
As resolver, with TLS proxy
Typical: If using ISC bind as the current DNS provider, and you will be providing both forwarding services for legacy clients and DoH to modern clients, you will likely want to configure named to forward all non-local queries to your stub resolver. Comment out any existing forwarding lines and forward to the stub resolver (omit forward only if you would like to fall back to the root servers):
/etc/named.conf
    options {
        ...
        //forwarders { 8.8.8.8; 8.8.4.4; };
        forwarders { 127.0.0.1 port 5353; };
        forward only;
        ...
    };
    ...
If you want to forward to an external TLS proxy (via stunnel), do the same but use only TCP/54 (see stunnel configuration below):
/etc/named.conf
    options {
        ...
        //forwarders { 8.8.8.8; 8.8.4.4; };
        forwarders { 127.0.0.1 port 54; };
        forward only;
        ...
    };
    ...
    server 127.0.0.1 {
        tcp-only yes;
    };
    ...
Optional: If using ISC bind as the current DNS provider, and you will be providing both forwarding services for legacy clients and DoH to modern clients, you might want to configure named to listen on an alternate port, for example TCP|UDP/54, rather than the default of 53, so that your stub resolver can listen on the standard port. Comment out any existing 'listen' lines and add the following (omit the v6 line if not needed):
/etc/named.conf
    ...
    //listen-on { any; };
    listen-on port 54 { any; };
    listen-on-v6 port 54 { any; };
    ...
Unbound
You can easily set up a DoT server by adding port 853 as a listening interface in your configuration file and specifying the certificate and key paths:
/etc/unbound/unbound.conf
    server:
        ...
        interface: 127.0.0.1@853
        tls-service-pem: /etc/unbound/public.pem
        tls-service-key: /etc/unbound/private.pem
        ...
DoH server setup is the same as for DoT, but the port needed is 443:
/etc/unbound/unbound.conf
    server:
        ...
        interface: 127.0.0.1@443
        tls-service-pem: /etc/unbound/public.pem
        tls-service-key: /etc/unbound/private.pem
        ...
Web server configuration
Apache httpd proxy configuration
Configure a proxy in your primary httpd.conf or appropriate vhost listening on 443:
/etc/httpd/conf/vhosts/yourhost.conf
    ...
    ProxyPass /dns-query http://127.0.0.1:8080/dns-query
    ProxyPassReverse /dns-query http://127.0.0.1:8080/dns-query
    ...
nginx proxy configuration
DoT Proxy
With the Nginx stream module you can set up a proxy to an upstream DNS server. Note that you can use a local DNS server as well as third-party ones.
/etc/nginx/nginx.conf
    ...
    stream {
        upstream dns {
            zone dns 64k;
            server 8.8.8.8:53;
        }
        server {
            listen 853 ssl;
            ssl_certificate /etc/nginx/ssl/certs/public.pem;
            ssl_certificate_key /etc/nginx/ssl/private/private.pem;
            proxy_pass dns;
        }
    }
    ...
DoH Proxy
For a DoH implementation you need additional NJS scripts. Get them from this GitHub page, put them in /etc/nginx/njs.d/ and make sure the nginx-mod-njs package is installed.
First you need to set up the stream service, which receives DNS requests from nginx's HTTP/2 service, processes them with js_filter to find the DNS packets and passes them to the upstream DNS server.
/etc/nginx/nginx.conf
    ...
    stream {
        upstream dns {
            zone dns 64k;
            server 1.1.1.1:853;   # proxy_ssl below speaks DoT, so the upstream must be the TLS port, not plain 53
        }
        server {
            listen 127.0.0.1:8053;
            js_filter doh_filter_request;
            proxy_ssl on;
            proxy_pass dns;
        }
    }
    ...
Then set up the HTTP/2 service to listen for DNS requests at the URI /dns-query and relay them to the stream service. Note that you need to change the certificates to valid ones.
/etc/nginx/nginx.conf
    ...
    upstream dohloop {
        zone dohloop 64k;
        server 127.0.0.1:8053;
    }
    server {
        listen 443 ssl http2;
        ssl_certificate /etc/nginx/ssl/certs/public.pem;
        ssl_certificate_key /etc/nginx/ssl/private/private.pem;
        location /dns-query {
            proxy_http_version 1.0;
            proxy_pass http://dohloop;
        }
    }
    ...
You can use both the DoT and DoH services at the same time, with caching and multiple upstream DNS servers. For more examples see these configuration files.
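Every /dns-query location on this page (the dns-over-https proxies above and the nginx js_filter here) is moving the same thing: an RFC 8484 message, which is an ordinary DNS wire-format packet carried in an HTTP body or a base64url `dns=` query parameter. The following added example (not code from the Arch Wiki page or from the dns-over-https or nginx projects) builds such a request as a client would, decodes it as a server or filter must, parses a constructed upstream answer, and derives the Cache-Control max-age that lets a fronting HTTP server cache the response. The response bytes are constructed inline (192.0.2.1 is from the documentation address range), so it runs offline.

```python
import base64
import ipaddress
import struct
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the Arch Wiki page or from the dns-over-https/nginx
# projects: what a DoH client puts on the wire for /dns-query (RFC 8484) and what a
# server or proxy has to do with it.

QTYPES = {"A": 1, "AAAA": 28}

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: str = "A") -> bytes:
    """Wire-format query with ID 0 (RFC 8484 section 4.1): identical questions then
    produce identical HTTP requests, which is what lets a fronting nginx/Apache cache them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """GET form: the message goes in the 'dns' parameter as base64url without '=' padding.
    The POST form instead sends the raw bytes with Content-Type: application/dns-message."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={dns}"

def decode_dns_param(path: str) -> bytes:
    """Server/proxy side: recover the wire message from a GET path, restoring the padding."""
    value = parse_qs(urlsplit(path).query)["dns"][0]
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def build_answer(query: bytes, addr: str, ttl: int) -> bytes:
    """Constructed upstream response: echoes the question and adds one A record whose
    owner name is a compression pointer to the question name at offset 12."""
    rdata = ipaddress.IPv4Address(addr).packed
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + rr

def read_name(msg: bytes, off: int, max_hops: int = 16) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it).
    The hop limit stops a crafted message from looping through pointers forever."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if max_hops == 0:
                raise ValueError("too many compression pointers")
            max_hops -= 1
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_answers(msg: bytes) -> List[Tuple[str, str, int, str]]:
    """Return (name, type, ttl, value) for each A/AAAA answer; other types are skipped."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28 and rdlen == 16:
            answers.append((name, "AAAA", ttl, str(ipaddress.IPv6Address(rdata))))
    return answers

def cache_max_age(answers: List[Tuple[str, str, int, str]]) -> int:
    """RFC 8484 section 5.1: a DoH server's Cache-Control max-age must not exceed the
    smallest TTL in the response, so an HTTP cache never outlives the DNS data."""
    return min((ttl for _, _, ttl, _ in answers), default=0)

if __name__ == "__main__":
    path = doh_get_path(build_query("example.com"))
    print("GET", path)
    resp = build_answer(decode_dns_param(path), "192.0.2.1", 300)  # constructed answer
    print(parse_answers(resp), "max-age", cache_max_age(parse_answers(resp)))
```

The ID-0, no-padding choice in build_query is what makes the GET URL stable across clients, which is why caching at the nginx or Apache layer works at all; the pointer hop limit in read_name is the kind of defensive check a proxy that parses untrusted DNS bodies needs.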
DNS over TLS configuration via stunnel
Configure stunnel to listen on TCP/853 for TLS connections, and forward to your local DNS provider:
/etc/stunnel/conf.d/DoT.conf
    [dns]
    accept = 853
    connect = 127.0.0.1:53
    cert = /etc/ssl/private/fullchain.pem
    key = /etc/ssl/private/privkey.pem
Configure stunnel to listen on TCP/54 and forward to an upstream secure provider:
/etc/stunnel/conf.d/DoT-Remote.conf
    [dnsovertls]
    client = yes
    accept = 54
    connect = 10.10.10.1:853
    verifyChain = yes
    CAPath = /etc/ssl/certs
    checkHost = <your_host_name>