surtur
51cb74c853
* add instructions on how to use the resolvers * additionally, configure better caching on CoreDNS * tweak the main domain used * reorganise the README a bit |
||
|---|---|---|
| etc | ||
| .gitattributes | ||
| LICENSE | ||
| README.md | ||
README.md
coredns
this repo contains the configuration files for CoreDNS
set up as a DNS over TLS (DoT)
and DNS over HTTPS (DoH)
forwarding resolver that relies on a locally running
dnscrypt-proxy instance for
resolution of any and all queries.
CoreDNS is configured to run under an unprivileged user (see
coredns.service), which doesn't by default have access to /etc/letsencrypt.
the TLS certs therefore need to be supplied to CoreDNS using another way - see
the copycerts_coredns.{path,service,timer} units.
how to use this - tl;dr
DoT @dns.dotya.ml
DoH @https://dns.dotya.ml/dns-query
DoH alt port @https://dns.dotya.ml:4053/dns-query
how to use this - the long version
the base domain here is dns.dotya.ml.
DoT
simply configure the base domain directly as the standard port (:853/tcp) is
used.
DoH
append /dns-query to the base domain and optionally prefix it with
https://, i.e. configure dns.dotya.ml/dns-query or
https://dns.dotya.ml/dns-query as the DoH server (in e.g.
Firefox).
it is worth noting that the DoH server natively listens on :4053, not :443.
however, it's additionally proxied by nginx (that hogs all
:443/[::]:443 on the host) so that it can be found on the standard HTTPS
port and blends in better.
i.e. while both configurations can be used equally as well, one uses a
non-standard port but does not depend on nginx running, and the other does
use the standard DoH port but could become unavailable in the event of
nginx crashing for some reason. in summary, pick your set of potential
drawbacks.
TO DO
- automated deployment (preferably using
ansible+drone)
LICENSE
WTFPLv2, see LICENSE for details