add DoH support
* add instructions on how to use the resolvers * additionally, configure better caching on CoreDNS * tweak the main domain used * reorganise the README a bit
This commit is contained in:
parent
09a2e7cd19
commit
34d2879deb
51
README.md
51
README.md
|
@ -1,17 +1,48 @@
|
|||
# [`coredns`](https://git.dotya.ml/dotya.ml/coredns)
|
||||
|
||||
this repo contains configuration files for [CoreDNS](https://coredns.io/) set
|
||||
up as a simple [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
|
||||
forwarding resolver, that is relying on a locally running
|
||||
[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for any
|
||||
and all queries.
|
||||
this repo contains the configuration files for [CoreDNS](https://coredns.io/)
|
||||
set up as a [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
|
||||
and [DNS over HTTPS (DoH)](https://en.wikipedia.org/wiki/DNS_over_HTTPS)
|
||||
forwarding resolver that relies on a locally running
|
||||
[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for
|
||||
resolution of any and all queries.
|
||||
|
||||
since the `systemd` service runs under an unprivileged user (here coredns,
|
||||
which doesn't by default have access to `/etc/letsencrypt`), certs need to be
|
||||
supplied to `coredns` another way: `copycerts_coredns.{path,service,timer}`.
|
||||
CoreDNS is configured to run under an unprivileged user (see
|
||||
`coredns.service`), which doesn't by default have access to `/etc/letsencrypt`.
|
||||
the TLS certs therefore need to be supplied to CoreDNS using another way - see
|
||||
the `copycerts_coredns.{path,service,timer}` units.
|
||||
|
||||
### TO DO
|
||||
## how to use this - tl;dr
|
||||
|
||||
### DoT
|
||||
```
|
||||
dns.dotya.ml
|
||||
```
|
||||
### DoH
|
||||
```
|
||||
https://dns.dotya.ml/dns-query
|
||||
```
|
||||
### DoH alt port
|
||||
```
|
||||
https://dns.dotya.ml:4053/dns-query
|
||||
```
|
||||
|
||||
## how to use this - the long version
|
||||
|
||||
the overarching domain for dns is `dns.dotya.ml`.
|
||||
|
||||
for DoT, simply configure the domain.
|
||||
|
||||
for DoH, append `/dns-query` to the domain, i.e. configure
|
||||
`dns.dotya.ml/dns-query` (optionally prefixed with `https`) as the DoH server
|
||||
(in e.g. Firefox).
|
||||
|
||||
it is worth noting that the DoH server natively listens on `:4053`, but is
|
||||
additionally proxied by `nginx` so that it can be found on a standard HTTPS
|
||||
port and blends in better.
|
||||
|
||||
## TO DO
|
||||
- [ ] automated deployment (preferably using `ansible` + `drone`)
|
||||
|
||||
### LICENSE
|
||||
## LICENSE
|
||||
WTFPLv2, see [LICENSE](LICENSE) for details
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
tls://.:853 {
|
||||
reload
|
||||
errors
|
||||
|
||||
# certs need to be either copied or mounted here.
|
||||
tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
|
||||
|
@ -15,9 +14,43 @@ tls://.:853 {
|
|||
}
|
||||
|
||||
cache {
|
||||
success 2048
|
||||
success 4096
|
||||
denial 2048
|
||||
prefetch 512
|
||||
keepttl
|
||||
}
|
||||
|
||||
whoami
|
||||
health
|
||||
errors
|
||||
# log
|
||||
}
|
||||
|
||||
https://.:4053 {
|
||||
reload
|
||||
|
||||
tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
|
||||
client_auth verify_if_given
|
||||
}
|
||||
|
||||
loadbalance
|
||||
forward . 127.0.0.50:53 ::1 {
|
||||
health_check 7s
|
||||
expire 600s
|
||||
policy sequential
|
||||
}
|
||||
|
||||
cache {
|
||||
success 4096
|
||||
denial 2048
|
||||
prefetch 512
|
||||
keepttl
|
||||
}
|
||||
|
||||
whoami
|
||||
health
|
||||
errors
|
||||
# log
|
||||
}
|
||||
|
||||
# vim: noexpandtab
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
[Unit]
|
||||
Description=Watching for changes to dotya.ml certs and triggering copy service
|
||||
ConditionPathExists=/etc/letsencrypt/live/dotya.ml
|
||||
Description=Watching for changes to TLS certs and triggering the copy service
|
||||
ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml
|
||||
|
||||
[Path]
|
||||
PathChanged=/etc/letsencrypt/live/dotya.ml
|
||||
PathChanged=/etc/letsencrypt/live/dns.dotya.ml
|
||||
TriggerLimitIntervalSec=30s
|
||||
TriggerLimitBurst=30
|
||||
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
[Unit]
|
||||
Description=Copy dotya.ml certs for coredns.service
|
||||
Description=Copy TLS certs for coredns.service
|
||||
# technically, the below should have no impact
|
||||
After=network.target
|
||||
PartOf=coredns.service
|
||||
ConditionPathExists=/etc/letsencrypt/live/dotya.ml
|
||||
ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
Environment=DOMAIN=dotya.ml
|
||||
Environment=DOMAIN=dns.dotya.ml
|
||||
ExecStartPre=bash -c "mkdir -pv /var/lib/coredns/certs"
|
||||
ExecStart=bash -c "cp -f -v --dereference /etc/letsencrypt/live/${DOMAIN}/* /var/lib/coredns/certs/"
|
||||
ExecStopPost=bash -c "chown -Rv coredns:root /var/lib/coredns"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[Unit]
|
||||
Description=Weekly copy of dotya.ml certs for coredns
|
||||
Description=Weekly copy of TLS certs for coredns.service
|
||||
|
||||
[Timer]
|
||||
OnCalendar=weekly
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
Description=CoreDNS server
|
||||
Documentation=https://coredns.io
|
||||
After=network.target
|
||||
Wants=dnscrypt-proxy.service
|
||||
Upholds=dnscrypt-proxy.service
|
||||
|
||||
[Service]
|
||||
PermissionsStartOnly=true
|
||||
|
|
Loading…
Reference in New Issue