diff --git a/README.md b/README.md
index b6a1327..8c23cd2 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,54 @@ # [`coredns`](https://git.dotya.ml/dotya.ml/coredns) -this repo contains configuration files for [CoreDNS](https://coredns.io/) set -up as a simple [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) -forwarding resolver, that is relying on a locally running -[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for any -and all queries. +this repo contains the configuration files for [CoreDNS](https://coredns.io/) +set up as a [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) +and [DNS over HTTPS (DoH)](https://en.wikipedia.org/wiki/DNS_over_HTTPS) +forwarding resolver that relies on a locally running +[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for +resolution of any and all queries. -since the `systemd` service runs under an unprivileged user (here coredns, -which doesn't by default have access to `/etc/letsencrypt`), certs need to be -supplied to `coredns` another way: `copycerts_coredns.{path,service,timer}`. +CoreDNS is configured to run under an unprivileged user (see +`coredns.service`), which doesn't by default have access to `/etc/letsencrypt`. +the TLS certs therefore need to be supplied to CoreDNS using another way - see +the `copycerts_coredns.{path,service,timer}` units. -### TO DO +## how to use this - tl;dr + +DoT @`dns.dotya.ml` + +DoH @`https://dns.dotya.ml/dns-query` + +DoH alt port @`https://dns.dotya.ml:4053/dns-query` + +## how to use this - the long version + +the base domain here is `dns.dotya.ml`. + +### DoT + +simply configure the base domain directly as the standard port (`:853/tcp`) is +used. + +### DoH + +append `/dns-query` to the base domain and optionally prefix it with +`https://`, i.e. configure `dns.dotya.ml/dns-query` or +`https://dns.dotya.ml/dns-query` as the DoH server (in e.g. +[Firefox](https://mzl.la/3PeuP0z)). + +it is worth noting that the DoH server natively listens on `:4053`, not `:443`. 
+however, it's *additionally* proxied by `nginx` (that hogs all +`:443`/`[::]:443` on the host) so that it can be found on the standard HTTPS +port and blends in better. + +i.e. while both configurations can be used *equally* as well, one uses a +non-standard port but does not depend on `nginx` running, and the other *does* +use the standard DoH port but *could* become unavailable in the event of +`nginx` crashing for some reason. in summary, pick your set of potential +drawbacks. + +## TO DO - [ ] automated deployment (preferably using `ansible` + `drone`) -### LICENSE +## LICENSE WTFPLv2, see [LICENSE](LICENSE) for details diff --git a/etc/coredns/Corefile b/etc/coredns/Corefile index d2d4877..2362004 100644 --- a/etc/coredns/Corefile +++ b/etc/coredns/Corefile @@ -1,6 +1,5 @@ tls://.:853 { reload - errors # certs need to be either copied or mounted here. tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem { @@ -15,9 +14,43 @@ tls://.:853 { } cache { - success 2048 + success 4096 denial 2048 + prefetch 512 + keepttl } + + whoami + health + errors + # log +} + +https://.:4053 { + reload + + tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem { + client_auth verify_if_given + } + + loadbalance + forward . 127.0.0.50:53 ::1 { + health_check 7s + expire 600s + policy sequential + } + + cache { + success 4096 + denial 2048 + prefetch 512 + keepttl + } + + whoami + health + errors + # log } # vim: noexpandtab diff --git a/etc/systemd/system/copy_coredns.path b/etc/systemd/system/copy_coredns.path index 2d9944d..5129270 100644 --- a/etc/systemd/system/copy_coredns.path +++ b/etc/systemd/system/copy_coredns.path 
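Review bot: `health` is now declared in both the `tls://.:853` block and the new `https://.:4053` block with no address, so each server block asks for the plugin's default listener (`:8080`, bound on all interfaces); as far as I know the plugin only needs to be enabled once, and two listeners on the same address are likely to fail at startup, so keep a single `health 127.0.0.1:8080` (or another loopback address) so the liveness endpoint is also not reachable from outside the host. The new block carries `client_auth verify_if_given` over from the DoT block without a CA argument to `tls`; for a resolver that serves anonymous clients, `client_auth nocert` states the intent explicitly, whereas `verify_if_given` only does useful work once a client CA is configured, so either way a one-line comment next to it would help. `whoami` placed after `forward .` is shadowed in practice because `forward .` claims every name; if it is kept as a debugging aid, a comment such as `# whoami: only answers if forward stops matching .` would stop the next reader from wondering why it never replies.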
@@ -1,9 +1,9 @@
 [Unit]
-Description=Watching for changes to dotya.ml certs and triggering copy service
-ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+Description=Watching for changes to TLS certs and triggering the copy service
+ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml
 [Path]
-PathChanged=/etc/letsencrypt/live/dotya.ml
+PathChanged=/etc/letsencrypt/live/dns.dotya.ml
 TriggerLimitIntervalSec=30s
 TriggerLimitBurst=30
diff --git a/etc/systemd/system/copy_coredns.service b/etc/systemd/system/copy_coredns.service
index 49fa094..bdb368a 100644
--- a/etc/systemd/system/copy_coredns.service
+++ b/etc/systemd/system/copy_coredns.service
@@ -1,13 +1,13 @@
 [Unit]
-Description=Copy dotya.ml certs for coredns.service
+Description=Copy TLS certs for coredns.service
 # technically, the below should have no impact
 After=network.target
 PartOf=coredns.service
-ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml
 [Service]
 Type=oneshot
-Environment=DOMAIN=dotya.ml
+Environment=DOMAIN=dns.dotya.ml
 ExecStartPre=bash -c "mkdir -pv /var/lib/coredns/certs"
 ExecStart=bash -c "cp -f -v --dereference /etc/letsencrypt/live/${DOMAIN}/* /var/lib/coredns/certs/"
 ExecStopPost=bash -c "chown -Rv coredns:root /var/lib/coredns"
diff --git a/etc/systemd/system/copy_coredns.timer b/etc/systemd/system/copy_coredns.timer
index e5d67ba..b5d56ee 100644
--- a/etc/systemd/system/copy_coredns.timer
+++ b/etc/systemd/system/copy_coredns.timer
@@ -1,5 +1,5 @@
 [Unit]
-Description=Weekly copy of dotya.ml certs for coredns
+Description=Weekly copy of TLS certs for coredns.service
 [Timer]
 OnCalendar=weekly
diff --git a/etc/systemd/system/coredns.service b/etc/systemd/system/coredns.service
index 4ec6297..a523c90 100644
--- a/etc/systemd/system/coredns.service
+++ b/etc/systemd/system/coredns.service
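Review bot: After the copy nothing tells CoreDNS to pick up the new files: the unit only runs `cp` and `chown`, and the `reload` plugin in the Corefile tracks the Corefile rather than the certificate files, so as far as I know a renewed `dns.dotya.ml` cert is not served until coredns.service restarts, and the `ConditionPathExists`/`DOMAIN` change in this hunk does not alter that. An `ExecStartPost=systemctl try-restart coredns.service` would close the gap, but the existing `PartOf=coredns.service` propagates that restart back to this unit, so the two need reconciling (for example dropping `PartOf=` now that the path unit and timer trigger the copy). Separately, the private key ends up with whatever mode `cp` gives it under the unit's umask; a `chmod 0600 /var/lib/coredns/certs/privkey.pem` alongside the `chown` in `ExecStopPost` would pin that explicitly.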
@@ -2,6 +2,8 @@
 Description=CoreDNS server
 Documentation=https://coredns.io
 After=network.target
+Wants=dnscrypt-proxy.service
+Upholds=dnscrypt-proxy.service
 [Service]
 PermissionsStartOnly=true
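Review bot: The new `Wants=`/`Upholds=dnscrypt-proxy.service` lines impose no ordering: without `After=dnscrypt-proxy.service`, CoreDNS can start before its only upstream is listening, and queries in that window may fail until `forward`'s health check marks the upstream healthy again. Adding `After=dnscrypt-proxy.service` next to the existing `After=network.target` fixes the start order; `Upholds=` also requires systemd 249 or newer, which deserves a comment such as `# Upholds= needs systemd >= 249` since the `[Unit]` section begins outside the hunk.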