add DoH support

* add instructions on how to use the resolvers
* additionally, configure better caching on CoreDNS
* tweak the main domain used
* reorganise the README a bit
surtur 2023-10-05 14:53:36 +02:00
parent 09a2e7cd19
commit 51cb74c853
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
6 changed files with 91 additions and 19 deletions

@ -1,17 +1,54 @@
# [`coredns`](https://git.dotya.ml/dotya.ml/coredns) # [`coredns`](https://git.dotya.ml/dotya.ml/coredns)
this repo contains configuration files for [CoreDNS](https://coredns.io/) set this repo contains the configuration files for [CoreDNS](https://coredns.io/)
up as a simple [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) set up as a [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
forwarding resolver, that is relying on a locally running and [DNS over HTTPS (DoH)](https://en.wikipedia.org/wiki/DNS_over_HTTPS)
[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for any forwarding resolver that relies on a locally running
and all queries. [`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for
resolution of any and all queries.
since the `systemd` service runs under an unprivileged user (here coredns, CoreDNS is configured to run under an unprivileged user (see
which doesn't by default have access to `/etc/letsencrypt`), certs need to be `coredns.service`), which doesn't by default have access to `/etc/letsencrypt`.
supplied to `coredns` another way: `copycerts_coredns.{path,service,timer}`. the TLS certs therefore need to be supplied to CoreDNS using another way - see
the `copycerts_coredns.{path,service,timer}` units.
### TO DO ## how to use this - tl;dr
DoT @`dns.dotya.ml`
DoH @`https://dns.dotya.ml/dns-query`
DoH alt port @`https://dns.dotya.ml:4053/dns-query`
## how to use this - the long version
the base domain here is `dns.dotya.ml`.
### DoT
simply configure the base domain directly as the standard port (`:853/tcp`) is
used.
### DoH
append `/dns-query` to the base domain and optionally prefix it with
`https://`, i.e. configure `dns.dotya.ml/dns-query` or
`https://dns.dotya.ml/dns-query` as the DoH server (in e.g.
[Firefox](https://mzl.la/3PeuP0z)).
it is worth noting that the DoH server natively listens on `:4053`, not `:443`.
however, it's *additionally* proxied by `nginx` (that hogs all
`:443`/`[::]:443` on the host) so that it can be found on the standard HTTPS
port and blends in better.
i.e. while both configurations can be used *equally* as well, one uses a
non-standard port but does not depend on `nginx` running, and the other *does*
use the standard DoH port but *could* become unavailable in the event of
`nginx` crashing for some reason. in summary, pick your set of potential
drawbacks.
## TO DO
- [ ] automated deployment (preferably using `ansible` + `drone`) - [ ] automated deployment (preferably using `ansible` + `drone`)
### LICENSE ## LICENSE
WTFPLv2, see [LICENSE](LICENSE) for details WTFPLv2, see [LICENSE](LICENSE) for details
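Review bot: The new DoH section ("it is worth noting that the DoH server natively listens on `:4053` ... it's *additionally* proxied by `nginx`") leans on an nginx reverse proxy that is not in this repo, and it does not say whether nginx terminates TLS itself or passes the TCP stream through to `:4053`. That distinction matters for the `client_auth verify_if_given` line in the Corefile's `https://.:4053` block, which only ever sees a client certificate in the pass-through case. Suggest one sentence pointing at where the nginx config lives and which mode it uses. Two smaller documentation points: the tl;dr line `DoT @dns.dotya.ml` would be clearer as `dns.dotya.ml:853` so readers do not have to scroll to the long version for the port, and the cert paragraph ("the TLS certs therefore need to be supplied to CoreDNS using another way") should state that the Let's Encrypt lineage must be named `dns.dotya.ml`, since that exact directory is hard-coded in the `copycerts_coredns` units changed in this commit.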

@ -1,6 +1,5 @@
tls://.:853 { tls://.:853 {
reload reload
errors
# certs need to be either copied or mounted here. # certs need to be either copied or mounted here.
tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem { tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
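Review bot: Dropping `errors` from the top of the `tls://.:853` block (it reappears at the bottom of the same block further down in this diff) is cosmetic only: CoreDNS runs plugins in the order compiled into its plugin.cfg, not the order they appear in the Corefile, so nothing changes functionally. Fine to keep for readability, but the commit message lists caching and DoH, not this reorder; either mention it there or leave the line where it was to keep the diff minimal.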
@ -15,9 +14,43 @@ tls://.:853 {
} }
cache { cache {
success 2048 success 4096
denial 2048 denial 2048
prefetch 512
keepttl
} }
whoami
health
errors
# log
}
https://.:4053 {
reload
tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
client_auth verify_if_given
}
loadbalance
forward . 127.0.0.50:53 ::1 {
health_check 7s
expire 600s
policy sequential
}
cache {
success 4096
denial 2048
prefetch 512
keepttl
}
whoami
health
errors
# log
} }
# vim: noexpandtab # vim: noexpandtab
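Review bot: The new `https://.:4053` block is a line-for-line copy of the `tls://.:853` block apart from the scheme, so the two will drift (the `# certs need to be either copied or mounted here.` comment is already missing from the copy). CoreDNS Corefiles support snippets and `import`; putting the shared `tls`, `loadbalance`, `forward`, `cache`, `whoami`, `health` and `errors` lines into one snippet and importing it from both server blocks keeps them in lockstep. Two caveats on the lines themselves, since the commit message advertises "better caching": `prefetch 512` only prefetches a name after it has been seen 512 times with no gap longer than the default one minute between queries, which a small forwarding resolver will rarely reach, so the directive is close to inert unless a duration is given (e.g. `prefetch 10 1h`); and `keepttl` hands every cache hit the record's original TTL rather than the remaining one, so downstream caches can hold a record for up to twice its TTL, which is acceptable for a personal resolver but deserves a comment. Separately, `client_auth verify_if_given` with no CA argument on the `tls` line verifies any presented client certificate against the system trust store, which is almost certainly not the intent for a public resolver; either drop the option or pass the CA as the third argument to `tls`.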

@ -1,9 +1,9 @@
[Unit] [Unit]
Description=Watching for changes to dotya.ml certs and triggering copy service Description=Watching for changes to TLS certs and triggering the copy service
ConditionPathExists=/etc/letsencrypt/live/dotya.ml ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml
[Path] [Path]
PathChanged=/etc/letsencrypt/live/dotya.ml PathChanged=/etc/letsencrypt/live/dns.dotya.ml
TriggerLimitIntervalSec=30s TriggerLimitIntervalSec=30s
TriggerLimitBurst=30 TriggerLimitBurst=30
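Review bot: The domain is now hard-coded in three units (this path unit, the service's `ConditionPathExists` and its `Environment=DOMAIN`), and if the certbot lineage is named anything other than `dns.dotya.ml` (certbot names the directory after the first domain given and appends `-0001` on some re-issues) `ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml` makes the unit skip silently, so cert renewals stop reaching CoreDNS with nothing obviously failing. Consider keeping the domain in one `EnvironmentFile` read by both the path and service units, and calling out the required lineage name in the README.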

@ -1,13 +1,13 @@
[Unit] [Unit]
Description=Copy dotya.ml certs for coredns.service Description=Copy TLS certs for coredns.service
# technically, the below should have no impact # technically, the below should have no impact
After=network.target After=network.target
PartOf=coredns.service PartOf=coredns.service
ConditionPathExists=/etc/letsencrypt/live/dotya.ml ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml
[Service] [Service]
Type=oneshot Type=oneshot
Environment=DOMAIN=dotya.ml Environment=DOMAIN=dns.dotya.ml
ExecStartPre=bash -c "mkdir -pv /var/lib/coredns/certs" ExecStartPre=bash -c "mkdir -pv /var/lib/coredns/certs"
ExecStart=bash -c "cp -f -v --dereference /etc/letsencrypt/live/${DOMAIN}/* /var/lib/coredns/certs/" ExecStart=bash -c "cp -f -v --dereference /etc/letsencrypt/live/${DOMAIN}/* /var/lib/coredns/certs/"
ExecStopPost=bash -c "chown -Rv coredns:root /var/lib/coredns" ExecStopPost=bash -c "chown -Rv coredns:root /var/lib/coredns"
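Review bot: Nothing here tells CoreDNS about the refreshed files: `PartOf=coredns.service` only propagates stop/restart from coredns.service into this unit, not the other way round, and the Corefile `reload` plugin watches the Corefile, not the certificate files it references. Unless the running CoreDNS re-reads `/var/lib/coredns/certs/*.pem` on its own, both the `:853` and `:4053` listeners keep serving the old chain until the next restart. Add e.g. `ExecStartPost=systemctl try-restart coredns.service` after the copy (or a reload, if the tls plugin is confirmed to pick up changed files). Minor: `cp ... /etc/letsencrypt/live/${DOMAIN}/*` also drags the lineage's `README` into the certs directory; copying `fullchain.pem` and `privkey.pem` by name avoids that and fails loudly if either is missing.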

@ -1,5 +1,5 @@
[Unit] [Unit]
Description=Weekly copy of dotya.ml certs for coredns Description=Weekly copy of TLS certs for coredns.service
[Timer] [Timer]
OnCalendar=weekly OnCalendar=weekly
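Review bot: `OnCalendar=weekly` without `Persistent=true` means a run missed while the host was down is skipped rather than caught up at boot; since this timer is the fallback for the path unit, adding `Persistent=true` under `[Timer]` lets it actually serve that role after downtime.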

@ -2,6 +2,8 @@
Description=CoreDNS server Description=CoreDNS server
Documentation=https://coredns.io Documentation=https://coredns.io
After=network.target After=network.target
Wants=dnscrypt-proxy.service
Upholds=dnscrypt-proxy.service
[Service] [Service]
PermissionsStartOnly=true PermissionsStartOnly=true
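Review bot: `Wants=`/`Upholds=dnscrypt-proxy.service` pulls the upstream in, but without `After=dnscrypt-proxy.service` there is no ordering, so at boot CoreDNS can start forwarding to `127.0.0.50:53` before dnscrypt-proxy is listening and queries arriving in that window fail. Add `After=dnscrypt-proxy.service` next to the existing `After=network.target`. Also note `Upholds=` needs systemd 249 or newer; on older systems the directive is logged as an unknown key and ignored, leaving only `Wants=` in effect.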