add DoH support

* add instructions on how to use the resolvers * additionally, configure better caching on CoreDNS * tweak the main domain used * reorganise the README a bit
2023-10-05 14:53:36 +02:00 · 2023-10-05 14:53:36 +02:00 · 51cb74c853
commit 51cb74c853
parent 09a2e7cd19
6 changed files with 91 additions and 19 deletions
--- a/README.md
+++ b/README.md
@ -1,17 +1,54 @@
 # [`coredns`](https://git.dotya.ml/dotya.ml/coredns)
-this repo contains configuration files for [CoreDNS](https://coredns.io/) set
+this repo contains the configuration files for [CoreDNS](https://coredns.io/)
-up as a simple [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
+set up as a [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
-forwarding resolver, that is relying on a locally running
+and [DNS over HTTPS (DoH)](https://en.wikipedia.org/wiki/DNS_over_HTTPS)
-[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for any
+forwarding resolver that relies on a locally running
-and all queries.
+[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for
 resolution of any and all queries.
-since the `systemd` service runs under an unprivileged user (here coredns,
+CoreDNS is configured to run under an unprivileged user (see
-which doesn't by default have access to `/etc/letsencrypt`), certs need to be
+`coredns.service`), which doesn't by default have access to `/etc/letsencrypt`.
-supplied to `coredns` another way: `copycerts_coredns.{path,service,timer}`.
+the TLS certs therefore need to be supplied to CoreDNS using another way - see
 the `copycerts_coredns.{path,service,timer}` units.
-### TO DO
+## how to use this - tl;dr
 DoT @`dns.dotya.ml`
 DoH @`https://dns.dotya.ml/dns-query`
 DoH alt port @`https://dns.dotya.ml:4053/dns-query`
 ## how to use this - the long version
 the base domain here is `dns.dotya.ml`.
 ### DoT
 simply configure the base domain directly as the standard port (`:853/tcp`) is
 used.
 ### DoH
 append `/dns-query` to the base domain and optionally prefix it with
 `https://`, i.e. configure `dns.dotya.ml/dns-query` or
 `https://dns.dotya.ml/dns-query` as the DoH server (in e.g.
 [Firefox](https://mzl.la/3PeuP0z)).
 it is worth noting that the DoH server natively listens on `:4053`, not `:443`.
 however, it's *additionally* proxied by `nginx` (that hogs all
 `:443`/`[::]:443` on the host) so that it can be found on the standard HTTPS
 port and blends in better.
 i.e. while both configurations can be used *equally* as well, one uses a
 non-standard port but does not depend on `nginx` running, and the other *does*
 use the standard DoH port but *could* become unavailable in the event of
 `nginx` crashing for some reason. in summary, pick your set of potential
 drawbacks.
 ## TO DO
 - [ ] automated deployment (preferably using `ansible` + `drone`)
-### LICENSE
+## LICENSE
 WTFPLv2, see [LICENSE](LICENSE) for details
--- a/etc/coredns/Corefile
+++ b/etc/coredns/Corefile
@ -1,6 +1,5 @@
 tls://.:853 {
 	reload
 	errors
 	# certs need to be either copied or mounted here.
 	tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
@ -15,9 +14,43 @@ tls://.:853 {
 	}
 	cache {
-		success	2048
+		success	4096
 		denial	2048
 		prefetch 512
 		keepttl
 	}
 	whoami
 	health
 	errors
 	# log
 }
 https://.:4053 {
 	reload
 	tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
 		client_auth verify_if_given
 	}
 	loadbalance
 	forward . 127.0.0.50:53 ::1 {
 		health_check 7s
 		expire 600s
 		policy sequential
 	}
 	cache {
 		success	4096
 		denial	2048
 		prefetch 512
 		keepttl
 	}
 	whoami
 	health
 	errors
 	# log
 }
 # vim: noexpandtab
--- a/etc/systemd/system/copy_coredns.path
+++ b/etc/systemd/system/copy_coredns.path
@ -1,9 +1,9 @@
 [Unit]
-Description=Watching for changes to dotya.ml certs and triggering copy service
+Description=Watching for changes to TLS certs and triggering the copy service
-ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml
 [Path]
-PathChanged=/etc/letsencrypt/live/dotya.ml
+PathChanged=/etc/letsencrypt/live/dns.dotya.ml
 TriggerLimitIntervalSec=30s
 TriggerLimitBurst=30
--- a/etc/systemd/system/copy_coredns.service
+++ b/etc/systemd/system/copy_coredns.service
@ -1,13 +1,13 @@
 [Unit]
-Description=Copy dotya.ml certs for coredns.service
+Description=Copy TLS certs for coredns.service
 # technically, the below should have no impact
 After=network.target
 PartOf=coredns.service
-ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml
 [Service]
 Type=oneshot
-Environment=DOMAIN=dotya.ml
+Environment=DOMAIN=dns.dotya.ml
 ExecStartPre=bash -c "mkdir -pv /var/lib/coredns/certs"
 ExecStart=bash -c "cp -f -v --dereference /etc/letsencrypt/live/${DOMAIN}/* /var/lib/coredns/certs/"
 ExecStopPost=bash -c "chown -Rv coredns:root /var/lib/coredns"
--- a/etc/systemd/system/copy_coredns.timer
+++ b/etc/systemd/system/copy_coredns.timer
@ -1,5 +1,5 @@
 [Unit]
-Description=Weekly copy of dotya.ml certs for coredns
+Description=Weekly copy of TLS certs for coredns.service
 [Timer]
 OnCalendar=weekly
--- a/etc/systemd/system/coredns.service
+++ b/etc/systemd/system/coredns.service
@ -2,6 +2,8 @@
 Description=CoreDNS server
 Documentation=https://coredns.io
 After=network.target
 Wants=dnscrypt-proxy.service
 Upholds=dnscrypt-proxy.service
 [Service]
 PermissionsStartOnly=true