add DoH support

* add instructions on how to use the resolvers * additionally, configure better caching on CoreDNS * tweak the main domain used * reorganise the README a bit
2023-10-05 14:53:36 +02:00 · 2023-10-05 14:53:36 +02:00 · 51cb74c853
commit 51cb74c853
parent 09a2e7cd19
6 changed files with 91 additions and 19 deletions
--- a/README.md
+++ b/README.md
@ -1,17 +1,54 @@
 # [`coredns`](https://git.dotya.ml/dotya.ml/coredns)

-this repo contains configuration files for [CoreDNS](https://coredns.io/) set
-up as a simple [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
-forwarding resolver, that is relying on a locally running
-[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for any
-and all queries.
+this repo contains the configuration files for [CoreDNS](https://coredns.io/)
+set up as a [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
+and [DNS over HTTPS (DoH)](https://en.wikipedia.org/wiki/DNS_over_HTTPS)
+forwarding resolver that relies on a locally running
+[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for
+resolution of any and all queries.

-since the `systemd` service runs under an unprivileged user (here coredns,
-which doesn't by default have access to `/etc/letsencrypt`), certs need to be
-supplied to `coredns` another way: `copycerts_coredns.{path,service,timer}`.
+CoreDNS is configured to run under an unprivileged user (see
+`coredns.service`), which doesn't by default have access to `/etc/letsencrypt`.
+the TLS certs therefore need to be supplied to CoreDNS using another way - see
+the `copycerts_coredns.{path,service,timer}` units.

-### TO DO
+## how to use this - tl;dr
+
+DoT @`dns.dotya.ml`
+
+DoH @`https://dns.dotya.ml/dns-query`
+
+DoH alt port @`https://dns.dotya.ml:4053/dns-query`
+
+## how to use this - the long version
+
+the base domain here is `dns.dotya.ml`.
+
+### DoT
+
+simply configure the base domain directly as the standard port (`:853/tcp`) is
+used.
+
+### DoH
+
+append `/dns-query` to the base domain and optionally prefix it with
+`https://`, i.e. configure `dns.dotya.ml/dns-query` or
+`https://dns.dotya.ml/dns-query` as the DoH server (in e.g.
+[Firefox](https://mzl.la/3PeuP0z)).
+
+it is worth noting that the DoH server natively listens on `:4053`, not `:443`.
+however, it's *additionally* proxied by `nginx` (that hogs all
+`:443`/`[::]:443` on the host) so that it can be found on the standard HTTPS
+port and blends in better.
+
+i.e. while both configurations can be used *equally* as well, one uses a
+non-standard port but does not depend on `nginx` running, and the other *does*
+use the standard DoH port but *could* become unavailable in the event of
+`nginx` crashing for some reason. in summary, pick your set of potential
+drawbacks.
+
+## TO DO
 - [ ] automated deployment (preferably using `ansible` + `drone`)

-### LICENSE
+## LICENSE
 WTFPLv2, see [LICENSE](LICENSE) for details
--- a/etc/coredns/Corefile
+++ b/etc/coredns/Corefile
@ -1,6 +1,5 @@
 tls://.:853 {
 	reload
-	errors

 	# certs need to be either copied or mounted here.
 	tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
@ -15,9 +14,43 @@ tls://.:853 {
 	}

 	cache {
-		success	2048
+		success	4096
 		denial	2048
+		prefetch 512
+		keepttl
 	}
+
+	whoami
+	health
+	errors
+	# log
+}
+
+https://.:4053 {
+	reload
+
+	tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
+		client_auth verify_if_given
+	}
+
+	loadbalance
+	forward . 127.0.0.50:53 ::1 {
+		health_check 7s
+		expire 600s
+		policy sequential
+	}
+
+	cache {
+		success	4096
+		denial	2048
+		prefetch 512
+		keepttl
+	}
+
+	whoami
+	health
+	errors
+	# log
 }

 # vim: noexpandtab
--- a/etc/systemd/system/copy_coredns.path
+++ b/etc/systemd/system/copy_coredns.path
@ -1,9 +1,9 @@
 [Unit]
-Description=Watching for changes to dotya.ml certs and triggering copy service
-ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+Description=Watching for changes to TLS certs and triggering the copy service
+ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml

 [Path]
-PathChanged=/etc/letsencrypt/live/dotya.ml
+PathChanged=/etc/letsencrypt/live/dns.dotya.ml
 TriggerLimitIntervalSec=30s
 TriggerLimitBurst=30

--- a/etc/systemd/system/copy_coredns.service
+++ b/etc/systemd/system/copy_coredns.service
@ -1,13 +1,13 @@
 [Unit]
-Description=Copy dotya.ml certs for coredns.service
+Description=Copy TLS certs for coredns.service
 # technically, the below should have no impact
 After=network.target
 PartOf=coredns.service
-ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+ConditionPathExists=/etc/letsencrypt/live/dns.dotya.ml

 [Service]
 Type=oneshot
-Environment=DOMAIN=dotya.ml
+Environment=DOMAIN=dns.dotya.ml
 ExecStartPre=bash -c "mkdir -pv /var/lib/coredns/certs"
 ExecStart=bash -c "cp -f -v --dereference /etc/letsencrypt/live/${DOMAIN}/* /var/lib/coredns/certs/"
 ExecStopPost=bash -c "chown -Rv coredns:root /var/lib/coredns"
--- a/etc/systemd/system/copy_coredns.timer
+++ b/etc/systemd/system/copy_coredns.timer
@ -1,5 +1,5 @@
 [Unit]
-Description=Weekly copy of dotya.ml certs for coredns
+Description=Weekly copy of TLS certs for coredns.service

 [Timer]
 OnCalendar=weekly
--- a/etc/systemd/system/coredns.service
+++ b/etc/systemd/system/coredns.service
@ -2,6 +2,8 @@
 Description=CoreDNS server
 Documentation=https://coredns.io
 After=network.target
+Wants=dnscrypt-proxy.service
+Upholds=dnscrypt-proxy.service

 [Service]
 PermissionsStartOnly=true