Written by Stanislav Datskevych, Cloudstack Engineer @Leaseweb
Domain Name System (DNS) is a crucial part of Internet infrastructure. It is responsible for translating a human-readable, memorizable domain (like leaseweb.com) into a numeric IP address (such as 89.255.251.130).
In order to translate a domain into an IP address, your device sends a DNS request to a special DNS server called a resolver (which is most likely managed by your Internet provider). The DNS requests are sent in plain text so anyone who has access to your traffic stream can see which domains you visit.
There are two recent Internet standards that have been designed to solve the DNS privacy issue:
- DNS over TLS (DoT)
- DNS over HTTPS (DoH)
Both of them provide secure and encrypted connections to a DNS server.
DoT/DoH feature compatibility matrix:
In this article, we will setup a private DoH and DoT recursor using pihole in a docker container, and dnsdist as a DNS frontend with Letsencrypt SSL certificates. As a bonus, our DNS server will block tracking and malware while resolving domains for us.
Installation
In this example we use Ubuntu 20.04 with docker and docker-compose installed, but you can choose your favorite distro (you might need to adapt a bit).
You may also need to disable systemd-resolved because it occupies port 53 of the server:
# Check which DNS resolvers your server is using:
systemd-resolve --status
# look for "DNS servers" field in output
# Stop systemd-resolved
systemctl stop systemd-resolved
# Then mask it to prevent from further starting
systemctl mask systemd-resolved
# Delete the symlink systemd-resolved used to manage
rm /etc/resolv.conf
# Create /etc/resolv.conf as a regular file with nameservers you've been using:
cat <<EOF > /etc/resolv.conf
nameserver <ip of the first DNS resolver>
nameserver <ip of the second DNS resolver>
EOFInstall dnsdist and certbot (for letsencrypt certificates):
# Install dnsdist repo
echo "deb [arch=amd64] http://repo.powerdns.com/ubuntu focal-dnsdist-15 main" > /etc/apt/sources.list.d/pdns.list
cat <<EOF > /etc/apt/preferences.d/dnsdist
Package: dnsdist*
Pin: origin repo.powerdns.com
Pin-Priority: 600
EOF
curl https://repo.powerdns.com/FD380FBB-pub.asc | apt-key add -
apt update
apt install dnsdist certbotPihole
Now we create our docker-compose project:
mkdir ~/pihole
touch ~/pihole/docker-compose.ymlThe contents of docker-compose.yml file:
version: '3'
services:
pihole:
container_name: pihole
image: 'pihole/pihole:latest'
ports:
# The DNS server will listen on localhost only, the ports 5300 tcp/udp.
# The queries from Internet won't be able to reach pihole directly.
# Admin web interface, however, will be reachable from Internet.
- '127.0.1.53:5300:53/tcp'
- '127.0.1.53:5300:53/udp'
- '8081:80/tcp'
environment:
TZ: Europe/Amsterdam
VIRTUAL_HOST: dns.example.com # domain name we'll use for our DNS server
WEBPASSWORD: super_secret # Pihole admin password
volumes:
- './etc-pihole/:/etc/pihole/'
- './etc-dnsmasq.d/:/etc/dnsmasq.d/'
restart: unless-stoppedStart the container:
docker-compose up -dAfter the container is fully started (it may take several minutes) check that it is able to resolve domain names:
dig +short @127.0.1.53 -p5300 one.one.one.one
# Expected output
# 1.0.0.1
# 1.1.1.1Letsencrypt Configuration
Issue the certificate for our dns.example.com domain:
certbot certonlyFollow the instructions on the screen (i.e. select the proper authentication method suitable for you, and fill the domain name).
After the certificate is issued it can be found by the following paths:
/etc/letsencrypt/live/dns.example.com/fullchain.pem- certificate chain/etc/letsencrypt/live/dns.example.com/privkey.pem- private key
By default only the root user can read certificates and keys. Dnsdist, however, is running as user and group _dnsdist, so permissions need to be adjusted:
chgrp _dnsdist \ /etc/letsencrypt/live/dns.example.com/{fullchain.pem,privkey.pem}
chmod g+r \ /etc/letsencrypt/live/dns.example.com/{fullchain.pem,privkey.pem}
# We should also make archive and live directories readable.
# That will not expose the keys since the private key isn't world-readable
chmod 755 /etc/letsencrypt/{live,archive}The certificates are periodically renewed by Certbot, so dnsdist should be restarted after that happens since it is not able to detect the new certificate. In order to do so, we put a so-called deploy script into /etc/letsencrypt/renewal-hooks/deploy directory:
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
cat <<EOF > /etc/letsencrypt/renewal-hooks/deploy/restart-dnsdist.sh
#!/bin/sh
systemctl restart dnsdist
EOF
chmod +x /etc/letsencrypt/renewal-hooks/deploy/restart-dnsdist.shDnsdist Configuration
Create dnsdist configuration file /etc/dnsdist/dnsdist.conf with the following content:
addACL('0.0.0.0/0')
-- path for certs and listen address for DoT ipv4,
-- by default listens on port 853.
-- Set X(int) for tcp fast open queue size.
addTLSLocal("0.0.0.0", "/etc/letsencrypt/live/dns.example.com/fullchain.pem", "/etc/letsencrypt/live/dns.example.com/privkey.pem", { doTCP=true, reusePort=true, tcpFastOpenSize=64 })
-- path for certs and listen address for DoH ipv4,
-- by default listens on port 443.
-- Set X(int) for tcp fast open queue size.
--
-- In this example we listen directly on port 443. However, since the DoH queries are simple HTTPS requests, the server can be hidden behind Nginx or Haproxy.
addDOHLocal("0.0.0.0", "/etc/letsencrypt/live/dns.example.com/fullchain.pem", "/etc/letsencrypt/live/dns.example.com/privkey.pem", "/dns-query", { doTCP=true, reusePort=true, tcpFastOpenSize=64 })
-- set X(int) number of queries to be allowed per second from a IP
addAction(MaxQPSIPRule(50), DropAction())
-- drop ANY queries sent over udp
addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), DropAction())
-- set X number of entries to be in dnsdist cache by default
-- memory will be preallocated based on the X number
pc = newPacketCache(10000, {maxTTL=86400})
getPool(""):setCache(pc)
-- server policy to choose the downstream servers for recursion
setServerPolicy(leastOutstanding)
-- Here we define our backend, the pihole dns server
newServer({address="127.0.1.53:5300", name="127.0.1.53:5300"})
setMaxTCPConnectionsPerClient(1000) -- set X(int) for number of tcp connections from a single client. Useful for rate limiting the concurrent connections.
setMaxTCPQueriesPerConnection(100) -- set X(int) , similiar to addAction(MaxQPSIPRule(X), DropAction())Checking if DoH and DoT Works
Check if DoH works using curl with doh-url flag:
curl --doh-url https://dns.example.com/dns-query https://leaseweb.com/Check if DoT works using kdig program from the knot-dnsutils package:
apt install knot-dnsutils
kdig -d @dns.example.com +tls-ca leaseweb.comSetting up Private DNS on Android
Currently only Android 9+ natively supports encrypted DNS queries by using DNS-over-TLS technology.
In order to use it go to: Settings -> Connections -> More connection settings -> Private DNS -> Private DNS provider hostname -> dns.example.com
Conclusion
In this article we’ve set up our own DNS resolving server with the following features:
- Automatic TLS certificates using Letsencrypt.
- Supports both modern encrypted protocols: DNS over TLS, and DNS over HTTPS.
- Implements rate-limit of incoming queries to prevent abuse.
- Automatically updated blacklist of malware, ad, and tracking domains.
- Easily upgradeable by simply pulling a new version of Docker image.
Technical Careers at Leaseweb
We are searching for the next generation of engineers and developers to help us build infrastructure to automate our global hosting services! If you are interested in finding out more, check out our Careers at Leaseweb.
Originally published at https://www.leaseweb.com/labs on July 29, 2020.
