Inspired by the HTTPS-DNS project I started to look for another approach to encrypting DNS requests. The following solution should work with nearly all Unix-like operating systems (for Microsoft Windows see below) and is easy to apply. It is completely transparent to clients and servers.
Encrypting DNS requests is useful because, on the network path between client and server, it
- prevents manipulation of DNS requests (provided the client verifies the server's certificate)
- prevents an observer from seeing which names are looked up
- prevents logging of DNS requests by anyone in between
The DNS server you tunnel to still sees and can log every query; the tunnel moves that trust from the network to the operator of that server.
On the server side we have a normal DNS server such as BIND running and reachable on port 53. We use stunnel to create a new TLS server on port 5667. stunnel forwards the decrypted data on localhost to socat, which forwards it to BIND. socat is needed because DNS requests normally use UDP while stunnel only supports TCP; with socat we can convert UDP to TCP on the client and back to UDP on the server. Note that socat copies the bytes unchanged and does not add the two-byte length prefix that DNS uses on TCP, so a query is only delivered intact if the server-side socat receives it in a single read. This works for single queries on fresh connections, but it can break when a resolver sends several queries from the same source port in quick succession.
On the client side we configure socat to accept UDP packets on port 53 and forward them over TCP to stunnel, and stunnel to forward them over TLS to the server on port 5667. We then configure the client to use localhost as its DNS server.
If you want your client machine to make DNS requests over TLS you have to install socat and stunnel.
Modify your /etc/stunnel/stunnel.conf to this:
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
verify = 0

[dns]
accept = 5666
# !!!!! modify this: IP and TLS port of your DNS server !!!!!
connect = IPOFDNSSERVER:TLS-DNS-PORT
Two caveats about this configuration. verify = 0 disables certificate verification, so the client completes the handshake with whoever answers on that port, and an attacker on the path could terminate the TLS connection himself; to pin the self-signed certificate created on the server, copy the server's dns.pem to the client and use verify = 3 together with CAfile = /etc/stunnel/dns.pem instead. sslVersion = TLSv1 (here and in the server configuration) restricts the tunnel to TLS 1.0, which is deprecated; on a current stunnel omit the line so that the best available version is negotiated.
Start the stunnel daemon, then start socat (as root, because it binds port 53):
$socat udp4-listen:53,reuseaddr,fork tcp:localhost:5666
That's it! Test it with:
dig @localhost www.google.de
Now all you have to do is make your system use localhost as its DNS server. This is distribution-specific, so consult the documentation of your distribution. To use TLS-DNS permanently, make stunnel and socat start at boot.
If you run a DNS server and want to extend it to support TLS-DNS, this is easy and does not conflict with your existing DNS server in any way. It has been tested on Debian lenny with bind9. In the following I assume that your DNS server is correctly installed and reachable on port 53.
For the stunnel server you have to create a private key and a self-signed certificate (both end up in dns.pem):
$openssl req -new -x509 -days 3650 -nodes -out dns.pem -keyout dns.pem
Move it to /etc/stunnel/ and change its permissions to 600, since it contains the private key. Now configure your stunnel.conf like this:
cert = /etc/stunnel/dns.pem
sslVersion = TLSv1
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[dns]
accept = 5667
connect = localhost:5668
Finally start socat to forward TCP 5668 to UDP 53:
$socat tcp4-listen:5668,reuseaddr,fork UDP:localhost:53
and the server setup is done.
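The following is an added example and not code from the original post or from the stunnel and socat projects. It models the relay path built above: both socat commands copy the UDP payload onto the TCP connection byte for byte, whereas DNS over TCP (RFC 1035 section 4.2.2) prefixes every message with a two-byte length. The script builds two DNS queries in code (constructed input, nothing is sent on the network), pushes them through a simulated relay with and without that prefix, and shows that without framing two queries sharing one TCP connection reach the resolver as a single datagram. The function names and the simulated resolver behaviour (an A and an AAAA query sent from one socket) are my assumptions.

```python
"""Added example (not from the original post): DNS message framing on a
UDP->TCP->UDP relay.  The socat relays in the tutorial copy bytes unchanged;
this script shows what happens when two datagrams share one TCP connection
and how the DNS-over-TCP length prefix (RFC 1035 section 4.2.2) fixes it.
All queries below are constructed in code; nothing is sent on the network."""
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def question_name(msg: bytes) -> str:
    """Return the QNAME of the first question (queries carry no name compression)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS-over-TCP framing: two-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split a TCP byte stream into complete DNS messages.

    Returns (messages, leftover).  leftover is a partial frame still waiting
    for more bytes; a real relay keeps it and prepends it to the next read."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def names_after_relay(datagrams: list[bytes], framed: bool) -> list[str]:
    """Simulate the UDP->TCP->UDP path for datagrams sharing one TCP connection.

    framed=False models the socat pipeline: the payloads are written to the TCP
    stream back to back, the far side may get them in a single read(), and socat
    then sends that whole buffer to port 53 as ONE datagram.  framed=True adds
    the length prefix on the way in and splits on it on the way out."""
    if framed:
        stream = b"".join(frame_for_tcp(d) for d in datagrams)
        msgs, leftover = unframe_from_tcp(stream)
        assert leftover == b""  # every frame was complete
    else:
        msgs = [b"".join(datagrams)]  # one coalesced read -> one datagram
    return [question_name(m) for m in msgs]


if __name__ == "__main__":
    # Constructed input: an A and an AAAA query for the same name, as a resolver
    # that sends both from one socket (hypothetical behaviour) would emit them.
    a, aaaa = build_query("www.google.de", 1), build_query("www.google.de", 28)
    print("raw relay   :", names_after_relay([a, aaaa], framed=False))
    print("framed relay:", names_after_relay([a, aaaa], framed=True))
```

Run it with python3: the raw relay reports only one question, because the second query is swallowed as trailing bytes of the first datagram, while the framed relay yields both. A stub resolver that uses a fresh socket per query (so the client-side socat opens a new TCP connection per query) rarely hits this, but parallel lookups or retries from the same source port can, and a framing-aware relay in place of socat is the robust fix.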
Your server now offers:
DNS - port 53
TLS-DNS - port 5667