• HTTPS-DNS
• TLS-DNS

Intro

Inspired by the HTTPS-DNS project I started to look for another approach for doing encrypted dns-requests. The following solution should work with nearly all unixoid operatingsystems ( for Microsoft Windows see below ) and can easily be applied. It works absolutly transparently for the clients and servers.

Encrypting DNS-requests is usefull, because it

• prevents manipulation of dns-requests
• prevents recognizing of dns-requests
• prevents logging of dns-requests

Implementation

The whole concept is based on socat for udp <-> tcp and stunnel for TLS-encryption between the clients and the dns-server.

On the serverside we have a normal dns-server running like bind, which is reachable on port 53. Now we use stunnel to create a new TLS-server on port 5667. stunnel forwards the packets on the localhost to socat, which forwards them to bind. You have to use socat because dns requests use udp but stunnel just supports tcp. But with socat we can forward udp to tcp, back and forth again.

On the clientside we configure socat to forward udp packets from port 53 to stunnel as tcp and stunnel to forward them to the server on port 5667. We then configure ure client to use the localhost as dns server.

Client

If you want your client machine to make dns-requests over TLS you have to install socat and stunnel .

Modify your /etc/stunnel/stunnel.conf to this:

sslVersion = TLSv1

chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

client = yes
verify=0

[dns]
accept  = 5666
connect = IPOFDNSSERVER:TLS-DNS-PORT #          !!!!!!!!!!!!!!!!modify this!!!!!!!!!!!!!!

and start the stunnel-daemon. Now start socat:

 $socat udp4-listen:53,reuseaddr,fork tcp:localhost:5666

That's it! Test it with:

 dig @localhost www.google.de

Now all you have to do is make your system use the localhost as dns server. This is very distributionspecific, so look at the doc of your distro. To permanently use TLS-DNS, make stunnel and socat start at boot.

Server

If you are running a dns server and want to extend it to support TLS-DNS you can do this pretty easy. This won't conflict with your existing dns-server in any way. It has been tested on debian lenny with bind9. I expect in the following that you correctly installed your dns server and it is reachable by port 53.

For the stunnel-server you have to create a key:

•  $openssl req -new -x509 -days 3650 -nodes -out dns.pem -keyout dns.pem

, move it to /etc/stunnel/ and change its permissions to 600. Now configure your stunnel.conf like this:

cert = /etc/stunnel/dns.pem

sslVersion = TLSv1

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[dns]
accept  = 5667
connect = localhost:5668

Finally start socat to foward tcp 5668 to udp 53:

•  $socat tcp4-listen:5668,reuseaddr,fork UDP:localhost:53

and the server setup is done.

Your server offers now:

DNS - port 53
TLS-DNS - port 5667

Windows

I haven't tested it but it could also work with Windows. At least there is a socat windows-port and stunnel too is available for Windows. If you tested it please report here!