Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
DNS over TLS (knot resolver) setup using 1.1.1.1 on macOS
# Configuring DNS-over-TLS on macOS
# Worked on macOS 10.13.4
brew -v update
brew -v doctor
# Next two commands are optional
sudo chown -R $(whoami) $(brew --prefix)/*
echo 'export PATH="/usr/local/sbin:$PATH"' >> ~/.bash_profile
# Install DNS client
brew install knot-resolver
# Should be installed to something like: /usr/local/Cellar/knot-resolver/2.3.0/sbin/kresd
# Test prior to changing
kdig www.google.com
# Look for line starting with "From"
openssl s_client -showcerts -connect 1.1.1.1:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > /usr/local/etc/kresd/DigiCertGlobalRootCA.pem
# $HOSTNAME='1.1.1.1' $PORT='443' openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
cp -av /usr/local/etc/kresd/config /usr/local/etc/kresd/config-$(date +%Y%m%d)
echo "policy.TLS_FORWARD({{'1.1.1.1', hostname='cloudflare-dns.com.', ca_file='/usr/local/etc/kresd/DigiCertGlobalRootCA.pem' }})" >> /usr/local/etc/kresd/config
sudo brew services restart knot-resolver
# Look for error messages. Log file is /usr/local/etc/kresd/config
# Change resolver
Go to Apple Menu > System Preferences > Network > Advanced > DNS and add 127.0.0.1 as your DNS server.
# Test prior to changing
kdig www.google.com
# Look for line starting with "From"
# Something like: ;; From 127.0.0.1@53(UDP) in 32.5 ms
# Further testing
kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com google.com
# Optional config file settings:
-- Prefetch learning (20-minute blocks over 24 hours)
predict.config(20, 72)
-- Enable DNSSEC validation
trust_anchors.file = '/etc/knot-resolver/root.keys'
# IPv6 addresses for Cloudflare:
2606:4700:4700::1111
2606:4700:4700::1001
# Get root keys:
# https://data.iana.org/root-anchors/root-anchors.xml
# Automatic bootstrap requires luasocket and luasec to be installed.
brew install ldns
kdig DNSKEY . @k.root-servers.net +noall +answer | grep "DNSKEY[[:space:]]257" > /etc/knot-resolver/root.keys
ldns-key2ds -n /etc/knot-resolver/root.keys
# Bootstrapping and automatic update need write access to keyfile direcory. If you want to manage root anchors manually you should use trust_anchors.add_file('/etc/knot-resolver/root.keys', true)
# See https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec for more help
# Validation (it seems backwards):
dig @ADDRESS dnssec-failed.org a +dnssec
# Success
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
# Failure
;; ->>HEADER<<- opcode: QUERY, status: NOERROR
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment