Last active March 27, 2021 09:18
DNS over TLS (knot resolver) setup using on macOS
# Configuring DNS-over-TLS on macOS
# Worked on macOS 10.13.4
brew -v update
brew -v doctor
# Next two commands are optional
sudo chown -R $(whoami) $(brew --prefix)/*
echo 'export PATH="/usr/local/sbin:$PATH"' >> ~/.bash_profile
# Install DNS client
brew install knot-resolver
# Should be installed to something like: /usr/local/Cellar/knot-resolver/2.3.0/sbin/kresd
# Test prior to changing
# Look for line starting with "From"
openssl s_client -showcerts -connect </dev/null 2>/dev/null|openssl x509 -outform PEM > /usr/local/etc/kresd/DigiCertGlobalRootCA.pem
# Caveat: `openssl x509` keeps only the first certificate in the s_client output, which is the
# server's own (leaf) certificate, not the DigiCert root. A ca_file should hold the root CA
# certificate, so take it from the CA's published roots or the system trust store instead.
# To inspect the full chain by hand:
# HOSTNAME='' PORT='443'; openssl s_client -connect "${HOSTNAME}:${PORT}" -showcerts
cp -av /usr/local/etc/kresd/config /usr/local/etc/kresd/config-$(date +%Y%m%d)
# Wrap TLS_FORWARD in policy.add(policy.all(...)) so the policy is applied to every query;
# a bare policy.TLS_FORWARD(...) only constructs the policy without installing it.
echo "policy.add(policy.all(policy.TLS_FORWARD({{'', hostname='', ca_file='/usr/local/etc/kresd/DigiCertGlobalRootCA.pem' }})))" >> /usr/local/etc/kresd/config
sudo brew services restart knot-resolver
# Look for error messages in the kresd log output (the config file itself is /usr/local/etc/kresd/config)
# Change resolver
Go to Apple Menu > System Preferences > Network > Advanced > DNS and add as your DNS server.
# Test prior to changing
# Look for line starting with "From"
# Something like: ;; From in 32.5 ms
# Further testing
kdig -d @ +tls-ca
# Optional config file settings:
-- Prefetch learning (20-minute blocks over 24 hours)
predict.config(20, 72)
-- Enable DNSSEC validation
trust_anchors.file = '/etc/knot-resolver/root.keys'
# IPv6 addresses for Cloudflare:
# Get root keys:
# Automatic bootstrap requires luasocket and luasec to be installed.
brew install ldns
kdig DNSKEY . +noall +answer | grep "DNSKEY[[:space:]]257" > /etc/knot-resolver/root.keys
ldns-key2ds -n /etc/knot-resolver/root.keys
# Bootstrapping and automatic update need write access to the keyfile directory.
# If you want to manage root anchors manually, use: trust_anchors.add_file('/etc/knot-resolver/root.keys', true)
# See for more help
# Validation (it seems backwards: the test name is expected to fail DNSSEC validation,
# so a validating resolver answers SERVFAIL and a non-validating one answers NOERROR):
dig @ADDRESS a +dnssec
# Success
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
# Failure
;; ->>HEADER<<- opcode: QUERY, status: NOERROR
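The three checks in this gist (the TLS_FORWARD config line, the `kdig +tls-ca` test against the upstream, and the SERVFAIL/NOERROR validation test) as one added Python example; this code is not part of the gist. The upstream address 192.0.2.1 and hostname resolver.example are placeholders, the sample dig/kdig outputs are constructed, and the `policy.add(policy.all(...))` wrapper follows the Knot Resolver documentation.

```python
import re

# Constructed placeholders for this example (not values from the gist):
# an upstream DoT resolver in the RFC 5737 documentation range,
# authenticated by a placeholder hostname.
UPSTREAM_ADDR = "192.0.2.1"
UPSTREAM_HOST = "resolver.example"
CA_FILE = "/usr/local/etc/kresd/DigiCertGlobalRootCA.pem"


def lua_string(value):
    """Quote a value as a single-quoted Lua string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def tls_forward_policy(upstreams, ca_file):
    """Render the kresd config line that forwards every query over TLS.

    upstreams is a list of (address, hostname) pairs. The TLS_FORWARD policy
    is wrapped in policy.add(policy.all(...)), as the Knot Resolver
    documentation shows, so that it is applied rather than only constructed.
    """
    entries = ", ".join(
        "{%s, hostname=%s, ca_file=%s}"
        % (lua_string(addr), lua_string(host), lua_string(ca_file))
        for addr, host in upstreams
    )
    return "policy.add(policy.all(policy.TLS_FORWARD({%s})))" % entries


# dig separates header fields with commas, kdig with semicolons; accept both.
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+)[,;] status: (\w+)")
FLAGS_RE = re.compile(r";; [Ff]lags: ([a-z ]*);")
FROM_RE = re.compile(r";; From (\S+?)@(\d+)\((\w+)\) in ([\d.]+) ms")


def parse_reply(text):
    """Extract status, header flags and the answering server from dig/kdig output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    origin = FROM_RE.search(text)
    return {
        "status": header.group(2) if header else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "from": (origin.group(1), int(origin.group(2)), origin.group(3)) if origin else None,
    }


def answered_over_dot(kdig_text, upstream_addr):
    """True if kdig's ';; From' footer shows the answer came from the expected
    upstream on the DNS-over-TLS port 853 (what `kdig +tls-ca @upstream` reports)."""
    origin = parse_reply(kdig_text)["from"]
    return origin is not None and origin[0] == upstream_addr and origin[1] == 853


def dnssec_validating(good_reply, bogus_reply):
    """A validating resolver sets the AD flag on a correctly signed name and
    answers SERVFAIL for a name whose signatures are deliberately broken."""
    good = parse_reply(good_reply)
    bogus = parse_reply(bogus_reply)
    return good["status"] == "NOERROR" and "ad" in good["flags"] and bogus["status"] == "SERVFAIL"


# Constructed sample output in the shape `kdig +tls-ca @192.0.2.1` prints.
SAMPLE_KDIG = """\
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4242
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; From 192.0.2.1@853(TCP) in 32.5 ms
"""

# Constructed dig output from the local kresd for a correctly signed name ...
SAMPLE_DIG_GOOD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# ... and for a name whose DNSSEC signatures are deliberately broken.
SAMPLE_DIG_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

if __name__ == "__main__":
    print(tls_forward_policy([(UPSTREAM_ADDR, UPSTREAM_HOST)], CA_FILE))
    print("DoT upstream reachable:", answered_over_dot(SAMPLE_KDIG, UPSTREAM_ADDR))
    print("DNSSEC validation active:", dnssec_validating(SAMPLE_DIG_GOOD, SAMPLE_DIG_BOGUS))
```

Feed the functions the real `kdig`/`dig` output captured on the machine instead of the constructed samples; the verdicts come from the `From` footer and the `status`/`flags` header lines only, so the rest of the output can vary freely.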