Forked from jfeilbach/gist:fd109c7dbc9798ce6e47358b82d0be76
Created
January 9, 2019 19:56
Save cvogt/0b681c6edfce504ca3553b336ca55ef7 to your computer and use it in GitHub Desktop.
Revisions
jfeilbach revised this gist
May 15, 2018. No changes.
jfeilbach revised this gist
May 15, 2018. 1 changed file with 1 addition and 0 deletions.
@@ -44,6 +44,7 @@ brew install ldns kdig DNSKEY . @k.root-servers.net +noall +answer | grep "DNSKEY[[:space:]]257" > /etc/knot-resolver/root.keys ldns-key2ds -n /etc/knot-resolver/root.keys # Bootstrapping and automatic update need write access to keyfile direcory. If you want to manage root anchors manually you should use trust_anchors.add_file('/etc/knot-resolver/root.keys', true) # See https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec for more help # Validation (it seems backwards): dig @ADDRESS dnssec-failed.org a +dnssec
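Review bot: the added link `https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec` tracks the newest release, while this file describes a 2.3.0 install; the trust anchor directives (`trust_anchors.file`, `trust_anchors.add_file`) have been reworked in later releases, so a reader following `latest` may find the config lines here no longer match. Link the versioned docs path for the installed release instead.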
jfeilbach revised this gist
May 15, 2018. 1 changed file with 1 addition and 1 deletion.
@@ -45,7 +45,7 @@ kdig DNSKEY . @k.root-servers.net +noall +answer | grep "DNSKEY[[:space:]]257" > ldns-key2ds -n /etc/knot-resolver/root.keys # Bootstrapping and automatic update need write access to keyfile direcory. If you want to manage root anchors manually you should use trust_anchors.add_file('/etc/knot-resolver/root.keys', true) # Validation (it seems backwards): dig @ADDRESS dnssec-failed.org a +dnssec # Success ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
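Review bot: the comment change to `# Validation (it seems backwards):` leaves the reader puzzled rather than informed. SERVFAIL for dnssec-failed.org is the expected result: a validating resolver refuses to return records whose signatures do not verify, so SERVFAIL is the success marker and a NOERROR answer means validation is not happening. Say that directly in the comment instead of the parenthetical.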
jfeilbach revised this gist
May 15, 2018. 1 changed file with 2 additions and 0 deletions.
@@ -7,6 +7,7 @@ sudo chown -R $(whoami) $(brew --prefix)/* echo 'export PATH="/usr/local/sbin:$PATH"' >> ~/.bash_profile # Install DNS client brew install knot-resolver # Should be installed to something like: /usr/local/Cellar/knot-resolver/2.3.0/sbin/kresd # Test prior to changing kdig www.google.com # Look for line starting with "From" @@ -38,6 +39,7 @@ trust_anchors.file = '/etc/knot-resolver/root.keys' # Get root keys: # https://data.iana.org/root-anchors/root-anchors.xml # Automatic bootstrap requires luasocket and luasec to be installed. brew install ldns kdig DNSKEY . @k.root-servers.net +noall +answer | grep "DNSKEY[[:space:]]257" > /etc/knot-resolver/root.keys ldns-key2ds -n /etc/knot-resolver/root.keys
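Review bot: in the second hunk, the IANA URL `https://data.iana.org/root-anchors/root-anchors.xml` is added only as a comment; the commands that follow still take the key from k.root-servers.net over plain DNS and never consult that file. The XML publishes the DS digest of the current root KSK, so the useful step is to compare the `ldns-key2ds -n` output against it and only then install root.keys. In the first hunk, `/usr/local/Cellar/knot-resolver/2.3.0/sbin/kresd` hard-codes a version that goes stale at the next `brew upgrade`; `$(brew --prefix knot-resolver)/sbin/kresd` names the same location without it.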
jfeilbach revised this gist
May 15, 2018. 1 changed file with 13 additions and 3 deletions.
@@ -37,6 +37,16 @@ trust_anchors.file = '/etc/knot-resolver/root.keys' 2606:4700:4700::1001 # Get root keys: # https://data.iana.org/root-anchors/root-anchors.xml brew install ldns kdig DNSKEY . @k.root-servers.net +noall +answer | grep "DNSKEY[[:space:]]257" > /etc/knot-resolver/root.keys ldns-key2ds -n /etc/knot-resolver/root.keys # Bootstrapping and automatic update need write access to keyfile direcory. If you want to manage root anchors manually you should use trust_anchors.add_file('/etc/knot-resolver/root.keys', true) # Validation: dig @ADDRESS dnssec-failed.org a +dnssec # Success ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL # Failure ;; ->>HEADER<<- opcode: QUERY, status: NOERROR
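Review bot: the validation test covers only the negative case. SERVFAIL for dnssec-failed.org shows that bogus data is rejected, but a resolver that simply cannot reach its upstream also returns SERVFAIL and would pass the test as written. Pair it with a `+dnssec` query for a correctly signed name and check for the `ad` flag in the header, which shows that good data is actually being validated. The comment `# Bootstrapping and automatic update need write access to keyfile direcory` also has a typo (direcory).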
jfeilbach revised this gist
May 15, 2018. 1 changed file with 2 additions and 1 deletion.
@@ -38,4 +38,5 @@ trust_anchors.file = '/etc/knot-resolver/root.keys' # Get root keys: kdig DNSKEY . @k.root-servers.net +noall +answer | grep "DNSKEY[[:space:]]257" > root.keys ldns-key2ds -n root.keys # Only print to stdout kresd -k root.keys
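Review bot: `kresd -k root.keys` uses a relative path while the config line above sets `trust_anchors.file = '/etc/knot-resolver/root.keys'`. Under `brew services` the daemon's working directory is not the directory this file was written to, so the `-k` argument points at a file that does not exist there. Use one absolute path in both places, or drop `-k` and rely on the config directive.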
jfeilbach revised this gist
May 15, 2018. 1 changed file with 5 additions and 1 deletion.
@@ -34,4 +34,8 @@ trust_anchors.file = '/etc/knot-resolver/root.keys' # IPv6 addresses for Cloudflare: 2606:4700:4700::1111 2606:4700:4700::1001 # Get root keys: kdig DNSKEY . @k.root-servers.net +noall +answer | grep "DNSKEY[[:space:]]257" > root.keys ldns-key2ds -n root.keys # Only print to stdout
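Review bot: `kdig DNSKEY . @k.root-servers.net ... > root.keys` obtains the trust anchor over unauthenticated DNS from a single root server, so whatever answers that query decides which key the resolver will trust from then on; the anchor is the one thing that cannot be validated by DNSSEC itself. Compare the DS that `ldns-key2ds -n root.keys` prints against the anchor IANA publishes before using the file, and check kdig's exit status (or run under `set -o pipefail`) so a failed query does not leave an empty root.keys that kresd then loads.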
jfeilbach revised this gist
May 15, 2018. 1 changed file with 5 additions and 1 deletion.
@@ -30,4 +30,8 @@ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com google.com predict.config(20, 72) -- Enable DNSSEC validation trust_anchors.file = '/etc/knot-resolver/root.keys' # IPv6 addresses for Cloudflare: 2606:4700:4700::1111 2606:4700:4700::1001
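Review bot: the two IPv6 addresses are recorded only as a comment and are not added to the `policy.TLS_FORWARD` target list, so the forwarder still has a single upstream (1.1.1.1) and no fallback when it is unreachable. If they are meant to be used, add them as further entries in the same table with the same `hostname=` and `ca_file=` so certificate validation applies to them as well.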
jfeilbach revised this gist
May 15, 2018. 1 changed file with 8 additions and 1 deletion.
@@ -23,4 +23,11 @@ kdig www.google.com # Look for line starting with "From" # Something like: ;; From 127.0.0.1@53(UDP) in 32.5 ms # Further testing kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com google.com # Optional config file settings: -- Prefetch learning (20-minute blocks over 24 hours) predict.config(20, 72) -- Enable DNSSEC validation trust_anchors.file = '/etc/knot-resolver/root.keys'
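Review bot: `trust_anchors.file = '/etc/knot-resolver/root.keys'` introduces a second location: everything else in the file lives under /usr/local/etc/kresd/, and a Homebrew-run kresd has no reason to find /etc/knot-resolver/ present, let alone writable for automatic anchor updates. Keep the anchor file under the same prefix as the config. The `#` lines in this hunk are shell comments while `predict.config(20, 72)` and `trust_anchors.file` are Lua directives for the kresd config file, so the comment should say these go into /usr/local/etc/kresd/config rather than the terminal.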
jfeilbach created this gist
May 15, 2018.
@@ -0,0 +1,26 @@ # Configuring DNS-over-TLS on macOS # Worked on macOS 10.13.4 brew -v update brew -v doctor # Next two commands are optional sudo chown -R $(whoami) $(brew --prefix)/* echo 'export PATH="/usr/local/sbin:$PATH"' >> ~/.bash_profile # Install DNS client brew install knot-resolver # Test prior to changing kdig www.google.com # Look for line starting with "From" openssl s_client -showcerts -connect 1.1.1.1:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > /usr/local/etc/kresd/DigiCertGlobalRootCA.pem # $HOSTNAME='1.1.1.1' $PORT='443' openssl s_client -connect {HOSTNAME}:{PORT} -showcerts cp -av /usr/local/etc/kresd/config /usr/local/etc/kresd/config-$(date +%Y%m%d) echo "policy.TLS_FORWARD({{'1.1.1.1', hostname='cloudflare-dns.com.', ca_file='/usr/local/etc/kresd/DigiCertGlobalRootCA.pem' }})" >> /usr/local/etc/kresd/config sudo brew services restart knot-resolver # Look for error messages. Log file is /usr/local/etc/kresd/config # Change resolver Go to Apple Menu > System Preferences > Network > Advanced > DNS and add 127.0.0.1 as your DNS server. # Test prior to changing kdig www.google.com # Look for line starting with "From" # Something like: ;; From 127.0.0.1@53(UDP) in 32.5 ms # Further testing kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com google.com
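Review bot: the certificate capture `openssl s_client -showcerts ... | openssl x509 -outform PEM > .../DigiCertGlobalRootCA.pem` does not save the DigiCert root: `openssl x509` parses only the first PEM block of its input, which is the server's leaf certificate, so `ca_file=` in the `policy.TLS_FORWARD` line points at a leaf that rotates and that was itself fetched over the very connection it is supposed to authenticate. Take the root CA from the system keychain or the CA's own distribution point instead. Also, `policy.TLS_FORWARD({...})` on its own only returns a policy action; it takes effect when registered, e.g. `policy.add(policy.all(policy.TLS_FORWARD({{'1.1.1.1', hostname='cloudflare-dns.com', ca_file='...'}})))`. The comment `# Look for error messages. Log file is /usr/local/etc/kresd/config` names the config file just appended to, not a log.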