DNS over HTTPS on Debian 8 / DNS server forwarder over HTTPS
Securing the DNS query path from our forwarder server to Google's public DNS servers, since that leg already uses HTTPS.
Details: https://developers.google.com/speed/public-dns/docs/dns-over-https
An example query:
https://dns.google.com/query?name=google.com
This can be used as a local forwarder for our local network with CoreDNS.
Details: https://coredns.io
Quick start: https://coredns.io/2017/07/24/quick-start/
Documentation: https://coredns.io/tags/documentation/
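Before wiring CoreDNS to the Google endpoint, it helps to see what a DoH JSON reply looks like and which fields a forwarder has to check before trusting it. The following Python is an added example, not code from the page or from CoreDNS: it builds the query URL, validates a reply (rcode, truncation, that the echoed Question is the one we asked, optionally the AD flag for DNSSEC) and returns the answer data. It assumes Google's JSON API lives at the /resolve path on dns.google.com (the /query URL above is the browser form); the reply bodies are constructed samples in Google's JSON layout with addresses from 192.0.2.0/24, and only resolve_over_https() touches the network.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Assumption: Google's JSON API path (see the developers.google.com link above).
DOH_JSON_ENDPOINT = "https://dns.google.com/resolve"

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}


def build_doh_url(name, qtype="A", base=DOH_JSON_ENDPOINT):
    """URL for one DoH JSON query, e.g. .../resolve?name=google.com&type=A."""
    return base + "?" + urlencode({"name": name, "type": qtype})


def check_doh_answer(body, qname, qtype="A", require_ad=False):
    """Validate a DoH JSON reply body and return the rdata for qname/qtype.

    These are the same checks a stub resolver applies to a wire-format reply:
    rcode must be NOERROR, the reply must not be truncated, and the echoed
    Question must be the one we asked, so an answer for some other name can
    never be cached under this one. With require_ad=True the reply must also
    carry the AD flag (Google validated DNSSEC upstream).
    """
    msg = json.loads(body)
    status = msg.get("Status")
    if status != 0:
        raise ValueError(f"{qname}/{qtype}: rcode {RCODES.get(status, status)}")
    if msg.get("TC"):
        raise ValueError(f"{qname}/{qtype}: truncated reply")
    want = {"name": qname.lower().rstrip(".") + ".", "type": QTYPES[qtype]}
    got = [{"name": q["name"].lower(), "type": q["type"]} for q in msg.get("Question", [])]
    if want not in got:
        raise ValueError(f"question mismatch: asked {want}, reply carries {got}")
    if require_ad and not msg.get("AD"):
        raise ValueError(f"{qname}/{qtype}: not DNSSEC-validated (AD flag clear)")
    # Only records of the requested type; CNAME chain entries are skipped here.
    return [a["data"] for a in msg.get("Answer", []) if a["type"] == want["type"]]


def rejection_reason(body, qname, qtype="A", require_ad=False):
    """Return the validation error text for a reply, or None if it passes."""
    try:
        check_doh_answer(body, qname, qtype, require_ad)
    except ValueError as exc:
        return str(exc)
    return None


def resolve_over_https(qname, qtype="A", timeout=5):
    """Live lookup (needs network): fetch the JSON reply and validate it."""
    with urllib.request.urlopen(build_doh_url(qname, qtype), timeout=timeout) as resp:
        return check_doh_answer(resp.read().decode("utf-8"), qname, qtype)


# Constructed sample replies in Google's JSON layout (not real answers).
SAMPLE_OK = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "google.com.", "type": 1}],
    "Answer": [{"name": "google.com.", "type": 1, "TTL": 299, "data": "192.0.2.10"}],
})
SAMPLE_NXDOMAIN = json.dumps({
    "Status": 3, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "nosuchhost.tux.org.", "type": 1}],
})
SAMPLE_WRONG_QUESTION = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "example.net.", "type": 1}],
    "Answer": [{"name": "example.net.", "type": 1, "TTL": 60, "data": "192.0.2.99"}],
})

if __name__ == "__main__":
    print(build_doh_url("google.com", "MX"))
    print(check_doh_answer(SAMPLE_OK, "google.com"))
    print(rejection_reason(SAMPLE_WRONG_QUESTION, "google.com"))
```

The question-mismatch check matters most: HTTPS protects the transport, but the forwarder still has to confirm that the reply it received is for the name it sent before caching it, exactly as it would for a UDP reply.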
Here it runs on Debian with the IP address 10.10.10.23:
mkdir /opt/coredns
cd /opt/coredns
wget https://github.com/coredns/coredns/releases/download/v0.9.10/coredns_0.9.10_linux_amd64.tgz
tar -xzvf coredns_0.9.10_linux_amd64.tgz
An example setup could be as follows:
1. Create the master zone tux.org in the file tux.org:
$ORIGIN tux.org.
@ 3600 IN SOA dns.tux.org. noc.tux.org. (
        2017042745 ; serial
        300        ; refresh
        1800       ; retry
        1209600    ; expire
        7200       ; minimum
        )
        3600 IN NS ns1.tux.org.
        3600 IN NS ns2.tux.org.
ns1      IN A 10.10.10.23
ns2      IN A 10.10.10.23
www      IN A 10.10.10.22
mail     IN A 10.10.10.22
@        IN A 10.10.10.24
api      IN CNAME dns.google.com. ; CNAME data must be a hostname, not a URL
@        IN MX 10 mail.tux.org.
@        IN MX 20 mail.tux.org.
@        IN TXT "v=spf1 a mx ~all"
jrk      IN A 10.10.0.7
mail.jrk IN A 10.10.0.32
jrk      IN MX 10 mail.jrk.tux.org.
jrk      IN MX 20 mail.jrk.tux.org.
jrk      IN TXT "v=spf1 a mx ~all"
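Zone files are easy to get subtly wrong, and CoreDNS will happily load records that other resolvers or mail servers then choke on. The following Python is an added example (not code from the page or from CoreDNS): a small zone-file lint that parses the RFC 1035 text format used above, including the ( ... ) SOA continuation and blank-owner lines, and reports CNAME data that is not a hostname, a CNAME sharing an owner with other records, NS/MX targets inside the zone that have no A/AAAA record, and the same MX exchange listed twice with different preferences. The embedded zone is a constructed copy of the tux.org zone as it was first written on the page, where the api CNAME still pointed at a URL.

```python
import re
from collections import defaultdict

# Constructed sample: the tux.org zone as first written on the page, with
# leading whitespace restored on owner-less lines ("same owner as above").
SAMPLE_ZONE = """\
$ORIGIN tux.org.
@ 3600 IN SOA dns.tux.org. noc.tux.org. (
        2017042745 ; serial
        300        ; refresh
        1800       ; retry
        1209600    ; expire
        7200       ; minimum
        )
        3600 IN NS ns1.tux.org.
        3600 IN NS ns2.tux.org.
ns1      IN A 10.10.10.23
ns2      IN A 10.10.10.23
www      IN A 10.10.10.22
mail     IN A 10.10.10.22
@        IN A 10.10.10.24
api      IN CNAME https://dns.google.com.
@        IN MX 10 mail.tux.org.
@        IN MX 20 mail.tux.org.
@        IN TXT "v=spf1 a mx ~all"
jrk      IN A 10.10.0.7
mail.jrk IN A 10.10.0.32
jrk      IN MX 10 mail.jrk.tux.org.
jrk      IN MX 20 mail.jrk.tux.org.
jrk      IN TXT "v=spf1 a mx ~all"
"""

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.?$")


def _strip_comment(line):
    # ';' starts a comment, except inside quoted TXT data (kept whole here)
    return line.rstrip() if '"' in line else line.split(";", 1)[0].rstrip()


def _logical_lines(text):
    """Yield one logical line per record, joining ( ... ) continuations."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            joined = " ".join([buf[0]] + [l.strip() for l in buf[1:]])
            buf = []
            yield joined.replace("(", " ").replace(")", " ")


def absolutize(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Return (origin, [(owner, type, rdata_tokens), ...]) for a zone file."""
    records, last_owner = [], None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):      # $TTL and friends are not records
            continue
        if line[0].isspace():
            owner = last_owner             # blank owner: reuse the previous one
        else:
            owner = absolutize(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                  # optional TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                  # optional class
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return origin, records


def lint_zone(text, origin=None):
    """Return the problems a resolver or mail sender would trip over."""
    origin, records = parse_zone(text, origin)
    problems = []
    types_by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        types_by_owner[owner].add(rtype)
    has_address = {o for o, t in types_by_owner.items() if t & {"A", "AAAA"}}
    mx_prefs = defaultdict(lambda: defaultdict(set))   # owner -> exchange -> prefs

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    for owner, rtype, rdata in records:
        if rtype == "CNAME":
            if not HOSTNAME_RE.match(rdata[0]):
                problems.append(f"{owner}: CNAME target {rdata[0]!r} is not a hostname (URLs are not valid rdata)")
            if types_by_owner[owner] - {"CNAME"}:
                problems.append(f"{owner}: CNAME cannot coexist with other record types (RFC 1034)")
        elif rtype in ("NS", "MX"):
            target = absolutize(rdata[-1], origin)
            if in_zone(target) and target not in has_address:
                problems.append(f"{owner}: {rtype} target {target} has no A/AAAA record in this zone")
            if rtype == "MX" and len(rdata) == 2:
                mx_prefs[owner][target].add(rdata[0])
    for owner, exchanges in mx_prefs.items():
        for exch, prefs in exchanges.items():
            if len(prefs) > 1:
                problems.append(f"{owner}: MX {exch} listed {len(prefs)} times with different preferences; one entry is enough")
    return problems


if __name__ == "__main__":
    for problem in lint_zone(SAMPLE_ZONE):
        print(problem)
```

Run it before every `./coredns` restart; on the sample it flags the api CNAME and the duplicated MX entries for tux.org and jrk.tux.org, and a zone with a real hostname in the CNAME passes the CNAME checks.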
2. Create a Corefile (file config):
tux.org {
    file /opt/coredns/tux.org
    prometheus # enable metrics
    errors # show errors
    log # enable query logs
}
3. Run CoreDNS; by default it listens on port 53:
./coredns
4. Check from a client, pointing the client's DNS at 10.10.10.23:
fals@tux:~> dig tux.org
; <<>> DiG 9.9.9-P1 <<>> tux.org @10.10.10.23
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18226
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tux.org. IN A
;; ANSWER SECTION:
tux.org. 42000 IN A 10.10.10.24
;; AUTHORITY SECTION:
tux.org. 3600 IN NS ns1.tux.org.
tux.org. 3600 IN NS ns2.tux.org.
;; Query time: 1 msec
;; SERVER: 10.10.0.23#53(10.10.0.23)
;; WHEN: Wed Nov 22 11:16:41 WIB 2017
;; MSG SIZE rcvd: 88
5. Run CoreDNS on a custom port (5353)
- Create the master zone tux.net in the file tux.net:
@ 3600 IN SOA dns.tux.net. noc.tux.net. (
        2017042745 ; serial
        7200       ; refresh (2 hours)
        3600       ; retry (1 hour)
        1209600    ; expire (2 weeks)
        3600       ; minimum (1 hour)
        )
        3600 IN NS ns1.tux.net.
        3600 IN NS ns2.tux.net.
www      IN A 10.10.10.22
@        IN A 10.10.10.22
         IN AAAA ::1
- Create a Corefile (config file):
tux.net:5353 {
    file /opt/coredns/tux.net
}
- Check from the client:
; <<>> DiG 9.9.9-P1 <<>> tux.net @10.10.0.23 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54398
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tux.net. IN A
;; ANSWER SECTION:
tux.net. 3600 IN A 10.10.0.22
;; AUTHORITY SECTION:
tux.net. 3600 IN NS ns1.tux.net.
tux.net. 3600 IN NS ns2.tux.net.
;; Query time: 3 msec
;; SERVER: 10.10.0.23#5300(10.10.0.23)
;; WHEN: Wed Nov 22 11:34:52 WIB 2017
;; MSG SIZE rcvd: 88
6. CoreDNS proxy
Create a Corefile (file config):
. {
    proxy . 8.8.8.8:53 8.8.4.4:53 {
        protocol https_google
    }
    cache 3600
    errors
    log stdout
    whoami
}
7. Multiple master zones and proxy
Combining the two zones above, the Corefile can look like this:
tux.org {
    file /opt/coredns/tux.org
    prometheus # enable metrics
    errors # show errors
    log # enable query logs
}
tux.net:5353 {
    file /opt/coredns/tux.net
}
. {
    proxy . 8.8.8.8:53 8.8.4.4:53 {
        protocol https_google
    }
    cache 3600
    errors
    log stdout
    whoami
}
So in the case above the directory /opt/coredns contains the coredns binary, the Corefile, and the zone files tux.org and tux.net.
To run CoreDNS with a custom default port:
./coredns -conf Corefile -dns.port 1053
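With three server blocks on two ports it is worth being precise about which block answers which query, because that decides whether a name is answered from a local zone file or forwarded to Google. The following Python is an added example, not CoreDNS code: a simplified model of CoreDNS block selection (blocks are grouped by listening port, the longest matching zone wins, and a name that no block on that port covers is refused), fed with a constructed copy of the multi-zone Corefile above. The default_port argument models the -dns.port flag, which only moves the blocks that do not name a port explicitly.

```python
import re

# Constructed copy of the page's multi-zone Corefile (comments dropped).
COREFILE = """\
tux.org {
    file /opt/coredns/tux.org
    prometheus
    errors
    log
}
tux.net:5353 {
    file /opt/coredns/tux.net
}
. {
    proxy . 8.8.8.8:53 8.8.4.4:53 {
        protocol https_google
    }
    cache 3600
    errors
    log stdout
    whoami
}
"""


def parse_corefile(text, default_port=53):
    """Reduce a Corefile to its server blocks, keeping only routing directives.

    default_port is what -dns.port changes; blocks with an explicit :port
    keep that port.
    """
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0:
            m = re.match(r"^(\S+)\s*\{$", line)
            if not m:
                raise ValueError(f"expected a server block header, got: {line}")
            zone, _, port = m.group(1).partition(":")
            current = {"zone": zone if zone.endswith(".") else zone + ".",
                       "port": int(port) if port else default_port,
                       "handler": None, "upstreams": [], "protocol": "dns"}
            depth = 1
            continue
        depth += line.count("{") - line.count("}")
        tokens = line.rstrip("{").split()
        if tokens and tokens[0] == "file":
            current["handler"] = ("file", tokens[1])
        elif tokens and tokens[0] == "proxy":
            current["handler"] = ("proxy", tokens[1])
            current["upstreams"] = tokens[2:]
        elif tokens and tokens[0] == "protocol":
            current["protocol"] = tokens[1]
        if depth == 0:
            blocks.append(current)
    return blocks


def _in_zone(qname, zone):
    return zone == "." or qname == zone or qname.endswith("." + zone)


def route(blocks, qname, port=53):
    """Pick the block CoreDNS would use for qname on this listening port.

    None means no block bound to that port covers the name; CoreDNS then
    answers REFUSED instead of forwarding.
    """
    q = qname.lower().rstrip(".") + "."
    matches = [b for b in blocks if b["port"] == port and _in_zone(q, b["zone"])]
    if not matches:
        return None
    return max(matches, key=lambda b: len(b["zone"]))


def describe(blocks, qname, port=53):
    """One-line verdict for a query, handy when checking a Corefile by hand."""
    b = route(blocks, qname, port)
    if b is None:
        return f"{qname} on port {port}: REFUSED (no zone bound on this port)"
    kind, arg = b["handler"]
    if kind == "file":
        return f"{qname} on port {port}: authoritative from {arg}"
    return f"{qname} on port {port}: forwarded via {b['protocol']} to {' '.join(b['upstreams'])}"


if __name__ == "__main__":
    blocks = parse_corefile(COREFILE)
    for name, port in [("www.tux.org", 53), ("tux.net", 5353), ("tux.net", 53),
                       ("gmail.com", 53), ("gmail.com", 5353)]:
        print(describe(blocks, name, port))
```

The case to notice is tux.net on port 53: the tux.net block is only bound to 5353, so on port 53 the catch-all `.` block matches and the query for an internal name is forwarded to Google. If that is not intended, bind the tux.net zone on port 53 as well (or put both zones on the same port).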
Don't forget the startup script, so CoreDNS comes back up straight away after a restart.
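One way to do that on Debian 8, which already uses systemd, is a unit file. This is an added example, not from the page or the CoreDNS project; it assumes a dedicated system user `coredns` (create it with `adduser --system --no-create-home --group coredns`) so the forwarder does not run as root, and the paths from the setup above.

```ini
# /etc/systemd/system/coredns.service (example unit; the coredns user is an assumption)
[Unit]
Description=CoreDNS forwarder (DNS over HTTPS upstream)
After=network-online.target
Wants=network-online.target

[Service]
User=coredns
Group=coredns
WorkingDirectory=/opt/coredns
ExecStart=/opt/coredns/coredns -conf /opt/coredns/Corefile
Restart=on-failure
# Binding port 53 as a non-root user needs CAP_NET_BIND_SERVICE.
# AmbientCapabilities= requires systemd 229 or newer; Debian 8 ships 215, so
# there grant it on the binary instead:
#   setcap cap_net_bind_service=+ep /opt/coredns/coredns
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=full
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

Enable it with `systemctl enable coredns && systemctl start coredns`, then repeat the dig checks below after a reboot to confirm the service came back on its own.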
dig -p 53 gmail.com @10.10.10.23
dig TXT on port 443, DNS server IP 10.10.10.23:
dig -p 443 gmail.com TXT @10.10.10.23
dig MX on port 5353, DNS server IP 10.10.10.23:
dig -p 5353 gmail.com MX @10.10.10.23