DNS over TLS

DNS over TLS, is a internet protocol that got standardized in May 2016 RFC 7858.

This protocol is like the unencrypted DNS protocol, but encrypted and wrapped with TLS.

A good thing about this protocol is that Android have built in DNS over TLS into their operating system.

The biggest drawback on this protocol is that its using its own port number, this makes it harder to use encrypted DNS on public networks that either havent opened up for DNS over TLS traffic, or have actively blocked it. A protocol that can bypass a lot of network blocking is DNS over HTTPS.

Install nginx:

apt-get install nginx

Create ssl and streams directories:

mkdir /etc/nginx/ssl
mkdir /etc/nginx/streams

Generate dhparam:

cd /etc/nginx/ssl
openssl dhparam -out dhparam.pem 4096

Edit /etc/nginx/nginx.conf to use configs in streams directory:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {}

stream {
        include /etc/nginx/streams/*;

Add this to /etc/nginx/streams/dns-over-tls, to get dns-over-tls working in nginx:

upstream dns-servers {
server {
  listen 853 ssl;
  listen [::]:853 ssl;
  ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/private.pem; # managed by Certbot
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  ssl_protocols        TLSv1.2;
  ssl_ciphers          HIGH:!aNULL:!MD5;

  ssl_handshake_timeout    10s;
  ssl_session_cache        shared:SSL:20m;
  ssl_session_timeout      4h;
  proxy_pass dns-servers;