DNS over TLS
DNS over TLS is an internet protocol that was standardized in May 2016 as RFC 7858.
The protocol carries the same messages as the unencrypted DNS protocol, but the connection is wrapped in TLS, so queries and answers are encrypted in transit.
One advantage of this protocol is that Android has DNS over TLS support built into the operating system.
The biggest drawback of this protocol is that it uses its own port number (853), which makes it harder to use encrypted DNS on public networks that either have not opened up for DNS over TLS traffic or have actively blocked it. A protocol that can bypass a lot of network blocking is DNS over HTTPS.
Install nginx:
apt-get install nginx
Create ssl and streams directories:
mkdir /etc/nginx/ssl
mkdir /etc/nginx/streams
Generate dhparam:
cd /etc/nginx/ssl
openssl dhparam -out dhparam.pem 4096
Edit /etc/nginx/nginx.conf to use the configs in the streams directory:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {}
stream {
    include /etc/nginx/streams/*;
}
Add this to /etc/nginx/streams/dns-over-tls to get DNS over TLS working in nginx:
upstream dns-servers {
    # Local resolver; the stream proxy forwards TCP, so it must answer DNS over TCP
    server 127.0.0.1:53;
}

server {
    listen 853 ssl;        # DNS over TLS port (RFC 7858)
    listen [::]:853 ssl;
    ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem; # managed by Certbot (Certbot names the key file privkey.pem)
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_handshake_timeout 10s;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 4h;
    proxy_pass dns-servers; # hand the decrypted TCP DNS stream to the upstream
}
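To verify the proxy from a client once nginx is running, here is an added example (not part of the original page): a minimal DNS-over-TLS client in Python that opens a certificate-verified TLS session to port 853, sends one query using the 2-byte length framing DoT shares with TCP DNS (RFC 7858 section 3.3), and summarises the response header. The resolver hostname is passed on the command line; "example.com" is a constructed sample query name.

```python
"""Minimal DNS-over-TLS client check (RFC 7858): DNS messages, length-framed, inside TLS."""
import socket
import ssl
import struct
import sys

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode an A-record query for `name` in RFC 1035 wire format (RD=1, one question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode() for part in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(msg: bytes) -> bytes:
    """DoT uses the TCP DNS framing: a 2-byte big-endian length prefix before each message."""
    return struct.pack("!H", len(msg)) + msg

def unframe(buf: bytes) -> bytes:
    """Strip the length prefix, rejecting a frame shorter than its declared length."""
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) - 2 < length:
        raise ValueError("short DoT frame")
    return buf[2:2 + length]

def response_summary(msg: bytes) -> dict:
    """Pull id, QR bit, RCODE and answer count out of a DNS response header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F, "answers": an}

def dot_query(server: str, name: str, port: int = 853) -> dict:
    """Send one query over a verified TLS connection (SNI and hostname check use `server`)."""
    ctx = ssl.create_default_context()  # verifies the chain against system CAs and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(name)))
            hdr = tls.recv(2)
            (length,) = struct.unpack("!H", hdr)
            body = b""
            while len(body) < length:  # TLS records may split the DNS message
                chunk = tls.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("connection closed mid-frame")
                body += chunk
            return response_summary(unframe(hdr + body))

if __name__ == "__main__":
    print(dot_query(sys.argv[1], "example.com"))  # usage: python dot_check.py your.resolver.domain
```

A successful run returns is_response True with rcode 0; a TLS error here (certificate or hostname mismatch) points at the ssl_certificate lines in the nginx stream config rather than at DNS.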