DNS over TLS setup on Turris Omnia using Knot DNS Resolver

Posted in Blog on July 14th, 2018. 1 comment.

Information extracted from here.

Go to the Foris DNS tab and make sure that "Use forwarding" is not checked, then save. (Foris is the Omnia's web interface; leaving forwarding on would send queries to the ISP's resolvers in plain text and bypass the rule added below.)

Fetch the CA certificate that issued cloudflare-dns.com's TLS certificate and convert it from DER to PEM, which is the format kresd expects for ca_file. From /root:

wget https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt

openssl x509 -inform der -in DigiCertECCSecureServerCA.crt -out DigiCertECCSecureServerCA.pem

Copy the PEM file into /etc/ssl/certs so the resolver can read it:

cp DigiCertECCSecureServerCA.pem /etc/ssl/certs/DigiCertECCSecureServerCA.pem

Create the configuration file /etc/kresd/custom.conf with the following content. policy.all matches every query, and policy.TLS_FORWARD sends each one over TLS on port 853 to the listed servers; hostname is the name that must appear in the server's certificate and ca_file is the only trust anchor kresd will accept for it, so a server that cannot present a matching, validly chained certificate is refused rather than falling back to plain DNS:

policy.add(policy.all(
    policy.TLS_FORWARD({
        {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'},
        {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'}
    })
))

The resolver needs to know where to find the rule, so edit /etc/config/resolver and add the following line at the end of the config resolver 'kresd' section:

option include_config '/etc/kresd/custom.conf'

Restart the resolver with the following command:

/etc/init.d/resolver restart

You are all done. kresd now forwards every query over TLS to Cloudflare's 1.1.1.1 and 1.0.0.1, and refuses the connection if the server's certificate does not chain to the pinned CA file or does not carry the cloudflare-dns.com name.

Two caveats when checking the result. dnsleaktest.com only shows which resolver your queries end up at (it should now report Cloudflare); it cannot tell whether the last hop left the Omnia encrypted. To confirm TLS is actually in use, open https://1.1.1.1/help from a client behind the router, which reports whether DNS over TLS is being used, or watch the WAN interface for traffic to port 853 instead of port 53. Second, the CA file is a pin: intermediate CAs rotate, and if the certificate cloudflare-dns.com presents no longer chains to DigiCertECCSecureServerCA.pem, kresd will fail the TLS handshake and resolution stops rather than silently falling back to plain DNS. Before and after deploying, verify the chain from a workstation with openssl s_client against 1.1.1.1 port 853, passing the same server name and CA file, and check the resolver log after the restart.
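As an added example that is not part of the original post, the following Python script does from a laptop what kresd is configured to do above: it connects to 1.1.1.1 on port 853, trusts only the pinned CA file, requires the cloudflare-dns.com name in the certificate, and exchanges one DNS message with the 2-byte length prefix that DNS over TLS (RFC 7858) requires. Running it with the same ca_file confirms the certificate chain before you touch the router, and it fails the same way kresd would if the pinned CA no longer matches. The server address, hostname and CA path are taken from the post; the default query name example.com and the function names are this example's own choices, and the test response at the bottom is constructed, not captured.

```python
import random
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (RFC 1035 wire format) for `name`, type A by default."""
    if txid is None:
        txid = random.randrange(0, 65536)
    # header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode('ascii')
                     for label in name.rstrip('.').split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', qtype, 1)  # QTYPE, QCLASS=IN


def frame(msg):
    """DoT framing (RFC 7858): each DNS message is prefixed by its 2-byte big-endian length."""
    return struct.pack('!H', len(msg)) + msg


def read_name(data, offset):
    """Decode a possibly compressed domain name; return (name, offset after the name)."""
    labels = []
    end = None  # set when we follow a compression pointer
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack('!H', data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode('ascii'))
        offset += length
    return '.'.join(labels), end if end is not None else offset


def parse_response(data, expected_txid):
    """Parse a DNS response; return (rcode, list of IPv4 strings from A records)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', data[:12])
    if txid != expected_txid:
        raise ValueError('transaction id mismatch')
    if not flags & 0x8000:
        raise ValueError('not a response')
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4                          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def recv_exact(sock, n):
    """Read exactly n bytes or raise; TLS records need not align with DNS messages."""
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('connection closed mid-message')
        buf += chunk
    return buf


def dot_query(name, server='1.1.1.1', hostname='cloudflare-dns.com',
              ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem', timeout=5):
    """Resolve `name` over DNS-over-TLS, trusting only ca_file and requiring `hostname` in the cert."""
    # cafile= replaces the system trust store, so this is a pin, exactly like kresd's ca_file.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # The post pins an intermediate CA, not a root, so accept a chain ending at it (Python 3.10+).
    if hasattr(ssl, 'VERIFY_X509_PARTIAL_CHAIN'):
        ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    query = build_query(name)
    txid = struct.unpack('!H', query[:2])[0]
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack('!H', recv_exact(tls, 2))
            response = recv_exact(tls, length)
    return parse_response(response, txid)


if __name__ == '__main__':
    import sys
    print(dot_query(sys.argv[1] if len(sys.argv) > 1 else 'example.com'))
```

If the handshake raises an ssl.SSLCertVerificationError, the pinned file no longer matches what the server presents and the kresd rule above would fail the same way; if it succeeds but a sniffer on the WAN still shows port 53 traffic, the include_config line or the Foris forwarding setting is the thing to recheck.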

Comments (1)

Ted Konow

    September 22, 2020 at 2:33 am

    Thank you for the good writeup. It in fact was a leisure account it. Look complex to more added agreeable from you! However, how could we keep up a correspondence?
