RFC 7858 specifies DNS over TLS (Transport Layer Security). There are multiple ways to implement DoT. One implementation example, which uses nginx, is provided in the contrib directory of the BIND 9 distribution, entitled 'dnspriv'. This article explains how to provide a DNS over TLS service using BIND 9 and stunnel.

BIND 9 configuration: nothing special, but if you want to limit external insecure access to the service you can play with the listen-on clause (address and port), acl, or even a system firewall, as BIND 9 provides no per-transport-protocol access control. The setup of a privacy aggregator is at the end.

Stunnel setup for the opportunistic privacy profile:

Create an X.509 public key certificate, for instance by:

openssl req -new -key dns.key -out dns.crt -x509

This creates a self-signed certificate, enough for clients performing no authentication. The service_name should be dns according to documentation. The DNS over TLS well-known port is 853; stunnel will accept any TLS connection on this port and forward the content in TCP to 127.0.0.1 (localhost) on port 53 (dns). Launch stunnel in daemon mode using the configuration file:

Stunnel setup for the out-of-band key-pinned privacy profile:

You should use a real X.509 CA, but for experiments you can create a CA certificate by:

openssl req -new -key ca.key -out ca.crt -x509 -extensions v3_ca

Create an X.509 public key certificate in an X.509 Certificate Authority, for instance the homemade CA:

openssl req -new -key dns.key -out dns.req
openssl x509 -req -in dns.req -out dns.crt -CA ca.crt -CAkey ca.key -CAcreateserial