DaemonForums > OpenBSD > OpenBSD Packages and Ports
#1
19th December 2019
ip6ix (Fdisk Soldier, Join Date: Sep 2017, Posts: 66)
DNS-over-TLS using stubby

I've been reading about the various DNS privacy extensions recently, in particular DNS-over-HTTPS and DNS-over-TLS. I have my reservations about the former, but the latter using transport layer security piqued my interest and I decided to look for a solution which would work on OpenBSD and be fairly easy to implement.

GetDNS https://getdnsapi.net/releases/ seemed to fit the bill. This is how I got a DNS-over-TLS stub resolver working on OpenBSD 6.6 stable:

Pull the latest release of getdns from the above site. Stubby is included in the source. Read the README! Some prerequisites are needed: libunbound, libidn2, libtool, autoconf, the GNU toolchain, libgnutls, GNU make.

The following 'configure' command worked for me:

Code:
./configure --with-stubby --with-gnutls --with-nettle --disable-ecdsa
After a "gmake && doas gmake install" I had a working DNS-over-TLS on my system.

How to use it.

To test it, start stubby like so:

Code:
# stubby -g -l > /tmp/stubby.log
The stubby resolver listens on localhost, so queries of the form

Code:
% dig @::1 openbsd.org
are needed. To permanently add this to the system, modify /etc/resolv.conf with a single "nameserver ::1" or "nameserver 127.0.0.1" line (but not both).
__________________
dc -e '[q]sa[ln0=aln256%Pln256/snlbx]sb12247225403800449909543746snlbxq'
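Two checks for the setup described above, added here as an example and not code from the thread: one confirms that resolv.conf sends everything to the local stub (either or both loopback lines are accepted), the other scans `netstat -an` output for sockets whose foreign port is 53, which would mean plaintext DNS is still leaving the host instead of stubby's TLS sessions on port 853. It assumes OpenBSD's netstat format (addresses printed as host.port) and uses constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for a stubby DoT setup on OpenBSD.
# Assumptions: resolv.conf text is passed as a string, and netstat output is in
# OpenBSD `netstat -an` format (addresses printed as host.port, foreign address in
# column 5). The sample inputs below are constructed.

# Return 0 when every nameserver line points at the local stub (::1 or 127.0.0.1,
# either or both), 1 when any nameserver would bypass stubby.
resolv_uses_stub() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        $1 == "nameserver" && $2 != "::1" && $2 != "127.0.0.1" { bad = 1; print "bypasses stub:", $0 }
        END { exit bad }'
}

# Return 0 when no socket has a foreign port of 53 (plaintext DNS leaving the host),
# 1 otherwise; stubby's upstream DoT sessions appear on port 853 instead. Listeners
# ("*.*" foreign address) do not match the regex and are ignored.
no_plain_dns_upstream() {
    printf '%s\n' "$1" | awk '
        BEGIN { leak = 0 }
        $1 ~ /^(tcp|udp)/ && $5 ~ /\.53$/ { leak = 1; print "plaintext DNS:", $0 }
        END { exit leak }'
}

# Constructed sample inputs (192.0.2.0/24 is the documentation range).
GOOD_RESOLV='nameserver ::1
nameserver 127.0.0.1
lookup file bind'
BAD_RESOLV='nameserver ::1
nameserver 192.0.2.1'
GOOD_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.14532       192.0.2.53.853         ESTABLISHED
udp          0      0  127.0.0.1.53           *.*
udp6         0      0  ::1.53                 *.*'
LEAKY_NETSTAT='udp          0      0  192.0.2.10.40101       192.0.2.53.53'

# Run against the live system only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    resolv_uses_stub "$(cat /etc/resolv.conf)" && echo "resolv.conf: ok"
    no_plain_dns_upstream "$(netstat -an)" && echo "no plaintext DNS upstream: ok"
fi
```

Run it with `--live` on the box after starting stubby and issuing a few queries; a hit from the second check means some resolver is still speaking plain DNS to port 53.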
#2
29th December 2019
CiotBSD (c107:b5d::, Join Date: Jun 2019, Location: Under /, Posts: 175)

Yes, stubby can query DNS servers with DoT, as un(bou|wi)nd does, and equally for DNSSEC.
And perhaps, in future, it will also query over DoH.

Question: why attempt to build, install and compile this tool rather than unwind, which is in the base system by default, or unbound, which is available as a package?!
Just for fun, to try and test?

----

Quote:
To permanently add this to the system, modify /etc/resolv.conf with a single "nameserver ::1" or "nameserver 127.0.0.1" line (but not both).
I disagree with the final sentence. You can use both lines, without any problem!
(you just need IPv4 and IPv6 addresses)

----


For all French readers, read my article; in EN.

Last edited by CiotBSD; 29th December 2019 at 10:59 PM.
#3
30th December 2019
ip6ix (Fdisk Soldier, Join Date: Sep 2017, Posts: 66)

Quote:
Originally Posted by CiotBSD
Yes, stubby can query DNS servers with DoT, as un(bou|wi)nd does, and equally for DNSSEC.
And perhaps, in future, it will also query over DoH.

Question: why attempt to build, install and compile this tool rather than unwind, which is in the base system by default, or unbound, which is available as a package?!
Just for fun, to try and test?
Yes, there is that. Also, I didn't realise unwind(8) / unbound(8) supported DNS-over-TLS at the time I wrote the above. Now that I do, I'd recommend sticking with them, rather than using stubby. Actually, unwind(8) (which I wasn't aware of) looks ideal for using on this laptop.

Quote:
I disagree with the final sentence. You can use both lines, without any problem!
(you just need IPv4 and IPv6 addresses)
You're right! Thanks for the correction.