userdoc:tt_dns_tls_proxy

userdoc:tt_dns_tls_proxy [2018/04/21 21:24]
abelbeck [DNS-TLS Proxy Configuration]
userdoc:tt_dns_tls_proxy [2023/02/17 19:38]
abelbeck
Line 1: Line 1:
 ====== DNS-TLS Proxy Server ====== ====== DNS-TLS Proxy Server ======
  
-AstLinux now supports the [[https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby|getdns/stubby]] package, a local DNS Privacy stub resolver using DNS-over-TLS+AstLinux supports the [[https://nlnetlabs.nl/projects/unbound/about/|unbound]] package, functioning as a local DNS proxy forwarder using DNS-over-TLS.
-Getdns/Stubby encrypts local DNS queries forwarded to upstream recursive DNS-TLS servers.+
  
-The ''stubby'' local service functions as a DNS forwarder, used in conjunction with dnsmasq, encrypting and authenticating requests using the DNS-TLS protocol and passing them to an upstream DNS-TLS server.+The ''unbound'' local service functions as a DNS forwarder, used in conjunction with dnsmasq, encrypting and authenticating requests using the DNS-TLS protocol and passing them to an upstream DNS-TLS server.
  
-DNS and Privacy talk by [[https://www.youtube.com/watch?v=gQfjEFZNlLg|Sara Dickinson]], Sinodun YouTube+!!NoteAstLinux 1.3.3 through 1.4.0 supported DNS-TLS!! but used ''stubby''
  
-!!Note: AstLinux 1.3.or later is required!!+!!Note: AstLinux 1.4.or later!! uses ''unbound''
  
 ==== DNS-TLS Proxy Configuration ==== ==== DNS-TLS Proxy Configuration ====
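Review bot: the two replacement notes on the right side of this hunk have markup and typo problems: ''!!NoteAstLinux 1.3.3 through 1.4.0 supported DNS-TLS!!'' is missing the colon and space after "Note", and ''!!Note: AstLinux 1.4.or later!!'' carries the same "1.4.or later" typo the old "1.3.or later" text had, so the patch digit of the version appears to be missing; also the ''!!...!!'' highlight closes before "but used ''stubby''" / "uses ''unbound''", leaving half of each note outside the highlight. Suggest closing the highlight after the whole sentence, e.g. ''!!Note: AstLinux 1.3.3 through 1.4.0 supported DNS-TLS using stubby!!'', and filling in the intended version number.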
Line 22: Line 21:
 By default DNS-TLS is disabled, to enable, select "enabled" from the menu and click **Save Settings** and then **Restart DNS-TLS**. By default DNS-TLS is disabled, to enable, select "enabled" from the menu and click **Save Settings** and then **Restart DNS-TLS**.
  
-{{:userdoc:dns_tls-default-config1.jpg?nolink|DNS-TLS Default Configuration}}+{{:userdoc:dns_tls-default-config1x.jpg?nolink|DNS-TLS Default Configuration}}
  
-The "Query Server(s)" selection defines the stubby ''round_robin_upstreams'' configuration. By default, only the first upstream server entry is used. If the server becomes unavailable then the next server in the list will be used. +\\
- +
-{{:userdoc:dns_tls-default-config1a.jpg?nolink|DNS-TLS Default Configuration}} +
- +
-If you want to enable the stubby ''round_robin_upstreams'' configuration, select the +
  
 {{:userdoc:dns_tls-default-config2.jpg?nolink|DNS-TLS Default Configuration}} {{:userdoc:dns_tls-default-config2.jpg?nolink|DNS-TLS Default Configuration}}
  
 The default configuration is to use [[https://quad9.net/|Quad9]] as the DNS-TLS provider, which is a good choice for most users. The default configuration is to use [[https://quad9.net/|Quad9]] as the DNS-TLS provider, which is a good choice for most users.
 +
 +!!Note ->!! The tilde (''~'') separated ''IPv4/IPv6'' and ''Auth_Name'' must **both** be defined.  The ''Optional_Port'' defaults to ''853''.
  
 ==== DNS-TLS Proxy server list ==== ==== DNS-TLS Proxy server list ====
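Review bot: the paragraph removed on the left ("By default, only the first upstream server entry is used. If the server becomes unavailable then the next server in the list will be used.") was the only text explaining how multiple "Query Server(s)" entries are used, and the right side adds the tilde-format note but nothing about selection or fallback with ''unbound'', so a reader who adds several entries from the server list cannot tell whether they are tried in order or all used. Suggest one sentence after the ''!!Note ->!!'' line describing how unbound handles multiple forwarders. Dropping the old ''If you want to enable the stubby ''round_robin_upstreams'' configuration, select the'' line is fine, since it was already truncated in the previous revision.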
Line 38: Line 35:
 The default [[https://quad9.net/|Quad9]] DNS-TLS provider is an "anycast" server, so it should provide reasonable performance throughout the world. The default [[https://quad9.net/|Quad9]] DNS-TLS provider is an "anycast" server, so it should provide reasonable performance throughout the world.
  
-If your external connection supports native IPv6, you may want to add the Quad9 IPv6 server.+Below is a list of IPv4-only and IPv4/IPv6 entries for various public "anycast" DNS-TLS servers.
  
-  2620:fe::fe~dns.quad9.net+**Quad9 DNSSEC (block threats/malware)** 
 + 
 +IPv4-only:
   9.9.9.9~dns.quad9.net   9.9.9.9~dns.quad9.net
   149.112.112.112~dns.quad9.net   149.112.112.112~dns.quad9.net
  
-Additional DNS-TLS public servers can be found here: [[https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers|DNS Privacy Recursive Servers]]+IPv4/IPv6: 
 +  2620:fe::fe~dns.quad9.net 
 +  9.9.9.9~dns.quad9.net 
 + 
 +**Quad9 (no filtering, no upstream DNSSEC)** 
 + 
 +IPv4-only: 
 +  9.9.9.10~dns.quad9.net 
 +  149.112.112.10~dns.quad9.net 
 + 
 +IPv4/IPv6: 
 +  2620:fe::10~dns.quad9.net 
 +  9.9.9.10~dns.quad9.net 
 + 
 +**Cloudflare DNSSEC (no filtering)** 
 + 
 +IPv4-only: 
 +  1.1.1.1~cloudflare-dns.com 
 +  1.0.0.1~cloudflare-dns.com 
 + 
 +IPv4/IPv6: 
 +  2606:4700:4700::1111~cloudflare-dns.com 
 +  1.1.1.1~cloudflare-dns.com 
 + 
 +**Cloudflare DNSSEC (block malware)** 
 + 
 +IPv4-only: 
 +  1.1.1.2~cloudflare-dns.com 
 +  1.0.0.2~cloudflare-dns.com 
 + 
 +IPv4/IPv6: 
 +  2606:4700:4700::1112~cloudflare-dns.com 
 +  1.1.1.2~cloudflare-dns.com 
 + 
 +**Cloudflare DNSSEC (block malware/adult)** 
 + 
 +IPv4-only: 
 +  1.1.1.3~cloudflare-dns.com 
 +  1.0.0.3~cloudflare-dns.com 
 + 
 +IPv4/IPv6: 
 +  2606:4700:4700::1113~cloudflare-dns.com 
 +  1.1.1.3~cloudflare-dns.com 
 + 
 +**Google DNSSEC (no filtering)** 
 + 
 +IPv4-only: 
 +  8.8.8.8~dns.google 
 +  8.8.4.4~dns.google 
 + 
 +IPv4/IPv6: 
 +  2001:4860:4860::8888~dns.google 
 +  8.8.8.8~dns.google 
 + 
 +**NextDNS DNSSEC (block threats/malware/trackers/ads)** [[https://nextdns.io/|NextDNS Setup]]\\ 
 +(Replace the ''xxxxxx'' with your unique Endpoint ID) 
 + 
 +IPv4-only: 
 +  45.90.28.0~xxxxxx.dns.nextdns.io 
 +  45.90.30.0~xxxxxx.dns.nextdns.io 
 + 
 +IPv4/IPv6: 
 +  45.90.28.0~xxxxxx.dns.nextdns.io 
 +  2a07:a8c0::~xxxxxx.dns.nextdns.io 
 +  45.90.30.0~xxxxxx.dns.nextdns.io 
 +  2a07:a8c1::~xxxxxx.dns.nextdns.io 
 + 
 +\\ 
 +Additional DNS-TLS public servers can be found here: [[https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers|DNS Privacy Public Resolvers]]
  
 +\\
  
 ==== Display DNS-TLS Status ==== ==== Display DNS-TLS Status ====
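Review bot: the removed sentence ''If your external connection supports native IPv6, you may want to add the Quad9 IPv6 server.'' was the only caveat telling users when the IPv4/IPv6 entries apply, and the new lead-in ''Below is a list of IPv4-only and IPv4/IPv6 entries...'' should keep that condition, since an IPv6 forwarder address is unreachable from a site without native IPv6 upstream. Smaller points: the NextDNS IPv4/IPv6 block lists four addresses while every other provider lists two, which should be stated as intentional or trimmed for consistency; the trailing spaces after most added lines and the bare ''\\'' line breaks before the "Additional DNS-TLS public servers" link are redundant with the surrounding blank lines.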
  • userdoc/tt_dns_tls_proxy.txt
  • Last modified: 2023/02/17 19:38
  • by abelbeck