#dnsd — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dnsd, aggregated by home.social.

  1. I'm experimenting with DNS security this weekend. While plaintext DNS over 53/udp is still ubiquitous, there are two decent options that have been developed to provide security of that data in transit: DNS-over-TLS and DNS-over-HTTPS.

    The latter is likely the more widely used; modern browsers have the capability to specify DNS-over-HTTPS and natively circumvent a potentially insecure local resolver. DNS-over-TLS is older (as I understand it) and I've found support more rare. But I have been able to use it on Android with a manual setting.

    I've added #DoT and #DoH capabilities to my WIP VPP-native #dnsd caching recursor. I also added the ability for the daemon to seamlessly request and provision TLS certificates from LetsEncrypt using #TLSALPN01. No messing around with DNS records or secondary HTTP servers - just set some configuration options and a public address and it handles the rest.

    So far I have the software serving my Firefox browsers using DoH, my Android phone using DoT, and my Windows laptop at a system level using DoH. I thought my Macs would be the easiest because they generally have been about #IPv6 and RAs. But from what I can see, they have some outdated requirements for automatic provisioning (i.e., providing the TLS domain name in the message isn't enough; TLS also needs to include SAN records for the IP addresses) that have proven intractable so far with my tech stack. To be fair, none of the other systems configure this automatically either. But I have come to expect more from my Macs.

    Regardless, I added several record types in sfw and dhcpd to facilitate automatic assignment when the systems support it.

    > dnsd-query stats
    
    {
      "type": "stats",
      "queries_udp": 644,
      "queries_tcp": 0,
      "queries_dot": 76,
      "queries_doh": 188,
      "cache_hits": 127,
      "cache_misses": 775,
      "forwarder_matched": 0,
      "recursion_walked": 534,
      "rrl_dropped": 0,
      "acl_denied": 0,
      "dns64_synthesised": 100,
      "dnssec_validated": 64,
      "dnssec_failed": 0,
      "udp_inflight_shed": 0
    }
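As an added example (not code from the post or from the dnsd project), a small Python probe for the certificate requirement described above: it reports which resolver addresses a DoT server's certificate does not cover by IP-address SAN, and sends one length-prefixed query (RFC 7858 framing) over the same connection. The certificate dictionary and addresses below are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns; `probe_dot` needs a live resolver and is not exercised by the sample.

```python
import ipaddress
import socket
import ssl
import struct

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "dns.example.net"),),),
    "subjectAltName": (
        ("DNS", "dns.example.net"),
        ("IP Address", "192.0.2.53"),
        ("IP Address", "2001:DB8:0:0:0:0:0:53"),  # OpenSSL may print IPv6 uncompressed
    ),
}


def san_ips(cert):
    """IP-address SAN entries of a getpeercert() dict, normalised via ipaddress."""
    return {ipaddress.ip_address(v) for k, v in cert.get("subjectAltName", ()) if k == "IP Address"}


def missing_ip_sans(cert, resolver_ips):
    """Resolver addresses (strings) that the certificate does not cover with an IP SAN."""
    covered = san_ips(cert)
    return [ip for ip in resolver_ips if ipaddress.ip_address(ip) not in covered]


def build_dot_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query (RD set, QCLASS IN) with the 2-byte length prefix DoT uses."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def probe_dot(host, port=853, server_name=None):
    """Connect to a DoT resolver; return (peer cert, uncovered addresses, RCODE of a test query)."""
    addrs = {info[4][0] for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)}
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            cert = tls.getpeercert()
            tls.sendall(build_dot_query("example.com."))
            length = struct.unpack("!H", tls.recv(2))[0]
            resp = b""
            while len(resp) < length:  # DoT responses carry the same 2-byte length prefix
                resp += tls.recv(length - len(resp))
            rcode = resp[3] & 0x0F
    return cert, missing_ip_sans(cert, addrs), rcode
```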