Secure DNS with bind and DoT

Starting with BIND 9.19, you can now set up DNS over TLS in the forwarders option.

You can use this in Fedora now by installing the bind9-next packages instead of bind.

Configuring this is quite simple. The example below uses Google, Quad9 and Cloudflare as upstream DNS servers:

tls cloudflare-tls { remote-hostname "one.one.one.one"; };
tls quad9-tls { remote-hostname "dns.quad9.net"; };
tls google-tls { remote-hostname "dns.google"; };
options {
    ...
    forwarders port 853 {
        1.1.1.1 tls cloudflare-tls;
        1.0.0.1 tls cloudflare-tls;
        2606:4700:4700::1111 tls cloudflare-tls;
        2606:4700:4700::1001 tls cloudflare-tls;

        9.9.9.9 tls quad9-tls;
        149.112.112.112 tls quad9-tls;
        2620:fe::fe tls quad9-tls;
        2620:fe::9 tls quad9-tls;

        8.8.8.8 tls google-tls;
        8.8.4.4 tls google-tls;
        2001:4860:4860::8844 tls google-tls;
        2001:4860:4860::8888 tls google-tls;
    };
};

Customise the above as you like, for example to drop the IPv6 servers or one of the upstream providers.

Keep in mind that all upstream DNS traffic will now go to port 853 on the chosen upstream servers.
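As an added example (not code from the original post or from BIND), the following Python probe reaches each upstream from the configuration above the same way named will: TCP to port 853, TLS with the certificate checked against the name given as remote-hostname, and one A query inside the two-byte length framing that DNS over TLS uses. It assumes the system CA store trusts the resolvers' certificates and uses example.com as the query name.

```python
import socket
import ssl
import struct

UPSTREAMS = [  # (address, remote-hostname) pairs taken from the config above
    ("1.1.1.1", "one.one.one.one"),
    ("9.9.9.9", "dns.quad9.net"),
    ("8.8.8.8", "dns.google"),
]

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query (RFC 1035) for name; A record, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return (txid, rcode, answer_count) from a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, an

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream early")
        buf += chunk
    return buf

def dot_query(addr, hostname, name, timeout=5.0):
    """One query over TLS on 853 with RFC 7858 two-byte length framing.
    create_default_context() requires a trusted chain and a certificate
    name matching hostname, which is what remote-hostname does in named."""
    ctx = ssl.create_default_context()
    query = build_query(name)
    with socket.create_connection((addr, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _read_exact(tls, 2))
            return parse_header(_read_exact(tls, length))

if __name__ == "__main__":
    for addr, host in UPSTREAMS:
        try:
            txid, rcode, answers = dot_query(addr, host, "example.com")
            print(f"{addr} ({host}): rcode={rcode} answers={answers}")
        except OSError as exc:  # covers TLS verification failures too
            print(f"{addr} ({host}): FAILED: {exc}")
```

A certificate that does not match the remote-hostname fails in the TLS handshake before any query is sent, so a FAILED line from this probe is the same condition that would leave named unable to use that forwarder.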

This post is licensed under CC BY 4.0 by the author.