DNS over HTTPS
miek · 2016-11-27 · via Google on CoreDNS: DNS and Service Discovery

Note: this requires the proxy plugin, which has been deprecated.

For almost a year, Google has had a DNS service that can be queried over HTTPS: https://dns.google.com. This means your queries are encrypted and can only be seen by you (and Google(!)). Seeing all the press about the UK’s snooper’s charter, I thought I should implement this as a plugin in CoreDNS.

I’m (obviously) going to use this myself, which is perfect: it protects me and it allows me to dogfood CoreDNS as a DNS proxy in my home network.

Another noteworthy implementation is “dingo”: https://github.com/pforemski/dingo.

Also note that this is a different protocol from “DNS over TLS”, which has similar goals and is being standardized by the IETF.

Currently you’ll need to compile CoreDNS from source to play with this or wait until CoreDNS-004 is released.

The configuration on the CoreDNS side is pretty straightforward. The following Corefile is all you’ll need:

. {
    proxy . 8.8.8.8 {
        protocol https_google
    }
    cache
    log
    errors
}

Next, start CoreDNS and query it.

% ./coredns
.:53
2016/11/26 17:11:07 [INFO] CoreDNS-003
CoreDNS-003
::1 - [26/Nov/2016:17:13:10 +0000] "MX IN miek.nl. udp false 4096" NOERROR 246 149.791162ms
::1 - [26/Nov/2016:17:13:11 +0000] "MX IN miek.nl. udp false 4096" NOERROR 170 156.432µs

The only unencrypted DNS traffic is from your laptop/phone/computer to CoreDNS; the rest is encrypted.

By default, dns.google.com will be re-resolved every 30 seconds using 8.8.8.8 and 8.8.4.4 (you can override these defaults). This is the only query not encrypted, but this will probably lead to a very boring browser history.
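As an added illustration (not code from CoreDNS or from the original post), this Go program shows the kind of upstream exchange described above: a question sent as an HTTPS GET and a JSON answer decoded. It assumes the `/resolve?name=...&type=...` JSON interface of Google's service; `Resolve`, `Reply` and `sample` are names made up for this example, and a local TLS test server with a constructed reply stands in for dns.google.com so that it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Reply holds the fields of the JSON answer that this example reads.
type Reply struct {
	Status int // DNS RCODE; 0 is NOERROR
	Answer []struct {
		Name, Data string
		Type, TTL  int
	}
}

// Resolve sends one question to a JSON-over-HTTPS resolver; plain HTTP is refused.
func Resolve(c *http.Client, endpoint, name, qtype string) (*Reply, error) {
	u, err := url.Parse(endpoint)
	if err != nil || u.Scheme != "https" {
		return nil, fmt.Errorf("refusing endpoint %q: want an https URL", endpoint)
	}
	u.RawQuery = url.Values{"name": {name}, "type": {qtype}}.Encode()
	resp, err := c.Get(u.String()) // c verifies the server certificate
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("upstream returned HTTP %d", resp.StatusCode)
	}
	r := new(Reply)
	if err := json.NewDecoder(resp.Body).Decode(r); err != nil {
		return nil, err
	}
	return r, nil
}
// Constructed sample reply, served by a local TLS test server so this runs offline.
const sample = `{"Status":0,"Answer":[{"name":"example.org.","type":15,"TTL":300,"data":"10 mx.example.org."}]}`
func main() {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, sample)
	}))
	defer srv.Close()
	fmt.Println(Resolve(srv.Client(), srv.URL+"/resolve", "example.org", "MX"))
}
```

Because the HTTP client validates the server certificate, a client that does not trust the certificate it is shown gets an error rather than an answer. That check is what stops a forged reply to the plaintext lookup of dns.google.com from silently redirecting queries, as long as verification is left enabled.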

Next, I need to configure a Raspberry Pi and install CoreDNS on it. And, as with all CoreDNS developments, feedback is welcome.