
DNS over HTTPS
miek · 2016-11-27 · via Encryption on CoreDNS: DNS and Service Discovery

Note: this requires the proxy plugin, which has been deprecated.

For almost a year Google has had a DNS service that can be queried over HTTPS: https://dns.google.com. This means your queries are encrypted and can only be seen by you (and Google(!)). Seeing all the press about the UK’s snooper’s charter, I thought I should implement this as a plugin in CoreDNS.

I’m (obviously) going to use this myself, which is perfect as it protects me and it allows me to dogfood CoreDNS as a DNS proxy in my home network.

Another noteworthy implementation is “dingo”: https://github.com/pforemski/dingo.

Also note that this is a different protocol from “DNS over TLS”, which has similar goals and is being standardized by the IETF.

Currently you’ll need to compile CoreDNS from source to play with this, or wait until CoreDNS-004 is released.

The configuration on the CoreDNS side is pretty straightforward. The following Corefile is all you’ll need:

. {
    proxy . 8.8.8.8 {
        protocol https_google
    }
    cache
    log
    errors
}

Next, start CoreDNS and query it.

% ./coredns
.:53
2016/11/26 17:11:07 [INFO] CoreDNS-003
CoreDNS-003
::1 - [26/Nov/2016:17:13:10 +0000] "MX IN miek.nl. udp false 4096" NOERROR 246 149.791162ms
::1 - [26/Nov/2016:17:13:11 +0000] "MX IN miek.nl. udp false 4096" NOERROR 170 156.432µs

The only unencrypted DNS traffic is from your laptop/phone/computer to CoreDNS; the rest is encrypted.

By default, dns.google.com will be re-resolved every 30 seconds using 8.8.8.8 and 8.8.4.4 (you can override these defaults). This is the only query not encrypted, but this will probably lead to a very boring browser history.
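To make concrete what travels inside the HTTPS connection, here is an added example (not CoreDNS's own code) that builds a request for Google's JSON API and decodes a reply. The `/resolve` path, the `name` and `type` parameters and the JSON field names come from Google's public API rather than from this page; the function names are hypothetical and the sample body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Response holds the fields this example reads from the JSON reply.
type Response struct {
	Status int  // DNS rcode: 0 = NOERROR, 3 = NXDOMAIN
	AD     bool // resolver validated the answer with DNSSEC
	Answer []struct {
		Name string `json:"name"`
		Type uint16 `json:"type"`
		TTL  uint32 `json:"TTL"`
		Data string `json:"data"`
	}
}

// QueryURL builds the request for one question. Name and type sit in the
// URL, so TLS hides them on the path but the HTTPS endpoint sees them.
func QueryURL(name, qtype string) string {
	q := url.Values{}
	q.Set("name", name)
	q.Set("type", qtype)
	return "https://dns.google.com/resolve?" + q.Encode()
}

// Parse decodes a reply body. For this example any rcode other than
// NOERROR is an error; a proxy would pass the rcode on to its client.
func Parse(body []byte) (*Response, error) {
	var r Response
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("bad JSON from resolver: %w", err)
	}
	if r.Status != 0 {
		return nil, fmt.Errorf("resolver returned rcode %d", r.Status)
	}
	return &r, nil
}

// sample is a constructed reply body, not captured traffic.
const sample = `{"Status":0,"AD":false,"Answer":[{"name":"example.org.","type":15,"TTL":300,"data":"10 mail.example.org."}]}`

func main() {
	r, err := Parse([]byte(sample))
	fmt.Println(QueryURL("example.org.", "MX"), r, err)
}
```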

Next, I need to configure a Raspberry Pi and install CoreDNS on it. And as with all CoreDNS developments feedback is welcome.