Version 1.0 of getdns offers a daemon mode which can be used to run getdns locally as a DNS-over-TLS stub resolver. The daemon listens on the loopback address and sends all outgoing DNS queries over TLS to a DNS Privacy server. Version 1.1 of getdns includes some performance improvements that make this mode more robust, so it is currently recommended to use that code rather than the 1.0 release. If you want to set this up on your laptop/desktop, follow the step-by-step instructions below!


Dependencies

In this mode, the only dependency is OpenSSL. If it is installed in a non-standard location on your system, use the --with-ssl option of configure (below) to specify where it is.

Download the getdns source

Info

The 1.1 branch will be available any day now. Until then, please pick the code up directly from a branch in Sara Dickinson's fork of getdns as shown below!

> git clone https://github.com/saradickinson/getdns.git
> cd getdns
> git checkout feature/upstream_handling

Build the code

> git submodule update --init
> libtoolize -ci
> autoreconf -fi
> mkdir build
> cd build
> ../configure --prefix=<install_location> --without-libidn --enable-stub-only
> make
> make getdns_query

If you want to see detailed debug information as messages are processed, add the --enable-debug-stub option to the configure line above.

Run the daemon

The command below will run the daemon listening on port 53 of the loopback address and sending queries to the NLnet Labs test DNS Privacy server (at 185.49.141.38 and 2a04:b900:0:100::38) over TLS. It also specifies an idle timeout on the TLS connection of 10s with the '-e 10000' option. This test server does not support EDNS0 TCP Keepalive yet, so this timeout will always be used.

IPv4 only

> sudo src/test/getdns_query -s @185.49.141.38 -l L -z 127.0.0.1@53 -e 1000

IPv4 and IPv6

> sudo src/test/getdns_query -s @185.49.141.38 @2a04:b900:0:100::38 -l L -z 127.0.0.1@53 -z ::1@53 -e 1000

Exit the daemon at any time by hitting CTRL-C.

Modify your upstream resolvers

For getdns to send your outgoing DNS queries over TLS, the recursive resolvers configured on your machine must be changed so that all queries go over the loopback interface to the daemon. How to do this depends on the operating system being run.

Linux/Unix systems

  • Edit the /etc/resolv.conf file
  • Comment out the existing nameserver entries
  • Add the following (only add the IPv4 address if you don't have IPv6)

    nameserver 127.0.0.1
    nameserver ::1
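The three Linux/Unix steps above can be scripted. The shell function below is an added example (not part of the original page or of the getdns project): it comments out every active nameserver entry in a resolv.conf, appends the loopback addresses the daemon listens on, and keeps a backup. The function names, the optional second argument and the .bak naming are this example's own assumptions; the sample resolv.conf contents used to try it out are constructed.

```shell
#!/bin/sh
# Added example, not getdns project code.
# Rewrite a resolv.conf so that the only active nameservers are the loopback
# addresses the getdns daemon listens on (-z 127.0.0.1@53 and -z ::1@53).
#
# Usage: set_loopback_resolvers <resolv.conf> [with_ipv6]
#   with_ipv6 is "yes" (default) or "no"; pass "no" on a host without IPv6,
#   matching the advice to only add the IPv4 address in that case.
# The file is rewritten in place; the original is kept as <file>.bak
# (assumed naming) so the change can be reverted.

set -eu

set_loopback_resolvers() {
    conf="$1"
    with_ipv6="${2:-yes}"

    cp "$conf" "$conf.bak"

    # Comment out every active nameserver line (leading whitespace tolerated)
    # and leave everything else (search, options, existing comments) untouched.
    sed 's/^[[:space:]]*nameserver/#&/' "$conf.bak" > "$conf"

    # Point the system at the local daemon.
    printf 'nameserver 127.0.0.1\n' >> "$conf"
    if [ "$with_ipv6" = "yes" ]; then
        printf 'nameserver ::1\n' >> "$conf"
    fi
}

# List the nameserver addresses that are still active in a resolv.conf;
# after the rewrite only loopback addresses should be reported.
active_nameservers() {
    grep -E '^[[:space:]]*nameserver' "$1" | awk '{print $2}'
}

# Example invocation on a real system (needs root to write /etc/resolv.conf):
#   set_loopback_resolvers /etc/resolv.conf yes
#   active_nameservers /etc/resolv.conf
```

Run active_nameservers afterwards to confirm that nothing but 127.0.0.1 (and ::1) remains; any other address still active means some queries would bypass the daemon and go out in the clear. On systems where resolv.conf is generated by a network manager, the edit will be overwritten unless that manager is configured accordingly.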

OS X

  • Open System Preferences->Network->Advanced->DNS
  • Use the '-' button to remove the existing nameservers
  • Use the + button to add '127.0.0.1' and '::1' (only add the IPv4 address if you don't have IPv6)
  • Hit 'OK' in the DNS pane and then 'Apply' on the Network pane

Note

Once the upstream resolver change (step 1.6 above) is made, your queries will be redirected to the getdns daemon and sent over TLS! You can monitor the traffic using Wireshark capturing on port 853.
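As a complement to watching port 853 in Wireshark, the following added example (not from the original page or the getdns project) checks for the opposite condition: DNS traffic that still leaves the machine on plain port 53. It reads "local peer" address pairs, one per line, in the form the Local/Peer columns of ss print them, and reports any peer on port 53 other than the loopback daemon. The function name and the input format are this example's assumptions, and the socket lines used to try it are constructed.

```shell
#!/bin/sh
# Added example, not getdns project code.
# dns_leaks: read lines of "<local addr:port> <peer addr:port>" on stdin
# (for instance from:  ss -Hutn | awk '{print $5, $6}'  ) and print every
# peer on port 53 that is not the local getdns daemon. With the setup on
# this page the only port-53 peers should be 127.0.0.1:53 and [::1]:53;
# upstream traffic to the DNS Privacy server goes to port 853 instead.
# Returns 1 if any leak was found, 0 otherwise.
dns_leaks() {
    leaks=$(awk '
        # Port is the text after the last ":"; this also handles the
        # bracketed IPv6 form ss uses, e.g. [2001:db8::1]:53.
        function port(a,   n, p) { n = split(a, p, ":"); return p[n] }
        function host(a)          { return substr(a, 1, length(a) - length(port(a)) - 1) }
        {
            peer = $2
            if (port(peer) != "53") next
            h = host(peer)
            if (h == "127.0.0.1" || h == "[::1]" || h == "::1") next
            print "plain DNS to " peer
        }')
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Example invocation on a live system:
#   ss -Hutn | awk '{print $5, $6}' | dns_leaks && echo "no plain-DNS peers"
```

The check is a snapshot, so run it while a client is actually resolving names (for example during a web page load); unconnected UDP sockets do not show a peer and are not caught this way, which is why the Wireshark capture on port 853 remains the more complete confirmation.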
