
Bind9 Using Encrypted DNS

I have set up NextDNS on my bind9 server as a forwarder and it is working great. However, I believe this currently means that the DNS requests are unencrypted? I saw a couple of bits of info on DNS-over-TLS with bind9, but the setup wasn't too clear. I was wondering if anyone has set up encrypted DNS with NextDNS with bind9?

My current forwarder config for NextDNS in named.conf is below. If anyone has an example of their own using encryption and some details of any extra steps, that would be great.

options {
    querylog yes;
    forwarders {
        45.90.28.168;
        45.90.30.168;
    };
};

Thanks

4 replies

    • Martheen
    • 1 yr ago

    bind9 only supports DoT & DoH for downstream; you need upstream, so you'll need a forwarder that accepts unencrypted DNS queries and sends them through DoH/DoT. NextDNS CLI works. Since you have bind9 configured, you need to set the NextDNS CLI to listen on a port other than 53, then set bind9 to send the queries to that port, e.g., if NextDNS CLI is listening on port 54 on the same machine where bind9 runs:

    forwarders {
        127.0.0.1 port 54;
    };

    • Daniel_Gibbs
    • 1 yr ago

    Are you sure that is the case? It appears that the latest versions of Bind9 support DoT:
    How to use DNS-over-TLS with BIND9 forwarders - Unix & Linux Stack Exchange
    8. Configuration Reference — BIND 9 9.19.17-dev documentation

      • Martheen
      • 1 yr ago

       Then why not just apply that? For the IP just resolve your DoT address first.

    • Daniel_Gibbs
    • 7 mths ago

    So a little update on this topic: it appears that bind9 v9.19 does support DNS-over-TLS forwarders; however, this is a dev version. So the options are to run the dev version or wait until the stable version releases (9.20).
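The native DoT forwarding that the last update refers to would look roughly like this in named.conf. This is an added example, not config from the thread or from ISC; it assumes BIND 9.20 (or a 9.19 dev build) with the `tls` block and `forwarders ... tls` syntax from the BIND ARM, `dns.nextdns.io` as the certificate hostname (your NextDNS setup page may give a profile-specific name instead), and a Debian-style CA bundle path.

```conf
// Added example: forward to NextDNS over DNS-over-TLS instead of plain port 53.
// Assumptions: BIND >= 9.19/9.20 with DoT forwarding; NextDNS DoT hostname
// dns.nextdns.io (replace with the profile-specific name from your NextDNS
// setup page if you use one); CA bundle path as on Debian/Ubuntu.
tls nextdns {
    // Hostname the upstream certificate must match. Setting this (or ca-file)
    // moves BIND from opportunistic to strict TLS, so an upstream that cannot
    // present a valid certificate is rejected rather than silently used.
    remote-hostname "dns.nextdns.io";
    ca-file "/etc/ssl/certs/ca-certificates.crt";   // trust store (assumed path)
    protocols { TLSv1.3; };                          // BIND also accepts TLSv1.2
};

options {
    querylog yes;
    // "forward only" stops BIND from falling back to ordinary (unencrypted)
    // recursion to the root servers when the forwarders are unreachable.
    forward only;
    forwarders {
        // Same NextDNS addresses as in the original config, now on the DoT
        // port with the tls block above applied to each.
        45.90.28.168 port 853 tls nextdns;
        45.90.30.168 port 853 tls nextdns;
    };
};
```

Run `named-checkconf` before reloading; on an older BIND the `tls` keyword in `forwarders` is the part that will fail the check. Once running, outbound resolver traffic should appear on TCP 853 rather than UDP/TCP 53, which is the easy way to confirm the queries are no longer leaving in the clear.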
