Building a DNS cache server with DoT (DNS over TLS) and DNSSEC support using systemd

Posted at 2021-08-04

This article builds a DNS cache server that supports DoT (DNS over TLS) and DNSSEC using systemd-resolved. Combined with the companion article "Making systemd-networkd a DHCP server" (systemd-networkd をDHCPサーバーにする), this lets systemd take the place of dnsmasq. The configuration below requires systemd 247 or later, the release in which DNSStubListenerExtra= was introduced.

/etc/systemd/resolved.conf.d/my.conf
[Resolve]

DNS=2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
DNSSEC=allow-downgrade
DNSOverTLS=yes
MulticastDNS=yes
LLMNR=yes
Cache=no-negative
DNSStubListener=no
DNSStubListenerExtra=192.168.1.2
DNSStubListenerExtra=127.0.0.1

Points

  • DNSSEC and DNSOverTLS get along very badly with Cloudflare DNS when used together, so Cloudflare is not used here.
  • The `#dns.google` suffix on each DNS= entry is the server name systemd-resolved uses for TLS SNI and for validating the upstream server's certificate. Leave it out and resolved has no name to check the certificate against, so the connection is encrypted but the server is not authenticated.
  • DNSStubListenerExtra= lists the IP addresses on which DNS queries are accepted (192.168.1.2 for LAN clients, 127.0.0.1 for local processes). systemd-resolved applies no access control on these listeners, so if the host is reachable from outside the LAN, restrict port 53 with a firewall.
  • DNSStubListener=no turns off the default stub on 127.0.0.53, so the nameserver line in /etc/resolv.conf must point at one of the addresses given in DNSStubListenerExtra=, as below. If /etc/resolv.conf is the symlink to /run/systemd/resolve/stub-resolv.conf that resolved installs, replace it with a regular file, because that file points at the now-disabled 127.0.0.53.
/etc/resolv.conf
options inet6 edns0 trust-ad use-vc
nameserver 127.0.0.1
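The two settings that most often go wrong with this setup are a DNS= server without a `#hostname` (DoT without certificate validation) and a resolv.conf that still points at the 127.0.0.53 stub that DNSStubListener=no removed. The following script is an added example, not part of the original article or of systemd: it lints a resolved.conf drop-in and a resolv.conf for exactly those two inconsistencies, and reports the configured DNSSEC= mode. The file paths and sample file contents are constructed for the demo; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: offline consistency check for the
# resolved.conf drop-in and /etc/resolv.conf described above. It reads the files
# the way resolved does (KEY=value, last assignment wins for single-valued keys).
# All paths and sample contents are constructed; pass real paths as $1 and $2.

# Print every value assigned to KEY in FILE, one per line, in order of appearance.
conf_values() { # conf_values FILE KEY
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1"
}

# Effective value for a single-valued key (DNSOverTLS=, DNSSEC=, DNSStubListener=).
conf_last() {
    conf_values "$1" "$2" | tail -n 1
}

# Check 1: with DNSOverTLS=yes every DNS= server needs an "address#hostname" suffix.
# Without the hostname resolved has nothing to match the upstream certificate
# against, so the channel is encrypted but the server is not authenticated.
check_dot_sni() {
    [ "$(conf_last "$1" DNSOverTLS)" = yes ] || return 0
    rc=0
    for srv in $(conf_values "$1" DNS); do
        case "$srv" in
            *'#'?*) ;;
            *) echo "DNS=$srv: no #servername, DoT certificate not validated"; rc=1 ;;
        esac
    done
    return $rc
}

# Reduce a DNSStubListenerExtra= entry ([udp:|tcp:]address[:port], IPv6 in [])
# to its bare address so it can be compared with a resolv.conf nameserver line.
normalize_listener() {
    a=${1#udp:}; a=${a#tcp:}
    case "$a" in
        \[*\]:*) a=${a#"["}; a=${a%%"]:"*} ;;  # [2001:db8::1]:53 -> 2001:db8::1
        *.*.*.*:*) a=${a%:*} ;;                # 192.168.1.2:53   -> 192.168.1.2
    esac
    printf '%s\n' "$a"
}

# Check 2: DNSStubListener=no removes the default stub on 127.0.0.53, so every
# nameserver in resolv.conf must be one of the DNSStubListenerExtra= addresses.
check_resolv_nameservers() { # check_resolv_nameservers DROPIN RESOLVCONF
    listeners=$(conf_values "$1" DNSStubListenerExtra)
    [ "$(conf_last "$1" DNSStubListener)" = no ] || listeners="127.0.0.53 $listeners"
    rc=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$2"); do
        found=0
        for l in $listeners; do
            [ "$(normalize_listener "$l")" = "$ns" ] && found=1
        done
        [ $found -eq 1 ] || { echo "nameserver $ns: no stub listener on that address"; rc=1; }
    done
    return $rc
}

# Print the configured DNSSEC= mode. "yes" refuses unsigned answers outright;
# "allow-downgrade" (the article's choice) keeps resolving when the upstream
# cannot serve DNSSEC, which an on-path attacker can use to force the downgrade.
dnssec_mode() {
    v=$(conf_last "$1" DNSSEC)
    printf '%s\n' "${v:-unset}"
}

# Constructed sample files: a copy of the article's configuration and a broken
# variant (no SNI names, resolv.conf still pointing at the disabled 127.0.0.53).
workdir=$(mktemp -d)
cat >"$workdir/my.conf" <<'EOF'
[Resolve]
DNS=2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
DNSSEC=allow-downgrade
DNSOverTLS=yes
Cache=no-negative
DNSStubListener=no
DNSStubListenerExtra=192.168.1.2
DNSStubListenerExtra=127.0.0.1
EOF
printf 'options inet6 edns0 trust-ad use-vc\nnameserver 127.0.0.1\n' >"$workdir/resolv.conf"
cat >"$workdir/bad.conf" <<'EOF'
[Resolve]
DNS=2001:4860:4860::8888 2001:4860:4860::8844
DNSOverTLS=yes
DNSStubListener=no
DNSStubListenerExtra=192.168.1.2
EOF
printf 'nameserver 127.0.0.53\n' >"$workdir/bad-resolv.conf"

dropin=${1:-$workdir/my.conf}
resolv=${2:-$workdir/resolv.conf}
echo "DNSSEC mode: $(dnssec_mode "$dropin")"
if check_dot_sni "$dropin" && check_resolv_nameservers "$dropin" "$resolv"; then
    echo "ok: $dropin and $resolv are consistent"
fi
```

Run it as `sh check-resolved.sh /etc/systemd/resolved.conf.d/my.conf /etc/resolv.conf` on the real host. It only checks the files; to confirm the live behaviour after `systemctl restart systemd-resolved`, use `resolvectl status` to see the DNSSEC and DNS-over-TLS mode and server names in effect, and `resolvectl query <name>` to see whether a given answer was returned as authenticated.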