[Yeti DNS Discuss] Reply: A public Yeti DNS resolver (but with TLS)

I tried it with getdns_query and stubby. Some feedback:

1) An error was reported: "unable to get local issue certificate" (for a
newbie at TLS certificate setup, is there any instruction?)
2) It works without 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED'.
3) It causes a 1~2 second delay compared to raw UDP, which I think may
affect user experience.

Yeti does not have a public DNS resolver
<http://lists.yeti-dns.org/pipermail/discuss/2016-November/000736.html>. And
there are few public DNS-over-TLS (RFC 7858) resolvers, which is sad, since
DNS privacy is a big not-yet-solved problem.

So, I installed an *experimental* public DNS-over-TLS Yeti resolver on
dns-resolver.bortzmeyer.org (IPv6 only, which makes sense for Yeti). Two
warnings: it is best effort only, and since it sends requests to the Yeti
root, the user's data is captured and analyzed. So, it is to test
technically privacy-enhancing techniques, not to provide actual privacy.

The certificate was issued by CAcert <https://www.cacert.org/>. I wonder if
it's possible to get a Let's Encrypt certificate for a DNS server (you need
to set up a callback server)?

If you don't know DNS-over-TLS clients, you can find some in

Another way to use it is a forwarder for a local resolver. Unbound can do

  server:
    auto-trust-anchor-file: "autokey/yeti-key.key"
    ssl-upstream: yes

  forward-zone:
    name: "."
    # forward-host: "dns-resolver.bortzmeyer.org" does not work, unknown reason
    forward-addr: 2001:4b98:dc2:43:216:3eff:fea9:41a@853
    forward-first: no

The public resolver itself is implemented with Unbound. Here is its

  server:
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    root-hints: "yeti-hints"
    auto-trust-anchor-file: "autokey/yeti-key.key"
    # Do NOT listen on public addresses (except with
    # DNS-over-TLS-over-TCP, port 853) because we accept queries from
    # everyone.
    interface: ::1
    interface: 2001:4b98:dc2:43:216:3eff:fea9:41a@853
    qname-minimisation: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-glue: yes
    ssl-service-key: "/etc/unbound/tls-server.key"
    ssl-service-pem: "/etc/unbound/tls-server.pem"
    ssl-port: 853
    # Be careful: this turns us into an open resolver. This is safe only
    # because we do not listen on any interface except with DNS-over-TLS
    # (port 853). Maybe use the new "views" feature of Unbound >= 1.6?
    access-control: ::0/0 allow
    # Slow but useful to debug the public resolver
    log-queries: yes

The requests are logged locally (see above the warning about privacy):

% sudo journalctl -n  -f -t unbound
Dec 21 17:20:12 dahu1 unbound[25626]: [25626:0] info: 2001:db8:1:2:6c65:ec27:7a25:8aa www.eu.org. AAAA IN
Dec 21 17:20:12 dahu1 unbound[25626]: [25626:0] info: 2001:db8:1:2:6c65:ec27:7a25:8aa www.eu.org.

And the certificate is:

% openssl s_client -showcerts -connect dns-resolver.bortzmeyer.org:853 | openssl x509 -text
depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify return:1
depth=1 O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
verify return:1
depth=0 CN = dns-resolver.bortzmeyer.org
verify return:1
        Version: 3 (0x2)
        Serial Number: 172663 (0x2a277)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
            Not Before: Dec 21 16:42:26 2016 GMT
            Not After : Dec 21 16:42:26 2018 GMT
        Subject: CN = dns-resolver.bortzmeyer.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    X509v3 extensions:
            X509v3 Basic Constraints: critical
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access: 
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points: 

                Full Name:

            X509v3 Subject Alternative Name: 
                DNS:dns-resolver.bortzmeyer.org, othername:<unsupported>
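As an added example (not code from the original post, from Unbound or from getdns), here is a minimal Python DNS-over-TLS stub client doing what stubby and the Unbound forwarder above do: it frames the query as DNS-over-TCP, connects to port 853 with certificate and hostname verification against a caller-supplied CA file, and extracts the AAAA records from the answer. The resolver name and CA file path passed to query_dot are the caller's choice; nothing here is taken from the real server beyond the port and RFC 7858 framing.

```python
import socket, ssl, struct

def build_query(qname, qtype=28, txid=0x1234):
    """Wire-format DNS query (RD=1, AD=1) with one question; qtype 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    return struct.pack("!H", len(msg)) + msg   # DNS over TCP/TLS: 2-byte length prefix

def skip_name(msg, off):
    """Offset just past a domain name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + n

def parse_aaaa(msg):
    """AAAA addresses in the answer section; raises on a non-zero RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, msg[off:off + 16]))
        off += rdlen
    return addrs

def query_dot(server, qname, cafile=None, port=853):
    """Authenticated DoT query. cafile must hold the resolver's issuing CA (CAcert for
    the resolver above); a store lacking it fails with 'unable to get local issuer certificate'."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    with socket.create_connection((server, port), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(frame(build_query(qname)))
        rd = tls.makefile("rb")                       # read(n) absorbs short TLS reads
        (length,) = struct.unpack("!H", rd.read(2))
        return parse_aaaa(rd.read(length))
```

A call such as query_dot("dns-resolver.bortzmeyer.org", "www.eu.org", cafile="cacert-root.pem") (path assumed) performs the full TLS handshake per query, which is where part of the delay noted in the reply comes from.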