Setting up DoT

[DistractedCanuck]

So I'm trying to set up DoT to secure my DNS traffic. I've tried adding tcp-tls:protected.canadianshield.cira.ca:853 as my only upstream resolver. But when I do that I no longer get any results.
Looking at the similar config for unbound it looks like I need to call a cert library as well as have and Ip in addition to the tcp-tls domain.

Currently my config file has the following:

upstream:
  externalResolvers:
    - tcp-tls:protected.canadianshield.cira.ca:853

I am running blocky in a docker container based on repo with metric. My setup works when I just add a normal IP in to the upstream resolver.

The DNS I am trying to add is the following CIRA Shield but it would also apply to Quad9 as the give their DoT in the same format.

My docker container is currently only open to port 53 and 4000.
Do I need to also forward port 853 to the container?

Thanks for the help!

[0xERR0R]

Hi, there a 2 different things: configuration of upstream DNS servers and configuration of blocky.

To use an external DNS resolver with TLS, just configure tcp-tls:protected.canadianshield.cira.ca:853, your example is correct. Blocky will contact this external DNS server with TLS.

Another thing is configuraiton of blocky: blocky can serve DNS over port 53 (DNS UDP and TCP) without encryption or DNS-over-HTTPS (aka DoH) with encryption. Blocky doesn't provide DoT as endpoint. If you want to use DoH, you can follow the guide (https://github.com/0xERR0R/blocky/wiki/Configuration-of-HTTPS-for-DoH-and-Rest-API) or simple put blocky behind a reverse proxy with encryption (e.g. traefik).

Please consider, if you use blocky only in your home network, without access from outside, I would recommend to use UDP via port 53, this is much faster and you don't need traffic encryption at home (use encrypted external DNS via DoT/DoH). If blocky is reachable from the internet, I would recommend to use DoH.

[DistractedCanuck]

Ok, So just adding the bootstrapDns did allow me to load the blacklists but it did not resolve the issue.
Adding a DNS to the docker container does seem to work. It no longer creates issues and does seem to be using the correct DNS resolvers when I use DNSLeak. However, now the DoT is no longer working.

running dig private.canadianshield.cira.ca or dig www.google.ca provide the same error.

;; reply from unexpected source: 127.0.0.1#53, expected 127.0.0.53#53

;; reply from unexpected source: 127.0.0.1#53, expected 127.0.0.53#53

;; reply from unexpected source: 127.0.0.1#53, expected 127.0.0.53#53

; <<>> DiG 9.16.1-Ubuntu <<>> private.canadianshield.cira.ca
;; global options: +cmd
;; connection timed out; no servers could be reached

I think you're right it must be an issue with the DNS on my host machine.

To set up blocky I am changing the DNS resolver on my router to blocky.

[DistractedCanuck]

Sounds like its a systemresolve issue. I've disabled it and will try to reload later. (People are using the home internet now). This seems to have fixed the issue for people over on the pi-hole forums.

[DistractedCanuck]

Alright so, after playing with this for a while I have it working...ish.

I had to stop the systemresolve service. Than add my own nameserver into resolv.conf. Once that was done blocky was able to load and resolve queries.

2021-04-17 14:48:07	192.168.0.1	dlinkrouter	188	RESOLVED (private.canadianshield.cira.ca:853)	A (api.github.com.)	A (140.82.112.6)	NOERROR
2021-04-17 14:48:07	192.168.0.1	dlinkrouter	197	RESOLVED (private.canadianshield.cira.ca:853)	A (api.github.com.)	A (140.82.113.6)	NOERROR

So that works! If I can also change that to Quad9 and it will work and call the correct dns so it doesn't seem to be leaking.

That being said I can't seem to get the encryption to work. I don't know if thats from a lack of understanding what it actually is or if its not working.

When I use Wireshark to monitor my traffic I can still see all the requested IPs unencrypted and when I test it using the Browser Privacy Test it tells me TLS is not enabled.

My conf file looks like this:

upstream:
  externalResolvers:
   - tcp-tls:protected.canadianshield.cira.ca:853
   - tcp-tls:private.canadianshield.cira.ca:853
  #  - tcp-tls:dns.quad9.net:853
 #   - tcp-tls:dns.adguard.com:853
 #   - tcp-tls:cloudflare-dns.com:853

clientLookup:
    upstream: udp:192.168.0.1
    singleNameOrder:
      - 2
      - 1

blocking:
  blackLists:
    ads:
      - https://hosts.anudeep.me/mirror/adservers.txt
      - https://hosts.anudeep.me/mirror/facebook.txt
      - https://hosts.anudeep.me/mirror/CoinMiner.txt
      - https://blocklistproject.github.io/Lists/abuse.txt
      - https://blocklistproject.github.io/Lists/ads.txt
      - https://blocklistproject.github.io/Lists/crypto.txt
      - https://blocklistproject.github.io/Lists/malware.txt
      - https://blocklistproject.github.io/Lists/phishing.txt
      - https://blocklistproject.github.io/Lists/ransomware.txt
      - https://blocklistproject.github.io/Lists/redirect.txt
      - https://blocklistproject.github.io/Lists/scam.txt
      - https://blocklistproject.github.io/Lists/tracking.txt
  whiteLists: 
    ads:
      - /whitelists/whitelist.txt
  clientGroupsBlock:
    default:
      - ads
  blockType: zeroIp
prometheus:
  enable: true
port: 53
httpPort: 4000
bootstrapDns: 1.1.1.1
queryLog:
    dir: /logs
    perClient: true
    logRetentionDays: 7

and the docker compose like this:

version: '3'

services:
  blocky:
    image: spx01/blocky
    container_name: blocky
    restart: unless-stopped
    networks:
       - blocky
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "853:853/tcp"
      - "853:853/udp"
      - "4000:4000"
    environment:
      - TZ=America/Halifax
    volumes:
      - ./blocky/config.yml:/app/config.yml
      - ./blocky/logs/:/logs/
      - ./whitelists/:/whitelists/
  prometheus:
    image: prom/prometheus
    container_name: prometheus
    networks: 
      - blocky
    volumes:
      - ./prometheus/:/etc/prometheus/
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
      - '--web.console.templates=/usr/share/prometheus/consoles'
    ports:
      - 9090:9090
    restart: unless-stopped

  grafana:
    image: grafana/grafana:6.7.1
    container_name: grafana
    networks: 
      - blocky
    depends_on:
      - prometheus
    ports:
      - 3000:3000
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/provisioning/:/etc/grafana/provisioning/
    environment:
      - GF_PANELS_DISABLE_SANITIZE_HTML=true
      - GF_INSTALL_PLUGINS=grafana-piechart-panel
    restart: unless-stopped    

volumes:
    prometheus_data: {}
    grafana_data: {}

    
networks:
  blocky:
    driver: bridge
    ipam:
      config:
       - subnet: 10.5.0.0/16
         gateway: 10.5.0.1
         aux_addresses:
          blocky: 10.5.0.5

I tried opening port 853 to the container but that didn't seem to make a difference and closing port 53 broke it.

using dig private.canadianshield.cira.ca:853 now actually returns the expected response of:

; <<>> DiG 9.16.1-Ubuntu <<>> private.canadianshield.cira.ca:853
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37227
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;private.canadianshield.cira.ca:853. IN A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2021041701 1800 900 604800 86400

;; Query time: 40 msec
;; SERVER: 149.112.121.20#53(149.112.121.20)
;; WHEN: Sat Apr 17 14:56:45 ADT 2021
;; MSG SIZE  rcvd: 138

Thank you for your help and hopefully I have annoyed you to much!

[0xERR0R]

Does your browser/PC use blocky? Do you see any requests in the log? The communication between blocky and external DNS server should be encrypted, since you use the port 853. The communication between your PC/browser and blocky is NOT encrypted -> this is OK, since you are using port 53 and UDP/TCP DNS. Blocky does not provide TLS endpoint, there is no need to map the port 853 into blocky container. If you need encryption between client and blocky, you can configure DoH, but normally, there is no need to have such encryption in a local network (this increases the response time).

[DistractedCanuck]

Yes it does. I do. Based on what you said I think I might just be checking the wrong data. I think I'm reading the packet that is traveling from blocky to my laptop rather than the packet from blocky to the external DNS. I'll have to find out a good way to do that. But what you've said makes a ton of sense. I don't really need that data to be encrypted on my LAN.

Thanks! Keep up the great work. I'm glad I stumbled up this project.