Is it possible to use haproxy for DNS over TLS?
cwesterfield last edited by
I have a pihole on my network sending dns over 53 on udp and tcp
bastion# dig @10.0.1.199 google.com +vc +short 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168
pihole# netstat -ntulp | grep 53 tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 19576/dnsmasq tcp6 0 0 :::53 :::* LISTEN 19576/dnsmasq udp 768 0 0.0.0.0:53 0.0.0.0:* 19576/dnsmasq udp6 0 0 :::53 :::* 19576/dnsmasq
I'm trying to get haproxy setup to take 53 and present it as 853 for DNS over TLS. I'm not sure what I'm doing wrong, but I am.
Here's my test output:
kdig -d @dns.mydomain.com +tls-ca +tls-host=dns.mydomain.com google.com ;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(dns.mydomain.com), port(853), protocol(TCP) ;; DEBUG: TLS, imported 151 system certificates ;; DEBUG: TLS, received certificate hierarchy: ;; DEBUG: #1, CN=dns.mydomain.com ;; DEBUG: SHA-256 PIN: lHdYmRl7/NJxhATlXTondPJnswpPnJgBELTJOX83FMc= ;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3 ;; DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg= ;; DEBUG: TLS, skipping certificate PIN check ;; DEBUG: TLS, The certificate is trusted. ;; WARNING: TLS, peer has closed the connection ;; WARNING: can't receive reply from 22.214.171.124@853(TCP) ;; WARNING: failed to query server dns.mydomain.com@853(TCP)
A client has to explicitly know it's using DNS over TLS, it isn't as simple as forwarding 53 to 853. Running that on 53 may just confuse clients.
Even so I'm not sure HAProxy can be used to present a certificate and work with DNS over TLS. Maybe as a simple TCP frontend to a real DNS over TLS backend like Unbound.
But if you want something local to answer on 53 and then send the requests out to an upstream DNS over TLS server, then the DNS Resolver on pfSense can handle that. It can also act directly as a DNS over TLS server. It's possible to do with the custom options for DNS Resolver but there are native GUI controls for it in 2.4.4.