Is it possible to use haproxy for DNS over TLS?
  • I have a Pi-hole on my network sending DNS over 53 on UDP and TCP

    bastion# dig @10.0.1.199 google.com +vc +short
    108.177.122.138
    108.177.122.102
    108.177.122.139
    108.177.122.100
    108.177.122.113
    108.177.122.101
    
    pihole# netstat -ntulp | grep 53
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      19576/dnsmasq
    tcp6       0      0 :::53                   :::*                    LISTEN      19576/dnsmasq
    udp      768      0 0.0.0.0:53              0.0.0.0:*                           19576/dnsmasq
    udp6       0      0 :::53                   :::*                                19576/dnsmasq
    

    I'm trying to get HAProxy set up to take 53 and present it as 853 for DNS over TLS. I'm not sure what I'm doing wrong, but I am.

    Here's my test output:

    kdig -d @dns.mydomain.com +tls-ca +tls-host=dns.mydomain.com google.com
    ;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(dns.mydomain.com), port(853), protocol(TCP)
    ;; DEBUG: TLS, imported 151 system certificates
    ;; DEBUG: TLS, received certificate hierarchy:
    ;; DEBUG:  #1, CN=dns.mydomain.com
    ;; DEBUG:      SHA-256 PIN: lHdYmRl7/NJxhATlXTondPJnswpPnJgBELTJOX83FMc=
    ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
    ;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
    ;; DEBUG: TLS, skipping certificate PIN check
    ;; DEBUG: TLS, The certificate is trusted.
    ;; WARNING: TLS, peer has closed the connection
    ;; WARNING: can't receive reply from 66.38.67.33@853(TCP)
    ;; WARNING: failed to query server dns.mydomain.com@853(TCP)
    

    Any ideas?


  • Rebel Alliance Developer Netgate

    A client has to explicitly know it's using DNS over TLS; it isn't as simple as forwarding 53 to 853. Running that on 53 may just confuse clients.

    Even so, I'm not sure HAProxy can be used to present a certificate and work with DNS over TLS. Maybe as a simple TCP frontend to a real DNS over TLS backend like Unbound.

    But if you want something local to answer on 53 and then send the requests out to an upstream DNS over TLS server, then the DNS Resolver on pfSense can handle that. It can also act directly as a DNS over TLS server. It's possible to do with the custom options for DNS Resolver, but there are native GUI controls for it in 2.4.4.
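    As an added example that is not part of the original thread or of Netgate's or HAProxy's documentation: the "simple TCP frontend" approach from the reply, written out as an HAProxy configuration that terminates TLS on 853 and hands the decrypted stream to the Pi-hole's TCP/53 listener shown in the netstat output above, leaving port 53 itself untouched. The certificate path, the 10.0.1.199 backend address and the rate-limit threshold are assumptions for illustration; it assumes HAProxy 1.8 or newer.

```haproxy
# Added example: DNS over TLS termination in front of a Pi-hole (not from the original post).
# DoT (RFC 7858) uses the same two-byte length framing as DNS over TCP, so once HAProxy
# removes the TLS layer a plain TCP proxy to dnsmasq port 53 is all that is needed.
global
    log /dev/log local0
    # Placeholder path: the Let's Encrypt cert and key concatenated into one PEM file.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode tcp                  # raw TCP, never mode http: a DNS stream is not HTTP
    log global
    option tcplog
    timeout connect 5s
    timeout client 10s        # bounds idle DoT connections held open by clients
    timeout server 10s

# Listen on 853 only; plain 53 stays with dnsmasq, since clients must know they
# are speaking DoT and the reply notes that putting TLS on 53 would confuse them.
frontend dot_in
    bind :::853 v4v6 ssl crt /etc/haproxy/certs/dns.mydomain.com.pem
    # Per-source connection-rate limit, since 853 is typically reachable from the
    # Internet: track source addresses and reject a source exceeding 100 new
    # connections per 10 seconds (threshold is an assumed value).
    stick-table type ipv6 size 100k expire 60s store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc_conn_rate(0) gt 100 }
    default_backend pihole_tcp

backend pihole_tcp
    # TCP only: HAProxy cannot relay to UDP/53. A handshake that succeeds and is then
    # followed by "peer has closed the connection" is the symptom of a backend that
    # never answers on the stream, so confirm dnsmasq really listens on TCP 53.
    server pihole 10.0.1.199:53 check
```

    Verify with the same kdig command used in the question; it should print the A records instead of the "peer has closed the connection" warning. Because HAProxy opens its own connection to dnsmasq, the Pi-hole query log will attribute every DoT query to the HAProxy host rather than to the real client.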

