Secured DNS with DoT and CoreDns (docker)

In this blogpost we will be setting up secured DNS using dot. This is useful when you want to have encrypted communication between your computer or device, and the domain name server that it uses for resolving domains into ip addresses. It also helps against man-in-the middle attacks where someone can spoof responses from a public dns service like google's 8.8.8.8

Setup CoreDNS with SSL certificates on Docker:

Create folder and get the files to be used in this example

mkdir -p /data/coredns && cd $_
curl https://raw.githubusercontent.com/snowdrop/dot-example/master/ca.crt > ca.crt
curl https://raw.githubusercontent.com/snowdrop/dot-example/master/server.key > server.key

Run coredns using docker compose:

Create a file named docker-compose.yml and add the following content to it, this will setup coreDNS with SSL certificates for secured DNS communication (DoT). The port 8053 is used as an alternate TCP/IP Port instead of using UDP on standard port number 53 because some ISPs block access to internet based DoH services by blocking incoming traffic from them which makes it impossible or difficult

version: '2'
services:
    coredns:
        image: coredns/coredns:1.7.0
        command: -conf /etc/coredns/Corefile
        ports:
            - "853:853" # DoT TCP port number 853 for secured DNS communication using SSL certificates and TLS encryption protocol over internet connection (DoH) instead of UDP on standard port no. 53 which is often blocked by some ISPs because they don't want their customers accessing these types services due security reasons
            - "10087:53" # DNS query forwarder to the outside world using a non-standard port number of UDP/TCP on standard DNS ports no. 53 for secured communication between your computer or device and public name server service like google's dns (https://developers.googleblogspot com/) which can be accessed via this URL: https://812024967-dot .cloudflareapi .net/doh /
        volumes:
            - ./ca.crt:/etc/ssl/certs/ca.crt
            - ./server.key :/etc/coredns/server.key

Start the coreDNS container with docker compose, and verify it's working properly using dig tool (optional):

Run the command below to start coredns on your host machine:

docker-compose up -d

You should now be able access secured DNS through port number 853. If you are unable or have problems doing so, please refer back here for more details about setting this service up correctly in docker container environment as well as troubleshooting steps if needed.

Verify that it's working properly by running the command below using dig tool:

dig +dnssec @localhost -p 853 www.example.com
# Output should be similar to this one:
# ; <<>> DiG 9.10.6 <<>> +dnssec @localhost -p 853 www.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24056
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.example.com.   IN A

;; ANSWER SECTION:
www.example.com.    3600 IN CNAME example-dot-coredns .cloudflareapi .net.
example-dot-coredns.cloudflareapi. net. 154827 IN CNAME cf-splash.sni .cfnetwork ssl . cloud fl a re api dot n et.
cf network splas h . sni c f network s sl l d o t ne te r w or k . co mf networkspla sh csni clou df net workssn idocloudflareapidotnet3600INA154827 94.139.145.11
;; Query time: 2 msec
;; SERVER: ::1#853(::1)
;; WHEN: Wed Nov 16 22:31:10 UTC 2022
;; MSG SIZE rcvd: 174