Ihr erinnert euch an meine Ankündigung über TLS an meinem DNS vor ein paar Tagen? RFC 7858 – DNS over Transport Layer Security
Bei mir ist inzwischen recht oft die Frage nach dem „Wie“ angekommen. Nun ich habe dafür stunnel benutzt. stunnel ist nicht speziell für DNS sondern ist ein Stück Software welches sich vor Dienste schalten lässt die keine oder eine schlechte Implementierung für SSL/TLS haben. Eine komplett stumpfe Konfiguration um zu testen würde zum Beispiel auf einem FreeBSD wie folgt aussehen:
/usr/local/etc/stunnel/conf.d/dnstls.conf
[dns4] accept = 853 connect = 5.9.24.235:53 cert = /usr/local/etc/stunnel/ssl/dns.crt key = /usr/local/etc/stunnel/ssl/dns.key CAfile = /usr/local/etc/stunnel/ssl/ca.crt
[dns6]
accept = :::853 connect = 5.9.24.235:53 cert = /usr/local/etc/stunnel/ssl/dns.crt key = /usr/local/etc/stunnel/ssl/dns.key CAfile = /usr/local/etc/stunnel/ssl/ca.crt
So gestartet lässt sich eine TLS Verbinung zu Port 853 aufbauen und stunnel schiebt dann alles einfach weiter an den Bind auf Port 53. Ob eine SSL/TLS Verbindung aufgebaut werden kann testet man am besten mit openSSL: openssl s_client -connect ns1.kernel-error.de:853 -showcerts Ich werfe weiter unten mal den kompletten Output in den Post…
Um eine komplette DNS Abfrage über TLS zu prüfen nutze ich gerne getdns_query. Dieses ist bereits in den FreeBSD Ports. Ein Test würde wie folgt aussehen: getdns_query @5.9.24.235 -s -a -A -l L www.kernel-error.de AAAA die Option „-l L“ weißt getdns_query dabei an es per TLS zu probieren. Auch hier werde ich den kompletten Output weiter untem im Post zeigen.
Der versprochene openSSL Output
kernel@s-meer-bsd ~> openssl s_client -connect ns1.kernel-error.de:853 -showcerts CONNECTED(00000003) depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA verify return:1 depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2 verify return:1 depth=0 OU = Domain Control Validated, CN = *.kernel-error.de verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/CN=*.kernel-error.de i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2 -----BEGIN CERTIFICATE----- MIIIVjCCBz6gAwIBAgIMKHSoWgqp4f0QDMWoMA0GCSqGSIb3DQEBCwUAMEwxCzAJ BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB bHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTE3MDMxMDEwNTI1MloXDTE4MDMx MTEwNTI1MlowPzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRow GAYDVQQDDBEqLmtlcm5lbC1lcnJvci5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIP ADCCAgoCggIBAMtVm/TykTvxvwZN0h6H2YeIeu4G+scVCb+kxxa8Jrua7DuLchjm 05wj6zPTe+2opDNNeZ6T5/ISSKczUQO4p+ttxFzl8OGA8FaZe4Qc9FNYdzY35w2d oMgpTpsO+xTEdLHbXcNvEdFXg/8vyKS5y9Ddp8mSvz/Mt04rj2sjXGWwV00ImDQ1 DHBEuNuvFsnyaXQkDXeC3bA+2EkuVIcFcviQT5At88CDLkP8ygJsD3iDudnVeEJZ N1AFnjN/qQksjKvT5V75R7GcIhA0a6lC56iBmEykht8YdPy63940hYmO4Ug17p68 7uiPZKUsFkGmYchbkiw5KLTck6VVv9b5Z+lFfIQcfBf5blmaUkQQ8CP3yXXajmfP 3KqJu5c+M3OW9evFiE+z7ihtKVtOHQS86z0ijvSNaCfj9OWQKXhBzBzdEGTogC7n Iq8YYjveRQ+ExffM+RY3xaqMc1368tUx6ir+0LdGiqgzDC5OcWPqRTNobeTfcETz VCxqgTfVr4tDNTk1+LmRsWKVDuBtG3p/lJEwCU1z6ZP6xmNTBZc1iOuNOJN+CmYW ZpKaI3F6JPRK4G2Hu4fa0GWjRHSSZYFkyBl520a8fTMGIY8JlfHfx9HVK2fFJ4yP NxKligKSydphqEG8cyEU/V3oRlgZ7en1HmrWRrIRiWcmWk3qKl/AZk97AgMBAAGj ggRDMIIEPzAOBgNVHQ8BAf8EBAMCBaAwgYkGCCsGAQUFBwEBBH0wezBCBggrBgEF BQcwAoY2aHR0cDovL3NlY3VyZTIuYWxwaGFzc2wuY29tL2NhY2VydC9nc2FscGhh c2hhMmcycjEuY3J0MDUGCCsGAQUFBzABhilodHRwOi8vb2NzcDIuZ2xvYmFsc2ln bi5jb20vZ3NhbHBoYXNoYTJnMjBXBgNVHSAEUDBOMEIGCisGAQQBoDIBCgowNDAy BggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9y eS8wCAYGZ4EMAQIBMAkGA1UdEwQCMAAwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDov L2NybDIuYWxwaGFzc2wuY29tL2dzL2dzYWxwaGFzaGEyZzIuY3JsMC0GA1UdEQQm MCSCESoua2VybmVsLWVycm9yLmRlgg9rZXJuZWwtZXJyb3IuZGUwHQYDVR0lBBYw FAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSL6GOdfjNSVXP7NNrKRfN/ ZEGEJTAfBgNVHSMEGDAWgBT1zdU8CFD5ak86t5faVoPmadJo9zCCAm0GCisGAQQB 1nkCBAIEggJdBIICWQJXAHUAu9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e 0YUAAAFat9mThAAABAMARjBEAiBA/XALdgdBZzdvL20DwfeGUAKVhFAueJG6hIWF eooeSwIgBAMtgDdRxtSkDbKZdkuT9pul6HlZgGSKBLwHjt08rSAAdgDd6x0reg1P piCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAVq32ZOaAAAEAwBHMEUCIAwdq+Ma WZ+v8TuKuwIT9oTHT6mlOuov2brZHNa53o5MAiEAq1ZFktpd5XzJQixebUuaCNKW dZWUF58tKuB4l7xvGOUAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3c EAAAAVq32ZZ1AAAEAwBHMEUCIAUVh0ZRcb/+WRb9F+nn/Jmzvgs/bnLQNwEjBUT1 /t2aAiEAmZWAnrB3RnsCbedw8SOvJk6HsZG67T0fdI96M/Pc47kAdgBWFAaaL9fC 7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAVq32Za/AAAEAwBHMEUCIQD92ZOc 1xqff1TJ7gsw/ZGtkvzrjIW6uu/Hu7ZxBKkOgQIgRC0TkK19+m8nUN7KDCqyKsZT DqUrKE01MuPhx1RnIPMAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9 ywAAAVq32ZllAAAEAwBHMEUCIQCPAWIduEfXjVVq+qKHEtoy84Nqm+PsibSk8uXq ziMziQIgJp3NRvIM8bFtzQe/ZQYBnNv2H3MwZmldaIbV5VcbMOQwDQYJKoZIhvcN AQELBQADggEBAKmQsE/CjF2nRuqaPZht7EFsQpHzihm+VBA48HDN0Uj9JpObHadg kxNunKd3K+KNsZP4gwg8Z+LfNAU2smK//Ptq7S/y3ECZTniwLMNx4ogekIuQ9i6a 5zgdN3TpWMV/pu2PEguG/FhDIeIEoC5L7qYAKsSq/4VMexUeVfg3IDbdFH0FGlF7 NRAvfY8KfkvkM6c0VhkAuisnYpt+N3RoXOUlQEbv2qRPikiRnLW4hyms0Y73W5v2 GBA6H66lPIqWTzalY9d1kUVY0N+qz/ZgZhdY0LkeTHG4l+XAyKwa241LHGtDHz7m 7c9LBqS3mXSFvfCL9eU2vzDHkU6cMixjf94= -----END CERTIFICATE----- 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2 i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA -----BEGIN CERTIFICATE----- MIIETTCCAzWgAwIBAgILBAAAAAABRE7wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw MDBaFw0yNDAyMjAxMDAwMDBaMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i YWxTaWduIG52LXNhMSIwIAYDVQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcy MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2gHs5OxzYPt+j2q3xhfj kmQy1KwA2aIPue3ua4qGypJn2XTXXUcCPI9A1p5tFM3D2ik5pw8FCmiiZhoexLKL dljlq10dj0CzOYvvHoN9ItDjqQAu7FPPYhmFRChMwCfLew7sEGQAEKQFzKByvkFs MVtI5LHsuSPrVU3QfWJKpbSlpFmFxSWRpv6mCZ8GEG2PgQxkQF5zAJrgLmWYVBAA cJjI4e00X9icxw3A1iNZRfz+VXqG7pRgIvGu0eZVRvaZxRsIdF+ssGSEj4k4HKGn kCFPAm694GFn1PhChw8K98kEbSqpL+9Cpd/do1PbmB6B+Zpye1reTz5/olig4het ZwIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C AQAwHQYDVR0OBBYEFPXN1TwIUPlqTzq3l9pWg+Zp0mj3MEUGA1UdIAQ+MDwwOgYE VR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3dy5hbHBoYXNzbC5jb20vcmVw b3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWdu Lm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6 Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAfBgNVHSMEGDAWgBRge2YaRQ2X yolQL30EzTSo//z9SzANBgkqhkiG9w0BAQsFAAOCAQEAYEBoFkfnFo3bXKFWKsv0 XJuwHqJL9csCP/gLofKnQtS3TOvjZoDzJUN4LhsXVgdSGMvRqOzm+3M+pGKMgLTS xRJzo9P6Aji+Yz2EuJnB8br3n8NA0VgYU8Fi3a8YQn80TsVD1XGwMADH45CuP1eG l87qDBKOInDjZqdUfy4oy9RU0LMeYmcI+Sfhy+NmuCQbiWqJRGXy2UzSWByMTsCV odTvZy84IOgu/5ZR8LrYPZJwR2UcnnNytGAMXOLRc3bgr07i5TelRS+KIz6HxzDm MTh89N1SyvNTBCVXVmaU6Avu5gMUTu79bZRknl7OedSyps9AsUSoPocZXun4IRZZ Uw== -----END CERTIFICATE----- --- Server certificate subject=/OU=Domain Control Validated/CN=*.kernel-error.de issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 4014 bytes and written 433 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: B1956B432DABE228C78E756329A796FA56C9646BE64326F8F96782BD946CCA82 Session-ID-ctx: Master-Key: 10329FBAE32471FC56D45E0AA0971CF5EB7977F7569AE4079219D9438E7A0F9DA8EC4150D9A074FC0AD8E63E00849047 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1513937385 Timeout : 300 (sec) Verify return code: 0 (ok) ---
Der versprochene getdns_query Output:
kernel@s-meer-bsd ~> getdns_query @5.9.24.235 -s -a -A -l L www.kernel-error.de AAAA { "answer_type": GETDNS_NAMETYPE_DNS, "canonical_name": <bindata for www.kernel-error.de.>, "just_address_answers": [ { "address_data": <bindata for 2a01:4f8:161:3ec::443>, "address_type": <bindata of "IPv6"> }, { "address_data": <bindata for 5.9.24.250>, "address_type": <bindata of "IPv4"> } ], "replies_full": [ <bindata of 0xd3578500000100010003000703777777...>, <bindata of 0xe9288500000100010003000703777777...> ], "replies_tree": [ { "additional": [ { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns1.kernel-error.de.>, "rdata": { "ipv4_address": <bindata for 5.9.24.235>, "rdata_raw": <bindata of 0x050918eb> }, "ttl": 300, "type": GETDNS_RRTYPE_A }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns2.kernel-error.org.>, "rdata": { "ipv4_address": <bindata for 176.9.109.53>, "rdata_raw": <bindata of 0xb0096d35> }, "ttl": 300, "type": GETDNS_RRTYPE_A }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns3.kernel-error.com.>, "rdata": { "ipv4_address": <bindata for 203.137.119.119>, "rdata_raw": <bindata of 0xcb897777> }, "ttl": 300, "type": GETDNS_RRTYPE_A }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns1.kernel-error.de.>, "rdata": { "ipv6_address": <bindata for 2a01:4f8:161:3ec::53>, "rdata_raw": <bindata of 0x2a0104f8016103ec0000000000000053> }, "ttl": 300, "type": GETDNS_RRTYPE_AAAA }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns2.kernel-error.org.>, "rdata": { "ipv6_address": <bindata for 2a01:4f8:150:1095::53>, "rdata_raw": <bindata of 0x2a0104f8015010950000000000000053> }, "ttl": 300, "type": GETDNS_RRTYPE_AAAA }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns3.kernel-error.com.>, "rdata": { "ipv6_address": <bindata for 2001:310:6000:f::1fc7:1>, "rdata_raw": <bindata of 0x200103106000000f000000001fc70001> }, "ttl": 300, "type": GETDNS_RRTYPE_AAAA }, { "do": 0, "extended_rcode": 0, "rdata": { "rdata_raw": <bindata of 0x> }, "type": GETDNS_RRTYPE_OPT, "udp_payload_size": 4096, "version": 0, "z": 0 } ], "answer": [ { "class": GETDNS_RRCLASS_IN, "name": <bindata for www.kernel-error.de.>, "rdata": { "ipv6_address": <bindata for 2a01:4f8:161:3ec::443>, "rdata_raw": <bindata of 0x2a0104f8016103ec0000000000000443> }, "ttl": 300, "type": GETDNS_RRTYPE_AAAA } ], "answer_type": GETDNS_NAMETYPE_DNS, "authority": [ { "class": GETDNS_RRCLASS_IN, "name": <bindata for kernel-error.de.>, "rdata": { "nsdname": <bindata for ns2.kernel-error.org.>, "rdata_raw": <bindata for ns2.kernel-error.org.> }, "ttl": 86400, "type": GETDNS_RRTYPE_NS }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for kernel-error.de.>, "rdata": { "nsdname": <bindata for ns1.kernel-error.de.>, "rdata_raw": <bindata of 0x036e7331c010> }, "ttl": 86400, "type": GETDNS_RRTYPE_NS }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for kernel-error.de.>, "rdata": { "nsdname": <bindata for ns3.kernel-error.com.>, "rdata_raw": <bindata for ns3.kernel-error.com.> }, "ttl": 86400, "type": GETDNS_RRTYPE_NS } ], "canonical_name": <bindata for www.kernel-error.de.>, "header": { "aa": 1, "ad": 0, "ancount": 1, "arcount": 7, "cd": 0, "id": 54103, "nscount": 3, "opcode": GETDNS_OPCODE_QUERY, "qdcount": 1, "qr": 1, "ra": 0, "rcode": GETDNS_RCODE_NOERROR, "rd": 1, "tc": 0, "z": 0 }, "question": { "qclass": GETDNS_RRCLASS_IN, "qname": <bindata for www.kernel-error.de.>, "qtype": GETDNS_RRTYPE_AAAA } }, { "additional": [ { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns1.kernel-error.de.>, "rdata": { "ipv4_address": <bindata for 5.9.24.235>, "rdata_raw": <bindata of 0x050918eb> }, "ttl": 300, "type": GETDNS_RRTYPE_A }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns2.kernel-error.org.>, "rdata": { "ipv4_address": <bindata for 176.9.109.53>, "rdata_raw": <bindata of 0xb0096d35> }, "ttl": 300, "type": GETDNS_RRTYPE_A }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns3.kernel-error.com.>, "rdata": { "ipv4_address": <bindata for 203.137.119.119>, "rdata_raw": <bindata of 0xcb897777> }, "ttl": 300, "type": GETDNS_RRTYPE_A }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns1.kernel-error.de.>, "rdata": { "ipv6_address": <bindata for 2a01:4f8:161:3ec::53>, "rdata_raw": <bindata of 0x2a0104f8016103ec0000000000000053> }, "ttl": 300, "type": GETDNS_RRTYPE_AAAA }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns2.kernel-error.org.>, "rdata": { "ipv6_address": <bindata for 2a01:4f8:150:1095::53>, "rdata_raw": <bindata of 0x2a0104f8015010950000000000000053> }, "ttl": 300, "type": GETDNS_RRTYPE_AAAA }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for ns3.kernel-error.com.>, "rdata": { "ipv6_address": <bindata for 2001:310:6000:f::1fc7:1>, "rdata_raw": <bindata of 0x200103106000000f000000001fc70001> }, "ttl": 300, "type": GETDNS_RRTYPE_AAAA }, { "do": 0, "extended_rcode": 0, "rdata": { "rdata_raw": <bindata of 0x> }, "type": GETDNS_RRTYPE_OPT, "udp_payload_size": 4096, "version": 0, "z": 0 } ], "answer": [ { "class": GETDNS_RRCLASS_IN, "name": <bindata for www.kernel-error.de.>, "rdata": { "ipv4_address": <bindata for 5.9.24.250>, "rdata_raw": <bindata of 0x050918fa> }, "ttl": 300, "type": GETDNS_RRTYPE_A } ], "answer_type": GETDNS_NAMETYPE_DNS, "authority": [ { "class": GETDNS_RRCLASS_IN, "name": <bindata for kernel-error.de.>, "rdata": { "nsdname": <bindata for ns2.kernel-error.org.>, "rdata_raw": <bindata for ns2.kernel-error.org.> }, "ttl": 86400, "type": GETDNS_RRTYPE_NS }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for kernel-error.de.>, "rdata": { "nsdname": <bindata for ns1.kernel-error.de.>, "rdata_raw": <bindata of 0x036e7331c010> }, "ttl": 86400, "type": GETDNS_RRTYPE_NS }, { "class": GETDNS_RRCLASS_IN, "name": <bindata for kernel-error.de.>, "rdata": { "nsdname": <bindata for ns3.kernel-error.com.>, "rdata_raw": <bindata for ns3.kernel-error.com.> }, "ttl": 86400, "type": GETDNS_RRTYPE_NS } ], "canonical_name": <bindata for www.kernel-error.de.>, "header": { "aa": 1, "ad": 0, "ancount": 1, "arcount": 7, "cd": 0, "id": 59688, "nscount": 3, "opcode": GETDNS_OPCODE_QUERY, "qdcount": 1, "qr": 1, "ra": 0, "rcode": GETDNS_RCODE_NOERROR, "rd": 1, "tc": 0, "z": 0 }, "question": { "qclass": GETDNS_RRCLASS_IN, "qname": <bindata for www.kernel-error.de.>, "qtype": GETDNS_RRTYPE_A } } ], "status": GETDNS_RESPSTATUS_GOOD }
Oh und weil ich gerade dabei war… Ich habe direkt ns2.kernel-error.org mit einem gültigen Zertifikat ausgestattet.
Fragen? Dann fragen 🙂