DNS

DNS providers

DNS Providers with API integration:

• letsencrypt go lib
  • LeGo DNS Providers
• Cert-manager native DNS provider integrations
  • Cert-manager webhook supported DNS providers
    • cert-manager-webhook-gandi With good instructions
• Traefik Acme providers
• terraform DNS acme challenge

Options to consider:

• Gandi
• https://www.inwx.de
  • Terraform Provider
  • No API keys, API auth with user/password
  • OTP needed on each API call

Hetzner

• cert-manager-webhook-hetzner
  • Actively developed
  • Works !

njal.la

• cert-manager-webhook-njalla
  • Couldn't make it work (unable to check TXT record: code: 403, message: Permission denied.)
  • Stale ?
• Terraform njal.la providers

Other tf provider options:

• https://github.com/gidsi/terraform-provider-njalla
  • No provider documentation
  • Only an example in the README.md

njal.la dyndns

• dyndns docs

  ❯ export TOKEN=$(gopass show --password token/njal.la/dyndns/varac.net)

Manual update from inside of webserver network:

❯ curl "https://njal.la/update/?h=varac.net&auto&k=$TOKEN"
{"status": 200, "message": "record updated", "value": {"A": "93.221.19.99"}}

Update from outside:

Update:

❯ export IP=93.221.16.69
❯ curl "https://njal.la/update/?h=varac.net&auto&k=${TOKEN}&a=$IP"

Verify:

host varac.net

systemd-resolved

see [[systemd/resolved.md]] (also how to enable DNSSEC resolver)

Privacy preserving DNS servers

• Quad 9
• Digitale Gesellschaft DoT + DoH
• dns.watch
• digitalcourage

  Update am 18. Februar 2020: Zur Zeit können wir bei unserem DoT-Dienst bei vielen Abfragen hintereinander Ausfälle/Hänger beobachten. Die Auflösung dauert dann länger oder bricht ab. Wir werden demnächst auf eine neue Software umstellen (und diesen Hinweis dann entfernen).

• Cloudflare

DNS proxies with ad-blocking

• https://github.com/0xERR0R/blocky

  • https://artifacthub.io/packages/helm/k8s-at-home/blocky

• https://pi-hole.net/
  • https://hub.helm.sh/charts?q=pi-hole
• https://adguard.com/de/adguard-home/overview.html

DNS encryption

• Understanding DoT and DoH (DNS over TLS vs. DNS over HTTPS)

DNS over HTTPS (DoH)

• Add support for DNS-over-HTTPS to systemd-resolved

DNS over TLS (DoT)

• Arch wiki: systemd-resolved with DoT

DNS over Quic (DoQ)

• DNS-over-QUIC wird zum offiziellen Standard

DNSCrypt

• Website

DNSSEC

• Arch wiki: DNSSEC support in systemd-resolve
• DNSSEC Resolver Test
• https://dnsviz.net/d/systemli.org/dnssec/

Test DNS

/usr/lib/nagios/plugins/check_dns -H varac-test.openappstack.net -a 213.108.108.134 -s 1.1.1.1

dnsdiag tools

https://dnsdiag.org/

sudo apt install dnsdiag

dnsping -c 5 -s 10.27.13.1 varac.net

SRV records

https://www.pair.com/support/kb/what-is-an-srv-record/