plugin/tls/README.md

# tls

## Name

*tls* - allows you to configure the server certificates for the TLS, gRPC, DoH servers.

## Description

CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)
or are using gRPC (https://grpc.io/ , not an IETF standard). Normally DNS traffic isn't encrypted at
all (DNSSEC only signs resource records).

The *tls* "plugin" allows you to configure the cryptographic keys that are needed for both
DNS-over-TLS and DNS-over-gRPC. If the *tls* plugin is omitted, then no encryption takes place.

The gRPC protobuffer is defined in `pb/dns.proto`. It defines the proto as a simple wrapper for the
wire data of a DNS message.

## Syntax

~~~ txt
tls CERT KEY [CA]
~~~

Parameter CA is optional. If not set, system CAs can be used to verify the client certificate

~~~ txt
tls CERT KEY [CA] {
    client_auth nocert|request|require|verify_if_given|require_and_verify
    keylog FILE
}
~~~

If client\_auth option is specified, it controls the client authentication policy.
The option value corresponds to the [ClientAuthType values of the Go tls package](https://golang.org/pkg/crypto/tls/#ClientAuthType): NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.
The default is "nocert".  Note that it makes no sense to specify parameter CA unless this option is
set to verify\_if\_given or require\_and\_verify.

The keylog can be specified to export TLS master secrets in key log format to allow external programs
to decrypt TLS connections. It compromises security and should only be used for debugging!

## Examples

Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
nameservers defined in `/etc/resolv.conf` to resolve the query. This proxy path uses plain old DNS.

~~~
tls://.:5553 {
	tls cert.pem key.pem ca.pem
	forward . /etc/resolv.conf
}
~~~

Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for
incoming queries.

~~~
grpc://. {
	tls cert.pem key.pem ca.pem
	forward . /etc/resolv.conf
}
~~~

Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.
~~~
https://. {
	tls cert.pem key.pem ca.pem
	forward . /etc/resolv.conf
}
~~~

Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
debugging these transports harder than it should be.

## See Also

RFC 7858 and https://grpc.io.
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`# tls`

Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00			`## Name`

support plain HTTP for DoH (#4997) Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com> 2021-11-23 14:03:26 +01:00			`tls - allows you to configure the server certificates for the TLS, gRPC, DoH servers.`
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00
			`## Description`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)`
fix broken link in webpage (#6488) Signed-off-by: Masaki Nakano <admin@namachan10777.dev> 2024-03-08 04:24:38 +09:00			`or are using gRPC (https://grpc.io/ , not an IETF standard). Normally DNS traffic isn't encrypted at`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`all (DNSSEC only signs resource records).`

Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			`The tls "plugin" allows you to configure the cryptographic keys that are needed for both`
Directive -> plugin (#3363) Caught my eye, we name things directive still, esp when talking about the prometheus plugin. Rename everything that needs to be plugin to 'plugin'. Also make sure Metrics is a H2 section (not H1). Signed-off-by: Miek Gieben <miek@miek.nl> 2019-10-08 10:20:48 +01:00			`DNS-over-TLS and DNS-over-gRPC. If the tls plugin is omitted, then no encryption takes place.`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00
			The gRPC protobuffer is defined in `pb/dns.proto`. It defines the proto as a simple wrapper for the
			`wire data of a DNS message.`

core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`## Syntax`

			`~~~ txt`
plugin/tls: make CA parameter optional (#1800) 2018-05-15 19:53:46 +03:00			`tls CERT KEY [CA]`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`~~~`

plugin/tls: make CA parameter optional (#1800) 2018-05-15 19:53:46 +03:00			`Parameter CA is optional. If not set, system CAs can be used to verify the client certificate`

make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00			`~~~ txt`
			`tls CERT KEY [CA] {`
			`client_auth nocert\|request\|require\|verify_if_given\|require_and_verify`
plugin/tls: Add the keylog option to configure TLSConfig.KeyLogWriter (#7537) * tls: Add the keylog option to configure TLSConfig.KeyLogWriter Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> * tls: Close keylog file on instance shutdown. Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> --------- Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> 2026-03-27 12:10:13 -07:00			`keylog FILE`
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00			`}`
			`~~~`

doc: fix generated manual pages (#3571) Went over all generated manual pages and fixed some markdown issues, mostly escaping "_" to avoid underlining entire paragraphs. Some textual fixes in route53 and other cloud DNS plugins. Regenerated the markdown with mmark. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-12-29 13:35:17 +01:00			`If client\_auth option is specified, it controls the client authentication policy.`
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00			`The option value corresponds to the [ClientAuthType values of the Go tls package](https://golang.org/pkg/crypto/tls/#ClientAuthType): NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.`
doc: fix generated manual pages (#3571) Went over all generated manual pages and fixed some markdown issues, mostly escaping "_" to avoid underlining entire paragraphs. Some textual fixes in route53 and other cloud DNS plugins. Regenerated the markdown with mmark. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-12-29 13:35:17 +01:00			`The default is "nocert". Note that it makes no sense to specify parameter CA unless this option is`
			`set to verify\_if\_given or require\_and\_verify.`
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00
plugin/tls: Add the keylog option to configure TLSConfig.KeyLogWriter (#7537) * tls: Add the keylog option to configure TLSConfig.KeyLogWriter Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> * tls: Close keylog file on instance shutdown. Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> --------- Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> 2026-03-27 12:10:13 -07:00			`The keylog can be specified to export TLS master secrets in key log format to allow external programs`
			`to decrypt TLS connections. It compromises security and should only be used for debugging!`

core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`## Examples`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the`
			nameservers defined in `/etc/resolv.conf` to resolve the query. This proxy path uses plain old DNS.
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00
			`~~~`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`tls://.:5553 {`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00			`tls cert.pem key.pem ca.pem`
Move proxy to external (#2651) * Move proxy to external move the proxy plugin into coredns/proxy and remove it as a default plugin. Link the proxy to deprecated in plugin.cfg coredns/proxy doesn't compile because of the vendoring :( Signed-off-by: Miek Gieben <miek@miek.nl> * Add github.com/coredns/proxy Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2019-03-03 23:32:38 -08:00			`forward . /etc/resolv.conf`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00			`}`
			`~~~`

Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for`
			`incoming queries.`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00
			`~~~`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`grpc://. {`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00			`tls cert.pem key.pem ca.pem`
Move proxy to external (#2651) * Move proxy to external move the proxy plugin into coredns/proxy and remove it as a default plugin. Link the proxy to deprecated in plugin.cfg coredns/proxy doesn't compile because of the vendoring :( Signed-off-by: Miek Gieben <miek@miek.nl> * Add github.com/coredns/proxy Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2019-03-03 23:32:38 -08:00			`forward . /etc/resolv.conf`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00			`}`
			`~~~`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00
support plain HTTP for DoH (#4997) Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com> 2021-11-23 14:03:26 +01:00			`Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.`
			`~~~`
			`https://. {`
			`tls cert.pem key.pem ca.pem`
			`forward . /etc/resolv.conf`
			`}`
			`~~~`

Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
			`debugging these transports harder than it should be.`

docs: move Also See to See Also (#4245) sed -i 's/Also See/See Also/' plugin/**/README.md Some plugins did already use 'See Also', so it's all consistent now. Fixes: #4196 Signed-off-by: Miek Gieben <miek@miek.nl> 2020-10-28 18:56:35 +01:00			`## See Also`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00
			`RFC 7858 and https://grpc.io.`