Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-11-03 18:53:13 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
705f350c7e7a94cc3c638da06a1fffa752a2ceb4
coredns/plugin/tls/README.md
Nakano Masaki 62b23aeae6 fix broken link in webpage (#6488) 
Signed-off-by: Masaki Nakano <admin@namachan10777.dev>
2024-03-07 14:24:38 -05:00

74 lines
2.2 KiB
Markdown
Raw Blame History

# tls
## Name
*tls* - allows you to configure the server certificates for the TLS, gRPC, DoH servers.
## Description
CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)
or are using gRPC (https://grpc.io/ , not an IETF standard). Normally DNS traffic isn't encrypted at
all (DNSSEC only signs resource records).
The *tls* "plugin" allows you to configure the cryptographic keys that are needed for both
DNS-over-TLS and DNS-over-gRPC. If the *tls* plugin is omitted, then no encryption takes place.
The gRPC protobuffer is defined in `pb/dns.proto`. It defines the proto as a simple wrapper for the
wire data of a DNS message.
## Syntax
~~~ txt
tls CERT KEY [CA]
~~~
Parameter CA is optional. If not set, system CAs can be used to verify the client certificate
~~~ txt
tls CERT KEY [CA] {
client_auth nocert|request|require|verify_if_given|require_and_verify
}
~~~
If client\_auth option is specified, it controls the client authentication policy.
The option value corresponds to the [ClientAuthType values of the Go tls package](https://golang.org/pkg/crypto/tls/#ClientAuthType): NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.
The default is "nocert". Note that it makes no sense to specify parameter CA unless this option is
set to verify\_if\_given or require\_and\_verify.
## Examples
Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
nameservers defined in `/etc/resolv.conf` to resolve the query. This proxy path uses plain old DNS.
~~~
tls://.:5553 {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
~~~
Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for
incoming queries.
~~~
grpc://. {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
~~~
Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.
~~~
https://. {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
~~~
Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
debugging these transports harder than it should be.
## See Also
RFC 7858 and https://grpc.io.
Reference in New Issue View Git Blame Copy Permalink