Serving DNS over TLS and DNS over HTTPS with BIND9-dev
冷静的路
2021-08-01 20:32

System: Debian 10 cloud server (installed with the "SSH server" task selected)

Software: dnsproxy (the local upstream that BIND forwards to), bind9-dev

Certificates: a free certificate can be requested from Alibaba Cloud or Tencent Cloud (it must be issued for the hostname that DoT/DoH clients will connect to)

1. Installation and configuration

Web link

2. Configuration file

nano /etc/bind/named.conf.options

tls dot-local-tls {
        key-file "/etc/dot/dot.key";
        cert-file "/etc/dot/dot.pem";
};
tls doh-local-tls {
        key-file "/etc/doh/doh.key";
        cert-file "/etc/doh/doh.pem";
};

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // Forward every query to the local dnsproxy instance from the
        // software list above, expected on 127.0.0.1:54; BIND itself
        // does not talk to the upstream resolvers directly.
        forwarders { 127.0.0.1 port 54; };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation yes;
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        recursion yes;
        // NOTE: recursion with allow-query { any; } on a public cloud address
        // makes this an open resolver. Restrict allow-query / allow-recursion
        // to the clients you actually serve if port 53 is reachable from the
        // Internet.
        allow-query { any; };
        // DNS over TLS (RFC 7858) on 853 and DNS over HTTPS (RFC 8484) on 443,
        // each bound to the tls block defined at the top of the file.
        // "http default" is BIND's built-in HTTP endpoint, served at /dns-query.
        listen-on port 853 tls dot-local-tls { any; };
        listen-on port 443 tls doh-local-tls http default { any; };
};

3. Configure AppArmor so that named may read the certificate directories:

nano /etc/apparmor.d/local/usr.sbin.named

/etc/dot/** r,
/etc/doh/** r,

4. Now reload the named AppArmor profile (it includes the local override edited above):

apparmor_parser -r /etc/apparmor.d/usr.sbin.named

5. Restart BIND9

service bind9 restart

Done!
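To check that the two listeners above actually answer, here is a small client that speaks both protocols with only the Python standard library. It is an example added to this page, not code from the original post or from BIND; the hostname dns.example.net in the usage line is a placeholder for your own server, and the sample response bytes are constructed by hand, not captured from a real server. It shows the two things the BIND config hides: DoT is plain DNS-over-TCP framing (a 2-byte length prefix) inside TLS on port 853, and DoH is the same wire-format message sent as an HTTP POST with Content-Type application/dns-message to /dns-query on port 443. Both paths verify the server certificate against the system CA store (or a cafile you pass), which is exactly what the certificate from Alibaba/Tencent Cloud is for.

```python
"""Minimal DoT (RFC 7858) and DoH (RFC 8484) client for verifying a BIND listener.

Added example for this page; not part of the original post or of BIND.
"""
import socket
import ssl
import struct
import urllib.request

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def build_query(name: str, qtype: int = DNS_TYPE_A, txid: int = 0x1234) -> bytes:
    """Build a wire-format DNS query (RFC 1035) with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, DNS_CLASS_IN)


def frame_for_dot(message: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length before each message."""
    return struct.pack("!H", len(message)) + message


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes and ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response: bytes, expected_txid: int = 0x1234):
    """Parse a DNS response; return (rcode, list of IPv4 addresses from the answer section)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(response, offset) + 4  # skip QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlength]
        offset += rdlength
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return rcode, addresses


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message arrived")
        buf += chunk
    return buf


def query_dot(server: str, name: str, port: int = 853, cafile=None):
    """Resolve `name` over DNS-over-TLS; the certificate must validate for `server`."""
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((server, port), timeout=5) as raw:
        with context.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_for_dot(build_query(name)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_a_records(_recv_exact(tls, length))


def query_doh(url: str, name: str, cafile=None):
    """Resolve `name` over DNS-over-HTTPS using the RFC 8484 POST form."""
    context = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, context=context, timeout=5) as resp:
        if resp.headers.get("Content-Type", "").split(";")[0] != "application/dns-message":
            raise ValueError("server did not answer with application/dns-message")
        return parse_a_records(resp.read())


# Constructed sample response (not captured from any server) so the parser can be
# exercised offline: answers example.com A 93.184.216.34 with TTL 300, rcode 0.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, 300, 4)
    + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dns.example.net"  # placeholder hostname
    print("DoT:", query_dot(host, "example.com"))
    print("DoH:", query_doh(f"https://{host}/dns-query", "example.com"))
```

Run it as `python3 dohcheck.py your.dns.hostname`; a TLS handshake error on either path means the certificate in /etc/dot or /etc/doh does not match the name you connected to, and a Content-Type error on the DoH path means port 443 answered with something other than the BIND HTTP endpoint. The same checks can be done with `kdig @your.dns.hostname +tls example.com` and `curl --doh-url https://your.dns.hostname/dns-query https://example.com/`, but the script makes the framing and the certificate check visible.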