9dd288943a
* Move *proxy* to external move the proxy plugin into coredns/proxy and remove it as a default plugin. Link the proxy to deprecated in plugin.cfg coredns/proxy doesn't compile because of the vendoring :( Signed-off-by: Miek Gieben <miek@miek.nl> * Add github.com/coredns/proxy Signed-off-by: Yong Tang <yong.tang.github@outlook.com> |
||
|---|---|---|
| .. | ||
| log_test.go | ||
| OWNERS | ||
| README.md | ||
| tls.go | ||
| tls_test.go | ||
tls
Name
tls - allows you to configure the server certificates for the TLS and gRPC servers.
Description
CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858) or are using gRPC (https://grpc.io/, not an IETF standard). Normally DNS traffic isn't encrypted at all (DNSSEC only signs resource records).
The tls "plugin" allows you to configure the cryptographic keys that are needed for both
DNS-over-TLS and DNS-over-gRPC. If the tls directive is omitted, then no encryption takes place.
The gRPC protobuffer is defined in pb/dns.proto. It defines the proto as a simple wrapper for the
wire data of a DNS message.
Syntax
tls CERT KEY [CA]
Parameter CA is optional. If not set, system CAs can be used to verify the client certificate
Examples
Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
nameservers defined in /etc/resolv.conf to resolve the query. This proxy path uses plain old DNS.
tls://.:5553 {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for incoming queries.
grpc://. {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
Only Knot DNS' kdig supports DNS-over-TLS queries, no command line client supports gRPC making
debugging these transports harder than it should be.
Also See
RFC 7858 and https://grpc.io.