How to use a TLS proxy with a DNS nameserver
It is of course possible to configure a TLS proxy in front of a DNS nameserver to provide DNS-over-TLS. Example configurations for nginx and haproxy are given here.
A more comprehensive setup guide using Docker has been provided by Warren Kumari: dprive-nginx-bind (Thanks Warren!)
To use the following with BIND to offer a TLS service, configure BIND based on the following named.conf snippet:
- This assumes BIND 9.12, which supports response padding (comment that line out if you are using an earlier version)
- The rndc and logging config is used to capture traffic volume stats; statistics can be dumped periodically with the 'rndc stats' command
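The nginx side of such a setup, as an added example rather than the page's own configuration: nginx terminates TLS on the standard DNS-over-TLS port 853 and forwards the plain DNS-over-TCP stream to BIND on the loopback interface. It assumes nginx was built with the stream and stream_ssl modules, that BIND listens on 127.0.0.1:53, and that the certificate paths (dns.example.com under /etc/letsencrypt) are placeholders to be replaced.

```nginx
# Added example (not from the original page): nginx as a DNS-over-TLS proxy
# in front of BIND. Assumes --with-stream --with-stream_ssl_module, BIND on
# 127.0.0.1:53, and placeholder Let's Encrypt certificate paths.
stream {
    upstream dns_backend {
        # BIND only needs to accept plain TCP on loopback; nginx does the TLS
        server 127.0.0.1:53;
    }

    server {
        # Standard DNS-over-TLS port (RFC 7858), IPv4 and IPv6
        listen 853 ssl;
        listen [::]:853 ssl;

        # fullchain.pem carries the leaf plus intermediates, so clients can
        # build the chain; the key stays in its own file for nginx
        ssl_certificate     /etc/letsencrypt/live/dns.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dns.example.com/privkey.pem;

        # Modern TLS only; clients doing DoT all support TLS 1.2+
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # Session resumption keeps repeat handshakes cheap for stub resolvers
        ssl_session_cache shared:dot:10m;
        ssl_session_timeout 1h;

        # Drop idle client connections rather than pinning BIND TCP slots
        proxy_connect_timeout 2s;
        proxy_timeout 10s;

        proxy_pass dns_backend;
    }
}
```

Because TLS is stripped before the query reaches BIND, every connection appears to BIND as coming from 127.0.0.1, so per-client ACLs or logging must be done on the proxy side. A quick check from a client host is `kdig @dns.example.com +tls-ca +tls-hostname=dns.example.com example.com A`, which fails if the chain does not validate.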
If you use HAProxy and have generated your certificates with Let's Encrypt, then you need to combine the certificate chain and key into one file using a command similar to: