Skip to content

Instantly share code, notes, and snippets.

@nikitasius

nikitasius/readme.md

Last active August 4, 2021 08:11
Show Gist options
  • Save nikitasius/e1b1c1ed05b8e35f02fb12277e06e03b to your computer and use it in GitHub Desktop.
Save nikitasius/e1b1c1ed05b8e35f02fb12277e06e03b to your computer and use it in GitHub Desktop.
Download ZIP
own DNS for NGINX (and whole system too) with DNSSEC from google DNS
Raw
readme.md
  • install dnsmasq (2.78+, cause 2.72 is bugged with certain DNS, including cloudflare)
  • /etc/dnsmasq.conf:
port=53
listen-address=127.0.0.1
interface=lo
bind-interfaces
dnssec
dnssec-check-unsigned
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
resolv-file=/etc/resolv.dnsmasq.conf
cache-size=262144
dns-forward-max=4096
strict-order

anchor from https://data.iana.org/root-anchors/root-anchors.xml

  • /etc/resolv.dnsmasq.conf
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4
  • now lock resolv.conf for the autoupdates (one way from below).
  • check is you have /etc/NetworkManager/NetworkManager.conf, if yes
    • open /etc/NetworkManager/NetworkManager.conf add dns=none into [main] section. If file is empty, just make it looks like this:
[main]
dns=none
  • dhclient.conf
    • open /etc/dhclient.conf or /etc/dhcp/dhclient.conf (which one is exists) and insert this line supersede domain-name-servers 127.0.0.1;
  • /etc/network/interfaces
    • add into /etc/network/interfaces this line dns-nameservers 127.0.0.1

Next:

  • start dnsmasq with dnsmasq --conf-file=/etc/dnsmasq.conf, but disable systemctl disable dnsmasq
  • resolver 127.0.0.1; in nginx & restart it
  • /etc/resolv.conf:
nameserver 127.0.0.1
  • disable all IPv4 DNS for actual username (if not root) due dnsmasq will run as nobody except 127.0.0.1
iptables -A OUTPUT -p udp --destination-port 53 -m owner --uid-owner username -j DROP                                                                                                                              
iptables -I OUTPUT -p udp --destination-port 53 -d 127.0.0.1 -m owner --uid-owner username -j ACCEPT
  • if you want to override some A records you should add addn-hosts=/etc/hosts.dnsmasq.conf into /etc/dnsmasq.conf
0.0.0.0         null.localhost
0.0.0.0         account.example.com
  • to override some CNAME records you should add cname=account.example.com,null.localhost into /etc/dnsmasq.conf, in such case CNAME for account.example.com will be null.localhost which points to 0.0.0.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment