====== 使用 Nginx 搭建 DNS over TLS (DoT) ======

==== 参考文档及源代码 ====

  - [[https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/|Using NGINX as a DoT or DoH Gateway]]

==== 配置 Nginx ====

以下是简明配置, 详细的参考上面的文档 #1

如果上游DNS服务器使用DNS over TLS(DoT),一般是853端口, 则 stream 配置需要启用 proxy_ssl

如果上游DNS服务器是普通形式, 一般是53端口, 则 stream 配置**不**需要启用 proxy_ssl

<code>
stream {
	ssl_protocols			TLSv1.2 TLSv1.3;
	ssl_ciphers			"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
	ssl_prefer_server_ciphers	on;
	#ssl_session_cache		shared:SSL:50m;
	ssl_session_timeout		1d;
	ssl_dhparam			/path/dh4096.pem;
	tcp_nodelay			on;
	upstream dot {
		zone	dot 64k;
		server	8.8.8.8:853;
		server	8.8.4.4:853;
	}
	server {
		listen			853 ssl;
		ssl_certificate		/path/fullchain.pem;
		ssl_certificate_key	/path/privkey.pem;
		proxy_pass		dot;
		proxy_ssl		on; # 如果上面upstream dot内的DNS服务器不是DoT, 即是普通53端口, 则注释本行
	}
}
</code>

==== 测试 ====

=== 用 kdig 测试 ===

简单的不检查TLS证书
<code>
kdig -p 853 @dns_server_ip +tls intel.com
</code>

匹配TLS证书为domain
<code>
kdig -p 853 @dns_server_ip +tls-ca +tls-host=domain intel.com
</code>

使用 [[https://getdnsapi.net/query/|getdns]] 查询

  - Transport order: 选择TLS
  - TLS resolver IP: 输入要检查的DNS服务器IP
  - TLS auth name: (可选)TLS证书验证域名