The internet as most people know it is primarily dependent on two things operating.
- BGP (Border Gateway Protocol)
- DNS (Domain Name System)
There are of course many other things that need to work for the internet to function the way people think it works. I won’t go into every bit of technology that is required to view a website from the moment you hit enter in a browser to the moment you actually see a page render on your desktop/smartphone etc. For now, I want to focus on one of the most important functions of the “world wide web”. In this case, it is DNS.
Before I get into what I am going to be doing, and why, if you don’t know what DNS is perhaps check out this cool video by the folks over at DNS Made Easy
I like to have control over how DNS works when at home. I run a mildly complicated setup at home with a test environment, a few VPN tunnels, various test servers/services and control of the local/reverse resolution. The how is easy to justify, the why is a personal preference.
- I like the simplicity of BIND
- I like the reporting capability of Pi-Hole
- I like the security of DNS over HTTPS
Let’s talk about the three different technologies I am going to make use of today.
As Wikipedia states, BIND/named is “the most widely used Domain Name System software on the internet”. It stands for “Berkeley Internet Name Domain”, as the software originated from the University of California at Berkeley. It allows DNS providers, hosting companies, and just about anyone to run an authoritative or recursive DNS server. It is extremely powerful, very robust, scales well and, most importantly, is free!
Pi-hole is similar to BIND, but focuses primarily on the “recursive” function of DNS. It was originally intended to run on devices like the Raspberry Pi. It also works as a DNS blackhole, giving network administrators the ability to block access to certain websites using DNS. It is commonly used to block advertisements, which can be great for those pesky popups etc.
DNS over HTTPS
DNS over HTTPS (DoH), RFC 8484, is a method of performing DNS queries using the HTTPS protocol. It uses TCP port 443 to perform the queries, usually via an API, which is what I have chosen for this demonstration. The other popular way to perform secure DNS requests is DNS over TLS (DoT), RFC 7858. Both methods achieve the same outcome (encrypted DNS requests), but how they achieve that result is quite different. I won't go into the pros and cons of each solution, only to say that at present DoH is the solution I am working with. The reasons why will be revealed in a later article.
Typically, DNS queries aren’t secured. They happen over UDP port 53 (sometimes TCP port 53, depending on the request/response) and anyone listening on the wire can see what it is you queried. Using a service like DoH means those queries are performed over an encrypted channel. Anyone eavesdropping on your connection would only see encrypted packets between your device and the DoH service you’re using.
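To make the difference concrete, here is an added example (not code from the original post or from cloudflared) that builds the raw DNS wire-format query both transports carry, shows that the queried name is trivially readable from a plain UDP/53 packet, and then wraps the same bytes the way an RFC 8484 GET request does. The resolver URL is a placeholder; nothing is sent over the network.

```python
import base64
import struct

# Added example, not part of the original post: the same DNS message is sent
# in the clear on UDP/53 and inside TLS on TCP/443 with DoH (RFC 8484).
# No network access; a resolver URL is only used to build the request string.

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query (RFC 1035) for `name`; qtype 1 = A.
    RFC 8484 recommends transaction ID 0 so identical queries are cacheable."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def parse_question_name(packet: bytes) -> str:
    """Recover the queried name from a wire-format query. This is exactly what
    a passive observer on UDP/53 sees; with DoH the packet sits inside TLS."""
    i, labels = 12, []  # question section starts right after the 12-byte header
    while packet[i]:
        n = packet[i]
        labels.append(packet[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)

def doh_get_url(resolver_base: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query, base64url-encoded without
    padding, goes in the `dns` query parameter of the resolver's URL."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_base}?dns={encoded}"

if __name__ == "__main__":
    q = build_query("example.com")
    print("on the wire (hex):", q.hex())
    print("visible to an eavesdropper on UDP/53:", parse_question_name(q))
    # placeholder resolver, assumed for illustration only
    print("DoH GET:", doh_get_url("https://doh.example/dns-query", q))
```

Over DoH the request also carries `Accept: application/dns-message`, and the HTTP response body is the same wire-format DNS message a UDP resolver would return.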
I intend to use all three of these services hosted on a single server. While you could certainly have each of them separated on different servers (and that may be ideal in large environments), for my use there is no need to have three separate servers.
For DNS over HTTPS, I will be using Cloudflare’s 188.8.131.52 service. This means using cloudflared
The environment (for demonstration purposes only): I will be showing you how to do this on Ubuntu 18.04 running in GCP. I have my own VPN set up at home connecting into GCP, so network connectivity is nice and simple, and it allows me to spin up tiny instances in a matter of seconds instead of installing them myself in my local test environment. The instance is an f1-micro (1 vCPU, 0.6 GB memory), which is about as small as they come, but should be perfectly fine for what we are trying to demonstrate. Again, if your environment is large you may of course need to allocate more resources depending on your situation. My server is called dns-1 and it has a local IP of 10.152.0.3. Your server's IP will probably be different to mine, so keep that in mind when reading the instructions below, as you will need to substitute it!
This guide is split into three separate parts.
- The installation and configuration of DoH using cloudflared
- The installation and configuration of Pi-hole
- (Optional) The installation and configuration of BIND
NOTE: These guides assume you know how to operate, to some level, a Linux system, that you have control of your network, and that you can set up your servers to meet the specifications required by each of the vendors listed above. If you struggle with any part, feel free to reach out; you can find my contact details at the bottom of every page.