Ryan Malloy
066ba1892a
- New Corefile snippet (common) shared across plain DNS / DoT / DoH so zone-loading + forward + cache stay DRY across all three transports - scripts/generate-certs.sh: openssl-only self-signed RSA cert with SANs for localhost / 127.0.0.1 / ::1 / coredns / dns.local. Idempotent — skips regeneration if cert is valid >24h ahead; FORCE=1 to rotate. - Key chmod is 0644 so the CoreDNS container's nonroot user can read it via the bind mount. Acceptable for local dev; production should mount real certs with proper UID/GID. - DOT_PORT=8853, DOH_PORT=8443 (avoids Caddy already-on-443 collision) - Makefile: `make certs`, `make test-tls` - All three transports verified end-to-end (dig +tls, dig +https, curl with raw RFC 8484 wire format)
38 lines
948 B
Plaintext
38 lines
948 B
Plaintext
# Shared zone-loading + recursive-forwarding config.
|
|
# CoreDNS snippets are textually expanded by `import`, so we keep anything
|
|
# that's not transport-specific (TLS) in here.
|
|
(common) {
|
|
auto {
|
|
directory /zones (.*)\.zone {1}
|
|
reload 30s
|
|
}
|
|
forward . 1.1.1.1 1.0.0.1 9.9.9.9 {
|
|
max_concurrent 1000
|
|
}
|
|
cache 30
|
|
errors
|
|
log
|
|
loop
|
|
reload 10s
|
|
}
|
|
|
|
# Plain DNS — UDP/TCP :53. Health + metrics live here only (one binding).
|
|
. {
|
|
import common
|
|
health :8080
|
|
prometheus :9153
|
|
}
|
|
|
|
# DNS-over-TLS — RFC 7858. Port 853 is the IANA-assigned DoT port.
|
|
tls://.:853 {
|
|
tls /etc/coredns/certs/cert.pem /etc/coredns/certs/key.pem
|
|
import common
|
|
}
|
|
|
|
# DNS-over-HTTPS — RFC 8484. Default path is /dns-query.
|
|
# Clients: curl -H 'accept: application/dns-message' https://host:8443/dns-query?dns=...
|
|
https://.:443 {
|
|
tls /etc/coredns/certs/cert.pem /etc/coredns/certs/key.pem
|
|
import common
|
|
}
|