cvogt · January 9, 2019 19:56
diff --git a/gistfile1.txt b/gistfile1.txt
 # Configuring DNS-over-TLS on macOS
 # Worked on macOS 10.13.4
 brew -v update
 brew -v doctor
 # Next two commands are optional
 sudo chown -R $(whoami) $(brew --prefix)/*
 echo 'export PATH="/usr/local/sbin:$PATH"' >> ~/.bash_profile
 # Install DNS client
 brew install knot-resolver
 # Should be installed to something like: /usr/local/Cellar/knot-resolver/2.3.0/sbin/kresd
 # Test prior to changing
 kdig www.google.com
 # Look for line starting with "From"
 openssl s_client -showcerts -connect 1.1.1.1:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > /usr/local/etc/kresd/DigiCertGlobalRootCA.pem
 # $HOSTNAME='1.1.1.1' $PORT='443' openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
 cp -av /usr/local/etc/kresd/config /usr/local/etc/kresd/config-$(date +%Y%m%d)
 echo "policy.TLS_FORWARD({{'1.1.1.1', hostname='cloudflare-dns.com.', ca_file='/usr/local/etc/kresd/DigiCertGlobalRootCA.pem' }})" >> /usr/local/etc/kresd/config
 sudo brew services restart knot-resolver
 # Look for error messages. Log file is /usr/local/etc/kresd/config
 # Change resolver
 Go to Apple Menu > System Preferences > Network > Advanced > DNS and add 127.0.0.1 as your DNS server.
 # Test prior to changing
 kdig www.google.com
 # Look for line starting with "From"
 # Something like: ;; From 127.0.0.1@53(UDP) in 32.5 ms
 # Further testing
 kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com google.com

 # Optional config file settings:
 -- Prefetch learning (20-minute blocks over 24 hours)
 predict.config(20, 72)

 -- Enable DNSSEC validation
 trust_anchors.file = '/etc/knot-resolver/root.keys'

 # IPv6 addresses for Cloudflare:
 2606:4700:4700::1111
 2606:4700:4700::1001

 # Get root keys:
 # https://data.iana.org/root-anchors/root-anchors.xml
 # Automatic bootstrap requires luasocket and luasec to be installed.
 brew install ldns
 kdig DNSKEY . @k.root-servers.net +noall +answer | grep "DNSKEY[[:space:]]257" > /etc/knot-resolver/root.keys
 ldns-key2ds -n /etc/knot-resolver/root.keys
 # Bootstrapping and automatic update need write access to keyfile direcory. If you want to manage root anchors manually you should use trust_anchors.add_file('/etc/knot-resolver/root.keys', true)
 # See https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec for more help

 # Validation (it seems backwards):
 dig @ADDRESS dnssec-failed.org a +dnssec
 # Success
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
 # Failure
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR
	# Configuring DNS-over-TLS on macOS
	# Worked on macOS 10.13.4
	brew -v update
	brew -v doctor
	# Next two commands are optional
	sudo chown -R $(whoami) $(brew --prefix)/*
	echo 'export PATH="/usr/local/sbin:$PATH"' >> ~/.bash_profile
	# Install DNS client
	brew install knot-resolver
	# Should be installed to something like: /usr/local/Cellar/knot-resolver/2.3.0/sbin/kresd
	# Test prior to changing
	kdig www.google.com
	# Look for line starting with "From"
	openssl s_client -showcerts -connect 1.1.1.1:443 </dev/null 2>/dev/null\|openssl x509 -outform PEM > /usr/local/etc/kresd/DigiCertGlobalRootCA.pem
	# $HOSTNAME='1.1.1.1' $PORT='443' openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
	cp -av /usr/local/etc/kresd/config /usr/local/etc/kresd/config-$(date +%Y%m%d)
	echo "policy.TLS_FORWARD({{'1.1.1.1', hostname='cloudflare-dns.com.', ca_file='/usr/local/etc/kresd/DigiCertGlobalRootCA.pem' }})" >> /usr/local/etc/kresd/config
	sudo brew services restart knot-resolver
	# Look for error messages. Log file is /usr/local/etc/kresd/config
	# Change resolver
	Go to Apple Menu > System Preferences > Network > Advanced > DNS and add 127.0.0.1 as your DNS server.
	# Test prior to changing
	kdig www.google.com
	# Look for line starting with "From"
	# Something like: ;; From 127.0.0.1@53(UDP) in 32.5 ms
	# Further testing
	kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com google.com

	# Optional config file settings:
	-- Prefetch learning (20-minute blocks over 24 hours)
	predict.config(20, 72)

	-- Enable DNSSEC validation
	trust_anchors.file = '/etc/knot-resolver/root.keys'

	# IPv6 addresses for Cloudflare:
	2606:4700:4700::1111
	2606:4700:4700::1001

	# Get root keys:
	# https://data.iana.org/root-anchors/root-anchors.xml
	# Automatic bootstrap requires luasocket and luasec to be installed.
	brew install ldns
	kdig DNSKEY . @k.root-servers.net +noall +answer \| grep "DNSKEY[[:space:]]257" > /etc/knot-resolver/root.keys
	ldns-key2ds -n /etc/knot-resolver/root.keys
	# Bootstrapping and automatic update need write access to keyfile direcory. If you want to manage root anchors manually you should use trust_anchors.add_file('/etc/knot-resolver/root.keys', true)
	# See https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec for more help

	# Validation (it seems backwards):
	dig @ADDRESS dnssec-failed.org a +dnssec
	# Success
	;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
	# Failure
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR