We recently had a blog post on how to secure your DNS traffic using DNS-over-TLS or DNS-over-HTTPS (German only). The article gave an introduction on how to run dnsdist as a local resolver on Debian 11. In that setup, dnsdist accepted queries over DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).
That is the right solution for scenarios where your clients can speak DoT or DoH natively. But what if they can't? In that case you can run your own resolver that listens on the usual, unencrypted DNS ports (53/udp and 53/tcp). DNS traffic on your local network then stays unencrypted, which may or may not be acceptable depending on your threat model: anyone on that network segment can still read or tamper with queries before they reach the resolver. Once the requests have reached your local resolver, it forwards them over DoH to a server of your choice. Which one to pick is up to you; a list of available servers can be found at DNSprivacy.org.
In this article, we will run our own resolver in Kubernetes using a Helm chart for cloudflared. Despite the name, cloudflared's DNS proxy can forward to many different DoH endpoints, not just Cloudflare's.
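To make the architecture from the previous paragraphs concrete, here is an added example of what such a resolver looks like as plain Kubernetes manifests: a Deployment running cloudflared's `proxy-dns` mode on an unprivileged port, and a Service that exposes it on port 53. This is not the Helm chart the article uses and not code from the original post; the namespace, names, replica count, image tag, user id and the upstream URL `https://doh.example.org/dns-query` are assumptions you would replace with your own values.

```yaml
# Added example (not the article's Helm chart): cloudflared as a plain-DNS
# listener that forwards queries upstream over DoH.
# Assumptions: namespace "dns", image tag, uid 65532, and the upstream URL.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: doh-resolver
  namespace: dns
spec:
  replicas: 2
  selector:
    matchLabels:
      app: doh-resolver
  template:
    metadata:
      labels:
        app: doh-resolver
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532          # assumed non-root uid
      containers:
        - name: cloudflared
          image: cloudflare/cloudflared:latest   # assumed tag; pin a digest in production
          args:
            - proxy-dns
            - --address
            - "0.0.0.0"
            - --port
            - "5053"              # unprivileged port; the Service maps 53 -> 5053
            - --upstream
            - https://doh.example.org/dns-query   # assumed upstream; pick one from DNSprivacy.org
          ports:
            - name: dns-udp
              containerPort: 5053
              protocol: UDP
            - name: dns-tcp
              containerPort: 5053
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]       # no CAP_NET_BIND_SERVICE needed on 5053
---
apiVersion: v1
kind: Service
metadata:
  name: doh-resolver
  namespace: dns
spec:
  selector:
    app: doh-resolver
  ports:
    - name: dns-udp
      port: 53
      targetPort: 5053
      protocol: UDP
    - name: dns-tcp
      port: 53
      targetPort: 5053
      protocol: TCP
```

Listening on 5053 inside the container and mapping port 53 in the Service lets the proxy run without root and without any capabilities. After applying, verify from a pod in the cluster with `dig @doh-resolver.dns.svc.cluster.local example.com`, and check with a packet capture on the node that the only outbound traffic from the pod is TLS on 443 to the upstream. One caveat: cloudflared has to resolve the upstream's hostname before it can speak DoH to it, and by default it uses its own bootstrap resolver for that first lookup; check `cloudflared proxy-dns --help` for the `--bootstrap` option if you want that lookup to go to a resolver you control.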