DNS over TLS at your laptop. Today.

Kirill A. Korinsky
1 min read, Oct 27, 2018

It looks like Google has started to offer DNS-over-TLS on its publicly available DNS servers.

So we now have at least three different providers that offer public DNS-over-TLS:

  • Quad9: 9.9.9.9 and 149.112.112.112
  • Cloudflare: 1.1.1.1 and 1.0.0.1
  • Google: 8.8.8.8 and 8.8.4.4

You can easily add all of these servers to your laptop with knot-resolver.

The first step is to install it. I’m using macOS, so I ran brew install knot-resolver

The next step is to fetch the root CA certificates that sign those DNS servers’ certificates and put them next to the kresd config. kresd will verify each server’s certificate chain against that root when it opens the TLS connection.

How do you determine which one is required? You can check it yourself with openssl s_client -showcerts -connect 1.1.1.1:853 (the issuer chain is printed at the top of the output); either way, I can save you the time:

  • Quad9 and Cloudflare use DigiCert
  • Google uses GlobalSign R2

You can download DER-encoded versions from:

After that you need openssl to convert each one to PEM, e.g. openssl x509 -inform der -in Root-R2.crt -out GlobalSignR2CA.pem

OK, you have the certificates and you have knot-resolver installed. Now you need to enable TLS forwarding. Just put it in the config (/usr/local/etc/kresd/config on macOS):
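The config block is missing from the page, so here is an added example of what such a kresd config looks like; it is not the author’s original file. The server hostnames (dns.quad9.net, cloudflare-dns.com, dns.google), the PEM file names, the listen addresses and the cache size are assumptions; check the hostnames against the providers’ documentation and make sure they match the SAN in the certificate that openssl s_client shows you.

```lua
-- Added example kresd config (Lua), not the original from the post.
-- Assumed location on a Homebrew install: /usr/local/etc/kresd/config
-- Assumptions: CA PEM files live next to this config under the names
-- below, and the hostnames are the names each provider puts in its cert.

-- Listen on loopback only, so nothing else on the network can use this
-- resolver as an open recursor.
net.listen('127.0.0.1', 53)
net.listen('::1', 53)

-- Modest cache; size is an assumption, tune to taste.
cache.size = 100 * MB

-- Directory holding the converted root certificates (assumed path).
local cadir = '/usr/local/etc/kresd/'
local digicert   = cadir .. 'DigiCertGlobalRootCA.pem'  -- assumed file name
local globalsign = cadir .. 'GlobalSignR2CA.pem'        -- from the openssl step above

-- Forward every query over TLS (port 853) to the three providers.
-- For each target, kresd validates the server certificate chain against
-- ca_file and checks that the certificate is valid for 'hostname'.
-- If either check fails, the connection is refused and the query fails,
-- rather than silently falling back to plaintext DNS.
policy.add(policy.all(policy.TLS_FORWARD({
  -- Quad9 (DigiCert root)
  {'9.9.9.9',         hostname = 'dns.quad9.net',      ca_file = digicert},
  {'149.112.112.112', hostname = 'dns.quad9.net',      ca_file = digicert},
  -- Cloudflare (DigiCert root)
  {'1.1.1.1',         hostname = 'cloudflare-dns.com', ca_file = digicert},
  {'1.0.0.1',         hostname = 'cloudflare-dns.com', ca_file = digicert},
  -- Google (GlobalSign R2 root)
  {'8.8.8.8',         hostname = 'dns.google',         ca_file = globalsign},
  {'8.8.4.4',         hostname = 'dns.google',         ca_file = globalsign},
})))
```

The security-relevant part is the hostname plus ca_file pair on every target: without them a TLS forward only gives you encryption, not authentication, and an on-path attacker could terminate the TLS session with any certificate. With them the resolver fails closed, which is also why a provider changing its CA shows up as broken resolution and errors in kresd.log rather than as a silent downgrade.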

and then install/start the service with sudo brew services restart knot-resolver

dig @127.0.0.1 medium.com should return something reasonable. It does? Good. Doesn’t? Well… enjoy /usr/local/var/log/kresd.log :)

The last step is to force the system to use 127.0.0.1 as its only DNS server (on macOS, per network service under System Preferences > Network > Advanced > DNS, or from the terminal with networksetup); otherwise your applications keep asking the DHCP-supplied resolver in plaintext.


Kirill A. Korinsky

IT geek who loves to play with the data. Would like to contact me? Just drop an email to kirill@korins.ky