Proj 8x: DNS Over HTTPS (10 pts. extra credit)
What You Need for This Project
- A 64-bit Linux machine, real or virtual. I used Ubuntu 16.04 Server.
Purpose
Enhance privacy by resolving DNS over HTTPS.
Installing CoreDNS
On your 64-bit Linux server, in a Terminal prompt (or an SSH session), execute these commands:
cd
wget https://github.com/coredns/coredns/releases/download/v011/coredns_011_linux_x86_64.tgz
tar xzvf coredns_011_linux_x86_64.tgz
./coredns -h
You should see the CoreDNS help message, as shown below.

Configuring a CoreDNS Proxy
On your 64-bit Linux server, in a Terminal prompt (or an SSH session), execute this command:
nano Corefile
Paste in this code, as shown below.
. {
    proxy . 8.8.8.8:53 {
        protocol https_google
    }
    prometheus
    errors stdout
    log stdout
}

Save the file with Ctrl+X, Y, Enter.
Start the proxy server with this command:
sudo ./coredns
Enter your password when you are prompted to.
Leave this window open.
Performing a DNS Lookup
Open a second Terminal window or SSH session on your 64-bit Linux machine.
Execute this command:
dig @127.0.0.1 ccsf.edu
You get the A record for ccsf.edu from the proxy server, as shown below.

Saving a Screen Image
Make sure you can see these required elements:
- Bootstrapping A records from "dns.google.com"
- dig @127.0.0.1 ccsf.edu
- 147.144.1.212
Save a full-desktop image with the filename "YOUR NAME Proj 8xa", replacing "YOUR NAME" with your real name.
Viewing Traffic to dns.google.com
In a Terminal window, execute this command:
dig @127.0.0.1 dns.google.com
You get the A record for dns.google.com as shown below. Remember this IP address.
When I did it, the IP address was 172.217.6.46.

Monitoring Traffic with tcpdump
Open a third Terminal window or SSH session to your 64-bit Linux server and execute this command, replacing the IP address with the address you remembered in the previous step.
sudo tcpdump -nX dst 172.217.6.46
In the unused Terminal window, execute this command:
dig @127.0.0.1 kittenwar.com
As shown below, you get the A record for kittenwar.com, but the traffic actually sent to Google travels over HTTPS on port 443, so it's encrypted--the string "kittenwar" does not appear in the lowest window below.
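An added example, not part of the original project: the ASCII column of `tcpdump -nX` breaks every 16 bytes, so a name can be split across rows and missed by eye or by grep. This Python check reassembles each packet and searches for the name in DNS wire format. The sample capture, the 10.0.0.5 source address, the ports 40000/40001 and all function names are constructed for illustration.

```python
import re

# One hex-dump row of `tcpdump -nX`: offset, hex groups, then an ASCII column (ignored).
HEX_ROW = re.compile(r"^\s+0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} ?)+)")

def packets(dump):
    """Yield (header_line, packet_bytes) for each packet in tcpdump -nX text."""
    header, rows = None, []
    for line in dump.splitlines() + ["<end>"]:   # sentinel flushes the last packet
        m = HEX_ROW.match(line)
        if m:
            rows.append(m.group(1).replace(" ", ""))
        elif line.strip():
            if header is not None:
                yield header, bytes.fromhex("".join(rows))
            header, rows = line.strip(), []

def wire_name(name):
    """DNS wire format: length-prefixed labels, no dots (RFC 1035)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def cleartext_hits(dump, name):
    """Headers of packets whose reassembled bytes contain the queried name."""
    needle = wire_name(name).lower()
    return [hdr for hdr, data in packets(dump) if needle in data.lower()]

def row_grep_hits(dump, word):
    """What a row-by-row search of the hex dump (ASCII column included) would find."""
    return [l for l in dump.splitlines() if HEX_ROW.match(l) and word in l]

# Constructed sample (not a real capture): a plain UDP/53 query and a TLS record to port 443.
SAMPLE = """\
12:00:00.000001 IP 10.0.0.5.40000 > 8.8.8.8.53: 4660+ A? kittenwar.com. (31)
        0x0000:  4500 003b 1c46 4000 4011 0000 0a00 0005  E..;.F@.@.......
        0x0010:  0808 0808 9c40 0035 0027 0000 1234 0100  .....@.5.'...4..
        0x0020:  0001 0000 0000 0000 096b 6974 7465 6e77  .........kittenw
        0x0030:  6172 0363 6f6d 0000 0100 01              ar.com.....
12:00:00.000002 IP 10.0.0.5.40001 > 172.217.6.46.443: Flags [P.], seq 1:9, ack 1, win 65535, length 8
        0x0000:  4500 0030 1c47 4000 4006 0000 0a00 0005  E..0.G@.@.......
        0x0010:  acd9 062e 9c41 01bb 0000 0001 0000 0001  .....A..........
        0x0020:  5018 ffff 0000 0000 1703 0300 039f 2ce1  P.............,.
"""

if __name__ == "__main__":
    for hdr in cleartext_hits(SAMPLE, "kittenwar.com"):
        print("name visible on the wire:", hdr)
    print("row-wise grep hits:", row_grep_hits(SAMPLE, "kittenwar"))
```

To run it against your own capture, save the tcpdump output to a file and pass its text to `cleartext_hits`; with the DNS-over-HTTPS proxy working, the list should be empty for traffic to port 443.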

Saving a Screen Image
Make sure you can see traffic to port 443, like this: 172.217.6.46.443, as shown above.
Save a full-desktop image with the filename "YOUR NAME Proj 8xb", replacing "YOUR NAME" with your real name.
Turning In Your Project
Email the images to me as attachments to an e-mail message. Send it to: cnit.40@gmail.com with a subject line of "Proj 8x From YOUR NAME", replacing "YOUR NAME" with your real name.
Send a Cc to yourself.
Sources
CoreDNS Quick Start
Last modified 12-5-18