Chapter 5. Securing system DNS traffic with encrypted DNS (eDNS)
You can enable encrypted DNS (eDNS) to secure DNS communication by using the DNS-over-TLS (DoT) protocol. Encrypted DNS encrypts all DNS traffic end-to-end, with no fallback to insecure protocols, and aligns with the principles of zero trust architecture (ZTA).
The current implementation of eDNS in RHEL uses only the DoT protocol. There are two primary methods to install RHEL with eDNS enabled. You can perform an interactive installation from local media, or you can build a custom bootable ISO to ensure eDNS is configured with an enforce policy during and after installation. Alternatively, you can convert an existing RHEL installation to use eDNS.
5.1. Overview of components for eDNS in RHEL
Understanding the core components and their layered interactions used in the encrypted DNS (eDNS) setup helps ensure proper configuration and security.
The following components comprise the eDNS setup in RHEL and interact in a layered fashion:
- NetworkManager
  NetworkManager enables eDNS and enforces the use of encrypted DNS protocols based on the configured policy. It is set to use dnsconfd as its backend DNS resolver.
- dnsconfd
  dnsconfd is a local DNS cache configuration daemon. It simplifies the setup of DNS caching, split DNS, and DNS over TLS (DoT).
- unbound
  unbound is a validating, recursive, and caching DNS resolver. In the eDNS setup, it serves as the runtime cache service for dnsconfd. unbound uses TLS for upstream DNS queries, which is essential for encrypting DNS traffic to external DoT servers. unbound also manages various caches to store DNS responses, which reduces the need for repeated external queries and improves performance.
5.1.1. eDNS resolution process and core interactions
1. An application requests to resolve a hostname.
2. The system reads the /etc/resolv.conf file and sends the query to the local unbound service.
3. unbound first checks its internal caches for a valid, cached response.
4. If the requested record is not found, unbound encrypts the DNS query by using TLS and sends it to the configured upstream DoT-enabled DNS server.
5. The upstream DoT server processes the query and sends an encrypted DNS response back to unbound.
6. unbound decrypts, validates, and caches the response.
7. Finally, unbound sends the resolved DNS response back to the application.
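The exchange in steps 4 and 5 is ordinary DNS wire format carried inside a TLS session on port 853, with each message prefixed by a 2-byte length (RFC 7858). The following Python block is an added example, not code from the Red Hat documentation or from unbound or dnsconfd: it builds a query, applies the DoT framing, parses a constructed answer, and shows the TLS client settings a DoT client needs (certificate chain and hostname verification, which is why the server is written as dns+tls://<server_ip>#<dns_server_hostname>). The function names, the sample response bytes and the use of the documentation address 198.51.100.143 are assumptions; query_over_dot needs network access and is included only to show how the pieces fit together.

```python
# Added example: DNS-over-TLS message framing and a verifying client context.
# Not part of the Red Hat page; names and sample data are constructed.
import socket
import ssl
import struct

DOT_PORT = 853


def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query in wire format for `name`; qtype 1 is an A record."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def frame_for_dot(msg):
    """RFC 7858 (same as DNS over TCP): a 2-byte big-endian length before each message."""
    return struct.pack("!H", len(msg)) + msg


def unframe(stream):
    """Split bytes read from the TLS socket back into individual DNS messages."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        if off + 2 + n > len(stream):
            raise ValueError("truncated DoT frame")
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # bounded walk so a pointer loop in a hostile reply cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Parse the header, skip the question section, and return the answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # render an A record as a dotted quad
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def dot_context(cafile=None):
    """TLS settings for a DoT client: verify the chain (against a bundle such as the
    page's /etc/pki/dns/extracted/pem/tls-ca-bundle.pem, or the system store when
    cafile is None), verify the hostname, and refuse TLS older than 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True  # already the default; spelled out because it is the point
    return ctx


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TLS session mid-message")
        buf += chunk
    return buf


def query_over_dot(server_ip, server_hostname, name, cafile=None, timeout=5.0):
    """Live exchange (needs network; not run offline): connect to the IP, verify the
    certificate against the hostname, send one framed query, read one framed answer."""
    ctx = dot_context(cafile)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame_for_dot(build_query(name)))
            (n,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, n))


# Constructed sample: an answer for "example.com A" pointing at 198.51.100.143.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # id, QR|RD|RA, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"   # name ptr->12, A, IN, TTL 300, rdlen 4
    b"\xc6\x33\x64\x8f"                                   # 198.51.100.143
)

if __name__ == "__main__":
    print(parse_response(unframe(frame_for_dot(SAMPLE_RESPONSE))[0]))
```

The bounded loop in _read_name and the length check in unframe are the two places where a resolver has to distrust the upstream even over TLS: encryption protects the channel, not the well-formedness of what arrives on it.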
5.2. Installing RHEL with eDNS enabled from a local installation media
Install RHEL with encrypted DNS (eDNS) enabled directly from local media using an enforce policy. This helps ensure that all DNS queries remain private and secure during and after the installation process.
If you require a custom CA certificate bundle, you must install it by using the %certificate section in the Kickstart file.
During the installation, you must provide both the RHEL installation content and the Kickstart file from local media. You cannot download the Kickstart file from a remote HTTP server because the installation program requires DNS to resolve the server's hostname, and DNS is not yet available in enforce mode at that point. If your environment is configured to support a fallback to unencrypted DNS, you can perform a standard RHEL installation and configure eDNS afterwards.
Prerequisites
- Commands that start with the # command prompt require administrative privileges provided by sudo or root user access. For information on how to configure sudo access, see Enabling unprivileged users to run certain commands.
- You have the RHEL installation media available locally.
- If you require a custom CA bundle, have your Kickstart file with a %certificate section available locally.
Procedure
1. Optional: Create a Kickstart file with a %certificate section. Ensure the certificate is saved in a file named tls-ca-bundle.pem.

```
%certificate --dir /etc/pki/dns/extracted/pem/ --filename tls-ca-bundle.pem
-----BEGIN CERTIFICATE-----
<Base64-encoded_certificate_content>
-----END CERTIFICATE-----
%end
```

2. Prepare your bootable installation media, and include the Kickstart file if you need a custom CA bundle.
3. Boot the installation media.
4. From the boot menu window, select the required option and press the e key to edit the boot parameters. Add the eDNS kernel arguments:

```
linux ($root)/vmlinuz-6.12.0-0.el10_0.x86_64 root=/dev/mapper/rhel-root ro crashkernel=2G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet emergency ip=dhcp rd.net.dns=dns+tls://<server_ip>#<dns_server_hostname> rd.net.dns-resolve-mode=exclusive rd.net.dns-backend=dnsconfd inst.ks=hd:/dev/sdb1/mykickstart.ks
```

5. When you finish editing, press Ctrl+X to start the installation using the specified options.
Verification
1. Verify your eDNS configuration:

```
$ dnsconfd status
```

Expected output:

```
Running cache service: unbound
Resolving mode: exclusive
Config present in service:
{
    ".": [
        "dns+tls://198.51.100.143#dot.dns.example.com"
    ]
}
State of Dnsconfd: RUNNING
Info about servers:
[
    {
        "address": "198.51.100.143",
        "port": 853,
        "name": "dot.dns.example.com",
        "routing_domains": [
            "."
        ],
        "search_domains": [],
        "interface": null,
        "protocol": "dns+tls",
        "dnssec": true,
        "networks": [],
        "firewall_zone": null
    }
]
```

2. Verify that the DNS server is responsive by using nslookup:

```
$ nslookup <domain_name>
```

Replace <domain_name> with the domain that you want to query.
Troubleshooting
1. Enable detailed logging in unbound:

```
# unbound-control verbosity 5
```

2. Review logs for the relevant service:

```
$ journalctl -xe -u <service_name>
```

Replace <service_name> with NetworkManager, dnsconfd, or unbound.
5.3. Installing RHEL with eDNS enabled using a custom bootable ISO
Create a custom bootable ISO to install RHEL with encrypted DNS (eDNS) enabled using a strict enforce policy. This method helps ensure that all DNS traffic is private and secure during and after the installation.
If you require a custom CA certificate bundle, you must install it by using the %certificate section in the Kickstart file. You then reference this Kickstart file in a script to build a new ISO, which includes kernel arguments to enforce a strict DoT policy. If your environment is configured to support a fallback to unencrypted DNS, you can perform a standard RHEL installation and configure eDNS afterwards.
Prerequisites
- Commands that start with the # command prompt require administrative privileges provided by sudo or root user access. For information on how to configure sudo access, see Enabling unprivileged users to run certain commands.
- You have downloaded the minimal installation Boot ISO image from the Product Downloads page.
- You have a Kickstart file ready with a %certificate section if you need a custom CA bundle.
- The lorax package is installed.
Procedure
1. Optional: Create a Kickstart file with a %certificate section. Ensure the certificate is saved in a file named tls-ca-bundle.pem.

```
%certificate --dir /etc/pki/dns/extracted/pem/ --filename tls-ca-bundle.pem
-----BEGIN CERTIFICATE-----
<Base64-encoded_certificate_content>
-----END CERTIFICATE-----
%end
```

2. Add the Kickstart file and kernel arguments into the ISO. The following script example demonstrates how to create a custom bootable ISO with eDNS enabled. You must create a script file to automate this process.

```bash
#!/bin/bash
set -ex

KERNELARGS=""
# Enable network
KERNELARGS+="ip=dhcp "
# Set DoT DNS server
KERNELARGS+="rd.net.dns=dns+tls://<server_ip>#<dns_server_hostname> "
# Set to 'exclusive' to disable fallback to unencrypted DNS. Other values: 'backup', 'prefer'.
KERNELARGS+="rd.net.dns-resolve-mode=exclusive "
# Set the dnsconfd plugin for NetworkManager
KERNELARGS+="rd.net.dns-backend=dnsconfd "

# Remove any existing ISO to prevent conflicts with the new build
rm -f <output_iso_filename>

# Create a new bootable ISO with the Kickstart config file and kernel arguments
mkksiso --ks <kickstart_file> --cmdline "$KERNELARGS" <input_iso_filename> <output_iso_filename>
```

3. Run the script:

```
sh <script_filename>
```

4. Install RHEL using the customized ISO file.
Verification
1. Verify your eDNS configuration:

```
$ dnsconfd status
```

Expected output:

```
Running cache service: unbound
Resolving mode: exclusive
Config present in service:
{
    ".": [
        "dns+tls://198.51.100.143#dot.dns.example.com"
    ]
}
State of Dnsconfd: RUNNING
Info about servers:
[
    {
        "address": "198.51.100.143",
        "port": 853,
        "name": "dot.dns.example.com",
        "routing_domains": [
            "."
        ],
        "search_domains": [],
        "interface": null,
        "protocol": "dns+tls",
        "dnssec": true,
        "networks": [],
        "firewall_zone": null
    }
]
```

2. Verify that the DNS server is responsive by using nslookup:

```
$ nslookup <domain_name>
```

Replace <domain_name> with the domain that you want to query.
Troubleshooting
1. Enable detailed logging in unbound:

```
# unbound-control verbosity 5
```

2. Review logs for the relevant service:

```
$ journalctl -xe -u <service_name>
```

Replace <service_name> with NetworkManager, dnsconfd, or unbound.
5.4. Enabling eDNS on an existing RHEL installation
You can enable encrypted DNS (eDNS) on an existing RHEL installation to handle all DNS traffic by using DNS-over-TLS.
Prerequisites
- Commands that start with the # command prompt require administrative privileges provided by sudo or root user access. For information on how to configure sudo access, see Enabling unprivileged users to run certain commands.
- You have an existing RHEL installation.
- The following packages are installed on your system:
  - dnsconfd
  - dnsconfd-dracut
  - grubby
- If on an IBM Z system, the zipl utility is installed.
Procedure
1. Configure NetworkManager in the /etc/NetworkManager/conf.d/global-dot.conf file. Each server entry pairs the IP address with the hostname that the server certificate is validated against, separated by #:

```
[main]
dns=dnsconfd

[global-dns]
resolve-mode=exclusive

[global-dns-domain-*]
servers=dns+tls://<server_ip_1>#<dns_server_hostname_1>,dns+tls://<server_ip_2>#<dns_server_hostname_2>
```

For more details on global DNS options, see the GLOBAL-DNS SECTION in the NetworkManager.conf(5) man page on your system.

2. Optional: To use a custom CA bundle for validating upstream DoT servers, copy the PEM-formatted file to the /etc/pki/dns/extracted/pem/tls-ca-bundle.pem file.

Note: After adding or removing certificates in /etc/pki/dns/extracted/pem, restart the dnsconfd service to apply the changes.

3. Enable the dnsconfd service:

```
# systemctl enable --now dnsconfd
```

4. Reload NetworkManager:

```
# systemctl reload NetworkManager
```

5. Regenerate the initramfs for all installed kernels to include dnsconfd and its configuration:

```
# for kernel in $(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'); do dracut -f --kver="$kernel"; done
```

6. Set the kernel arguments for the current and newly installed kernel versions:

```
# grubby --args="rd.net.dns=dns+tls://<server_ip>#<dns_server_hostname> rd.net.dns-resolve-mode=exclusive rd.net.dns-backend=dnsconfd" --update-kernel=ALL
```

7. If on IBM Z, update the boot menu:

```
# zipl
```
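Two of the steps above are easy to get subtly wrong in a way that silently downgrades the setup: a resolve-mode other than exclusive re-enables fallback to the connection's DNS servers, and a server entry without the #<hostname> part leaves nothing to validate the certificate against. The following Python block is an added example, not code from the Red Hat documentation or from NetworkManager or dnsconfd: it checks a global-dot.conf fragment and a grubby kernel argument string for exactly those conditions. The function names and the sample inputs are constructed; the GOOD samples mirror the procedure above, the WEAK one contains the mistakes.

```python
# Added example: lint the NetworkManager global-dns configuration and the kernel
# arguments for DoT-only (enforce) settings. Not part of the Red Hat page.
import configparser
import re
import shlex

# dns+tls://<ip>#<hostname>: the hostname part is mandatory, because without it
# the resolver has no name to verify the server certificate against.
SERVER_RE = re.compile(r"^dns\+tls://(?P<ip>[^#/]+)#(?P<host>[A-Za-z0-9.-]+)$")


def check_server_uri(uri):
    """Return None if uri is an acceptable DoT server spec, otherwise the reason."""
    if not uri.startswith("dns+tls://"):
        return f"{uri!r} is not dns+tls://: queries to it would go out in plaintext"
    if not SERVER_RE.match(uri):
        return f"{uri!r} lacks #<hostname>: the server certificate cannot be verified"
    return None


def check_nm_global_dot(conf_text):
    """Findings for a NetworkManager conf.d fragment; an empty list means enforce mode."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if cp.get("main", "dns", fallback=None) != "dnsconfd":
        findings.append("[main] dns is not dnsconfd")
    mode = cp.get("global-dns", "resolve-mode", fallback=None)
    if mode != "exclusive":
        findings.append(f"[global-dns] resolve-mode is {mode!r}: fallback to connection DNS is allowed")
    domain_sections = [s for s in cp.sections() if s.startswith("global-dns-domain-")]
    if not domain_sections:
        findings.append("no [global-dns-domain-*] section, so no global servers at all")
    for sec in domain_sections:
        servers = [s.strip() for s in cp.get(sec, "servers", fallback="").split(",") if s.strip()]
        if not servers:
            findings.append(f"[{sec}] lists no servers")
        findings.extend(f"[{sec}] {r}" for r in map(check_server_uri, servers) if r)
    return findings


def check_kernel_args(cmdline):
    """Findings for a kernel command line such as the string given to grubby --args."""
    wanted = {"rd.net.dns-resolve-mode": "exclusive", "rd.net.dns-backend": "dnsconfd"}
    args, servers = {}, []
    for tok in shlex.split(cmdline):
        key, _, val = tok.partition("=")
        if key == "rd.net.dns":      # may repeat, one entry per upstream server
            servers.append(val)
        else:
            args[key] = val
    findings = [f"{k} is {args.get(k)!r}, expected {v!r}" for k, v in wanted.items() if args.get(k) != v]
    if not servers:
        findings.append("no rd.net.dns= argument: the initramfs has no DoT server to use")
    findings.extend(r for r in map(check_server_uri, servers) if r)
    return findings


# Constructed samples. GOOD_CONF follows the procedure; WEAK_CONF uses backup mode,
# one server without the #hostname part and one plain dns:// server.
GOOD_CONF = """\
[main]
dns=dnsconfd

[global-dns]
resolve-mode=exclusive

[global-dns-domain-*]
servers=dns+tls://198.51.100.143#dot.dns.example.com,dns+tls://203.0.113.1#dot.dns.example.net
"""
WEAK_CONF = """\
[main]
dns=dnsconfd

[global-dns]
resolve-mode=backup

[global-dns-domain-*]
servers=dns+tls://198.51.100.143dot.dns.example.com,dns://203.0.113.1
"""
GOOD_KARGS = ("rd.net.dns=dns+tls://198.51.100.143#dot.dns.example.com "
              "rd.net.dns-resolve-mode=exclusive rd.net.dns-backend=dnsconfd")

if __name__ == "__main__":
    for label, found in (("good conf", check_nm_global_dot(GOOD_CONF)),
                         ("weak conf", check_nm_global_dot(WEAK_CONF)),
                         ("kernel args", check_kernel_args(GOOD_KARGS))):
        print(label, "OK" if not found else found)
```

On a live system the same functions can be fed the contents of /etc/NetworkManager/conf.d/global-dot.conf and of /proc/cmdline; the latter confirms that the grubby change actually reached the kernel that is running, not only the configuration on disk.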
Verification
1. Verify your eDNS configuration:

```
$ dnsconfd status
```

Expected output:

```
Running cache service: unbound
Resolving mode: exclusive
Config present in service:
{
    ".": [
        "dns+tls://198.51.100.143#dot.dns.example.com"
    ]
}
State of Dnsconfd: RUNNING
Info about servers:
[
    {
        "address": "198.51.100.143",
        "port": 853,
        "name": "dot.dns.example.com",
        "routing_domains": [
            "."
        ],
        "search_domains": [],
        "interface": null,
        "protocol": "dns+tls",
        "dnssec": true,
        "networks": [],
        "firewall_zone": null
    }
]
```

2. Verify that the DNS server is responsive by using nslookup:

```
$ nslookup <domain_name>
```

Replace <domain_name> with the domain that you want to query.
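The status output is the one place that shows what dnsconfd is actually doing at runtime rather than what the files on disk say, so it is worth checking mechanically rather than by eye. The following Python block is an added example, not code from the Red Hat documentation or from dnsconfd: it parses the output in the form shown above (the "Resolving mode" and "State of Dnsconfd" lines plus the JSON server list after "Info about servers:") and reports anything that is not DoT-only. The two sample outputs are constructed; STATUS_OK mirrors the expected output above, STATUS_WEAK is what a fallback configuration looks like. The function names and the choice of checks (including flagging dnssec false) are my own.

```python
# Added example: turn `dnsconfd status` output into a pass/fail check.
# Not part of the Red Hat page; sample outputs are constructed.
import json
import re


def parse_dnsconfd_status(text):
    """Extract resolving mode, daemon state and the server list (JSON) from the output."""
    mode = re.search(r"Resolving mode:\s*(\S+)", text)
    state = re.search(r"State of Dnsconfd:\s*(\S+)", text)
    marker = "Info about servers:"
    idx = text.find(marker)
    servers = json.loads(text[idx + len(marker):]) if idx >= 0 else []
    return {"mode": mode.group(1) if mode else None,
            "state": state.group(1) if state else None,
            "servers": servers}


def status_findings(text):
    """Empty list: dnsconfd is running in exclusive mode with DoT-only, verifiable upstreams."""
    st = parse_dnsconfd_status(text)
    findings = []
    if st["state"] != "RUNNING":
        findings.append(f"dnsconfd state is {st['state']!r}, not RUNNING")
    if st["mode"] != "exclusive":
        findings.append(f"resolving mode is {st['mode']!r}: fallback to unencrypted DNS is possible")
    if not st["servers"]:
        findings.append("no upstream servers configured")
    for s in st["servers"]:
        addr = s.get("address")
        if s.get("protocol") != "dns+tls":
            findings.append(f"{addr}: protocol {s.get('protocol')!r} is not dns+tls")
        if s.get("port") != 853:
            findings.append(f"{addr}: port {s.get('port')} is not the DoT port 853")
        if not s.get("name"):
            findings.append(f"{addr}: no hostname, so the server certificate cannot be verified")
        if s.get("dnssec") is not True:
            findings.append(f"{addr}: DNSSEC validation is off")
    return findings


STATUS_OK = """\
Running cache service: unbound
Resolving mode: exclusive
Config present in service:
{
    ".": [
        "dns+tls://198.51.100.143#dot.dns.example.com"
    ]
}
State of Dnsconfd: RUNNING
Info about servers:
[
    {
        "address": "198.51.100.143",
        "port": 853,
        "name": "dot.dns.example.com",
        "routing_domains": ["."],
        "search_domains": [],
        "interface": null,
        "protocol": "dns+tls",
        "dnssec": true,
        "networks": [],
        "firewall_zone": null
    }
]
"""

STATUS_WEAK = """\
Running cache service: unbound
Resolving mode: backup
Config present in service:
{".": ["dns://203.0.113.1"]}
State of Dnsconfd: RUNNING
Info about servers:
[{"address": "203.0.113.1", "port": 53, "name": null, "routing_domains": ["."],
  "search_domains": [], "interface": null, "protocol": "dns", "dnssec": false,
  "networks": [], "firewall_zone": null}]
"""

if __name__ == "__main__":
    print("ok:", status_findings(STATUS_OK))
    print("weak:", status_findings(STATUS_WEAK))
```

In practice the text is read from the output of dnsconfd status (for example via subprocess.run) and a non-empty findings list is a reason to stop and re-check the configuration before relying on the host.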
Troubleshooting
1. Enable detailed logging in unbound:

```
# unbound-control verbosity 5
```

2. Review logs for the relevant service:

```
$ journalctl -xe -u <service_name>
```

Replace <service_name> with NetworkManager, dnsconfd, or unbound.
5.5. Kernel parameters for DNS configuration
You can use kernel arguments to enable DNS over TLS (DoT) at boot time and set DNS resolution behavior for your system.
rd.net.dns-resolve-mode
  Defines how DNS servers from the global configuration are used during resolution. The following modes are relevant for both kernel arguments and the NetworkManager.conf global configuration:
  - exclusive: Uses only the DNS servers specified by kernel arguments or in NetworkManager.conf. Forbids fallback to DNS servers retrieved from connections. This mode is currently relevant only for the dnsconfd plugin.
  - prefer: Forbids using DNS servers from connections for general queries unless the queries are for subdomains of the domains set by the connection.
  - backup: Merges and uses DNS servers from both the global configuration and network connections for the same purposes.

rd.net.dns-servers
  Configures the list of DNS servers to use. To define multiple DNS servers, set rd.net.dns multiple times:

```
rd.net.dns=dns+tls://<server_ip_1>#<dns_server_hostname_1> rd.net.dns=dns+tls://<server_ip_2>#<dns_server_hostname_2>
```

  For example:

```
rd.net.dns=dns+tls://198.51.100.143#dot.dns.example.com rd.net.dns=dns+tls://203.0.113.1#dot.dns.example.net
```

rd.net.dns-backend
  Specifies the back-end DNS resolver. When set to dnsconfd, the system uses dnsconfd as a local DNS cache configuration daemon.