Chapter 5. Securing system DNS traffic with encrypted DNS (eDNS)


You can enable encrypted DNS (eDNS) to secure system DNS communication by using the DNS-over-TLS (DoT) protocol. Encrypted DNS encrypts all DNS traffic that leaves the system, on the path between the local resolver and the configured upstream DoT server, with no fallback to cleartext DNS if the encrypted session cannot be established. Note that the upstream resolver itself still sees the queries in clear; DoT protects the transport, not the query content from the resolver operator. This design aligns with the principles of zero trust architecture (ZTA).

The current implementation of eDNS in RHEL uses only the DoT protocol. There are two primary methods to install RHEL with eDNS enabled: an interactive installation from local media, or a custom bootable ISO that ensures eDNS is configured with an enforce policy both during and after installation. Alternatively, you can convert an existing RHEL installation to use eDNS.

5.1. Overview of components for eDNS in RHEL

Understanding the core components and their layered interactions used in the encrypted DNS (eDNS) setup helps ensure proper configuration and security.

The following components comprise the eDNS setup in RHEL and interact in a layered fashion:

NetworkManager
NetworkManager enables eDNS and enforces the use of encrypted DNS protocols based on the configured policy. It is configured to use dnsconfd as its DNS backend, so the DNS server and search-domain settings of active connections are handed to dnsconfd instead of being written to /etc/resolv.conf directly.
dnsconfd
dnsconfd is a local DNS cache configuration daemon. It simplifies the setup of DNS caching, split DNS, and DNS over TLS (DoT) by translating the configuration it receives from NetworkManager into the running configuration of the local cache service.
unbound
unbound is a validating, recursive, and caching DNS resolver. In the eDNS setup, it serves as the runtime cache service for dnsconfd. unbound uses TLS for upstream DNS queries, which is essential for encrypting DNS traffic to external DoT servers. unbound also manages various caches to store DNS responses, which reduces the need for repeated external queries and improves performance.

5.1.1. eDNS resolution process and core interactions

  1. An application requests to resolve a hostname.
  2. The system reads the /etc/resolv.conf file, which points at the local unbound service, and sends the query to unbound.
  3. unbound first checks its internal caches for a valid, unexpired cached response.
  4. If the requested record is not cached, unbound encrypts the DNS query by using TLS and sends it to the configured upstream DoT-enabled DNS server.
  5. The upstream DoT server processes the query and sends an encrypted DNS response back to unbound over the same TLS session.
  6. unbound decrypts, validates, and caches the response for the lifetime of its TTL.
  7. Finally, unbound sends the resolved DNS response back to the application.
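The exchange in steps 4 to 7, shown here as an added example that is not part of the original page and is not the code that unbound or dnsconfd run: a minimal DNS-over-TLS client in Python that builds a wire-format query, sends it over an authenticated TLS session on TCP/853 with the 2-byte length framing that RFC 7858 requires, and parses the encrypted reply. The TLS context verifies the upstream certificate against the configured server name and has no cleartext fallback, which is the property the eDNS enforce policy relies on. The upstream address and name in the usage call are placeholders, and SAMPLE_RESPONSE is a constructed reply, not a capture.

```python
"""Minimal DNS-over-TLS (RFC 7858) client mirroring steps 4-7 of the eDNS
resolution process. Added example; not the code unbound or dnsconfd run."""
import socket
import ssl
import struct
import secrets

DOT_PORT = 853  # RFC 7858 well-known port for DNS over TLS


def build_query(name, qtype=1, txid=None):
    """Return a DNS query message (random ID, RD set, one IN question)."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_response(msg, expected_id):
    """Check the header and return answers as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("message is not a response")
    if flags & 0x000F:
        raise ValueError("upstream returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return answers


def rdata_to_text(rtype, rdata):
    if rtype == 1:
        return socket.inet_ntop(socket.AF_INET, rdata)
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    return rdata.hex()


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS session mid-message")
        buf += chunk
    return buf


def dot_query(server_ip, server_name, name, qtype=1, cafile=None, timeout=5.0):
    """Steps 4-5: one query/response over TLS. The certificate is verified
    against server_name, so a spoofed upstream fails instead of being silently
    accepted, and nothing here ever retries in cleartext on port 53."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name, qtype)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            # RFC 7858 section 3.3: DNS-over-TCP framing, 2-byte length prefix
            tls.sendall(struct.pack("!H", len(query)) + query)
            (rlen,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, rlen)
    return parse_response(reply, txid)


# Constructed sample (not a capture): reply to an A query for example.com with
# the answer name compressed via a pointer to offset 12, TTL 3600, RDATA 192.0.2.1.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
)


def demo_offline():
    """Parse the constructed reply without touching the network."""
    return [(n, rdata_to_text(t, r), ttl)
            for n, t, ttl, r in parse_response(SAMPLE_RESPONSE, 0x1234)]


if __name__ == "__main__":
    print(demo_offline())
    # Live use against a placeholder upstream (assumed values):
    # dot_query("192.0.2.53", "dns.example.net", "example.com")
```

Running the module offline prints the parsed constructed reply; pointing `dot_query()` at a real DoT server reproduces what unbound does on the wire in steps 4 and 5, minus unbound's caching and DNSSEC validation. A certificate that does not match `server_name` raises `ssl.SSLCertVerificationError` from `wrap_socket()`, which is the behaviour you want from an enforce policy.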