Denis Machard

My technical gists


    How to configure TLS for the API using stunnel and DNSdist

    This post details how to wrap the dnsdist webserver/API and dnstap stream with TLS using stunnel.

    Purpose

    This tutorial assumes you have a working PowerDNS dnsdist server installed on CentOS/AlmaLinux with the webserver API enabled. stunnel will run under the same user and group as dnsdist. Any feedback that helps improve this tutorial is appreciated.

    Installation

    Install stunnel and create its runtime directory, owned by the dnsdist user so that stunnel can write its PID file there after dropping privileges. Note that /var/run is a tmpfs on these systems, so the directory does not survive a reboot unless it is recreated (for example through a tmpfiles.d entry).

    yum install stunnel
    mkdir /var/run/stunnel
    chown dnsdist:dnsdist /var/run/stunnel
    

    Configuration

    Create a certificate. This example uses a self-signed certificate; prefer a certificate issued by a CA your clients trust, according to your context. Without a -days argument, openssl req -x509 issues a certificate valid for only 30 days, and the private key file should be readable only by the user stunnel runs as.

    cd /etc/stunnel/
    openssl req -x509 -nodes -newkey rsa:2048 -keyout stunnel.key -out stunnel.crt
    

    Replace the <your_dnstap_collector> placeholder with your dnstap collector address.

    vim /etc/stunnel/stunnel.conf
    
    chroot = /var/run/stunnel
    setuid = dnsdist
    setgid = dnsdist
    pid = /stunnel.pid
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    
    ciphers=EECDH+AESGCM:EDH+AESGCM
    sslVersion = TLSv1.2
    options = NO_SSLv2
    options = NO_SSLv3
    
    [dnsdist-webapi]
    accept=443
    connect=127.0.0.1:8080
    cert = /etc/stunnel/stunnel.crt
    key = /etc/stunnel/stunnel.key
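
    The configuration above carries the settings this setup relies on: chroot plus an unprivileged user, a pinned TLS version, SSLv2/SSLv3 disabled, a cert/key pair, and a plaintext hop that stays on loopback. The following Python script, added here as an illustration and not part of the original post, parses a copy of that stunnel.conf (stunnel's INI-like syntax allows repeated keys such as options =) and reports which of those checks fail, so it can be run against a real /etc/stunnel/stunnel.conf before the service goes live.

```python
import re
# Constructed copy of the post's stunnel.conf, embedded so the check runs offline.
SAMPLE_CONF = """\
chroot = /var/run/stunnel
setuid = dnsdist
setgid = dnsdist
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
[dnsdist-webapi]
accept=443
connect=127.0.0.1:8080
cert = /etc/stunnel/stunnel.crt
key = /etc/stunnel/stunnel.key
"""

def parse_stunnel_conf(text):
    """Parse stunnel's INI-like syntax into {section: {key: [values]}}; pre-header settings are global ("")."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        conf[section].setdefault(key.strip(), []).append(value.strip())  # keys may repeat
    return conf

def audit(text, service):
    """Return findings for one [service]; an empty list means every check passed."""
    conf = parse_stunnel_conf(text)
    g, s, findings = conf[""], conf.get(service, {}), []
    if "chroot" not in g: findings.append("no chroot")
    for k in ("setuid", "setgid"):  # the post runs stunnel as the dnsdist user/group
        if g.get(k, ["root"])[0] in ("root", "0"):
            findings.append(f"{k} is root")
    if g.get("sslVersion", [""])[0] not in ("TLSv1.2", "TLSv1.3"):
        findings.append("sslVersion not pinned to TLS 1.2 or 1.3")
    findings += [f"missing options = {o}" for o in ("NO_SSLv2", "NO_SSLv3")
                 if o not in g.get("options", [])]
    findings += [f"missing {k}" for k in ("cert", "key") if k not in s]
    target = s.get("connect", [""])[0]  # a bare port means localhost in stunnel
    host = target.rsplit(":", 1)[0] if ":" in target else "localhost"
    if host not in ("127.0.0.1", "localhost", "::1", "[::1]"):
        findings.append("connect target is not loopback; plaintext leaves the host")
    return findings
```

    To check a live file, pass open("/etc/stunnel/stunnel.conf").read() and the service name to audit().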
    

    Systemd

    Create the systemd service unit for stunnel.

    vim /usr/lib/systemd/system/stunnel.service
    
    [Unit]
    Description=TLS tunnel for network daemons
    # dnsdist ships a .service unit, not a .target
    After=dnsdist.service
    
    [Service]
    ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
    # stunnel daemonizes, so tell systemd which PID to track; "pid = /stunnel.pid"
    # in stunnel.conf resolves to this host path under the chroot. systemd then
    # stops that PID itself, so no ExecStop with pkill (which could hit other
    # stunnel instances) is needed.
    PIDFile=/var/run/stunnel/stunnel.pid
    Type=forking
    
    [Install]
    WantedBy=multi-user.target
    

    Enable and start the stunnel service.

    systemctl enable --now stunnel
    systemctl restart stunnel
    