Denis Machard


    How to configure TLS for outgoing dnstap stream using stunnel and DNSdist

    This post will detail how to wrap your outgoing dnstap stream with TLS using stunnel.

    Introduction

    This tutorial assumes you have a working PowerDNS dnsdist server installed on CentOS/AlmaLinux with dnstap enabled. stunnel will run as the same user/group as dnsdist. Any feedback to improve this tutorial is appreciated.

    Installation

    Install stunnel

    yum install stunnel
    # run-time directory used as stunnel's chroot; it must be owned by the dnsdist user
    mkdir -p /var/run/stunnel
    chown dnsdist:dnsdist /var/run/stunnel
    

    Configuration

    Configure stunnel

    Replace the placeholder <your_dnstap_collector> with your dnstap collector address. This example uses a dnstap unix socket on the dnsdist side, but a tcp socket works too.

    vim /etc/stunnel/stunnel.conf
    
    ; run as the same unprivileged user/group as dnsdist, chrooted into the run directory
    chroot = /var/run/stunnel
    setuid = dnsdist
    setgid = dnsdist
    ; relative to the chroot, i.e. /var/run/stunnel/stunnel.pid on the host
    pid = /stunnel.pid
    socket = r:TCP_NODELAY=1
    
    [dnsdist-dnstaptls]
    client=yes
    ; unix socket dnsdist writes its dnstap frames to; created before stunnel chroots, so the full path is used
    accept=/var/run/stunnel/dnstap.sock
    connect=<your_dnstap_collector>:6000
    
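    Added example, not from the original post: the same stunnel.conf with the collector's certificate actually verified. As written above, the client section encrypts the stream but accepts any certificate the far end presents, so any host answering on port 6000 could receive the dnstap data. The CA file and client certificate paths and the hostname collector.example.net are placeholders.

```ini
; Added example (not from the original post); collector hostname and file paths are placeholders.
chroot = /var/run/stunnel
setuid = dnsdist
setgid = dnsdist
pid = /stunnel.pid
socket = r:TCP_NODELAY=1

; refuse protocol versions older than TLS 1.2
sslVersionMin = TLSv1.2

[dnsdist-dnstaptls]
client = yes
accept = /var/run/stunnel/dnstap.sock
connect = collector.example.net:6000

; verify the collector's certificate chain against a trusted CA
verifyChain = yes
; CAfile is read when the configuration is loaded, before chroot, so the host path works here
CAfile = /etc/stunnel/dnstap-collector-ca.pem
; make sure the verified certificate actually belongs to the collector
checkHost = collector.example.net
sni = collector.example.net

; optional: present a client certificate so the collector can authenticate this dnsdist instance
cert = /etc/stunnel/dnsdist-client.pem
key = /etc/stunnel/dnsdist-client.key
```

    On the dnsdist side, which the post does not show, the dnstap logger is pointed at the socket stunnel listens on, e.g. `newFrameStreamUnixLogger("/var/run/stunnel/dnstap.sock")` in dnsdist.conf.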

    Systemd

    Configure the systemd service, then enable and start it. Because stunnel keeps its PID file and unix socket in /var/run/stunnel, the unit deletes everything in that directory in its stop action.

    vim /usr/lib/systemd/system/stunnel.service
    
    [Unit]
    Description=TLS tunnel for network daemons
    # order after the dnsdist unit; a unit name that does not exist (such as dnsdist.target) is silently ignored
    After=dnsdist.service
    
    [Service]
    ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
    ExecStop=/usr/bin/pkill stunnel
    # "-" prefix: a failed cleanup does not mark the stop as failed; removes the pid file and unix socket
    ExecStop=-/usr/bin/find /var/run/stunnel -mindepth 1 -delete
    # stunnel daemonizes itself unless "foreground = yes" is set
    Type=forking
    
    [Install]
    WantedBy=multi-user.target
    

    Enable and start the stunnel service.

    systemctl enable --now stunnel
    