Add DNS over TLS support (DoT) for Bind DNS server
| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Ubuntu Linux 22.04.4 |
| Webmin version | 2.111 |
| Usermin version | 2.010 |
| Virtualmin version | 7.20.1 |
| Theme version | 21.10 |
| Package updates | All installed packages are up to date |
| BIND version | 9.18.28 |
The feature
Can you add support for DoT into Webmin GUI and SSL handling.
Bind9, as of version 9.18.28, now officially supports DoT along with DoH; it might have been earlier, but it is there now.
Using the hostname SSL or the default website SSL certificates would do the trick, but does this then require Virtualmin?
FirewallD already has this port open in its default set of ports.
Links
- https://www.isc.org/blogs/doh-talkdns/ - some instructions I found
- https://bind9.readthedocs.io/en/v9.18.28/notes.html#id84 - Release notes showing support
- https://forum.virtualmin.com/t/dns-over-tls-dot/122805
Great idea. See: https://github.com/virtualmin/virtualmin-gpl/issues/149
Interesting idea, I'll look into this.
This would be great for Debian/Ubuntu and the upcoming RHEL 10; unfortunately it is not available in RHEL 9/CentOS/Alma/Rocky 8/9, since they use BIND 9.16 and not 9.18.
Ok, with the next Webmin and Virtualmin releases it will be possible to set up DNS over TLS.
Nice one. Tar.
@jcameron I know this feature has been added and I think there is a new icon called SSL Keys And Certificates in BIND
- Do you have any basic instructions on enabling?
- Does the system generate its own keys/certs?
- Do you have to pick a specific domain or will it default to use the hostname?
- Do I need to run the virtualmin config checker to install the certificates?
Any pointers and then I can fill in the blanks
NB: capital A in And in the icon looks funny
@iliaross can you add an icon to the theme for this!
As for instructions, you need to enter the paths to existing cert and key files. Once the key has been created, you can reference it in the ports and addresses section.
- The SSL icon shown above is already there; it is just the "And" that is capitalized.
- There is no "ports and addresses" section in either the config files or the GUI.
- When DoT support was added for BIND into Virtualmin, I thought it would all be handled automatically, i.e. you could just turn it on and perhaps select an SSL cert, or it would use the hostname cert, or each nameserver's SSL would get bound to BIND.
- Why do you have to create certs for BIND, when Dovecot, Postfix and others all get their certs created and installed automatically? Are there technical differences with BIND?
- Do I need to add a listener command into the config for DoT?
  https://bind9.readthedocs.io/en/v9.18.28/reference.html#namedconf-statement-listen-on
  ```
  listen-on [ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
  ```
- Some distros require using `listen-on tls` instead of `listen-on port` for DoT specifically. ??
- `tls-port 853; # Enable TLS` is this needed somewhere?
- I don't think the SSL certs are validated
- https://downloads.isc.org/isc/bind9/9.18.0/doc/arm/html/reference.html#access-control "Please note that incoming TLS connections are currently not authenticated at the TLS level. Please use TSIG to authenticate requestors."
So long story short, I am not sure what @jcameron has added as everything needs to be setup manually, which I might struggle to do.
P.S. this is not a moan, but constructive feedback 😄
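Added example, not from this thread and not Webmin's or Virtualmin's own code: a minimal BIND 9.18 named.conf fragment that answers the listener question above. The `tls` block is the named.conf construct that a cert/key entry on the "SSL Keys And Certificates" page presumably maps to (an assumption from the thread, not checked against the Webmin source). The certificate and key paths, the TSIG key name and secret, and the `directory` value are assumptions; substitute the cert and key that Virtualmin copies for the hostname domain.

```conf
// Added example (not from the thread or from Webmin/Virtualmin).
// BIND 9.18 DNS-over-TLS listener. Paths, key name and secret are assumptions.

// Name a certificate/key pair so the listener below can reference it.
tls dot-hostname {
    cert-file "/etc/ssl/virtualmin/ns1.example.com/ssl.cert";   // assumed path
    key-file  "/etc/ssl/virtualmin/ns1.example.com/ssl.key";    // assumed path
    protocols { TLSv1.3; };   // allow only TLS 1.3 on this listener
};

// TSIG key: per the ARM note quoted above, TLS clients are not authenticated
// at the TLS level, so privileged operations such as zone transfers are
// restricted with TSIG rather than by trusting the TLS connection.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";   // placeholder; generate with tsig-keygen
};

options {
    directory "/var/cache/bind";   // Debian/Ubuntu default, assumed

    // Plain DNS on port 53 is unchanged.
    listen-on    port 53 { any; };
    listen-on-v6 port 53 { any; };

    // DoT on port 853 using the tls block above. Because tls-port already
    // defaults to 853, a separate "tls-port 853;" statement is not needed.
    listen-on    port 853 tls dot-hostname { any; };
    listen-on-v6 port 853 tls dot-hostname { any; };

    // Zone transfers only for requestors that sign with the TSIG key.
    allow-transfer { key "xfer-key"; };
};
```

To check it: run `named-checkconf` on the file, reload, confirm port 853 is listening (`ss -ltn | grep 853`), and query the listener with `dig @127.0.0.1 +tls example.com SOA` (dig in BIND 9.18 supports `+tls`). Whether the certificate actually validates for a client is a client-side question: dig's `+tls-ca=<ca-file>` and `+tls-hostname=<name>` options verify the server certificate against a CA file and expected name, which is the quickest way to confirm the cert's subject matches the nameserver hostname clients will use.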
> @iliaross can you add an icon to the theme for this!
Yes, I fixed the icon and also "And" in the title for consistency with other modules.
Was there an icon missing with new features for DoT ?
> Was there an icon missing with new features for DoT ?
It wasn't, but it was from the older icon set.
> There is no ports and addresses section in either the config files or the GUI
Sorry, it's actually called "Addresses and Topology"
> When DoT support was added for BIND into Virtualmin, I thought it would all be handled automatically, i.e. you could just turn it on and perhaps select an SSL cert, or it would use the hostname cert, or each nameserver's SSL would get bound to BIND.
This will happen with the next Virtualmin release, which will have a button to copy the cert for one domain to BIND.
> This will happen with the next Virtualmin release, which will have a button to copy the cert for one domain to BIND.
Can this include the hostname cert?
> Can this include the hostname cert?
Yes, if you have a Virtualmin domain for the hostname with a cert (which we setup by default).