OPNsense Forum
Archive => 21.7 Legacy Series => Topic started by: Julien on November 16, 2021, 12:29:46 am
-
Hi guys,
I previously had DoT working fine; the tutorial I followed is this one: https://www.dnsknowledge.com/unbound/opnsense-set-up-and-configure-dns-over-tls-dot/
After the latest update the DoT seems to have stopped working; at least https://1.1.1.1/help shows it as NO.
When I run
tcpdump -i igb1853
it shows some successful 853 connections.
Can someone please advise if the DoT behavior has been changed in the latest release?
DNSLEAK shows my DNS is correct (see screenshot).
The logs show the DoT:
2021-11-16T00:40:11 unbound[38963] [38963:1] info: Verified that unsigned response is INSECURE
2021-11-16T00:40:11 unbound[38963] [38963:1] info: NSEC3s for the referral proved no DS.
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving azure.com. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: Verified that unsigned response is INSECURE
2021-11-16T00:40:11 unbound[38963] [38963:1] info: NSEC3s for the referral proved no DS.
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving trafficmanager.net. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: Verified that unsigned response is INSECURE
2021-11-16T00:40:11 unbound[38963] [38963:1] info: NSEC3s for the referral proved no DS.
2021-11-16T00:40:11 unbound[38963] [38963:1] info: query response was nodata ANSWER
2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853
2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for microsoft.com. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving microsoft.com. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: query response was ANSWER
2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853
2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for teams.events.data.microsoft.com. A IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving teams.events.data.microsoft.com. A IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: query response was CNAME
2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853
2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for teams.events.data.microsoft.com. A IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving teams.events.data.microsoft.com. A IN
What am I doing wrong?
Thank you
-
Hi,
The field Verify CN was added. There you can provide the Common Name of the DoT server.
For the Cloudflare DNS server you can use one.one.one.one. 1.1.1.1 also has some other names which I do not remember.
Also, did you enable DNSSEC?
And if you disabled Forwarding Mode and Unbound is still working, then DoT still works.
Also, I am not sure if https://1.1.1.1/help only analyzes your client, and between your computer and OPNsense no DoT is used.
KH
-
Thank you for your answer
What CN name is Cloudflare using?
When I use cloudflare-dns.com my clients stop working, and the log on the DNS keeps showing the following.
Without CN the requests are not encrypted.
2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.1.1.1 port 853
2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.1.1.1 port 853
2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.0.0.1 port 853
2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.0.0.1 port 853
2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:18 unbound[40850] [40850:4] notice: ssl handshake failed 1.0.0.1 port 853
2021-11-16T02:21:18 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:18 unbound[40850] [40850:4] notice: ssl handshake failed 1.0.0.1 port 853
2021-11-16T02:21:18 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Edit: issue is resolved.
After doing some research, the CN is:
1.1.1.1 / 1.0.0.1 <--> cloudflare-dns.com
Block malware:
1.1.1.2 / 1.0.0.2 <--> security.cloudflare-dns.com
Block malware and adult content:
1.1.1.3 / 1.0.0.3 <--> security.cloudflare-dns.com
The internet is working, however https://1.1.1.1/help is still showing DoT is No.
What am I doing wrong?
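The mechanics KH describes above (Verify CN is the name Unbound authenticates the upstream certificate against) and the two log excerpts Julien posted, as an added example that is not from this thread, from OPNsense or from Unbound. It renders the equivalent unbound.conf forward-zone, where the Verify CN value becomes the '#authname' suffix on forward-addr, and classifies Unbound log lines into "certificate verify failed" (wrong CN or CA bundle) versus "replies actually received over 853". The IP-to-name mapping is the one from the resolution post; the CA bundle path /etc/ssl/cert.pem, the function names and the verdict strings are my assumptions, and the sample log lines are constructed after the ones in the thread.

```python
"""Added example (not code from the forum thread, OPNsense or Unbound):
render Unbound DoT forwarders with a pinned server name and triage Unbound
log lines, so a handshake that fails certificate verification is not
mistaken for working DNS-over-TLS."""
import re
from collections import Counter, defaultdict

# From the thread's resolution post: the OPNsense "Verify CN" value is the
# '#authname' Unbound appends to forward-addr.
CLOUDFLARE_DOT = {
    "1.1.1.1": "cloudflare-dns.com",
    "1.0.0.1": "cloudflare-dns.com",
    "1.1.1.2": "security.cloudflare-dns.com",
    "1.0.0.2": "security.cloudflare-dns.com",
}


def forward_zone(upstreams, port=853):
    """Render an unbound.conf forward-zone for DoT. Every forwarder must
    carry an authname: without it Unbound encrypts the session but does not
    authenticate the server. The CA bundle path is an assumption."""
    lines = [
        "server:",
        "    # CA bundle used to validate the upstream certificate chain",
        "    tls-cert-bundle: /etc/ssl/cert.pem",
        "forward-zone:",
        '    name: "."',
        "    forward-tls-upstream: yes",
    ]
    for ip, authname in upstreams.items():
        if not authname:
            raise ValueError(f"{ip}: no authname; TLS would be unauthenticated")
        lines.append(f"    forward-addr: {ip}@{port}#{authname}")
    return "\n".join(lines)


# Patterns matching the notice/error/info lines Unbound writes for DoT.
HANDSHAKE_FAIL = re.compile(r"notice: ssl handshake failed (\S+) port (\d+)")
VERIFY_FAIL = re.compile(r"error: ssl handshake failed .*certificate verify failed")
REPLY = re.compile(r"info: reply from <[^>]*> (\S+)#(\d+)")


def triage(log_lines):
    """Count per upstream ip:port the replies and failed handshakes, and count
    certificate-verification errors separately (CN mismatch or CA problem)."""
    per_upstream = defaultdict(Counter)
    verify_failures = 0
    for line in log_lines:
        if m := HANDSHAKE_FAIL.search(line):
            per_upstream[f"{m.group(1)}:{m.group(2)}"]["handshake_failed"] += 1
        elif VERIFY_FAIL.search(line):
            verify_failures += 1
        elif m := REPLY.search(line):
            per_upstream[f"{m.group(1)}:{m.group(2)}"]["reply"] += 1
    return dict(per_upstream), verify_failures


def verdict(per_upstream, verify_failures):
    """Turn the counters into a one-line diagnosis (wording is my own)."""
    if verify_failures:
        return "cert verify failed: check the Verify CN / authname and CA bundle"
    tls_replies = sum(c["reply"] for k, c in per_upstream.items() if k.endswith(":853"))
    failed = sum(c["handshake_failed"] for c in per_upstream.values())
    if tls_replies and not failed:
        return "DoT forwarding is answering on 853"
    if failed:
        return "TLS handshakes failing without a verify error: upstream or port unreachable"
    return "no DoT traffic seen in these lines"


# Constructed log lines, modelled on the two excerpts posted in the thread.
BROKEN_CN_LOG = [
    "2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.1.1.1 port 853",
    "2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed",
    "2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.0.0.1 port 853",
    "2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed",
]
WORKING_LOG = [
    "2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853",
    "2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for microsoft.com. DS IN",
    "2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.0.0.1#853",
]

if __name__ == "__main__":
    print(forward_zone(CLOUDFLARE_DOT))
    for label, log in (("broken CN", BROKEN_CN_LOG), ("working", WORKING_LOG)):
        stats, bad = triage(log)
        print(label, "->", verdict(stats, bad), dict(stats))
```

A "reply from <.> 1.1.1.1#853" line only proves a TLS session to port 853 was established and answered; it says nothing about whether the certificate was checked against a name, which is why the first excerpt in the thread looked healthy while the CN field was still empty. Once an authname is set, a wrong one fails loudly with the "certificate verify failed" pair of lines shown in the second excerpt.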
-
https://community.cloudflare.com/t/dns-over-dot-with-unbound-opnsense/339348/3
Looks like I got them to ticket themselves over the /help and ESNI checker... finally.