Would like to know what should be entered in the Unbound setting "Verfiy if CN in certficate matches" for Cloudflare DNS?
Also, the setting is terribly misspelled.
Figured it out - it's the CNAME of a DNS server. For Cloudflare, it's 'one.one.one.one'
Not entirely the CNAME in the DNS sense, but rather the hostname to verify in the SSL certificate.
https://github.com/opnsense/core/commit/d824e7163b0 ;)
Cheers,
Franco
Sorry for calling it "terrible", but you missed the "certificate" misspelling.
No problem at all. Missed this one. Thanks again!
https://github.com/opnsense/core/commit/25b98610
Cheers,
Franco
Based on this https://developers.cloudflare.com/1.1.1.1/dns-over-tls
cloudflare-dns.com is the correct CN in the certificate:
1.1.1.1 / 1.0.0.1 <--> cloudflare-dns.com
Block malware:
1.1.1.2 / 1.0.0.2 <--> security.cloudflare-dns.com
EDIT:
Block malware and adult content:
1.1.1.3 / 1.0.0.3 <--> family.cloudflare-dns.com
This setting prevents unbound from starting on my box:
1.1.1.3 / 1.0.0.3 <--> security.cloudflare-dns.com
Any idea what other CN I could try?
Thanks a heap!
EDIT
family.cloudflare-dns.com seems to work. However, unbound failed to start automatically but required a manual restart after adding the DoT CN.
/EDIT
Thanks adk20, I've amended my post 8)
Hi!
May I ask how to check if the provided "verify CN" works fine?
I tried to figure out what to use with Quad9... I found it may be dns.quad9.net... Can I confirm this with the OPNsense logs or something?
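One way to answer the "how do I check it" question outside of Unbound, as an added example that is not code from OPNsense, Unbound or anyone in this thread: the verify-CN name is compared against the server certificate's Subject Alternative Names, so the script below does that comparison offline with san_matches() and, when network access is available, live with check_dot_server(), which lets the TLS library verify the chain and hostname on port 853 exactly as Unbound does for its auth name (Unbound's own syntax for the same thing is `forward-addr: 1.1.1.3@853#family.cloudflare-dns.com`). The SAN lists are constructed sample input that follows the Cloudflare certificate contents posted later in this thread; the function names and the Quad9/Cloudflare values are the only assumptions.

```python
"""Check a DNS-over-TLS resolver certificate against a "verify CN" name.

Added example, not code from the OPNsense project or the forum thread.
san_matches() does the hostname-to-SAN comparison offline; check_dot_server()
performs the same check live by letting the TLS library verify the handshake.
"""
import ipaddress
import socket
import ssl

# Constructed sample input: SAN lists modelled on the Cloudflare 1.1.1.1 and
# 1.1.1.3 certificates posted in this thread (assumed current at that time).
CF_STANDARD_SANS = [
    ("DNS", "cloudflare-dns.com"),
    ("DNS", "*.cloudflare-dns.com"),
    ("DNS", "one.one.one.one"),
    ("IP Address", "1.1.1.1"),
    ("IP Address", "1.0.0.1"),
    ("IP Address", "2606:4700:4700::1111"),
]
CF_FAMILY_SANS = [
    ("DNS", "family.cloudflare-dns.com"),
    ("DNS", "*.family.cloudflare-dns.com"),
    ("IP Address", "1.1.1.3"),
    ("IP Address", "1.0.0.3"),
    ("IP Address", "2606:4700:4700::1113"),
]


def san_matches(name, san_entries):
    """Return True if `name` is covered by one of the (type, value) SAN entries.

    The entry format is the one Python's ssl.getpeercert() returns. Matching
    follows the usual RFC 6125 rules: case-insensitive, a wildcard is honoured
    only as the whole leftmost label and matches exactly one label, and an IP
    literal is compared against "IP Address" entries only.
    """
    name = name.lower().rstrip(".")
    try:
        wanted_ip = ipaddress.ip_address(name)
    except ValueError:
        wanted_ip = None

    for kind, value in san_entries:
        if kind == "IP Address":
            if wanted_ip is not None and ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS" and wanted_ip is None:
            pattern = value.lower().rstrip(".")
            if pattern == name:
                return True
            if pattern.startswith("*."):
                suffix = pattern[1:]                              # ".cloudflare-dns.com"
                head = name[: -len(suffix)] if name.endswith(suffix) else ""
                if head and "." not in head:                      # exactly one label
                    return True
    return False


def check_dot_server(server_ip, verify_cn, port=853, timeout=5.0):
    """Live check: TLS-connect to server_ip:port and have the TLS library verify
    the chain against the system CA bundle and the hostname `verify_cn`, which
    is what Unbound does with its auth name. Returns (ok, detail).
    Needs network access; not exercised by the offline checks below."""
    ctx = ssl.create_default_context()   # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((server_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=verify_cn) as tls:
                sans = tls.getpeercert().get("subjectAltName", ())
                return True, f"verified against SAN list: {sans!r}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Offline: why "security.cloudflare-dns.com" fails for 1.1.1.3 ...
    print(san_matches("security.cloudflare-dns.com", CF_FAMILY_SANS))   # False
    print(san_matches("family.cloudflare-dns.com", CF_FAMILY_SANS))     # True
    # ... while "one.one.one.one" works for 1.1.1.1 via its own SAN entry.
    print(san_matches("one.one.one.one", CF_STANDARD_SANS))             # True
    # Live, if the network is reachable (uncomment to run):
    # print(check_dot_server("1.1.1.3", "family.cloudflare-dns.com"))
    # print(check_dot_server("9.9.9.9", "dns.quad9.net"))
```

A failed live check returns the TLS library's own error text (for example a hostname mismatch), which is the same condition that makes Unbound refuse the upstream; if the handshake succeeds, the name in the GUI field is safe to use.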
I took a look at the cloudflare.com SSL certificates.
Here is the list of addresses, Common Names, and Subject Alternative Names (SAN):

Cloudflare SSL certificates

Addresses: 1.1.1.1 & 1.0.0.1
  Common name: cloudflare-dns.com
  SAN:
    DNS Name=cloudflare-dns.com
    DNS Name=*.cloudflare-dns.com
    DNS Name=one.one.one.one
    IP Address=1.1.1.1
    IP Address=1.0.0.1
    IP Address=162.159.36.1
    IP Address=162.159.46.1
    IP Address=2606:4700:4700:0000:0000:0000:0000:1111
    IP Address=2606:4700:4700:0000:0000:0000:0000:1001
    IP Address=2606:4700:4700:0000:0000:0000:0000:0064
    IP Address=2606:4700:4700:0000:0000:0000:0000:6400

Addresses: 1.1.1.2 & 1.0.0.2
  Common name: security.cloudflare-dns.com
  SAN:
    IP Address=2606:4700:4700:0000:0000:0000:0000:1112
    IP Address=2606:4700:4700:0000:0000:0000:0000:1002
    DNS Name=security.cloudflare-dns.com
    DNS Name=*.security.cloudflare-dns.com
    IP Address=1.1.1.2
    IP Address=1.0.0.2

Addresses: 1.1.1.3 & 1.0.0.3
  Common name: family.cloudflare-dns.com
  SAN:
    IP Address=2606:4700:4700:0000:0000:0000:0000:1113
    IP Address=2606:4700:4700:0000:0000:0000:0000:1003
    DNS Name=family.cloudflare-dns.com
    DNS Name=*.family.cloudflare-dns.com
    IP Address=1.1.1.3
    IP Address=1.0.0.3
Thanks, I wasn't aware of these 4:
IP Address=162.159.36.1
IP Address=162.159.46.1
IP Address=2606:4700:4700:0000:0000:0000:0000:0064
IP Address=2606:4700:4700:0000:0000:0000:0000:6400
https://ssl-tools.net/webservers/cloudflare-dns.com