OPNsense Forum

English Forums => General Discussion => Topic started by: xPliZit_xs on September 03, 2023, 05:18:18 PM

Title: DNS over TLS or DNS over HTTPS without certificates question
Post by: xPliZit_xs on September 03, 2023, 05:18:18 PM
Hi,

I wanted to ask what exactly you get when enabling DNS over TLS/HTTPS on Unbound or AdGuard "without" using SSL certificates.
In AdGuard there is a section to add the certificates in order to enable "encryption".
OK!
But I am able to configure the local DNS server (Unbound or AdGuard) using, let's say, DNS over TLS.
Isn't that already "encryption" when using the TLS protocol? (I assume that the local DNS server establishes encryption (TLS) to the specified remote DNS provider, e.g. 9.9.9.9, and you are dependent on the DNS provider to honor privacy.)
Is this correct?
If you had SSL certificates on the local DNS server, that would enable encryption also...
Title: Re: DNS over TLS or DNS over HTTPS without certificates question
Post by: Maurice on September 03, 2023, 08:29:20 PM
Are you talking about upstream DoT (Unbound uses DoT to forward queries to other DNS servers) or downstream DoT (hosts in your LANs use DoT to send queries to Unbound)?

Upstream doesn't require adding certificates to Unbound; you only need to specify the CNs of the upstream servers to enable certificate verification.

Downstream requires adding a certificate and matching private key. This is currently not supported via GUI, you have to create a custom include.

Can't say anything about AdGuard.

Cheers
Maurice
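The two directions Maurice describes, and the 9.9.9.9 upstream case from the original question, side by side in one Unbound custom include. This is an added example, not configuration from the thread or from the OPNsense project; the CA bundle path, the LAN address, the certificate/key paths and the name dns.lan.example are assumptions. On OPNsense, custom includes are read from /usr/local/etc/unbound.opnsense.d/ (the file name below is my choice); the upstream part is also configurable from the Unbound "DNS over TLS" page in recent releases, where the "#name" corresponds to the verify-CN field.

```conf
# Added example for /usr/local/etc/unbound.opnsense.d/dot.conf (file name assumed).
# Not OPNsense's generated config; paths and addresses are placeholders.

server:
    # --- Upstream DoT (Unbound -> public resolver) ---
    # CA bundle used to validate the upstream resolver's certificate.
    # /etc/ssl/cert.pem is the usual FreeBSD location (assumed). If the
    # OPNsense-generated unbound.conf already sets tls-cert-bundle, drop this line.
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # --- Downstream DoT (LAN hosts -> Unbound) ---
    # Listen for TLS on 853 next to plain DNS on 53 (LAN address assumed).
    interface: 192.168.1.1@853
    tls-port: 853
    # Certificate and matching private key presented to LAN clients. The
    # certificate's SAN/CN must match the name clients are told to verify.
    tls-service-key: "/usr/local/etc/unbound/dns.lan.example.key"
    tls-service-pem: "/usr/local/etc/unbound/dns.lan.example.crt"
    # Optional DoH on the same certificate (Unbound 1.12 or later).
    https-port: 443
    interface: 192.168.1.1@443

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # WEAK: encrypted but unauthenticated. Without "#name" Unbound does not
    # verify the upstream certificate, so anything answering on 853 with any
    # certificate is accepted (an on-path attacker can impersonate the resolver).
    # forward-addr: 9.9.9.9@853
    # CORRECT: "#name" turns on certificate verification against the bundle
    # above; dns.quad9.net is Quad9's published TLS authentication name.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

After adding the file, run `unbound-checkconf` and restart Unbound. To confirm the downstream side actually verifies, query it from a LAN host with a client that checks the name, for example `kdig @192.168.1.1 +tls-ca +tls-hostname=dns.lan.example opnsense.org`; the query should fail if the certificate does not match the name, which is exactly the check an upstream resolver would fail without the "#name" suffix.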
Title: Re: DNS over TLS or DNS over HTTPS without certificates question
Post by: xPliZit_xs on September 03, 2023, 10:27:09 PM
I guess that answers my question. Thank you.