OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: p1n0ck10 on December 13, 2018, 10:14:12 pm

Title: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: p1n0ck10 on December 13, 2018, 10:14:12 pm
[Updated on 05.07.2019]

Since opnsense 18.7.9 it is possible to use DNSCrypt (https://dnscrypt.info) with the new opnsense-plugin "os-dnscrypt-proxy". Thanks to mimugmail (m.muenz@gmail.com). This plugin supports encrypted dns over DNSCrypt or DNS over HTTPS and has the option for DNSSEC.


Explanations and Differences:
DNSCrypt or DNS over HTTPS = protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing and man-in-the-middle attacks and encrypts the traffic.
DNSSEC = DNS extension that allows a client to validate the DNS response on supported domains and TLDs. Resolvers check the digital signature of DNS responses.

This technique does not protect against ISP censorship!!! Tor or a VPN can solve this.
Here is the answer from the developer of DNSCrypt, Frank Denis:
https://superuser.com/questions/1318588/what-exactly-isp-can-see-when-someone-use-dnscrypt-proxy-with-dnscrypt-enabled-p

This guide is based on the posting in the opnsense forum from emwe. Thanks for your HowTo  :D
https://forum.opnsense.org/index.php?topic=10017.0
With the new plugin it is not necessary to install dnscrypt-proxy manually. I don't like to configure the firewall with manual pkgs and configurations for several reasons.


Scenario:
dnscrypt-proxy is set to listen only on the localhost addresses 127.0.0.1 (IPv4) and ::1 (IPv6) on port 5353. Unbound DNS is set up to forward all queries to these addresses/port while it itself listens on port 53 on all interfaces. So the flow for a DNS query from a client in the LAN is:

client =>
unbound dns (port 53 on all interfaces on opnsense) =>
dnscrypt-proxy (port 5353 on localhost addresses on opnsense) =>
public dnscrypt server (port 443) via wan interface on opnsense =>
dnscrypt-proxy (port 5353 on localhost addresses on opnsense) =>
unbound dns (port 53 on all interfaces on opnsense) =>
client.

The reason behind that scenario is that unbound can act as a DNS resolver for your local network. If you allow the DHCP leases of your clients to be registered in Unbound DNS, you can reach them via their hostnames and do not need to know their IP addresses. The DNS traffic on the LAN side is not encrypted because unbound currently does not support this.
You can also configure DNSCrypt-Proxy as a standalone server. For this follow these instructions:
https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html
The need for dnscrypt-proxy exists only because Unbound DNS (and also dnsmasq) currently has only limited support for DNSCrypt and the FreeBSD version is built without it. In future versions, when Unbound DNS fully supports DNSCrypt, DoH (DNS over HTTPS) and DoT (DNS over TLS), there is no longer a need for a proxy like dnscrypt.


Install DNSCrypt:
System/Firmware/Plugins
=> Install "os-dnscrypt-proxy"


Configuration DNSCrypt:
Services/DNSCrypt-Proxy/Configuration
=> Check "Enable DNSCrypt-Proxy"
=> "Listen Address" is 127.0.0.1:5353 and [::1]:5353
=> Check "Use IPv4 Servers"
=> Check "Use IPv6 Servers"
=> Check "Use DNSCrypt Servers"
=> Check "Use DNS-over-HTTPS Servers"
=> Check "Require DNSSEC"
(see attachments "Services-DNSCrypt-Proxy_01.png", "Services-DNSCrypt-Proxy_02.png")
(https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7461;image)
(https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7463;image)


=> As "Fallback Resolver" you can use the standard Quad9 server (9.9.9.9:53) or Cloudflare (1.1.1.1:53) or whatever you want.
=> Under "Server List" you can choose the favorite servers that you want to use: https://dnscrypt.info/public-servers/. Otherwise you don't know which DNS server it is currently using. Normally it automatically chooses the fastest one with the options you set ("Require DNSSEC", "Require NoLog", "Require NoFilter").

I chose Cloudflare (DoH) "cloudflare-ipv6" and "cloudflare" because it's the fastest, but with Cloudflare another user has had the experience that some sites are not available, like postbank.com or postbank.de, because DNSSEC seems to be broken. See https://community.cloudflare.com/t/problem-with-oneplus-com-and-postbank-de/29232
In that case you must configure Unbound DNS to use an exception and must redirect the query to another server. This problem seems to be only at Cloudflare but caused by Postbank (see under Configuration Unbound DNS).

With Quad9 (DNSCrypt) "quad9-dnscrypt-ip4-filter-pri" and "quad9-dnscrypt-ip6-filter-pri" you don't have to add exceptions to the advanced config in Unbound DNS, but it's slower.

If you want to use Cisco/OpenDNS (DNSCrypt) for services like Cisco Umbrella you can use "cisco" and "cisco-ipv6". Maybe you must uncheck the options for DNSSEC (currently not supported, planned in half a year), NoLog and NoFilter.

Otherwise you can leave this blank and add your own server under Services/DNSCrypt-Proxy/Servers.

(see attachment "Services-DNSCrypt-Proxy_03.png")
(https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7465;image)


Configuration Unbound DNS:
Services/Unbound DNS/General
=> Check "Enable DNSSEC Support"
=> Uncheck "DNS Query Forwarding"
=> Under "Custom options" you must configure Unbound DNS so that everything is forwarded to dnscrypt-proxy. I set this up for IPv6 + IPv4:
Code:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: ::1@5353
   forward-addr: 127.0.0.1@5353

Exception with Cloudflare:
Code:
do-not-query-localhost: no

forward-zone:
   name: "postbank.com"
   forward-addr: 9.9.9.9
forward-zone:
   name: "postbank.de"
   forward-addr: 9.9.9.9
forward-zone:
   name: "."
   forward-addr: ::1@5353
   forward-addr: 127.0.0.1@5353



Configuration System DNS-Server:
System/Settings/General
=> Check that no DNS server is configured
=> Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"
=> Uncheck "Do not use the local DNS service as a nameserver for this system"
(see attachment "System-Settings-General.png")
(https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7467;image)


All is done!

Check if your DNS configuration works correctly:
=> https://dnsleaktest.com
Check against DNS leaks and which DNS server you currently use
=> https://internet.nl/test-connection/
If you use IPv6 and DNSSEC
=> https://tools.dnsstuff.com/
DNS tools and more
=> https://cmdns.dev.dns-oarc.net/
Check your DNS
=> http://www.dnssec-or-not.com/
If you use DNSSEC


Kind Regards  ;)
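As an added example (not part of the original post, of Unbound or of OPNsense), the following Python script renders the "Custom options" snippet from this HOWTO, including the per-domain exceptions used for the Cloudflare/Postbank case, and lints a snippet for the two mistakes that turn this setup into silent failures: a loopback forwarder without `do-not-query-localhost: no` (Unbound's default refuses to query localhost, so every forwarded query ends in SERVFAIL) and a catch-all "." zone that does not point at the dnscrypt-proxy listeners (those queries then bypass the encrypted path). The listener addresses, the 9.9.9.9 exception resolver and the postbank domains are the ones the post uses; the function names and the finding texts are mine.

```python
"""Build and lint the Unbound "Custom options" forwarding snippet from this HOWTO.

Added example: not part of the original post, of Unbound or of OPNsense. It assumes
dnscrypt-proxy listens on 127.0.0.1:5353 and [::1]:5353 as configured above.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple, Union

# The dnscrypt-proxy listeners from the HOWTO, in Unbound's host@port notation.
DNSCRYPT_FORWARDERS = ["::1@5353", "127.0.0.1@5353"]


def build_forward_config(exceptions: Optional[Dict[str, List[str]]] = None,
                         dnscrypt_forwarders: List[str] = DNSCRYPT_FORWARDERS) -> str:
    """Render one forward-zone per exception domain, then the catch-all ".".

    Unbound's default is do-not-query-localhost: yes, which silently blocks any
    forwarder on 127.0.0.0/8 or ::1, so that line is always emitted first.
    Stanza order does not matter: Unbound picks the longest matching zone name.
    """
    lines = ["do-not-query-localhost: no", ""]
    for zone, addrs in (exceptions or {}).items():
        lines.append("forward-zone:")
        lines.append(f'   name: "{zone}"')
        lines.extend(f"   forward-addr: {a}" for a in addrs)
    lines.append("forward-zone:")
    lines.append('   name: "."')
    lines.extend(f"   forward-addr: {a}" for a in dnscrypt_forwarders)
    return "\n".join(lines) + "\n"


def _parse_addr(addr: str) -> Tuple[Union[ipaddress.IPv4Address, ipaddress.IPv6Address], int]:
    """Split Unbound's host@port form; the port defaults to 53."""
    host, _, port = addr.partition("@")
    return ipaddress.ip_address(host), int(port) if port else 53


def lint_forward_config(text: str,
                        dnscrypt_forwarders: List[str] = DNSCRYPT_FORWARDERS) -> List[str]:
    """Return findings for a snippet; an empty list means it matches the HOWTO's intent."""
    findings: List[str] = []
    m = re.search(r"^\s*do-not-query-localhost:\s*(\S+)", text, re.M)
    localhost_allowed = bool(m) and m.group(1).lower() == "no"

    # Collect name -> [forward-addr ...] per stanza.
    zones: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "forward-zone:":
            current = None                        # a new stanza must name itself first
        elif line.startswith("name:"):
            current = line.split(":", 1)[1].strip().strip('"')
            zones.setdefault(current, [])
        elif line.startswith("forward-addr:"):
            addr = line.split(":", 1)[1].strip()  # split once: IPv6 literals contain ':'
            if current is None:
                findings.append(f"forward-addr outside a named forward-zone: {addr}")
            else:
                zones[current].append(addr)

    for zone, addrs in zones.items():
        if not addrs:
            findings.append(f'zone "{zone}" has no forward-addr')
        for addr in addrs:
            try:
                ip, _ = _parse_addr(addr)
            except ValueError:
                findings.append(f'zone "{zone}": unparseable forward-addr {addr}')
                continue
            if ip.is_loopback and not localhost_allowed:
                findings.append(f'zone "{zone}" forwards to loopback {addr} without '
                                "do-not-query-localhost: no; Unbound will answer SERVFAIL")

    if "." not in zones:
        findings.append('no catch-all forward-zone "."; Unbound recurses itself '
                        "and bypasses dnscrypt-proxy")
    else:
        for addr in zones["."]:
            if addr not in dnscrypt_forwarders:
                findings.append(f'catch-all "." forwards to {addr}, which is not a '
                                "dnscrypt-proxy listener; those queries leave unencrypted")
    return findings


if __name__ == "__main__":
    cfg = build_forward_config({"postbank.com": ["9.9.9.9"], "postbank.de": ["9.9.9.9"]})
    print(cfg)
    print("findings:", lint_forward_config(cfg) or "none")
    print("findings without do-not-query-localhost:",
          lint_forward_config(cfg.replace("do-not-query-localhost: no\n", "")))
```

Paste the rendered snippet into Services/Unbound DNS/General under "Custom options"; the linter is meant for the snippet you already have there, and a finding about `do-not-query-localhost` is the usual reason a forwarding setup like this returns SERVFAIL for everything while the dnscrypt-proxy log looks healthy.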
Title: Re: HOWTO - Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: mimugmail on December 14, 2018, 05:37:46 am
Nice :)
Title: Re: HOWTO - Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: gambrinus on December 14, 2018, 10:51:49 pm
Thanks, p1n0ck10.
Title: Re: HOWTO - Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: opnsenseuser on December 16, 2018, 08:37:38 am
This technique does not protect against ISP censorship!!! A VPN provider can solve this.
Here is the answer from the developer Frank Denis:
https://superuser.com/questions/1318588/what-exactly-isp-can-see-when-someone-use-dnscrypt-proxy-with-dnscrypt-enabled-p

First of all many thanks for this ingenious instruction.
I have two questions.

1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to receive their DNS request via unbound?

2. Now if my provider can read everything again, what is the sense behind using this plugin?
Because the different servers dnscrypt uses I can also enter myself in the unbound DNS server list, and for that I don't need this plugin.

thx
rené
Title: Re: HOWTO - Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: p1n0ck10 on December 16, 2018, 01:29:26 pm
1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to receive their DNS request via unbound?
Which Transparent Proxy do you mean? Web Proxy or DNS Proxy?

2. Now if my provider can read everything again which sense is behind this plugin to use?
Because the different servers the dnscrypt used I can enter myself also in the unbound dns server list and for that I don´t need this plugin.
The sense of the plugin is to encrypt the DNS traffic over DNSCrypt or DoH (DNS over HTTPS). This in combination with DNSSEC checks the digital signature of DNS responses to verify that the data match what the zone owner initially configured. It makes DNS more secure against spoofing or changing of the DNS records you ask for. More info here: https://dnscrypt.info/faq/
Title: Re: HOWTO - Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: opnsenseuser on December 16, 2018, 02:08:27 pm
1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to receive their DNS request via unbound?
Which Transparent Proxy do you mean? Web Proxy or DNS Proxy?

1. Squid http(s) proxy with cert (yes, web)

2. What can I do to give the provider no way to read my surfing behavior?
You wrote something about vpn dns!
I currently do not use vpn.
Is this still possible ?
And is there any instructions for opnsense?

Title: Re: HOWTO - Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: p1n0ck10 on December 16, 2018, 02:56:47 pm
1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to receive their DNS request via unbound?

Which Transparent Proxy do you mean? Web Proxy or DNS Proxy?

Squid http(s) proxy with cert (yes, web)

Web proxy and DNS are different things. A transparent web proxy catches all your clients' HTTP and HTTPS requests when you have set a NAT rule. Your clients will still ask for DNS even if you use the transparent web proxy. In the web proxy you can add blocklists, too. Without DNS you can't resolve names in the internet. So DNS is an important component to search the internet and should be encrypted like HTTPS.

2. What can I do to give the provider no way to read my surfing behavior?
You wrote something about vpn dns!
I currently do not use vpn.
Is this still possible ?
And is there any instructions for opnsense?

(all traffic, not only DNS) The opnsense plugin "os-tor" (https://www.torproject.org/) can solve this, or a VPN provider. First you must read which VPN provider you prefer, which features it has and what you need. Here are two examples:
https://nordvpn.com
https://www.perfect-privacy.com/

Most VPN providers support normal IPsec and OpenVPN. OPNsense can do that ;-)


Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: PaoPao on December 19, 2018, 02:27:20 pm
Do I have to change anything for the Bind PlugIn to work together?
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: donatom3 on December 25, 2018, 07:12:00 am
So follow the instructions in here and make sure that unbound is pointing to port 53530 (default for BIND).

Bind doesn't let you put in port numbers for the forwarders so you have to edit the config file.
Go to the BIND service page first and fill in 127.0.0.1 and ::1 in the forwarders section.
Also make sure DNSSEC Validation is "Auto". Now hit Save
Then you need to edit /usr/local/etc/namedb/named.conf to add in the ports for the forwarders to point to dnscrypt. I like using winscp to ssh to the unit and doing this in a txt editor but do it however you'd like
Now you should have a forwarders line
This is what my forwarder line looks like after adding in the port numbers.
forwarders    { 127.0.0.1 port 5353; ::1 port 5353; };
Basically I just added " port 5353" to the end of each forwarder IP.

It appears to be working for me. All the leak tests give me the same result I got when I was just using dnscrypt and BIND appears.

Only quirk I had is the first time after installing bind and dnscrypt-proxy I could not start dnscrypt-proxy service without restarting opnsense. After the restart it appeared to work fine.
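The edit donatom3 describes by hand, as an added Python example that is not from the thread, the BIND plugin or OPNsense: it appends `port 5353` to every bare address inside the `forwarders { ... };` block of a named.conf and leaves entries that already carry a port alone, so re-running it after a plugin save that rewrote the file is safe. The sample configuration is constructed for the example; the function names are mine, and 5353 is the dnscrypt-proxy port assumed throughout this HOWTO.

```python
"""Add explicit ports to BIND's forwarders block, the edit donatom3 describes doing by hand.

Added example: not from the thread, the BIND plugin or OPNsense. It assumes the usual
`forwarders { addr; addr; };` syntax and dnscrypt-proxy on port 5353 as in the HOWTO.
"""
import re
from typing import List

FORWARDERS_RE = re.compile(r"(forwarders\s*\{)(?P<body>[^}]*)(\})")
# A bare IPv4 or IPv6 literal, i.e. an entry that still lacks a "port N" suffix.
BARE_IP_RE = re.compile(r"^[0-9A-Fa-f.:]+$")

# Constructed sample of the relevant options; not a real named.conf from the thread.
SAMPLE_NAMED_CONF = """\
options {
    forwarders { 127.0.0.1; ::1; };
    dnssec-validation auto;
};
"""


def add_forwarder_ports(named_conf: str, port: int = 5353) -> str:
    """Append 'port <port>' to every bare forwarder address; running it twice changes nothing."""
    def rewrite(match: "re.Match[str]") -> str:
        entries = [e.strip() for e in match.group("body").split(";") if e.strip()]
        if not entries:
            return match.group(0)                  # empty block: leave untouched
        fixed = [f"{e} port {port}" if BARE_IP_RE.match(e) else e for e in entries]
        return f"{match.group(1)} {'; '.join(fixed)}; {match.group(3)}"
    return FORWARDERS_RE.sub(rewrite, named_conf)


def forwarders(named_conf: str) -> List[str]:
    """List the entries of the forwarders block, for checking the result."""
    m = FORWARDERS_RE.search(named_conf)
    if not m:
        return []
    return [e.strip() for e in m.group("body").split(";") if e.strip()]


if __name__ == "__main__":
    print(add_forwarder_ports(SAMPLE_NAMED_CONF))
```

Run it over /usr/local/etc/namedb/named.conf (the path donatom3 names) and write the result back; the check that matters afterwards is `forwarders(...)`, which should list both loopback addresses with their port.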
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: mimugmail on December 25, 2018, 07:55:19 am
You can also add an alias 127.0.0.8 and have dnscrypt listen on this IP with port 53. Will also work ...
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt Plugin for IPv4 + IPv6
Post by: donatom3 on December 25, 2018, 07:58:44 am
You can also add an alias 127.0.0.8 and have dnscrypt listen on this IP with port 53. Will also work ...

Yes that would make it easier so you wouldn't have to edit the file. I wish I thought of doing it that way.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: rickg3 on January 05, 2019, 07:13:45 pm
Thanks for the tutorial. I am always looking for ways to improve DNS security.
I know enough about networking to be dangerous. Your tutorial was easy to follow and get working.

I am curious though. Before, I used Cloudflare and Google for DNS and that is reflected in DNS tests. Now when I check DNS it appears that I am using random servers, but the provider comes back as Cloudflare. I assume the fastest server available is responding but the request is encrypted?
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on January 05, 2019, 10:33:48 pm
Yes, it chooses fastest one, but you can also use manual server (with next version)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: rickg3 on January 13, 2019, 01:59:21 pm
Had to give up on this plugin. While I like the idea, I had too many DNS lookup failures.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on January 13, 2019, 03:27:29 pm
And why should they be related to the plugin? If it works it works .. if you have something wrong, nothing works.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: cake on January 25, 2019, 04:23:02 am
This is great! Many thanks to the dev mimugmail (m.muenz@gmail.com) and for the tutorial!
I had a little trouble with it not starting when I entered some DNS servers in the list at https://dnscrypt.info/public-servers/
I ended up looking at the log located in
Code:
cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log
and choosing 3 of the resolvers that worked. I am wondering if one of the resolvers goes down, will this stop dnsproxy from starting at boot?

I went a different route from the tutorial in first post, I set up a Virtual IP in Firewall --> Virtual IP
I used: IP Alias | loopback | 127.0.0.2
Then configured the DNSCrypt plugin to use 127.0.0.2:53 (and deleted the default ones)
Lastly I headed over to System --> Settings --> General and put 127.0.0.2 in the DNS Server box.

My test at https://www.dnsleaktest.com showed my dns queries are using dnscrypt. :-)

One feature request is to be able edit the verb for the log and also to show the log in the GUI.
Thanks again for this plugin!
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on January 25, 2019, 05:58:19 am
Log in the UI is already under review, perhaps with 19.1.
The default behavior is to use the fastest two servers, and it checks every hour which one is the fastest, so no problem :)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: p1n0ck10 on January 28, 2019, 11:55:22 pm

I had a little trouble with it not starting when I entered some DNS servers in the list at https://dnscrypt.info/public-servers/
I ended up looking at the log located in
Code:
cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log
and choosing 3 of the resolvers that worked. I am wondering if one of the resolvers goes down, will this stop dnsproxy from starting at boot?

Lastly I headed over to System --> Settings --> General and put 127.0.0.2 in the DNS Server box.

One feature request is to be able edit the verb for the log and also to show the log in the GUI.

Thanks again for this plugin!

I only recommend unbound and dnscrypt in the way I wrote because I'm not a fan of having too many DNS resolvers between clients and the internet. It makes it a little bit difficult to solve DNS errors. I have tested many DNS resolvers from the public list https://dnscrypt.info/public-servers/
The best way is to use the automatic option because the fastest and a pool of random servers is used. If you use the manual configuration of servers I only recommend cloudflare and cisco (opendns) because these are DNS providers with bigger infrastructure behind the scenes. Cisco (opendns) has the disadvantage that it's not using DNSSEC.
The best DNS results on https://cmdns.dev.dns-oarc.net I achieved with cloudflare.

I don't know why you are using 127.0.0.2 in the configuration of system/settings/general. In my opinion opnsense uses localhost as default DNS resolver. The DNS resolver in system/settings/general is normally configured with an external DNS resolver. That job is done by dnscrypt. In my configuration the way is:
opnsense => localhost = unbound => forwarding mode to dnscrypt. That's it.

Good to hear that the log is coming to the GUI  ;)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: malkovich78 on February 02, 2019, 09:33:40 pm
Hi,

After reading all configuration guides for the dnscrypt-proxy plugin and several tests I wasn't able to make it work with unbound, only with dnsmasq and a dnscrypt-proxy instance running on 127.0.0.2:53 and 127.0.0.2 as the only DNS server on System -> Settings; but with this configuration I found a problem because on boot dnsmasq is started before dnscrypt-proxy so the system can't resolve domains. Creating a script to start dnscrypt-proxy before dnsmasq at boot time finally solved it.
I hope this info may be useful to others.

Regards.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: zaggynl on March 20, 2019, 08:59:24 pm
I'm running into the same issue.
I can enable and start Unbound but it will not start after adding the Advanced Settings part per: https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html
Code:
do-not-query-localhost: no
forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353

No error messages appear in webui or log.
I can start unbound from shell with -d -v, it shows no errors at that time in shell or in ui log.

Goal is to forward incoming requests to my pihole VM, which should get its DNS replies from dnscrypt on opnsense.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: franco on March 20, 2019, 09:23:16 pm
I'm guessing same Unbound problem as Bind has:

> When you are using Overrides in Unbound you can not use ``do-not-query-localhost``.


Cheers,
Franco
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: zaggynl on March 21, 2019, 12:40:53 pm
I'm guessing same Unbound problem as Bind has:

> When you are using Overrides in Unbound you can not use ``do-not-query-localhost``.


Cheers,
Franco

Thanks for the reply, I have a number of Overrides, after removing the do-not-query-localhost line Unbound starts!
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on March 21, 2019, 02:34:44 pm
Overrides can also be done via dnscrypt-proxy if you need them. Also ad blocking is now available via the plugin itself.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: zaggynl on March 22, 2019, 12:45:35 pm
Overrides can also be done via dnscrypt-proxy if you need them. Also ad blocking is now available via the plugin itself.

Thanks.
Had a look at using dnscrypt-proxy alone but the webui of pihole proved to be more featured.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on March 22, 2019, 12:54:29 pm
Indeed :)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: p1n0ck10 on March 22, 2019, 03:32:35 pm
Hi All,

strange. I have 1 entry in the Host Override in Unbound and have no issues with "do-not-query-localhost: no"

great that DNSBL is implemented in the dnscrypt proxy. thanks mimugmail  ;)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: cake on April 18, 2019, 03:04:41 pm
Does anybody get server timeouts after a few days or so? I start dnscrypt and after a couple of days most servers have timed out according to the log. Not sure how to investigate. Maybe I start with making the log more verbose?
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on April 18, 2019, 09:31:08 pm
But does it switch to other ones?
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: cake on April 19, 2019, 01:41:17 am
Yes it does switch; maybe I have a setting wrong or some other configuration.
Here is a bit of a log; you can see at first 3 have a timeout, and 6 hours later 11 servers have timed out.
Code:
[2019-04-18 19:56:57] [NOTICE] Source [public-resolvers.md] loaded
[2019-04-18 19:56:57] [NOTICE] dnscrypt-proxy 2.0.19
[2019-04-18 19:56:57] [NOTICE] Loading the set of whitelisting rules from [whitelist.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of cloaking rules from [cloaking-rules.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of forwarding rules from [forwarding-rules.txt]
[2019-04-18 19:56:57] [NOTICE] Now listening to 127.0.0.2:53 [UDP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 127.0.0.2:53 [TCP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 192.168.44.4:53 [UDP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 192.168.44.4:53 [TCP]
[2019-04-18 19:56:58] [NOTICE] [arvind-io] OK (crypto v2) - rtt: 256ms
[2019-04-18 19:56:58] [NOTICE] [bottlepost-dns-nl] OK (crypto v2) - rtt: 286ms
[2019-04-18 19:57:00] [NOTICE] [charis] TIMEOUT
[2019-04-18 19:57:00] [NOTICE] [cpunks-ru] OK (crypto v1) - rtt: 313ms
[2019-04-18 19:57:01] [NOTICE] [cs-ch] OK (crypto v2) - rtt: 312ms
[2019-04-18 19:57:01] [NOTICE] [cs-swe] OK (crypto v2) - rtt: 293ms
[2019-04-18 19:57:01] [NOTICE] [cs-nl] OK (crypto v2) - rtt: 213ms
[2019-04-18 19:57:01] [NOTICE] [cs-nl2] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:02] [NOTICE] [cs-fi] OK (crypto v2) - rtt: 200ms
[2019-04-18 19:57:02] [NOTICE] [cs-pl] OK (crypto v2) - rtt: 295ms
[2019-04-18 19:57:02] [NOTICE] [cs-dk] OK (crypto v2) - rtt: 206ms
[2019-04-18 19:57:02] [NOTICE] [cs-it] OK (crypto v2) - rtt: 170ms
[2019-04-18 19:57:02] [NOTICE] [cs-fr] OK (crypto v2) - rtt: 158ms
[2019-04-18 19:57:03] [NOTICE] [cs-fr2] OK (crypto v2) - rtt: 160ms
[2019-04-18 19:57:03] [NOTICE] [cs-pt] OK (crypto v2) - rtt: 211ms
[2019-04-18 19:57:03] [NOTICE] [cs-hk] OK (crypto v2) - rtt: 361ms
[2019-04-18 19:57:03] [NOTICE] [cs-ro] OK (crypto v2) - rtt: 191ms
[2019-04-18 19:57:03] [NOTICE] [cs-mo] OK (crypto v2) - rtt: 205ms
[2019-04-18 19:57:04] [NOTICE] [cs-lv] OK (crypto v2) - rtt: 202ms
[2019-04-18 19:57:04] [NOTICE] [cs-uk] OK (crypto v2) - rtt: 165ms
[2019-04-18 19:57:04] [NOTICE] [cs-de] OK (crypto v2) - rtt: 162ms
[2019-04-18 19:57:04] [NOTICE] [cs-de2] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:04] [NOTICE] [cs-ca] OK (crypto v2) - rtt: 218ms
[2019-04-18 19:57:05] [NOTICE] [cs-ca2] OK (crypto v2) - rtt: 291ms
[2019-04-18 19:57:05] [NOTICE] [cs-usny] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:05] [NOTICE] [cs-usil] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:05] [NOTICE] [cs-usnv] OK (crypto v2) - rtt: 216ms
[2019-04-18 19:57:08] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-18 19:57:08] [NOTICE] [cs-usdc] OK (crypto v2) - rtt: 264ms
[2019-04-18 19:57:08] [NOTICE] [cs-ustx] OK (crypto v2) - rtt: 242ms
[2019-04-18 19:57:08] [NOTICE] [cs-usga] OK (crypto v2) - rtt: 250ms
[2019-04-18 19:57:09] [NOTICE] [cs-usnc] OK (crypto v2) - rtt: 258ms
[2019-04-18 19:57:09] [NOTICE] [cs-usca] OK (crypto v2) - rtt: 209ms
[2019-04-18 19:57:09] [NOTICE] [cs-usor] OK (crypto v2) - rtt: 272ms
[2019-04-18 19:57:09] [NOTICE] [d0wn-is-ns2] OK (crypto v1) - rtt: 235ms
[2019-04-18 19:57:10] [NOTICE] [d0wn-tz-ns1] OK (crypto v1) - rtt: 392ms
[2019-04-18 19:57:10] [NOTICE] [de.dnsmaschine.net] OK (crypto v2) - rtt: 204ms
[2019-04-18 19:57:10] [NOTICE] [dnscrypt.ca-1] OK (crypto v2) - rtt: 297ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.ca-2] OK (crypto v2) - rtt: 288ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.eu-dk] OK (crypto v2) - rtt: 205ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.eu-nl] OK (crypto v1) - rtt: 301ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.me] OK (crypto v2) - rtt: 180ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.nl-ns0] OK (crypto v2) - rtt: 196ms
[2019-04-18 19:57:12] [NOTICE] [dnscrypt.uk-ipv4] OK (crypto v2) - rtt: 282ms
[2019-04-18 19:57:12] [NOTICE] [ev-va] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:12] [NOTICE] [ev-to] OK (crypto v2) - rtt: 270ms
[2019-04-18 19:57:12] [NOTICE] [freetsa.org] OK (crypto v1) - rtt: 256ms
[2019-04-18 19:57:13] [NOTICE] [ibksturm] OK (crypto v2) - rtt: 453ms
[2019-04-18 19:57:13] [NOTICE] [ipredator] OK (crypto v1) - rtt: 194ms
[2019-04-18 19:57:13] [NOTICE] [opennic-ethservices] OK (crypto v1) - rtt: 261ms
[2019-04-18 19:57:14] [NOTICE] [opennic-ethservices2] OK (crypto v1) - rtt: 259ms
[2019-04-18 19:57:14] [NOTICE] [opennic-luggs] OK (crypto v1) - rtt: 284ms
[2019-04-18 19:57:14] [NOTICE] [opennic-luggs2] OK (crypto v1) - rtt: 287ms
[2019-04-18 19:57:14] [NOTICE] [publicarray-au] OK (crypto v2) - rtt: 176ms
[2019-04-18 19:57:17] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 19:57:17] [NOTICE] [quad9-dnscrypt-ip4-nofilter-pri] OK (crypto v1) - rtt: 160ms
[2019-04-18 19:57:17] [NOTICE] [quad9-dnscrypt-ip4-nofilter-alt] OK (crypto v1) - rtt: 158ms
[2019-04-18 19:57:19] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 19:57:19] [NOTICE] [scaleway-fr] OK (crypto v2) - rtt: 162ms
[2019-04-18 19:57:19] [NOTICE] [securedns] OK (crypto v1) - rtt: 284ms
[2019-04-18 19:57:20] [NOTICE] [soltysiak] OK (crypto v1) - rtt: 280ms
[2019-04-18 19:57:20] [NOTICE] [suami] OK (crypto v2) - rtt: 161ms
[2019-04-18 19:57:20] [NOTICE] [trashvpn.de] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:20] [NOTICE] [ventricle.us] OK (crypto v2) - rtt: 275ms
[2019-04-18 19:57:22] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 19:57:22] [NOTICE] [opennic-R4SAS] OK (crypto v2) - rtt: 191ms
[2019-04-18 19:57:22] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 19:57:22] [NOTICE] dnscrypt-proxy is ready - live servers: 61
[2019-04-18 20:57:25] [NOTICE] [charis] TIMEOUT
[2019-04-18 20:57:31] [NOTICE] [cs-uswa] OK (crypto v2) - rtt: 289ms
[2019-04-18 20:57:40] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 20:57:42] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 20:57:46] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 20:58:01] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 21:58:04] [NOTICE] [charis] TIMEOUT
[2019-04-18 21:58:18] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 21:58:20] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 21:58:24] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 21:58:39] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 22:58:42] [NOTICE] [charis] TIMEOUT
[2019-04-18 22:58:57] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 22:58:59] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 22:59:02] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 22:59:17] [NOTICE] Server with the lowest initial latency: scaleway-fr (rtt: 159ms)
[2019-04-18 23:59:19] [NOTICE] [charis] TIMEOUT
[2019-04-18 23:59:25] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 23:59:27] [NOTICE] [cs-de] TIMEOUT
[2019-04-18 23:59:38] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 23:59:40] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 23:59:44] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 23:59:50] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 23:59:52] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 00:00:02] [NOTICE] Server with the lowest initial latency: cs-fr2 (rtt: 158ms)
[2019-04-19 01:00:05] [NOTICE] [charis] TIMEOUT
[2019-04-19 01:00:10] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 01:00:12] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 01:00:16] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 01:00:25] [NOTICE] [qag.me] TIMEOUT
[2019-04-19 01:00:27] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-19 01:00:30] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-19 01:00:37] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 01:00:39] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 01:00:51] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 01:00:51] [NOTICE] Server with the lowest initial latency: cs-fr2 (rtt: 158ms)
[2019-04-19 02:00:54] [NOTICE] [charis] TIMEOUT
[2019-04-19 02:01:00] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 02:01:02] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 02:01:05] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 02:01:12] [NOTICE] [ibksturm] TIMEOUT
[2019-04-19 02:01:16] [NOTICE] [qag.me] TIMEOUT
[2019-04-19 02:01:18] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-19 02:01:22] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-19 02:01:28] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 02:01:30] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 02:01:42] [NOTICE] [cs-uswa] TIMEOUT
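cake's question is how to investigate this. As an added example (not from the thread or the plugin), the following Python script parses the log line format shown above, groups the probe results into the hourly check cycles (each cycle ends with the "Server with the lowest initial latency" line), and reports per cycle how many distinct servers timed out and, per server, whether it never answered in the window, answered at startup and then degraded, or is intermittent. That split is what separates dead entries in the public list from resolvers that a path change or rate limiting knocked out later. The sample log is constructed in the same format as the excerpt, with a few of its resolver names; the function names and status labels are mine.

```python
"""Summarise resolver probe timeouts from a dnscrypt-proxy log.

Added example: not from the thread or the plugin. It relies only on the log line
format visible in the excerpt above; the sample below is constructed in that format
with a few of the resolver names from the excerpt.
"""
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
PROBE_RE = re.compile(r"^\[(?P<server>[^\]]+)\] (?P<result>OK|TIMEOUT)"
                      r"(?: \(crypto v\d\) - rtt: (?P<rtt>\d+)ms)?$")
CYCLE_END_RE = re.compile(r"^Server with the lowest initial latency: (?P<server>\S+) "
                          r"\(rtt: (?P<rtt>\d+)ms\)$")
READY_RE = re.compile(r"live servers: (?P<n>\d+)$")

SAMPLE_LOG = """\
[2019-04-18 19:56:58] [NOTICE] [arvind-io] OK (crypto v2) - rtt: 256ms
[2019-04-18 19:57:00] [NOTICE] [charis] TIMEOUT
[2019-04-18 19:57:02] [NOTICE] [cs-fr] OK (crypto v2) - rtt: 158ms
[2019-04-18 19:57:04] [NOTICE] [cs-lv] OK (crypto v2) - rtt: 202ms
[2019-04-18 19:57:17] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 19:57:22] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 19:57:22] [NOTICE] dnscrypt-proxy is ready - live servers: 3
[2019-04-18 20:57:25] [NOTICE] [charis] TIMEOUT
[2019-04-18 20:57:40] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 20:58:01] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 21:58:04] [NOTICE] [charis] TIMEOUT
[2019-04-18 21:58:10] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 21:58:18] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 21:58:30] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 21:58:39] [NOTICE] Server with the lowest initial latency: cs-fr2 (rtt: 158ms)
"""


def parse_probe_cycles(log_text: str) -> List[dict]:
    """Group probe lines into check cycles, each closed by the 'lowest initial latency' line."""
    cycles: List[dict] = []
    current = {"ok": {}, "timeout": set()}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        probe = PROBE_RE.match(msg)
        if probe:
            server = probe.group("server")
            if probe.group("result") == "OK":
                current["ok"][server] = int(probe.group("rtt") or 0)
            else:
                current["timeout"].add(server)   # a set: repeated timeouts count once
            continue
        end = CYCLE_END_RE.match(msg)
        if end:
            current["ended"] = m.group("ts")
            current["best"] = end.group("server")
            cycles.append(current)
            current = {"ok": {}, "timeout": set()}
            continue
        ready = READY_RE.search(msg)
        if ready and cycles:                     # the ready line follows the first cycle's end
            cycles[-1]["live"] = int(ready.group("n"))
    return cycles


def summarize(cycles: List[dict]) -> Tuple[List[int], Dict[str, dict]]:
    """Distinct timed-out servers per cycle, plus a per-server status over the window."""
    per_cycle = [len(c["timeout"]) for c in cycles]
    servers: Dict[str, dict] = {}
    for i, c in enumerate(cycles):
        for s in c["timeout"]:
            rec = servers.setdefault(s, {"timeouts": 0, "first_cycle": i,
                                         "ok_at_start": s in cycles[0]["ok"]})
            rec["timeouts"] += 1
    for rec in servers.values():
        if rec["timeouts"] == len(cycles):
            rec["status"] = "never answered"        # dead for the whole window
        elif rec["ok_at_start"]:
            rec["status"] = "degraded after start"  # the pattern cake is seeing
        else:
            rec["status"] = "intermittent"
    return per_cycle, servers


if __name__ == "__main__":
    cycles = parse_probe_cycles(SAMPLE_LOG)
    per_cycle, servers = summarize(cycles)
    for c, n in zip(cycles, per_cycle):
        print(f"{c['ended']}: {n} timed out, best={c['best']}")
    for s, rec in sorted(servers.items()):
        print(f"{s:12} timeouts={rec['timeouts']} status={rec['status']}")
```

Feed it the contents of /var/log/dnscrypt-proxy/dnscrypt-proxy.log (the path cake names); a growing "degraded after start" list across cycles while "never answered" stays constant points at something between the firewall and the resolvers rather than at stale entries in the server list.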
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: thg0432 on April 22, 2019, 05:03:10 pm
is it possible to have dnscrypt have a different set of DNS server(s) for an ip range? 
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on April 22, 2019, 05:30:48 pm
No, but manual addition
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: thg0432 on April 22, 2019, 06:51:51 pm
so essentially just add dns servers in via static ip mappings?  I have my kids devices mapped, but I was hoping to set it via range or group setting rather than manually per device.  I hope this could be a future feature.  It would be great for parental control features and being able to drill down for reports that are generated per user.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on April 22, 2019, 10:31:57 pm
Just use Port redirection for kids IPs to make use of it. Rest could go with usual DNS
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: DoomSalamander on June 27, 2019, 01:59:00 pm
While I would love to use dnscrypt I can't because of some websites apparently having broken DNSSEC support like postbank.de, see https://community.cloudflare.com/t/problem-with-oneplus-com-and-postbank-de/29232. I currently use DNS over TLS and there the same happens with DNSSEC enabled, but I can configure an override to get those sites working. I don't know how I can make this work with DNSSEC and dnscrypt set up because you can only use unbound overrides if "do-not-query-localhost: no" isn't being used. If anyone knows how to make it work please let me know.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: p1n0ck10 on June 30, 2019, 01:03:08 pm
While I would love to use dnscrypt I can't because of some websites apparently having broken DNSSEC support like postbank.de, see https://community.cloudflare.com/t/problem-with-oneplus-com-and-postbank-de/29232. I currently use DNS over TLS and the same happens there with DNSSEC enabled, but I can configure an override to get those sites working. I don't know how I can make this work with DNSSEC and dnscrypt set up, because you can only use Unbound overrides if "do-not-query-localhost: no" isn't being used. If anyone knows how to make it work, please let me know.

You must configure Unbound DNS to redirect this query to another DNS resolver. Example with Quad9 DNS.
Copy this to your Advanced Config:
Code: [Select]
# Unbound refuses to forward to 127.0.0.1 / ::1 unless this is set
do-not-query-localhost: no

# Exceptions: these zones go straight to Quad9 as plain DNS on port 53,
# not through dnscrypt-proxy
forward-zone:
   name: "postbank.com"
   forward-addr: 9.9.9.9
forward-zone:
   name: "postbank.de"
   forward-addr: 9.9.9.9
# Everything else goes to the local dnscrypt-proxy listener
forward-zone:
   name: "."
   forward-addr: ::1@5353
   forward-addr: 127.0.0.1@5353

With this config I can resolve postbank.com and postbank.de.

Kind Regards
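An added example (not part of the post above, and not OPNsense or Unbound code): a small checker for forward-zone snippets like the one above. It answers two things worth knowing before pasting such a block into Advanced Config: which forward-zone Unbound will apply to a given query name (the closest enclosing zone wins, so "postbank.de" beats "."), and whether each upstream is reached through the local dnscrypt-proxy listener or as plain DNS. Note the caveat the snippet implies: the postbank exceptions leave the encrypted path and go to 9.9.9.9 on port 53 in cleartext, since no forward-tls-upstream is set for those zones. The helper names are mine; the config text is the one from the post.

```python
import ipaddress

# The snippet from the post above, verbatim.
UNBOUND_SNIPPET = """\
do-not-query-localhost: no

forward-zone:
   name: "postbank.com"
   forward-addr: 9.9.9.9
forward-zone:
   name: "postbank.de"
   forward-addr: 9.9.9.9
forward-zone:
   name: "."
   forward-addr: ::1@5353
   forward-addr: 127.0.0.1@5353
"""


def parse_unbound(text):
    """Minimal parser for the directives used in the snippet.
    Returns (global_options, zones); zones maps a zone name to
    {"addrs": [(ip, port), ...], "opts": {...}}."""
    options, zones, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "forward-zone:":
            current = None  # a new block starts; its name: line follows
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "name":
            current = value.rstrip(".").lower() or "."
            zones[current] = {"addrs": [], "opts": {}}
        elif key == "forward-addr":
            # Unbound writes addr@port; without @ the port is 53
            addr, port = value.rsplit("@", 1) if "@" in value else (value, "53")
            zones[current]["addrs"].append((addr, int(port)))
        elif current is None:
            options[key] = value
        else:
            zones[current]["opts"][key] = value
    return options, zones


def select_zone(qname, zones):
    """The forward-zone Unbound applies to qname: the closest enclosing
    zone name, falling back to "." when one is configured."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return "." if "." in zones else None


def audit(text):
    """Findings to review before pasting the snippet into Advanced Config."""
    options, zones = parse_unbound(text)
    findings = []
    for name, zone in zones.items():
        for addr, port in zone["addrs"]:
            loopback = ipaddress.ip_address(addr).is_loopback
            # Unbound's default for do-not-query-localhost is "yes"
            if loopback and options.get("do-not-query-localhost", "yes") != "no":
                findings.append(f'{name}: upstream {addr}@{port} is localhost but '
                                f'do-not-query-localhost is not "no"; Unbound will refuse it')
            elif not loopback and zone["opts"].get("forward-tls-upstream") != "yes":
                findings.append(f"{name}: plain DNS to {addr}@{port}, bypassing "
                                f"dnscrypt-proxy (no forward-tls-upstream)")
    return findings


if __name__ == "__main__":
    _, zones = parse_unbound(UNBOUND_SNIPPET)
    for q in ("www.postbank.de", "postbank.com.", "example.org"):
        print(q, "->", select_zone(q, zones))
    for f in audit(UNBOUND_SNIPPET):
        print("finding:", f)
```

Running it against the snippet reports the two cleartext exceptions; dropping the do-not-query-localhost line additionally reports that the "." zone can no longer reach dnscrypt-proxy, which is the failure DoomSalamander describes.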
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: DoomSalamander on June 30, 2019, 01:53:49 pm
Thank you very much! Seems to work flawlessly. You should add that to your tutorial and mention that some sites may have broken dnssec support and you can add them that way as an exception.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: p1n0ck10 on June 30, 2019, 02:15:28 pm
Thank you very much! Seems to work flawlessly. You should add that to your tutorial and mention that some sites may have broken dnssec support and you can add them that way as an exception.

This problem seems to be only at Cloudflare, but it's caused by Postbank.
Another option is to use the Quad9 DNS servers in the Server List of the DNSCrypt-Proxy plugin on OPNsense:
Code: [Select]
quad9-dnscrypt-ip6-filter-pri
quad9-dnscrypt-ip4-filter-pri

Then you don't have to add exceptions to the Advanced Config in Unbound DNS. But Quad9 seems to be slower.

Kind Regards
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: DoomSalamander on June 30, 2019, 03:08:42 pm
This problem seems to be only at Cloudflare.
Another option is to use the Quad9 DNS servers in the Server List of the DNSCrypt-Proxy plugin on OPNsense.

Yeah, I read that too, that this only happens with Cloudflare. Apparently because of their IETF implementation of DNSSEC. I wanted to use Cloudflare because of their speed.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: p1n0ck10 on June 30, 2019, 03:10:26 pm
I have updated the tutorial...

The difference between Cloudflare and Quad9 is that Cloudflare uses QNAME minimisation and Quad9 does not, and Quad9 is slower. Results on https://cmdns.dev.dns-oarc.net/

Cloudflare:
(see Attachment: Cloudflare_DNS-Results.png)
https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7441;image

Quad9:
(see Attachment: Quad9_DNS-Results.png)
https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7443;image
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: p1n0ck10 on July 02, 2019, 08:33:44 pm
@mimugmail:
I have tried to configure the exceptions under Services/DNSCrypt-Proxy/Configuration/Forwarders,
but it doesn't work. In my opinion this would be the right place? Have you any ideas?

Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on July 02, 2019, 09:57:50 pm
Sorry, can't follow. What exactly do you want to achieve.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: p1n0ck10 on July 02, 2019, 10:31:55 pm
Sorry, can't follow. What exactly do you want to achieve.

If you use Cloudflare in the Server List you can't access the domains postbank.com and postbank.de. My idea was to redirect the DNS query to another server (for example Quad9). If I use this in Unbound DNS it works. If I configure this in DNSCrypt-Proxy under Forwarders it doesn't work.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: vip-123 on September 13, 2019, 05:38:49 pm
Old post, but I was reading up on the "Server List" in case you want to manually use known servers like "cloudflare".

Noticed that when I add 1.1.1.1 / 1.1.1.1:53 it fails with something like "no servers found".

The list does seem to work when typing "cloudflare" in lower case; then it saves and works.

SNI is still not encrypted, but it is still a vast improvement in my testing.

- The sites-not-loading issue.
(I figure this is off topic, but I might as well attempt to explain what I'm guessing the issue is in this particular case.)

What I found is the firewall on the remote site blocking origination countries / geo IPs.
I do this too on many firewalls like Meraki and others.

The trick is that some sites are pulling CSS / fonts and other items from IPs that are not located in the referenced IPs by geo, and if your rule is set to something like "only allow these countries and deny all other traffic", then you get the above kind of issue.

Basically the bank is blocking certain countries from access.
You might be in .de; however, your request when using CF is routed through another country like (for example) Spain/France/etc. for speed / backbone performance, and then that might be blocked inbound.

The firewall for the bank is blocking inbound from either CF proxy due to too many hits from their proxy IP (which is common for a webserver that doesn't understand how to strip back to the originator's actual IP).

(End of the off-topic part; I just wanted to attempt to explain what I'm guessing the issue is in this particular case.)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: dpshak on September 23, 2019, 04:58:51 pm
HELP!?!

I've googled around, hunted high and low, and STILL haven't found an answer...I'm not sure that this is the right forum for this question, BUT it concerns the topic of what I'm trying to do.  If I'm in the wrong place, feel free to move me!

First off, I'm new to both OPNSense and *BSD.  I found my way here via the 'Security Now' podcast.  Steve Gibson mentioned pfSense in a recent podcast; he was talking about his SG1100 router equipped with pfSense and also mentioned that pfSense could be installed on a router or spare PC - the spare PC caught my attention!  :o  After investigating, I ruled out pfSense because the machine that I intended to use is an OLD, Intel P4 system - pfSense seems to have deprecated support for 32bit machines.  After more googling, I discovered that OPNSense was another fork of the old mOnOwall firewall AND it still supports 32bit machines.  :)

The reason that 'spare PC' caught my attention: I started dual booting Windows XP and Gentoo Linux back in the early 2000s.  When XP hit its expiration date, I moved completely over to Gentoo Linux.  That old P4 has been gathering dust and I decided I wanted to turn it into a firewall/router box.  I had the router side working, more or less, when other things came up.  So I never finished it.  When I discovered OPNSense, and realized it did EVERYTHING that I wanted, out-of-the-box, I decided to have at it.

So; 3 weeks later, after much fiddling (and googling) around, I have a working system!  Getting my primary and secondary wireless network up and running was a P.I.T.A!!!  (I have a Netgear WNR3500 and a Linksys WRT-54G, both running DD-WRT variants, that provide my primary and secondary WiFi networks.)  So, that brings me to my question...

I want to use DNSCrypt-Proxy on my OPNSense box.  EVERYTHING I've found says: go to System->Firmware->Plugins and install DNSCrypt-Proxy.  It DOES NOT exist on my box!!!  I tried changing 'repository' locations and updating, but NO DNSCrypt-Proxy in 'Plugins'!  Eventually, after reading through these forums, I found a post that helped me bring 'ports' into that box.  In turn, I was able to install DNSCrypt-Proxy2.  HOWEVER, that's all CLI stuff.  It's installed as a 'package' on my machine and doesn't show up in the 'Services' menu.  Being a Gentoo Linux user, I'm not averse to fiddling around with config files but, as the OP said, I REALLY don't want to mix config file setup with GUI configurations...  So, the question is: why is this NOT showing up as a plugin in System->Firmware->Plugins and, where can I go to make this happen?  If I CAN'T make this happen, is there a preferred 'how-to tutorial' site that I can go to, to configure this manually?

This is what's in the box:
Code: [Select]
OPNsense 19.7.4_1-i386
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019
and the initial install was: OPNsense-19.7-OpenSSL-vga-i386.img (downloaded from the OPNSense website), installed on a bootable USB drive.

TIA!!!   
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on September 23, 2019, 08:14:48 pm
Dnscrypt depends on Go language and Go is not compatible to i386 :( Sorry Dude ...
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: franco on September 24, 2019, 07:26:48 am
It's compatible, but we keep the i386 version light so that it keeps building faster. Please also note that OPNsense 20.1 (January 2020) will remove i386 altogether as planned a long time ago.


Cheers,
Franco
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: dpshak on September 24, 2019, 03:06:55 pm
Dnscrypt depends on Go language and Go is not compatible to i386 :( Sorry Dude ...

It's compatible, but we keep the i386 version light so that it keeps building faster. Please also note that OPNsense 20.1 (January 2020) will remove i386 altogether as planned a long time ago.

Cheers,
Franco


Well then...I guess that's a good excuse to upgrade the motherboard!   ;D   The board in that machine IS about 15 years old!

In the meantime: I have a FreeBSD 13.0-CURRENT install running in VirtualBox so I can get some education on *BSD.  If I understand the *BSD system correctly, this would be the equivalent of the 'testing' branch in Linux.

I learn best by doing, which is why I chose Gentoo when I converted to Linux.  To this day, I run '~AMD64' (testing branch) on MY machine.  Periodically, I run into problems but, fixing those problems is the best way, IMHO, to learn more about the system!  So, by installing a 'testing' branch, I will learn more about how *BSD works!  :)

Thanks franco, and mimugmail, for your responses!  :)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on September 24, 2019, 04:22:59 pm
When you install 13 you won't get any binary updates, it's usually only for testing the current state (correct me if I'm wrong Franco). You should install 12.0, there are not many features and it's way better supported.

It's not like with linux that you have bleeding edge wifi or graphic adapters when running 13 :)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: Mr.Goodcat on October 19, 2019, 06:08:08 pm
For some odd reason the guide doesn't work for me. After activating the plugin, URLs are no longer resolved. I'm on the latest version of OPN and have two WAN interfaces. There are rules on the LAN interface to allow packets going to ports 53 and 5353 on the firewall itself. Any ideas?
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on October 19, 2019, 06:37:39 pm
Are you only interested in DNSBL?
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: Mr.Goodcat on October 19, 2019, 06:54:14 pm
I'm trying to switch to DoH, right now i'm using DoT via unbound.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: l0stnyc on October 20, 2019, 12:32:57 am
Are you using unbound and dnscrypt for DOH?  Or just using dnscrypt as standalone? 

When using unbound and dnscrypt as per the instructions in the first post (but unchecking DNSSEC in unbound) it works fine.  However, when trying to use dnscrypt as standalone DNS listening on port 53, it also doesn't work.  To be more specific, it works for a bit, then nothing resolves.  I'm not sure why.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: Mr.Goodcat on October 20, 2019, 02:18:19 pm
I tried both, neither works.
Thanks for the hint regarding unchecking DNSSEC in unbound! However, it still won't resolve any addresses :( Either I'm missing something or there are issues when using multi-WAN (fallback, not load balancing).
My settings are in the attachment in case anyone is kind enough to check (I re-activated DNSSEC in unbound and uncommented the custom options to reactivate DoT for now) :)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on October 20, 2019, 03:38:17 pm
Outgoing interface WAN doesn't make sense when it forwards to dnscrypt on localhost? Do you have IPv6 on WAN?
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: Mr.Goodcat on October 20, 2019, 04:09:00 pm
I have two VLANs, one each per ISP. WAN uses IPv4+6 and WAN_elem IPv4.

You were right, the outgoing interface had to be changed to reach DNSCrypt at localhost. It's pretty obvious if you think about it, yet I completely missed it :P Thank you!
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on October 20, 2019, 05:23:49 pm
Glad you did it :)
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: WhosTheBosch on December 08, 2019, 07:48:48 am
I've set up everything in this guide. It's worked great and appears to be doing its job. I've selected only Cloudflare for my DNScrypt provider. However, when I go to Cloudflare's help page it shows me that I'm not connected and DNS over HTTPS isn't working. I was wondering if you might know why?

I use the 1.1.1.1 test page: https://1.1.1.1/help/
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on December 08, 2019, 09:46:14 am
Can you check the logs after dnscrypt-proxy restart if there is something interesting?
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: WhosTheBosch on December 08, 2019, 10:34:48 am
Unbound settings:
Code: [Select]
Network interfaces: All local ones
CheckDNSSec Support
Check DHCP Registration
Check DHCP Static Mappings
Local Zone Type: Transparent
Outgoing Network Interfaces: All local ones
- Note I had this set to WAN when I was using pfSense but it doesn't work for me here

do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353

Can you check the logs after dnscrypt-proxy restart if there is something interesting?

Nothing that I could see:

Code: [Select]
[2019-12-08 08:53:59] [NOTICE] dnscrypt-proxy is ready - live servers: 1
[2019-12-08 08:53:59] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 3ms)
[2019-12-08 08:53:59] [NOTICE] [cloudflare] OK (DoH) - rtt: 3ms
[2019-12-08 08:53:59] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2019-12-08 08:53:59] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2019-12-08 08:53:59] [NOTICE] Loading the set of forwarding rules from [forwarding-rules.txt]
[2019-12-08 08:53:59] [NOTICE] Loading the set of cloaking rules from [cloaking-rules.txt]
[2019-12-08 08:53:57] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-12-08 08:53:57] [NOTICE] Firefox workaround initialized
[2019-12-08 08:53:57] [NOTICE] Loading the set of whitelisting rules from [whitelist.txt]
[2019-12-08 08:53:57] [NOTICE] Source [public-resolvers.md] loaded
[2019-12-08 08:53:57] [NOTICE] Network connectivity detected
[2019-12-08 08:53:57] [NOTICE] dnscrypt-proxy 2.0.31
[2019-12-08 08:23:19] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 4ms)

When I visit https://1.1.1.1/help in Firefox (note I have uBlock Origin installed), I get the message about DoH not working; I also get the same message from Edge.

Code: [Select]
[2019-12-08 09:00:48] 192.168.1.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net AAAA SYNTH 0ms -
[2019-12-08 09:00:48] 192.168.0.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net AAAA SYNTH 0ms -
[2019-12-08 09:00:48] 192.168.4.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net AAAA SYNTH 0ms -
[2019-12-08 09:00:48] 192.168.0.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net AAAA SYNTH 0ms -
[2019-12-08 09:00:48] 192.168.4.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net AAAA SYNTH 0ms -
[2019-12-08 09:00:48] 192.168.2.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net DS PASS 9ms cloudflare
[2019-12-08 09:00:48] 192.168.3.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net AAAA SYNTH 0ms -
[2019-12-08 09:00:48] 192.168.2.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net A PASS 4ms cloudflare
[2019-12-08 09:00:48] 192.168.4.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net A PASS 4ms cloudflare
[2019-12-08 09:00:48] 192.168.9.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.map.cloudflareresolve.com A PASS 10ms cloudflare
[2019-12-08 09:00:48] 192.168.4.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.map.cloudflareresolve.com A PASS 33ms cloudflare
[2019-12-08 09:00:48] 192.168.4.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.1.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.2.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.0.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.0.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.4.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.1.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.2.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.0.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.9.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.4.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.2.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.3.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.2.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.4.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.4.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.3.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.0.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.4.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.4.1 is-doh.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.0.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.is-doh.cloudflareresolve.com A PASS 6ms cloudflare
[2019-12-08 09:00:48] 192.168.3.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.is-dot.cloudflareresolve.com A PASS 7ms cloudflare
[2019-12-08 09:00:48] 192.168.2.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.is-dot.cloudflareresolve.com A PASS 34ms cloudflare
[2019-12-08 09:00:48] 192.168.2.1 is-cf.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.0.1 is-cf.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.4.1 is-cf.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.0.1 is-cf.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.3.1 is-cf.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.2.1 is-cf.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.3.1 is-cf.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.0.1 is-cf.cloudflareresolve.com DS PASS 1ms -
[2019-12-08 09:00:48] 192.168.0.1 is-cf.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:00:48] 192.168.4.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.is-cf.cloudflareresolve.com A PASS 77ms cloudflare
[2019-12-08 09:00:48] 192.168.4.1 is-cf.cloudflareresolve.com DS PASS 2ms -
[2019-12-08 09:00:48] 192.168.2.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.is-cf.cloudflareresolve.com A PASS 19ms cloudflare
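An added example, not from the post above and not dnscrypt-proxy's own code: a parser for the query log format shown there (one line per query: timestamp, client, name, type, result, latency, server) with an audit that answers the question being chased in this thread, namely whether every query actually went out through the configured encrypted server. The first four log lines are copied from the post; the last three are constructed here to show the cases worth alerting on. Lines with "-" in the server column (the SYNTH and 0ms PASS lines in the post) are treated as answered locally or from cache. The FORWARD and REJECT result codes are assumed from dnscrypt-proxy's forwarding-rules and blacklist features; as far as I understand that feature, forwarding rules send matching names to the listed servers as regular unencrypted DNS, so a FORWARD entry is a query that left the encrypted path.

```python
import re
from collections import Counter

# Sample query log: first four lines copied from the post above, last three
# constructed for this example.
QUERY_LOG = """\
[2019-12-08 09:00:48] 192.168.1.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net AAAA SYNTH 0ms -
[2019-12-08 09:00:48] 192.168.2.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net DS PASS 9ms cloudflare
[2019-12-08 09:00:48] 192.168.2.1 ae55910f-9418-4ad0-b84e-8635371cbcf5.cloudflareresolve.com.cdn.cloudflare.net A PASS 4ms cloudflare
[2019-12-08 09:00:48] 192.168.4.1 is-doh.cloudflareresolve.com.cdn.cloudflare.net DS PASS 0ms -
[2019-12-08 09:01:02] 192.168.1.20 example.net A PASS 40ms quad9-dnscrypt-ip4-filter-pri
[2019-12-08 09:01:05] 192.168.1.20 postbank.de A FORWARD 12ms -
[2019-12-08 09:01:07] 192.168.1.21 ads.example A REJECT 0ms -
"""

# [timestamp] client qname qtype result latency server
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)"
    r"\s+(?P<result>\S+)\s+(?P<latency>\d+)ms\s+(?P<server>\S+)$"
)


def parse_query_log(text):
    """Parse query-log lines into dicts; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["latency_ms"] = int(rec.pop("latency"))
        records.append(rec)
    return records


def audit_query_log(text, allowed_upstreams):
    """Count which upstream answered each resolved query and alert on
    anything that did not go through an allowed encrypted server."""
    upstreams = Counter()
    alerts = []
    blocked = 0
    for rec in parse_query_log(text):
        result, server = rec["result"], rec["server"]
        where = f"{rec['ts']} {rec['client']} {rec['qname']}"
        if result == "PASS" and server != "-":
            # "-" means answered locally or from cache; a named server
            # is the upstream that actually resolved the query
            upstreams[server] += 1
            if server not in allowed_upstreams:
                alerts.append(f"{where}: answered by unexpected upstream {server}")
        elif result == "FORWARD":
            # forwarding-rules.txt: plain DNS to the listed server,
            # outside the encrypted path
            alerts.append(f"{where}: sent via forwarding rules as plain DNS")
        elif result == "REJECT":
            blocked += 1
    return {"upstreams": dict(upstreams), "alerts": alerts, "blocked": blocked}


if __name__ == "__main__":
    report = audit_query_log(QUERY_LOG, allowed_upstreams={"cloudflare"})
    print("upstreams:", report["upstreams"])
    print("blocked:", report["blocked"])
    for a in report["alerts"]:
        print("ALERT", a)
```

With only "cloudflare" allowed, the run flags the constructed Quad9 answer and the forwarded postbank.de query; the same check run against a real log is a quick way to confirm that a single-server setup like WhosTheBosch's never fell back to another resolver.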
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on December 08, 2019, 11:31:18 am
Can you check with tcpdump on WAN if you see DNS traffic on 53 or just 443?
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: WhosTheBosch on December 08, 2019, 12:11:17 pm
Can you check with tcpdump on WAN if you see DNS traffic on 53 or just 443?

Yeah, I did that earlier, nothing on 53, although I also have a firewall rule blocking it for external networks and only allowing it for internal ones.

Code: [Select]
tcpdump -ni ix0 port 53
listening on ix0
0 packets captured
130285 packets received by filter
0 packets dropped by kernel

tcpdump -ni ix0 port 443
listening on ix0
3109 packets captured
2318077 packets received by filter
0 packets dropped by kernel

...
11:00:31.179125 IP 1.0.0.1:443 > WAN_IP:17505: flags [.] ack 18163, win 63, length 0
11:00:31.179377 IP 1.0.0.1:443 > WAN_IP:17505: flags [F.] seq 53635, ack 18162, win 63, length 0

tcpdump -ni ix0 host 1.0.0.1 and port 443 - I get a whole bunch more 1.0.0.1:443 traffic.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: mimugmail on December 08, 2019, 03:28:56 pm
Then it's surely an error at Cloudflare not detecting it as encrypted ...
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: sol on December 08, 2019, 04:04:18 pm
Are you using Pi-hole by any chance?
I have the same issue.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: WhosTheBosch on December 08, 2019, 11:02:17 pm
Then it's surely an error at Cloudflare not detecting it as encrypted ...

That's what I'm thinking, I just wanted to check to make sure I didn't have any settings wrong though.

Are you using Pi-hole by any chance?
I have the same issue.

No, I'm just using the settings from the first post here that use Unbound as a forwarder to DNScrypt which then uses DNS over HTTPS to Cloudflare (in my case) to resolve.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: WhosTheBosch on December 08, 2019, 11:05:21 pm
Question: Will this setup cause any issues with setting up Dynamic DNS? On the DDNS creation page it says:

Quote
"You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work."

But with this setup both of those are not done.
Title: Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
Post by: WhosTheBosch on December 09, 2019, 08:09:50 am
Question: Will this setup cause any issues with setting up Dynamic DNS? On the DDNS creation page it says:

Quote
"You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work."

But with this setup both of those are not done.

At least with Namecheap Dynamic DNS this works.