OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: tokade on April 24, 2020, 12:48:13 pm

Title: DoT with unbound-plus in 20.1.5
Post by: tokade on April 24, 2020, 12:48:13 pm
Hi all,

After upgrading to 20.1.5 the unbound-plus plugin should have "Add DNS over TLS (DoT) support", as the changelog says. In the WebGUI there are new fields for private domains and DNS over TLS servers.

I got the following settings in the custom field of unbound:
Code:
server:
    private-domain: "dbl.spamhaus.org"
    private-domain: "sbl.spamhaus.org"
    private-domain: "xbl.spamhaus.org"
    private-domain: "zen.spamhaus.org"
    private-domain: "bl.spamcop.net"
    private-domain: "XXXXX"
    private-domain: "YYYYY"
    private-domain: "ZZZZ"
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853 # cloudflare
    forward-addr: 2606:4700:4700::1001@853 # cloudflare
    forward-addr: 185.49.141.37@853 # getdnsapi.net
    forward-addr: 2a04:b900:0:100::38@853 # getdnsapi.net
    forward-addr: 2a03:b0c0:0:1010::e9a:3001@853 # SecureDNS.eu
    forward-ssl-upstream: yes

How can I convert this to the new fields, and which standard unbound parameters have to be set or unset to use DoT with the plus plugin? Do I have to keep any parameter in the custom field? Is there any documentation?

Kind regards
Torsten
Title: Re: DoT with unbound-plus in 20.1.5
Post by: stefanpf on April 24, 2020, 04:01:15 pm
I guess you have to remove the custom options first and enter the private domains and forwarders after that.

It generates two config files that are included in the main config:
Code:
root@gw:/var/unbound/etc # less miscellaneous.conf
server:
private-domain: dbl.spamhaus.org
root@gw:/var/unbound/etc # less dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853

But there seems to be a bug at the validation of "DNS over TLS Servers".
I'm not able to enter more than one value at the moment.
Title: Re: DoT with unbound-plus in 20.1.5
Post by: chemlud on April 24, 2020, 05:31:06 pm
Same here, I tried CSV of three DoT servers, but get a validation error.

I have only updated my testing machine so far, to find the correct DNS settings in this unbound plus... Apparently there is nothing in the documentation on the plugin yet.
Title: Re: DoT with unbound-plus in 20.1.5
Post by: tokade on April 24, 2020, 05:40:03 pm
Thx for your answers, so I'll hold off changing my configuration, since it is a production system.
Title: Re: DoT with unbound-plus in 20.1.5
Post by: mimugmail on April 24, 2020, 07:35:35 pm
There's an error in validation which only allows one server. I will push an update.
Title: Re: DoT with unbound-plus in 20.1.5
Post by: chemlud on April 25, 2020, 03:11:26 pm
Many thanks! btw: is there any tick box for DoT? Do I need to tick forwarding (I guess: yes)? Which other options should be passed to unbound for DoT?

I currently use these settings:

Code:
do-tcp: yes
do-ip6: no
qname-minimisation: yes
qname-minimisation-strict: yes
harden-below-nxdomain: yes

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 159.69.198.101@853
forward-addr: 46.182.19.48@853
forward-addr: 146.185.167.43@853
forward-addr: 89.233.43.71@853
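As an added check (my own Python, not part of the plugin or of any post in this thread): it parses a forward-zone fragment in the shape of the dot.conf and custom options posted above and reports what keeps it from being verified DNS over TLS: no tls-cert-bundle, a forwarder not on @853, or no #auth-name so the upstream certificate is never matched to a hostname. The sample config is constructed.

```python
import re

# Constructed sample in the shape of the generated dot.conf (not taken from a live box):
# one forwarder is correct, one has no @853 port, neither carries a #auth-name.
SAMPLE_CONF = """server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-ssl-upstream: yes   # alias of forward-tls-upstream
  forward-addr: 1.1.1.1@853
  forward-addr: 9.9.9.9
"""

def parse_unbound(text):
    """Return (clause, key, value) triples. A '#' starts a comment only after
    whitespace, so the '@853#name' authentication suffix survives."""
    triples, clause = [], None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # 'server:' / 'forward-zone:'
            clause = line[:-1]
            continue
        key, _, value = line.partition(":")
        triples.append((clause, key.strip(), value.strip().strip('"')))
    return triples

def audit_dot(text):
    """List the ways a forward-zone falls short of verified DNS over TLS."""
    triples = parse_unbound(text)
    server = {k: v for c, k, v in triples if c == "server"}
    zone = [(k, v) for c, k, v in triples if c == "forward-zone"]
    findings = []
    if not (server.get("tls-cert-bundle") or server.get("tls-system-cert") == "yes"):
        findings.append("no tls-cert-bundle/tls-system-cert: upstream certificates cannot be verified")
    if not any(k in ("forward-tls-upstream", "forward-ssl-upstream") and v == "yes" for k, v in zone):
        findings.append("forward-tls-upstream is not 'yes': queries are forwarded in clear text")
    for k, v in zone:
        if k != "forward-addr":
            continue
        port = v.partition("@")[2].split("#", 1)[0]   # IPv6 is fine: first '@' ends the address
        if port != "853":
            findings.append(f"{v}: not on port 853 (unbound would use 53)")
        if "#" not in v:
            findings.append(f"{v}: no #auth-name, so the certificate is not matched to a hostname")
    return findings

if __name__ == "__main__":
    for f in audit_dot(SAMPLE_CONF) or ["ok: all forwarders are verified DoT"]:
        print(f)
```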
Title: Re: DoT with unbound-plus in 20.1.5
Post by: mimugmail on April 25, 2020, 05:36:29 pm
I will rewrite the menu again next week :)
Title: Re: DoT with unbound-plus in 20.1.5
Post by: chemlud on April 29, 2020, 03:35:03 pm
...will you post an update here when you're done? :-)
Title: Re: DoT with unbound-plus in 20.1.5
Post by: agh1701 on April 29, 2020, 04:19:50 pm
You should update your system. I did, and it looks like I got the update, but it still will not take more than one address.
Title: Re: DoT with unbound-plus in 20.1.5
Post by: mimugmail on April 29, 2020, 04:58:30 pm
20.1.6 will ship it