OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: Massimo1993 on August 03, 2020, 01:19:17 pm

Title: [RESOLVED]DNS over TLS doesn't work
Post by: Massimo1993 on August 03, 2020, 01:19:17 pm
I've tried the new DNS over TLS function present in Miscellaneous, but with 1.1.1.1@853 and 1.0.0.1@853 it doesn't work: there are no requests on port 853 and everything on port 53 is in the clear.

Then I've tried to use this custom config, which should work, but it's still the same thing: no DNS over TLS and nothing on 853.
Code:
server:
  minimal-responses: yes
  qname-minimisation: yes
  rrset-roundrobin: yes
  use-caps-for-id: yes
  tls-cert-bundle: /etc/ssl/cert.pem

forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-ssl-upstream: yes

Here are my settings: https://postimg.cc/gallery/fM2mBRh. I've also disabled the rewrite of DNS in the general config.
Title: Re: DNS over TLS doesn't work
Post by: mimugmail on August 03, 2020, 01:23:11 pm
Can you disable the custom settings, enable DoT via the view and post the content of /var/unbound/unbound.conf?
Title: Re: DNS over TLS doesn't work
Post by: Massimo1993 on August 03, 2020, 01:34:36 pm
Quote from: mimugmail on August 03, 2020, 01:23:11 pm
Can you disable the custom settings, enable DoT via the view and post the content of /var/unbound/unbound.conf?

I've removed the custom settings, saved, added 1.1.1.1@853 and 1.0.0.1@853 to the DNS over TLS form in Miscellaneous, saved and restarted Unbound.

Here is the unbound.conf:
https://pastebin.com/Gqt8vitF
Title: Re: DNS over TLS doesn't work
Post by: Massimo1993 on August 03, 2020, 02:34:50 pm
Apparently https://cloudflare-dns.com/help/ isn't accurate. I've tried spoofing on port UDP 53 and TCP 853 and indeed it works.
Strangely, any online test like this one or Tenta tells me it isn't covered by TLS; I can't understand why.
Title: Re: DNS over TLS doesn't work
Post by: mimugmail on August 03, 2020, 02:39:58 pm
I thought you were not seeing packets on port 853 on WAN?
Title: Re: DNS over TLS doesn't work
Post by: Massimo1993 on August 03, 2020, 02:51:20 pm
Quote from: mimugmail on August 03, 2020, 02:39:58 pm
I thought you were not seeing packets on port 853 on WAN?

Sorry, I checked UDP on 853 at first, that's why I didn't see anything, because the normal queries were on UDP port 53.
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: aimdev on August 04, 2020, 07:23:53 pm
Hi,
I am also having issues getting this to work.
Commenting out all forwarders in the Custom options pane, and then putting an IP address such as
9.9.9.9
or
9.9.9.9@853
in the DNS over TLS field on the Miscellaneous page
and saving makes no change to /var/unbound/unbound.conf, and resolving does not work.
Q1: Which is the correct format, 9.9.9.9 or 9.9.9.9@853?
Q2: Why is there no change to the /var/unbound/unbound.conf file? Are the entries held elsewhere?
Q3: Am I doing something stupid?

Thanks
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: mimugmail on August 04, 2020, 08:17:07 pm
9.9.9.9@853 is correct. The file is called dot.conf
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: aimdev on August 04, 2020, 08:25:45 pm
Hi,
Thanks for that.
I tried it earlier today; it's not working.
I did:
enter the IP address @853 on the Miscellaneous page,
saved,
commented out all other server entries in the custom options,
saved,
restarted Unbound.
Does it need a reboot?
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: mimugmail on August 04, 2020, 09:13:03 pm
Can you do a packet capture on port 853 on WAN? As previously said, the online check doesn't work.
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: aimdev on August 04, 2020, 11:05:22 pm
Pre change (using servers in unbound.conf): traffic detected, sites resolved.
Post change: unbound.conf servers commented out.
A working DNS added, checked in dot.conf:
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 217.169.20.22@853
No traffic observed, no resolving.
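The thread turns on two things a reader cannot easily eyeball in the generated file: whether forward-tls-upstream is actually set on the forward-zone, and whether every forward-addr carries the @853 suffix that mimugmail confirms as the correct format. The checker below is an added example, not OPNsense or Unbound code; it parses the minimal unbound-style syntax seen in the posted dot.conf snippets (the sample text is constructed from them) and reports the misconfigurations that would make DoT fail or silently not apply.

```python
"""Added example: sanity-check an Unbound DoT forwarder file such as /var/unbound/dot.conf."""
import re

# Constructed sample based on the dot.conf posted in the thread, plus one bad entry.
SAMPLE_DOT_CONF = """\
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 217.169.20.22@853
  forward-addr: 9.9.9.9
"""

def parse_unbound(text):
    """Return [(clause, [(key, value), ...]), ...] for a minimal unbound-style config.
    A '#' starts a comment only at line start or after whitespace, so the
    'addr@853#authname' form used for TLS auth names survives."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if re.fullmatch(r"[a-z-]+:", line):          # clause header, e.g. 'server:'
            current = (line[:-1], [])
            clauses.append(current)
            continue
        m = re.fullmatch(r"([a-z-]+):\s*(.*)", line)  # 'key: value' inside a clause
        if m and current is not None:
            current[1].append((m.group(1), m.group(2).strip('"')))
    return clauses

def check_dot(text):
    """Return a list of findings; an empty list means the DoT forwarding looks sane."""
    findings = []
    clauses = parse_unbound(text)
    server_opts = [kv for name, kvs in clauses if name == "server" for kv in kvs]
    if not any(k == "tls-cert-bundle" for k, _ in server_opts):
        findings.append("server: no tls-cert-bundle, upstream certificates cannot be verified")
    zones = [kvs for name, kvs in clauses if name == "forward-zone"]
    if not zones:
        findings.append("no forward-zone clause: nothing is forwarded over TLS")
    for kvs in zones:
        opts = dict(kvs)  # last value wins for repeated keys; forward-addr is read from kvs
        # forward-ssl-upstream (used in the first post) is Unbound's older name for the same option
        tls = opts.get("forward-tls-upstream", opts.get("forward-ssl-upstream", "no"))
        if tls != "yes":
            findings.append(f"forward-zone {opts.get('name')}: forward-tls-upstream is not yes")
        for k, v in kvs:
            if k == "forward-addr" and not re.fullmatch(r"[0-9a-fA-F.:\[\]]+@853(#\S+)?", v):
                findings.append(f"forward-addr {v}: no @853 suffix, use the ip@853 form")
    return findings
```

Running check_dot on the file OPNsense generates shows immediately whether the Miscellaneous entry made it into the config, which is what the later reboot in this thread eventually fixed.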
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: mimugmail on August 05, 2020, 06:04:22 am
And what was the content of unbound.conf previously?
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: aimdev on August 05, 2020, 08:23:34 am
Contents of unbound.conf, this works:

server:
  tls-cert-bundle: /etc/ssl/cert.pem

forward-zone:
  name: "."
  forward-tls-upstream: yes
  #AandA
  forward-addr: 217.169.20.22@853
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: mimugmail on August 05, 2020, 09:03:13 am
Hm, I don't see any difference :o Can you post the full content of unbound.conf with the custom settings removed, and restart the daemon a couple of times?

Maybe one of the apply buttons needs some more pushes.
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: aimdev on August 05, 2020, 09:08:08 am
OK, but it will be a few hours until I can get some downtime.
Can you confirm you want all of the custom entries removed, i.e. empty, and then add in the Miscellaneous page the server ip@port.
Then do a few restarts of unbound and optionally a reboot, then post the complete unbound.conf.
Title: Re: [RESOLVED]DNS over TLS doesn't work
Post by: aimdev on August 06, 2020, 02:41:07 pm
Hi,

Works now, even post reboot.

Any ideas why? Is it the parsing of the config file that's the issue?