OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: decalpha on September 28, 2020, 01:08:31 pm

Title: How to use DNS over TLS in 20.7.3
Post by: decalpha on September 28, 2020, 01:08:31 pm
I have this set-up with 20.1.x:
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853 # Cloudflare DNS
  forward-addr: 1.0.0.1@853 # Cloudflare DNS

How to set up the same in 20.7.3?
Title: Re: How to use DNS over TLS in 20.7.3
Post by: mimugmail on September 28, 2020, 01:10:07 pm
Backup custom, remove custom, go to Misc submenu and add 1.1.1.1@853,1.0.0.1@853
Title: Re: How to use DNS over TLS in 20.7.3
Post by: decalpha on September 28, 2020, 01:36:21 pm
 
Backup custom, remove custom, go to Misc submenu and add 1.1.1.1@853,1.0.0.1@853


Thanks, I am assuming:
1. Save configuration before upgrade.
2. Upgrade.
3. Remove from custom.
4. Add entries under Misc.
Title: Re: How to use DNS over TLS in 20.7.3
Post by: mimugmail on September 28, 2020, 01:45:56 pm
Correct
Title: Re: How to use DNS over TLS in 20.7.3
Post by: Mks on September 28, 2020, 04:04:01 pm
Hi, I don't get it. I've 20.7.3 running, Custom Options are still available in Unbound.

Please elaborate.

br
Title: Re: How to use DNS over TLS in 20.7.3
Post by: mimugmail on September 28, 2020, 04:45:14 pm
Hi, I don't get it. I've 20.7.3 running, Custom Options are still available in Unbound.

Please elaborate.

br

Yes, it's still available, what's the deal?
Title: Re: How to use DNS over TLS in 20.7.3
Post by: decalpha on September 28, 2020, 05:09:38 pm
Correct
Thanks.
Title: Re: How to use DNS over TLS in 20.7.3
Post by: Mks on September 28, 2020, 09:01:20 pm
Hi, sorry, my fault, I misunderstood the question.

One question, is certificate verification, e.g. 185.95.218.42@853#dns.digitale-gesellschaft.ch, supported?

br

Title: Re: How to use DNS over TLS in 20.7.3
Post by: mimugmail on September 29, 2020, 06:07:06 am
It's not yet in there, sorry
Title: Re: How to use DNS over TLS in 20.7.3
Post by: RFGuy_KCCO on September 29, 2020, 02:16:27 pm
Hi, sorry, my fault, I misunderstood the question.

One question, is certificate verification, e.g. 185.95.218.42@853#dns.digitale-gesellschaft.ch, supported?

br

Yes, this works if you use the custom options. Frankly, there is no point in doing DoT if you aren't also validating the certs. I am back to using Unbound as a recursive server, so I am no longer doing DoT, but this was my working config before I switched. Just choose which DNS provider you want to use and delete the rest.

Quote
tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
 
# Quad9 - No EDNS
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
# Quad9 - EDNS
  forward-addr: 2620:fe::11@853#dns.quad9.net
  forward-addr: 2620:fe::fe:11@853#dns.quad9.net
  forward-addr: 9.9.9.11@853#dns.quad9.net
  forward-addr: 149.112.112.11@853#dns.quad9.net
# Cloudflare DNS
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
# Comcast
  forward-addr:  2001:558:fe21:6b:96:113:151:145@853#dot.xfinity.com
  forward-addr:  96.113.151.145@853#dot.xfinity.com
# Google
  forward-addr: 2001:4860:4860::8888@853#dns.google
  forward-addr: 2001:4860:4860::8844@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 8.8.4.4@853#dns.google
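RFGuy_KCCO's point above is that a forward-addr without the #auth-name part still encrypts the query but never checks who answered it. The following Python script is an added example, not from the thread or from OPNsense, that parses a forward-zone in the layout quoted above and reports entries that would run unverified, or that are missing the tls-cert-bundle or forward-tls-upstream lines; the configuration text inside it is constructed.

```python
import ipaddress

# Constructed sample in the layout quoted above; the last forward-addr has
# no "#auth-name", so its TLS session would not be tied to any hostname.
SAMPLE_CONF = """\
tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 1.1.1.1@853
"""

def parse_forward_addr(value):
    """Split 'addr[@port][#authname]' into (ip, port, authname).
    '#' is split off first and '@' from the right, so IPv6 colons are
    never taken for a separator; ValueError on a malformed address."""
    addr, _, authname = value.partition('#')
    host, sep, port = addr.rpartition('@')
    if not sep:                       # no '@': Unbound defaults to port 53
        host, port = addr, '53'
    ipaddress.ip_address(host)        # validates both IPv4 and IPv6 literals
    return host, port, authname

def lint_dot_config(conf):
    """Return findings for a forward-zone that is meant to use DNS over TLS."""
    findings, tls_upstream, has_bundle = [], False, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = (part.strip() for part in line.partition(':'))
        if key == 'tls-cert-bundle':
            has_bundle = bool(value.strip('"'))
        elif key in ('forward-tls-upstream', 'forward-ssl-upstream'):
            tls_upstream = (value == 'yes')
        elif key == 'forward-addr':
            ip, port, authname = parse_forward_addr(value)
            if port != '853':
                findings.append(f'{value}: port {port} is not the DoT port 853')
            if not authname:
                findings.append(f'{value}: no #auth-name, the server certificate is not verified')
    if not tls_upstream:
        findings.append('forward-tls-upstream is not yes: queries leave in plaintext')
    if not has_bundle:
        findings.append('tls-cert-bundle is not set: no CA store to verify auth-names against')
    return findings
```

Run lint_dot_config() over the Custom Options text before saving it; an empty list means every upstream is reached on 853 with a verifiable hostname.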
Title: Re: How to use DNS over TLS in 20.7.3
Post by: Mks on September 29, 2020, 06:42:14 pm
Hi,

I've it configured via Custom Options  ;)

br
Title: Re: How to use DNS over TLS in 20.7.3
Post by: spkrb7 on September 30, 2020, 11:07:51 am
Hello, I've just jumped into OPNsense and first up is trying to stop the DNS leaks (next will be a WireGuard server). In my previous rig I've relied on dnsmasq and stubby DoT, but I'm trying to set up Unbound and getting confused. Is there a howto for it or a better hardened privacy method? Sorry for the greenhorn intrusion. :)

I have verified Unbound working, I have added DoT servers in Unbound -> Miscellaneous. DNSSEC is enabled. Do I still need to add something into the custom field, download a cert package? Do I need unbound-plus?
Title: Re: How to use DNS over TLS in 20.7.3
Post by: mimugmail on September 30, 2020, 01:21:12 pm
Unbound-plus is gone .. it's now part of the core system
Title: Re: How to use DNS over TLS in 20.7.3
Post by: spkrb7 on October 03, 2020, 05:26:52 am
Thanks, glad DoT is working so simply on OPNsense. Great work!
Title: Re: How to use DNS over TLS in 20.7.3
Post by: Layer8 on January 07, 2021, 11:33:31 am
If I am right, it's enough to just add the TLS-enabled DNS servers to the DNS servers list under

[System] -> [Settings] -> [General]

AND enabling DNSSEC under

[Services] -> [Unbound DNS] -> [General].


I just noticed this, because "Domain signature validation (DNSSEC)" on the following test page turned from red to green after I just enabled DNSSEC: http://conn.internet.nl/connection/

Seems there is no need to enter TLS-enabled Servers under [Services] -> [Unbound DNS] -> [Miscellaneous].

Can one confirm this?

If you verify it, remember that "TTL for Host cache entries"-value under

[Services] -> [Unbound DNS] -> [Advanced]

is 15 min, so set it to 1 min to test it.


Or is it just because my default ISP-Gateway (Vodafone) supports DNSSEC?
Title: Re: How to use DNS over TLS in 20.7.3
Post by: chemlud on January 07, 2021, 11:45:23 am
If I am right, it's enough to just add the TLS-enabled DNS servers to the DNS servers list under

[System] -> [Settings] -> [General]

AND enabling DNSSEC under

[Services] -> [Unbound DNS] -> [General].


I just noticed this, because "Domain signature validation (DNSSEC)" on the following test page turned from red to green after I just enabled DNSSEC: http://conn.internet.nl/connection/

Seems there is no need to enter TLS-enabled Servers under [Services] -> [Unbound DNS] -> [Miscellaneous].

Can one confirm this?

If you verify it, remember that "TTL for Host cache entries"-value under

[Services] -> [Unbound DNS] -> [Advanced]

is 15 min, so set it to 1 min to test it.


Or is it just because my default ISP-Gateway (Vodafone) supports DNSSEC?

Nope, DNS-over-TLS and DNSSEC are completely different things. With DNS-over-TLS you need servers and additional commands as outlined above....
Title: Re: How to use DNS over TLS in 20.7.3
Post by: Layer8 on January 07, 2021, 12:20:25 pm
OK, thanks for reply.

So, should I leave DNSSEC disabled when I want to use DNS over TLS?



I added DNS servers to [System] -> [Settings] -> [General]  and disabled "Allow DNS server list to be overridden by DHCP/PPP on WAN" (46.182.19.48 + 185.95.218.42 + 185.95.218.43)
 
I also enabled DNSSEC and i added DoT-Servers to [UnBound DNS] -> [Misc] like "46.182.19.48@853 5.9.164.112@853".


How can I verify that DNS over TLS is used as the standard DNS service?
Title: Re: How to use DNS over TLS in 20.7.3
Post by: chemlud on January 07, 2021, 01:52:08 pm
The config you have now should not work for DNS-over-TLS. Remove the servers from "System" - "Settings" "General" and start over with the complete text for the unbound Custom Options as posted above (but choose your DNS servers wisely)...

You can do a packet capture on WAN port 853, there you can see if DNS-over-TLS is used. The log of unbound is hard to read...

DNSSEC is not provided by many DNS servers, but in theory you could use it in addition to DNS-over-TLS.
Title: Re: How to use DNS over TLS in 20.7.3
Post by: bringha on January 07, 2021, 02:48:07 pm
Hi there,

Thank you very much for this information. So far I can get this working now with all kind of DoT servers with ipv4 addresses.

But as soon as I put under [UnBound DNS]->[Misc] an ipv6 address and restart unbound, my log file gets flooded with

Code:
unbound[99672]: [99672:1] debug:    rtt=2494
unbound[99672]: [99672:1] debug: servselect ip4 1.0.0.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: selrtt 275
unbound[99672]: [99672:1] debug: sending to target: <.> 2606:4700:4700::1001#853
--> unbound[99672]: [99672:1] error: outgoing tcp: bind: Can't assign requested address
unbound[99672]: [99672:1] debug:    ip6 2606:4700:4700::1111 port 853 (len 28)
unbound[99672]: [99672:1] debug:    ip4 1.1.1.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
(see marked line -->)

Any idea how to get this working too?

Thanks a lot

BR br
Title: Re: How to use DNS over TLS in 20.7.3
Post by: chemlud on January 07, 2021, 02:51:16 pm
Do you have ipv6? Does your DNS server support it? Why would you want to use it, if ipv4 works perfectly fine?

"Doc, it hurts so much when I press her!" "Why do you press there?"
Title: Re: How to use DNS over TLS in 20.7.3
Post by: bringha on January 07, 2021, 03:21:22 pm
Hmmmm  8)

Yes, I have ipv6 (what sense would it make otherwise to ask for a DoT ipv6 server??). And yes we are in course to transition towards an ipv6 only set up. And yes according to the spec of Unbound,  DoT should also work over ipv6. The used ipv6 DNS server addresses are valid ones from the DoT providers.

If I would follow your logic, then we would much likely still use Telex for text messaging. OPNsense's great IPv6 capabilities are one of the main differentiators against many other firewalls around.

Br br
Title: Re: How to use DNS over TLS in 20.7.3
Post by: chemlud on January 07, 2021, 03:58:18 pm
...then good luck with this half-baked protocol ;-)

Maybe better to open a new thread though...
Title: Re: How to use DNS over TLS in 20.7.3
Post by: bringha on January 08, 2021, 09:45:53 am
... and this 'new' topic DoT with ipv6 is already there

https://forum.opnsense.org/index.php?topic=20670.0 (https://forum.opnsense.org/index.php?topic=20670.0)

However, the interest was unfortunately not too high  ;)

Br br
Title: Re: How to use DNS over TLS in 20.7.3
Post by: Layer8 on January 08, 2021, 04:23:21 pm
You can do a packet capture on WAN port 853, there you can see if DNS-over-TLS is used. The log of unbound is hard to read...

DNSSEC is not provided by many DNS servers, but in theory you could use it in addition to DNS-over-TLS.

Good idea!

I captured outgoing WAN-traffic and destination port 853 with normal log level. There is not much to read with normal log level, because of the TLS encryption. All you can see is:

Code:
1 0.000000 123.123.123.123 5.9.164.112 TLSv1.2 132 Application Data
2 0.017167 5.9.164.112 123.123.123.123 TLSv1.2 386 Application Data
3 0.017193 123.123.123.123 5.9.164.112 TCP 56 22792 → 853 [ACK] Seq=77 Ack=331 Win=507 Len=0 TSval=2814304945 TSecr=256810250
4 0.017292 123.123.123.123 5.9.164.112 TLSv1.2 138 Application Data
5 0.034172 5.9.164.112 123.123.123.123 TLSv1.2 349 Application Data
6 0.034188 123.123.123.123 5.9.164.112 TCP 56 22792 → 853 [ACK] Seq=159 Ack=624 Win=508 Len=0 TSval=2814304965 TSecr=256810267
7 0.034279 123.123.123.123 46.182.19.48 TLSv1.2 143 Application Data
8 0.057196 46.182.19.48 123.123.123.123 TLSv1.2 284 Application Data
9 0.057229 123.123.123.123 46.182.19.48 TCP 56 22086 → 853 [ACK] Seq=88 Ack=229 Win=508 Len=0 TSval=2911856615 TSecr=699134859

You can find a list of some servers for DNS over TLS in the German Wikipedia, which also includes servers from digitalcourage.de and digitale-gesellschaft.ch. Those should be trustworthy.

I removed all servers from [System] -> [Settings] -> [General] and disabled DNSSEC again.

I will also block port 53 from outgoing WAN traffic for standard DNS queries. This should prevent an unnoticed fallback. Here is the rule:

Block - int WAN - out - IPv4+v6 - TCP - src any - dest WAN net - destport DNS
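To turn the packet capture described above into a repeatable check, here is an added Python example (not from the post or from OPNsense) that reads tshark summary lines in the layout quoted above, records which servers the firewall reaches on 853 and flags any outbound plaintext DNS that the port 53 block rule is meant to stop; the capture text, including the 8.8.8.8 query at its end, is constructed.

```python
import re

# Constructed sample in the tshark summary layout quoted above
# ("No. Time Source Destination Protocol Length Info"); the last line is an
# added plaintext query that the port 53 block rule is meant to stop.
SAMPLE_CAPTURE = """\
1 0.000000 123.123.123.123 5.9.164.112 TLSv1.2 132 Application Data
2 0.017167 5.9.164.112 123.123.123.123 TLSv1.2 386 Application Data
3 0.017193 123.123.123.123 5.9.164.112 TCP 56 22792 → 853 [ACK] Seq=77 Ack=331 Win=507 Len=0
7 0.034279 123.123.123.123 46.182.19.48 TLSv1.2 143 Application Data
9 0.057229 123.123.123.123 46.182.19.48 TCP 56 22086 → 853 [ACK] Seq=88 Ack=229 Win=508 Len=0
10 0.100000 123.123.123.123 8.8.8.8 DNS 84 Standard query 0x1a2b A example.org
"""

# No., time, source, destination, protocol, length, then the free-form Info column.
FRAME_RE = re.compile(r'^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$')
# "sport → dport" as tshark prints it; '->' and the mis-encoded '%u2192' are accepted too.
PORTS_RE = re.compile(r'(\d+)\s*(?:→|->|%u2192)\s*(\d+)')

def classify_capture(text, firewall_ip):
    """Return (set of servers reached on 853, list of outbound plaintext DNS frames)."""
    dot_servers, leaks = set(), []
    for line in text.splitlines():
        match = FRAME_RE.match(line)
        if not match:
            continue
        _, _, src, dst, proto, _, info = match.groups()
        if src != firewall_ip:
            continue                     # replies are not evidence of a fallback
        ports = PORTS_RE.search(info)
        dport = int(ports.group(2)) if ports else None
        if proto == 'DNS' or dport == 53:
            leaks.append(f'{dst} {proto} {info.strip()}')
        elif proto.startswith('TLS') or dport == 853:
            dot_servers.add(dst)
    return dot_servers, leaks

if __name__ == '__main__':
    servers, leaks = classify_capture(SAMPLE_CAPTURE, '123.123.123.123')
    print('DoT servers seen on 853:', sorted(servers))
    print('plaintext DNS leaving WAN:', leaks or 'none')
```

Feed it the summary output of a capture on the WAN interface filtered to ports 53 and 853; the leaks list should stay empty once the block rule is in place.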
Title: Re: How to use DNS over TLS in 20.7.3
Post by: ChrisChros on January 11, 2021, 10:08:38 pm
Hi,
just for my understanding.
If I want to use DoT with unbound I have to insert under Custom Options in the General section the text posted above.
But what is the field DNS over TLS Servers in the Miscellaneous chapter good for? Or is this at the moment just a placeholder for a later update of Unbound?

Regards Chris
Title: Re: How to use DNS over TLS in 20.7.3
Post by: koushun on January 28, 2021, 11:33:33 pm
Check this site: https://www.cloudflare.com/en-gb/ssl/encrypted-sni/

I am just doing this with Unbound and I get a positive result on the "Secure DNS" check above;

Remove DNS Servers from System > Settings > General.

Add 1.1.1.1@853 1.0.0.1@853 under Services > Unbound DNS > Miscellaneous

Voilà.

Title: Re: How to use DNS over TLS in 20.7.3
Post by: guest28717 on April 18, 2021, 11:27:28 am
Can I confirm there is currently no way (OPNsense 21.1.4) to specify the hostname for DoT DNS servers with the web gui (Services > Unbound DNS > Miscellaneous > DNS over TLS Servers)?

At the moment I have specified the DoT servers under  Services > Unbound DNS > Custom Options (e.g. 1.1.1.1@853#cloudflare-dns.com).

What is the point of using DoH if you can't specify the hostname to verify the certificate of the DoH server? If your ISP was intercepting DoH traffic for 1.1.1.1 etc, you would have no way to know this.

See this post for full config to do it the manual way: https://forum.opnsense.org/index.php?topic=19345.msg89172#msg89172
Title: Re: How to use DNS over TLS in 20.7.3
Post by: Maurice on April 19, 2021, 08:54:41 pm
Can I confirm there is currently no way (OPNsense 21.1.4) to specify the hostname for DoT DNS servers with the web gui (Services > Unbound DNS > Miscellaneous > DNS over TLS Servers)?

Yes, still not supported.

At the moment I have specified the DoT servers under  Services > Unbound DNS > Custom Options (e.g. 1.1.1.1@853#cloudflare-dns.com).

Correct, but Unbound custom options will be removed in 21.7.

Also see: https://github.com/opnsense/core/pull/4858
Title: Re: How to use DNS over TLS in 20.7.3
Post by: mimugmail on April 19, 2021, 09:53:58 pm

Correct, but Unbound custom options will be removed in 21.7.

Also see: https://github.com/opnsense/core/pull/4858

Source please :)
Title: Re: How to use DNS over TLS in 20.7.3
Post by: Maurice on April 19, 2021, 10:14:19 pm
You mean a source for "custom options will be removed"? Official roadmap: https://opnsense.org/about/road-map/

(It's in the 'planned' stage, so "will probably be removed" would indeed be more accurate.)

<edit>
Hm, the roadmap says "advanced" configuration removal, not "custom". Franco often mentioned that the custom options will eventually be removed (and so does the help text), so I thought that would be it. But now I'm not sure anymore. There is an Unbound "Advanced" configuration page, but why would you remove that? Clarification welcome.
</edit>

<edit2>
"Advanced configuration" and "Custom options" get mixed up on GitHub, too: https://github.com/opnsense/core/issues/4327
So yes, I'm pretty sure the roadmap item is actually about the custom options now getting finally removed.
</edit2>