OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: ryp43 on August 06, 2021, 06:34:25 pm

Title: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: ryp43 on August 06, 2021, 06:34:25 pm
Would like to know what shall be entered under the setting under Unbound: "Verfiy if CN in certficate matches" for Cloudflare DNS?

Also, the setting is terribly misspelled.
Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: ryp43 on August 06, 2021, 07:04:03 pm
Figured it out - it's the CNAME of a DNS server. For Cloudflare, it's 'one.one.one.one'.
Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: franco on August 06, 2021, 09:42:58 pm
Not entirely the CNAME in the DNS sense, but rather the hostname to verify in the SSL certificate.

https://github.com/opnsense/core/commit/d824e7163b0 ;)


Cheers,
Franco
Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: ryp43 on August 06, 2021, 09:56:07 pm
Sorry for calling it "terrible", but you missed the "certificate" misspelling.
Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: franco on August 06, 2021, 10:01:21 pm
No problem at all. Missed this one. Thanks again!

https://github.com/opnsense/core/commit/25b98610


Cheers,
Franco
Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: mnaim on August 13, 2021, 02:35:24 pm
Based on this https://developers.cloudflare.com/1.1.1.1/dns-over-tls
cloudflare-dns.com is the correct CN in the certificate.
Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: hushcoden on August 14, 2021, 09:49:19 pm
1.1.1.1 / 1.0.0.1  <--> cloudflare-dns.com

Block malware:
1.1.1.2 / 1.0.0.2  <--> security.cloudflare-dns.com

EDIT:
Block malware and adult content:
1.1.1.3 / 1.0.0.3  <--> family.cloudflare-dns.com
Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: adk20 on November 27, 2021, 10:48:49 pm
This setting prevents unbound from starting on my box:

1.1.1.3 / 1.0.0.3  <--> security.cloudflare-dns.com

Any idea what other CN I could try?

Thanks a heap!

EDIT
family.cloudflare-dns.com seems to work. However, unbound failed to start automatically but required a manual restart after adding the DoT CN.
/EDIT

Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: hushcoden on November 28, 2021, 11:54:38 am
Thanks adk20, I've amended my post 8)
Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: GiantJack on December 12, 2021, 09:37:31 pm
Hi!
May I ask how to check if the provided "verify CN" works fine?
I tried to figure out what to use with quad9... I found it may be dns.quad9.net... can I confirm this with OPNsense logs or something?
Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: Gary7 on December 13, 2021, 06:17:09 am
I took a look at the cloudflare.com SSL certificates.
Here is the list of addresses, Common Names, and Subject Alternative Names (SAN):

Cloudflare SSL certificates

Addresses: 1.1.1.1 & 1.0.0.1
Common name: cloudflare-dns.com
SAN: DNS Name=cloudflare-dns.com
     DNS Name=*.cloudflare-dns.com
     DNS Name=one.one.one.one
     IP Address=1.1.1.1
     IP Address=1.0.0.1
     IP Address=162.159.36.1
     IP Address=162.159.46.1
     IP Address=2606:4700:4700:0000:0000:0000:0000:1111
     IP Address=2606:4700:4700:0000:0000:0000:0000:1001
     IP Address=2606:4700:4700:0000:0000:0000:0000:0064
     IP Address=2606:4700:4700:0000:0000:0000:0000:6400

Addresses: 1.1.1.2 & 1.0.0.2
Common name: security.cloudflare-dns.com
SAN: IP Address=2606:4700:4700:0000:0000:0000:0000:1112
     IP Address=2606:4700:4700:0000:0000:0000:0000:1002
     DNS Name=security.cloudflare-dns.com
     DNS Name=*.security.cloudflare-dns.com
     IP Address=1.1.1.2
     IP Address=1.0.0.2

Addresses: 1.1.1.3 & 1.0.0.3
Common name: family.cloudflare-dns.com
SAN: IP Address=2606:4700:4700:0000:0000:0000:0000:1113
     IP Address=2606:4700:4700:0000:0000:0000:0000:1003
     DNS Name=family.cloudflare-dns.com
     DNS Name=*.family.cloudflare-dns.com
     IP Address=1.1.1.3
     IP Address=1.0.0.3
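Added example (not OPNsense or Unbound code, and not posted by anyone in this thread): an offline check of what Franco's reply describes, namely that the "Verify CN" field is the hostname Unbound hands to OpenSSL as the TLS auth name, which OpenSSL then compares against the server certificate's Subject Alternative Names. The SAN lists are transcribed from Gary7's post above; the matching rules are a simplified version of OpenSSL's X509_check_host() (RFC 6125 style: a wildcard only as the whole leftmost label, SANs only, IP literals matched against iPAddress entries). It shows that security.cloudflare-dns.com is not covered by the 1.1.1.3 / 1.0.0.3 certificate while family.cloudflare-dns.com is, which lines up with adk20's experience. The forward-addr rendering uses Unbound's IP@port#authname syntax; that OPNsense emits exactly that form for this field is an assumption of the example.

```python
"""Offline check of the hostname Unbound verifies for DNS over TLS.

Added example, not OPNsense or Unbound code. The SAN lists are transcribed
from the certificate details posted in this thread; the matching rules are a
simplified version of the checks OpenSSL performs in X509_check_host(), which
Unbound relies on for tls-auth-name (RFC 6125 section 6.4.3 wildcard rules,
SAN entries only; the CN fallback OpenSSL applies to certificates without
any dNSName SAN is left out).
"""
import ipaddress

# Constructed from Gary7's post: the three certificates, keyed by the
# resolver addresses that present them. Only SAN entries are listed.
CERT_1111 = {
    "dns": ["cloudflare-dns.com", "*.cloudflare-dns.com", "one.one.one.one"],
    "ip": ["1.1.1.1", "1.0.0.1", "162.159.36.1", "162.159.46.1",
           "2606:4700:4700:0000:0000:0000:0000:1111",
           "2606:4700:4700:0000:0000:0000:0000:1001",
           "2606:4700:4700:0000:0000:0000:0000:0064",
           "2606:4700:4700:0000:0000:0000:0000:6400"],
}
CERT_1112 = {
    "dns": ["security.cloudflare-dns.com", "*.security.cloudflare-dns.com"],
    "ip": ["1.1.1.2", "1.0.0.2",
           "2606:4700:4700:0000:0000:0000:0000:1112",
           "2606:4700:4700:0000:0000:0000:0000:1002"],
}
CERT_1113 = {
    "dns": ["family.cloudflare-dns.com", "*.family.cloudflare-dns.com"],
    "ip": ["1.1.1.3", "1.0.0.3",
           "2606:4700:4700:0000:0000:0000:0000:1113",
           "2606:4700:4700:0000:0000:0000:0000:1003"],
}
CLOUDFLARE_CERTS = {
    "1.1.1.1": CERT_1111, "1.0.0.1": CERT_1111,
    "1.1.1.2": CERT_1112, "1.0.0.2": CERT_1112,
    "1.1.1.3": CERT_1113, "1.0.0.3": CERT_1113,
}


def _normalize(name):
    # DNS names compare case-insensitively and a trailing dot is equivalent.
    return name.strip().lower().rstrip(".")


def dns_id_matches(pattern, host):
    """Match one dNSName SAN (possibly wildcarded) against the auth name."""
    pattern, host = _normalize(pattern), _normalize(host)
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    # The wildcard must be the whole leftmost label and leave at least two
    # labels behind it, so "*.com" or "sec*.cloudflare-dns.com" never match.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    h_labels = host.split(".")
    # "*" stands for exactly one non-empty label: "*.cloudflare-dns.com"
    # covers security.cloudflare-dns.com, but not cloudflare-dns.com itself
    # and not a.b.cloudflare-dns.com.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def auth_name_matches(auth_name, sans):
    """True if the configured auth name is covered by the certificate's SANs."""
    try:
        wanted = ipaddress.ip_address(auth_name.strip())
    except ValueError:
        wanted = None
    if wanted is not None:
        # An IP literal is compared only against iPAddress SANs; parsing both
        # sides means the zero-padded IPv6 form from the certificate dump
        # still equals 2606:4700:4700::1111.
        return any(ipaddress.ip_address(s) == wanted for s in sans.get("ip", []))
    return any(dns_id_matches(p, auth_name) for p in sans.get("dns", []))


def check_dot_servers(auth_name, servers, certs=CLOUDFLARE_CERTS):
    """For each upstream IP, would this auth name verify against its cert?"""
    return {ip: auth_name_matches(auth_name, certs[ip]) for ip in servers}


def forward_addr_line(ip, auth_name, port=853):
    """Render Unbound's forward-addr entry for one DoT upstream.

    Unbound accepts IP@port#authname here; that OPNsense writes exactly this
    form for the "Verify CN" field is an assumption of this example.
    """
    return f"forward-addr: {ip}@{port}#{auth_name}"


if __name__ == "__main__":
    # adk20's two attempts against the 1.1.1.3 / 1.0.0.3 resolvers.
    for name in ("security.cloudflare-dns.com", "family.cloudflare-dns.com"):
        result = check_dot_servers(name, ["1.1.1.3", "1.0.0.3"])
        for ip, ok in result.items():
            print(forward_addr_line(ip, name), "OK" if ok else "MISMATCH")
```

For GiantJack's question about confirming a name against the live server rather than a transcribed SAN list, the same check can be run by hand from the OPNsense shell with `openssl s_client -connect 1.1.1.1:853 -verify_hostname cloudflare-dns.com -verify_return_error </dev/null` and looking for "Verify return code: 0 (ok)"; point `-CAfile` at the bundle Unbound uses, since name matching alone says nothing about whether the chain is trusted.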

Title: Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
Post by: ryp43 on December 13, 2021, 07:47:59 am
Thanks, I wasn't aware of these 4:

IP Address=162.159.36.1
IP Address=162.159.46.1
IP Address=2606:4700:4700:0000:0000:0000:0000:0064
IP Address=2606:4700:4700:0000:0000:0000:0000:6400

https://ssl-tools.net/webservers/cloudflare-dns.com