OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: OnTheGrind on September 01, 2021, 06:18:23 pm

Title: Unbound with DNS-Over-TLS (SOLVED)
Post by: OnTheGrind on September 01, 2021, 06:18:23 pm
Hello,

I've been trying to follow the directions and tutorials written to set this up (including searching this forum). However, the directions always get to the part where you enter information in the "Custom Field". This option no longer exists in V 21.7, so I am unsure how to proceed past this.

If it's possible for anyone to check my current setup via attached pics to make sure it's correct up to this point, then clarify the steps right where the custom box happens, I would greatly appreciate it. I'd like to get DNS-over-TLS working with cloudflare/1.1.1.1 as a practical matter and learning experience.

I'm trying to, and prefer to, use 1.1.1.2 and 1.0.0.2 since my wife uses Windows work laptops at home and this is supposed to help block malware. However, I am not sure if this block supports DNS over TLS like 1.1.1.1 and 1.0.0.1.

Thanks for reading at least.

Here is hardware probe (if needed for whatever reason): https://bsd-hardware.info/?probe=2e846a7ec4

Question with this: Is no communication controller driver a serious issue? Obviously it's working despite that. Thanks.

Attached screenshots of current General DNS and Services Unbound pages that are relevant via IMGBB.com due to the image size and count limits on the board.

System -> Settings -> General -> https://ibb.co/6WwfLch

Services -> DHCPv4 -> LAN -> https://ibb.co/d6mJW5H
Services -> DHCPv4 -> LAN -> https://ibb.co/VMXnz7J

Services -> Unbound -> General -> https://ibb.co/DRbHSR8
Services -> Unbound -> Advanced -> https://ibb.co/WNhQ63P
Services -> Unbound -> Advanced -> https://ibb.co/pyMYqMS
Services -> Unbound -> DNS-Over-TLS -> https://ibb.co/GCQWmRZ

Album -> https://ibb.co/album/21b330
Thank you.
Title: Re: Unbound with DNS-Over-TLS
Post by: muchacha_grande on September 01, 2021, 08:30:23 pm
Hi OnTheGrind,

I followed the instructions from here and it worked fine https://homenetworkguy.com/how-to/configure-dns-over-tls-unbound-opnsense/

Let me know if it works for you.

Bye...
Title: Re: Unbound with DNS-Over-TLS
Post by: hushcoden on September 01, 2021, 09:05:23 pm
@OnTheGrind
It looks good to me (I've also attached my 'Advanced' and 'DoT' config).

@muchacha_grande
That's a previous OPNsense release and the Unbound settings have now slightly changed.
Title: Re: Unbound with DNS-Over-TLS
Post by: muchacha_grande on September 01, 2021, 10:09:14 pm
You are right @hushcoden, I forgot to mention that now DoT servers are set separately from each other.
Title: Re: Unbound with DNS-Over-TLS
Post by: cookiemonster on September 01, 2021, 10:26:42 pm
I'm using Unbound with DNSoverTLS in a different way, but it works without problem.
It is a more convoluted way. I'm using a pi-hole in front of the clients but can work without it.
Apart from that the main difference is that I use mimugmail's repo to make Unbound's additional "custom options" AND dyndns for Stubby. Stubby is the part of it that allows a lot of DoT options that are not in OPN UI.

If all you are missing are the "custom field" options then all you need is mimugmail's repo and that field brings it back.
Title: Re: Unbound with DNS-Over-TLS
Post by: OnTheGrind on September 01, 2021, 10:51:06 pm
    Hi OnTheGrind,

    I followed the instructions from here and it worked fine https://homenetworkguy.com/how-to/configure-dns-over-tls-unbound-opnsense/

    Let me know if it works for you.

    Bye...


I followed that website, double checked the router settings, computer, and browser (addons, privacy, etc). I believe it's working now according to Cloudflare. Their website now says "YES" for DNS-over-TLS via https://cloudflare-dns.com/help/ . Pic attached.

I think my computer's DNS was overriding Unbound, since when you make a request in your browser, the first DNS value checked is the computer's.

Thank you for the reply. Thank you for the help. You forced me to go over everything again with fresh eyes and lack of frustration.

    @OnTheGrind
    It looks good to me (I've also attached my 'Advanced' and 'DoT' config).

    @muchacha_grande
    That's a previous OPNsense release and the Unbound settings have now slightly changed.

Filled in or removed anything not matching, including adding Quad9 and switching to 1.0.0.2 and 1.1.1.2. It seems to be working now via attached pic. But now my OCD is like, how do I enable DoH?

Thanks for the reply.

    I'm using Unbound with DNSoverTLS in a different way, but it works without problem.
    It is a more convoluted way. I'm using a pi-hole in front of the clients but can work without it.
    Apart from that the main difference is that I use mimugmail's repo to make Unbound's additional "custom options" AND dyndns for Stubby. Stubby is the part of it that allows a lot of DoT options that are not in OPN UI.

    If all you are missing are the "custom field" options then all you need is mimugmail's repo and that field brings it back.

I'm looking at Stubby right now. Interesting. I was finally able to get it to work. Thanks for the reply.

https://ibb.co/ggQKnrn

Title: Re: Unbound with DNS-Over-TLS (SOLVED)
Post by: cookiemonster on September 01, 2021, 11:07:33 pm
Good, I'm glad you made it work.
Here it is in case you want to have a look https://forum.opnsense.org/index.php?topic=23236.0 but it looks like you don't need it if your current setup is sufficient.

You are correct in that a user can still bypass Unbound's DoT without firewall rules. That's the next part if you need it/want it.
Title: Re: Unbound with DNS-Over-TLS
Post by: comet on November 04, 2021, 09:54:05 pm
    I followed the instructions from here and it worked fine https://homenetworkguy.com/how-to/configure-dns-over-tls-unbound-opnsense/

As others have mentioned, those instructions appear to be for a slightly older version. Now under Unbound DNS in the left hand menu there is a sub-page for DNS over TLS, which appears to make it easy to add this feature. However if you go there and click + to add a server, it asks for the Server IP and Server Port, both of which are pretty self-explanatory, but there is also a field that says "Verify CN" (the help text says, "Verify if CN in certificate matches this value"). There is nothing that indicates whether this is an optional value, and no explanation of how you would find a CN for any particular DNS over TLS server. Does anyone know how to fill this in correctly? Can you just ignore it, and is it safe to do that?
Title: Re: Unbound with DNS-Over-TLS (SOLVED)
Post by: KHE on November 04, 2021, 11:28:40 pm
Hi,

If I remember correctly, if you leave it empty, no check is done.
If you fill it in, then you must use the Common Name (CN) of the DoT resolver, so its DNS name ;-)
E.g.:
1.1.1.1 CN: cloudflare-dns.com or 1dot1dot1dot1.cloudflare-dns.com or one.one.one.one
9.9.9.9 CN: dns.quad9.net
2620:fe::fe CN: dns.quad9.net
8.8.8.8 CN: dns.google
89.233.43.71 CN: unicast.censurfridns.dk
...

Depending on the certificate, more than one name might resolve to one IP and work. See the cloudflare one.

KH
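As an added illustration (not from this thread, and not OPNsense's or Unbound's own code) of what the three UI fields become in Unbound's configuration and how the Verify CN value behaves: it assumes OPNsense renders each DoT server as an Unbound `forward-addr: IP@PORT#NAME` line under `forward-tls-upstream: yes`, and the certificate name list plus the wildcard matching below are a constructed, simplified model of the hostname check OpenSSL performs inside Unbound.

```python
import ipaddress
from typing import List, Tuple

DOT_PORT = 853  # DNS-over-TLS port; what goes in the "Server Port" field

def forward_addr_line(ip: str, port: int = DOT_PORT, verify_cn: str = "") -> str:
    """Render one Unbound 'forward-addr' entry from the UI fields.
    An empty Verify CN appends no '#name', so Unbound encrypts the session
    but does not check whose certificate it received."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    line = f"forward-addr: {ip}@{port}"
    name = verify_cn.strip()
    return f"{line}#{name}" if name else line

def render_forward_zone(servers: List[Tuple[str, int, str]]) -> str:
    """Build the forward-zone block OPNsense is assumed to generate.
    The cert bundle path is the FreeBSD default (assumption)."""
    lines = ["server:", '  tls-cert-bundle: "/etc/ssl/cert.pem"',
             "forward-zone:", '  name: "."', "  forward-tls-upstream: yes"]
    lines += ["  " + forward_addr_line(ip, port, cn) for ip, port, cn in servers]
    return "\n".join(lines) + "\n"

def _name_matches(cert_name: str, wanted: str) -> bool:
    """Exact match, or a single leftmost-label wildcard ('*.example')."""
    cert_name, wanted = cert_name.lower().rstrip("."), wanted.lower().rstrip(".")
    if cert_name.startswith("*."):
        labels = wanted.split(".", 1)
        return len(labels) == 2 and labels[1] == cert_name[2:]
    return cert_name == wanted

def cn_check_passes(verify_cn: str, cert_names: List[str]) -> bool:
    """Model of the Verify CN field: empty -> no check at all (passes);
    otherwise the configured name must be one the certificate carries."""
    wanted = verify_cn.strip()
    if not wanted:
        return True
    return any(_name_matches(n, wanted) for n in cert_names)

# Constructed sample certificate names (not a real dump of the 1.1.1.1 cert),
# built from the names KHE lists for Cloudflare.
CLOUDFLARE_CERT_NAMES = ["cloudflare-dns.com", "*.cloudflare-dns.com",
                         "one.one.one.one"]

if __name__ == "__main__":
    print(render_forward_zone([("1.1.1.1", DOT_PORT, "cloudflare-dns.com"),
                               ("2620:fe::fe", DOT_PORT, "dns.quad9.net")]))
    for cn in ("", "one.one.one.one", "1dot1dot1dot1.cloudflare-dns.com",
               "dns.quad9.net"):
        print(f"Verify CN {cn!r}: {cn_check_passes(cn, CLOUDFLARE_CERT_NAMES)}")
```

The empty-CN case passing unconditionally is the point of KHE's first sentence: without a name, a TLS session to the wrong server would still be accepted.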
Title: Re: Unbound with DNS-Over-TLS (SOLVED)
Post by: comet on November 05, 2021, 12:47:14 am
Thank you, I very much appreciate this clear and simple explanation!
Title: Re: Unbound with DNS-Over-TLS (SOLVED)
Post by: adk20 on November 27, 2021, 10:13:14 pm
Dear Opnsense community,

I am facing the same issue -- DoT does not work for me. I've configured unbound exactly as in reply #2 but I can see in the logs that unbound is still connecting to port 53. DNSSEC does work, though.

Should I remove the DNS server entries under Systems > Settings > General?

Any guidance is much appreciated.
Title: Re: Unbound with DNS-Over-TLS (SOLVED)
Post by: hushcoden on November 27, 2021, 10:22:40 pm
    Should I remove the DNS server entries under Systems > Settings > General?

Yes, see my post with screenshots above.
Title: Re: Unbound with DNS-Over-TLS (SOLVED)
Post by: adk20 on November 27, 2021, 10:26:01 pm
Please ignore my previous post -- removing the DNS entries under System did the trick.

This is something that might be worth documenting somewhere or adding it to the Unbound tool tips -- just my tuppence.