OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: NeoDragon on September 06, 2021, 09:22:39 pm

Title: Unbound DoT not working
Post by: NeoDragon on September 06, 2021, 09:22:39 pm
Hi all,

I'm fairly new to opnsense and have been pretty pleased so far.
However, I can't get unbound DoT working alongside Adguard for some unknown reason.
Test at https://tenta.com/test shows that I'm indeed using Quad9 upstream with DNSSEC but without TLS, even though it is configured under Services>Unbound DNS>DNS over TLS.

Can anybody help?

For reference, I've used this particular topic on these forums to set up adguard + unbound:
https://forum.opnsense.org/index.php?topic=22162.0
Title: Re: Unbound DoT not working
Post by: Fright on September 07, 2021, 07:30:23 pm
Hi,
I don't think any leak test site can tell anything about the connection between your opnsense and the forwarder.
It can only say something about the connection between the server making the request to the authoritative server and the authoritative server.
Title: Re: Unbound DoT not working
Post by: NeoDragon on September 09, 2021, 12:04:38 am
Shouldn't the site be able to test/tell me if the requests are sent with TLS or not? It does with DNSSEC.
Title: Re: Unbound DoT not working
Post by: Fright on September 09, 2021, 01:50:22 pm
Yes, but not from the first (forwarding) server to the upstream, only from the last (resolving) server to the authoritative one.
The page code on the tenta.com site tells the browser to make some XHR requests to resources with different names. At the time of name resolution, it is logged from which servers the request for this name came and which extensions were used (DNSSEC etc.).
But the request does not come from your server, it comes from the Quad9 servers (or servers used by Quad9 for further forwarding; IMHO Google and Quad9 use DNSSEC by default and don't use DoT for resolving).
So tenta.com doesn't know anything about the opnsense<->quad9 connection.
Title: Re: Unbound DoT not working
Post by: NeoDragon on September 10, 2021, 11:18:56 pm
Thanks for the explanation!

Is there any way to confirm DoT is working from unbound to quad9 then?
Title: Re: Unbound DoT not working
Post by: opnfwb on September 11, 2021, 05:55:36 am
You can check that the firewall is pushing DNS queries to Quad9 on port 853.

First, make sure that your settings are correct as per the screenshot below. Then you can go to the firewall states page and search for '853' and you should see many outbound connections to Quad9's IPs on port 853. They should all be TCP connections, not UDP.

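One way to automate the state-table check opnfwb describes, as an added example that is not from this thread or from OPNsense: it parses constructed `pfctl -ss`-style lines (the exact line shape is assumed and only IPv4 is handled) and reports whether the states towards Quad9 are tcp/853, as DoT should look, or plaintext port 53.

```python
import re

# Quad9's public anycast resolver addresses, the upstream discussed in the thread.
QUAD9 = {"9.9.9.9", "149.112.112.112"}

# Assumed shape of a `pfctl -ss` line (IPv4 only), the "(addr:port)" NAT mapping optional, e.g.
#   all tcp 10.0.0.1:5000 (192.168.1.2:5000) -> 9.9.9.9:853   ESTABLISHED:ESTABLISHED
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+\S+\s+(?:\(\S+\)\s+)?->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+\S+"
)

def parse_state(line):
    """Return (proto, dst, dport) for one state line, or None if it does not parse."""
    m = STATE_RE.match(line.strip())
    return (m["proto"], m["dst"], int(m["dport"])) if m else None

def audit_dns_states(lines, upstreams=QUAD9):
    """Classify states towards the forwarders: tcp/853 is what DoT looks like
    from the firewall's side; anything on port 53 is plaintext DNS."""
    summary = {"dot": 0, "plaintext": 0, "unparsed": 0, "leaks": []}
    for line in lines:
        st = parse_state(line)
        if st is None:
            summary["unparsed"] += bool(line.strip())  # count non-empty junk only
            continue
        proto, dst, dport = st
        if dst not in upstreams:
            continue  # unrelated state (web traffic, other destinations)
        if proto == "tcp" and dport == 853:
            summary["dot"] += 1
        elif dport == 53:
            summary["plaintext"] += 1
            summary["leaks"].append(f"{proto}/{dst}:{dport}")
    return summary

def dot_verdict(summary):
    if summary["plaintext"]:
        return "plaintext"  # port-53 states to the forwarder: DoT is not in effect
    if summary["dot"]:
        return "dot"        # only tcp/853 states: consistent with DoT
    return "unknown"        # nothing towards the forwarder seen; check the upstream list

# Constructed sample state table, not captured from a real firewall.
SAMPLE_OK = [
    "all tcp 203.0.113.10:51234 -> 9.9.9.9:853       ESTABLISHED:ESTABLISHED",
    "all tcp 203.0.113.10:51240 -> 149.112.112.112:853       ESTABLISHED:ESTABLISHED",
    "all tcp 203.0.113.10:44100 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED",
]
SAMPLE_LEAK = SAMPLE_OK + ["all udp 192.168.1.50:60211 (203.0.113.10:60211) -> 9.9.9.9:53   MULTIPLE:MULTIPLE"]
```

On the firewall itself the same functions can be fed the real output of `pfctl -ss` instead of the constructed lines.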
Title: Re: Unbound DoT not working
Post by: Fright on September 11, 2021, 07:08:32 am
@NeoDragon
Also, you can do an INTERFACES: DIAGNOSTICS: PACKET CAPTURE to make sure the traffic is encrypted.

Or you can simply raise the log level to 4 (SERVICES: UNBOUND DNS: ADVANCED), then the unbound log will contain records about the upstream connection and upstream authentication. But unbound has problems with quad9 cert logging (https://github.com/NLnetLabs/unbound/issues/527), so I would not recommend leaving verb 4 after debugging.