OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: directnupe on May 23, 2018, 05:15:17 pm

Title: ** BONUS** DNS OVER TLS: UPDATE Opnsense Ports for getdns-1.4.2**
Post by: directnupe on May 23, 2018, 05:15:17 pm
Why I am so damn serious about DNS Privacy ( just watch these when you have time - all at once or in intervals - very educational ):
https://dnsprivacy.org/wiki/display/DP/IETF+DNS+Privacy+Tutorial
https://www.youtube.com/watch?v=JnxE5RPnyiE
https://www.youtube.com/watch?v=2JeYIecfwdc


For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OpenDNSSEC and now GETDNS ( and STUBBY ); see here: https://www.nlnetlabs.nl/ and https://www.nlnetlabs.nl/projects/getdns/

This tutorial assumes that you have already installed getdns-1.4.1 through Opnsense Ports. If you have not, then you are in the wrong place and this is not for you. If you are installing DNS OVER TLS using GETDNS and STUBBY for the first time, then getdns-1.4.2 will be installed, as it is the current version in the Opnsense Ports collection. However, in either case you can read on if you would like to learn a little about the " OPNsense release engineering toolkit ". I would recommend you do.

For those who may wish to see the benefits of GETDNS and STUBBY plus FIRST TIME install and configuration tutorial  - see original posts here:
https://forum.opnsense.org/index.php?topic=8611.0 to install from Opnsense Ports or go to https://forum.opnsense.org/index.php?topic=8759.0 for stand alone package - getdns-1.4.2 release will be installed in both instances


So if you have been paying attention, getdns-1.4.2 release is out as of 05-11-2018. As I like staying up to date, I was confronted with the task of installing and updating GETDNS and Stubby on my Opnsense Firewall. As of Mon May 21 2018 getdns-1.4.2 is available through FreeBSD Ports - it was updated by Zi aka Ryan Steinmetz - the port maintainer and developer. I had to figure this out and I did, and I will share that with you now.
So, Opnsense never stops amazing me with how convenient and easy it is to use with FreeBSD Ports. Obviously, I had to update my ports collection in order to install ( upgrade ) to getdns-1.4.2. See changelog here: https://getdnsapi.net/releases/getdns-1-4-2/
The method to upgrade ports and more is a neat, nifty and clever little utility which Opnsense offers, aptly entitled " OPNsense release engineering toolkit ".
The page and instructions are here: https://github.com/opnsense/tools . By using this wonderful manager you can do a hell of a lot. Much of which is beyond me to be frank. However, I did find that it will easily update my ( and your ) Opnsense Ports collection - which is totally synced with FreeBSD Ports. So here we go once again.


1 - It is necessary to reconfigure Unbound to stop using Stubby for DNS resolution. Go to System > Settings > General and check
     option A - Allow DNS server list to be overridden by DHCP/PPP on WAN ( click Save ). Then go to Services > Unbound DNS > General and remove the contents of the Custom Options box:
server:
do-not-query-localhost: no
forward-zone:
 name: "."    # Allow all DNS queries
 forward-addr: 127.0.0.1@8053

Save and apply

2 - I then removed my getdns-1.4.1 port from Opnsense.
A - Issue command # cd /usr/ports/dns/getdns/ to go into the appropriate port directory.
B - Then issue command # make deinstall clean
Now let the getdns-1.4.1 port finish its process of being removed from your system. You will be prompted to remove files if they are no longer needed.
C - Remove the following files by issuing these commands:
   # rm /usr/local/etc/rc.d/stubby.sh
   # rm /usr/local/etc/stubby/stubby.yml
   # rm /etc/rc.conf.d/stubby

3 - Then apply all available updates and upgrades and make sure that your Opnsense box is fully up to date. This is always a recommended and safe way to go.

4 - You are now ready to install the " OPNsense release engineering toolkit " and update your Opnsense Ports collection in order to install getdns-1.4.2.
     See here: https://github.com/opnsense/tools - the process is pretty straightforward.
A - issue command # pkg install git - ( this should already be installed and configured if you followed original post )
B - issue command # cd /usr
C - issue command # git clone https://github.com/opnsense/tools
D - issue command # cd tools
E - issue command # make update - ( this is where the magic happens, as this command will update and upgrade outdated ports in your ports collection ). Simply answer " yes " or continue if any prompts ask you for input. As I said earlier, this toolkit is capable of many other operations. However, those are beyond the scope of this tutorial.

5 - Now you are ready to install getdns-1.4.2 port. All you need to do is refer to the original post here once again: https://forum.opnsense.org/index.php?topic=8611.0 - begin with Step 5 and follow each step from there and you will be up and running with getdns-1.4.2.
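Added example, not from directnupe's post and not part of OPNsense, getdns or the release engineering toolkit: a small POSIX sh script with the state checks I would run between the steps above, so that the old getdns is not deinstalled while Unbound still forwards every query to Stubby (which leaves the box without working name resolution) and so that after step 5 the new version is really installed, listening and in use. The three Stubby file paths and port 8053 are the ones the post names; UNBOUND_CONF defaulting to /var/unbound/unbound.conf is an assumption, adjust it to wherever your OPNsense writes Unbound's generated config. `pkg query`, `pkg info -e` and `sockstat` are the stock FreeBSD tools.

```shell
#!/bin/sh
# Added example, not part of the original post or of the OPNsense/getdns projects:
# state checks around the getdns/Stubby upgrade. The three STUBBY_LEFTOVERS paths are
# the ones step 2C removes; UNBOUND_CONF is an assumption, adjust it to wherever your
# OPNsense writes Unbound's generated config.
STUBBY_PORT="${STUBBY_PORT:-8053}"
UNBOUND_CONF="${UNBOUND_CONF:-/var/unbound/unbound.conf}"
WANT_GETDNS="${WANT_GETDNS:-1.4.2}"
ROOT="${ROOT:-}"   # filesystem prefix: empty on the firewall, a scratch dir when testing
STUBBY_LEFTOVERS="/usr/local/etc/rc.d/stubby.sh /usr/local/etc/stubby/stubby.yml /etc/rc.conf.d/stubby"

# Returns 0 when the Unbound config in $1 still forwards queries to 127.0.0.1@STUBBY_PORT.
# This must be 1 before `make deinstall`: otherwise Unbound keeps handing every query to
# a Stubby that is no longer there and name resolution on the box stops.
unbound_forwards_to_stubby() {
    [ -r "$1" ] || return 1
    grep -Eq "^[[:space:]]*forward-addr:[[:space:]]*127\.0\.0\.1@${STUBBY_PORT}([[:space:]]|$)" "$1"
}

# Prints how many of the step 2C files still exist under $ROOT.
count_stubby_leftovers() {
    n=0
    for f in $STUBBY_LEFTOVERS; do
        [ -e "${ROOT}${f}" ] && n=$((n + 1))
    done
    echo "$n"
}

# Returns 0 when dotted version $1 is >= $2. A FreeBSD port revision or epoch
# suffix (1.4.2_1, 1.4.2,1) is stripped before the numeric compare.
version_ge() {
    a=${1%%_*}; a=${a%%,*}
    b=${2%%_*}; b=${b%%,*}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# pre: run after step 1, before `make deinstall`.
check_pre() {
    if unbound_forwards_to_stubby "$UNBOUND_CONF"; then
        echo "FAIL: $UNBOUND_CONF still forwards to 127.0.0.1@$STUBBY_PORT, redo step 1"; return 1
    fi
    echo "ok: Unbound is not forwarding to Stubby"
}

# clean: run after step 2C, before `make update` and the reinstall.
check_clean() {
    rc=0
    left=$(count_stubby_leftovers)
    [ "$left" -eq 0 ] || { echo "FAIL: $left Stubby file(s) from step 2C still present"; rc=1; }
    pkg info -e getdns 2>/dev/null && { echo "FAIL: getdns package still installed"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: old getdns/Stubby fully removed"
    return "$rc"
}

# post: run after step 5, once getdns-1.4.2 is in, Stubby runs and the forward-zone is back.
check_post() {
    rc=0
    have=$(pkg query '%v' getdns 2>/dev/null || true)
    version_ge "${have:-0}" "$WANT_GETDNS" || { echo "FAIL: getdns '${have:-none}' < $WANT_GETDNS"; rc=1; }
    sockstat -4 -l 2>/dev/null | grep -Eq "stubby.*[:.]${STUBBY_PORT}[[:space:]]" \
        || { echo "FAIL: nothing listening on 127.0.0.1:$STUBBY_PORT"; rc=1; }
    unbound_forwards_to_stubby "$UNBOUND_CONF" \
        || { echo "FAIL: forward-zone to 127.0.0.1@$STUBBY_PORT missing from $UNBOUND_CONF"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: getdns $have installed, Stubby listening, Unbound forwarding to it"
    return "$rc"
}

case "${1:-}" in
    pre)   check_pre ;;
    clean) check_clean ;;
    post)  check_post ;;
esac
```

Save it as, say, /root/stubby-check.sh and run `sh /root/stubby-check.sh pre` after step 1, `sh /root/stubby-check.sh clean` after step 2C, and `sh /root/stubby-check.sh post` after step 5; each mode exits non-zero on the first problem it prints. The version compare strips the `_N` port revision so a getdns-1.4.2_1 package still counts as 1.4.2.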

6 - Final thoughts: I really liked this tool. No portsnap fetch - No portsnap update - No PortMaster necessary or needed in order to manage Opnsense Ports. All you need is the " OPNsense release engineering toolkit ". Not only for GETDNS and STUBBY but for any other port you may choose to install on Opnsense. Thanks to the Opnsense developers once again.

Peace as Always,

directnupe