OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: directnupe on July 18, 2018, 10:28:02 pm

Title: New Native Unbound DNS-Over-TLS Feature Starting With UNBOUND 1.7.1
Post by: directnupe on July 18, 2018, 10:28:02 pm
Manually installing an openssl package from FreeBSD is asking for trouble. You'll have two instances of OpenSSL on the system, and that won't change the fact that Unbound is compiled against the base OpenSSL.
There isn't much we can do about this except to wait for OpenSSL 1.1.x to go in FreeBSD base, or try to convince Unbound devs to find a way to validate it without using a function only available in OpenSSL 1.1.x.

Hello All,
This will have to wait until OpenSSL 1.1.x is included in OPNsense, or until the Unbound devs find a way to validate it without using a function only available in OpenSSL 1.1.x.
First, read this quote from Daniel Aleksandersen, the author of the first article referenced in this post, entitled "Actually secure DNS over TLS in Unbound":

You’ll find quite a few blog posts and tutorials on how to configure encrypted DNS over TLS forwarding in Unbound. I’ve yet to find a single one that actually sets up TLS securely with certificate domain validation, however. Without TLS certificate domain validation your DNS can still be intercepted, monitored, or manipulated by a man-in-the-middle attacker with nothing more than a self-signed certificate. Here is how you set it up more securely.

I am the guy (directnupe) who wrote the guides https://forum.opnsense.org/index.php?topic=8579.0
and https://forum.opnsense.org/index.php?topic=8759.0

You can also leave out GetDNS and Stubby for DNS over TLS. This works on Unbound 1.7.1 and above, and OPNsense (if you are current) runs Unbound 1.7.1 and above.

For DNS-over-TLS support in OPNsense with Unbound, without GetDNS and Stubby, see these articles: https://www.ctrl.blog/entry/unbound-tls-forwarding and https://www.monperrus.net/martin/randomization-encryption-dns-requests
In OPNsense the ca-certificates package is installed from the security/ca_root_nss package on FreeBSD. The final install path of that package is /etc/ssl/cert.pem.
The full path of the ca_root_nss bundle is /usr/local/share/certs/ca-root-nss.crt. You can check that this symlink exists on your system by running this command:
ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
You should get the response "File exists".
So, as the title of the article says, in order to "Actually secure DNS over TLS in Unbound" you should configure Unbound as follows:

UNBOUND GENERAL SETTINGS
Network Interfaces = WAN, LAN (all of your LAN interfaces if you have more than one), and you must select Localhost. I repeat: you must select Localhost!

Next, go to UNBOUND GENERAL SETTINGS > Custom Options and enter:

server:
access-control: 127.0.0.0/8 allow # allow queries from localhost (unbound-control)
interface: 127.0.0.1
minimal-responses: yes
cache-max-ttl: 14400
cache-min-ttl: 900
do-tcp: yes
hide-identity: yes
hide-version: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
verbosity: 1
tls-cert-bundle: "/etc/ssl/cert.pem" # For OPNsense/FreeBSD: CA bundle used to validate the forwarders' certificates

forward-zone:
name: "." # forward every query (the root zone)
forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
forward-addr: 185.49.141.37@853#getdnsapi.net
forward-addr: 199.58.81.218@443#dns.cmrg.net
forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
forward-ssl-upstream: yes # TLS to the forwarders; IP@port#name gives the port and the certificate auth name to validate

Outgoing Network Interfaces  =  WAN

Make sure to NOT check (do NOT check) the box for DNS Query Forwarding. Save and apply settings.

Next, under System > Settings > General Settings:

Set the first DNS server to 127.0.0.1 with no gateway selected.
Make sure that DNS server option:

A - "Allow DNS server list to be overridden by DHCP/PPP on WAN" is NOT (I repeat, is NOT) checked!

and DNS server option

B - "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" is NOT (I repeat, is NOT) checked!

Optionally, I entered 127.0.0.1 along with the Freenom World DNS servers (80.80.80.80 and 80.80.81.81) under System > General Setup > DNS Server Settings > DNS Servers. Things will work fine and as intended. I have found that it is best to use these DNS addresses for your system. http://www.freenom.world/en/index.html?lang=en

Save and apply settings.

I use GetDNS, Stubby and Unbound, so this is not how I employ DNS over TLS (see the first two links above if you wish to take a look at that option).

Peace and God Bless,

directnupe
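The point of the Aleksandersen quote in the post above is that encryption alone is not enough: each forward-addr needs an explicit port and a #auth-name, TLS upstream must be on, and a CA bundle must be configured, otherwise a self-signed certificate is accepted. The checker below is an added example, not code from directnupe's post or from OPNsense or Unbound. It parses the Unbound-style custom-options block and flags those four gaps. The embedded sample is a constructed copy of the post's block plus two deliberately weak forward-addr lines using RFC 5737 addresses and an example.net name. It also accepts the later spellings forward-tls-upstream and tls-system-cert (Unbound 1.8+); treating them as equivalents of the 1.7.1 options is my assumption, not something the post states.

```python
"""Lint an Unbound forward-zone for DNS-over-TLS mistakes (added example)."""
import re
from typing import List, Tuple

# Constructed sample: the post's custom-options block, trimmed, plus two
# deliberately weak forward-addr lines (RFC 5737 addresses, example.net name).
SAMPLE_CONFIG = """
server:
access-control: 127.0.0.0/8 allow   # unbound-control
qname-minimisation: yes
tls-cert-bundle: "/etc/ssl/cert.pem"  # For OPNsense/FreeBSD

forward-zone:
name: "."
forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
forward-addr: 192.0.2.53@853
forward-addr: 198.51.100.53#dot.example.net
forward-ssl-upstream: yes
"""

# forward-addr value grammar: IP[@port][#auth-name]
FORWARD_ADDR_RE = re.compile(
    r"^(?P<ip>[0-9A-Fa-f:.]+)(?:@(?P<port>\d{1,5}))?(?:#(?P<auth>[^\s#]+))?$"
)


def parse_unbound(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples for an Unbound-style config.

    A '#' opens a comment only at line start or after whitespace, so the
    '#auth-name' suffix glued onto a forward-addr value is kept.
    """
    section = ""
    entries: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":  # a bare 'server:' / 'forward-zone:' opens a clause
            section = key
            continue
        entries.append((section, key, value))
    return entries


def lint_dot_forwarding(text: str) -> List[str]:
    """Return findings in config order; an empty list means the block passes."""
    entries = parse_unbound(text)
    findings: List[str] = []
    server = {k: v for s, k, v in entries if s == "server"}
    zone = [(k, v) for s, k, v in entries if s == "forward-zone"]
    zone_opts = dict(zone)

    # Without a CA bundle (tls-cert-bundle, 1.7.1+) or the system store
    # (tls-system-cert, 1.8+, assumed equivalent) the auth name is matched
    # against a chain that was never verified.
    if "tls-cert-bundle" not in server and server.get("tls-system-cert") != "yes":
        findings.append("server: no tls-cert-bundle/tls-system-cert, upstream certificates cannot be validated")

    tls_flag = zone_opts.get("forward-tls-upstream", zone_opts.get("forward-ssl-upstream", "no"))
    if tls_flag != "yes":
        findings.append("forward-zone: forward-ssl-upstream/forward-tls-upstream is not yes, forwarding is plaintext")

    for key, value in zone:
        if key != "forward-addr":
            continue
        m = FORWARD_ADDR_RE.match(value)
        if not m:
            findings.append(f"forward-addr {value!r}: unparsable")
            continue
        if m.group("port") is None:
            findings.append(f"forward-addr {value}: no @port, Unbound will use 53 (not a DoT port)")
        if m.group("auth") is None:
            findings.append(f"forward-addr {value}: no #auth-name, certificate hostname is not validated (self-signed MITM works)")
    return findings


def passes_lint(text: str) -> bool:
    """True only when every DoT forwarder is pinned to a port and an auth name."""
    return not lint_dot_forwarding(text)


if __name__ == "__main__":
    for finding in lint_dot_forwarding(SAMPLE_CONFIG):
        print("WARN", finding)
```

Paste your own Custom Options block in place of SAMPLE_CONFIG (or read it from a file) before applying it in the GUI; the two weak lines in the sample show the two ways a forwarder silently falls back to unauthenticated or plaintext transport.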