Tutorials and FAQs / Re: OPNsense 21.7.1 - New Fresh Guaranteed DNS OVER TLS
« on: November 18, 2021, 09:02:24 am »

> Thank you for explaining all that. I took a look at the Unbound configuration and saw what you are talking about; the only thing I don't really understand is that there is a field for "Verify CN" (the help tip is "Verify if CN in certificate matches this value") but I am not sure what you are supposed to put there. If you look at the list of servers in the top post there is nothing indicated as a "CN"; I do see that most have "tls_pubkey_pinset" entries but I assume that's not the same thing.

With all due respect, and I don't mean this negatively, but this shows you haven't looked into how DoT works. You'll either need a pinset or, ideally, avoid using a pinset and instead have the TLS connection match the DNS name issued to the certificate, so that the resolver can verify that the answers are actually coming from an intended source (dns.quad9.net, one.one.one.one, etc. etc.). This is no doubt more complicated than "regular" DNS, but then again so is an Unbound resolver (which OPNsense ships with by default) compared to a dnsmasq based forwarder configuration in most consumer gear.

> The other thing is there are no default or suggested entries; ..... Or failing that, a link to an article somewhere that contains that information.

Stubby ships with a default config. The DoT providers that you wish to use will need to be your own decision. It's quite normal to not ship a list of defaults because people may not want them or, even worse, they could end up being monetized and not in a user's interest for privacy. Again, the rule here is if you're going to enable DoT, you'll need to do a small amount of searching to understand it and make the choice which provider you think has your best interests in mind. I wouldn't expect OPNsense devs, or anyone else for that matter, to do that for me.
Again not trying to sound like a "let me google that for you" post but this is all covered extensively here in the forums over many years (DoT was first launched with an Unbound update back in April 2018).
Basic info here and some config examples (note, the config isn't needed because new OPNsense does that for you with the DoT GUI page): https://www.ctrl.blog/entry/unbound-tls-forwarding.html
A discussion about the two major DoT providers, CloudFlare and Quad9, with additional input from Quad9's management. CloudFlare also posts in that thread with their input: https://www.snbforums.com/threads/cloud9-dns.56918/

> Maybe DNS over TLS is too new, or there really are that few servers that support it; if so I apologize if I am asking for too much, but I am just trying to understand if this is something that is possible. As for the comment about the article being for those "that wish to try something a bit more performant than Unbound DoT", I guess I would say that while I suppose everyone would like maximum performance (however they define that), not everyone has the time, patience, or ability to learn how to tweak things to the very max (that's as true of computer networking as it is of mechanical things such as car engines). I would just be happy if it works reliably and doesn't become a bottleneck to network traffic.

If you just want working and reliable DoT with minimal configuration, the built in DoT GUI page in OPNsense is the way to go. Choose a DoT provider, input their port, IP and DNS name, and you're up and running.
You also need to be aware of the differences between a resolver and a forwarder. Anytime you go DoT, you're always putting all of your trust in the provider you choose to forward your queries to. You're essentially abdicating the resolver portion of Unbound and just having it forward all of its queries to a chosen provider. Yes, they will be encrypted so that your ISP can't see them, but the provider can still decrypt and see them. So you're exchanging anonymity at the DNS level for anonymity between your ISP and your DNS traffic.
OPNsense ships by default in resolver mode, which means all of your DNS queries are sent in plaintext so that your ISP (or anyone else in the middle) can potentially see them, but the queries are sent randomly to hundreds of various root servers and the local Unbound service within OPNsense resolves them and caches them. OPNsense also has two easy check boxes during the initial setup to enable DNSSEC in resolver mode, which adds an additional layer of security from the root resolvers (there are those nice check boxes again). The likelihood that a single DNS provider would be able to get enough metadata on your network activity would be reduced, at the expense of everyone else being able to potentially see it on the wire. It's always a trade off. You need to educate yourself and decide. And yes, most people just give up and use consumer gear or just use the defaults at this stage in the game.
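To make the "Verify CN" point concrete, here is an added Unbound forward-zone example (my own illustration, not code from the post or from OPNsense's GUI generator) showing what the DoT page fills in under the hood: the name after `#` is the certificate name Unbound checks, i.e. the "Verify CN" value. The CA bundle path is an assumption for a FreeBSD-based box; the Quad9 and Cloudflare addresses are those providers' published anycast addresses.

```conf
server:
  # CA bundle used to validate the upstream's certificate chain.
  # Path assumed for FreeBSD/OPNsense; adjust to your system.
  tls-cert-bundle: /etc/ssl/cert.pem

# Weak variant: TLS is used, but with no auth name after the address
# Unbound has nothing to match the certificate against, so the traffic
# is encrypted yet the upstream is not authenticated.
#
# forward-zone:
#   name: "."
#   forward-tls-upstream: yes
#   forward-addr: 9.9.9.9@853

# Authenticated variant: IP@port#authname. The authname is the DNS name
# the provider's certificate was issued to, which is exactly what the
# OPNsense "Verify CN" field asks for (dns.quad9.net, one.one.one.one).
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-addr: 1.1.1.1@853#one.one.one.one
  forward-addr: 1.0.0.1@853#one.one.one.one
```

Pick one provider in practice; mixing two here just illustrates that each address carries its own auth name. The `tls_pubkey_pinset` entries mentioned in the quoted post are Stubby's pinning mechanism and are not what this Unbound field expects.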
Thanks for taking the time and patience to try to explain things to this guy. God Bless You. Check out my new work:
https://forum.opnsense.org/index.php?topic=25614.0
Peace