Well, that was odd...  :o

Quote from: koushun on January 26, 2021, 11:54:49 PM
Yes. I would suggest DNS over TLS which uses port 853, which will even encrypt your DNS queries.
Check your browser: https://www.cloudflare.com/en-gb/ssl/encrypted-sni/ before you start.
Probably fails on multiple checks? Do not bother with the "Encrypted SNI" for now.
This is how I have done it - at least how I think I've done it.
System > Settings > General : REMOVE any DNS Server you have listed here. Click Save.
Go to Services > Unbound DNS > General.
* Enable Unbound
* Enable DNSSEC Support
This is off the top of my head, but make sure those things are checked. Listen port should be 53 and you should be listening on all interfaces. Do not worry about the WAN etc., everything is blocked by the default firewall rules.
Hm, then go to Miscellaneous under Unbound and add servers which support TLS. You have to specify the address in server@port fashion:
Write 1.1.1.1@853 and press Enter.
Probably add at least one more, 1.0.0.1@853.
Click Save.
I do not know what platform you are on; Windows? Flush your DNS with CMD: ipconfig /flushdns
Grab a cup of coffee.
Go to Firewall > Log Files > Live View. Click the drop down Menu which says "action". Choose dst_port, remove the text "pass" and write 853 and click the + symbol.
Now, as you go to your LAN client and visit websites and ping stuff, like ping microsoft.com or any other website, you should see traffic populated to one of the DNS servers you have defined under Miscellaneous.
Verify which DNS server you are using with nslookup, "nslookup hltv.org".
Check your browser again? https://www.cloudflare.com/en-gb/ssl/encrypted-sni/
Now. If clients were to not use your OPNsense as a DNS server (they do not honor the DNS server provided in the DHCP offer), you could do NAT port forwarding from your LAN interface and redirect all traffic (UDP/TCP) destined for !LAN@53 to 127.0.0.1 port 53.
You could check if any traffic is going out, by doing the Live View in the Firewall logs as mentioned above, and change port to 53.
That way, if you have a client which uses for instance 8.8.8.8 as a DNS server, you'll redirect this request to your OPNsense Unbound DNS service. And voilà, the upstream DNS, which will be 1.1.1.1, serves this request over TLS.
Try this and see if anything of it makes any sense ;)
Yay, first post.
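The Live View filter in the post (dst_port 853, then dst_port 53) is the manual way to confirm the setup. Below is an added example, not part of the post above and not OPNsense's own tooling, that applies the same check to exported firewall log lines so you get a verdict instead of scrolling: which LAN clients still send plaintext DNS past the firewall (the case the NAT redirect is meant to catch), whether any port-53 traffic leaves the WAN at all, and whether port-853 traffic goes only from the firewall to the upstreams you configured. The log lines, the interface names (em0 as WAN, em1 as LAN) and the addresses are constructed for the example, and the field layout is assumed to match the CSV that pf's filterlog writes for IPv4. Two caveats the log view alone does not make obvious: on the WAN side a client's own DoT connection is NATed and looks like the firewall's query, so the LAN-side entries are what attribute it to a client, and a client doing its own DNS over TLS on 853 is not caught by a port-53 redirect. Also note that Unbound only authenticates the upstream certificate when an authentication name is supplied (Unbound's `forward-addr: 1.1.1.1@853#cloudflare-dns.com` syntax) together with a CA bundle; a bare `1.1.1.1@853` encrypts but does not verify who answers, so check what your OPNsense version's field accepts.

```python
"""Audit pf/OPNsense filterlog lines for DNS that bypasses the resolver.

Hypothetical helper, not from the original post or from OPNsense. It applies
the Live View filters the post describes (dst_port 853, dst_port 53) to
exported log lines and classifies what it finds.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample lines (not captured from a real firewall). They carry only
# the CSV payload that pf's filterlog writes, syslog prefix stripped. The field
# layout is assumed to follow the IPv4 filterlog format:
# rulenr,subrulenr,anchor,rid,interface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,proto,protoname,length,src,dst,srcport,dstport,datalen
# em0 is taken to be WAN (203.0.113.10) and em1 LAN (192.168.1.1).
SAMPLE_LOG = """\
72,,,a1b2,em0,match,pass,out,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.10,1.1.1.1,51000,853,0
72,,,a1b2,em0,match,pass,out,4,0x0,,64,2,0,DF,6,tcp,60,203.0.113.10,1.0.0.1,51001,853,0
72,,,a1b2,em0,match,pass,out,4,0x0,,64,3,0,DF,6,tcp,60,203.0.113.10,9.9.9.9,51002,853,0
5,,,c3d4,em1,match,pass,in,4,0x0,,128,4,0,none,17,udp,61,192.168.1.20,192.168.1.1,55000,53,41
5,,,c3d4,em1,match,pass,in,4,0x0,,128,5,0,none,17,udp,61,192.168.1.30,8.8.8.8,55001,53,41
5,,,c3d4,em1,match,pass,in,4,0x0,,128,6,0,DF,6,tcp,60,192.168.1.30,8.8.4.4,55002,53,0
73,,,e5f6,em0,match,pass,out,4,0x0,,63,7,0,none,17,udp,61,203.0.113.10,8.8.8.8,55001,53,41
5,,,c3d4,em1,match,pass,in,4,0x0,,128,8,0,DF,6,tcp,60,192.168.1.40,1.1.1.1,55003,853,0
"""

IPV4_FIELDS = [
    "rulenr", "subrulenr", "anchor", "rid", "interface", "reason", "action",
    "dir", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags", "proto",
    "protoname", "length", "src", "dst", "srcport", "dstport", "datalen",
]


def parse_filterlog(text):
    """Parse IPv4 filterlog CSV lines into dicts.

    IPv6 lines use a different field layout and are skipped here; the same
    goes for truncated lines, which carry no usable port information.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(IPV4_FIELDS) or row[8] != "4":
            continue
        rec = dict(zip(IPV4_FIELDS, row))
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def audit_dns(records, lan_net, firewall_addrs, dot_upstreams, wan_if):
    """Classify passed DNS (53) and DoT (853) traffic.

    lan_net: the LAN prefix; firewall_addrs: the firewall's own addresses on
    LAN and WAN; dot_upstreams: the servers configured under Miscellaneous.
    Post-NAT WAN entries look like the firewall's own queries, so only the
    LAN-side 'in' entries can attribute a query to a client.
    """
    lan_net = ipaddress.ip_network(lan_net)
    result = {
        "leaks": [],            # LAN clients asking a port-53 server that is not the firewall
        "wan_plain_dns": [],    # plaintext DNS leaving the WAN interface at all
        "dot_ok": Counter(),    # port 853 from the firewall to a configured upstream
        "dot_unexpected": [],   # port 853 from a client, or to an unconfigured server
        "local_resolver": 0,    # LAN clients correctly asking Unbound on the firewall
    }
    for r in records:
        if r["action"] != "pass":
            continue  # blocked packets never reached a resolver
        src, dst = r["src"], r["dst"]
        if r["dstport"] == 53:
            if dst in firewall_addrs:
                result["local_resolver"] += 1
            elif ipaddress.ip_address(src) in lan_net:
                result["leaks"].append((src, dst, r["protoname"]))
            if r["interface"] == wan_if and r["dir"] == "out":
                result["wan_plain_dns"].append((src, dst))
        elif r["dstport"] == 853:
            if src in firewall_addrs and dst in dot_upstreams:
                result["dot_ok"][dst] += 1
            else:
                result["dot_unexpected"].append((src, dst))
    return result


def run_sample():
    """Audit the constructed sample with the assumed addresses above."""
    return audit_dns(parse_filterlog(SAMPLE_LOG), "192.168.1.0/24",
                     {"192.168.1.1", "203.0.113.10"}, {"1.1.1.1", "1.0.0.1"}, "em0")


if __name__ == "__main__":
    import json
    res = run_sample()
    res["dot_ok"] = dict(res["dot_ok"])
    print(json.dumps(res, indent=2))
```

On the sample, the audit reports 192.168.1.30 leaking to 8.8.8.8 and 8.8.4.4 (the clients the NAT redirect is for), one plaintext query leaving the WAN, two good DoT upstreams, and two unexpected 853 connections: the firewall talking to an upstream that was never configured, and a LAN client doing its own DoT. To run it against a real box, replace SAMPLE_LOG with the CSV part of your exported filter log and the address sets with your own; an empty "leaks" and "wan_plain_dns" after the redirect is in place is the result you want.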