Topics - p1n0ck10

1
German - Deutsch / DNSCrypt-Proxy plugin: setting DNS resolvers manually
« on: December 14, 2018, 02:57:16 am »
Hello everyone,

After I was quite pleased that there is now a dedicated plugin for DNSCrypt, I sat down right away, configured it with Unbound and wrote a small HowTo.
https://forum.opnsense.org/index.php?topic=10670.0

What I haven't figured out yet is how I can set the resolvers manually via the GUI. By default they are selected automatically. It would be good if I could set some myself, e.g. the OpenDNS ones, to optionally be able to use services like Cisco Umbrella. These should also support DNSCrypt.

IPv4: 208.67.222.222
IPv4: 208.67.220.220
IPv6: 2620:119:35::35
IPv6: 2620:119:53::53

At https://wiki.archlinux.org/index.php/Dnscrypt-proxy I found out that this should be possible in the config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml. I don't want to and can't change that one, because it is rewritten after a restart of the OPNsense.

>>
To manually set which server is used, edit dnscrypt-proxy.toml and uncomment the server_names variable, selecting one or more of the servers. For example, to use Cloudflare's servers:
Code:
server_names = ['cloudflare', 'cloudflare-ipv6']
<<

The names are listed in /usr/local/etc/dnscrypt-proxy/public-resolvers.md. For Cisco, for example, it would then be:
Code:
server_names = ['cisco', 'cisco-ipv6']
@mimugmail is this possible in the current plugin version?

Thanks and best regards


2
Tutorials and FAQs / HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« on: December 13, 2018, 10:14:12 pm »
[Updated on 10.03.2020]

Since opnsense 18.7.9 it is possible to use encrypted DNS with the opnsense-plugin "os-dnscrypt-proxy". Thanks to mimugmail (m.muenz@gmail.com). This plugin supports DNSCrypt (https://dnscrypt.info) and DNS over HTTPS (DoH) with DNSSEC and DNSBL.


Explanations and Differences:
DNSCrypt or DNS over HTTPS = protocol that authenticates communications between a DNS client and a DNS resolver. It encrypts the traffic and prevents DNS spoofing or man-in-the-middle attacks. DoH is standardized by the IETF and the standard port for resolvers is 443. DNSCrypt uses different ports. Resolvers on the internet often use ports like 443, 4443, 5443 or 8443; it is currently not standardized but has more privacy features.
DNSSEC = DNS extension that allows a client to validate the DNS response on supported domains and TLDs. Resolvers check the digital signature of DNS responses.
DNSBL = Domain Name System Blacklists with RPZ (response policy zone) to block ads, trackers and malware domains.

This technique does NOT protect against ISP censorship !!! because your browser's HTTPS requests carry the Server Name Indication (SNI) unencrypted. Currently only Cloudflare and Firefox have implemented ESNI for testing. Tor or a VPN can solve this. Here is the answer from the developer of DNSCrypt, Frank Denis:
https://superuser.com/questions/1318588/what-exactly-isp-can-see-when-someone-use-dnscrypt-proxy-with-dnscrypt-enabled-p


Scenario:
dnscrypt-proxy only listens on the localhost addresses 127.0.0.1 (IPv4) and ::1 (IPv6) on port 5353 and handles the DNS requests to the internet encrypted.
Unbound DNS forwards all queries to dnscrypt-proxy while it itself listens on all interfaces on port 53 (IPv4 + IPv6) and handles the DNS requests for the local network unencrypted.

The reason behind that scenario is that Unbound DNS can act as a DNS resolver for your LAN with all its features. If you allow it to register DHCP leases you can reach your clients via their hostnames and do not need to know their IP addresses. The DNS traffic on the LAN side is not encrypted because most clients' operating systems currently do not support this. For decentralization dnscrypt-proxy uses a pool of random servers from a public list. Normally it automatically chooses the fastest one with the options you set (IPv4, IPv6, DNSCrypt, DoH, DNSSEC, NoLog, NoFilter). Every 3 hours it checks for the fastest server again. You can shorten the time interval by running the existing cronjob under System/Settings/Cron "Download DNSCrypt-Proxy DNSBLs and restart". You only need dnscrypt-proxy because Unbound DNS (and also dnsmasq) has only limited support for DNSCrypt/DoH and DNSBL.

You can also configure dnscrypt-proxy as a standalone DNS server. For this follow these instructions:
https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html


Install DNSCrypt-Proxy:
System/Firmware/Plugins
=> Install "os-dnscrypt-proxy"


Configuration DNSCrypt-Proxy:
Services/DNSCrypt-Proxy/Configuration/General
=> Check "Enable DNSCrypt-Proxy"
=> "Listen Address" is 127.0.0.1:5353 and [::1]:5353
=> Check "Use IPv4 Servers"
=> Check "Use IPv6 Servers"
=> Check "Use DNSCrypt Servers"
=> Check "Use DNS-over-HTTPS Servers"
=> Check "Require DNSSEC"
(see attachments "Services-DNSCrypt-Proxy_01.png", "Services-DNSCrypt-Proxy_02.png")



=> As "Fallback Resolver" you can use the standard Quad9 server (9.9.9.9:53) or Cloudflare (1.1.1.1:53) or whatever you want.


Optional Configuration DNSCrypt-Proxy (manual Servers):
For some business use cases it is necessary to use manual DNS servers for additional DNS services from Cloudflare or Cisco Umbrella. For other reasons you may want to use specific servers from your country. If you use the "Server List", the options (DNSSEC, NoLog, NoFilter) will be ignored.

Services/DNSCrypt-Proxy/Configuration/General
=> On "Server List" you can enter the server names from this public list https://dnscrypt.info/public-servers/.
Use the exact server names and not any IPs.

Cloudflare CDN (DoH) is one of the fastest, but in the past another user had the experience that some sites like oneplus.com or postbank.de were not available because DNSSEC was broken => seems to be fixed.
In that case you had to configure Unbound DNS to redirect the queries for this domain to another DNS server. This can be done under "Services/Unbound DNS/Overrides/Domain Overrides".
Code:
cloudflare
cloudflare-ipv6

Cisco/OpenDNS (DNSCrypt) for services like Cisco Umbrella.
Code:
cisco
cisco-ipv6

(see attachment "Services-DNSCrypt-Proxy_03.png")


Another option is to create your own server on Services/DNSCrypt-Proxy/Configuration/Servers.


Configuration Unbound DNS:
Services/Unbound DNS/General
=> Check "Enable Unbound"
=> Check "Enable DNSSEC Support"
=> Uncheck "DNS Query Forwarding"
=> Under "Custom options" you must configure Unbound DNS so that it forwards everything to dnscrypt-proxy. I set this up for IPv4 + IPv6 because dnscrypt-proxy and Unbound DNS are listening on both addresses and in the original unbound.conf "interface-automatic" is set to yes, see:

ssh on opnsense: "cat /var/unbound/unbound.conf"
# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::0
interface-automatic: yes


User karlson2k figured out a solution for a problem where entries in "Services/Unbound DNS/Overrides/Domain Overrides" prevent Unbound DNS from starting if you forward to dnscrypt-proxy. Writing "server:" at the beginning of "Custom options" solves this.
Quote from: karlson2k on January 13, 2020, 10:03:18 pm
The reason is that domain overrides are included in unbound.conf before "Custom options", and domain overrides change the section from "server:" to "forward-zone:".
To fix the error in the configuration, you need to add a "server:" line before "do-not-query-localhost: no".


So the complete configuration looks like...
Code:
server:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353

=> Choose "All (recommended)" for "Outgoing Network Interfaces". In the past there was the option "localhost", but this has been removed since version 19.


Configuration System DNS-Server:
System/Settings/General
=> Check that no "DNS Server" is configured
=> Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"
=> Uncheck "Do not use the local DNS service as a nameserver for this system"
(see attachment "System-Settings-General.png")



All is done!

Check if your DNS Configuration works correctly:
=> https://dnsleaktest.com
Check for DNS leaks and which DNS server you currently use
=> https://cmdns.dev.dns-oarc.net/
Check your DNS features
=> https://internet.nl/test-connection/
If you use IPv6 and DNSSEC
=> http://www.dnssec-or-not.com/
If you use DNSSEC
=> https://tools.dnsstuff.com/
DNS-Tools and more


Recommendation for another tutorial:
Forward all unencrypted DNS traffic to OPNsense, see:
https://forum.opnsense.org/index.php?topic=9245.0


Kind Regards  ;)
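The Unbound section of the HOWTO above hinges on where "do-not-query-localhost: no" lands once OPNsense assembles unbound.conf: a domain override switches the clause to "forward-zone:" before "Custom options" are appended, so the option must re-open "server:" first. The following added example (not part of the HOWTO or of OPNsense) models that ordering on a constructed config text, flags server-only options that ended up in the wrong clause, and builds the custom-options snippet in the fixed form.

```python
"""Check which unbound.conf clause each option lands in (added example).

Models the ordering described in the HOWTO: OPNsense emits domain overrides
(forward-zone: blocks) before the "Custom options" text, so an option such as
"do-not-query-localhost: no" silently ends up inside a forward-zone: clause
unless the custom options begin with their own "server:" line.
"""

# Unbound clause keywords that open a new section of the file.
SECTIONS = {"server:", "forward-zone:", "stub-zone:", "auth-zone:",
            "remote-control:", "view:"}
# Options that are only valid inside server: (subset, for this check).
SERVER_ONLY = {"do-not-query-localhost", "interface", "interface-automatic"}


def assign_sections(conf):
    """Return a list of (clause, option-name) for every option line."""
    section = "server:"        # generated file opens with server:
    result = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        result.append((section, line.split(":", 1)[0].strip()))
    return result


def misplaced_server_options(conf):
    """Names of server:-only options that sit in some other clause."""
    return [k for sec, k in assign_sections(conf)
            if k in SERVER_ONLY and sec != "server:"]


def build_custom_options(forwarders=("127.0.0.1@5353", "::1@5353")):
    """Custom options in the fixed form: re-open server: before the option."""
    lines = ["server:", "do-not-query-localhost: no", "",
             "forward-zone:", '   name: "."']
    lines += ['   forward-addr: %s' % a for a in forwarders]
    return "\n".join(lines) + "\n"


# Constructed stand-in for the GUI-generated prefix: one domain override
# (example.internal -> 192.0.2.53) appears before the custom options.
GENERATED_PREFIX = ('server:\ninterface: 0.0.0.0\ninterface: ::0\n'
                    'interface-automatic: yes\n\nforward-zone:\n'
                    '    name: "example.internal"\n    forward-addr: 192.0.2.53\n')
# Custom options as in the old tutorial, without the leading server: line.
BROKEN_CUSTOM = build_custom_options().split("server:\n", 1)[1]
```

Running misplaced_server_options(GENERATED_PREFIX + BROKEN_CUSTOM) reports do-not-query-localhost, while GENERATED_PREFIX + build_custom_options() reports nothing.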

3
German - Deutsch / Web Proxy + IPv6
« on: November 28, 2018, 01:57:54 am »
Hello everyone,

I would like to use the transparent web proxy in my network to use functions like web filter, blacklists and virus scanner, ideally for IPv4 + IPv6.
I have already used the search function and read the documentation at
https://wiki.opnsense.org/manual/how-tos/proxytransparent.html
but found nothing really on the topic of IPv6, so I would be glad to get a few hints here... ::)

About my OPNsense configuration:
I have a dual-stack connection with IPv4 + IPv6 from Vodafone. OPNsense is configured for IPv6. Everything works so far. My clients get an IPv6 address from the provider. Tested at
http://ipv6-test.com (see attachment: Ergebniss_ipv6-test.com.jpg) and
http://test-ipv6.com (gives 10/10 points)
Transparent web proxy configured with port forwarding of the HTTP and HTTPS ports to the local IPv4 127.0.0.1 and IPv6 ::1 of the OPNsense so that the web proxy on ports 3128 and 3129 is used. But as soon as I enable the NAT rules for this, I can no longer reach the internet with an IPv6 address, see
http://wieistmeineip.de, and a pure IPv6 site like e.g. https://ipv6.google.com can no longer be accessed.

Do you know whether and how the web proxy works with IPv6?

Many thanks in advance  ;)
