Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - directnupe

Pages 1 2 3 4

#16

General Discussion / Logs Re: Stuuby Fails To Boot on OPNsense 19.7.9

January 12, 2020, 09:34:00 AM

See here for solution to reported issue detailed below:

https://forum.opnsense.org/index.php?topic=15528.0

Dear francoand OPNsense Community,
Hello - this e-mail is in direct reply to your questions of a few days ago - those
specifically being :

What's the problem? / What is happening?

Well I hope that you are doing well. I have not heard from you in a few days
regarding the issue I have been having in being UNABLE to get Stubby to start
on OPNsense 19.7.9_1 - I set up OPNsense 19.7.9_1 on VMware Workstation 15.5.1,
and I was able to replicate the error which is responsible for Stubby failing to start.
This same error occurs on fresh install of OPNsense 19.7.9 on real hardware.
While OPNsense boots up - what appears on the screen are the contents of the
" /usr/local/etc/stubby/stubby.yml " file.
The message after stubby fails is to boot is below :

"Generic Error " could not parse config file " /usr/local/etc/stubby/stubby.yml "
Generic Error " /usr/local/etc/rc.d/stubby.sh " : Warning failed to start stubby

So, as I said in my earlier correspondence - I believe that that the issue lies within the
start up script. Perhaps, most importantly there needs to be a proper start script to
be written and placed in /etc/rc.conf.d/stubby location. To remind you this is what I have placed
within /etc/rc.conf.d/stubby file currently - see below :

stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Oddly enough, the network shows that there is an internet connection even though
I am unable to browse the internet. So, I hope this helps in getting to the bottom
of this bug which prevents proper functioning of DOT ( getdns and stubby ) on
OPNsense 19.7.9_1. There may have been a change made as to how to implement and
produce start up scripts on OPNsense starting with OPNsense 19.7.9 - if so
this change was not announced in the release notes. I will ask this of you now Franco.
Also, I am asking which chmod command ( s ) do you suggest using to make both files
/usr/local/etc/rc.d/stubby.sh and /etc/rc.conf.d/stubby executable ?

Peace and God Bless,

directnupe

Tutorial showing My SetUp Instructions:

https://forum.opnsense.org/index.php?PHPSESSID=k6ivse7g94849ga6nk9r8kg9g5&topic=13487.0

#17

General Discussion / Re: Need Assistance With GETDNS

January 10, 2020, 01:38:22 PM

Dear franco,
Thanks for your reply - so I want to bring you up to speed. I have been in touch with Ryan Steinmetz aka zi - the port maintainer and developer of GETDNS. I am going to include what I wrote to him below along with the answers to your questions. Also, I am going to build my own GETDNS package and see how that works. My message to Zi ( aka Ryan ) below :

Dear Zi ( aka Ryan ),
Hello and thanks for your swift reply. I will do my best to
explain the issue which I am encountering on OPNsense 19.7.9
( a HardenedBSD derivative ). Please note that I am not an
expert and I am unable to send you any screen shots as this issue
only occurs when I install OPNsense on actual hardware computer.
From my best determination - the problem is that the start up script
( stubby.in ) which you were kind enough write - DOES NOT execute
( read run ) at boot time.
What I see on the screen on boot up are the full contents of the
/usr/local/etc/stubby/stubby.yml file being displayed on the screen instead
of the screen stating the message that the /usr/local/etc/rc.d/stubby.sh
is being stated and read. This did not happen up until I upgraded to
OPNsense 19.7.9 -
If you would - please read through my tutorial found here:
https://forum.opnsense.org/index.php?topic=13487.0 - the reason I ask
you to do this is so that you can see how I exactly set up GETDNS on
OPNsense from start to finish. From this overview, you might be able to see
where I may be making any errors. However, as I said this worked up until now.
So, maybe a new start up script ( stubby.in ) is needed - perhaps - I will leave
that up to you. I do run Unbound 1.9.6 on OpenWrt with no issues at all.
Lastly, I contacted Franco - chief developer at OPNsense - and asked his
assistance with issue and he wrote back with this reply ( and I quote ) :

Hi directnupe,
What's the contents of /etc/rc.conf.d/stubby ? Are you using our binary package with LibreSSL or OpenSSL?
Have you checked against the FreeBSD binary package?
Cheers,
Franco

Answer Part 1
To answer his questions the contents of my /etc/rc.conf.d/stubby is:
A -
stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

and
B -
I also tried modifying /etc/rc.conf.d/stubby contents as follows below :
from guide here https://docs.opnsense.org/development/backend/autorun.html

stubby_enable="YES"
stubby_opnsense_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Neither of these worked even though choice A above worked flawlessly up until
OPNsense 19.7.9 -

Answer Part 2
Are you using our binary package with LibreSSL or OpenSSL?
Yes I am using OPNsense binary package with OpenSSL

Answer Part 3
Have you checked against the FreeBSD binary package?
Honestly I do not know how to do this - if you advise me how to do so
I will.

Thanks for all you do and God Bless,

directnupe

#18

General Discussion / Need Assistance With GETDNS

January 10, 2020, 02:03:03 AM

Dear franco and any who can assist -
Hello and I hope that you have been well. I am writing to you because I am having a slight issue with GETDNS and STUBBY - particularly this problem happens after I upgraded OPNsense to 19.7.9 ( HardenedBSD derivative ). The only issue I can possibly think of is that UNBOUND was recently upgraded to Unbound 1.9.6 -
In full disclosure I installed GETDNS and STUBBY on fresh VM and everything worked well and as expected.
I followed and wrote this guide :

https://forum.opnsense.org/index.php?topic=13487.0

Maybe the issue is with the custom /etc/rc.conf.d/stubby start up script needed
by OPNsense as I see that on REAL HARDWARE - the start up script does not
activate properly at boot time. Anyway, I hope to find the answer on this - the OPNsense Forum.

Thanks and God Bless,

directnupe

#19

General Discussion / Re: After 5 years - Where does OPNsense stand?

January 08, 2020, 04:41:36 AM

Franco - thanks for this well thought out exhaustive and comprehensive update as to
The State of The Union - God Bless To You and Yours and

Happy New Year,

directnupe

Quote from: franco on January 07, 2020, 02:56:11 PM
Happy new year,

Let me write a short answer for now...

While we had steady progress over the years 2019 was a bit quieter than usual. This has some non-technical factors but mostly it means the software works in a number of scenarios without a problem and while there will be always missing features there aren't a lot of open live bugs:

https://github.com/opnsense/core/issues?q=is%3Aopen+is%3Aissue+label%3Abug

Help is always appreciated and especially when it comes to the growing number of community support issues that are being raised which cannot be processed by the core team without taking all the time for maintaining and improving OPNsense:

https://github.com/opnsense/core/issues?page=1&q=is%3Aopen+is%3Aissue+label%3Asupport&utf8=%E2%9C%93

HBSD has gone through some structural changes this fall and FBSD 12.1 was only released in September, which made for a tight time frame for adoption of those OS updates, but this is still all doable in 2020.

OpenSSL 1.0.2 was deprecated a week ago, wich means 20.1 will have OpenSSL 1.1.1 instead which means TLSv1.3 support is finally viable. Python 2.7 suffers the same fate, but that has already been carried out for the most part in 19.7.

Documentation was comprehensively updated in 2019 and community contributions are rare which either means it not that important or sufficient for a majority of users. ;)

On the horizon is Suricata 5 and the improved ET rulesets, VXLAN and loopback device support. An MVC-based log viewer and already we have an all-improved health audit to find checksum errors in installed files and repair functionality.

i386 is being discontinued when we make the jump to HBSD 12.1 so that also counts as imminent progress. Some more changes and readjustments this year as well, but in general the track ahead is the same as always towards a smooth, reliable, and up-to-date firewall software distribution.

If for some the work done is not enough in the last ten major releases we've done, please go to the following archive and let us know how much is too much and how much is too little.

https://github.com/opnsense/changelog/tree/master/doc

Cheers,
Franco

#20

General Discussion / Re: 20.1 Beta ?

December 31, 2019, 08:11:04 PM

Dear mrancier,
Happy New Year and I wish you and yours well during the new decade. Yes - I second your thoughts around HardenedBSD 12 - However, there is an answer from franco on this topic found here :
https://forum.opnsense.org/index.php?topic=15350.0 - and I quote him " Plans changed due to a rough track towards 12.1. Announcement follows." This reply was posted on December 26, 2019. So, I guess that we will just have to wait a bit longer for 20.1 in any event.
Again Peace On Earth and God Bless -

directnupe

#21

Tutorials and FAQs / Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE

December 07, 2019, 06:09:42 PM

Dear DataKnights,
Hello and Happy Holidays - please excuse the delay in my getting back to you regarding your inquiry. Now - as far as setting TorGuard DNS. You can follow this guide : https://torguard.net/article/254/pfsense-openvpn.html
; however skip / scroll down to :
Step 7:
Navigate to System > General Setup and set DNS Servers to:

104.223.91.194
104.223.91.210

That should suffice. I use DNS OVER TLS so that I am fully encrypted. You can see my guide / tutorial for that
solution here : https://forum.opnsense.org/index.php?PHPSESSID=k6ivse7g94849ga6nk9r8kg9g5&topic=13487.0

I hope this helps and Peace Always
directnupe

#22

Tutorials and FAQs / Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE

October 05, 2019, 03:13:05 AM

Dear quirkyferret,
Hello and I hope that you are well. I suspect that the "simple" firewall rule which I detail in this tutorial is what is causing your inability to route the traffic in the manner you describe. Try this solution below - go to this page :
https://torguard.net/article/254/pfsense-openvpn.html -- and then set up your firewall rules as described in Step 6. Hopefully this will allow you to accomplish which you are out to achieve. See this guide if you wish which also describes the same firewall creation method : https://www.privateinternetaccess.com/helpdesk/guides/routers/pfsense/pfsense-2-4-3-setup-guide in Step 6

Peace
directnupe

#23

Tutorials and FAQs / Re: OPNSENSE DNS OVER TLS UPDATED NOW ! DEAD SIMPLE

September 09, 2019, 01:30:40 AM

Dear Serius,
I really am confused by your feedback / comments. All I can say is that literally thousands have followed this and related tutorials I have posted about DNS OVER TLS. Please provide more specific information regarding your setup. Honestly, this method should and will work if you follow the steps exactly as stated. Give it a fresh start, and if you have any further questions / issues - get back to me and I will do my best to assist you.
Peace,
directnupe

Dear krdk,
Hello and I hope that you are well. First off - you must configure and fine tune UNBOUND RESOLVER for your particular CPU - memory and so on in order to get the best results for DNS Resolution. I have a Dell Optiplex 7010 Intel(R) Core(TM) i5-3470S CPU @ 2.90GHz (4 cores) with 8G of Ram on which I run OPNsense. Here is the full Custom options: I use for UNBOUND ( you must adjust this for your hardware ) see here : https://nlnetlabs.nl/documentation/unbound/howto-optimise/ Here are the Custom options: :

tls-cert-bundle: "/etc/ssl/cert.pem"
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-large-queries: yes
harden-dnssec-stripped: yes
harden-short-bufsize: yes
harden-algo-downgrade: yes
num-threads: 4
interface-automatic: yes
msg-cache-slabs: 8m
rrset-cache-slabs: 8m
infra-cache-slabs: 8m
key-cache-slabs: 8m
rrset-cache-size: 256m
msg-cache-size: 128m
so-rcvbuf: 1m
unwanted-reply-threshold: 10000000
val-clean-additional: yes
use-caps-for-id: no
do-ip6: no
do-ip4: yes
do-tcp: yes
do-udp: yes
minimal-responses: yes
aggressive-nsec: yes
prefetch: yes
prefetch-key: yes
qname-minimisation: yes
qname-minimisation-strict: yes
rrset-roundrobin: yes
target-fetch-policy: "0 0 0 0 0"
max-udp-size: 3072
harden-below-nxdomain: yes
ip-ratelimit: 300
ip-ratelimit-factor: 10
incoming-num-tcp: 100
edns-buffer-size: 1472
outgoing-range: 8192

server:
do-not-query-localhost: no
forward-zone:
name: "." # Allow all DNS queries
forward-addr: 127.0.0.1@8069

Now, remember this is tailored and setup for my particular machine. As far as the stubby.yml files you can use these if you are in the US :

upstream_recursive_servers:
# IPV4 Servers
### DNS Privacy Test Servers ###
#The dns.cmrg.net DNS TLS Server A+ - CANADA
- address_data: 199.58.81.218
tls_auth_name: "dns.cmrg.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
#The dns-nyc.aaflalo.me DNS TLS Server A+ - USA
- address_data: 168.235.81.167
tls_auth_name: "dns-nyc.aaflalo.me"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: KqzeDRgYePfKuZrKttwXM8I2Ej4kD6Sayh0kp4NWaJw=
### Anycast DNS Privacy Public Resolvers ###
#The security-filter-dns.cleanbrowsing.org DNS TLS Server # 1 A+
- address_data: 185.228.168.9
tls_auth_name: "security-filter-dns.cleanbrowsing.org"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
#The DNS Warden DNS TLS Secondary Server A+
- address_data: 116.203.35.255
tls_auth_name: "dot2.dnswarden.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0=
## The DNS.SB DNS TLS Primary Server A+
- address_data: 185.222.222.222
tls_auth_name: "dns.sb"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
## The DNS.SB DNS TLS Secondary Server A+
- address_data: 185.184.222.222
tls_auth_name: "dns.sb"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=

Also, you can and should take advantage of this new DNS OVER TLS provider. You need to sign up - it is a free service - ANYCAST and pretty much cutting edge. ANYCAST speeds up your DNS - Here it is NextDNS https://my.nextdns.io/configuration/19474f/setup

Lastly, I am send ing four ( 4 ) screen shots so you can see how to set up and configure UNBOUND - make sure the ports in stubby.yml matches the forward port you use for UNBOUND.

Peace and I am OUT !
directnupe

#24

Tutorials and FAQs / Re: OPNSENSE DNS OVER TLS UPDATED NOW ! DEAD SIMPLE

August 15, 2019, 12:03:36 AM

Dear firewall,
Sorry for the delay in replying - by the way Hello and I hope that you are well. The rationale I used in selecting these DNS Servers listed above is that they are rated A+ on https://www.immuniweb.com/ssl/?id=Su8SeUQ4 website. Moreover, I live in New York USA and there is one server "dns-nyc.aaflalo.me" which is based here. QNAME minimisation also is a significant factor in my selecting DNS Resolvers. dns.cmrg.net rates an A on port 443 and an A+ on port 853. These servers change over time - are upgraded and so on. So I will put dns.cmrg.net:853 back on the list. dns.cmrg.net:443 comes with this warning - The server has TLS 1.0 enabled. Since the 30th of June 2018 it is non-compliant with PCI DSS.
So speed is not my main or only concern. When OPNsense moves to OpenSSL 1.1.0 Series with the 20.0 version then TLSv1.3 protocol will also be fully supported. I use these servers now on OpenWRT and pfSense 2.5.0 as both ship with OpenSSL 1.1 variants. If you read this guide carefully - and even some of the older ones - I explained that Please disregard and do not use any guides and / or tutorials which pre-date this one
Also I explain in all the guides that VERY IMPORTANT TIP:
Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares:
DoT servers The following servers are experimental DNS-over-TLS servers. So, you must constantly test and update your servers. I failed to do that with dns.cmrg.net and thanks for pointing that out. Look here : https://forum.opnsense.org/index.php?topic=12495.msg57456#msg57456 for information on testing DOT Servers

Peace,

directnupe

#25

Tutorials and FAQs / Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE

August 02, 2019, 12:06:06 AM

Dear firetron,
Hello and I hope that you are well. I have seen the DHCP option you mention, but I find that this is not necessary.
Just follow this tutorial as detailed here and everything will work as described as laid out here. Have you tried to implement the configuration as put forth here ? - if not - do so and report back with your results. My prediction is that you will find that your OpenVPN Client will function as designed. My setup works flawlessly - otherwise, I would not have posted this tutorial in the first istance.
Peace and God Bless,
directnupe

#26

Tutorials and FAQs / OPNSENSE DNS OVER TLS UPDATED NOW ! DEAD SIMPLE

July 15, 2019, 07:06:36 PM

Dear Community,
First you all know the drill by now - " The Intro " we would all have a better world if we remember to practice the concept that - NOW ! is the time for all of US ( A ) to GET UP & GET INVLOVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=1pvIarW3xHg Bonus JB : https://www.youtube.com/watch?v=v8TvBPshngE - Since version OPNsense 18.7 - you may install stubby and getdns on OPNsense by simply issuing command # pkg install getdns ( Special Thanks and Kudos to Franco and the marvelous OPNsense Development Team ) - Please disregard and do not use any guides and / or tutorials which pre-date this one which covers installation and configuration of DNS Privacy on OPNsense FireWall. This is an updated guide / tutorial which explains how to setup adding DNS-Over-TLS support for OPNsense. I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here :

https://getdnsapi.net/
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound - please read this carefully - you will note that it indicates : Unbound As A DNS TLS Client Features:Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).

I was asked by a still skeptical devotee of DOH
" What makes this way better than just running the DNS-over-https-proxy ?
My answer was : Read this and make your
decisions and conclusions concerning DOH vs DOT .
Here is the article below :
https://www.netmeister.org/blog/doh-dot-dnssec.html

Bottom Line Conclusion From Jan Schaumann - The Author of This Blog Entry :
For that, my current preference is quite clearly DNS-over-TLS:
I fear a bifurcation of DNS resolution by apps combined with the
push for using public resolvers with DoH will lead to a more complex
environment and threat model for many users.

Short Synopsis of DOH:
In other words , ( with DOH ) we gain the same
protections as with DoT for our web applications,
but leaves all other DNS traffic vulnerable.

Subsequently, as a matter of fact and in practice
with DNS OVER TLS ALL DNS traffic is invulnerable
and protected.This is why I run DOT and
eschew DOH on my OPNsense Router.

Further, Personally, I run GETDNS STUBBY and UNBOUND as
described here along with ( wait for it )
FireFox DOH along with Encrypted SNI - plus TLS v 1.3 in Stubby
and naturally a properly configured and encrypted VPN -

These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this:
https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt I always set up DNS OVER TLS first before configuring OpenVPN and / or WireGuard on OPNsense - this DNS solution works flawlessly with either VPN protocol. So here we go. So go ahead and issue command # pkg install getdns in order to get started. After installing getdns which includes stubby follow the steps below.

1 - Now Ryan Steinmetz aka zi - the port maintainer and developer of this port was kind enough to include a start up script ( stubby.in ) for this package. See the stubby.in here in the raw : https://svnweb.freebsd.org/ports/head/dns/getdns/files/stubby.in?view=markup. All I had to do was ask him and he did for any and all who elect to use this great piece of FreeBSD software.

2 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs Unbound root.key - run this command before getting started:
# su -m unbound -c /usr/local/sbin/unbound-anchor Then -
A - Issue this command :
# mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh
Make it executable - I run two commands - it works for me:
# chmod 744 /usr/local/etc/rc.d/stubby.sh # chmod a+x /usr/local/etc/rc.d/stubby.sh
B - Yes must enable Stubby Daemon in the file - open file by : nano /usr/local/etc/rc.d/stubby.sh
go to line 27 - : ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit.

3 - You can and should also check real time status of DNS Privacy Servers as they are experimental and are not always stable - you can monitor DNS TLS Servers Real Time Status here below:
https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/
I have read here: https://www.monperrus.net/martin/randomization-encryption-dns-requests that Also, it is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses.

Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml
VERY IMPORTANT UPDATE: After checking, rechecking and the triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/
I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is:
## All DNS Privacy Servers Below Tested and Updated On November 3 2020 With A+ Rating - 100% Perfecto Configuration on website: https://www.immuniweb.com/ssl/?id=Su8SeUQ4n ** These servers support the most recent and secure TLS protocol version of TLS 1.3 **
Good configuration - These server configurations support only TLSv1.2 and TLSv1.3 protocols - current most secure encryption.
# Also I have added the Country Locations of These DNS PRIVACY Servers using the Alpha 3 Code Format
# see country code lists here :
# https://www.nationsonline.org/oneworld/country_code_list.htm or https://www.iban.com/country-codes
# Use as many or as few depending on your specific needs

## Go Into SSH shell and enter : # nano /usr/local/etc/stubby/stubby.yml

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 9000
listen_addresses:
- 127.0.0.1@8053
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
round_robin_upstreams: 1
tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt"

upstream_recursive_servers:
### IPV4 Servers ###
### DNS Privacy DOT Test Servers ###
## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
- address_data: 185.49.141.37
tls_auth_name: "getdnsapi.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## 2 - The Surfnet/Sinodun DNS TLS Server #3 A+ ( NLD )
- address_data: 145.100.185.18
tls_port: 853
tls_auth_name: "dnsovertls3.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
## 3 - The The Surfnet/Sinodun DNS TLS Server A ( NLD )
- address_data: 145.100.185.15
tls_auth_name: "dnsovertls.sinodun.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
## 4 - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD )
- address_data: 145.100.185.16
tls_auth_name: "dnsovertls1.sinodun.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
## 5 - The dns.cmrg.net DNS TLS Server A+ ( CAN )
- address_data: 199.58.81.218
tls_auth_name: "dns.cmrg.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
## 6 - The BlahDNS Japan DNS TLS Server A+ ( JPN )
- address_data: 45.32.55.94
tls_auth_name: "dot-jp.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: gIoiNFxX1Nw+7/pVsmUKBU941bMBYjEYuB2T9drULOM=
## 7 - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU )
- address_data: 159.69.198.101
tls_auth_name: "dot-de.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: YZeyeJf/suAR2fMHLc9RDPkcQi/e8EEnzk5Y1N90QQE=
## 8 - The BlahDNS Finland DNS TLS Server A+ ( FIN )
- address_data: 95.216.212.177
tls_auth_name: "dot-fi.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc=
## 9 - The BlahDNS Singapore DNS TLS Server A+ ( SGP )
- address_data: 139.180.141.57
tls_auth_name: "dot-sg.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: iENlCR6FD7l71PESwzzBUGVgJ5MtJykG2F1fV1RyV4A=
## 10 - The dns.neutopia.org DNS TLS Server A+ ( FRA )
- address_data: 89.234.186.112
tls_auth_name: "dns.neutopia.org"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## 11 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT )
- address_data: 146.255.56.98
tls_auth_name: "dot1.applied-privacy.net"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: iPoeezj2bJ8n0ZgK7HWPy5g0E7nNB8ugiXGZOHslVMs=
## 12 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR )
- address_data: 51.38.83.141
tls_auth_name: "dns.oszx.co"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: uWtC2lljtQnMVcmKS8mt7sWHuS5mFJ9TWdBDv4ti830=
# 13 - The dismail.de DNS TLS Server #1 A+ ( DEU )
- address_data: 80.241.218.68
tls_port: 853
tls_auth_name: "fdns1.dismail.de"
tls_pubkey_pinset:
- digest: "sha256"
value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
## 14 - The dismail.de DNS TLS Server #2 A+ ( USA )
- address_data: 159.69.114.157
tls_port: 853
tls_auth_name: "fdns2.dismail.de"
tls_pubkey_pinset:
- digest: "sha256"
value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
## 15 - The Lorraine Data Network DNS TLS Server A+ ( FRA )
- address_data: 80.67.188.188
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## This certificate is currently expired which
## does not pose any concerns in SPKI mode
## (in practice with Stubby)
## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/
# 16 - The ibksturm.synology.me DNS TLS Server A+ ( CHE )
- address_data: 85.5.93.230
tls_auth_name: "ibksturm.synology.me"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: npNOnBcLbvZWZgdmcuFaEqYJbaGjBlHMf9DknDoIkgg=
## 17 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL )
- address_data: 46.239.223.80
tls_auth_name: "dns.flatuslifir.is"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: YdmlL2GSokMgH/t506AaHtdfhoW+WAPVwv4dAWGXYMs=
### Publicly Available DOT Test Servers ###
## 18 - The ContainerPI.com - CPI DNS TLS Server A+ ( JPN )
- address_data: 45.77.180.10
tls_auth_name: "dns.containerpi.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 0fDCu9NeTLXKniGX7Hqjq4PLqXV7kvxv04lAWs/dOHY=
## 19 - The FEROZ SALAM DNS TLS Server A+ ( GBR )
- address_data: 46.101.66.244
tls_auth_name: "doh.li"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: E3//wtQoI+p2eDg0+zEejPX3kHowMAUiLwGG6sGckFo=
## 20 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR )
- address_data: 217.169.20.23
tls_auth_name: "dns.aa.net.uk"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: N1HkO1CiKQiPYEoFjMMU/mgZc7PMPaVE016y5w8+hUg=
## 21 - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR )
- address_data: 217.169.20.22
tls_auth_name: "dns.aa.net.uk"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: Rq21Y/YgMvw00ZzFGsiJKTEz0u9BBecPl0ns9oploKE=
## 22 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS )
- address_data: 45.76.113.31
tls_auth_name: "dot.seby.io"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM=
## 23 - The dns.seby.io - OVH DNS TLS Server A+ ( AUS )
- address_data: 139.99.222.72
tls_auth_name: "dot.seby.io"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: y8hXAlkRxglOPlYivo/S/E1EfNFoU9f/Uf4dQcXiHhg=
## 24 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE )
- address_data: 185.95.218.43
tls_auth_name: "dns.digitale-gesellschaft.ch"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 831vfDRFtFD6GNs592KLJtGWy1174q+L9GrgLTiLEZo=
## 25 - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE )
- address_data: 185.95.218.42
tls_auth_name: "dns.digitale-gesellschaft.ch"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: amK6e4lPnP+3bOVdh8unyfcLBsCNyPfvHAws+hXCrX4=
## 26 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA )
- address_data: 168.235.81.167
tls_auth_name: "dns-nyc.aaflalo.me"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: +J+sm9pbtEYYrcm45xqRqsOKmFuwTFdfrct/n5N5Pzo=
## 27 - The Privacy-First DNS TLS Server #1 A+ ( JPN )
- address_data: 172.104.93.80
tls_auth_name: "jp.tiar.app"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: VVZwjDE4AgVuuGDxr3kja+u/0uw2LBoVeO5TH0tfTfU=
## 28 - The Privacy-First DNS TLS Server #2 A+ ( SGP Hosted In USA )
- address_data: 174.138.29.175
tls_auth_name: "dot.tiar.app"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: zI+rGvaSUWXd0uhG1w8ZgR2ZZCAVzfaLPgEg1R+ucfl=
## 29 - The ibuki.cgnat.net DNS TLS Server A+ ( USA )
- address_data: 35.198.2.76
tls_auth_name: "ibuki.cgnat.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: v1FqNAlDF1cvui9S6E1zGYOOiCON4JepZPbBeNqkAK0=
## 30 - The PI-DNS.COM West USA DNS TLS Server A+ ( USA )
- address_data: 45.67.219.208
tls_auth_name: "dot.westus.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: UqbpjW5q+T28xsDG0/QAlklvT39U5h+EtZ9l0/POwaw=
## 31 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA )
- address_data: 185.213.26.187
tls_auth_name: "dot.eastus.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: OupxDACOoLzFnGNfDLsv+Y1KOU/94kfV9wWnpP1+19g=
## 32 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU )
- address_data: 88.198.91.187
tls_auth_name: "dot.centraleu.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: a5xHUXhJT/rl7c9F1qNJafxosDRFNFA+qlLvE8WN56M=
## 33 - The PI-DNS.COM North Europe DNS TLS Server A+ ( FIN )
- address_data: 95.216.181.228
tls_auth_name: "dot.northeu.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: uPFdDaPL7tML0mdZg23LiXyC5AWp+wS+mRsxbeXpK8k=
## 34 - The PI-DNS.COM East Australia DNS TLS Server A+ ( AUS )
- address_data: 45.63.30.163
tls_auth_name: "dot.eastau.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: wTfoz9ckLNEh8Z5+Z+87gLWV/OjNLXCBq1XYnLvmXDk=
## 35 - The PI-DNS.COM East Asia DNS TLS Server A+ ( USA )
- address_data: 66.42.33.135
tls_auth_name: "dot.eastas.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: yZvYIR4ivuMRoAD/P8RBcc5TC31BRmcnVJGULFZ4Ows=
## 36 - The Snopyta DNS TLS Server A+ ( FIN )
- address_data: 95.216.24.230
tls_auth_name: "fi.dot.dns.snopyta.org"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: CgI1BzAYzsdcueKIbt682Gu+QEN2z9KDMCLdD192FSA=
## 37 - The NixNet Uncensored Las Vegas DNS TLS Server A+ ( USA )
## - or use ( tls_auth_name: "adblock.lv1.dns.nixnet.xyz" )
- address_data: 209.141.34.95
tls_auth_name: "uncensored.lv1.dns.nixnet.xyz"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: d4gBa/F8dM8cWcCpisAzVTp0SGKAEdfsM/2gHe/xJlk=
## 38 - The NixNet Uncensored New York DNS TLS Server A+ ( USA )
## - or use ( tls_auth_name: "adblock.ny1.dns.nixnet.xyz" )
- address_data: 199.195.251.84
tls_auth_name: "uncensored.ny1.dns.nixnet.xyz"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: g1jYIvb7hZn98EN0dZszrwdqZTE7so7j6Kb8tvuZQDc=
## 39 - The NixNet Uncensored Luxembourg DNS TLS Server A+ ( LUX )
## - or use ( tls_auth_name: "adblock.lux1.dns.nixnet.xyz" )
- address_data: 104.244.78.231
tls_auth_name: "uncensored.lux1.dns.nixnet.xyz"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 2Lx5gMhMV5DAfJKQcEJ+bL5RKFqgcPV/4gveSCMV6ps=
## 40 - The Lelux.fi DNS TLS Server A+ ( FRA Hosted In GBR )
- address_data: 51.158.147.50
tls_auth_name: "resolver-eu.lelux.fi"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: J9bGpxSju+xN7J9vu4W7+U6jzT1BpwoTCKMeqwf80u8=
## 41 - The Lightning Wire Labs DNS TLS Server A+ ( DEU )
- address_data: 81.3.27.54
tls_auth_name: "recursor01.dns.lightningwirelabs.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 8jveGZnOPVo3ZEpqP373s58WRH802JRT6s7iG1JEMwY=
## 42 - The dnsforge.de DNS TLS Server #1 A+ ( DEU )
- address_data: 176.9.1.117
tls_auth_name: "dnsforge.de"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
## 43 - The dnsforge.de DNS TLS Server #2 A+ ( DEU )
- address_data: 176.9.93.198
tls_auth_name: "dnsforge.de"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
# 44 - The Freifunk München DNS TLS Server A+ ( DEU )
- address_data: 195.30.94.28
tls_auth_name: "doh.ffmuc.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: xDA3eGNf/X3vu9frKPawOAnVFIjIqjp9KxR5nd4ZrQQ=
## 45 - The CIRA Canadian Shield DNS TLS Servers A+ ( CAN )
- address_data: 149.112.121.10
tls_auth_name: "private.canadianshield.cira.ca"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw=
- address_data: 149.112.122.10
tls_auth_name: "private.canadianshield.cira.ca"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw=
# 46 - The dns.dnshome.de DNS TLS Server #1 A+ ( DEU )
- address_data: 185.233.106.232
tls_auth_name: "dns.dnshome.de"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc=
- address_data: 185.233.107.4
tls_auth_name: "dns.dnshome.de"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc=
## 47 - The Usable Privacy DNS TLS Server A+ ( DEU / AUT )
- address_data: 149.154.153.153
tls_auth_name: "adfree.usableprivacy.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: apo4E7JrhTTLL08Y3JLq68Gp6yG1TgHKtwaQKnhqWFs=
## 48 - The DeCloudUs DNS TLS Server A+ ( DEU )
- address_data: 176.9.199.152
tls_auth_name: "dot.decloudus.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: CIeKIadXRDK1slGmnnQzvC38rKBbcGaSyXMPG6leHJA=
## 49 - The Hurricane Electric DNS TLS Server A+ ( USA )
- address_data: 74.82.42.42
tls_auth_name: "ordns.he.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: G9pQNrYB98Wll0AmBF/GsMMn6gaDbXDnInV1je1MaPo=
## 50 - The Stéphane Bortzmeyer DNS TLS Server A+ ( FRA )
- address_data: 193.70.85.11
tls_auth_name: "dot.bortzmeyer.fr"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: eHAFsxc9HJW8QlJB6kDlR0tkTwD97X/TXYc1AzFkTFY=
## 51 - The LibreDNS DNS TLS Server #1 A+ ( IND )
- address_data: 116.202.176.26
tls_auth_name: "dot.libredns.gr"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: V0Y0pvWkAwOPkNSPxDyZd/vJ2bo40ylADWJFu/ubPlM=
## 52 - The LibreDNS DNS TLS Server #2 A+ ( IND )
- address_data: 116.202.176.26
tls_auth_name: "dot.libredns.gr"
tls_port: 854
tls_pubkey_pinset:
- digest: "sha256"
value: V0Y0pvWkAwOPkNSPxDyZd/vJ2bo40ylADWJFu/ubPlM=
### Anycast Publicly Available DOT Test Servers ###
## 53 - The DNSlify DNS TLS Servers A+ ( Anycast )
- address_data: 185.235.81.1
tls_auth_name: "doh.dnslify.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM=
- address_data: 185.235.81.2
tls_auth_name: "doh.dnslify.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM=
### DNS Privacy Anycast DOT Public Resolvers ###
## 54 - The DNS.SB DNS TLS Servers A+ ( Anycast )
- address_data: 185.222.222.222
tls_auth_name: "dns.sb"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
- address_data: 185.184.222.222
tls_auth_name: "dns.sb"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
## 55 - The DNSPod DNS TLS Server #1 A+ ( CHN )
- address_data: 162.14.21.178
tls_port: 853
tls_auth_name: "dns.pub"
tls_pubkey_pinset:
- digest: "sha256"
value: Q1JRqG379NbZYD6KcA+jl8co9wuQNhg/YmN4dLImQpM=
## 56 - The DNSPod DNS TLS Server #2 A+ ( CHN )
- address_data: 162.14.21.56
tls_port: 853
tls_auth_name: "doh.pub"
tls_pubkey_pinset:
- digest: "sha256"
value: Q1JRqG379NbZYD6KcA+jl8co9wuQNhg/YmN4dLImQpM=

# Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
#tls_ciphersuites option. This option can also be given per upstream.
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_min_version: GETDNS_TLS1_2
# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_max_version: GETDNS_TLS1_3

Save and Exit

Configure Stubby To Implement TLSv1.3 For OPNsense 20.1 And Above

Add this entry ( found directly above ) to the bottom of your stubby.yml
configuration file ( aka /usr/local/etc/stubby/stubby.yml ) -
make sure to skip a line after last entry before appending these settings:

Starting with OPNsense 20.1-RC1 in order for TLSv1.3 protocol to work properly
( read at all ) in your Stubby instance, OpenSSL 1.1.1 must be active and configured
in the kernel. OPNsense 20.1-RC1 and above does provide OpenSSL 1.1.1 support.
When you have OpenSSL 1.1.1 with TLSv1.3 support simply add the section above in order to set
Stubby to implement TLS1.3. The operative lines necessary are these two specifically
found at the bottom of the stubby.yml file above:

tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
tls_max_version: GETDNS_TLS1_3

See below for TLS1.3 Support Check SSH Commands -

openssl s_client -connect 46.101.66.244:853

OR :

openssl s_client -connect 45.32.55.94:443

Read Out Will Be Verified By These Lines Below:

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_CHACHA20_POLY1305_SHA256

OR :

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384

Depending on Configuration on Tested DOT Server

Note: You will not get a readout indicating that the selected Tested DOT Server utilizes
TLS1.3. This is due to the fact that OPNsense 20.1 does not fully utilize OpenSSL 1.1.1 -
When you run command # openssl version - you will see that OPNsense 20.1 still runs on
OpenSSL 1.02 - This is slated to be fixed on the next major OPNsense release.

Lastly, you can and should take advantage of this new DNS OVER TLS provider.
You need to sign up and use configured settings in order to use it.
NextDNS is a free service - ANYCAST and pretty much cutting edge.
ANYCAST speeds up your DNS - Here it is:
NextDNS https://my.nextdns.io/signup

or feel free to use and test
NextDNS " Try it now for free " Feature
go to : https://nextdns.io/

I also strongly encourage you to subscribe to blockerDNS found here : https://blockerdns.com/
This new DOH / DNS OVER TLS provider is the fastest I have run across. blockerDNS is run by
Tambe Barsbay a seasoned, thorough and extremely proficient tech practitioner.
blockerDNS is based in the U.S. and its infrastructure is hosted on Google Cloud Platform
and DigitalOcean. You can view blockerDNS subscription options here : https://blockerdns.com/tryit -
Most significantly, Tambe stands by his claim that he offers " Instant support by phone or email ".
Overall blockerDNS is a great DNSPRIVACY DNS Service. Tip : The Mobile $0.99 per month option should
suffice for most home users. Links : https://tambeb.com/ https://blockerdns.com/blog
https://blockerdns.com/support https://blockerdns.com/overview

All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details : https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under " Logging " column.

Use either or both of these two methods to verify QNAME Minimisation
A - Run command : drill txt qnamemintest.internet.nl
and / or
B - Run command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for more complete readout including DNSSEC results ).
AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated)
The results in any of these scenarios will show either:
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
or "NO - QNAME minimisation is NOT enabled on your resolver :(."
Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4
You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration.

Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default.
However, I still add these settings manually.
These settings are entered under Unbound " Custom Options":
qname-minimisation: yes
qname-minimisation-strict: yes
harden-below-nxdomain: yes

4 - In order to have OPNsense use default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :

# touch /etc/rc.conf.d/stubby - create the needed new file
# nano /etc/rc.conf.d/stubby - in the new file enter the following two lines:

stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Save and exit / then make the file executable - once again - works for me : # chmod 744 /etc/rc.conf.d/stubby # chmod a+x /etc/rc.conf.d/stubby

5- Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.

UNBOUND GENERAL SETTINGS
Network Interfaces = Select ALL !

Under Custom options enter the following :
server:
do-not-query-localhost: no
forward-zone:
name: "." # Allow all DNS queries
forward-addr: 127.0.0.1@8053
## END OF ENTRY

Outgoing Network Interfaces = Select ALL !

Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings

Next -Under System > Settings > General Settings

Set the first DNS Server to 127.0.0.1 with no gateway selected /

Make sure that DNS server option

A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked !

and DNS server option

B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not - I repeat - Is Not Checked !

I now only run 127.0.0.1 ( Localhost ) configured as the only DNS SERVER on my WAN interface. If others were added to WAN, when I ran dig or drill commands /etc/resolv.conf allowed those addresses to be queried. I only want to use Stubby yml Name Servers for DNS TLS , so this was the determinative factor in my reasoning and decision.

- Save and Apply Settings

C'est Fini C'est Ci Bon C'est Magnifique

Reboot your router just to sure. Lastly, you can check your DNS at GRC DNS Nameserver Spoofability Test - DNSLeak.com - or any such service. Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.

VERY IMPORTANT TIP:
Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares:
DoT servers
The following servers are experimental DNS-over-TLS servers.
Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!
For these reasons it is most important to check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time. There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to https://blahdns.com/ and scroll down to the section to the yellow section entitled What is DNS OVER TLS click on it and it will open up.
When you do it will state some general information, but what you want to pay attention to is this section:
How to get SPKI
Most Simple and Direct Method:
gnutls-cli --print-cert -p 853 159.69.198.101 | grep "pin-sha256" | head -1
And / Or With Adjustment For SSL Port and Address Being Tested
gnutls-cli --print-cert -p 443 159.69.198.101 | grep "pin-sha256" | head -1 - where you must pkg install gnutls
OR
echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Remember to change port to 443 or port for IPV6 if different than standard 853 where applicable.

https://www.dnsleaktest.com/ https://www.perfect-privacy.com/dns-leaktest https://cryptoip.info/dns-leak-test
https://www.grc.com/dns/dns.htm https://www.vpninsights.com/dns-leak-test and last but not least

https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test https://bash.ws/dnsleak/test/

Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider.
I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security.

Special thanks to all who helped me with this project.

Thank you all and God Bless Always In Peace,

directnupe

#27

Tutorials and FAQs / HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE

July 12, 2019, 10:08:29 PM

Dear Community,
As is my wont as of late along with my personal inclinations and indulgences - here we go with the intro: I know you got it - lyrics to sing along : https://genius.com/Bobby-byrd-i-know-you-got-soul-lyrics and video : https://www.youtube.com/watch?v=-aY4x5l2QzA and Bonus : Take This with you as as we stroll along : https://genius.com/Hank-ballard-from-the-love-side-lyrics and video : https://www.youtube.com/watch?v=zKKcArCApx0 - Hello and here is the tutorial which details exactly how to get the great Hardened BSD based Distro OPNsense up and running with TORGUARD OpenVPN Client. OPNsense found here: https://opnsense.org/about/features/ and downloads found here : https://opnsense.org/download/

A - To begin you need to get your OpenVPN configuration files from the TORGUARD website. To do so login your TORGUARD account then go to Tools ( along the top of Login Page ) from drop Down Menu click on OpenVPN Config Generator. On this page that opens up - select in order - VPN Server Hostname/IP, VPN Protocol, VPN Port, VPN Cipher, OpenVPN Build, and whether or not you want to require TLS 1.2 as a minimum. After entering your choices, click on green " Generate Config " Box and download and save the file as we will use this later on in this process to configure OpenVPN settings on OPNsense FireWall.

B -Open the downloaded file ( it normally has same random number - mine is 96 in this example ). The first piece you need from this file is the CA ( certificate authority ). TORGUARD has just updated their certificates and are also in the process of enabling IPV6 support. Things just keep getting better with TORGUARD. There are actually two certificates in file - along with a tls-auth key. Let me back up for a minute - I chose NJ server UDP protocol - port 1195 - sha256 - aes-256-gcm - Build OpenVPN 2.4 and above plus checked box for TLS 1.2 - Your file may have different options depending on how you choose to connect to TORGUARD Server.

C - Now - to proceed - the CA you want ( in this case ) is the first one listed. Here is a direct link to the CA in case you prefer to grab it by this method : https://torguard.net/downloads/ca.txt - After you have this certificate log into your OPNsense Firewall - you will be presented with the " Lobby: Dashboard " page. You can always get back to this page by clicking on " OPNsense Logo " at the uppermost left corner of page. This is where you find " The OPNsense Menu Settings " which is from where we will configure TORGUARD OpenVPN Client. I will be using the .ovpn file and server I mentioned earlier for the purposes of this tutorial going forward.

1 - Begin by entering the ca in the appropriate field. In order to this, first Click on > System. A sub-menu will will be revealed - look for for the entry labeled " Trust ". Click on " Trust " - from there another sub-menu pops up - In that sub-menu Click on " Authorities " so that we can add the TORGUARD-CA to our firewall. You will now be on a landing page entitled " System: Trust: Authorities ".

Follow the steps below:

Click on ( + ) Add in the uppermost right corner of this page.
Follow these instructions:

Method: Import an existing Certificate
Description: TORGUARD
Certificate data: ( enter ( copy and paste ) certificate data content between <ca> and </ca> from the CA mentioned above)

Click Save . ( Do not alter / enter anything else here - leave at defaults )

Now we need to configure OPNsense TORGUARD OpenVPN Client . Click on " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui. . This action refreshes the Web Gui. which brings us back to the full Menu on the furthest most left column of the OPNsense Web Gui. Remember this as you can always get back to the full Menu by this method.

2 - Click on " VPN " in the left side vertical Menu. From the pop-up sub-menu Click on " OpenVpn ". From that pop-up sub-menu Click on " Clients ". When you click on " clients " you will be presented with the " VPN: OpenVPN: Clients " Landing page. In order to proceed,

Click on ( + ) Add in the uppermost right corner of this page.
Follow these instructions:

Once on this page- enter these are settings:

Disabled: Unchecked

Description: TORGUARD-NJ

Server mode: Peer to Peer ( SSL/TLS)

Protocol: UDP

Device mode: tun

Interface: WAN

Remote server: nj.east.usa.torguardvpnaccess.com Port: 1195

Select remote server at random : Unchecked

Retry DNS resolution: Checked
( Infinitely resolve remote server )

Proxy host or address: Blank

Proxy port: Blank

Proxy Authentication: none

Local port: Blank

User Authentication Settings:
User name/pass: ( from your TORGUARD Account )
Username: enter TORGUARD user name from Manual setup > userpass.txt file ( found on first line )
Password: enter TORGUARD password from Manual setup > userpass.txt file ( found on second line )

Renegotiate time : Blank

TLS Authentication: Leave this checked ( Uncheck box directly below it then enter tls-auth key from TORGUARD )

Automatically generate a shared TLS authentication key. ( Uncheck this box first and then enter tls-auth key from
OpenVPN Config you generated and downloaded at the very beginning )

Peer Certificate Authority: TORGUARD ( name will be the " Descriptive name " you gave CA in Step 1 )

Client Certificate: None ( Username and Password required)

Encryption Algorithm: AES-256-GCM (256 bit key, 128 bit block)

Auth digest algorithm: SHA256 (256-bit)

Hardware Crypto: No Crypto Hardware acceleration

IPv4 Tunnel Network : Blank

IPv6 Tunnel Network : Blank

IPv4 Remote Network : Blank

IPv6 Remote Network : Blank

Limit outgoing bandwidth : Blank

Compression: No Preference

Type-of-Service : Blank

Disable IPv6: Checked

Don't pull routes: Blank

Don't add/remove routes : Blank

Advanced configuration:

persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
auth-retry interact
compress
auth-nocache
script-security 2
mute-replay-warnings
ncp-disable
key-direction 1
setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

Verbosity level: 3 ( recommended )

Click Save.

You are redirected to VPN: OpenVPN: Clients Landing page and you should see a "green arrow" by "UDP nj.east.usa.torguardvpnaccess.com:1195 " in this example. Once you see this arrow, you will see that you are still in the OpenVPN pop-up sub-menu. Now, click on " Connection Status " in the OpenVPN pop-up sub-menu. This takes you to the VPN: OpenVPN: Connection Status Landing page. You should check under " Status " and make sure that it indicates that you tunnel is " up ".

3 - We now need to add a Hybrid Firewall Rule in order to get OPNsense TORGUARD OpenVPN fully up, running and completed.
We do this as follows. Once again, Click on " OPNsense Logo " at the op of the left uppermost corner of the OPNsense Web Gui - this action refreshes the Web Gui. which brings us back to the full Menu on the furthest most left column of the OPNsense Web Gui.
Follow these instructions:

A- Click on Firewall ( once again a pop-up sub-menu appears )
B - On that sub-menu click on NAT ( once again a pop-up sub-menu appears )
C - From that sub-menu click on Outbound ( you will now be presented with the Firewall: NAT: Outbound Landing page )

Once on the Firewall: NAT: Outbound Landing page, place a dot in the Hybrid outbound NAT rule generation
(automatically generated rules are applied after manual rules) radio button.Click Save ( which is located at the top of the page under the " Mode " section.

After clicking save, DO NOT ! - Repeat Do Not Click Apply ! at this time. Instead- Click on ( + ) Add in the uppermost right corner of this page. you will presented with the " Edit Advanced Outbound NAT entry " Landing page. Change the " Interface " setting from Wan to " OpenVPN " from the drop down menu. Also , for Description : enter ( Made For TORGUARD ). Do not touch or change anything else whatsoever on this page.

Click Save -and you will be redirected to the Firewall: NAT: Outbound Landing page. You will see at the very top of the page it says " The NAT configuration has been changed.You must apply the changes in order for them to take effect. " So, Click on Apply Changes at the top of the page. Done with Firewall Rules for OPNsense TORGUARD OpenVPN.

Once again, Click on " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui - this action refreshes the Web Gui. which brings us back to the full Menu on the furthest most left column of the OPNsense Web Gui.
Follow these instructions:'

Click on " VPN " in the left side vertical Menu. From the pop-up sub-menu Click on " OpenVPN ".

A - Now, click on " Connection Status " in the OpenVPN pop-up sub-menu. you still should be up and running
B - From the same OpenVPN pop-up sub-menu - click on " Log File " and you should see that you are connected.

Good News ! I erroneously reported earlier that your WAN would not reboot without disabling OpenVPN Client using the Hybrid FireWall detailed in this tutorial. Actually, I was testing the setup on a an OPNsense VMware Work Station Machine. I can now emphatically state and assure you that your WAN will reboot if you use this setup ( along with Hybrid FireWall Rule ) on a real physical hardware installation. I disable all properties on the WAN interface when using Virtual Machines ( an old habit ) EXCEPT for VMware Bridge Protocol. This may be the problem when I deploy OPNsense on VMware Virtual Machine. I will test back and report back later. The good thing about VMware is that you can take snapshots, so you can always go back if you make an error. However, the BOTTOM LINE is that you can implement this guide on a hardware installation AS IS ! without any issues on OPNsense reboot. I will write up an updated tutorial for DNS OVER TLS WITH GETDNS+STUBBY on OPNsense. Since version OPNsense 18.7 - you may install stubby and getdns on OPNsense by simply issuing command # pkg install getdns - I am running DNS OVER TLS with OpenVPN now - and it works beautifully.

Lastly, in order to check that your are connected to TORGUARD - go to : https://torguard.net/whats-my-ip.php . At the very top of the page on the upper left hand side - click on " Check Now " and down under " Your Current Info " you will see your TORGUARD ROUTED OpenVPN IP Address - next to it you will see this : IP Address: 23.226.128.162 (Protected) - the key is you are now " Protected " which means that you are now successfully connected via TORGUARD OPNsense OpenVPN CLIENT. This setup will work with virtually any commercial OpenVPN Service Provider - trust me; I have tested a few others in addition to TORGUARD as outlined here in this tutorial. Remember that you may have to modify settings depending on your personal configuration and / or the features ( cryptography and so on ) that your commercial OpenVPN Service Provider supports and deploys.

Peace & Universal Love

#28

Tutorials and FAQs / Re: HOW TO WIREGUARD OPNsense CLIENT DEAD SIMPLE

July 11, 2019, 11:00:16 PM

Dear mimugmail.
First of all - Hello ! :) Pleased to make your acquaintance - and by all means I do appreciate all the work that you have in the development of WireGuard on OPNsense. Further, I want to thank you for availing me of the knowledge that opnsense-code ports and pkg install wireguard and pkg install wireguard-go options are available. That saves me a ton of work. I will work up a new tutorial which reflects those methods of installation and configuration of WireGuard on OPNsense.
As far as your comment observation : Last and most important thing, you didn't cover the creation of keys and how to exchange them, this is the most annoying part of WireGuard and that's why the handling of the plugin is so hard to understand. Well, this is where a whole confusing kettle of fish opens up ( at least for me ) and many others I am sure. You see when one ( in this case me ) uses a commercial VPN provider for their WireGuard Service and configuration files- there is no need for the creation of keys and how to exchange them As you cite in your tutorial here: https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/ and I quote : " Normally the creation of a new server instance would create a new keypair. Since the keys with Azire are managed by them you have to include the private key from the text file you downloaded and set as Tunnel Address the one in the config. " So - from what I can gather this is sort of like OPENVPN - you can run your server and connect clients OR you can buy a subscription to a VPN Service Provider and connect to their servers ( using their keys and so on ) and run an OPENVPN Client solely.
I tried to make it clear in this tutorial that this is for commercial WireGuard Clients from providers which I listed in this guide - TorGuard, AzireVPN, VPN.ac, Mullvad, IVPN, are commercial VPN providers which offer LIVE ! WireGuard Services now. However, I can guarantee that this configuration works without me having to generate or exchange keys - that process is taken care of ( as you stated in your guide ) by Azire or whatever VPN service. As I said - this is what had me pulling my hair out. I will try to more plainly and emphatically make it clear that this setup is for Commercial WireGuard Clients ONLY !
Once again, I wish to thank you for all of your work and the information that you imparted to me regarding the options for installing wireguard and wireguard-go without having to go through the arduous task of building a package from scratch using FreeBSD Build Server. Maybe - someday - somehow we can make it clear that there are different methods of setting up WIREGUARD - this guy here even runs multiple instances of WIREGUARD : https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/ and I have seen others doing this as well in the OPNsense Forums - but all of this is way beyond me.
God Bless You and Yours Always In Peace and Grace,
directnupe

#29

Tutorials and FAQs / HOW TO WIREGUARD OPNsense CLIENT DEAD SIMPLE

July 11, 2019, 08:56:35 PM

Dear Community,
And I quote " Jimi ": I see that we meet again hmmm " see here: https://youtu.be/gFAQWjdCO8o and for the purpose as stated by the leader of The Family Stone " I Want To Take You Higher - see here : https://www.youtube.com/watch?v=1fQvlN8Aizw&pbjreload=101 Now after the intro - let's get down to business. This tutorial guide details dead simple GUARANTEED method(s) to get WIREGUARD Client up and running on OPNsense Firewall. I will explore the one I prefer first. Some of you may remember my work with GETDNS and STUBBY. Please read Mimugmail's comments ( the developer and maintainer of os-wireguard-devel plugin ) below in the first reply to this tutorial. He was kind enough to inform me of a few points so no one does extra work. Specifically, Mimugmail details methods for easier OPNsense ports installation and / or easier method to install WireGuard and WireGuard-Go packages. This installation is for commercial WireGuard Clients ONLY ! - where creation of keys and how to exchange them is not needed. The keys are generated and managed by your WireGuard VPN service provider - in my case - TorGuard.

1 - As per Mimugmail's advice you can choose to install WireGuard either through ports or pkg install method. From his reply : You can install wireguard just via # pkg install wireguard && pkg install wireguard-go. The pkg versions are always the latest which were available at the time of the release. The version you mention here is already in the ports tree but the pkg will be in the next minor release. To speed this up you could also do on your opnsense installation: # opnsense-code ports && cd /usr/ports/net/wireguard && make install - As I wanted the latest package ( I did not care to wait for pkg update on OPNsense and I do not like installing the entire OPNsense Ports collection on my OPNsnese Instance ) - I did the following and it worked out great.

2 - First install the necessary packages which are in the OPNsense repository by default with the command : # pkg install wireguard && pkg install wireguard-go - As Mimugmail points out, this will install latest versions of these packages. Ready to get this going and up and running then follow steps below.

3 - To begin you need to get your WIREGUARD configuration files from the TORGUARD website. To do so login your TORGUARD account then go to Tools ( along the top of Login Page ) from drop Down Menu click on Enable WIREGUARD Access. You will then be in your TorGuard Account Area. You will see this message along the top : Below is a list of WireGuard VPN Servers, Please click enable in front of the servers you like to connect to, and use the returned keys shown to connect. Currently, TORGUARD offers WIREGUARD Servers in USA - New York ( quite actually situated in Clifton, New Jersey ), Asia - Singapore and Europe - UK. Click on your preferred Server - Enable WIREGUARD. This will result in a green box below the now grayed out box - which states now Disable WIREGUARD- naturally leave your server enabled as you want to connect to the now enabled server. Next, Download Config file as the box allows you to do now that you have enabled your WIREGUARD Server. You will also see in the adjoining box the following :

Location VPN Server Keys Manage
USA - New York 1 159.xx.xxx.xx:xxx Server Public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
Your Private Key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
Your Address: 10.xx.x.xxx/24

4 - Now I used this guide as the template for my manual installation of WIREGUARD on OPNsense see here : https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/ I will make this simple for you step by step. You may sing and / or hum along as we proceed.
A- First - configure WireGuard Client. TorGuard, AzireVPN, VPN.ac, Mullvad, IVPN, are commercial VPN providers which offer LIVE ! WireGuard Services now. I use TorGuard here is a sample file. Keys are dummies - only used for illustrative purposes in this tutorial- Use your real WireGuard configuration file here: Create file by command line - # nano /usr/local/etc/wireguard/wg0.conf - and enter the configuration file below ( copy and paste ) - substitute your real one. Save and Close. Done with this file.

# TorGuard WireGuard Config
[Interface]
PrivateKey = cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
ListenPort = 51820
DNS = 104.223.91.210
Address = 10.xx.x.xxx/24

[Peer]
PublicKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
AllowedIPs = 0.0.0.0/0
Endpoint = 159.xx.xx.xxx:xxx
PersistentKeepalive = 25

B - Secondly, run command via SSH # wg-quick up wg0 ( wireguard-go is in package and this action creates wireguard interface ) You may also run # wireguard-go wg0 to create wg0 but I prefer the first method mentioned here.

5 - Configure WireGuard Service with rc.d - for automatic startup/shutdown of the tunnel. In order to achieve this there's already an rc.d script /usr/local/etc/rc.d/wireguard which came with the wireguard package. You need to issue this command : # mv /usr/local/etc/rc.d/wireguard /usr/local/etc/rc.d/wireguard.sh then enter the file - # nano /usr/local/etc/rc.d/wireguard.sh Then go to bottom of file - lines 46 and 47 - change : ${wireguard_enable="NO"} to : ${wireguard_enable="YES"} and then add wg0 on line 47
: ${wireguard_interfaces=""} to : ${wireguard_interfaces="wg0"} ( wgZero ) - Save and Close - Make it executable, I run two commands - it works for me: # chmod a+x /usr/local/etc/rc.d/wireguard.sh # chmod 744 /usr/local/etc/rc.d/wireguard.sh - Done with this file.

6 - In order to have OPNsense use default start up script ( /usr/local/etc/rc.d/wireguard.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following : # nano /etc/rc.conf.d/wireguard - in the new file enter the following two lines:
wireguard_enable="YES"
wireguard_bootup_run="/usr/local/etc/rc.d/wireguard.sh" Save and Close - Make it executable- # chmod a+x /etc/rc.conf.d/wireguard # chmod 744 /etc/rc.conf.d/wireguard / Done with this file.

7 - Now head to OPNsense WEBGUI in order to configure Wireguard Interface ( created earlier ) and FireWall Rule. First, on Left Side WebGui Column - go to Interfaces > Assignments -you will see wg0 interface - click (+) add button /symbol. Once the wg0 interface is listed as OPT ( 1 - 2 depending on your setup ) - Click underneath it - - enter checks in " Prevent interface removal' and " Enabled " - and enter description - I call mine " WIRE " - DO NOTHING ELSE HERE ! Save and Apply - Done with this phase.
Second - Firewall Rule - on Left Side WebGui Column - go to Firewall > NAT > Outbound > Once on this Landing Page put a Dot in radio button Hybrid outbound NAT rule generation - Click on Save - Do Not - Repeat Do Not Click Save and Apply At This Time - Instead Click on Add (+) Button on right side top of page - on the page which opens change Interface from WAN in drop down menu to your Wireguard ( wg0 ) Interface - in my case " WIRE " as I labeled it in the description of the interface I added earlier. Next - Change Source Address to " Lan net " and Translation/target to Interface address. Enter " Description -e.g. " Made For Wire " now Click " Save " at bottom of page. You will be taken back to Firewall:Nat:Outbound Landing Page - Click on " Apply Changes " in right upper hand corner - Done with Firewall Rule for Lan. Repeat Firewall Rule Operation for all of your other Lan Interface Subnets if you choose to do so.

Your WireGuard Client is now installed and ready - you may enter command #
/usr/local/etc/rc.d/wireguard.sh restart in order to start it up. You may also reboot your OPNsense Router. Lastly, issue command # wg show which prints out your WireGuard Connection statistics and configuration. I will install wireguard via # pkg install wireguard && pkg install wireguard-go as my go to method in the future.

Peace and Grace Be Unto All God's Creation

#30

Tutorials and FAQs / Utmost Security For Those Who Deploy Stubby GETDNS

April 20, 2019, 07:05:11 PM

How Maintain Online Optimal Security - DNS OVER TLS Servers' SPKI pin(s) Maintenance and UpKeep -

See VERY IMPORTANT UPDATE: at end of this post for best DNS Privacy Test Servers configuration for STUBBY.

ForeThought: If you have figured out how to keep your DNS OVER TLS servers' SPKI pin(s) up to date and secure then skip to the last section where there is an excellent website : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 for running an in depth SSL Security Test for all the servers you chose to deploy on your network.
My Dear Community,
There has been some understandable consternation and occasional grumblings concerning the hassles and difficulties inherent in having
to update and authenticate SPKI pin(s) when running DNS OVER TLS ( DNS Privacy Test Servers ). Towards making this process somewhat more
manageable and easier, I will share with you here some of the methods I employ towards achieving this goal.
First - I have found there are times where listed DNS Privacy Test Servers change their server IP's and / or hostnames from the ones listed found here: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) on the official page for this project. A few are horribly outdated. In order to avoid falling into this pitfall, I suggest that you do the following periodically.

A - Enter this command from SSH - dig +short dot-jp.blahdns.com ( for example ). This will return the current IP address of the server.
In this case 108.61.201.119 - For instance I use a DNS OVER TLS server not mentioned on the DNS Privacy Test Server page - doh.defaultroutes.de - by running dig +short doh.defaultroutes.de - I confirmed the server address as 5.45.107.88. By the way the maintainer of this server mistakenly posted the SPKI pin for his server as the main Let's Encrypt Certificate - not the first one in the hierarchy. See below after I ran command - kdig -d @5.45.107.88 +tls-ca +tls-host=doh.defaultroutes.de example.com - the prinout read:

;; DEBUG: #1, CN=doh.defaultroutes.de
;; DEBUG: SHA-256 PIN: zYnx/ptyLlxHp9RQ5cHXbe2HJLXyZUT3A/lbyhd0B/M=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.

You see the first certificate is the correct one. While # 2 belongs to Let's Encrypt ( YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg= ) and is on all the certificates they issue and is valid for the next 697 days - you do the math. He in error listed the wrong PIN.

You may also issue the host command - host dot-jp.blahdns.com - which returns dot-jp.blahdns.com has address 108.61.201.119 and dot-jp.blahdns.com has IPv6 address 2001:19f0:7001:1ded:5400:1ff:fe90:945b
You may also use nslookup command which works both ways - nslookup dot-jp.blahdns.com returns both the IPv4 and IPV6 server addresses.
nslookup 108.61.201.119 this returned with an answer for the server being jp1.blahdns.com - this error is why you need to run more than method to validate your findings for your settings.
I chose BlahDNS because not too long ago they changed both their servers' IP and hostnames. In addition their SPKI pin(s) have been updated ( changed ). Many ( not all ) of these DNS Privacy Test Server providers use Let's Encrypt Certificates and as many of you well know these must be renewed every three months. I will address this as we continue along.
Lastly, if needs be for any reason try Googling the server hostname or IP address to see if either has been modified.

Secondly - Now let's move on to see if are DNS OVER TLS servers' SPKI pin(s) are verified as being current ( not expired ) and trusted.
A - The easiest and most straightforward method of attempting to do this is to issue this command: gnutls-cli --print-cert -p 443 108.61.201.119 - where 443 is the port I chose to connect to the dot-jp.blahdns.com DNS TLS server. If I selected to connect over port 853 the I would have issued - gnutls-cli --print-cert -p 853 108.61.201.119 . BlahDNS permits both ports 443 and 853 for TLS - see here for real time status and configuration of DNS Privacy Test Servers : https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ You must install
gnutls-utils in order to run the commands. The problem here is that at times the output will falsely state that the certificate is not trusted. However - if you look along the top the printout will tell you much of this needed information.

- subject `CN=dot-jp.blahdns.com', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04dc4acf35d3bc6a62c79b553835e66351ac, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-10 19:13:11 UTC', expires `2019-07-09 19:13:11 UTC', pin-sha256="B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4="

The certificate is B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4= and is good from 2019-04-10 19 until 2019-07-09 19. Run kdig below in order to see if the certificate is truly trusted.

B - The second method is to install knot-dig ( OpenWrt ) or Knot2 ( FreeBsd ) ( you need to be able to run kdig command ). keeping with our example: kdig -d @108.61.201.119 +tls-ca +tls-host=dot-jp.blahdns.com example.com - this methods prints the CN ( Certificate Name ) and SHA-256 PIN: B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4= ( aka SPKI pin ) for this server. Also here we see from the printout:

;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.

C - The third method for getting DNS OVER TLS servers' SPKI pin(s) will give you the pin- but virtually nothing else. Issue command as follows: echo | openssl s_client -connect '108.61.201.119:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 - The print out reads - B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4= which is the correct certificate. However, you can not tell if it is expired or trusted. For example, Surfnet ( which is getdns ) has several servers. dnsovertls3.sinodun.com ( 145.100.185.18 ) currently has an expired certificate. When I run - echo | openssl s_client -connect '145.100.185.18:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 - The printed out gives me the correct certificate - 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= - However the certificate is expired. Running gnutls-cli --print-cert -p 853 145.100.185.18 - provides verification of expiration below:

- Certificate[0] info:
- subject `CN=dnsovertls3.sinodun.com', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x030566ee19f2ef98451faa2322093fb000b3, RSA key 4096 bits, signed using RSA-SHA256, activated `2018-11-19 11:15:34 UTC', expires `2019-02-17. The certificate was good from 2018-11-19 until 2019-02-17. You can once again check real time status here: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

Running kdig -d @145.100.185.18 +tls-ca +tls-host=dnsovertls3.sinodun.com example.com - The readout is below which confirms expiration:
;; DEBUG: TLS, The certificate is NOT trusted. The certificate chain uses expired certificate.

So you see you must combine methods listed above to be truly secure and encrypted when running DNS Privacy Test Servers which essentially depend and rely on proper DNS OVER TLS servers' SPKI pin(s) being up to date and trusted.
Finally the Bonus:
As I wandered over the internet in search of security - I came across this website : ImmuniWeb SSL Security Test found here:
https://www.immuniweb.com/ssl/?id=Su8SeUQ4 Once on the website, you may test your remote DNS OVER TLS Servers. At the top of the page - simply enter the server hostname and port that you are using to connect to the remote server. For example I would enter -
dot-jp.blahdns.com:443 in keeping with the example I have been using throughout this guide. This site will resent you with a rating of the server and its' features. It will also list the certificate - when it was activated - when is the expiration date and encryption protocols and so much more. By the way, dot-jp.blahdns.com earns an A+ ratings. DNS is the backbone of your network - stay safe and secure out there
while you and your loved ones peruse the world of cyber connectivity. With dot-jp.blahdns.com:443 I encountered errors getting the correct certificate information. When I entered dot-jp.blahdns.com alone - everything went fine. You may have to play around with the entries. This is why it is best to have multiple tools and methods to cross check your certificates aka DNS OVER TLS Servers' SPKI pin(s) - hostnames and IP addresses. For instance - I know from two of these methods - one being this website the other using gnutls-utils - that the certificate for DNS TLS SERVER doh.defaultroutes.de ( 5.45.107.88 ) will expire in four days on 2019-04-24.

VERY IMPORTANT UPDATE:
After checking, rechecking and the triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/
I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is:

nano /usr/local/etc/stubby/stubby.yml

resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 60000
listen_addresses:
- 127.0.0.1@8053
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
upstream_recursive_servers:
# IPV4 Servers
### DNS Privacy Test Servers ###
## The Surfnet/Sinodun DNS TLS Server
- address_data: 145.100.185.18
tls_port: 853
tls_auth_name: "dnsovertls3.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
# The securedns.eu DNS TLS Server dot.securedns.eu
- address_data: 146.185.167.43
tls_auth_name: "ads-dot.securedns.eu"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
#The BlahDNS German DNS TLS Server
- address_data: 159.69.198.101
tls_auth_name: "dot-de.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: GsfF6a28usi59J/pUUtqbyfmmyKE7+7OfzdLXzUt/Aw=
#The BlahDNS Japan DNS TLS Server
- address_data: 108.61.201.119
tls_auth_name: "dot-jp.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4=
#The DNS Warden DNS TLS Primary Server
- address_data: 116.203.70.156
tls_auth_name: "dot1.dnswarden.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: deCWLScS/hqOKvzPDNr9JZdoBYsrWM7AWQ56biseGxA=
#The DNS Warden DNS TLS Secondary Server
- address_data: 116.203.35.255
tls_auth_name: "dot2.dnswarden.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: deCWLScS/hqOKvzPDNr9JZdoBYsrWM7AWQ56biseGxA=
#The Primary appliedprivacy.net DNS TLS Server
- address_data: 37.252.185.232
tls_auth_name: "dot1.appliedprivacy.net"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: ScYkwTIhR1AZGwAsy9Fgn+ET70+t8HR8giYq9abl7tA=
#The ibksturm DNS TLS Server
- address_data: 217.162.206.220
tls_auth_name: "ibksturm.synology.me"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: v9DZ6wtFZcs26wzq6lwHSlcV6o0Nvw/9pLiBarQJfQE=
#The dns.seby.io - Vultr DNS TLS Server
- address_data: 45.76.113.31
tls_auth_name: "dot.seby.io"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: xTjAOypMRG8ef7ZnQPk1TAku3xvtdQBPH+H3dCQyqDs=
#The Secure DNS Project by PumpleX DNS TLS Server
- address_data: 51.38.83.141
tls_auth_name: "dns.oszx.co"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: P/Auj1pm8MiUpeIxGcrEuMJOQV+pgPY0MR4awpclvT4=
#The edns.233py.com DNS TLS Server
- address_data: 47.101.136.37
tls_auth_name: "dns.233py.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: Aqo3emoFTNuVG85U26NnGJmjlTuUCm9H5cySw0HUYas=
#The Rubyfish Internet Tech DNS TLS Server
- address_data: 47.96.179.163
tls_port: 853
tls_auth_name: "uw-dns.rubyfish.cn"
tls_pubkey_pinset:
- digest: "sha256"
value: DBDigty3zDS7TN/zbQOmnjZ0qW+qbRVzlsDKSsTwSxo=
### Anycast DNS Privacy Public Resolvers ###
#Quad9 'secure' DNS TLS Secondary Server
- address_data: 149.112.112.112
tls_auth_name: "dns.quad9.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=

Save and Exit - Then reboot your Router for changes to take effect

Peace,

directnupe

References : https://blahdns.com/ https://dns.seby.io/

Pages 1 2 3 4