Messages - directnupe

#31
Dear Franco,
Hello and I hope that you are well. I am just reporting back to you by way of feedback about the getdns package that Opnsense has made available via pkg install getdns. It works beautifully. I installed the package on Opnsense 18.7.7 and OPNsense 19.1.b_167-amd64. As you had indicated, I did have to manually configure the three stubby files. However, all the dependencies were there.
Just one question. Do you want me to put up a post as to how to configure the package and more or less announce that getdns and stubby are available for installation by simply issuing the # pkg install getdns command as of OpnSense 18.7.7 ?

Peace,

directnupe

PS - You guys did a great job and I did read that you are working on a plugin for this. So, I for one respect, appreciate and am grateful for your great work and dedication in keeping Opnsense on the cutting edge of internet security.
#32
Dear Franco,
Hello - and my reasoning in recommending that you use all options in getdns "make config" is because I am sure that is THE CONFIGURATION which is known to work absolutely. Now I have a few questions for you to consider as you migrate to making getdns available through # pkg install getdns on OpnSense 18.7.7.
1 - Will libidn-1.34.txz be made available in the OpnSense repositories? libidn is needed by getdns and was not available in your repos at the time of my last installation of the getdns I created and installed on my OpnSense Box.
2 - How much configuring of the three main files needed for getdns to run will be done after entering # pkg install getdns on OpnSense 18.7.7?
3 - For example, the stubby.in file is located at /usr/local/etc/rc.d/stubby by default after install from OpnSense Ports. I had to issue these two commands in order to correctly run getdns on OpnSense:
A - Stubby needs Unbound root.key: # su -m unbound -c /usr/local/sbin/unbound-anchor
B - mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh - I issued this command to make the stubby.in file a start up shell script and then issued a command to make /usr/local/etc/rc.d/stubby.sh executable: chmod a+x /usr/local/etc/rc.d/stubby.sh
Also, will stubby be enabled by default on line 27 of /usr/local/etc/rc.d/stubby.sh? I had to change this manually from : ${stubby_enable="NO"} to : ${stubby_enable="YES"} - this file is not enabled by default.
Will all of these processes detailed above be achieved and working " out of the box " on your end by simply entering  # pkg install getdns ?
4 - I take it that the /usr/local/etc/stubby/stubby.yml will still be available and I imagine that you will provide instructions as to how to properly configure this file.
5 - The third file /usr/local/etc/rc.d/stubby.sh is the specific start up script / hook for Opnsense. So, are you going to have this pre-configured and set to run at boot time as well ? I had to create this file manually and make it executable as detailed in the process I sent to you earlier.
6 - Importantly, will you make available the information needed to have stubby and UNBOUND integrated properly to resolve DNS OVER TLS ?
7 - The other issue is getdns and OpnSense upgrades. You originally contacted me about https://twitter.com/Ceeblows/status/1055804955028832256 and Chad's getdns and stubby install being broken by UNBOUND being upgraded to 1.8.1 on Opnsense 18.7.6 -
So, will getdns and stubby survive a similar upgrade scenario going forward if installed by your proposed implementation of # pkg install getdns on OpnSense 18.7.7 ?
These are a few things that I would like to know and I believe important for you to consider as you go forward with making getdns and stubby available for all of us on OpnSense 18.7.7.
I want to thank you for your considerable time, continued effort and leadership in making and keeping OpnSense at the forefront and vanguard of one of the finest Open Source FireWall Distros ever developed.

Peace and God Bless Always In Peace,

directnupe
#33
Libev is a high-performance event loop/event model with lots of features.
It is modelled (very loosely) after libevent and the Event perl module,
but aims to be faster and more correct, and also more featureful. And
also smaller. - choose this in make config

libevent API for executing callback functions on events or timeouts
Currently, libevent supports /dev/poll, kqueue(2), event ports, select(2),
poll(2) and epoll(4). The internal event mechanism is completely independent
of the exposed event API, and a simple update of libevent can provide new
functionality without having to redesign the applications. As a result,
Libevent allows for portable application development and provides the most
scalable event notification mechanism available on an operating system.
Libevent can also be used for multi-threaded applications. - install it

libuv Multi-platform support library with a focus on asynchronous I/O - this is how getdns functions - choose it as well


As I said, I install all 3 - no problems - I will add the following as I already wrote it up:

Dear Franco, I am confused - if you mean putting this package in your repository - https://www.4shared.com/file/2mddi4FNda/getdns-142_1.html - then it is already built and compiled with STUBBY and for UNBOUND 1.8.1
In order to get this running, a user without a current getdns and stubby install on OpnSense would follow these steps:

1 - Install these necessary dependencies on Opnsense before installing the getdns-1.4.2.txz package
A-  #  pkg install libev
B - #  pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn-1.34.txz
C - #  pkg install libuv

2 - The stubby.in file is located at /usr/local/etc/rc.d/stubby by default. First though, Stubby needs the Unbound root.key - run this command before getting started:
# su -m unbound -c /usr/local/sbin/unbound-anchor
Then -
A - Issue this command: # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh
Make it executable - I run two commands - it works for me:
# chmod 744 /usr/local/etc/rc.d/stubby.sh
# chmod a+x /usr/local/etc/rc.d/stubby.sh
B - Yes, you must enable the Stubby daemon in the file - open the file with: nano /usr/local/etc/rc.d/stubby.sh
go to line 27 - : ${stubby_enable="NO"} - and change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit.

3 - Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml

## Begin Sample /usr/local/etc/stubby/stubby.yml file configuration:
# This is a yaml version of the stubby configuration file (it replaces the
# json based stubby.conf file used in earlier versions of getdns/stubby).

resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128

edns_client_subnet_private : 1

idle_timeout: 60000 # keep-alive for 1 min, for better performance

listen_addresses:
  - 127.0.0.1@8053   ## Stubby / Unbound ## Default Address/Port

round_robin_upstreams: 1

upstream_recursive_servers:
# IPV4 Servers
# The getdnsapi.net Server
  - address_data: 185.49.141.37
    tls_port: 853
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
# The Fondation RESTENA Server
  - address_data: 158.64.1.29
    tls_auth_name: "kaitain.restena.lu"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
### Test servers ###
## Surfnet/Sinodun Servers
  - address_data: 145.100.185.17
    tls_port: 853
    tls_auth_name: "dnsovertls2.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
# The securedns.eu Server
  - address_data: 146.185.167.43
    tls_auth_name: "dot.securedns.eu"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
# The dns.cmrg.net Server
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
# DNSPRIVACY.at Primary DNS TLS Server
  - address_data: 94.130.110.185
    tls_port: 853
    tls_auth_name: "ns1.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
# DNSPRIVACY.at Secondary DNS TLS Server
  - address_data: 94.130.110.178
    tls_port: 853
    tls_auth_name: "ns2.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
# The dns.neutopia.org Server
  - address_data: 89.234.186.112
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
### Anycast services ###
#Tenta ICANN DNS TLS Primary Server
  - address_data: 99.192.182.200
    tls_auth_name: "iana.tenta.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: nPzhfahBmQOFKbShlLBymTqPtZY31bPpKFnh0A86ys0=

4 - In order to have Opnsense use the default start up script (/usr/local/etc/rc.d/stubby.sh) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following:
# nano /etc/rc.conf.d/stubby   -   in the new file enter the following two lines:

stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Save and exit, then make the file executable - once again, works for me:
# chmod 744 /etc/rc.conf.d/stubby
# chmod a+x /etc/rc.conf.d/stubby

5 - Now you must configure your  Unbound DNS Server to use Stubby for DNS Over TLS.

UNBOUND GENERAL SETTINGS
Network Interfaces = WAN, LAN (all of your LAN interfaces if you have more than one), and You Must Select Localhost - repeat - You Must Select Localhost!

Under Custom options enter the following :
server:
do-not-query-localhost: no
forward-zone:
name: "."    # Allow all DNS queries
forward-addr: 127.0.0.1@8053
## END OF ENTRY

Outgoing Network Interfaces  =  Localhost

Make Sure to NOT CHECK - DO NOT CHECK -  the box for DNS Query Forwarding.  Save and Apply Settings

Next -Under System > Settings  > General Settings

Set the first DNS Server to 127.0.0.1 with no gateway selected.
Make sure that DNS server option:

A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not, I repeat, Is Not Checked!

and DNS server option

B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall - Is Not, I repeat, Is Not Checked!

I now only run  127.0.0.1  ( Localhost ) configured as the only DNS SERVER on my WAN interface. If others were added to WAN, when I ran dig or drill commands /etc/resolv.conf allowed those addresses to be queried. I  only want to use Stubby yml Name Servers for DNS TLS , so this was the determinative factor in my reasoning and decision.

That's it - that is what I would do if I could download the package I created and sent to you. By the way, I am willing to build, create and send you an OpnSense getdns and stubby package whenever the port is upgraded or you ask me to do so. That is if there is a need or demand for one. Ryan Steinmetz aka zi - the port maintainer and developer of this port - was kind enough to help me with much of this, so I am happy to give back as well.
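
As an added example (not code from this post, from OPNsense or from the getdns/Stubby project), here is a small Python audit of a stubby.yml of the shape shown above. It parses only the YAML subset stubby.yml uses (scalars, lists of scalars, lists of mappings; not general YAML) and then checks the properties that make the posted file a strict DNS-over-TLS configuration rather than an opportunistic one: TLS is the only transport, tls_authentication is REQUIRED, the listener sits on loopback, and every upstream has a tls_auth_name plus a tls_pubkey_pinset whose value is a base64 32-byte SHA-256 digest. It also prints the standard openssl pipeline for re-deriving an upstream's SPKI pin, so the pin values in the file can be compared against what the server presents before they are trusted. The embedded sample is a trimmed copy of the post's configuration; the weak variant is constructed to show what gets flagged.

```python
"""Audit a stubby.yml for the strict DNS-over-TLS profile used in the post.
Added example, not code from the post, OPNsense or the getdns/Stubby project;
the parser covers only the YAML subset stubby.yml uses. Samples are constructed."""
import base64
import re

# Trimmed copy of the configuration shape shown in the post (constructed sample).
SAMPLE_YML = """\
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
edns_client_subnet_private : 1
listen_addresses:
  - 127.0.0.1@8053   ## Stubby / Unbound ## Default Address/Port
upstream_recursive_servers:
  - address_data: 185.49.141.37
    tls_port: 853
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
"""
# Constructed weak variant: cleartext fallback, no auth, exposed listener, unpinned upstream.
WEAK_YML = """\
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_NONE
listen_addresses:
  - 0.0.0.0@8053
upstream_recursive_servers:
  - address_data: 185.49.141.37
"""

_KEY = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*:(?:\s+(.*))?$')  # "key: value" or "key:"
_LOOPBACK = {'127.0.0.1', '0::1', '::1'}


def _lines(text):  # (indent, text) per non-blank line; '#' comments dropped
    bodies = (raw.split('#', 1)[0].rstrip() for raw in text.splitlines())
    return [(len(b) - len(b.lstrip(' ')), b.strip()) for b in bodies if b.strip()]


def _scalar(s):  # strip matching quotes; everything else stays a string
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in '"\'' else s


def _parse(lines, i, indent):  # mapping or sequence whose entries start at `indent`
    is_seq = lines[i][1].startswith('- ')
    node = [] if is_seq else {}
    while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith('- ') == is_seq:
        text = lines[i][1]
        if is_seq:
            item = text[2:].strip()
            if _KEY.match(item):  # "- key: value" opens a mapping two columns deeper
                lines[i] = (indent + 2, item)
                val, i = _parse(lines, i, indent + 2)
            else:
                val, i = _scalar(item), i + 1
            node.append(val)
            continue
        key, value = _KEY.match(text).groups()
        i += 1
        if value is not None:
            node[key] = _scalar(value)
        elif i < len(lines) and lines[i][0] > indent:
            node[key], i = _parse(lines, i, lines[i][0])
        else:
            node[key] = None
    return node, i


def parse_stubby(text):
    return _parse(lines, 0, 0)[0] if (lines := _lines(text)) else {}


def audit(yml_text):
    """Findings against the strict profile; an empty list means it holds."""
    cfg, out = parse_stubby(yml_text), []
    if cfg.get('dns_transport_list') != ['GETDNS_TRANSPORT_TLS']:
        out.append('dns_transport_list allows a non-TLS transport (cleartext fallback)')
    if cfg.get('tls_authentication') != 'GETDNS_AUTHENTICATION_REQUIRED':
        out.append('tls_authentication is not REQUIRED (opportunistic mode fails open)')
    out += [f'listener {a} is not on loopback' for a in cfg.get('listen_addresses') or []
            if str(a).split('@')[0] not in _LOOPBACK]
    for up in cfg.get('upstream_recursive_servers') or []:
        who, pins = up.get('address_data', '?'), up.get('tls_pubkey_pinset') or []
        if not up.get('tls_auth_name'):
            out.append(f'{who}: no tls_auth_name, certificate name cannot be checked')
        if not pins:
            out.append(f'{who}: no tls_pubkey_pinset')
        for pin in pins:  # a good pin is base64 of the 32-byte SHA-256 over the DER SPKI
            try:
                raw = base64.b64decode(str(pin.get('value', '')), validate=True)
            except ValueError:
                raw = b''
            if pin.get('digest') != 'sha256' or len(raw) != 32:
                out.append(f'{who}: pin is not a base64 SHA-256 SPKI digest')
    return out


def pin_command(up):
    """Standard openssl pipeline printing the SPKI SHA-256 pin an upstream presents now."""
    return (f"openssl s_client -connect {up['address_data']}:{up.get('tls_port', '853')} "
            f"-servername {up['tls_auth_name']} </dev/null 2>/dev/null | openssl x509 -pubkey -noout"
            " | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64")
```

Run audit() over the real /usr/local/etc/stubby/stubby.yml and run the printed pin_command() pipeline per upstream from a host you trust. Under GETDNS_AUTHENTICATION_REQUIRED a pin or name mismatch means the upstream is refused rather than used, so a stale pin silently removes that server from rotation; re-derive pins whenever an operator rekeys and keep more than one upstream configured.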
#34
Dear Franco,
Hello - and yes that is correct. STUBBY is off in the default setting. You must use "make config" to select that option. See here: https://www.freshports.org/dns/getdns/ and note:
Library dependencies:
libexpat.so : textproc/expat2
libidn.so : dns/libidn
libldns.so : dns/ldns
libunbound.so : dns/unbound
There are no ports dependent upon this port

and :
===> The following configuration options are available for getdns-1.4.2_1:
     DOCS=on: Build and/or install documentation
     LIBEV=off: Build with libev extension
     LIBEVENT=off: Build with libevent extension
     LIBUV=off: Build with libuv extension
     STUBBY=off: Build with Stubby DNS/TLS resolver
===> Use 'make config' to modify these settings

So, I compile the GETDNS package with all the configuration options selected. OpnSense also makes the hardening options pie, relro and safestack available. As getdns compiles and installs its dependencies, I just select all the default options. You see that getdns builds against libunbound.so : dns/unbound among a few other dependencies.
I use OpnSense Tools to install Opnsense Ports which are synced with FreeBSD (and HardenedBSD), I do believe.
But once again the answer to your central question - STUBBY is not on by default in FreeBSD? - the answer is that in the default getdns port configuration settings the option to install STUBBY is off in all FreeBsd derivatives - that includes FreeBsd, Opnsense, PfSense and all others as far as I am aware of.

Once again - I hope that this helps. May God Bless You and Your Loved Ones,

Always In Peace,

directnupe
#35
Dear Franco,
Hello and I hope that you are well. I am far from an expert in programming or software development. However, I will do my best to answer your questions. If you look at my tutorial here: https://forum.opnsense.org/index.php?topic=8759.0
You will see that I built the GETDNS STUBBY package on a FREEBSD BUILD SERVER. So you see that the building the package is done by utilizing the ports collection as this is the method to get all the Configuration Options that the full GETDNS package needs - especially STUBBY. GETDNS is built against and compiled against UNBOUND. Now, you good folks at OpnSense can ( I imagine ) put a fully compiled GETDNS package up in your repositories. Honestly, I was wondering why this is not done already.
There is an issue with some dependencies being missing when I install the GETDNS manually. Two are available in the Opnsense repos: libev and libuv and one I have to install from the FreeBsd repository with the command: pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn-1.34.txz So, I do not know how you would address these missing dependencies.
As far as the files: there is a start up script that comes with the installation of the package and/or port: /usr/local/etc/rc.d/stubby - you can see what I do with that file in the link I referenced at the top of my reply. The second is the /usr/local/etc/stubby/stubby.yml for configuring DNS OVER TLS options for STUBBY. Lastly OpnSense has the /etc/rc.conf.d/stubby file - the start up file for OpnSense particularly. I do not know how you could manage these files within the Opnsense development team. Finally, you can find and download the final product OpnSense Ports package getdns-142_1.txz here: https://www.4shared.com/s/f2mddi4FNda or here: https://www.4shared.com/file/2mddi4FNda/getdns-142_1.html
I hope that this helps in some way.

Feedback on the specific Tweet from Chad here: https://twitter.com/Ceeblows/status/1055804955028832256 The solution to this complaint I posted here : https://forum.opnsense.org/index.php?topic=10062.0 Topic: SOLVED - GETDNS AND STUBBY W/ OPNSENSE 18.7.6 and UNBOUND 1.8.1
The GETDNS port was specifically upgraded for UNBOUND 1.8.1 - So Chad did not seek - so he did not find. There are times that the package - well it is all explained in the post above.

Peace,

directnupe
#36
Dear Nekromantik,
Hello and you are welcome. As far as your question how do you confirm you are running 1.4.2_1 and not 1.4.2?
the answer is that when you first go to configure GETDNS it will indicate the version. Also, the version of GETDNS on OpnSense and FreeBSD Ports is 1.4.2_1
So you could not install 1.4.2 even if you wanted to because it is no longer in the upstream FreeBSD or Opnsense repositories.
Just do it! The way to check the version of any package installed or available in any FreeBSD distro is to type pkg info - this command will list all packages you have installed. To see a specific program you add the package name to the command - for example in this case pkg info getdns, which will give you all the package release information and also let you know what version is installed on your Opnsense instance, or which version of getdns is available for you to install in your repos. You will not find GETDNS in the Opnsense default repos - that is why we must use Ports and/or build the getdns package through ports in order to install getdns and stubby.

Peace and God Bless,

directnupe
#37
Dear Community -

ALWAYS READ ENTIRE GUIDE FIRST BEFORE BEGINNING FOR BEST RESULTS

Some folks are dreading that upgrading to Opnsense 18.7.6 which ships with UNBOUND 1.8.1 breaks GETDNS and STUBBY. It ain't necessarily so ! Here are the solutions :

SECTION A

For Opnsense Ports Installation of GETDNS and STUBBY
1- If you installed GETDNS and STUBBY using Opnsense Ports - see this post :

https://forum.opnsense.org/index.php?topic=8748.0


The KEY is to remove GETDNS and STUBBY and all of the configuration files BEFORE YOU UPGRADE !

2 - Then upgrade to Opnsense 18.7.6 which will install UNBOUND 1.8.1

3 - Now re-install the upgraded GETDNS STUBBY port - which is now getdns-1.4.2_1 - this will compile being built against UNBOUND 1.8.1 - this is why the port was upgraded - that being to work with UNBOUND 1.8.1 -   getdns-1.4.2 was for UNBOUND 1.7.3 and - well - you get the picture if not check the screenshot below and / or go here: https://www.freshports.org/dns/getdns/ Note: Pay particular attention to this entry:

18 Sep 2018 18:24:05
Original commit files touched by this commit  1.4.2_1
Revision:480056
dns/unbound: update to 1.8.0
Bump PORTREVISION on to consumers due to library major version change


For instance I have a PfSense 2.4.4 Edge Router set up and it uses UNBOUND 1.7.3 and getdns 1.4.2_1 will break UNBOUND - as getdns 1.4.2 is what it needs. getdns 1.4.2_1 has different library requirements which are not suitable for UNBOUND 1.7.3 - so DNS resolution fails. This why you need to upgrade getdns on Opnsense 18.7.6 as it ships with UNBOUND 1.8.1.

4 - After you upgrade your port installation to getdns-1.4.2_1, all you need to do is refer to the original post here once again: https://forum.opnsense.org/index.php?topic=8611.0 - begin with Step 7 and follow each step from there and you will be up and running with getdns-1.4.2_1 and UNBOUND 1.8.1 on OpnSense 18.7.6

END SECTION A

SECTION B
For those who use STAND ALONE DNS OVER TLS STUBBY GETDNS PACKAGE
1 - It is necessary to reconfigure Unbound to stop using Stubby for DNS resolution. Go to System > Settings > General > and Check
     option - A - Allow DNS server list to be overridden by DHCP/PPP on WAN ( Click Save ) . Then go to Services > Unbound DNS > General  and then remove  contents of Custom Options Box:
server:
do-not-query-localhost: no
forward-zone:
name: "."    # Allow all DNS queries
forward-addr: 127.0.0.1@8053
Save and apply

2- After this you must delete the GETDNS package from Opnsense BEFORE YOU UPGRADE to 18.7.6
First - issue command - pkg delete getdns
You do that  ( from command line )  then follow these commands to remove configuration files.
Remove the following files by issuing these commands: # rm /usr/local/etc/rc.d/stubby.sh
# rm /usr/local/etc/stubby/stubby.yml and   
# rm /etc/rc.conf.d/stubby

3- Now upgrade to OpnSense 18.7.6 along with UNBOUND 1.8.1
Now all you need to do now is build and install  your new package getdns-1.4.2_1.txz
You do that by following the guide here - https://forum.opnsense.org/index.php?topic=8759.0
As Opnsense Tools installs FREEBSD synced ports on your FREEBSD Build Server - you will also get
getdns-1.4.2_1 - which is designed to work with UNBOUND 1.8.1
After you have built and have your getdns-1.4.2_1.txz package on your FREEBSD BUILD SERVER- go to Step 8 on this page once again : https://forum.opnsense.org/index.php?topic=8759.0

END SECTION B

SPECIAL CIRCUMSTANCES:
If you already have an existing FREEBSD Build Server and an outdated getdns port on it then you must  remove that  getdns port before building a new one. In order to accomplish that task see here : https://forum.opnsense.org/index.php?topic=8748.0 and follow and complete Step 2 Commands A & B . Now , since Opnsense Tools is already installed on your existing FREEBSD BUILD SERVER you need to update your ports collection. You do that by following these two  steps:  A - cd /usr/tools and B - make update - It is that simple. After the ports collection and everything is updated, you proceed thusly:
1 -  Go to this page : https://forum.opnsense.org/index.php?topic=8759.0 and complete procedures Step 6 and Step 7
2 - After creating your getdns-1.4.2_1.txz package on your FREEBSD BUILD SERVER simply go to Section B above in this tutorial and follow Steps 1, 2, and 3** in order to get your OpnSense Box up and running with getdns-1.4.2_1 and UNBOUND 1.8.1 on OpnSense 18.7.6

**( Obviously you can skip creating another getdns-1.4.2_1.txz package in Section B Step 3 as you have already done so by completing Item Number 1 above earlier on in this SPECIAL CIRCUMSTANCES section. This means that after you have upgraded your OpNsense Box to 18.7.6; you simply start and complete all tasks beginning with Step 8 here on this page : https://forum.opnsense.org/index.php?topic=8759.0  

END SPECIAL CIRCUMSTANCES

The two major things to remember are to either de-install the GetDns port or delete the GETDNS package PRIOR to upgrading to Opnsense 18.7.6

Then upgrade port or build and re-install upgraded package depending on which method you first used to deploy GETDNS and STUBBY on your OpnSense box.

I hope this helps and I have done this myself and it is GUARANTEED to work!

Peace,

directnupe


Parting Thoughts:
For those who in the future may worry about GETDNS and STUBBY ever being broken due to an UNBOUND DNS version being updated or upgraded, let me say this. You were not paying attention when I told you all from the very beginning that :

For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OPENDNSSEC and now GETDNS ( and STUBBY ) see here: https://www.nlnetlabs.nl/   https://www.nlnetlabs.nl/projects/getdns/

So, as NLnet Labs develops both UNBOUND and GETDNS ( along with STUBBY ) I am sure that they will do their best to make sure that both of these work well together. If you notice, GETDNS 1.4.2_1 has been out since mid September 2018, as has UNBOUND 1.8.0. The main issue and concern is when the distro that you are using is going to integrate and update these packages. For example, OpenWrt is on Unbound 1.8.2 and GETDNS 1.4.2_2 - while on Pfsense it's Unbound 1.7.3 and GETDNS 1.4.2
See here for further info: https://repology.org/metapackage/getdns/versions - even for FREEBSD  - it lists the Maintainer as zi@freebsd.org which is correct but lists GETDNS version as 1.4.2 - which is incorrect. We know that the current version for FREEBSD ports is GETDNS 1.4.2_1 - The major point is that NLnet Labs  is running " The Whole GETDNS STUBBY / UNBOUND Show " - so that is a good thing that one developer is handling all components needed for DNS OVER TLS ( aka DNS Privacy Project ).

Notice that this Commit was Submitted by jaap@NLnetLabs.nl (maintainer) in order to fix GETDNS so that it will work with the new dns/unbound: update to 1.8.0 - which proves that NLnetLabs.nl is actively involved with development and maintenance of UNBOUND, GETDNS and STUBBY

See here for FREEBSD GETDNS COMMIT FOR UNBOUND 1.8.1:
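
A check for the situation this guide is about, as an added example (not code from the post, from OPNsense, FreeBSD or the getdns project): before or after an upgrade, confirm whether the installed getdns library still resolves the libunbound soname that the installed unbound package actually ships. The inputs are the output of `ldd /usr/local/lib/libgetdns.so` (or `ldd /usr/local/bin/stubby`) and of `pkg info -l unbound`, both run on the OPNsense box; Python is used here only to parse those two outputs. The samples embedded below are constructed, and the sonames in them are illustrative rather than a claim about which soname a particular Unbound release uses.

```python
"""Check that getdns/Stubby links the libunbound the installed unbound package ships.

Added example for the upgrade breakage described in the post; not code from the post,
OPNsense, FreeBSD or getdns. The ldd and pkg outputs below are constructed samples and
the sonames in them are illustrative, not a statement about any Unbound release.
"""
import re

# Constructed `ldd /usr/local/lib/libgetdns.so` output: getdns built before the unbound upgrade.
LDD_STALE = """\
/usr/local/lib/libgetdns.so:
\tlibunbound.so.2 => not found (0)
\tlibssl.so.111 => /usr/lib/libssl.so.111 (0x800a00000)
\tlibc.so.7 => /lib/libc.so.7 (0x800c00000)
"""
# Constructed ldd output after rebuilding getdns against the upgraded unbound.
LDD_FRESH = """\
/usr/local/lib/libgetdns.so:
\tlibunbound.so.8 => /usr/local/lib/libunbound.so.8 (0x800a00000)
\tlibc.so.7 => /lib/libc.so.7 (0x800c00000)
"""
# Constructed `pkg info -l unbound` output for the upgraded package.
PKG_FILES = """\
unbound-1.8.1:
\t/usr/local/etc/unbound/unbound.conf.sample
\t/usr/local/lib/libunbound.so
\t/usr/local/lib/libunbound.so.8
\t/usr/local/lib/libunbound.so.8.1.1
\t/usr/local/sbin/unbound
"""

# "<soname> => <target> (0x...)"; the load address is absent on a 'not found' line
_LDD_LINE = re.compile(r'^\s*(\S+\.so\.\d+)\s*=>\s*(.+?)\s*(?:\(0x[0-9a-f]+\))?\s*$')


def linked_soname(ldd_output, lib='libunbound'):
    """(soname, resolved path or None when ldd reports 'not found') for `lib`."""
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if m and m.group(1).startswith(lib + '.so.'):
            target = m.group(2)
            return m.group(1), None if target.startswith('not found') else target
    return None, None


def shipped_sonames(pkg_list_output, lib='libunbound'):
    """Sonames of `lib` a package provides, from `pkg info -l <pkg>` output."""
    pat = re.compile(r'/(' + re.escape(lib) + r'\.so\.\d+)$')
    hits = (pat.search(ln.strip()) for ln in pkg_list_output.splitlines())
    return {m.group(1) for m in hits if m}


def check_link(ldd_output, pkg_list_output):
    """(ok, message): ok only if the soname getdns needs is one unbound ships and it resolves."""
    need, resolved = linked_soname(ldd_output)
    have = shipped_sonames(pkg_list_output)
    if need is None:
        return False, 'no libunbound dependency found; is this the getdns library?'
    if need in have and resolved:
        return True, f'getdns links {need}, which the installed unbound package provides'
    return False, (f'getdns links {need} but the installed unbound provides '
                   f'{sorted(have) or "no libunbound"}; delete getdns before the unbound '
                   'upgrade and reinstall the port revision built against the new library')


if __name__ == '__main__':
    print(check_link(LDD_STALE, PKG_FILES))
    print(check_link(LDD_FRESH, PKG_FILES))
```

A failing check after the upgrade is exactly the state the guide describes: the old getdns still wants a soname the new unbound package no longer installs, so resolution through Stubby stops until getdns is removed and the bumped port revision is reinstalled against the new library.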

#38
Dear Nekromantik,

SEE POST HERE FOR THE SOLUTION :

https://forum.opnsense.org/index.php?topic=10062.0



#39
Dear MultiCubic,
Hello and I am glad that you got this working. Look, as you build GETDNS just select all the "Default Settings" once you have configured the initial screen. Normally, I select all the options available on the screen you show in your screenshot.
There will be other options like under libevent - and so on. Also, as GETDNS builds against UNBOUND - I have found that since GETDNS was updated from 1.4.2 to 1.4.2_1 and 1.4.2_2 now - UNBOUND 1.8.0 is the version GETDNS builds against. This is due to the upstream FREEBSD PORT being  modified. Opnsense UNBOUND version is still 1.7.3 - This caused a problem on both my Opnsense and Pfsense installations of GETDNS.
Finally - I had an old copy of GETDNS 1.4.2 - and I used that and everything worked fine. So, remember you are really compiling these packages - and a lot depends on what is in the upstream repositories - much of this is beyond our control.
So - save a package like I did on a USB stick or something  just in case they change the FREEBSD ports due to a package upgrade. remember this is FREEBSD package - not Opnsense - as even Opnsense ports are synced with FREEBSD PORTS.
Lastly, maybe I was wrong about " safestack " being on the initial GETDNS " make config " screen. However, safestack does appear while compiling GETDNS dependencies.

Peace -


directnupe
#40
Dear MultiCubic,
Hello - first I am glad that you got it working. As far as I know, Opnsense Ports always make those options Hardening Options - as Opnsense is based on HardenedBSD; see here: https://hardenedbsd.org/ and here: http://installer.hardenedbsd.org/hardened_11_stable_master-LAST/ These options ( pie, relro, safestack ) are on by default in Opnsense Ports.
So, make sure that you are cloning https://github.com/opnsense/ports by way of using GitHub as detailed in this tutorial above. In any event, I hope that this helped you. How are your DNS TLS Name Servers working?

Peace and God Bless,

directnupe
#41
Dear MultiCubic,
The make.conf file was not working for a while. That was due to the fact that Opnsense was based on FreeBSD 11.1 and it had reached EOL. That situation is now fixed. As far as the resolvers go - yes you can use others. However, if you configure the ones listed in this guide properly in your /usr/local/etc/stubby/stubby.yml - you should have no problems with your DNS OVER TLS resolution.
But I am glad that you got it working. Also I have found that it is best to compile your GETDNS package or port with all the hardening options omitted. You know, pie, relro, safestack - these are not in the FreeBSD Port - so try shutting them off. Lastly, use a few qname-minimisation enabled ANYCAST name servers like CloudFlare and Tenta. That should help to fix your latency issues as well.

Peace,

directnupe
#42
Dear Nekromantik,
Hello - you should check your DNS here: https://cmdns.dev.dns-oarc.net/ and see the features which are listed as being enabled on your resolver ( UNBOUND ). Look for TRANSPORT and you should see TCP, which means that you are using DNS OVER TLS, and under DNS Features, QNAME Minimisation, which indicates that the UNBOUND DNS query name minimisation privacy features are in effect.
I have found that the test you mention: https://tenta.com/test/ is not the best way of testing your DNS attributes. I believe that https://tenta.com/test/ is set up to only fully approve of and verify ( and I guess test ) Tenta DNS and its browser.
Also, with qname-minimisation enabled your resolver ( UNBOUND ) is set up to minimise the amount of data sent from the DNS resolver to the authoritative name server, and in addition, with the randomize_upstreams: 1 option set in STUBBY, the DNS TLS stub resolver aka STUBBY will distribute queries across all available name servers - key word being available. So theoretically DNS name servers will respond in the fastest way possible - meaning that all the name servers may not be queried, as qname-minimisation and qname-minimisation-strict limit the amount of data being sent and received between UNBOUND ( and STUBBY ) and the upstream DNS OVER TLS name servers you have configured in your /usr/local/etc/stubby/stubby.yml configuration file. Hope this helps.

Peace,

directnupe
#43
Dear user7654,
Please read this reply which I wrote to another with a similar issue:

https://forum.opnsense.org/index.php?topic=8759.msg44156#msg44156

See here for UNBOUND setup before installing GETDNS and STUBBY:

https://www.tecmint.com/install-configure-pfblockerng-dns-black-listing-in-pfsense/

You should be able to resolve everything before starting the process.

I enter 127.0.0.1 and the Tenta ICANN nameservers 99.192.182.200 and 66.244.159.200 under System > General Setup > DNS Server Settings > DNS Servers during initial setup. Also follow these two steps during the initial setup of your system:

A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not, I repeat, Is Not Checked !

and DNS server option

B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall - Is Not, I repeat, Is Not Checked !


I hope this helps.

Peace,

directnupe

PS - make sure that you set the hostname and domain up under Administration.
Also under UNBOUND > General Settings - you might see how DNS works if you check the BOX for " register dhcp leases in the dns resolver "

see here:
https://www.bytesizedalex.com/pfsense-dns-resolution-for-dhcp-leases/
and
https://forum.netgate.com/topic/17915/enable-registration-of-dhcp-client-names-in-dns-not-working/12

https://www.netgate.com/docs/pfsense/dns/unbound-dns-resolver.html
#44
Dear Nekromantik,
Hello and I hope that you are well. I will try to help you; however this may be difficult without knowing exactly how you have set up UNBOUND ( your DNS RESOLVER ) before you installed and configured GETDNS, STUBBY and UNBOUND.
Normally, you should have everything working - specifically in your case - UNBOUND should already be resolving your clients with local hostnames before setting this up.
If you have - then all GETDNS and STUBBY do is act as a stub forwarder - read here: 'Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). And here: Stubby runs as a daemon on the local machine sending DNS queries to resolvers over an encrypted TLS connection, providing increased privacy for the user.
Subsequently, if you have UNBOUND setup properly you should not CHECK the box for DNS Query Forwarding because that would mean that you are using the System's DNS under General Setup instead of /usr/local/etc/stubby/stubby.yml designated DNS PRIVACY Name Servers. Make sure that 127.0.0.1@8053 is used in both STUBBY and UNBOUND configurations - they must match both address and port.

Try these settings under Custom options for UNBOUND:
You should " Optimize Unbound " - especially increase the size of the cache, among other things; see the guide and adjust for your System's memory, number of cores and so on - see here: https://nlnetlabs.nl/documentation/unbound/howto-optimise/ for the basic guide

hide-identity: yes
hide-version: yes
hide-trustanchor: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
num-threads: 4
interface-automatic: yes
msg-cache-slabs: 8     # slab settings are a plain power-of-two count, not a size
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
rrset-cache-size: 256m
msg-cache-size: 128m
infra-cache-numhosts: 100000
so-rcvbuf: 1m

unwanted-reply-threshold: 10000
val-clean-additional: yes
use-caps-for-id: yes
do-ip6: no
do-ip4: yes
do-tcp: yes
minimal-responses: yes
prefetch: yes
prefetch-key: yes
qname-minimisation: yes
qname-minimisation-strict: yes
harden-below-nxdomain: yes
max-udp-size: 2048
rrset-roundrobin: yes
target-fetch-policy: "0 0 0 0 0"

Change Bold Face entries to match your OpnSense System.

Hope this helps - but make sure UNBOUND is configured properly. GETDNS and STUBBY are just forwarders. Double check if you have followed Step 11 correctly:

11 - Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.

UNBOUND GENERAL SETTINGS
Network Interfaces = WAN LAN ( all of your LAN interfaces if you have more than one ) And You Must Select Localhost - repeat - You Must Select Localhost !

Under Custom options enter the following:
server:
do-not-query-localhost: no
forward-zone:
name: "."    # Allow all DNS queries
forward-addr: 127.0.0.1@8053
## END OF ENTRY

Outgoing Network Interfaces = Localhost

Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings

Next - Under System > Settings > General Settings

Set the first DNS Server to 127.0.0.1 with no gateway selected.

Make sure that DNS server option

A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not, I repeat, Is Not Checked !

and DNS server option

B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall - Is Not, I repeat, Is Not Checked !

Peace and God Bless,

directnupe

PS - make sure that you set the hostname and domain up under Administration.
Also under UNBOUND > General Settings - you might see how DNS works if you check the BOX for " register dhcp leases in the dns resolver "

see here:
https://www.bytesizedalex.com/pfsense-dns-resolution-for-dhcp-leases/
and
https://forum.netgate.com/topic/17915/enable-registration-of-dhcp-client-names-in-dns-not-working/12

https://www.netgate.com/docs/pfsense/dns/unbound-dns-resolver.html
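The post above keeps coming back to one failure mode: Unbound's forward-addr and Stubby's listen address must agree on both address and port, do-not-query-localhost must be "no", and the forward zone must be ".". The script below is an added example (not code from the post, from OPNsense or from the getdns project) that checks those three points offline. It parses the exact Custom options block from the post and a constructed stubby.yml fragment with a small line-based parser, so it needs no YAML library; a real stubby.yml has many more keys, and only listen_addresses is read here.

```python
"""Offline consistency check for the Unbound -> Stubby forwarding setup.

Added example, not part of the forum post or of the OPNsense/getdns projects.
Checks that Unbound forwards to exactly the address@port Stubby listens on,
that do-not-query-localhost is "no", and that the forward zone is ".".
"""
import re

# The Custom options block exactly as given in the post (Step 11).
UNBOUND_CUSTOM_OPTIONS = """\
server:
do-not-query-localhost: no
forward-zone:
name: "."    # Allow all DNS queries
forward-addr: 127.0.0.1@8053
"""

# Constructed stubby.yml fragment: only the keys this check needs.
STUBBY_YML = """\
listen_addresses:
  - 127.0.0.1@8053
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
"""

# "ip" or "ip@port"; covers both IPv4 and IPv6 literals.
ADDR_RE = re.compile(r"^(?P<host>[0-9A-Fa-f:.]+)(?:@(?P<port>\d+))?$")


def parse_addr(text, default_port):
    """Split 'ip@port' into (ip, port); the port defaults when omitted."""
    m = ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable address: {text!r}")
    return m.group("host"), int(m.group("port") or default_port)


def parse_unbound_options(text):
    """Map (section, key) -> value for the server: / forward-zone: lines."""
    opts = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # "server:" / "forward-zone:"
            section = line[:-1]
            continue
        key, _, value = line.partition(":")         # first ':' only (IPv6 safe)
        opts[(section, key.strip())] = value.strip().strip('"')
    return opts


def parse_stubby_listen(text):
    """Collect the listen_addresses list from a stubby.yml fragment."""
    addrs, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("listen_addresses:"):
            in_list = True
        elif in_list and line.startswith("- "):
            addrs.append(line[2:].strip())
        elif in_list and line:
            in_list = False                         # next top-level key ends the list
    return addrs


def check_forwarding(unbound_text, stubby_text):
    """Return a list of problems; an empty list means the two configs agree."""
    problems = []
    opts = parse_unbound_options(unbound_text)
    if opts.get(("server", "do-not-query-localhost")) != "no":
        problems.append("do-not-query-localhost must be 'no' or Unbound "
                        "will not send queries to 127.0.0.1")
    if opts.get(("forward-zone", "name")) != ".":
        problems.append("forward-zone name must be '.' so every query goes to Stubby")
    fwd = opts.get(("forward-zone", "forward-addr"))
    if fwd is None:
        problems.append("forward-addr is missing from the forward-zone")
        return problems
    # Both Unbound's forward-addr and Stubby's listen_addresses default to port 53.
    target = parse_addr(fwd, 53)
    listens = [parse_addr(a, 53) for a in parse_stubby_listen(stubby_text)]
    if target not in listens:
        problems.append(f"Unbound forwards to {target[0]}@{target[1]} "
                        f"but Stubby listens on {listens}")
    return problems


if __name__ == "__main__":
    for p in check_forwarding(UNBOUND_CUSTOM_OPTIONS, STUBBY_YML) or ["configs agree"]:
        print(p)
```

To check a live box, replace the two embedded strings with the contents of the Unbound Custom options field and /usr/local/etc/stubby/stubby.yml; a port mismatch such as 8053 versus 8153 is reported as a single problem line.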
#45
Dear jclendineng,
Hello and I hope that you are well. I appreciate your feedback and I am glad that this configuration is working well for you.
As far as IPV6 goes - I will be honest as I do not use it. However the way I put this together is as follows:
1 - First go to this page - https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ ( I mentioned this in the tutorials to add GETDNS and STUBBY ).
2 - Next Look along the top row - start with Configuration Matrix this lists the specific DNS PRIVACY Name Servers.
3 - Go to the first Name Server listed under Configuration Matrix - dnsovertls.sinodun.com - then look for V6 then Go across to the QNAME min column. In this instance, you will see that dnsovertls.sinodun.com does not have QNAME minimisation enabled.
4 - Repeat this process for each and every DNS PRIVACY Name Server listed under Configuration Matrix V6. You also can ( should ) refer to this page as it details the proper layout and examples - parts may be a bit outdated. However, there is much useful information:
https://github.com/getdnsapi/stubby/blob/release/0.2.3/stubby.yml.example
This is why it is best to go with the " LIVE MONITORING " page for the most current status and features of DNS PRIVACY Name Servers, once again here: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

In order to save you some time - here is a list of IPV6 DNS PRIVACY Name Servers which are QNAME minimisation enabled:

This list contains, in order: Hostname for TLS authentication, IP address, TLS Port ( s ) and SPKI pin

getdnsapi.net  2a04:b900:0:100::37  853  foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=

cloudflare-dns.com  2606:4700:4700::1111 ( or 1001 )  853  yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

kaitain.restena.lu  2001:a18:1::29  853  7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=

dnsovertls2.sinodun.com  2001:610:1:40ba:145:100:185:17  853  NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=

dns.cmrg.net  2001:470:1c:76d::53  53053 / 853 / or 443  5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

dot.securedns.eu  2a03:b0c0:0:1010::e9a:3001  853 / 443  h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=

ns1.dnsprivacy.at  2a01:4f8:c0c:3c03::2  853  vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=

ns2.dnsprivacy.at  2a01:4f8:c0c:3bfc::2  853  s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=

dns.neutopia.org  2a00:5884:8209::2  853 / 443  wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=

PS -
Tenta DNS OVER TLS does not support IPV6 as of yet - but keep checking the DNS PRIVACY Monitoring Page as these things change frequently and all the time. This whole process is relatively new after all. In this case, use Localhost 127.0.0.1 and the Cloudflare 1.1.1.1 and 1.0.0.1 DNS SERVERS under System > General Setup > DNS Server Settings > DNS Servers. Cloudflare supports DNS OVER TLS as well. I am not quite sure if you should enter the Cloudflare DNS IPV6 Name Servers ( 2606:4700:4700::1111 and 2606:4700:4700::1001 ) here in the case you are using IPV6 blended with IPV4 or IPV6 exclusively.

Peace,

directnupe
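The SPKI pin column in the list above is what stubby.yml's tls_pubkey_pinset carries: the Base64 of the SHA-256 digest of the server certificate's DER SubjectPublicKeyInfo (the same format HTTP Public Key Pinning used). The script below is an added example, not code from the post or from the stubby project. It shows how such a pin is computed from an SPKI, how to check that a pin someone hands you is at least well-formed (exactly one 32-byte digest) before it goes into stubby.yml, and how to turn the (hostname, address, port, pin) tuples into the upstream_recursive_servers layout from the stubby.yml.example file linked in the post. The SPKI, the hostnames and the 2001:db8:: addresses are constructed so it runs offline; pins for real resolvers must come from the operator's published values or the live certificate, and a server that lists several ports gets one entry per port here.

```python
"""SPKI pins as used by Stubby, and building upstream_recursive_servers entries.

Added example, not part of the forum post or of the stubby project. All keys,
hosts, addresses and pins below are constructed for the demonstration.
"""
import base64
import hashlib
import ipaddress

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) + 32 key bytes }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def constructed_spki(seed):
    """Build a syntactically valid Ed25519 SPKI around 32 constructed key bytes."""
    key = hashlib.sha256(seed).digest()      # constructed: any 32 bytes serve the demo
    return ED25519_SPKI_PREFIX + key


def spki_pin(spki_der):
    """Base64(SHA-256(SPKI DER)): the 'value' field of tls_pubkey_pinset."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_is_well_formed(pin):
    """A sha256 pin must be valid Base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def verify_pin(spki_der, pin):
    """True when the pin matches the given SPKI (what Stubby checks at TLS setup)."""
    return pin_is_well_formed(pin) and spki_pin(spki_der) == pin


def upstream_entries(servers):
    """Render (auth_name, address, port, pin) tuples as stubby.yml text.

    Addresses are validated with ipaddress (a typo raises ValueError) and
    written in compressed form; malformed pins are rejected before they can
    silently break authentication.
    """
    lines = ["upstream_recursive_servers:"]
    for auth_name, address, port, pin in servers:
        ip = ipaddress.ip_address(address)
        if not pin_is_well_formed(pin):
            raise ValueError(f"malformed pin for {auth_name}: {pin}")
        lines += [
            f"  - address_data: {ip.compressed}",
            f"    tls_port: {int(port)}",
            f'    tls_auth_name: "{auth_name}"',
            "    tls_pubkey_pinset:",
            '      - digest: "sha256"',
            f"        value: {pin}",
        ]
    return "\n".join(lines) + "\n"


# Constructed sample list in the same column order as the post's list.
EXAMPLE_SERVERS = [
    ("dot.example.net", "2001:db8::1", 853,
     spki_pin(constructed_spki(b"constructed-key-1"))),
    ("dot2.example.net", "2001:0db8:0000::0002", 443,
     spki_pin(constructed_spki(b"constructed-key-2"))),
]


if __name__ == "__main__":
    print(upstream_entries(EXAMPLE_SERVERS))
```

The well-formedness check catches the common copy-and-paste damage (a dropped character, a stray space) but cannot tell a stale pin from a current one; only a connection to the resolver with tls_authentication set to GETDNS_AUTHENTICATION_REQUIRED does that.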