SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS

Started by directnupe, May 05, 2018, 08:27:52 AM

Just to let people know: if you upgrade to the latest version of OPNsense you will lose Stubby.
They updated Unbound to 1.8.1, and after the update the binary for Stubby gets deleted.

Dear Nekromantik,

SEE POST HERE FOR THE SOLUTION :

https://forum.opnsense.org/index.php?topic=10062.0



Dear Community -

ALWAYS READ ENTIRE GUIDE FIRST BEFORE BEGINNING FOR BEST RESULTS

Some folks are dreading that upgrading to Opnsense 18.7.6, which ships with UNBOUND 1.8.1, breaks GETDNS and STUBBY. It ain't necessarily so! Here are the solutions:

SECTION A

For Opnsense Ports Installation of GETDNS and STUBBY
1- If you installed GETDNS and STUBBY using Opnsense Ports - see this post :

https://forum.opnsense.org/index.php?topic=8748.0


The KEY is to remove GETDNS and STUBBY and all of the configuration files BEFORE YOU UPGRADE !

2 - Then upgrade to Opnsense 18.7.6 which will install UNBOUND 1.8.1

3 - Now re-install the upgraded GETDNS/STUBBY port, which is now getdns-1.4.2_1. This will compile and be built against UNBOUND 1.8.1, which is why the port was upgraded: to work with UNBOUND 1.8.1. getdns-1.4.2 was for UNBOUND 1.7.3, and, well, you get the picture; if not, check the screenshot below and/or go here: https://www.freshports.org/dns/getdns/ Note: pay particular attention to this entry:

18 Sep 2018 18:24:05
Original commit files touched by this commit  1.4.2_1
Revision:480056
dns/unbound: update to 1.8.0
Bump PORTREVISION on to consumers due to library major version change


For instance, I have a PfSense 2.4.4 edge router set up and it uses UNBOUND 1.7.3; getdns 1.4.2_1 will break UNBOUND there, as getdns 1.4.2 is what it needs. getdns 1.4.2_1 has different library requirements which are not suitable for UNBOUND 1.7.3, so DNS resolution fails. This is why you need to upgrade getdns on Opnsense 18.7.6, as it ships with UNBOUND 1.8.1.

4 - After you upgrade your port installation to getdns-1.4.2_1, all you need to do is refer to the original post here once again: https://forum.opnsense.org/index.php?topic=8611.0 - begin with Step 7 and follow each step from there, and you will be up and running with getdns-1.4.2_1 and UNBOUND 1.8.1 on OpnSense 18.7.6.

SECTION B
For those who use STAND ALONE DNS OVER TLS STUBBY GETDNS PACKAGE
1 - It is necessary to reconfigure Unbound to stop using Stubby for DNS resolution. Go to System > Settings > General and check
     option A, "Allow DNS server list to be overridden by DHCP/PPP on WAN" (click Save). Then go to Services > Unbound DNS > General and remove the contents of the Custom Options box:

server:
  do-not-query-localhost: no
forward-zone:
  name: "."    # Allow all DNS queries
  forward-addr: 127.0.0.1@8053

Save and apply.

2 - After this you must delete the GETDNS package from Opnsense BEFORE YOU UPGRADE to 18.7.6.
First, issue the command (from the command line):
# pkg delete getdns
Then remove the configuration files by issuing these commands:
# rm /usr/local/etc/rc.d/stubby.sh
# rm /usr/local/etc/stubby/stubby.yml
# rm /etc/rc.conf.d/stubby

3- Now upgrade to OpnSense 18.7.6 along with UNBOUND 1.8.1
Now all you need to do is build and install your new package getdns-1.4.2_1.txz.
You do that by following the guide here: https://forum.opnsense.org/index.php?topic=8759.0
As Opnsense Tools installs FreeBSD-synced ports on your FREEBSD Build Server, you will also get
getdns-1.4.2_1, which is designed to work with UNBOUND 1.8.1.
After you have built your getdns-1.4.2_1.txz package on your FREEBSD BUILD SERVER, go to Step 8.

Special Circumstances:
If you already have an existing FREEBSD Build Server with an outdated getdns port on it, then you must remove that getdns port before building a new one. In order to accomplish that task see here: https://forum.opnsense.org/index.php?topic=8748.0 and follow and complete Step 1 and Step 2. Now, since Opnsense Tools is already installed on your existing FREEBSD BUILD SERVER, you need to update your ports collection. You do that by following these two steps: A - cd /usr/tools and B - make update. It's that simple. After the ports collection and everything is updated, you proceed thusly:
1 -  Go to this page : https://forum.opnsense.org/index.php?topic=8759.0 and complete procedures Step 6 and Step 7
2 - After creating your getdns-1.4.2_1.txz package on your FREEBSD BUILD SERVER simply go to Section B above in this tutorial and follow Steps 1, 2, and 3** in order to get your OpnSense Box up and running with getdns-1.4.2_1 and UNBOUND 1.8.1 on OpnSense 18.7.6

**( obviously you can skip creating another getdns-1.4.2_1.txz package in Step 3 as you have already done so earlier on in this process )

END PART B

The two major things to remember are to either de-install the GetDns port or delete the GETDNS package PRIOR to upgrading to Opnsense 18.7.6.

Then upgrade port or build and re-install upgraded package depending on which method you first used to deploy GETDNS and STUBBY on your OpnSense box.

I hope this helps and I have done this myself and it is GUARANTEED to work!

Peace,

directnupe


Parting Thoughts:
For those who in the future may worry about GETDNS and STUBBY ever being broken due to an UNBOUND DNS version being updated or upgraded, let me say this. You were not paying attention when I told you all from the very beginning that:

For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OPENDNSSEC and now GETDNS ( and STUBBY ) see here: https://www.nlnetlabs.nl/   https://www.nlnetlabs.nl/projects/getdns/

So, as NLnet Labs develops both UNBOUND and GETDNS (along with STUBBY), I am sure that they will do their best to make sure that both of these work well together. If you notice, GETDNS 1.4.2_1 has been out since mid September 2018, as has UNBOUND 1.8.0. The main issue and concern is when the distro that you are using is going to integrate and update these packages. For example, OpenWrt is on Unbound 1.8.2 and GETDNS 1.4.2_2, while on Pfsense it's Unbound 1.7.3 and GETDNS 1.4.2.
See here for further info: https://repology.org/metapackage/getdns/versions - even for FREEBSD  - it lists the Maintainer as zi@freebsd.org which is correct but lists GETDNS version as 1.4.2 - which is incorrect. We know that the current version for FREEBSD ports is GETDNS 1.4.2_1 - The major point is that NLnet Labs  is running " The Whole GETDNS STUBBY / UNBOUND Show " - so that is a good thing that one developer is handling all components needed for DNS OVER TLS ( aka DNS Privacy Project ).

Notice that this Commit was Submitted by jaap@NLnetLabs.nll (maintainer) in order to fix GETDNS so that it will work with new dns/unbound: update to 1.8.0 - which proves that NLnetLabs.nl is actively involved with development and maintenance of UNBOUND GETDNS and STUBBY

See here for FREEBSD GETDNS COMMIT FOR UNBOUND 1.8.1:


Dear Nekromantik,
Hello and you are welcome. As far as your question, how do you confirm you are running 1.4.2_1 and not 1.4.2?
The answer is that when you first go to configure GETDNS it will indicate the version. Also, the version of GETDNS on OpnSense and FreeBSD Ports is 1.4.2_1.
So you could not install 1.4.2 even if you wanted to, because it is no longer in the upstream FreeBSD or Opnsense repositories.
Just do it! The way to check the version of any package installed or available in any FREEBSD distro is to type pkg info; this command will list all packages you have installed. To see a specific program, you add the package name to the command, for example in this case pkg info getdns, which will give you all the package release information and also let you know what version is installed on your Opnsense instance, or which version of getdns is available for you to install in your repos. You will not find GETDNS in the Opnsense default repos; that is why we must use Ports and/or build the getdns package through ports in order to install getdns and stubby.

Peace and God Bless,

directnupe
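The post above (Section B, steps 1 and 2) and this reply describe two checks by hand: confirming the installed getdns/unbound pairing with pkg info, and removing the three Stubby files before the upgrade. The script below is an added example, not code from the thread or from the getdns/OPNsense projects, that puts both into functions you can run. It assumes the pairing rule exactly as the post states it (getdns 1.4.2 for Unbound 1.7.x, getdns 1.4.2_1 for Unbound 1.8.x; anything else is reported as a mismatch), the three file paths the post lists, and a hypothetical ROOT prefix argument so the cleanup can be rehearsed against a scratch directory before touching the firewall.

```sh
#!/bin/sh
# Added example: pre-upgrade helper for the getdns/stubby + unbound pairing.
# Pairing rule and file paths are taken from the forum post; the "root" prefix
# on stubby_cleanup is a hypothetical argument so it can be dry-run in a tmpdir.

# Port revision of a pkg name such as "getdns-1.4.2_1" -> "1"; no "_N" -> "0".
pkg_portrevision() {
    case "$1" in
        *_*) printf '%s\n' "${1##*_}" ;;
        *)   printf '0\n' ;;
    esac
}

# Upstream version without name or port revision: "unbound-1.8.1" -> "1.8.1".
# Assumes a single-word package name (getdns, unbound), as on this page.
pkg_version() {
    v="${1#*-}"
    printf '%s\n' "${v%%_*}"
}

# Rule stated in the post: getdns 1.4.2 (rev 0) was built against libunbound
# from unbound 1.7.x; getdns 1.4.2_1 was rebuilt for the 1.8.x library bump.
# Exit 0 when the pair matches, 1 otherwise (unknown combinations count as
# mismatches, which is the safe answer before an upgrade).
getdns_matches_unbound() {
    gver=$(pkg_version "$1"); grev=$(pkg_portrevision "$1")
    uver=$(pkg_version "$2"); umajmin="${uver%.*}"      # "1.8.1" -> "1.8"
    [ "$gver" = "1.4.2" ] || return 1
    case "$umajmin:$grev" in
        1.7:0) return 0 ;;
        1.8:1) return 0 ;;
        *)     return 1 ;;
    esac
}

# Remove the three Stubby files the post lists (rc script, config, rc.conf.d
# entry) under an optional root prefix. Prints the number of files removed to
# stdout; each removed path goes to stderr so the count stays machine-readable.
stubby_cleanup() {
    root="${1:-}"
    removed=0
    for f in /usr/local/etc/rc.d/stubby.sh \
             /usr/local/etc/stubby/stubby.yml \
             /etc/rc.conf.d/stubby; do
        if [ -e "$root$f" ]; then
            rm -f -- "$root$f"
            echo "removed $root$f" >&2
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Live mode (only when invoked with --run on the OPNsense box): query the
# installed package versions with pkg, report the pairing, and if the pair is
# out of step do what the post says: pkg delete getdns and remove the files.
if [ "${1:-}" = "--run" ]; then
    g=$(pkg query '%n-%v' getdns 2>/dev/null || echo "getdns-none")
    u=$(pkg query '%n-%v' unbound 2>/dev/null || echo "unbound-none")
    if getdns_matches_unbound "$g" "$u"; then
        echo "$g and $u are a matching pair"
    else
        echo "$g does not match $u: removing getdns before upgrade"
        pkg delete -y getdns
        stubby_cleanup ""
    fi
fi
```

Run it with --run on the firewall only after the Unbound custom options from Section B step 1 have been cleared; otherwise Unbound keeps forwarding to 127.0.0.1@8053 with nothing listening there and resolution fails during the upgrade window.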

I have read the whole thread, but my question is: is changing the DNS server settings still working? I found the solution: if I reset the IP configuration, I resolve the issue easily. Is it useful to do?
Resource Link: https://validedge.com/dns_probe_finished_bad_config/

A more lightweight approach to DNS-over-TLS is described here:

https://forum.opnsense.org/index.php?topic=7811.0


Working fine with OpenSSL; needs some care on 19.1.4 with LibreSSL:

https://forum.opnsense.org/index.php?topic=11657.msg55526#msg55526
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I had been using what is described in:
  https://forum.opnsense.org/index.php?topic=7811.0
since it was proposed, and it worked fine until 19.1.4 and 19.1.5, but now it results in DNS leaks while using a VPN. The logs actually look OK, but various DNS leak tests fail. I even rebuilt unbound 1.8.1 manually as proposed in the other thread, but that didn't change anything. I really liked using this DNS TLS stuff, but I need to get rid of it just to fix the leak.

Hi all,

Using this guide, I am trying to get Stubby / GetDNS running on my machine but I have come across an issue in step # 3 which is preventing me from going further.

My fresh install:

OPNsense 19.1.10-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019
Unbound 1.9.2

This is the step I am having problems with:

Step 3: Proceed and complete the Opnsense Ports install with the following commands: (Note that this is designed for Opnsense 18.7 variants; however, I believe that it will work with all Opnsense versions, but I have not tested that proposition.)

# cd /etc
# fetch https://raw.githubusercontent.com/opnsense/tools/master/config/18.7/make.conf


Returns the following errors:

root@OPNsense:~ # cd /etc
root@OPNsense:/etc # fetch https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf
fetch: https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf: No address record
root@OPNsense:/etc # fetch https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf
fetch: https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf: No address record


As can be seen, I tried modifying the path provided in the guide but it won't work in the command line. I am not sure what is wrong. Perhaps I have missed something with all the changes.

Help please!

Step 1: fix your internet connectivity.
Step 2: # pkg install getdns
Step 3: (already done installing)


Cheers,
Franco

Hey franco,

Many thanks for your help.

I managed to get all the way through the installation phase. It's a shame the mods to this section didn't provide an update to complement the excellent guide(s) written by @directnupe.

Now I am just trying to figure out how to select localhost on the interfaces section when the option to select it is no longer there! Another change perhaps??

Many thanks,
Amanaki