OPNsense Forum » Archive » 21.7 Legacy Series » Unbound DoT uncertainty
Topic: Unbound DoT uncertainty (Read 2596 times)
Imnot A Robot (Newbie, Posts: 28, Karma: 0)
Unbound DoT uncertainty, posted December 09, 2021, 05:48:34 pm
The 1.1.1.1/help webpage shows "NO" on using DNS over TLS. However, Connectivity to Resolver IP Address is "YES".
I guess it's a Cloudflare engineering issue as per this post:
https://community.cloudflare.com/t/cloudflare-dot-and-dnssec/118414/17
Still, any concerns with this log?
[65483:1] info: Verified that unsigned response is INSECURE
[65483:1] info: NSEC3s for the referral proved no DS.
[65483:1] info: reply from <.> 1.1.1.1#853
I already have FIREWALL and NAT>PORT FORWARD rules for port 53 as per OPNsense forum:
https://forum.opnsense.org/index.php?topic=9245.0
Do I have to include port 853 rules anywhere in the firewall?
Thanks,
Chris
21.7.6
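The validator messages quoted in the post above are worth reading mechanically. The following is an added example, not code from the thread, from OPNsense or from Unbound: it classifies Unbound validator log lines into the three outcomes the validator can reach (SECURE for a signed and verified answer, INSECURE for a zone proven unsigned by an NSEC/NSEC3 "no DS" proof, BOGUS for a "validation failure"), and reads the "reply from <zone> address#port" lines to see which forwarder answered and on which port. The two lines quoted in the post are the normal INSECURE outcome for an unsigned zone, not an error. A reply on port 853 shows the forwarder is configured on the DoT port; whether the TLS session authenticated the server depends on the Unbound configuration, not on this log line. The sample log is constructed from the thread's lines plus one bogus and one plaintext reply that are assumed for the demo; the "validation failure" wording is Unbound's, the rest of that line is made up.

```python
"""Added example (not from the thread, OPNsense or Unbound): classify Unbound
validator log lines and check which forwarder/port answered."""
import re
from collections import Counter

# Unbound log line: optional "timestamp unbound[pid]" prefix, "[pid:thread]", level, message.
LINE_RE = re.compile(
    r"(?:(?P<ts>\S+)\s+unbound\[\d+\]\s+)?\[(?P<pid>\d+):(?P<thread>\d+)\]\s+"
    r"(?P<level>[a-z]+):\s+(?P<msg>.*)$"
)
# "reply from <zone> address#port" names the upstream that answered.
REPLY_RE = re.compile(r"reply from <(?P<zone>[^>]*)> (?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+)")


def classify(msg):
    """Map one validator message to its outcome, or None for non-validator lines."""
    if "validation failure" in msg:
        return "BOGUS"      # signed zone whose signatures did not verify; client gets SERVFAIL
    if "unsigned response is INSECURE" in msg:
        return "INSECURE"   # zone proven unsigned (NSEC/NSEC3 "no DS"): normal, not an error
    if "validation success" in msg:
        return "SECURE"     # signed and verified
    return None


def summarize(log_text, dot_port="853"):
    """Count validator outcomes and upstream replies; list replies not on the DoT port."""
    outcomes, upstreams, non_dot = Counter(), Counter(), []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        outcome = classify(msg)
        if outcome:
            outcomes[outcome] += 1
        r = REPLY_RE.search(msg)
        if r:
            key = f"{r['addr']}#{r['port']}"
            upstreams[key] += 1
            if r["port"] != dot_port:
                non_dot.append(key)   # a plaintext forwarder sneaked in
    return {"outcomes": dict(outcomes), "upstreams": dict(upstreams), "non_dot_replies": non_dot}


# Constructed sample: the thread's lines plus one bogus answer and one plaintext reply (assumed).
SAMPLE_LOG = """\
[65483:1] info: Verified that unsigned response is INSECURE
[65483:1] info: NSEC3s for the referral proved no DS.
[65483:1] info: reply from <.> 1.1.1.1#853
2021-12-25T10:55:06 unbound[60183] [60183:0] info: resolving netflix.com. DS IN
2021-12-25T10:55:06 unbound[60183] [60183:0] info: query response was ANSWER
2021-12-25T10:55:06 unbound[60183] [60183:0] info: reply from <.> 9.9.9.10#853
2021-12-25T10:56:00 unbound[60183] [60183:0] info: validation failure <dnssec-failed.org. A IN>: signature crypto failed
2021-12-25T10:56:00 unbound[60183] [60183:0] info: reply from <.> 8.8.8.8#53
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the output of `unbound-control verbosity 2` logs (or the Unbound log file OPNsense writes) and look for a non-empty `non_dot_replies` list, which means at least one forwarder is still answering on port 53, and for BOGUS counts, which are the only validator outcome that actually breaks resolution.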
sp33dy (Newbie, Posts: 39, Karma: 2)
Re: Unbound DoT uncertainty, Reply #1 on December 25, 2021, 10:55:46 am
I'm having a similar problem. It had been working but it is not anymore; I found out when I randomly checked the 1.1.1.1/help page.
2021-12-25T10:55:06 unbound[60183] [60183:0] info: Verified that unsigned response is INSECURE
2021-12-25T10:55:06 unbound[60183] [60183:0] info: NSEC3s for the referral proved no DS.
2021-12-25T10:55:06 unbound[60183] [60183:0] info: resolving amazonaws.com. DS IN
2021-12-25T10:55:06 unbound[60183] [60183:0] info: Verified that unsigned response is INSECURE
2021-12-25T10:55:06 unbound[60183] [60183:0] info: NSEC3s for the referral proved no DS.
2021-12-25T10:55:06 unbound[60183] [60183:0] info: resolving netflix.com. DS IN
2021-12-25T10:55:06 unbound[60183] [60183:0] info: query response was ANSWER
2021-12-25T10:55:06 unbound[60183] [60183:0] info: reply from <.> 9.9.9.10#853
ideas?
Qotom i7-7500u 16gb 128ssd
Reactive (Newbie, Posts: 2, Karma: 1)
Re: Unbound DoT uncertainty, Reply #2 on December 27, 2021, 01:41:05 am
I'm finding that if I turn off DNSSEC it works. From what I have read elsewhere, DNSSEC becomes irrelevant if using DoT. I'm not sure if that is correct.
I'd love it if someone set up a simple, correct guide on how to get DoT up and running with CF. A lot of config options have changed since the GUI was updated and I can't really make heads or tails of it anymore.
I have it running, I'm just not sure if it's the correct way, as it seems to choke a bit sometimes.
KHE (Full Member, Posts: 229, Karma: 18)
Re: Unbound DoT uncertainty, Reply #3 on December 27, 2021, 08:52:13 am
Quote from: Reactive on December 27, 2021, 01:41:05 am
> From what I have read elsewhere, DNSSEC becomes irrelevant if using DoT.
Ah, WRONG.
DoT, DoH and DoQ only take care of the privacy of your DNS queries.
DNSSEC takes care of the authenticity of the answer.
More here:
https://www.netmeister.org/blog/doh-dot-dnssec.html
KH
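KHE's distinction above, transport privacy from DoT and answer authenticity from DNSSEC, can be checked mechanically, since the two are configured by separate Unbound options and either can be on while the other is off. The following is an added example, not OPNsense's or Unbound's own code: a minimal unbound.conf parser plus an audit that reports a missing validator module or trust anchor (DNSSEC), and cleartext forwarding, a forwarder on a port other than 853, a missing CA bundle or a missing `#authname` on a forwarder (DoT without server authentication). The option names are standard Unbound ones (`module-config`, `auto-trust-anchor-file`, `tls-cert-bundle`, `tls-system-cert`, `tls-upstream`, `forward-tls-upstream`, `forward-addr` with `@port#authname`); the three sample configurations are constructed for the demo and the file paths in them are placeholders, not OPNsense's actual locations. The parser only handles the `section:` / `key: value` subset of the syntax that these checks need.

```python
"""Added example (not OPNsense's or Unbound's code): audit an unbound.conf for the two
independent properties from the thread, DoT transport (privacy) and DNSSEC (authenticity).
Sample configs are constructed; paths are placeholders."""
import re

SECTIONS = {"server", "forward-zone", "stub-zone", "auth-zone", "view",
            "remote-control", "python", "dnstap", "cachedb", "rpz"}
ANCHOR_KEYS = ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor", "trusted-keys-file")


def _strip_comment(line):
    # In unbound.conf a '#' starts a comment only at line start or after whitespace;
    # inside a token it is the forward-addr "#authname" separator and must survive.
    return re.sub(r"(^|\s)#.*$", "", line)


def parse_unbound_conf(text):
    """Return [(section, {key: [values]})] in file order (section:/key: value subset)."""
    sections, current = [], None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        m = re.match(r"([A-Za-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key in SECTIONS and not value:
            current = (key, {})
            sections.append(current)
        elif current is not None:
            current[1].setdefault(key, []).append(value)
    return sections


def split_forward_addr(value):
    """'ip[@port][#authname]' -> (ip, port, authname); Unbound defaults the port to 53."""
    addr, _, authname = value.partition("#")
    ip, sep, port = addr.rpartition("@")
    if not sep:
        ip, port = addr, "53"
    return ip, port, authname


def audit(conf_text):
    """Return [(code, detail)] findings; an empty list means DoT and DNSSEC both look right."""
    findings, server = [], {}
    sections = parse_unbound_conf(conf_text)
    for name, kv in sections:
        if name == "server":
            for k, v in kv.items():
                server.setdefault(k, []).extend(v)
    # DNSSEC: the validator module is on unless module-config drops it,
    # but it proves nothing without a trust anchor.
    modules = server.get("module-config", ["validator iterator"])[0].split()
    if "validator" not in modules:
        findings.append(("NO_VALIDATOR", "module-config has no validator; answers are never checked"))
    elif not any(k in server for k in ANCHOR_KEYS):
        findings.append(("NO_TRUST_ANCHOR", "validator enabled but no trust anchor configured"))
    has_bundle = "tls-cert-bundle" in server or server.get("tls-system-cert", ["no"])[0] == "yes"
    global_tls = server.get("tls-upstream", ["no"])[0]
    # DoT: transport and certificate checks, per forward-zone.
    for name, kv in sections:
        if name != "forward-zone":
            continue
        zone = kv.get("name", ["?"])[0]
        tls = kv.get("forward-tls-upstream", [global_tls])[0]
        if tls != "yes":
            findings.append(("NO_TLS_UPSTREAM", f"zone {zone}: forwarding in cleartext"))
            continue
        if not has_bundle:
            findings.append(("NO_CERT_BUNDLE", f"zone {zone}: TLS on but no CA bundle, certs unverified"))
        for value in kv.get("forward-addr", []):
            _ip, port, authname = split_forward_addr(value)
            if port != "853":
                findings.append(("NON_853_PORT", f"{value}: TLS on but port {port}"))
            if not authname:
                findings.append(("NO_AUTHNAME", f"{value}: no #authname, server identity unchecked"))
    return findings


# Constructed samples (not from the thread); file paths are placeholders.
WEAK_PLAINTEXT = """\
server:
    module-config: "iterator"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
"""
WEAK_UNAUTHENTICATED = """\
server:
    # validator is on by default, but there is no trust anchor
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853
"""
HARDENED = """\
server:
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 9.9.9.10@853#dns.quad9.net
"""

if __name__ == "__main__":
    for label, conf in (("plaintext", WEAK_PLAINTEXT), ("unauthenticated", WEAK_UNAUTHENTICATED), ("hardened", HARDENED)):
        print(label, audit(conf) or "OK")
```

The second sample is the case the thread circles around: encryption is on and the help page may still be unhappy, because the forwarder's certificate is never checked against a name and the validator has no anchor to work from. Turning DNSSEC off, as Reactive tried, removes a finding from the DNSSEC column and changes nothing in the DoT column.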