Sanity Check on Unbound/Cloudflare Config

Started by fakebizprez, June 19, 2025, 05:33:02 PM

I'm using Unbound w/ Cloudflare for DNS over TLS. I just want to make sure there is nothing out of whack in my config.

Sometimes the clients on our VPN server have issues when this DNS over TLS config is activated:

[services.unbound.dns_over_tls]
use_system_nameservers = false

[[services.unbound.dns_over_tls.forwarding]]
enabled = true
domain = ""
server_ip = "1.1.1.1"
server_port = 853
forward_first = false
verify_cn = "dns.cloudflare.com"
description = "IPv4 DoT"

[[services.unbound.dns_over_tls.forwarding]]
enabled = true
domain = ""
server_ip = "1.0.0.1"
server_port = 853
forward_first = false
verify_cn = "dns.cloudflare.com"
description = "IPv4 DoT Backup"

[[services.unbound.dns_over_tls.forwarding]]
enabled = true
domain = ""
server_ip = "2606:4700:4700::1111"
server_port = 853
forward_first = false
verify_cn = "dns.cloudflare.com"
description = "IPv6 DoT"

[[services.unbound.dns_over_tls.forwarding]]
enabled = true
domain = ""
server_ip = "2606:4700:4700::1001"
server_port = 853
forward_first = false
verify_cn = "dns.cloudflare.com"
description = "IPv6 DoT Backup"
Founder & President of linehaul.ai - a logistics and technology services provider.

It's worth mentioning I used to use `one.one.one.one` but I was told that is incorrect.

Whoever told me that was incorrect was wrong, because there are connectivity issues unless I'm using `one.one.one.one`.

Just confirmed. 🙃

I think the official CN for Cloudflare DNS is "cloudflare-dns.com", not "dns.cloudflare.com", see: https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/. Thus, your certificate verification could fail, although IDK if Cloudflare uses multi-domain certificates.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

June 19, 2025, 07:54:29 PM #4 Last Edit: June 19, 2025, 07:56:04 PM by fakebizprez
Quote from: meyergru on June 19, 2025, 06:58:04 PM
I think the official CN for Cloudflare DNS is "cloudflare-dns.com", not "dns.cloudflare.com", see: https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/. Thus, your certificate verification could fail, although IDK if Cloudflare uses multi-domain certificates.

They have so many it gets confusing, but this is from the link you sent me:
Quote:
kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com

June 19, 2025, 07:55:54 PM #5 Last Edit: June 19, 2025, 07:58:30 PM by meyergru
Look at line 4 of the example in my link. You will find the CN of the certificate there.

Also:

# openssl s_client -connect 1.1.1.1:853
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  2 00:00:00 2025 GMT; NotAfter: Jan 21 23:59:59 2026 GMT
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 30 00:00:00 2021 GMT; NotAfter: Mar 29 23:59:59 2031 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4161 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
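The point of the exchange above is that verify_cn only helps if it names something the upstream certificate actually carries (CN or a subjectAltName). Here is an added sanity-check script, not from the thread, OPNsense or Unbound, that parses forwarding entries in the format posted above and checks each verify_cn with RFC 6125-style name matching. The CN in the sample name list is taken from the openssl output; the wildcard and one.one.one.one SAN entries are assumptions, and the parser is a minimal one for this format rather than a TOML library.

```python
"""Added example, not from the thread or OPNsense: check verify_cn against certificate names."""
TABLE = "[[services.unbound.dns_over_tls.forwarding]]"
def parse_forwarders(text):
    """Minimal parser for the config format posted in the thread (strings, ints, bools)."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == TABLE:
            cur = {}
            entries.append(cur)
        elif cur is not None and "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if val.startswith('"'):
                cur[key] = val.strip('"')
            elif val in ("true", "false"):
                cur[key] = val == "true"
            else:
                cur[key] = int(val)
    return entries

def name_matches(cert_name, expected):
    """RFC 6125-style match: exact, or a '*.' wildcard covering exactly one label."""
    cert_name, expected = cert_name.lower().rstrip("."), expected.lower().rstrip(".")
    if cert_name == expected:
        return True
    if cert_name.startswith("*.") and "*" not in cert_name[2:]:
        return "." in expected and cert_name[2:] == expected.partition(".")[2]
    return False

def check_forwarders(entries, cert_names):
    """(description, verify_cn, ok) per enabled forwarder. An empty verify_cn fails on
    purpose: TLS with no name to verify against accepts any certificate."""
    results = []
    for e in entries:
        if e.get("enabled", True):
            expected = e.get("verify_cn", "")
            ok = bool(expected) and any(name_matches(n, expected) for n in cert_names)
            results.append((e.get("description", e.get("server_ip")), expected, ok))
    return results

# Constructed sample: the CN comes from the openssl output in the thread; the wildcard and
# one.one.one.one SANs are assumed (check with: openssl x509 -noout -ext subjectAltName).
ASSUMED_CERT_NAMES = ["cloudflare-dns.com", "*.cloudflare-dns.com", "one.one.one.one"]
SAMPLE_CONFIG = """[[services.unbound.dns_over_tls.forwarding]]
server_ip = "1.1.1.1"
verify_cn = "dns.cloudflare.com"
[[services.unbound.dns_over_tls.forwarding]]
server_ip = "1.0.0.1"
verify_cn = "cloudflare-dns.com"
"""
```

Run `check_forwarders(parse_forwarders(SAMPLE_CONFIG), ASSUMED_CERT_NAMES)` to see the first entry reported as a mismatch and the second as OK; feed it the real name list from the server certificate to check a live config.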

I got tied up at work, but I'll check afterwards. I think I recall them using both one.one.one.one and cloudflare-dns.com; one as a backup and one as a primary.

We're going to be transitioning from WireGuard to Cloudflare's ZeroTrust/Access WARP platform by Q4, and then we'll have another DNS from them that comes with Carrier Grade NAT. I'll be practicing my captcha skills until then.