configuring DoT or DoH

Started by robertkwild, September 10, 2025, 06:48:42 PM

hi all,

just want to know whether OPNsense supports configuring DoT (DNS over TLS) or DoH (DNS over HTTPS)

if so, which one should I use so my ISP can't spy on me and see what I'm doing

thanks,
rob


Download the plugin called os-dnscrypt-proxy and set that up. I recommend going to Unbound and using Query Forwarding to dnscrypt; that way you can still use Unbound for local DNS and use its filter or blocklists.

I noticed that dnscrypt is so fast using DoH.

You can still use Unbound for local resolution if you use DoT for outside access - there is no need for an additional resolver.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I realized I didn't answer all your questions.

Quote from: robertkwild on September 10, 2025, 06:48:42 PM
my ISP not to spy on me and see what im doing

Well, unless you use Tor or a VPN, that is impossible.
DoH seems safer in my eyes, but DoT should be just as secure.
Either way, all your ISP would see is IP, ports, time and packet type. Not even whether you went to facebook.com. But they might know that Facebook uses the 1.2.3.4 IP, so that is a giveaway. But they can't really see much more. Time as in when you went there, and of course how long.

Not to go into a debate, but you only trust your VPN provider. Who says they don't do the same?

Quote from: meyergru on September 10, 2025, 10:03:16 PM
You can still use Unbound for local resolution if you use DoT for outside access - there is no need for an additional resolver.

Yes, of course, but I do not recommend that. I tried it in many environments, and all suffer bad performance and high latency. Not even sure it actually does what it's supposed to?

It does - and I do not see any latency issues with DNSbench.

BTW: your other post is misleading: The ISP actually can see what site you are accessing - and they do not even need you to use unencrypted DNS: Almost any website today uses TLS, but there still is SNI, so unless the website has ESNI or ECH, the name of the site still goes unencrypted, even if the target IP is not a dead giveaway in itself.

That is the reason why modern browsers do ECH and DoT/DoH by default. You do not need to configure that on your firewall.

You can check for all of that here: https://www.cloudflare.com/de-de/ssl/encrypted-sni/

September 11, 2025, 11:00:28 AM #7 Last Edit: September 11, 2025, 11:11:33 AM by robertkwild
so reading this guide

https://docs.opnsense.org/manual/unbound.html#dns-over-tls

I'll go here

services > unbound dns > dns over tls - add

fill it in with either Cloudflare, Google or Quad9

do I need to do the "advanced configurations"?

this is DoT; is "os-dnscrypt-proxy" DoH?

which one is better to use?

basically the reason I'm asking is because I got a block page from my ISP when trying to access a website

I don't understand why I got a block page from them, as I'm not using my ISP's DNS

under

system > settings > general

I'm using 8.8.8.8, 1.1.1.1 and 9.9.9.9

and I have unticked both "DNS server options":

allow DNS server list to be overridden by DHCP/PPP
do not use the local DNS service as a nameserver

on my main PC I have changed my DNS IP to that of my OPNsense LAN IP
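As an added illustration (not the poster's settings and not the unbound.conf OPNsense generates), the two forwarding styles the thread compares written as raw Unbound configuration: plain forwarding on port 53 beside the DNS-over-TLS forwarding that the "DNS over TLS" entries under Services > Unbound DNS amount to. Quad9's addresses and its TLS authentication name dns.quad9.net are public values; the CA bundle path is assumed.

```conf
# Added example, not taken from the thread or from OPNsense's generated file.
# Use ONE of the two forward-zone fragments below; two "." zones in one file
# is a configuration error.

# BEFORE: classic forwarding over UDP/TCP 53. Every query name crosses the
# ISP link in clear text and any on-path box can answer in the upstream's
# place, which is how a "wrong" resolver can show up on a DNS leak test even
# though 9.9.9.9 is what was configured.
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-addr: 149.112.112.112

# AFTER: DNS over TLS. Queries go to port 853 inside TLS and the upstream
# certificate is checked against the CA bundle (path assumed; adjust to the
# system's bundle) and against the hostname after the "#".
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Leaving out the "#hostname" part still encrypts the session but skips authentication of the upstream, so the check that the site being used is really Quad9 is lost; with it, a verification page such as dnscheck.tools should report the DoT provider rather than the ISP.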

nice, so now I'm using DoT

before I was using the DNS settings under system > settings > general

and when I went to

https://ipleak.net/

my DNS was coming back as my ISP's DNS even though I had it using Google, Quad9 or Cloudflare

since I changed to DoT and refreshed the page my DNS is now Google/Quad9/Cloudflare, so all good

has anyone else experienced this?

Quote from: meyergru on September 10, 2025, 10:23:51 PM
It does - and I do not see any latency issues with DNSbench.

BTW: your other post is misleading: The ISP actually can see what site you are accessing - and they do not even need you to use unencrypted DNS: Almost any website today uses TLS, but there still is SNI, so unless the website has ESNI or ECH, the name of the site still goes unencrypted, even if the target IP is not a dead giveaway in itself.

That is the reason why modern browsers do ECH and DoT/DoH by default. You do not need to configure that on your firewall.

You can check for all of that here: https://www.cloudflare.com/de-de/ssl/encrypted-sni/

You're absolutely right! It is a shame that ECH isn't better implemented though.
From my understanding ECH is somewhat implemented in DNSCrypt. Of course very few have implemented it server side as well, making it mostly useless for now?

But I still stand by what I said about Unbound being slow.

OP, you should test these sites as well:
https://cmdns.dev.dns-oarc.net/
https://dnscheck.tools/

nice, yeah I did

https://dnscheck.tools

and that's what got me down this rabbit hole; it was my ISP's DNS even though I changed my system nameservers to Quad9/Google/Cloudflare

but now it's WoodyNet, i.e. Quad9, since I set up DoT

do I need to make a FW rule, as it says on the page, to block outgoing 53?

You should not block it, but redirect it to your own DNS service, like discussed here:

https://forum.opnsense.org/index.php?topic=48710.0

That way, you essentially redirect any device that tries to use another DNS service to your OPNsense and block DoT and DoH; however, notice that this will break browsers that want to use it, until you reconfigure them to use your own DNS.
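The redirect-instead-of-block approach described above, written out as a raw pf fragment as an added illustration; it is not OPNsense's generated ruleset (the GUI builds the equivalent under Firewall > NAT > Port Forward), and the LAN interface name and firewall address are assumed.

```conf
# Added illustration in FreeBSD pf syntax, not rules taken from the thread.
# Assumed values: LAN interface igc1, OPNsense LAN address 192.168.1.1
lan_if = "igc1"
lan_dns = "192.168.1.1"

# Plain DNS (UDP/TCP 53) that a LAN host sends to any address other than the
# firewall itself is rewritten to the firewall's own Unbound. The client still
# believes it talked to 8.8.8.8, but the answer came from the local resolver,
# which forwards over DoT; no LAN host reaches the ISP on port 53 any more.
rdr pass on $lan_if inet proto { tcp udp } from any to ! ($lan_if) port 53 -> $lan_dns port 53

# DoT (TCP 853) from LAN hosts is dropped. The firewall's own DoT session to
# the upstream leaves via WAN, so this rule on the LAN side does not touch it.
block drop quick on $lan_if inet proto tcp from any to any port 853

# There is no port-based equivalent for DoH: it shares TCP 443 with ordinary
# HTTPS, so a browser with its own DoH setting keeps working until it is
# reconfigured to use the firewall's resolver, as the post above notes.
```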

Quote from: robertkwild on September 10, 2025, 06:48:42 PM
hi all,

just want to know whether opnsense supports configuring DoT DNS over TLS or DoH DNS over HTTPS

if so what one should i use for my ISP not to spy on me and see what im doing

thanks,
rob

Is there a need to use the FW as DNS server for your internal hosts?
If not, then just configure your host or browser to do DoH.
The FW is just grabbing updates, so what is your ISP spying on? The ISP would still see IP and such.
Next best thing is to VPN to someplace else.