DNS OVER TLS ABSOLUTE BEST CONFIGURATION FOR STUBBY IPV4 AND/OR IPV6

[directnupe]

This tutorial speaks for itself

Supplement for Topics: https://forum.opnsense.org/index.php?topic=8579.0 https://forum.opnsense.org/index.php?topic=8759.0 and https://forum.opnsense.org/index.php?topic=8611.0

These are the best DNS PRIVACY NAME SERVERS for the detailed reasons listed below.

Edit your /usr/local/etc/stubby/stubby.yml - SSH and enter nano /usr/local/etc/stubby/stubby.yml - Use this Stubby configuration below:

#This link below for Stubby with Unbound Resolver :
#See here for how to configure Stubby:
#https://github.com/getdnsapi/stubby

resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128

edns_client_subnet_private : 1

idle_timeout: 60000 # keep-alive for 1 min, for better performance

listen_addresses:
  - 127.0.0.1@8053   ## Stubby / Unbound ## Default Address/Port

round_robin_upstreams: 1

upstream_recursive_servers:
# IPV4 Servers
# The getdnsapi.net Server
  - address_data: 185.49.141.37
    tls_port: 853
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
# The Fondation RESTENA Server
  - address_data: 158.64.1.29
    tls_auth_name: "kaitain.restena.lu"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
### Test servers ###
## Surfnet/Sinodun Servers
  - address_data: 145.100.185.17
    tls_port: 853
    tls_auth_name: "dnsovertls2.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
# The securedns.eu Server
  - address_data: 146.185.167.43
    tls_auth_name: "dot.securedns.eu"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
# The dns.cmrg.net Server
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
# DNSPRIVACY.at Primary DNS TLS Server
  - address_data: 94.130.110.185
    tls_port: 853
    tls_auth_name: "ns1.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
# DNSPRIVACY.at Secondary DNS TLS Server
  - address_data: 94.130.110.178
    tls_port: 853
    tls_auth_name: "ns2.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
# The dns.neutopia.org Server
  - address_data: 89.234.186.112
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
### Anycast services ###
#Tenta ICANN DNS TLS Primary Server
  - address_data: 99.192.182.200
    tls_auth_name: "iana.tenta.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: nPzhfahBmQOFKbShlLBymTqPtZY31bPpKFnh0A86ys0=

All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details : https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under " Logging " column.

DNS query name minimisation to improve privacy, along with DNS resolution speed and accuracy - Run Test After Completing Full Setup. These name servers listed above help to consistently ensure QNAME Minimisation functions as designed within UNBOUND ( The idea is to minimise the amount of data sent from the DNS resolver to the authoritative name server. )

Use either or both of these two methods to verify QNAME Minimisation
A - Run command : drill txt qnamemintest.internet.nl
and / or
B - Run command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for more complete readout including DNSSEC results ). AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated)
The results in any of these scenarios will show either:
"HOORAY - QNAME minimisation is enabled on your resolver !”
or “NO - QNAME minimisation is NOT enabled on your resolver .”
Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4
You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration.

Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default.
However, I still add these settings manually.
These settings are entered under Unbound " Custom Options":
qname-minimisation: yes
qname-minimisation-strict: yes
harden-below-nxdomain: yes

Configure your Unbound DNS Server to use Stubby for DNS Over TLS.

UNBOUND GENERAL SETTINGS
Network Interfaces = WAN LAN ( all of your LAN interfaces if you have more than one ) And You Must Select Localhost - repeat - You Must Select Localhost !

Under Custom options enter the following :
server:
do-not-query-localhost: no
forward-zone:
name: "." # Allow all DNS queries
forward-addr: 127.0.0.1@8053

Outgoing Network Interfaces = Localhost

Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings

Next -Under System > Settings > General Settings

Set the first DNS Server to 127.0.0.1 with no gateway selected /

Make sure that DNS server option

A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked !

and DNS server option

B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not - I repeat - Is Not Checked !

Optionally, along with 127.0.0.1 enter Tenta nameservers 99.192.182.200 and 99.192.182.100 under System > General Setup > DNS Server Settings > DNS Servers. Things Will Work Fine and as Intended. Your DNS will still resolve using the upstream name servers you selected in stubby.yml - I have found that it is best to use Tenta name servers as " custom DNS servers " for the System. I chose Tenta DNS because their name servers support both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering. Tenta DNS also is the only AnyCast DOT service which includes built-in BGP integration, offering single engine convenience for DNS Anycasting with QNAME minimisation enabled on its' name servers by default. Main benefits of Tenta DNS as the backbone name servers on OpnSense:
A - Stop ISPs from spying on your browser history. DNS-over-TLS adds a layer of encryption over your DNS requests, keeping your ISP from seeing which websites you visit.

B - Stay private online. Tenta DNS logs a counter instead of queries so your data stays private. No one, not even Tenta, has access to your browsing data. These are the folks that developed and support the Tenta Browser see here: https://github.com/tenta-browser/tenta-dns and read About Tenta section at the very bottom of the page.
https://tenta.com/dns-setup-guides

Enjoy,

directnupe

[jclendineng]

Would this work with IPV6 as well? Thank you so much for the tutorial, set this up last night and it works very well.

[directnupe]

Dear jclendineng,
Hello and I hope that you are well. I appreciate your feedback and I am glad that this configuration is working well for you.
As far as IPV6 goes - I will be honest as I do not use it. However the way I put this together is as follows:
1 - First go to this page -  https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/( I mentioned this in tutorials to add GET and STUBBY ).
2 - Next Look along the top row - start with Configuration Matrix this lists the specific DNS PRIVACY Name Servers.
3 - Go to the first Name Server listed under Configuration Matrix - dnsovertls.sinodun.com - then look for V6 then Go across to the QNAME min column. In this instance, you will see that dnsovertls.sinodun.com does not have QNAME minimisation enabled.
4 - Repeat this process for each and every DNS PRIVACY Name Server listed under Configuration Matrix
V6. You also can ( should ) refer to this page as it details proper layout and examples - parts may be a bit outdated. However, there is much useful information.
https://github.com/getdnsapi/stubby/blob/release/0.2.3/stubby.yml.example This is why it is best to to go with " LIVE MONITORING " page for the most current status and features of DNS PRIVACY Name Servers.
once again here: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

In order to save you some time - here is a list of IPV6 DNS PRIVACY Name Servers which are QNAME minimisation enabled:

This list contains in order Hostname for TLS authentication, IP address, TLS Port ( s ) and SPKI pin

getdnsapi.net     2a04:b900:0:100::37   853   foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=

cloudflare-dns.com  2606:4700:4700::1111( or 1001 ) 853  yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

kaitain.restena.lu  2001:a18:1::29  853   7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=

dnsovertls2.sinodun.com  2001:610:1:40ba:145:100:185:17  853  NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=

dns.cmrg.net  2001:470:1c:76d::53  53053/853/ or 443  5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

dot.securedns.eu  2a03:b0c0:0:1010::e9a:3001  853/443     h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=

ns1.dnsprivacy.at   2a01:4f8:c0c:3c03::2  853  vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=

ns2.dnsprivacy.at  2a01:4f8:c0c:3bfc::2  853      s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=

dns.neutopia.org   2a00:5884:8209::2  853 /443  wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
   
PS -
Tenta DNS OVER TLS does not support IPV6 as of yet - but keep checking the DNS PRIVACY Monitoring Page as these things change frequently and all the time. This whole process is relatively new after all. In this case, use Local host 127.0.0.1 and  Cloudflare 1.1.1.1 and 1.0.0.1 DNS SERVERS under System > General Setup > DNS Server Settings > DNS Servers. Cloudflare supports DNS OVER TLS as well. I am not quite sure if you should enter Cloudflare DNS IPV6 Name Servers ( 2606:4700:4700::1111 and 2606:4700:4700::1001 ) here in the case you are using IPV6 blended with IPV4 or IPV6 exclusively.

Peace,

directnupe

[jclendineng]

Thanks!  I only ask because I am using DNS over TLS for all ipv4 requests but I most likely am leaking ipv6 since I am tracking WAN and therefore using my ISP ipv6 dns I would assume.