Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
« previous
next »
Print
Pages: [
1
]
Author
Topic: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS (Read 13024 times)
directnupe
Jr. Member
Posts: 58
Karma: 19
SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
on:
May 02, 2018, 12:19:54 am »
This Guide/Tutorial Is Deprecated Except For QNAME Minimisation and VERY IMPORTANT TIP Sections Below
for informational purposes.
Please Go to
https://forum.opnsense.org/index.php?topic=13487.0
for New Updated Guide for DNS OVER TLS
on OPNsense.
The stubby.yml configuration file below is properly configured along with being up to date with the best DNS PRIVACY SERVERS.
Why I am so damn serious about DNS Privacy ( just watch these when you have time - all at once or in intervals - very educational ):
https://dnsprivacy.org/wiki/display/DP/IETF+DNS+Privacy+Tutorial
https://www.youtube.com/watch?v=JnxE5RPnyiE
https://www.youtube.com/watch?v=2JeYIecfwdc
Active work is also underway at the IETF on DNS-over-HTTP (DOH) but today the only method standardized by the IETF is DNS-over-TLS. In the world of encryption, it's always safer to go with standardized protocols that have gone through a rigorous review process. Unfortunately DNSCrypt has not been standardized yet, and some of the ways it uses cryptography are unusual.
For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OPENDNSSEC and now GETDNS ( and STUBBY ) see here:
https://www.nlnetlabs.nl/
https://www.nlnetlabs.nl/projects/getdns
Dear Opnsense Community,
Hello and I hope that all is well with all. This is a guide / tutorial which explains how to setup adding DNS-Over-TLS support for Opnsense. I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here :
https://getdnsapi.net/
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound
- please read this carefully - you will note that it indicates :
Unbound As A DNS TLS Client Features:
Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).
These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this:
https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt
So here we go.
Before you begin, I would strongly implore you to check for all updates and upgrades and make sure that your Opnsense Box is fully up to date. This is always a recommended and safe way to go.
1 - You can install GetDns and Stubby from Opnsense Ports. Located here -
https://github.com/opnsense/ports/tree/master/dns/getdns
A -
By the way, you will notice that you can can install getdns by issuing command " pkg install getdns ". However, if you do this it will not install Stubby. The only method to get Stubby installed is through FreeBsd Ports and using " make config " option. Stubby is essential - please read the following:
https://dnsprivacy.org/wiki/display/DP/About+Stubby
Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby is developed by the getdns project.
2 - First you must install Opnsense Ports - which is a wonderful feature from Opnsense Developers. Here is how to do just that.
A - pkg install git / you must then configure git.
B - Configuring Git Example - Issue Commands
#
git config --global user.name
"jhon"
#
git config --global user.email
"jhon@example.com"
#
git config --global core.editor
"nano"
You can check that your updates went through by looking at your configuration settings with:
#
git config --list
Example Output
user.name=jhon
user.email=jhon@example.com
core.editor=nano
3 - Proceed and complete Opnsense Ports install with the following commands: ( Note that is designed for Opnsense 18.7 Variants; however, I believe that it will work with all Opnsense versions - but I have not tested that proposition. )
# cd /usr
# git clone
https://github.com/opnsense/ports
## wait for ports to install - then after go to next step
# cd /etc
# fetch
https://raw.githubusercontent.com/opnsense/tools/master/config/18.7/make.conf
4 - As Opnsense Ports from GitHub are synced with FreeBsd Ports the rest may be familiar to many of you who use or have used FreeBsd. The GetDns Port page here -
https://www.freshports.org/dns/getdns/
5 - If you read carefully you must use " make config ' in order to install the Stubby Daemon along with Getdns.
A - So first - enter Ports directory command
# cd /usr/ports/dns/getdns/
B - Then command to configure installation options
# make config
6 - After entering the " make config " command you will be presented with the Options Screen - select them all except SAFESTACK. After selecting options, press enter OK or whatever to accept the options you just selected. You will now be back in ports directory for getdns port:
#/usr/ports/dns/getdns/
Now issue command:
# make install clean
Let the installation run until it is done. After the installation completes, reenter the /root directory -
command #cd /root - or start new SSH session in order to configure Stubby and integrate it with Unbound.
7 - Now
Ryan Steinmetz aka zi
- the port maintainer and developer of this port was kind enough to include a start up script ( stubby.in ) for this package. See the stubby.in here in the raw :
https://svnweb.freebsd.org/ports/head/dns/getdns/files/stubby.in?view=markup
. All I had to do was ask him and he did for any and all who elect to use this great piece of FreeBsd software.
8 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs Unbound root.key - run this command before getting started:
# su -m unbound -c /usr/local/sbin/unbound-anchor Then -
A - Issue this command :
# mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh
Make it executable - I run two commands - it works for me:
# chmod 744 /usr/local/etc/rc.d/stubby.sh # chmod a+x /usr/local/etc/rc.d/stubby.sh
B - Yes must enable Stubby Daemon in the file - open file by : nano /usr/local/etc/rc.d/stubby.sh
go to line 27 -
: ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit.
9 - You can and should also check real time status of DNS Privacy Servers as they are experimental and are not always stable - you can monitor DNS TLS Servers Real Time Status here below:
https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/
I have read here:
https://www.monperrus.net/martin/randomization-encryption-dns-requests
that Also, it is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses.
Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml
VERY IMPORTANT UPDATE:
After checking, rechecking and the triple checking on this website mentioned above :
https://www.immuniweb.com/ssl/?id=Su8SeUQ4
I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 :
https://kinsta.com/blog/tls-1-3/
## All DNS Privacy Servers Below Tested On November 3 With A+ Rating - 100% Perfecto Configuration on website:
https://www.immuniweb.com/ssl/?id=Su8SeUQ4n
# Also I have added the Country Locations of These DNS PRIVACY Servers using the Alpha 3 Code Format
# see country code lists here :
#
https://www.iban.com/country-codes
# Use as many or as few depending on your specific needs
I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is:
nano /usr/local/etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dnssec_return_status: GETDNS_EXTENSION_TRUE
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 9000
listen_addresses:
- 127.0.0.1@8053
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
round_robin_upstreams: 1
tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt"
upstream_recursive_servers:
### IPV4 Servers ###
### DNS Privacy DOT Test Servers ###
## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
- address_data: 185.49.141.37
tls_auth_name: "getdnsapi.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## 2 - The Surfnet/Sinodun DNS TLS Server #3 A+ ( NLD )
- address_data: 145.100.185.18
tls_port: 853
tls_auth_name: "dnsovertls3.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
## 3 - The The Surfnet/Sinodun DNS TLS Server A ( NLD )
- address_data: 145.100.185.15
tls_auth_name: "dnsovertls.sinodun.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
## 4 - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD )
- address_data: 145.100.185.16
tls_auth_name: "dnsovertls1.sinodun.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
## 5 - The dns.cmrg.net DNS TLS Server A+ ( CAN )
- address_data: 199.58.81.218
tls_auth_name: "dns.cmrg.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
## 6 - The BlahDNS Japan DNS TLS Server A+ ( JPN )
- address_data: 45.32.55.94
tls_auth_name: "dot-jp.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: gIoiNFxX1Nw+7/pVsmUKBU941bMBYjEYuB2T9drULOM=
## 7 - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU )
- address_data: 159.69.198.101
tls_auth_name: "dot-de.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: YZeyeJf/suAR2fMHLc9RDPkcQi/e8EEnzk5Y1N90QQE=
## 8 - The BlahDNS Finland DNS TLS Server A+ ( FIN )
- address_data: 95.216.212.177
tls_auth_name: "dot-fi.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc=
## 9 - The BlahDNS Singapore DNS TLS Server A+ ( SGP )
- address_data: 139.180.141.57
tls_auth_name: "dot-sg.blahdns.com"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: iENlCR6FD7l71PESwzzBUGVgJ5MtJykG2F1fV1RyV4A=
## 10 - The dns.neutopia.org DNS TLS Server A+ ( FRA )
- address_data: 89.234.186.112
tls_auth_name: "dns.neutopia.org"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## 11 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT )
- address_data: 146.255.56.98
tls_auth_name: "dot1.applied-privacy.net"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: iPoeezj2bJ8n0ZgK7HWPy5g0E7nNB8ugiXGZOHslVMs=
## 12 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR )
- address_data: 51.38.83.141
tls_auth_name: "dns.oszx.co"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: uWtC2lljtQnMVcmKS8mt7sWHuS5mFJ9TWdBDv4ti830=
# 13 - The dismail.de DNS TLS Server #1 A+ ( DEU )
- address_data: 80.241.218.68
tls_port: 853
tls_auth_name: "fdns1.dismail.de"
tls_pubkey_pinset:
- digest: "sha256"
value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
## 14 - The dismail.de DNS TLS Server #2 A+ ( USA )
- address_data: 159.69.114.157
tls_port: 853
tls_auth_name: "fdns2.dismail.de"
tls_pubkey_pinset:
- digest: "sha256"
value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
## 15 - The Lorraine Data Network DNS TLS Server A+ ( FRA )
- address_data: 80.67.188.188
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## This certificate is currently expired which
## does not pose any concerns in SPKI mode
## (in practice with Stubby)
## Source :
https://ldn-fai.net/serveur-dns-recursif-ouvert/
# 16 - The ibksturm.synology.me DNS TLS Server A+ ( CHE )
- address_data: 85.5.93.230
tls_auth_name: "ibksturm.synology.me"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: npNOnBcLbvZWZgdmcuFaEqYJbaGjBlHMf9DknDoIkgg=
## 17 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL )
- address_data: 46.239.223.80
tls_auth_name: "dns.flatuslifir.is"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: YdmlL2GSokMgH/t506AaHtdfhoW+WAPVwv4dAWGXYMs=
### Publicly Available DOT Test Servers ###
## 18 - The ContainerPI.com - CPI DNS TLS Server A+ ( JPN )
- address_data: 45.77.180.10
tls_auth_name: "dns.containerpi.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 0fDCu9NeTLXKniGX7Hqjq4PLqXV7kvxv04lAWs/dOHY=
## 19 - The FEROZ SALAM DNS TLS Server A+ ( GBR )
- address_data: 46.101.66.244
tls_auth_name: "doh.li"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: E3//wtQoI+p2eDg0+zEejPX3kHowMAUiLwGG6sGckFo=
## 20 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR )
- address_data: 217.169.20.23
tls_auth_name: "dns.aa.net.uk"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: N1HkO1CiKQiPYEoFjMMU/mgZc7PMPaVE016y5w8+hUg=
## 21 - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR )
- address_data: 217.169.20.22
tls_auth_name: "dns.aa.net.uk"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: Rq21Y/YgMvw00ZzFGsiJKTEz0u9BBecPl0ns9oploKE=
## 22 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS )
- address_data: 45.76.113.31
tls_auth_name: "dot.seby.io"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM=
## 23 - The dns.seby.io - OVH DNS TLS Server A+ ( AUS )
- address_data: 139.99.222.72
tls_auth_name: "dot.seby.io"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: y8hXAlkRxglOPlYivo/S/E1EfNFoU9f/Uf4dQcXiHhg=
## 24 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE )
- address_data: 185.95.218.43
tls_auth_name: "dns.digitale-gesellschaft.ch"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 831vfDRFtFD6GNs592KLJtGWy1174q+L9GrgLTiLEZo=
## 25 - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE )
- address_data: 185.95.218.42
tls_auth_name: "dns.digitale-gesellschaft.ch"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: amK6e4lPnP+3bOVdh8unyfcLBsCNyPfvHAws+hXCrX4=
## 26 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA )
- address_data: 168.235.81.167
tls_auth_name: "dns-nyc.aaflalo.me"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: +J+sm9pbtEYYrcm45xqRqsOKmFuwTFdfrct/n5N5Pzo=
## 27 - The Privacy-First DNS TLS Server #1 A+ ( JPN )
- address_data: 172.104.93.80
tls_auth_name: "jp.tiar.app"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: VVZwjDE4AgVuuGDxr3kja+u/0uw2LBoVeO5TH0tfTfU=
## 28 - The Privacy-First DNS TLS Server #2 A+ ( SGP Hosted In USA )
- address_data: 174.138.29.175
tls_auth_name: "dot.tiar.app"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: zI+rGvaSUWXd0uhG1w8ZgR2ZZCAVzfaLPgEg1R+ucfl=
## 29 - The ibuki.cgnat.net DNS TLS Server A+ ( USA )
- address_data: 35.198.2.76
tls_auth_name: "ibuki.cgnat.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: v1FqNAlDF1cvui9S6E1zGYOOiCON4JepZPbBeNqkAK0=
## 30 - The PI-DNS.COM West USA DNS TLS Server A+ ( USA )
- address_data: 45.67.219.208
tls_auth_name: "dot.westus.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: UqbpjW5q+T28xsDG0/QAlklvT39U5h+EtZ9l0/POwaw=
## 31 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA )
- address_data: 185.213.26.187
tls_auth_name: "dot.eastus.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: OupxDACOoLzFnGNfDLsv+Y1KOU/94kfV9wWnpP1+19g=
## 32 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU )
- address_data: 88.198.91.187
tls_auth_name: "dot.centraleu.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: a5xHUXhJT/rl7c9F1qNJafxosDRFNFA+qlLvE8WN56M=
## 33 - The PI-DNS.COM North Europe DNS TLS Server A+ ( FIN )
- address_data: 95.216.181.228
tls_auth_name: "dot.northeu.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: uPFdDaPL7tML0mdZg23LiXyC5AWp+wS+mRsxbeXpK8k=
## 34 - The PI-DNS.COM East Australia DNS TLS Server A+ ( AUS )
- address_data: 45.63.30.163
tls_auth_name: "dot.eastau.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: wTfoz9ckLNEh8Z5+Z+87gLWV/OjNLXCBq1XYnLvmXDk=
## 35 - The PI-DNS.COM East Asia DNS TLS Server A+ ( USA )
- address_data: 66.42.33.135
tls_auth_name: "dot.eastas.pi-dns.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: yZvYIR4ivuMRoAD/P8RBcc5TC31BRmcnVJGULFZ4Ows=
## 36 - The Snopyta DNS TLS Server A+ ( FIN )
- address_data: 95.216.24.230
tls_auth_name: "fi.dot.dns.snopyta.org"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: CgI1BzAYzsdcueKIbt682Gu+QEN2z9KDMCLdD192FSA=
## 37 - The NixNet Uncensored Las Vegas DNS TLS Server A+ ( USA )
## - or use ( tls_auth_name: "adblock.lv1.dns.nixnet.xyz" )
- address_data: 209.141.34.95
tls_auth_name: "uncensored.lv1.dns.nixnet.xyz"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: d4gBa/F8dM8cWcCpisAzVTp0SGKAEdfsM/2gHe/xJlk=
## 38 - The NixNet Uncensored New York DNS TLS Server A+ ( USA )
## - or use ( tls_auth_name: "adblock.ny1.dns.nixnet.xyz" )
- address_data: 199.195.251.84
tls_auth_name: "uncensored.ny1.dns.nixnet.xyz"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: g1jYIvb7hZn98EN0dZszrwdqZTE7so7j6Kb8tvuZQDc=
## 39 - The NixNet Uncensored Luxembourg DNS TLS Server A+ ( LUX )
## - or use ( tls_auth_name: "adblock.lux1.dns.nixnet.xyz" )
- address_data: 104.244.78.231
tls_auth_name: "uncensored.lux1.dns.nixnet.xyz"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 2Lx5gMhMV5DAfJKQcEJ+bL5RKFqgcPV/4gveSCMV6ps=
## 40 - The Lelux.fi DNS TLS Server A+ ( FRA Hosted In GBR )
- address_data: 51.158.147.50
tls_auth_name: "resolver-eu.lelux.fi"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: J9bGpxSju+xN7J9vu4W7+U6jzT1BpwoTCKMeqwf80u8=
## 41 - The Lightning Wire Labs DNS TLS Server A+ ( DEU )
- address_data: 81.3.27.54
tls_auth_name: "recursor01.dns.lightningwirelabs.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 8jveGZnOPVo3ZEpqP373s58WRH802JRT6s7iG1JEMwY=
## 42 - The dnsforge.de DNS TLS Server #1 A+ ( DEU )
- address_data: 176.9.1.117
tls_auth_name: "dnsforge.de"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
## 43 - The dnsforge.de DNS TLS Server #2 A+ ( DEU )
- address_data: 176.9.93.198
tls_auth_name: "dnsforge.de"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
# 44 - The Freifunk München DNS TLS Server A+ ( DEU )
- address_data: 195.30.94.28
tls_auth_name: "doh.ffmuc.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: xDA3eGNf/X3vu9frKPawOAnVFIjIqjp9KxR5nd4ZrQQ=
## 45 - The CIRA Canadian Shield DNS TLS Servers A+ ( CAN )
- address_data: 149.112.121.10
tls_auth_name: "private.canadianshield.cira.ca"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw=
- address_data: 149.112.122.10
tls_auth_name: "private.canadianshield.cira.ca"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw=
# 46 - The dns.dnshome.de DNS TLS Server #1 A+ ( DEU )
- address_data: 185.233.106.232
tls_auth_name: "dns.dnshome.de"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc=
- address_data: 185.233.107.4
tls_auth_name: "dns.dnshome.de"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc=
## 47 - The Usable Privacy DNS TLS Server A+ ( DEU / AUT )
- address_data: 149.154.153.153
tls_auth_name: "adfree.usableprivacy.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: apo4E7JrhTTLL08Y3JLq68Gp6yG1TgHKtwaQKnhqWFs=
## 48 - The DeCloudUs DNS TLS Server A+ ( DEU )
- address_data: 176.9.199.152
tls_auth_name: "dot.decloudus.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: CIeKIadXRDK1slGmnnQzvC38rKBbcGaSyXMPG6leHJA=
## 49 - The Hurricane Electric DNS TLS Server A+ ( USA )
- address_data: 74.82.42.42
tls_auth_name: "ordns.he.net"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: G9pQNrYB98Wll0AmBF/GsMMn6gaDbXDnInV1je1MaPo=
## 50 - The Stéphane Bortzmeyer DNS TLS Server A+ ( FRA )
- address_data: 193.70.85.11
tls_auth_name: "dot.bortzmeyer.fr"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: eHAFsxc9HJW8QlJB6kDlR0tkTwD97X/TXYc1AzFkTFY=
## 51 - The LibreDNS DNS TLS Server #1 A+ ( IND )
- address_data: 116.202.176.26
tls_auth_name: "dot.libredns.gr"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: V0Y0pvWkAwOPkNSPxDyZd/vJ2bo40ylADWJFu/ubPlM=
## 52 - The LibreDNS DNS TLS Server #2 A+ ( IND )
- address_data: 116.202.176.26
tls_auth_name: "dot.libredns.gr"
tls_port: 854
tls_pubkey_pinset:
- digest: "sha256"
value: V0Y0pvWkAwOPkNSPxDyZd/vJ2bo40ylADWJFu/ubPlM=
### Anycast Publicly Available DOT Test Servers ###
## 53 - The DNSlify DNS TLS Servers A+ ( Anycast )
- address_data: 185.235.81.1
tls_auth_name: "doh.dnslify.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM=
- address_data: 185.235.81.2
tls_auth_name: "doh.dnslify.com"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM=
### DNS Privacy Anycast DOT Public Resolvers ###
## 54 - The DNS.SB DNS TLS Servers A+ ( Anycast )
- address_data: 185.222.222.222
tls_auth_name: "dns.sb"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
- address_data: 185.184.222.222
tls_auth_name: "dns.sb"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
## 55 - The DNSPod DNS TLS Server #1 A+ ( CHN )
- address_data: 162.14.21.178
tls_port: 853
tls_auth_name: "dns.pub"
tls_pubkey_pinset:
- digest: "sha256"
value: Q1JRqG379NbZYD6KcA+jl8co9wuQNhg/YmN4dLImQpM=
## 56 - The DNSPod DNS TLS Server #2 A+ ( CHN )
- address_data: 162.14.21.56
tls_port: 853
tls_auth_name: "doh.pub"
tls_pubkey_pinset:
- digest: "sha256"
value: Q1JRqG379NbZYD6KcA+jl8co9wuQNhg/YmN4dLImQpM=
# Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
#tls_ciphersuites option. This option can also be given per upstream.
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_min_version: GETDNS_TLS1_2
# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_max_version: GETDNS_TLS1_3
Save and Exit
Lastly, you can and should take advantage of this new DNS OVER TLS provider.
You need to sign up and use configured settings in order to use it.
NextDNS is a free service - ANYCAST and pretty much cutting edge.
ANYCAST speeds up your DNS - Here it is:
NextDNS
https://my.nextdns.io/configuration/19474f/setup
All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries.
In full disclosure some name servers claim to log traffic volume only. See here for details :
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
and look under " Logging " column.
Use either or both of these two methods to verify QNAME Minimisation
A - Run command :
drill txt qnamemintest.internet.nl
and / or
B - Run command:
dig txt qnamemintest.internet.nl +short
and / or
dig -t txt qnamemintest.internet.nl
( for more complete readout including DNSSEC results ).
AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated)
The results in any of these scenarios will show either:
"HOORAY - QNAME minimisation is enabled on your resolver
!”
or “NO - QNAME minimisation is NOT enabled on your resolver
.”
Reference
https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4
You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration.
Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default.
However, I still add these settings manually.
These settings are entered under Unbound " Custom Options":
qname-minimisation: yes
qname-minimisation-strict: yes
harden-below-nxdomain: yes
10 - In order to have Opnsense use default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :
# nano /etc/rc.conf.d/stubby - in the new file enter the following two lines:
stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"
Save and exit / then make the file executable - once again - works for me : # chmod 744 /etc/rc.conf.d/stubby # chmod a+x /etc/rc.conf.d/stubby
11- Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.
UNBOUND GENERAL SETTINGS
Network Interfaces = WAN LAN ( all of your LAN interfaces if you have more than one ) And You Must Select Localhost - repeat - You Must Select Localhost !
Under Custom options enter the following :
server:
do-not-query-localhost: no
forward-zone:
name: "." # Allow all DNS queries
forward-addr: 127.0.0.1@8053
## END OF ENTRY
Outgoing Network Interfaces = Localhost
Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings
Next -Under System > Settings > General Settings
Set the first DNS Server to 127.0.0.1 with no gateway selected /
Make sure that DNS server option
A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked !
and DNS server option
B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not - I repeat - Is Not Checked !
I now only run
127.0.0.1
( Localhost ) configured as the
only DNS SERVER on my WAN interface
. If others were added to WAN, when I ran dig or drill commands
/etc/resolv.conf
allowed those addresses to be queried. I only want to use
Stubby yml Name Servers for DNS TLS
, so this was the determinative factor in my reasoning and decision.
- Save and Apply Settings
C'est Fini C'est Ci Bon C'est Magnifique
Reboot your router just to sure. Lastly, you can check your DNS at GRC Spoofability Test - DNS Leak - or any such service.
Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.
VERY IMPORTANT TIP:
Please note that right at the top of the main DNS Privacy Test Servers Homepage (
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
) It Ominously Declares:
DoT servers
The following servers are experimental DNS-over-TLS servers.
Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified.
Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!
For these reasons it is most important to
check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time.
There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to
https://blahdns.com/
and scroll down to the section to the yellow section entitled
What is DNS OVER TLS
click on it and it will open up.
When you do it will state some general information, but what you want to pay attention to is this section:
How to get SPKI
gnutls-cli --print-cert -p 853 185.49.141.37
- where you must
pkg install gnutls
OR
echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Remember to change port to 443 or port for IPV6 if different than standard 853 where applicable.
https://www.dnsleaktest.com/
https://www.perfect-privacy.com/dns-leaktest
https://www.grc.com/dns/dns.htm
https://www.vpninsights.com/dns-leak-test
and last but not least
https://cmdns.dev.dns-oarc.net/
for a thorough in depth DNS Test
https://bash.ws/dnsleak/test/
Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider.
I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security.
Special thanks to all who helped me with this project.
Thank you all and God Bless Always In Peace,
directnupe
PS -
If you have already installed getdns-1.4.1 then you can see here for how to update:
** BONUS DNS OVER TLS: UPDATE Opnsense Ports for getdns-1.4.2**
https://forum.opnsense.org/index.php?topic=8748.msg38928#msg38928
«
Last Edit: November 03, 2020, 02:28:33 pm by directnupe
»
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #1 on:
October 26, 2018, 06:50:36 pm »
Hi,
As per
https://twitter.com/Ceeblows/status/1055804955028832256
we should probably add the required packages to the OPNsense repository. Which ones are needed? And how much manual effort can be skipped to make future errors or removal of essential setting / files less likely?
Cheers,
Framco
Logged
directnupe
Jr. Member
Posts: 58
Karma: 19
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #2 on:
November 04, 2018, 05:43:50 pm »
Dear Franco,
Hello and I hope that you are well. I am far from an expert in programming or software development. However, I will do my best to answer your questions. If you look at my tutorial here:
https://forum.opnsense.org/index.php?topic=8759.0
You will see that I built the GETDNS STUBBY package on a FREEBSD BUILD SERVER. So you see that the building the package is done by utilizing the ports collection as this is the method to get all the Configuration Options that the full GETDNS package needs - especially STUBBY. GETDNS is built against and compiled against UNBOUND. Now, you good folks at OpnSense can ( I imagine ) put a fully compiled GETDNS package up in your repositories. Honestly, I was wondering why this is not done already.
There is an issue with some dependencies being missing when I install the GETDNS manually. Two are available in the Opnsense repos:
libev and libuv
and one I have to install from the FreeBsd repository with the command: pkg add
https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn-1.34.txz
So, I do not know how you would address these missing dependencies.
As far as the files. There is a start up script that comes with the installation of the package and / or port :
/usr/local/etc/rc.d/stubby
- you can see what I do that file in the link I referenced at the top of my reply. The second is the
/usr/local/etc/stubby/stubby.yml
for configuring DNS OVER TLS options for STUBBY. Lastly OpnSense has the
/etc/rc.conf.d/stubby
file - the start up file for OpnSense particularly. I do not know how you could manage these files within Opnsense development team. Finally, you can find and download the final product
OpnSense Ports
package getdns-142_1.txz
here:
https://www.4shared.com/s/f2mddi4FNda
or here:
https://www.4shared.com/file/2mddi4FNda/getdns-142_1.html
I hope that this helps in some way.
Feedback on the specific Tweet from Chad
here:
https://twitter.com/Ceeblows/status/1055804955028832256
The solution to this complaint I posted here :
https://forum.opnsense.org/index.php?topic=10062.0
Topic:
SOLVED - GETDNS AND STUBBY W/ OPNSENSE 18.7.6 and UNBOUND 1.8.1
The GETDNS port was specifically upgraded for UNBOUND 1.8.1 - So Chad did not seek - so he did not find. There are times that the package - well
it is all explained in the post above
.
Peace,
directnupe
«
Last Edit: November 04, 2018, 06:34:49 pm by directnupe
»
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #3 on:
November 04, 2018, 06:49:11 pm »
Thanks for the response. Do I see this right:
We add getdns package to OPNsense build and set option STUBBY as it is not on by default in FreeBSD?
Cheers,
Framco
Logged
directnupe
Jr. Member
Posts: 58
Karma: 19
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #4 on:
November 04, 2018, 07:33:51 pm »
Dear Franco,
Hello - and
yes that is correct. STUBBY is off in default setting.
You must use
" make config "
to select that option. See here:
https://www.freshports.org/dns/getdns/
and and
note:
Library dependencies:
libexpat.so : textproc/expat2
libidn.so : dns/libidn
libldns.so : dns/ldns
libunbound.so : dns/unbound
There are no ports dependent upon this port
and :
===> The following
configuration options
are available for getdns-1.4.2_1:
DOCS=on: Build and/or install documentation
LIBEV=off: Build with libev extension
LIBEVENT=off: Build with libevent extension
LIBUV=off: Build with libuv extension
STUBBY=off: Build with Stubby DNS/TLS resolver
===> Use 'make config' to modify these settings
So, I compile the GETDNS package with
all the configuration options selected.
OpnSense also makes hardening options
pie relro safestack
available.
As getdns compiles and installs its' dependencies, I just select all the default options.
You see that getdns builds against
libunbound.so : dns/unbound
among a few other dependencies.
I use OpnSense Tools to install Opnsense Ports which are synced with FreeBsd and ( Hardened BSD ) I do believe.
But once again the answer to your central question - STUBBY is not on by default in FreeBSD? -
the answer is that in the default getdns port configuration settings the option to install STUBBY is off
in all FreeBsd derivatives - that includes
FreeBsd, Opnsense, PfSense
and all others as far as I am aware of.
Once again - I hope that this helps. May God Bless You and Your Loved Ones,
Always In Peace,
directnupe
«
Last Edit: November 04, 2018, 07:40:32 pm by directnupe
»
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #5 on:
November 04, 2018, 09:44:53 pm »
Hi,
Ok, so
https://github.com/opnsense/tools/commit/efcc2b899
> So, I compile the GETDNS package with all the configuration options selected.
LIBEV, LIBEVENT, LIBUV are still off. Are any of these strictly needed? We'd like to keep it simple.
Cheers,
Franco
Logged
directnupe
Jr. Member
Posts: 58
Karma: 19
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #6 on:
November 05, 2018, 02:11:17 am »
Libev
is a high-performance event loop/event model with lots of features.
It is modelled (very loosely) after libevent and the Event perl module,
but aims to be faster and more correct, and also more featureful. And
also smaller. -
choose this in make config
libevent API for executing callback functions on events or timeouts
Currently, libevent supports /dev/poll, kqueue(2), event ports, select(2),
poll(2) and epoll(4). The internal event mechanism is completely independent
of the exposed event API, and a simple update of libevent can provide new
functionality without having to redesign the applications. As a result,
Libevent allows for portable application development and provides the most
scalable event notification mechanism available on an operating system.
Libevent
can also be used for multi-threaded applications. -
install it
libuv
Multi-platform support library with a focus on asynchronous I/O - this is how getdns functions -
choose it as well
As I said I install all 3 = no problems - I will add the following as I already wrote it up:
Dear Franco, I am confused - if you mean putting this package in your repository -
https://www.4shared.com/file/2mddi4FNda/getdns-142_1.html
- then it is already built and compiled with STUBBY and for UNBOUND 1.8.1
In order to get this running for user with not current getdns and stubby install on OpnSense they would follow these steps:
1 - Install these necessary dependencies to Opnsense before installing getdns-1.4.2.txz package
A- # pkg install libev
B - # pkg add
https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn-1.34.txz
C - # pkg install libuv
2 - The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs Unbound root.key - run this command before getting started: # su -m unbound -c /usr/local/sbin/unbound-anchor Then -
A - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh
Make it executable - I run two commands - it works for me: # chmod 744 /usr/local/etc/rc.d/stubby.sh # chmod a+x /usr/local/etc/rc.d/stubby.sh
B - Yes must enable Stubby Daemon in the file - open file by : nano /usr/local/etc/rc.d/stubby.sh
go to line 27 -: ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit.
3 - Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml
## Begin Sample /usr/local/etc/stubby/stubby.yml file configuration:
# This is a yaml version of the stubby configuration file (it replaces the
# json based stubby.conf file used in earlier versions of getdns/stubby).
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 60000 # keep-alive for 1 min, for better performance
listen_addresses:
- 127.0.0.1@8053 ## Stubby / Unbound ## Default Address/Port
round_robin_upstreams: 1
upstream_recursive_servers:
# IPV4 Servers
# The getdnsapi.net Server
- address_data: 185.49.141.37
tls_port: 853
tls_auth_name: "getdnsapi.net"
tls_pubkey_pinset:
- digest: "sha256"
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
# The Fondation RESTENA Server
- address_data: 158.64.1.29
tls_auth_name: "kaitain.restena.lu"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
### Test servers ###
## Surfnet/Sinodun Servers
- address_data: 145.100.185.17
tls_port: 853
tls_auth_name: "dnsovertls2.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
# The securedns.eu Server
- address_data: 146.185.167.43
tls_auth_name: "dot.securedns.eu"
tls_port: 443
tls_pubkey_pinset:
- digest: "sha256"
value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
# The dns.cmrg.net Server
- address_data: 199.58.81.218
tls_port: 443
tls_auth_name: "dns.cmrg.net"
tls_pubkey_pinset:
- digest: "sha256"
value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
# DNSPRIVACY.at Primary DNS TLS Server
- address_data: 94.130.110.185
tls_port: 853
tls_auth_name: "ns1.dnsprivacy.at"
tls_pubkey_pinset:
- digest: "sha256"
value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
# DNSPRIVACY.at Secondary DNS TLS Server
- address_data: 94.130.110.178
tls_port: 853
tls_auth_name: "ns2.dnsprivacy.at"
tls_pubkey_pinset:
- digest: "sha256"
value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
# The dns.neutopia.org Server
- address_data: 89.234.186.112
tls_port: 443
tls_auth_name: "dns.neutopia.org"
tls_pubkey_pinset:
- digest: "sha256"
value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
### Anycast services ###
#Tenta ICANN DNS TLS Primary Server
- address_data: 99.192.182.200
tls_auth_name: "iana.tenta.io"
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: nPzhfahBmQOFKbShlLBymTqPtZY31bPpKFnh0A86ys0=
4 - 14 - In order to have Opnsense use default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :
# nano /etc/rc.conf.d/stubby - in the new file enter the following two lines:
stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"
Save and exit / then make the file executable - once again - works for me : # chmod 744 /etc/rc.conf.d/stubby # chmod a+x /etc/rc.conf.d/stubby
5 - Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.
UNBOUND GENERAL SETTINGS
Network Interfaces = WAN LAN ( all of your LAN interfaces if you have more than one ) And You Must Select Localhost - repeat - You Must Select Localhost !
Under Custom options enter the following :
server:
do-not-query-localhost: no
forward-zone:
name: "." # Allow all DNS queries
forward-addr: 127.0.0.1@8053
## END OF ENTRY
Outgoing Network Interfaces = Localhost
Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings
Next -Under System > Settings > General Settings
Set the first DNS Server to 127.0.0.1 with no gateway selected /
Make sure that DNS server option:
A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked !
and DNS server option
B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not - I repeat - Is Not Checked !
I now only run 127.0.0.1 ( Localhost ) configured as the only DNS SERVER on my WAN interface. If others were added to WAN, when I ran dig or drill commands /etc/resolv.conf allowed those addresses to be queried. I only want to use Stubby yml Name Servers for DNS TLS , so this was the determinative factor in my reasoning and decision.
That's it - that what I would do if I could download the package I created and sent to you. By the way, I am willing to build, create and send you an OpnSense getdns and stubby package whenever the port is upgraded or you ask me to do so. That is if there is a need or demand for one. Ryan Steinmetz aka zi - the port maintainer and developer of this port was kind enough to help me with much of this, so I am happy to give back as well.
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #7 on:
November 05, 2018, 08:10:31 am »
Despite the unsettled question of not what these libraries do but why they are needed I've added all of them since they are already available through our packages:
https://github.com/opnsense/tools/commit/a27087a53b5
That means with 18.7.7 onwards installing stubby/getdns is as simple as:
# pkg install getdns
Cheers,
Franco
Logged
directnupe
Jr. Member
Posts: 58
Karma: 19
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #8 on:
November 05, 2018, 06:15:16 pm »
Dear Franco,
Hello - and my reasoning in recommending that you use all options in getdns " make config " is because I am sure that is
THE CONFIGURATION
which is known to work absolutely. Now I have a few questions which I have and for you to consider as you migrate to making getdns available through # pkg install getdns on OpnSense 18.7.7.
1 - Will libidn-1.34.txz be made available in the OpnSense repositories?
libidn
is needed by getdns and is currently not available in your repos at the time of my last installation of the getdns I created and installed on my OpnSense Box.
2- How much configuring of the three main files necessary needed for getdns to run will be done after entering # pkg install getdns on OpnSense 18.7.7 ?
3 - For example,
the stubby.in file is located here - /usr/local/etc/rc.d/stubby by default
after install from OpnSense Ports. I had to issue these two commands in order to correctly run getdns on OpnSense A - Stubby needs Unbound root.key :
# su -m unbound -c /usr/local/sbin/unbound-anchor
B -
mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh
- I issued this command
to make the stubby.in file a start up shell script
and then issued commands to make /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh executable -
chmod a+x /usr/local/etc/rc.d/stubby.sh
Also, will stubby be enabled by default on line 27 of /usr/local/etc/rc.d/stubby.sh I had to change this manually : ${stubby_enable="NO"}
change the setting to : ${stubby_enable="YES"}
- This file is not enabled by default
Will all of these processes detailed above be achieved and working " out of the box " on your end by simply entering # pkg install getdns ?
4 - I take it that the /usr/local/etc/stubby/stubby.yml will still be available and I imagine that
you will provide instructions
as to how to properly configure this file.
5 - The third file
/usr/local/etc/rc.d/stubby.sh
is the specific start up script / hook for Opnsense. So, are you going to have this
pre-configured and set to run at boot time
as well ? I had to create this file manually and make it executable as detailed in the process I sent to you earlier.
6 - Importantly, will you make available the information needed to have
stubby and UNBOUND integrated properly to resolve DNS OVER TLS
?
7 - The the other issue is
getdns and OpnSense upgrades.
You originally contacted me about
https://twitter.com/Ceeblows/status/1055804955028832256
and Chad's getdns and stubby install being broken by UNBOUND being upgraded to 1.8.1 on Opnsense 18.7.6 -
So,
will getdns and stubby survive a similar upgrade scenario
going forward if installed by your proposed implementation of # pkg install getdns on OpnSense 18.7.7 ?
These are a few things that I would like to know and I believe important for you to consider as you go forward with making getdns and stubby available for all of us on OpnSense 18.7.7.
I want to thank you for your considerable time, continued effort and leadership
in making and keeping OpnSense at the forefront and vanguard of
one of the finest Open Source FireWall Distros ever developed.
Peace and God Bless Always In Peace,
directnupe
«
Last Edit: November 05, 2018, 06:17:13 pm by directnupe
»
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #9 on:
November 06, 2018, 11:18:12 pm »
Hi directnupe,
1) yes
2) none
3) it's all manual. that's why we build plugins around services to automate this and make it update-proof.
4) we build plugins, not provide descriptions for third party service configuration. if the yaml file is in the package it'll be there...
5) use plugins
6) use plugins, raise tickets when plugin is missing a spot for integration
7) the packages will, manual configuration and package modification will not
The best way to deal with any integration is:
1. Request binary package inclusion
2. Build a plugin
3. Upstream the plugin
And from there on out it keeps working... even through config backup / restore.
Cheers,
Franco
Logged
directnupe
Jr. Member
Posts: 58
Karma: 19
Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
«
Reply #10 on:
November 10, 2018, 04:34:06 am »
Dear Franco,
Hello and I hope that you are well. I am just reporting back to you by way of feedback about the getdns package that Opnsense has made available via pkg install getdns. It works beautifully. I installed the package on Opnsense 18.7.7 and OPNsense 19.1.b_167-amd64 . As you had indicated, I did have to manually configure the three stubby files. However, all the dependencies were there.
Just one question. Do you want me to put up a post as to how to configure the package and more or less announce that getdns and stubby are available for installation by simply issuing the # pkg install getdns command as of OpnSense 18.7.7 ?
Peace,
directnupe
PS - You guys did a great job and I did read that you are working on a plugin for this. So, I for one respect, appreciate and grateful for your great work and dedication in keeping Opnsense on the cutting edge of internet security.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS