OPNsense Forum » Archive » 21.7 Legacy Series » Unbound DoT not working
Topic: Unbound DoT not working (Read 5028 times)
NeoDragon (Newbie, Posts: 17, Karma: 0)
Unbound DoT not working « on: September 06, 2021, 09:22:39 pm »
Hi all,
I'm fairly new to OPNsense and have been pretty pleased so far.
However, I can't get Unbound DoT working alongside AdGuard for some unknown reason.
Test at https://tenta.com/test shows that I'm indeed using Quad9 upstream with DNSSEC but without TLS even though it is configured under Services > Unbound DNS > DNS over TLS.
Can anybody help?
For reference, I've used this particular topic on these forums to set up AdGuard + Unbound:
https://forum.opnsense.org/index.php?topic=22162.0
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: Unbound DoT not working « Reply #1 on: September 07, 2021, 07:30:23 pm »
hi
don't think any leak test site can tell anything about the connection between your OPNsense and the forwarder.
it can only say something about the connection between the server making the request to the authoritative server and the authoritative server.
NeoDragon (Newbie, Posts: 17, Karma: 0)
Re: Unbound DoT not working « Reply #2 on: September 09, 2021, 12:04:38 am »
Shouldn't the site be able to test/tell me if the requests are sent with TLS or not? It does with DNSSEC.
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: Unbound DoT not working « Reply #3 on: September 09, 2021, 01:50:22 pm »
yes, but not from the first (forwarding) server to the upstream. only from the last (resolving) server to the authoritative one.
the page code on the tenta.com site tells the browser to make some XHR requests to resources with different names. at the time of name resolution, it is logged from which servers the request for this name came and which extensions were used (DNSSEC etc.).
but the request does not come from your server, it comes from the Quad9 servers (or servers used by Quad9 for further forwarding. imho Google and Quad9 use DNSSEC by default and don't use DoT for resolving).
so tenta.com doesn't know anything about the OPNsense <-> Quad9 connection.
« Last Edit: September 09, 2021, 01:55:17 pm by Fright »
NeoDragon (Newbie, Posts: 17, Karma: 0)
Re: Unbound DoT not working « Reply #4 on: September 10, 2021, 11:18:56 pm »
Thanks for the explanation!
Is there any way to confirm DoT is working from Unbound to Quad9 then?
opnfwb (Sr. Member, Posts: 331, Karma: 47)
Re: Unbound DoT not working « Reply #5 on: September 11, 2021, 05:55:36 am »
You can check that the firewall is pushing DNS queries to Quad9 on port 853.
First, make sure that your settings are correct as per the screenshot below. Then you can go to the firewall states page and search for '853' and you should see many outbound connections to Quad9's IPs on port 853. They should all be TCP connections, not UDP.
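As an added example (not from this thread or from OPNsense), a POSIX shell check that applies opnfwb's port-853 rule to the pf state table: it counts TCP/853 states (DoT), flags any UDP/853 states, and warns about plaintext port-53 states. The state lines below are constructed samples in the general shape of `pfctl -ss` output; on the firewall itself you would feed in the real table with `dot_verdict "$(pfctl -ss)"`.

```shell
#!/bin/sh
# Constructed sample in the shape of `pfctl -ss` output on FreeBSD/OPNsense
# (proto, src -> dst, state). Addresses/ports are made up for the demo;
# 9.9.9.9 and 149.112.112.112 are Quad9's public resolver addresses.
SAMPLE_STATES='all tcp 192.168.1.1:41234 -> 9.9.9.9:853       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.1:41236 -> 149.112.112.112:853       ESTABLISHED:ESTABLISHED
all udp 192.168.1.1:55012 -> 9.9.9.9:53       MULTIPLE:MULTIPLE
all tcp 192.168.1.50:50322 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED'

# count_states "<state table text>" <proto> <dst port>
# Prints how many states use that protocol and that destination port.
count_states() {
  printf '%s\n' "$1" | awk -v proto="$2" -v dport="$3" '
    $2 == proto {
      # the destination endpoint is the field right after "->"
      dst = ""
      for (i = 1; i < NF; i++) if ($i == "->") dst = $(i + 1)
      n = split(dst, part, ":")      # last element is the port, also for IPv6
      if (n > 1 && part[n] == dport) c++
    }
    END { print c + 0 }'
}

# dot_verdict "<state table text>"
# OK   : at least one TCP/853 state and no UDP/853 states (DoT is TCP-only)
# FAIL : otherwise. Plaintext port-53 states are reported on stderr because
#        they mean some resolver traffic is not going through DoT.
dot_verdict() {
  dot=$(count_states "$1" tcp 853)
  udp853=$(count_states "$1" udp 853)
  plain=$(( $(count_states "$1" udp 53) + $(count_states "$1" tcp 53) ))
  if [ "$plain" -gt 0 ]; then
    echo "warning: $plain plaintext port-53 state(s) present" >&2
  fi
  if [ "$dot" -gt 0 ] && [ "$udp853" -eq 0 ]; then echo OK; else echo FAIL; fi
}

# Demo on the constructed sample. On the firewall, as root:
#   dot_verdict "$(pfctl -ss)"
dot_verdict "$SAMPLE_STATES"
```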
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: Unbound DoT not working « Reply #6 on: September 11, 2021, 07:08:32 am »
@NeoDragon
also you can do an INTERFACES: DIAGNOSTICS: PACKET CAPTURE to make sure the traffic is encrypted.
or you can simply raise the log level to 4 (SERVICES: UNBOUND DNS: ADVANCED), then the unbound log will contain records about the upstream connection and upstream authentication. but unbound has problems with quad9 certs logging (https://github.com/NLnetLabs/unbound/issues/527), so I would not recommend leaving the verb 4 after debugging