HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

Started by p1n0ck10, December 13, 2018, 10:14:12 PM

[Updated on 10.03.2020]

Since opnsense 18.7.9 it is possible to use encrypted DNS with the opnsense-plugin "os-dnscrypt-proxy". Thanks to mimugmail (m.muenz@gmail.com). This plugin supports DNSCrypt (https://dnscrypt.info) and DNS over HTTPS (DoH) with DNSSEC and DNSBL.


Explanations and Differences:
DNSCrypt or DNS over HTTPS = protocol that authenticates communications between a DNS client and a DNS resolver. It encrypts the traffic and prevents DNS spoofing or man-in-the-middle attacks. DoH is standardized through the IETF and the standard port for resolvers is 443. DNSCrypt uses different ports. Resolvers on the internet often use ports like 443, 4443, 5443 or 8443; DNSCrypt is currently not standardized but has more privacy features.
DNSSEC = DNS Extension that allows a client to validate the dns response on supported domains and TLDs. Resolvers check the digital signature of dns responses.
DNSBL = Domain Name System Blacklists with RPZ (response policy zone) to block ads, trackers and malware domains.

This technique does not protect against ISP censorship !!! because your browser's HTTPS requests send the Server Name Indication (SNI) unencrypted. Currently only Cloudflare and Firefox have implemented ESNI for testing. Tor or a VPN can solve this. Here is the answer from the developer of DNSCrypt, Frank Denis:
https://superuser.com/questions/1318588/what-exactly-isp-can-see-when-someone-use-dnscrypt-proxy-with-dnscrypt-enabled-p


Scenario:
dnscrypt-proxy only listens on the localhost addresses 127.0.0.1 (IPv4) and ::1 (IPv6) on port 5353 and handles the DNS requests to the internet encrypted.
Unbound DNS forwards all queries to dnscrypt-proxy while it itself listens on all interfaces on port 53 (IPv4 + IPv6) and handles the DNS requests for the local network unencrypted.

The reason behind that scenario is that Unbound DNS can act as a DNS resolver for your LAN with all its features. If you allow DHCP leases to be registered, you can reach your clients via their hostnames and do not need to know their IP addresses. The DNS traffic on the LAN side is not encrypted because most client OSes currently do not support this. For decentralization dnscrypt-proxy uses a pool of random servers from a public list. Normally it automatically chooses the fastest one with the options you set (IPv4, IPv6, DNSCrypt, DoH, DNSSEC, NoLog, NoFilter). Every 3 hours it checks for the fastest server again. You can shorten the time interval by running the existing cronjob under System/Settings/Cron "Download DNSCrypt-Proxy DNSBLs and restart". You only need dnscrypt-proxy because Unbound DNS (and also dnsmasq) has only limited support for DNSCrypt/DoH and DNSBL.

You can also configure dnscrypt-proxy as standalone dns-server. For this follow these instructions:
https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html


Install DNSCrypt-Proxy:
System/Firmware/Plugins
=> Install "os-dnscrypt-proxy"


Configuration DNSCrypt-Proxy:
Services/DNSCrypt-Proxy/Configuration/General
=> Check "Enable DNSCrypt-Proxy"
=> "Listen Address" is 127.0.0.1:5353 and [::1]:5353
=> Check "Use IPv4 Servers"
=> Check "Use IPv6 Servers"
=> Check "Use DNSCrypt Servers"
=> Check "Use DNS-over-HTTPS Servers"
=> Check "Require DNSSEC"
(see attachments "Services-DNSCrypt-Proxy_01.png", "Services-DNSCrypt-Proxy_02.png")



=> As "Fallback Resolver" you can use the standard Quad9 server (9.9.9.9:53) or Cloudflare (1.1.1.1:53) or whatever you want.


Optional Configuration DNSCrypt-Proxy (manual Servers):
For some business use cases it is necessary to use manual DNS servers for additional DNS services from Cloudflare or Cisco Umbrella. For other reasons you may want to use specific servers from your country. If you use the "Server List", the options (DNSSEC, NoLog, NoFilter) will be ignored.

Services/DNSCrypt-Proxy/Configuration/General
=> On "Server List" you can enter the server names from this public list https://dnscrypt.info/public-servers/.
Use the exact server names and not any IPs.

Cloudflare CDN (DoH) is one of the fastest, but in the past another user found that some sites like oneplus.com or postbank.de were not available because DNSSEC was broken => seems to be fixed.
In that case you had to configure Unbound DNS to redirect the query for this domain to another DNS server. This can be done on "Services/Unbound DNS/Overrides/Domain Overrides".

cloudflare
cloudflare-ipv6


Cisco/OpenDNS (DNSCrypt) for services like Cisco Umbrella.

cisco
cisco-ipv6


(see attachment "Services-DNSCrypt-Proxy_03.png")


Another option is to create your own server on Services/DNSCrypt-Proxy/Configuration/Servers.


Configuration Unbound DNS:
Services/Unbound DNS/General
=> Check "Enable Unbound"
=> Check "Enable DNSSEC Support"
=> Uncheck "DNS Query Forwarding"
=> Under "Custom options" you must configure Unbound DNS so that it forwards everything to dnscrypt-proxy. I set this up for IPv4 + IPv6 because dnscrypt-proxy and Unbound DNS are listening on both addresses and in the original unbound.conf "interface-automatic" is set to yes, see:

ssh on opnsense: "cat /var/unbound/unbound.conf"
# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::0
interface-automatic: yes


User karlson2k figured out that entries in "Services/Unbound DNS/Overrides/Domain Overrides" prevent Unbound DNS from starting if you forward to dnscrypt-proxy. Writing "server:" at the beginning of "Custom options" solves this.
Quote from: karlson2k on January 13, 2020, 10:03:18 PM
The reason is that domain overrides are included in unbound.conf before "Custom options" and domain overrides change the section from "server:" to "forward-zone:".
To fix the error in the configuration, you need to add a "server:" line before "do-not-query-localhost: no".


so the complete configuration looks like...

server:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353


=> Choose "All (recommended)" on "Outgoing Network Interfaces". In the past you had the option "localhost" but this is removed since version 19.


Configuration System DNS-Server:
System/Settings/General
=> Check that no "DNS Server" is configured
=> Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"
=> Uncheck "Do not use the local DNS service as a nameserver for this system"
(see attachment "System-Settings-General.png")



All is done!

Check if your DNS Configuration works correctly:
=> https://dnsleaktest.com
Check against dns-leaks and what dns-server you currently use
=> https://cmdns.dev.dns-oarc.net/
Check your dns features
=> https://internet.nl/test-connection/
If you use IPv6 and DNSSEC
=> http://www.dnssec-or-not.com/
If you use DNSSEC
=> https://tools.dnsstuff.com/
DNS-Tools and more


Recommendation for another tutorial:
Forward all unencrypted dns traffic to OPNsense, see:
https://forum.opnsense.org/index.php?topic=9245.0


Kind Regards  ;)
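As an added example (not part of the tutorial or of the OPNsense plugin code), this Python script mimics the assembly order karlson2k describes (generated "server:" block, then a domain override, then "Custom options") and reports which clause each option lands in; it shows why "do-not-query-localhost: no" needs the leading "server:" as soon as a domain override exists. All config fragments are constructed, and the assembly order is taken from the quote above, not from the real config generator.

```python
import re

# Constructed fragments in the order the thread says OPNsense assembles unbound.conf:
# the generated "server:" block, then an optional domain override (which switches the
# clause to "forward-zone:"), then the user's "Custom options".
GENERATED = """server:
interface: 0.0.0.0
interface: ::0
interface-automatic: yes
"""

DOMAIN_OVERRIDE = """forward-zone:
    name: "corp.example"
    forward-addr: 192.0.2.10
"""

CUSTOM_BROKEN = """do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353
"""

CUSTOM_FIXED = "server:\n" + CUSTOM_BROKEN

# Options Unbound only accepts inside the "server:" clause (subset, enough for this check).
SERVER_ONLY = {"do-not-query-localhost", "interface", "interface-automatic"}

def assemble(custom, override=True):
    """Concatenate the pieces the way the thread says the config generator does."""
    return GENERATED + (DOMAIN_OVERRIDE if override else "") + custom

def section_of_options(conf):
    """Walk the config text and record (option, clause) for every option line."""
    clause, placed = None, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"[a-z-]+:", line):  # clause header such as "server:"
            clause = line[:-1]
            continue
        placed.append((line.split(":", 1)[0], clause))
    return placed

def misplaced_options(conf):
    """Server-only options that ended up outside "server:" (Unbound refuses to start)."""
    return [(k, c) for k, c in section_of_options(conf) if k in SERVER_ONLY and c != "server"]
```

Without a domain override the broken custom options still parse (the clause is still "server:"), which is why the problem only shows up once an override is added.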



Quote from: p1n0ck10 on December 13, 2018, 10:14:12 PM
This technique does not protect against ISP censorship !!! A VPN provider can solve this.
Here is the answer from the developer Frank Denis:
https://superuser.com/questions/1318588/what-exactly-isp-can-see-when-someone-use-dnscrypt-proxy-with-dnscrypt-enabled-p

First of all many thanks for this ingenious instruction.
I have two questions.

1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to receive their DNS request via unbound?

2. Now, if my provider can read everything again, what is the sense of using this plugin?
Because the different servers that dnscrypt uses I can also enter myself in the Unbound DNS server list, and for that I don't need this plugin.

thx
rené
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

December 16, 2018, 01:29:26 PM #4 Last Edit: December 16, 2018, 01:34:27 PM by p1n0ck10
Quote from: opnsenseuser on December 16, 2018, 08:37:38 AM
1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to receive their DNS request via unbound?
Which Transparent Proxy do you mean? Web Proxy or DNS Proxy?

Quote from: opnsenseuser on December 16, 2018, 08:37:38 AM
2. Now, if my provider can read everything again, what is the sense of using this plugin?
Because the different servers that dnscrypt uses I can also enter myself in the Unbound DNS server list, and for that I don't need this plugin.
The sense of the plugin is to encrypt the DNS traffic over DNSCrypt or DoH (DNS over HTTPS). This in combination with DNSSEC checks the digital signature of DNS responses to verify that the data match what the zone owner initially configured. It makes DNS more secure against spoofing or changing of the DNS records you ask for. More info here: https://dnscrypt.info/faq/





December 16, 2018, 02:08:27 PM #5 Last Edit: December 16, 2018, 02:29:22 PM by opnsenseuser
Quote from: p1n0ck10 on December 16, 2018, 01:29:26 PM
Quote from: opnsenseuser on December 16, 2018, 08:37:38 AM
1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to receive their DNS request via unbound?
Which Transparent Proxy do you mean? Web Proxy or DNS Proxy?

1. Squid http(s) proxy with cert (yes, web)

2. What can I do to give the provider no way to read my surfing behaviour?
You wrote something about VPN DNS!
I currently do not use a VPN.
Is this still possible?
And are there any instructions for OPNsense?

Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

December 16, 2018, 02:56:47 PM #6 Last Edit: December 25, 2018, 05:14:16 PM by p1n0ck10
Quote from: opnsenseuser on December 16, 2018, 08:37:38 AM
1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to receive their DNS request via unbound?

Quote from: p1n0ck10 on December 16, 2018, 01:29:26 PM
Which Transparent Proxy do you mean? Web Proxy or DNS Proxy?

Quote from: opnsenseuser on December 16, 2018, 02:08:27 PM
Squid http(s) proxy with cert (yes, web)

Web proxy and DNS are different things. A transparent web proxy catches all your clients' HTTP and HTTPS requests when you have set a NAT rule. Your clients will still ask for DNS even if you use the transparent web proxy. In the web proxy you can add blocklists, too. Without DNS you can't resolve names on the internet. So DNS is an important component for using the internet and should be encrypted like HTTPS.

Quote from: opnsenseuser on December 16, 2018, 02:08:27 PM
2. What can I do to give the provider no way to read my surfing behaviour?
You wrote something about VPN DNS!
I currently do not use a VPN.
Is this still possible?
And are there any instructions for OPNsense?

(for all traffic, not only DNS) The OPNsense plugin "os-tor" (https://www.torproject.org/) or a VPN provider can solve this. First you must read up on which VPN provider you prefer, which features it has and what you need. Here are two examples:
https://nordvpn.com
https://www.perfect-privacy.com/

Most VPN providers support normal IPsec and OpenVPN. OPNsense can do that ;-)



Do I have to change anything for the Bind PlugIn to work together?

So follow the instructions in here and make sure that Unbound is pointing to port 53530 (default for BIND).

BIND doesn't let you put in port numbers for the forwarders, so you have to edit the config file.
Go to the BIND service page first and fill in 127.0.0.1 and ::1 in the forwarders section.
Also make sure DNSSEC Validation is "Auto". Now hit Save.
Then you need to edit /usr/local/etc/namedb/named.conf to add in the ports for the forwarders to point to dnscrypt. I like using WinSCP to SSH to the unit and doing this in a text editor, but do it however you'd like.
Now you should have a forwarders line.
This is what my forwarders line looks like after adding in the port numbers:
forwarders    { 127.0.0.1 port 5353; ::1 port 5353; };
Basically I just added " port 5353" to the end of each forwarder IP.

It appears to be working for me. All the leak tests give me the same result I got when I was just using dnscrypt and BIND appears.

Only quirk I had is the first time after installing bind and dnscrypt-proxy I could not start dnscrypt-proxy service without restarting opnsense. After the restart it appeared to work fine.
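To check the chain locally instead of only via the leak-test sites, here is an added Python script (not from the tutorial or any of the posters) that sends a raw DNS query with the EDNS0 DO bit to the forwarder (Unbound or BIND on port 53) and directly to dnscrypt-proxy on 127.0.0.1:5353 / [::1]:5353, and reports the rcode and the AD flag. It assumes the listen addresses from the tutorial and that dnssec-failed.org is still a public test zone with a deliberately broken signature.

```python
import socket
import struct
import sys

TXID = 0x1234

def build_query(name, qtype=1):
    """DNS query with RD set plus an EDNS0 OPT record carrying the DO bit,
    so a validating resolver reports its DNSSEC result in the AD flag."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 1)
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, TYPE 41, UDP size 4096, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(msg):
    """Header fields worth checking on a validating forwarder: rcode, AD, RA, TC."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,     # 0 = NOERROR, 2 = SERVFAIL (validation failed)
        "ad": bool(flags & 0x0020),  # Authenticated Data: answer passed DNSSEC validation
        "ra": bool(flags & 0x0080),
        "tc": bool(flags & 0x0200),
        "answers": an,
    }

def check_resolver(name, addr, port, timeout=3.0):
    """Send one UDP query and return the parsed response header (raises on timeout)."""
    fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (addr, port))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != TXID:
        raise ValueError("transaction id mismatch")
    return hdr

if __name__ == "__main__":
    # Run on the firewall: a signed zone should return ad=True from both the forwarder and
    # dnscrypt-proxy; the broken test zone (default) should return rcode=2 (SERVFAIL).
    name = sys.argv[1] if len(sys.argv) > 1 else "dnssec-failed.org"
    for addr, port in (("127.0.0.1", 53), ("127.0.0.1", 5353), ("::1", 5353)):
        print(addr, port, check_resolver(name, addr, port))
```

If the forwarder answers a signed zone with ad=False while dnscrypt-proxy answers ad=True, the forwarder itself is not validating (for Unbound, check "Enable DNSSEC Support"; for BIND, the "Auto" validation setting mentioned above).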

You can also add an alias 127.0.0.8 and let dnscrypt listen on this IP with port 53. Will also work ...

Quote from: mimugmail on December 25, 2018, 07:55:19 AM
You can also add an alias 127.0.0.8 and let dnscrypt listen on this IP with port 53. Will also work ...

Yes that would make it easier so you wouldn't have to edit the file. I wish I thought of doing it that way.

Thanks for the tutorial. I am always looking for ways to improve DNS security.
I know enough about networking to be dangerous. Your tutorial was easy to follow and get working.

I am curious though. Before, I used Cloudflare and Google for DNS and that is reflected in DNS tests. Now when I check DNS it appears that I am using random servers, but the provider comes back as Cloudflare. I assume the fastest server available is responding but the request is encrypted?

Yes, it chooses the fastest one, but you can also use manual servers (with the next version)

Had to give up on this plugin. While I like the idea, I had too many DNS lookup failures.

And why should they be related to the plugin? If it works, it works .. if you have something wrong, nothing works.