
HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6


p1n0ck10:
[Updated on 10.03.2020]

Since OPNsense 18.7.9 it is possible to use encrypted DNS with the OPNsense plugin "os-dnscrypt-proxy". Thanks to mimugmail (m.muenz@gmail.com). This plugin supports DNSCrypt (https://dnscrypt.info) and DNS over HTTPS (DoH) with DNSSEC and DNSBL.


Explanations and Differences:
DNSCrypt or DNS over HTTPS = protocols that authenticate the communication between a DNS client and a DNS resolver. They encrypt the traffic and prevent DNS spoofing or man-in-the-middle attacks. DoH is standardized by the IETF and the standard port for resolvers is 443. DNSCrypt uses different ports: resolvers on the internet often use ports like 443, 4443, 5443 or 8443. DNSCrypt is currently not standardized but has more privacy features.
DNSSEC = DNS extension that allows a client to validate the DNS response for supported domains and TLDs. Resolvers check the digital signature of DNS responses.
DNSBL = Domain Name System Blacklists with RPZ (response policy zone) to block ads, trackers and malware domains.

This technique does not protect against ISP censorship!!! Your browser's HTTPS requests carry the Server Name Indication (SNI) unencrypted. Currently only Cloudflare and Firefox have implemented ESNI for testing. Tor or a VPN can solve this. Here is the answer from the developer of DNSCrypt, Frank Denis:
https://superuser.com/questions/1318588/what-exactly-isp-can-see-when-someone-use-dnscrypt-proxy-with-dnscrypt-enabled-p


Scenario:
dnscrypt-proxy only listens on the localhost addresses 127.0.0.1 (IPv4) and ::1 (IPv6) on port 5353 and handles the DNS requests to the internet encrypted.
Unbound DNS forwards all queries to dnscrypt-proxy while itself listening on all interfaces on port 53 (IPv4 + IPv6) and handles the DNS requests from the local network unencrypted.

The reason behind that scenario is that Unbound DNS can act as a DNS resolver for your LAN with all its features. If you allow it to register DHCP leases you can reach your clients via their hostnames and do not need to know their IP addresses. The DNS traffic on the LAN side is not encrypted because most client operating systems currently do not support this. For decentralization dnscrypt-proxy uses a pool of random servers from a public list. Normally it automatically chooses the fastest one matching the options you set (IPv4, IPv6, DNSCrypt, DoH, DNSSEC, NoLog, NoFilter). Every 3 hours it checks for the fastest server again. You can shorten the time interval by running the existing cronjob under System/Settings/Cron "Download DNSCrypt-Proxy DNSBLs and restart". You only need dnscrypt-proxy because Unbound DNS (and also dnsmasq) has only limited support for DNSCrypt/DoH and DNSBL.

You can also configure dnscrypt-proxy as a standalone DNS server. For this follow these instructions:
https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html


Install DNSCrypt-Proxy:
System/Firmware/Plugins
=> Install "os-dnscrypt-proxy"


Configuration DNSCrypt-Proxy:
Services/DNSCrypt-Proxy/Configuration/General
=> Check "Enable DNSCrypt-Proxy"
=> "Listen Address" is 127.0.0.1:5353 and [::1]:5353
=> Check "Use IPv4 Servers"
=> Check "Use IPv6 Servers"
=> Check "Use DNSCrypt Servers"
=> Check "Use DNS-over-HTTPS Servers"
=> Check "Require DNSSEC"
(see attachments "Services-DNSCrypt-Proxy_01.png", "Services-DNSCrypt-Proxy_02.png")



=> As "Fallback Resolver" you can use the standard Quad9 server (9.9.9.9:53) or Cloudflare (1.1.1.1:53) or whatever you want.


Optional Configuration DNSCrypt-Proxy (manual Servers):
For some business use cases it is necessary to use manual DNS servers for additional DNS services from Cloudflare or Cisco Umbrella. For other reasons you may want to use specific servers from your country. If you use the "Server List" the options (DNSSEC, NoLog, NoFilter) will be ignored.

Services/DNSCrypt-Proxy/Configuration/General
=> On "Server List" you can enter the server names from this public list https://dnscrypt.info/public-servers/.
Use the exact server names and not any IPs.

Cloudflare CDN (DoH) is one of the fastest, but in the past another user had the experience that some sites like oneplus.com or postbank.de were not available because DNSSEC was broken => seems to be fixed.
In that case you have to configure Unbound DNS to redirect the queries for this domain to another DNS server. This can be done on "Services/Unbound DNS/Overrides/Domain Overrides".

--- Code: ---cloudflare
cloudflare-ipv6

--- End code ---

Cisco/OpenDNS (DNSCrypt) for services like Cisco Umbrella.

--- Code: ---cisco
cisco-ipv6

--- End code ---

(see attachment "Services-DNSCrypt-Proxy_03.png")


Another option is to create your own server on Services/DNSCrypt-Proxy/Configuration/Servers.


Configuration Unbound DNS:
Services/Unbound DNS/General
=> Check "Enable Unbound"
=> Check "Enable DNSSEC Support"
=> Uncheck "DNS Query Forwarding"
=> Under "Custom options" you must configure Unbound DNS so that it forwards everything to dnscrypt-proxy. I set this up for IPv4 + IPv6 because dnscrypt-proxy and Unbound DNS are listening on both addresses and in the original unbound.conf "interface-automatic" is set to yes, see:

ssh on OPNsense: "cat /var/unbound/unbound.conf"

--- Code: ---# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::0
interface-automatic: yes

--- End code ---

User karlson2k figured out a solution for the problem that entries in "Services/Unbound DNS/Overrides/Domain Overrides" prevent Unbound DNS from starting if you forward to dnscrypt-proxy. Writing "server:" at the beginning of "Custom options" solves this.

--- Quote from: karlson2k on January 13, 2020, 10:03:18 pm ---The reason is that domain overrides are included in unbound.conf before "Custom options" and domain overrides change the section from "server:" to "forward-zone:".
To fix the error in the configuration, you need to add a "server:" line before "do-not-query-localhost: no".

--- End quote ---


So the complete configuration looks like this:

--- Code: ---server:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353

--- End code ---

=> Choose "All (recommended)" for "Outgoing Network Interfaces". In the past you had the option "localhost" but this was removed in version 19.


Configuration System DNS-Server:
System/Settings/General
=> Check that no "DNS Server" is configured
=> Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"
=> Uncheck "Do not use the local DNS service as a nameserver for this system"
(see attachment "System-Settings-General.png")



All is done!

Check if your DNS configuration works correctly:
=> https://dnsleaktest.com
Check for DNS leaks and which DNS server you currently use
=> https://cmdns.dev.dns-oarc.net/
Check your DNS features
=> https://internet.nl/test-connection/
If you use IPv6 and DNSSEC
=> http://www.dnssec-or-not.com/
If you use DNSSEC
=> https://tools.dnsstuff.com/
DNS tools and more


Recommendation of another tutorial:
Forward all unencrypted DNS traffic to OPNsense, see:
https://forum.opnsense.org/index.php?topic=9245.0


Kind Regards  ;)
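
As an added example (not code from the original post or from the os-dnscrypt-proxy plugin), a small section-aware check for the pitfall described above: it parses a generated unbound.conf, reports any server:-only option that landed inside a forward-zone: clause because the Domain Overrides were emitted before the Custom options, and verifies that the root zone is forwarded to dnscrypt-proxy on both loopback addresses with do-not-query-localhost set to no. The sample configurations and the "example.test" override are constructed for this example.

```python
import re

# Options Unbound accepts only inside the server: clause (the subset used here).
SERVER_ONLY = {"do-not-query-localhost", "interface", "interface-automatic"}
CLAUSE_RE = re.compile(r"^([a-z-]+):$")   # a bare "server:" / "forward-zone:" header

def parse_options(conf_text):
    """Yield (clause, key, value) per option line, tracking the enclosing
    top-level clause. A clause header is yielded as (clause, None, None)."""
    clause = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = CLAUSE_RE.match(line)
        if m:
            clause = m.group(1)
            yield clause, None, None
            continue
        key, _, value = line.partition(":")
        yield clause, key.strip(), value.strip().strip('"')

def check_config(conf_text):
    """Return problems for the HOWTO's Unbound -> dnscrypt-proxy setup;
    an empty list means the generated unbound.conf is consistent."""
    problems, root_fwd, zone, dnq = [], set(), None, None
    for clause, key, value in parse_options(conf_text):
        if key is None:                              # new clause: forget zone name
            zone = None
        elif key in SERVER_ONLY and clause != "server":
            problems.append(f"'{key}' landed in '{clause}:' (add 'server:' first)")
        elif clause == "server" and key == "do-not-query-localhost":
            dnq = value
        elif clause == "forward-zone" and key == "name":
            zone = value
        elif clause == "forward-zone" and key == "forward-addr" and zone == ".":
            root_fwd.add(value)
    if root_fwd != {"127.0.0.1@5353", "::1@5353"}:
        problems.append(f"root zone must forward to both loopbacks, got {sorted(root_fwd)}")
    if root_fwd and dnq != "no":
        problems.append("'do-not-query-localhost: no' missing from server: clause")
    return problems

# Constructed samples of what OPNsense writes: a Domain Override precedes the Custom options.
OVERRIDE = 'server:\ninterface: 0.0.0.0\ninterface: ::0\ninterface-automatic: yes\n' \
           'forward-zone:\n    name: "example.test"\n    forward-addr: 192.0.2.53\n'
CUSTOM = 'do-not-query-localhost: no\nforward-zone:\n    name: "."\n' \
         '    forward-addr: 127.0.0.1@5353\n    forward-addr: ::1@5353\n'
BROKEN_CONF = OVERRIDE + CUSTOM               # Custom options pasted verbatim
FIXED_CONF = OVERRIDE + "server:\n" + CUSTOM  # karlson2k's fix: re-open server:
```

Running check_config on BROKEN_CONF reports the misplaced option and the missing do-not-query-localhost, while FIXED_CONF passes cleanly.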

mimugmail:
Nice :)

gambrinus:
Thanks, p1n0ck10.

opnsenseuser:

--- Quote from: p1n0ck10 on December 13, 2018, 10:14:12 pm ---This technique does not protect against ISP censorship!!! A VPN provider can solve this.
Here is the answer from the developer Frank Denis:
https://superuser.com/questions/1318588/what-exactly-isp-can-see-when-someone-use-dnscrypt-proxy-with-dnscrypt-enabled-p

--- End quote ---

First of all many thanks for this ingenious instruction.
I have two questions.

1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to send their DNS requests via Unbound?

2. Now if my provider can read everything again, what is the sense of using this plugin?
Because the different servers that dnscrypt uses I can also enter myself in the Unbound DNS server list, and for that I don't need this plugin.

thx
rené

p1n0ck10:

--- Quote from: opnsenseuser on December 16, 2018, 08:37:38 am ---1. What settings should I make if I use a transparent proxy and at the same time have a few clients that do not use a transparent proxy and continue to send their DNS requests via Unbound?
--- End quote ---
Which Transparent Proxy do you mean? Web Proxy or DNS Proxy?


--- Quote from: opnsenseuser on December 16, 2018, 08:37:38 am ---2. Now if my provider can read everything again, what is the sense of using this plugin?
Because the different servers that dnscrypt uses I can also enter myself in the Unbound DNS server list, and for that I don't need this plugin.
--- End quote ---
The sense of the plugin is to encrypt the DNS traffic via DNSCrypt or DoH (DNS over HTTPS). This in combination with DNSSEC checks the digital signature of DNS responses to verify that the data matches what the zone owner initially configured. It makes DNS more secure against spoofing or tampering with the DNS records you ask for. More info here: https://dnscrypt.info/faq/

