HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

Started by p1n0ck10, December 13, 2018, 10:14:12 PM


Quote from: Nekromantik on January 26, 2020, 07:01:11 PM
does this replace using stubby?

stubby uses DoT and dnscrypt-proxy uses DNSCrypt or DoH and optionally DNSBL. Difficult to say what is better; it depends on the private/business use case. I think DoH for client <-> resolver requests and DoT for server <-> resolver requests. DNSCrypt seems not so popular but has more privacy features. You can't use both on the same ports, only on different ones, and then you must handle the requests from the clients. I like the option in dnscrypt-proxy to use your own server list of trusted servers, and it always uses the fastest. DoH seems to be the fastest way because existing technologies and knowledge for HTTPS requests can be used for this: load balancers, HAProxies, ports that are not blocked...
With a cron job on OPNsense you can restart the dnscrypt-proxy service every 15 or 30 min and it uses the fastest server again. For me a good combination. All can be configured over the GUI. Not necessary to install packages over the CLI.
If you use the firewall only for yourself and you are the only admin, it's OK to configure the firewall with custom configurations if you know what you do.
If you use the firewall for customers/other admins, or for people not familiar with deep firewall knowledge, it's difficult to handle custom options and manual installations of packages: stability, troubleshooting, some configs over the GUI, some over the CLI... not really supported and so on...

but this is only my experience ;-)


How do I redirect all traffic to forward it to Unbound DNS/DNSCrypt? Currently I have a rule that is:

Interface LAN
Protocol TCP/UDP
Source LAN Net
Destination ANY
Destination port range DNS

Or is it related to the article that you have posted, so that it would work with HOWTO - Redirect all DNS Requests to Opnsense in conjunction with your current article?
Thanks

Quote from: chain on March 02, 2020, 04:10:15 AM
How do I redirect all traffic to forward it to Unbound DNS/DNSCrypt? Currently I have a rule that is:

Interface LAN
Protocol TCP/UDP
Source LAN Net
Destination ANY
Destination port range DNS

Or is it related to the article that you have posted, so that it would work with HOWTO - Redirect all DNS Requests to Opnsense in conjunction with your current article?
Thanks

It is explained well in the HOWTO - Redirect all DNS Requests to Opnsense. It is only a recommendation and they are not dependent on each other. It should be a NAT rule => "Firewall/NAT/Port Forward" with destination "invert" + "Local Firewall Address". That means if your clients do not use the local firewall address for unencrypted DNS (port 53), it redirects the request to OPNsense. If some clients in your network use encrypted DNS it would not apply.

I think you have a normal rule, which is not correct...




Hello,

I just finished setting up dnscrypt-proxy on OPNsense with Unbound following the provided guide, and it works great, with the exception of not being able to verify DoH is enabled through Cloudflare's site, for example. Most likely because it knows nothing about the local DNS setup and how it is being routed through OPNsense. However, I see that a local DoH server can be set up via dnscrypt-proxy: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH

I've taken a look at the dnscrypt-proxy.toml configuration file located in /usr/local/etc/dnscrypt-proxy; however, there is no section called local_doh. I assume that any changes via the OPNsense GUI would overwrite any changes made manually in the config file? Perhaps an update to the os-dnscrypt-proxy plugin could be made to allow this configuration through the GUI?

EDIT: I missed this part in the wiki near the bottom ("don't pay attention to the "Secure DNS" column, the green mark will only be shown when using Cloudflare"). So I guess that check will never work unless pointing to Cloudflare directly, but I suppose this would be the local solution to enable ESNI in Firefox when using DoH, which may be debatable in its current usefulness due to its lack of implementation.
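For readers who want to see what the local_doh section from the linked wiki page looks like next to the listen address discussed in this thread, here is an added config fragment; it is not from the page, the os-dnscrypt-proxy plugin or the dnscrypt-proxy project. It assumes the file path named in the post above, the 127.0.0.8 loopback alias suggested later in the thread, the [local_doh] keys as documented by dnscrypt-proxy, and placeholder values for the LAN address (192.0.2.1), the DoH port (3000) and the certificate paths.

```toml
# /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml (fragment, added example)
# Note: the post above assumes the OPNsense GUI regenerates this file, so on a
# plugin-managed install these settings must be carried over to the GUI.

# Listen on a loopback alias so Unbound can keep 127.0.0.1:53 (see later in
# the thread for the 127.0.0.8 alias suggestion).
listen_addresses = ['127.0.0.8:53']

# Restrict upstream selection to servers from the public list that validate
# DNSSEC, keep no logs and do not filter; 'cloudflare' stands in for your own
# trusted list, the fastest reachable entry is used.
require_dnssec = true
require_nolog = true
require_nofilter = true
server_names = ['cloudflare']

# Local DoH front end (wiki: Local-DoH). Browsers on the LAN can be pointed at
# https://192.0.2.1:3000/dns-query; the certificate must be trusted by those
# browsers, otherwise the DoH connection is refused.
[local_doh]
listen_addresses = ['192.0.2.1:3000']                        # assumed LAN address
path = "/dns-query"
cert_file = "/usr/local/etc/dnscrypt-proxy/local-doh.pem"     # assumed path
cert_key_file = "/usr/local/etc/dnscrypt-proxy/local-doh.pem" # assumed path
```

As the wiki note quoted above says, Cloudflare's "Secure DNS" check will still not turn green with this setup; the way to confirm it works is that the browser's DoH queries arrive on the local_doh listener and not on port 53.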

Install DNSCrypt-Proxy:
System/Firmware/Plugins
=> Install "os-dnscrypt-proxy"

Is the plugin discontinued?
For me, trying to use it on OPNsense 2.1.9, the plugin (os-dnscrypt-proxy) is missing from the plugin list.


Yes, sure, i386, but that shouldn't be a problem.

Version 18.7 still had the plugin in the i386 repository:
http://mirror.wjcomms.co.uk/opnsense/FreeBSD:11:i386/18.7/latest/Latest/

So it is apparently feasible in terms of programming?


Quote from: mimugmail on December 25, 2018, 07:55:19 AM
You can also add an alias 127.0.0.8 and let dnscrypt listen on this IP with port 53. Will also work ...

How do I do this for IPv6, please?

Virtual IP for ::8??

Greets

Byte


Quote from: mimugmail on August 23, 2020, 10:07:08 AM
::1

I don't understand this.

127.0.0.1 doesn't work, because Unbound DNS is listening on port 53.
So I set 127.0.0.8 as a virtual IP and listen on port 53.

So ::1 doesn't work, because Unbound DNS listens on port 53,
so I need another virtual IP to listen on port 53.
e.g. ::8 port 53???


Greets

Byte