HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

[chemlud]

When I leave my own network, I'm a user and would use DoH, as it is not easy to block for admins.

When I'm in my own network, I'm an admin and hate DoH. But for the provider or anybody upstream (if he can open TLS traffic), it hardly makes a difference, if he filters for port 853 or the DNS providers by a list of IPs contacted on port 443 via DoH...

[JohnnyBeee]

Now that the "custom options" are gone for Unbound DNS since OPNsense 21.7, how do I configure Unbound DNS with DNSCRYPT-PROXY ?

[ingvarr]

Now that the "custom options" are gone for Unbound DNS since OPNsense 21.7, how do I configure Unbound DNS with DNSCRYPT-PROXY ?

It appears that the only straight way is Enable Forwarding Mode with DNSCrypt-Proxy being listed in system DNS.
Ugly and will also create madness with multiple WANs.

[nikkon]

On the 21.7.1 version the DoT doesn’t work easy. Required 3 service restarts. No idea why.
Once I define and enable the entries under Unbound -> DNS over TLS and enable 1 of them, dns is dead.

2021-08-14T15:37:31   unbound[96235]   [96235:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 21 recursion replies sent, 0 replies dropped, 0 states jostled out   
2021-08-14T15:37:31   unbound[96235]   [96235:0] info: server stats for thread 7: requestlist max 4 avg 0.545455 exceeded 0 jostled 0   
2021-08-14T15:37:31   unbound[96235]   [96235:0] info: server stats for thread 7: 146 queries, 125 answers from cache, 21 recursions, 1 prefetch, 0 rejected by ip ratelimiting

Finally it started working

https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6IlllcyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJBTVMiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==

[JohnnyBeee]

Now that the "custom options" are gone for Unbound DNS since OPNsense 21.7, how do I configure Unbound DNS with DNSCRYPT-PROXY ?

It appears that the only straight way is Enable Forwarding Mode with DNSCrypt-Proxy being listed in system DNS.
Ugly and will also create madness with multiple WANs.

The only problem with that is the port. You cannot specify a port in the system settings and you cannot have 2 services listening on the same port (53).

So am I right to assume that the custom options have only disappeared from the configuration GUI but are still taken into account when entered in unbound.conf?

[ingvarr]

Now that the "custom options" are gone for Unbound DNS since OPNsense 21.7, how do I configure Unbound DNS with DNSCRYPT-PROXY ?

It appears that the only straight way is Enable Forwarding Mode with DNSCrypt-Proxy being listed in system DNS.
Ugly and will also create madness with multiple WANs.

The only problem with that is the port. You cannot specify a port in the system settings and you cannot have 2 services listening on the same port (53).

So am I right to assume that the custom options have only disappeared from the configuration GUI but are still taken into account when entered in unbound.conf?

Virtual IPs?

[crissi]

Regarding DNS Crypt Proxy with Unbound DNS – General Network Interfaces, should here be really selected All Interfaces or just specific, like LAN, VLAN and OpenVPN Connection?

What are further recommended Settings under Unbound DNS – Advanced?

Thx

[janci]

Advanced Configurations in https://docs.opnsense.org/manual/unbound.html#advanced-configurations
is describing new way to add custom option into unbound.

So I did create file
/usr/local/etc/unbound.opnsense.d/dns-crypt-forward.conf

with this content
server:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353

command configctl unbound check is OK with that


now, question is how to check if unbound is forwarding queries to dns-cryopt?

so trying these webs:
- http://verteiltesysteme.net/ saying OK
- https://dnsleaktest.com/ running extetended test and result is list of different DNS resolvers from different countries
- https://cmdns.dev.dns-oarc.net/ looks OK

[cmccallu]

Advanced Configurations in https://docs.opnsense.org/manual/unbound.html#advanced-configurations
is describing new way to add custom option into unbound.

So I did create file
/usr/local/etc/unbound.opnsense.d/dns-crypt-forward.conf

with this content
server:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353

command configctl unbound check is OK with that


now, question is how to check if unbound is forwarding queries to dns-cryopt?

so trying these webs:
- http://verteiltesysteme.net/ saying OK
- https://dnsleaktest.com/ running extetended test and result is list of different DNS resolvers from different countries
- https://cmdns.dev.dns-oarc.net/ looks OK

Thanks for all the setup details it worked great! The easiest way to see it was working was to look in Services: DNSCrypt-Proxy: Log / Queries and seeing entries appear!

[PlanetDyna]

Can I adopt this configuration 1:1? In this setup, the proxy and relay server have been connected. Or is that not intended?

https://codeberg.org/DecaTec/dnscrypt-proxy-config/commit/6dc93c83e3d7c2249075264bf7ca46ae54a83835

[karlson2k]

Version 23.7 needs some adoption as it has a small bug.

The configuration file must be:

server:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353

server:

Note duplicated server: at the end of the block

[0zzy]

I added the custom config like this:
server:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353


But I get an error:
root@OPNsense:/usr/local/etc/unbound.opnsense.d # configctl unbound check
[1697893333] unbound-checkconf[21658:0] error: duplicate forward zone . ignored.
no errors in /var/unbound/unbound.conf

what I'm doing wrong?

ok find the misconfiguration:
got also forwarding configured under Services: Unbound DNS: DNS over TLS
disabled both entries solved my problem.

[senser]

I have a stupid question: if you want secure DNS queries, why not just use DNS over TCL?

[0zzy]

@senser because it's not the only thing I want.
now it works, I don't have an idea what was wrong the last time.
I made any changes to the file after reading docs and tips.

[pitt1717]

just tried following this guide. i get the port in use error if i use 127.0.0.1:5353 and or ::1:5353. i currently have 0.0.0.0:5353 set and leak tests seems to wok, but i think this puts me in standalone mode. which would negate the need for unbound correct?
is there anyway to get the 127 and ::1 working?