
Author Topic: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6  (Read 12063 times)

cake

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #15 on: January 25, 2019, 04:23:02 am »
This is great! Many thanks to the dev mimugmail (m.muenz@gmail.com) and for the tutorial!
I had a little trouble with it not starting when I entered some dns servers in the list at https://dnscrypt.info/public-servers/
I ended up looking at the log located in
Code:
cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log
and choosing 3 of the resolvers that worked. I am wondering: if one of the resolvers goes down, will this stop dnscrypt-proxy from starting at boot?

I went a different route from the tutorial in the first post: I set up a Virtual IP in Firewall --> Virtual IP.
I used: IP Alias | loopback | 127.0.0.2
Then I configured the DNSCrypt plugin to use 127.0.0.2:53 (and deleted the default ones).
Lastly I headed over to System --> Settings --> General and put 127.0.0.2 in the DNS Server box.

My test at https://www.dnsleaktest.com showed my dns queries are using dnscrypt. :-)

One feature request is to be able to edit the log verbosity and also to show the log in the GUI.
Thanks again for this plugin!

mimugmail

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #16 on: January 25, 2019, 05:58:19 am »
Log in the UI is already under review, perhaps with 19.1.
The default behavior is to use the fastest two servers, and it checks every hour which one is the fastest, so no problem :)
IRC: mimugmail
Twitter: mimu_muc
WWW: www.routerperformance.net

p1n0ck10

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #17 on: January 28, 2019, 11:55:22 pm »
Quote from: cake on January 25, 2019, 04:23:02 am

I had a little trouble with it not starting when I entered some dns servers in the list at
I ended up looking at the log located in
Code:
cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log
and choosing 3 of the resolvers that worked. I am wondering: if one of the resolvers goes down, will this stop dnscrypt-proxy from starting at boot?

Lastly I headed over to System --> Settings --> General and put 127.0.0.2 in the DNS Server box.

One feature request is to be able to edit the log verbosity and also to show the log in the GUI.

Thanks again for this plugin!

I only recommend Unbound and DNSCrypt in the way I wrote because I'm not a fan of having too many DNS resolvers between clients and the internet; it makes it a little bit difficult to solve DNS errors. I have tested many DNS resolvers from the public list https://dnscrypt.info/public-servers/
The best way is to use the automatic option, because the fastest servers and a pool of random servers are used. If you use the manual configuration of servers I only recommend Cloudflare and Cisco (OpenDNS), because these are DNS providers with bigger infrastructure behind the scenes. Cisco (OpenDNS) has the disadvantage that it is not using DNSSEC.
The best DNS results on https://cmdns.dev.dns-oarc.net I achieved with Cloudflare.

I don't know why you are using 127.0.0.2 in the configuration of System/Settings/General. In my opinion OPNsense uses localhost as the default DNS resolver. The DNS resolver in System/Settings/General is normally configured with an external DNS resolver; that job is done by DNSCrypt. In my configuration the way is:
OPNsense => localhost = Unbound => forwarding mode to DNSCrypt. That's it.

Good to hear that the log is coming to the GUI  ;)

malkovich78

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #18 on: February 02, 2019, 09:33:40 pm »
Hi,

After reading all the configuration guides for the dnscrypt-proxy plugin and several tests I wasn't able to make it work with Unbound, only with dnsmasq and a dnscrypt-proxy instance running on 127.0.0.2:53 and 127.0.0.2 as the only DNS server in System -> Settings; but with this configuration I found a problem, because on boot dnsmasq is started before dnscrypt-proxy, so the system can't resolve domains. Creating a script to start dnscrypt-proxy before dnsmasq at boot time finally solved it.
I hope this info may be useful to others.

Regards.

zaggynl

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #19 on: March 20, 2019, 08:59:24 pm »
I'm running into the same issue.
I can enable and start Unbound, but it will not start after adding the Advanced Settings part per: https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html
Code:
do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

No error messages appear in the web UI or log.
I can start Unbound from the shell with -d -v; it shows no errors at that time in the shell or in the UI log.

Goal is to forward incoming requests to my pihole VM, which should get its DNS replies from dnscrypt on opnsense.

franco

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #20 on: March 20, 2019, 09:23:16 pm »
I'm guessing same Unbound problem as Bind has:

> When you are using Overrides in Unbound you can not use ``do-not-query-localhost``.


Cheers,
Franco

zaggynl

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #21 on: March 21, 2019, 12:40:53 pm »
Quote from: franco on March 20, 2019, 09:23:16 pm
I'm guessing same Unbound problem as Bind has:

> When you are using Overrides in Unbound you can not use ``do-not-query-localhost``.


Cheers,
Franco

Thanks for the reply. I have a number of Overrides; after removing the do-not-query-localhost line Unbound starts!

mimugmail

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #22 on: March 21, 2019, 02:34:44 pm »
Overrides can also be done via dnscrypt-proxy if you need them. Also Adblocking is now available via the plugin itself.
IRC: mimugmail
Twitter: mimu_muc
WWW: www.routerperformance.net

zaggynl

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #23 on: March 22, 2019, 12:45:35 pm »
Quote from: mimugmail on March 21, 2019, 02:34:44 pm
Overrides can also be done via dnscrypt-proxy if you need them. Also Adblocking is now available via the plugin itself.

Thanks.
Had a look at using dnscrypt-proxy alone but the webui of pihole proved to be more featured.

mimugmail

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #24 on: March 22, 2019, 12:54:29 pm »
Indeed :)
IRC: mimugmail
Twitter: mimu_muc
WWW: www.routerperformance.net

p1n0ck10

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #25 on: March 22, 2019, 03:32:35 pm »
Hi All,

Strange. I have 1 entry in the Host Override in Unbound and have no issues with "do-not-query-localhost: no".

Great that DNSBL is implemented in the dnscrypt-proxy plugin. Thanks mimugmail  ;)

cake

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #26 on: April 18, 2019, 03:04:41 pm »
Does anybody get server timeouts after a few days or so? I start dnscrypt and after a couple of days most servers are timing out according to the log. Not sure how to investigate. Maybe I should start with making the log more verbose?

mimugmail

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #27 on: April 18, 2019, 09:31:08 pm »
But does it switch to other ones?
IRC: mimugmail
Twitter: mimu_muc
WWW: www.routerperformance.net

cake

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #28 on: April 19, 2019, 01:41:17 am »
Yes it does switch, maybe I have a setting wrong or some other configuration.
Here is a bit of the log; you can see that at first 3 have a timeout, and 6 hours later 11 servers are timing out.
Code:
[2019-04-18 19:56:57] [NOTICE] Source [public-resolvers.md] loaded
[2019-04-18 19:56:57] [NOTICE] dnscrypt-proxy 2.0.19
[2019-04-18 19:56:57] [NOTICE] Loading the set of whitelisting rules from [whitelist.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of cloaking rules from [cloaking-rules.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of forwarding rules from [forwarding-rules.txt]
[2019-04-18 19:56:57] [NOTICE] Now listening to 127.0.0.2:53 [UDP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 127.0.0.2:53 [TCP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 192.168.44.4:53 [UDP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 192.168.44.4:53 [TCP]
[2019-04-18 19:56:58] [NOTICE] [arvind-io] OK (crypto v2) - rtt: 256ms
[2019-04-18 19:56:58] [NOTICE] [bottlepost-dns-nl] OK (crypto v2) - rtt: 286ms
[2019-04-18 19:57:00] [NOTICE] [charis] TIMEOUT
[2019-04-18 19:57:00] [NOTICE] [cpunks-ru] OK (crypto v1) - rtt: 313ms
[2019-04-18 19:57:01] [NOTICE] [cs-ch] OK (crypto v2) - rtt: 312ms
[2019-04-18 19:57:01] [NOTICE] [cs-swe] OK (crypto v2) - rtt: 293ms
[2019-04-18 19:57:01] [NOTICE] [cs-nl] OK (crypto v2) - rtt: 213ms
[2019-04-18 19:57:01] [NOTICE] [cs-nl2] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:02] [NOTICE] [cs-fi] OK (crypto v2) - rtt: 200ms
[2019-04-18 19:57:02] [NOTICE] [cs-pl] OK (crypto v2) - rtt: 295ms
[2019-04-18 19:57:02] [NOTICE] [cs-dk] OK (crypto v2) - rtt: 206ms
[2019-04-18 19:57:02] [NOTICE] [cs-it] OK (crypto v2) - rtt: 170ms
[2019-04-18 19:57:02] [NOTICE] [cs-fr] OK (crypto v2) - rtt: 158ms
[2019-04-18 19:57:03] [NOTICE] [cs-fr2] OK (crypto v2) - rtt: 160ms
[2019-04-18 19:57:03] [NOTICE] [cs-pt] OK (crypto v2) - rtt: 211ms
[2019-04-18 19:57:03] [NOTICE] [cs-hk] OK (crypto v2) - rtt: 361ms
[2019-04-18 19:57:03] [NOTICE] [cs-ro] OK (crypto v2) - rtt: 191ms
[2019-04-18 19:57:03] [NOTICE] [cs-mo] OK (crypto v2) - rtt: 205ms
[2019-04-18 19:57:04] [NOTICE] [cs-lv] OK (crypto v2) - rtt: 202ms
[2019-04-18 19:57:04] [NOTICE] [cs-uk] OK (crypto v2) - rtt: 165ms
[2019-04-18 19:57:04] [NOTICE] [cs-de] OK (crypto v2) - rtt: 162ms
[2019-04-18 19:57:04] [NOTICE] [cs-de2] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:04] [NOTICE] [cs-ca] OK (crypto v2) - rtt: 218ms
[2019-04-18 19:57:05] [NOTICE] [cs-ca2] OK (crypto v2) - rtt: 291ms
[2019-04-18 19:57:05] [NOTICE] [cs-usny] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:05] [NOTICE] [cs-usil] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:05] [NOTICE] [cs-usnv] OK (crypto v2) - rtt: 216ms
[2019-04-18 19:57:08] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-18 19:57:08] [NOTICE] [cs-usdc] OK (crypto v2) - rtt: 264ms
[2019-04-18 19:57:08] [NOTICE] [cs-ustx] OK (crypto v2) - rtt: 242ms
[2019-04-18 19:57:08] [NOTICE] [cs-usga] OK (crypto v2) - rtt: 250ms
[2019-04-18 19:57:09] [NOTICE] [cs-usnc] OK (crypto v2) - rtt: 258ms
[2019-04-18 19:57:09] [NOTICE] [cs-usca] OK (crypto v2) - rtt: 209ms
[2019-04-18 19:57:09] [NOTICE] [cs-usor] OK (crypto v2) - rtt: 272ms
[2019-04-18 19:57:09] [NOTICE] [d0wn-is-ns2] OK (crypto v1) - rtt: 235ms
[2019-04-18 19:57:10] [NOTICE] [d0wn-tz-ns1] OK (crypto v1) - rtt: 392ms
[2019-04-18 19:57:10] [NOTICE] [de.dnsmaschine.net] OK (crypto v2) - rtt: 204ms
[2019-04-18 19:57:10] [NOTICE] [dnscrypt.ca-1] OK (crypto v2) - rtt: 297ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.ca-2] OK (crypto v2) - rtt: 288ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.eu-dk] OK (crypto v2) - rtt: 205ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.eu-nl] OK (crypto v1) - rtt: 301ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.me] OK (crypto v2) - rtt: 180ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.nl-ns0] OK (crypto v2) - rtt: 196ms
[2019-04-18 19:57:12] [NOTICE] [dnscrypt.uk-ipv4] OK (crypto v2) - rtt: 282ms
[2019-04-18 19:57:12] [NOTICE] [ev-va] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:12] [NOTICE] [ev-to] OK (crypto v2) - rtt: 270ms
[2019-04-18 19:57:12] [NOTICE] [freetsa.org] OK (crypto v1) - rtt: 256ms
[2019-04-18 19:57:13] [NOTICE] [ibksturm] OK (crypto v2) - rtt: 453ms
[2019-04-18 19:57:13] [NOTICE] [ipredator] OK (crypto v1) - rtt: 194ms
[2019-04-18 19:57:13] [NOTICE] [opennic-ethservices] OK (crypto v1) - rtt: 261ms
[2019-04-18 19:57:14] [NOTICE] [opennic-ethservices2] OK (crypto v1) - rtt: 259ms
[2019-04-18 19:57:14] [NOTICE] [opennic-luggs] OK (crypto v1) - rtt: 284ms
[2019-04-18 19:57:14] [NOTICE] [opennic-luggs2] OK (crypto v1) - rtt: 287ms
[2019-04-18 19:57:14] [NOTICE] [publicarray-au] OK (crypto v2) - rtt: 176ms
[2019-04-18 19:57:17] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 19:57:17] [NOTICE] [quad9-dnscrypt-ip4-nofilter-pri] OK (crypto v1) - rtt: 160ms
[2019-04-18 19:57:17] [NOTICE] [quad9-dnscrypt-ip4-nofilter-alt] OK (crypto v1) - rtt: 158ms
[2019-04-18 19:57:19] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 19:57:19] [NOTICE] [scaleway-fr] OK (crypto v2) - rtt: 162ms
[2019-04-18 19:57:19] [NOTICE] [securedns] OK (crypto v1) - rtt: 284ms
[2019-04-18 19:57:20] [NOTICE] [soltysiak] OK (crypto v1) - rtt: 280ms
[2019-04-18 19:57:20] [NOTICE] [suami] OK (crypto v2) - rtt: 161ms
[2019-04-18 19:57:20] [NOTICE] [trashvpn.de] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:20] [NOTICE] [ventricle.us] OK (crypto v2) - rtt: 275ms
[2019-04-18 19:57:22] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 19:57:22] [NOTICE] [opennic-R4SAS] OK (crypto v2) - rtt: 191ms
[2019-04-18 19:57:22] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 19:57:22] [NOTICE] dnscrypt-proxy is ready - live servers: 61
[2019-04-18 20:57:25] [NOTICE] [charis] TIMEOUT
[2019-04-18 20:57:31] [NOTICE] [cs-uswa] OK (crypto v2) - rtt: 289ms
[2019-04-18 20:57:40] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 20:57:42] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 20:57:46] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 20:58:01] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 21:58:04] [NOTICE] [charis] TIMEOUT
[2019-04-18 21:58:18] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 21:58:20] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 21:58:24] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 21:58:39] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 22:58:42] [NOTICE] [charis] TIMEOUT
[2019-04-18 22:58:57] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 22:58:59] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 22:59:02] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 22:59:17] [NOTICE] Server with the lowest initial latency: scaleway-fr (rtt: 159ms)
[2019-04-18 23:59:19] [NOTICE] [charis] TIMEOUT
[2019-04-18 23:59:25] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 23:59:27] [NOTICE] [cs-de] TIMEOUT
[2019-04-18 23:59:38] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 23:59:40] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 23:59:44] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 23:59:50] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 23:59:52] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 00:00:02] [NOTICE] Server with the lowest initial latency: cs-fr2 (rtt: 158ms)
[2019-04-19 01:00:05] [NOTICE] [charis] TIMEOUT
[2019-04-19 01:00:10] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 01:00:12] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 01:00:16] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 01:00:25] [NOTICE] [qag.me] TIMEOUT
[2019-04-19 01:00:27] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-19 01:00:30] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-19 01:00:37] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 01:00:39] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 01:00:51] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 01:00:51] [NOTICE] Server with the lowest initial latency: cs-fr2 (rtt: 158ms)
[2019-04-19 02:00:54] [NOTICE] [charis] TIMEOUT
[2019-04-19 02:01:00] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 02:01:02] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 02:01:05] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 02:01:12] [NOTICE] [ibksturm] TIMEOUT
[2019-04-19 02:01:16] [NOTICE] [qag.me] TIMEOUT
[2019-04-19 02:01:18] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-19 02:01:22] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-19 02:01:28] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 02:01:30] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 02:01:42] [NOTICE] [cs-uswa] TIMEOUT
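Added example, not from the thread or the plugin: a small Python parser for the dnscrypt-proxy log format quoted above that tallies TIMEOUT results per resolver across the hourly re-checks and separates resolvers that never answered from those that were OK at startup and later degraded, which is the distinction that tells you whether to look at the resolver list or at the outbound path. The sample log is constructed after the lines in the post; in practice you would feed it the contents of /var/log/dnscrypt-proxy/dnscrypt-proxy.log, the path mentioned earlier in the thread.

```python
import re

# Constructed sample in the format of the dnscrypt-proxy 2.0.19 log quoted above.
SAMPLE_LOG = """\
[2019-04-18 19:56:58] [NOTICE] [arvind-io] OK (crypto v2) - rtt: 256ms
[2019-04-18 19:57:00] [NOTICE] [charis] TIMEOUT
[2019-04-18 19:57:04] [NOTICE] [cs-de] OK (crypto v2) - rtt: 162ms
[2019-04-18 19:57:22] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 19:57:22] [NOTICE] dnscrypt-proxy is ready - live servers: 61
[2019-04-18 20:57:25] [NOTICE] [charis] TIMEOUT
[2019-04-18 23:59:27] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 01:00:12] [NOTICE] [cs-de] TIMEOUT
"""
# "[timestamp] [LEVEL] message"
LINE_RE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# Probe result: "[name] OK (crypto vN) - rtt: Nms" or "[name] TIMEOUT"
PROBE_RE = re.compile(r"^\[(?P<server>[^\]]+)\] (?P<result>OK|TIMEOUT)"
                      r"(?: \(crypto v\d\) - rtt: (?P<rtt>\d+)ms)?$")

def parse_probe(line):
    """Return (timestamp, server, result, rtt_ms) for a probe line, else None."""
    m = LINE_RE.match(line.strip())
    p = PROBE_RE.match(m.group("msg")) if m else None
    if not p:
        return None  # banner, "ready", "lowest initial latency" and similar lines
    rtt = int(p.group("rtt")) if p.group("rtt") else None
    return m.group("ts"), p.group("server"), p.group("result"), rtt

def summarise(text):
    """Per-resolver counters accumulated over every hourly re-check in the log."""
    stats = {}
    for line in text.splitlines():
        rec = parse_probe(line)
        if rec is None:
            continue
        _ts, server, result, rtt = rec
        s = stats.setdefault(server, {"probes": 0, "timeouts": 0, "ever_ok": False,
                                      "best_rtt": None, "last": None})
        s["probes"] += 1
        if result == "TIMEOUT":
            s["timeouts"] += 1
        else:
            s["ever_ok"] = True
            s["best_rtt"] = rtt if s["best_rtt"] is None else min(s["best_rtt"], rtt)
        s["last"] = result
    return stats

def degraded(stats):
    """Resolvers that answered earlier but time out now (upstream or path problem, not config)."""
    return sorted(n for n, s in stats.items() if s["ever_ok"] and s["last"] == "TIMEOUT")

def never_reachable(stats):
    """Resolvers that never answered at all (stale list entry or blocked outbound)."""
    return sorted(n for n, s in stats.items() if not s["ever_ok"])
```

Resolvers in the degraded list are the ones to correlate with firewall state or WAN changes; those in the never-reachable list are candidates to drop from the server list.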

thg0432

Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« Reply #29 on: April 22, 2019, 05:03:10 pm »
Is it possible to have dnscrypt use a different set of DNS server(s) for an IP range?