HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

[mimugmail]

No, but manual addition

[thg0432]

so essentially just add dns servers in via static ip mappings?  I have my kids devices mapped, but I was hoping to set it via range or group setting rather than manually per device.  I hope this could be a future feature.  It would be great for parental control features and being able to drill down for reports that are generated per user.

[mimugmail]

Just use Port redirection for kids IPs to make use of it. Rest could go with usual DNS

[DoomSalamander]

While I would love to use dnscrypt I can't because of some websites apperently having broken dnssec support like postbank.de see https://community.cloudflare.com/t/problem-with-oneplus-com-and-postbank-de/29232. I currently use dns over tls and there happends the same with dnssec enabled but I can configure a override to get those sites working. I don't know how I can make this work with dnssec and dnscrypt set up because you can only use unbound overrides if "do-not-query-localhost: no" isn't being used. If anyone knows how to make it work please let me know.

[p1n0ck10]

While I would love to use dnscrypt I can't because of some websites apperently having broken dnssec support like postbank.de see https://community.cloudflare.com/t/problem-with-oneplus-com-and-postbank-de/29232. I currently use dns over tls and there happends the same with dnssec enabled but I can configure a override to get those sites working. I don't know how I can make this work with dnssec and dnscrypt set up because you can only use unbound overrides if "do-not-query-localhost: no" isn't being used. If anyone knows how to make it work please let me know.

You must configure Unbound DNS to redirect this query to another DNS-Resolver. Example with Quad9 DNS.
Copy this to your Custom Config:

Code: [Select]

server:
do-not-query-localhost: no

forward-zone:
   name: "postbank.com"
   forward-addr: 9.9.9.9
forward-zone:
   name: "postbank.de"
   forward-addr: 9.9.9.9
forward-zone:
   name: "."
   forward-addr: ::1@5353
   forward-addr: 127.0.0.1@5353

with this config i can resolve postbank.com and postbank.de

Kind Regards

[DoomSalamander]

Thank you very much! Seems to work flawlessly. You should add that to your tutorial and mention that some sites may have broken dnssec support and you can add them that way as an exception.

[p1n0ck10]

Thank you very much! Seems to work flawlessly. You should add that to your tutorial and mention that some sites may have broken dnssec support and you can add them that way as an exception.

This problem seems to be only at Cloudflare but its caused by Postbank
Another options is to use Quad9 DNS Server in the Server List of the DNSCrypt-Proxy Plugin on OPNsense

Code: [Select]

quad9-dnscrypt-ip6-filter-pri
quad9-dnscrypt-ip4-filter-pri

Then you don't have to add exceptions to the custom config in Unbound DNS. But Quad9 seems to be more slowly.

Kind Regards

[DoomSalamander]

This problem seems to be only at Cloudflare.
Another options is to use Quad9 DNS Server in the Server List of the DNSCrypt-Proxy Plugin on OPNsense

Yeah I read that too that this only happens with cloudflare. Apparently of their IETF implantation of DNSSEC. I wanted to use cloudflare because of their speed.

[p1n0ck10]

i have updated the tutorial...

The different  between Cloudflare and Quad9 is that Cloudflare use QNAME Minimisation and Quad9 not and Quad9 is slower. Results on https://cmdns.dev.dns-oarc.net/

Cloudflare:
(see Attachment: Cloudflare_DNS-Results.png)
https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7441;image

Quad9:
(see Attachment: Quad9_DNS-Results.png)
https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7443;image

[p1n0ck10]

@mimugmail:
i have tried to configure the exceptions under Services/DNSCrypt-Proxy/Configuration/Forwarders
but it don't work. In my opinion this would be the right place? Have you any ideas?

[mimugmail]

Sorry, can't follow. What exactly do you want to achieve.

[p1n0ck10]

Sorry, can't follow. What exactly do you want to achieve.

If you use Cloudflare in the Server List you can't access the Domains postbank.com and postbank.de. My idea was to redirect the DNS query to another Server (example Quad9). If i use this on Unbound DNS it works. If i configure this in the DNSCrypt-Proxy under Forwarders it don't work.

[vip-123]

Old - Post but was reading up on the "Server List" if you want to manually use known servers like "cloudflare"

Noticed that when I add 1.1.1.1 / 1.1.1.1:53 it fails with something like no servers found.

the list does seem to work when typing cloudflare lower case then it saves and works.

SNI Still not encrypted but still a vast improvement for my testing.

- The sites not loading issue.
(figure off topic but might as well attempt to explain what I'm guess Issue is in this particular Case)

That I found is the firewall on the remote site blocking origination countries / geo IPs
I do this to on many firewalls like meraki and others.

trick is some sites are pulling css / fonts and other items from IPs that are not located in referenced IPs by Geo and if your rule is set to something like only allow these counties and deny all other traffic.  then you get the above kind of issue.

basically the bank is blocking certain countries from access.
you might be in .de however your request when using CF is routed through another country like (example) spain/france/etc for speed / backbone performance - then that might be a blocked inbound ..

the firewall for the bank is blocking inbound from either CF proxy due to too many hits from their proxy IP (which is common for a webserver that doesn't understand to strip back to the originators actual IP)

(/figure off topic but might as well attempt to explain what I'm guess Issue is in this particular Case)

[dpshak]

HELP!?!

I've googled around, hunted high and low, and STILL haven't found an answer...I'm not sure that this is the right forum for this question, BUT it concerns the topic of what I'm trying to do.  If I'm in the wrong place, feel free to move me!

First off, I'm new to both OPNSense and *BSD.  I found my way here via the 'Security Now' podcast.  Steve Gibson mentioned pfSense in a recent podcast; he was talking about his SG1100 router equipped with pfSense and also mentioned that pfSense could be installed on a router or spare PC - the spare PC caught my attention!    After investigating, I ruled out pfSense because the machine that I intended to use is an OLD, Intel P4 system - pfSense seems to have deprecated support for 32bit machines.  After more googling, I discovered that OPNSense was another fork of the old mOnOwall firewall AND it still supports 32bit machines. 

The reason that 'spare PC' caught my attention: I started dual booting WindowsXP and Gentoo Linux back in the early 2000s.  When XP hit its' expiration date, I moved completely over to Gentoo Linux.  That old P4 has been gathering dust and I decided I wanted to turn it into a firewall/router box.  I had the router side working, more or less, when other things came up.  So I never finished it.  When I discovered OPNSense, and realized it did EVERYTHING that I wanted, out-of-the-box, I decided to have at it.

So; 3 weeks later, after much fiddling (and googling) around, I have a working system!  Getting my primary and secondary wireless network up and running was a P.I.T.A!!!  (I have a Netgear WNR3500 and a Linksys WRT-54G, both running DD-WRT variants, that provide my primary and secondary WiFi networks.)  So, that brings me to my question...

I want to use DNSCrypt-Proxy on my OPNSense box.  EVERYTHING I've found says: go to System->Firmware->Plugins and install DNSCrypt-Proxy.  It DOES NOT exist on my box!!!  I tried changing 'repository' locations and updating, but NO DNSCrypt-Proxy in 'Plugins'!  Eventually, after reading through these forums, I found a post that helped me bring 'ports' into that box.  In turn, I was able to intall DNSCrypt-Proxy2.  HOWEVER, that's all CLI stuff.  It's installed as a 'package' on my machine and doesn't show up in the 'Services' menu.  Being a Gentoo Linux user, I'm not adverse to fiddling around with config files but, as the OP said, I REALLY don't want to mix config file setup with GUI configurations...  So, the question is: why is this NOT showing up as a plugin in System->Firmware->Plugins and, where can I go to make this happen?  If I CAN'T make this happen, is there a preferred 'how-to tutorial' site that I can go to, to configure this manually?

This is what's in the box:

Code: [Select]

OPNsense 19.7.4_1-i386
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019and the initial install was: OPNsense-19.7-OpenSSL-vga-i386.img (downloaded form OPNSense website), installed on a bootable USB drive.

TIA!!!   

[mimugmail]

Dnscrypt depends on Go language and Go is not compatible to i386 Sorry Dude ...