HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

Started by p1n0ck10, December 13, 2018, 10:14:12 PM

It's compatible, but we keep the i386 version light so that it keeps building faster. Please also note that OPNsense 20.1 (January 2020) will remove i386 altogether as planned a long time ago.


Cheers,
Franco

Quote from: mimugmail on September 23, 2019, 08:14:48 PM
Dnscrypt depends on Go language and Go is not compatible to i386 :( Sorry Dude ...

Quote from: franco on September 24, 2019, 07:26:48 AM
It's compatible, but we keep the i386 version light so that it keeps building faster. Please also note that OPNsense 20.1 (January 2020) will remove i386 altogether as planned a long time ago.

Cheers,
Franco


Well then... I guess that's a good excuse to upgrade the motherboard! ;D The board in that machine IS about 15 years old!

In the meantime: I have a FreeBSD 13.0-CURRENT install running in VirtualBox so I can get some education on *BSD. If I understand the *BSD system correctly, this would be the equivalent of the 'testing' branch in Linux.

I learn best by doing, which is why I chose Gentoo when I converted to Linux. To this day, I run '~AMD64' (testing branch) on MY machine. Periodically I run into problems, but fixing those problems is the best way, IMHO, to learn more about the system! So, by installing a 'testing' branch, I will learn more about how *BSD works! :)

Thanks franco, and mimugmail, for your responses!  :)

When you install 13 you won't get any binary updates; it's usually only for testing the current state (correct me if I'm wrong, Franco). You should install 12.0, there are not many features and it's way better supported.

It's not like with Linux, where you have bleeding-edge Wi-Fi or graphics adapters when running 13 :)

For some odd reason the guide doesn't work for me. After activating the plugin, URLs are no longer resolved. I'm on the latest version of OPN and have two WAN interfaces. There are rules on the LAN interface to allow packets going to ports 53 and 5353 on the firewall itself. Any ideas?


I'm trying to switch to DoH; right now I'm using DoT via unbound.

Are you using unbound and dnscrypt for DoH? Or just using dnscrypt standalone?

When using unbound and dnscrypt as per the instructions in the first post (but unchecking DNSSEC in unbound) it works fine. However, when trying to use dnscrypt as standalone DNS listening on port 53, it also doesn't work. To be more specific, it works for a bit and then nothing resolves. I'm not sure why.

I tried both, neither works.
Thanks for the hint regarding unchecking DNSSEC in unbound! However, it still won't resolve any addresses :( Either I'm missing something or there are issues when using multi-WAN (fallback, not load balancing).
My settings are in the attachment in case anyone is kind enough to check (I re-activated DNSSEC in unbound and uncommented the custom options to reactivate DoT for now) :)

Outgoing interface WAN doesn't make sense when it forwards to dnscrypt on localhost? Do you have IPv6 on WAN?

I have two VLANs, one each per ISP. WAN uses IPv4+6 and WAN_elem IPv4.

You were right, the outgoing interface had to be changed to reach DNSCrypt at localhost. It's pretty obvious if you think about it, yet I completely missed it :P Thank you!


I've set up everything in this guide. It's worked great and appears to be doing its job. I've selected only Cloudflare for my DNSCrypt provider. However, when I go to Cloudflare's help page it shows me that I'm not connected and DNS over HTTPS isn't working. I was wondering if you might know why?

I use the 1.1.1.1 test page: https://1.1.1.1/help/

Can you check the logs after dnscrypt-proxy restart if there is something interesting?

Unbound settings:
Network interfaces: All local ones
Check DNSSEC Support
Check DHCP Registration
Check DHCP Static Mappings
Local Zone Type: Transparent
Outgoing Network Interfaces: All local ones
- Note I had this set to WAN when I was using pfSense but it doesn't work for me here

do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
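The thread's two pitfalls with this setup are forwarding to a localhost listener while unbound's do-not-query-localhost is still at its default (yes), and binding the outgoing interface to WAN, which the reply below found breaks the hop to dnscrypt-proxy. The following is an added Python check, not code from the guide or from OPNsense; it assumes the GUI's "Outgoing Network Interfaces" choice is rendered as unbound's outgoing-interface option, and the WAN address in it is a constructed sample.

```python
import ipaddress
import re

# Constructed sample: the custom options from this post, plus the options OPNsense
# is assumed to write when DNSSEC is on and the outgoing interface is set to WAN.
BROKEN_CONF = """\
server:
    outgoing-interface: 203.0.113.10
    do-not-query-localhost: yes
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
"""

# Same forwarder, outgoing interface left at "All local ones", localhost allowed.
FIXED_CONF = """\
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
"""

def parse_unbound(text):
    """Collect option values per clause (server:, forward-zone:) as lists."""
    clauses, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if value == "" and key in ("server", "forward-zone", "stub-zone"):
            current = clauses.setdefault(key, {}) and key or key
            clauses.setdefault(key, {})
            continue
        if current is not None:
            clauses[current].setdefault(key, []).append(value)
    return clauses

def is_loopback(addr_spec):
    """forward-addr / outgoing-interface values may carry an @port suffix."""
    return ipaddress.ip_address(addr_spec.split("@", 1)[0]).is_loopback

def lint(text):
    """Return findings for a localhost forwarder; an empty list means consistent."""
    clauses = parse_unbound(text)
    server, fz = clauses.get("server", {}), clauses.get("forward-zone", {})
    findings = []
    if not any(is_loopback(a) for a in fz.get("forward-addr", [])):
        return findings
    if server.get("do-not-query-localhost", ["yes"])[-1].lower() != "no":
        findings.append("forward-addr is localhost but do-not-query-localhost is not 'no'")
    out = server.get("outgoing-interface", [])
    if out and not any(is_loopback(o) for o in out):
        findings.append("outgoing-interface %s has no loopback address; localhost forwarder unreachable" % ", ".join(out))
    return findings
```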


Quote from: mimugmail on December 08, 2019, 09:46:14 AM
Can you check the logs after dnscrypt-proxy restart if there is something interesting?

Nothing that I could see:


[2019-12-08 08:53:59] [NOTICE] dnscrypt-proxy is ready - live servers: 1
[2019-12-08 08:53:59] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 3ms)
[2019-12-08 08:53:59] [NOTICE] [cloudflare] OK (DoH) - rtt: 3ms
[2019-12-08 08:53:59] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2019-12-08 08:53:59] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2019-12-08 08:53:59] [NOTICE] Loading the set of forwarding rules from [forwarding-rules.txt]
[2019-12-08 08:53:59] [NOTICE] Loading the set of cloaking rules from [cloaking-rules.txt]
[2019-12-08 08:53:57] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-12-08 08:53:57] [NOTICE] Firefox workaround initialized
[2019-12-08 08:53:57] [NOTICE] Loading the set of whitelisting rules from [whitelist.txt]
[2019-12-08 08:53:57] [NOTICE] Source [public-resolvers.md] loaded
[2019-12-08 08:53:57] [NOTICE] Network connectivity detected
[2019-12-08 08:53:57] [NOTICE] dnscrypt-proxy 2.0.31
[2019-12-08 08:23:19] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 4ms)


When I visit https://1.1.1.1/help in Firefox (note: I have uBlock Origin installed), I get the same message about DoH not working; the same from Edge, too.

