HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

Started by p1n0ck10, December 13, 2018, 10:14:12 PM

Quote from: mimugmail on December 08, 2019, 11:31:18 AM
Can you check with tcpdump on WAN if you see DNS traffic on 53 or just 443.

Ya, I did that earlier, nothing on 53, although I also have a firewall rule blocking it for external networks and only allowing it for internal.


tcpdump -ni ix0 port 53
listening on ix0
0 packets captured
130285 packets received by filter
0 packets dropped by kernel

tcpdump -ni ix0 port 443
listening on ix0
3109 packets captured
2318077 packets received by filter
0 packets dropped by kernel

...
11:00:31.179125 IP 1.0.0.1:443 > WAN_IP:17505: flags [.] ack 18163, win 63, length 0
11:00:31.179377 IP 1.0.0.1:443 > WAN_IP:17505: flags [F.] seq 53635, ack 18162, win 63, length 0


tcpdump -ni ix0 host 1.0.0.1 and port 443 - I get a whole bunch more 1.0.0.1:443 traffic.



Quote from: mimugmail on December 08, 2019, 03:28:56 PM
Then it's surely an error at Cloudflare not detecting it as encrypted ...

That's what I'm thinking, I just wanted to check to make sure I didn't have any settings wrong though.

Quote from: sol on December 08, 2019, 04:04:18 PM
are you using pihole by any chance?
I have the same issue.

No, I'm just using the settings from the first post here that use Unbound as a forwarder to DNSCrypt, which then uses DNS over HTTPS to Cloudflare (in my case) to resolve.

Question: Will this setup cause any issues with setting up Dynamic DNS? On the DDNS creation page it says:

Quote: "You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work."

But with this setup both of those are not done.

Quote from: WhosTheBosch on December 08, 2019, 11:05:21 PM
Question: Will this setup cause any issues with setting up Dynamic DNS? On the DDNS creation page it says:

Quote: "You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work."

But with this setup both of those are not done.

At least with Namecheap Dynamic DNS this works.

I found the original instructions helpful. The server list is what I was stuck on the most. I didn't realize you had to enter the name of the server rather than the IP address. It makes sense because there are sometimes multiple options per DNS server (like Quad9).

One gotcha I would like to mention in case someone finds it useful. I am running the MDNS Repeater service (so that I can make use of certain services across VLANs like being able to autodiscover and access my printer/scanner across VLANs). This service runs on port 5353 which is the default value for the dnscrypt-proxy plugin. The dnscrypt-proxy service would not start unless I changed the port to something else. Once I changed the default port and updated my configuration in the Unbound settings, I was up and running!


A few additions/corrections.

If you use any domain overrides in Unbound, then the provided recipe will result in Unbound failing to (re)start.
The reason is that domain overrides are included in unbound.conf before the "Custom" options, and domain overrides change the section from "server:" to "forward-zone:".
To fix the error in the configuration, you need to add a "server:" line before "do-not-query-localhost: no".

Also, if you are not worried about a few leaked DNS requests, you can use the option "forward-first: yes", so if DNSCrypt-Proxy has failed (or not started yet), Unbound will fall back to normal resolving. This gives you a much more stable but a bit less private configuration.

Also make sure that you did not set any specific "Outgoing Network Interfaces", otherwise Unbound will fail to connect to loopback addresses.

My resulting "Custom options" for Unbound:
server:
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
    forward-first: yes
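To show why the "server:" line matters, here is an added example (not code from this thread or from OPNsense) that models how unbound.conf is assembled from the server clause, the domain overrides and the custom options, then flags any option that ends up in a clause where Unbound does not accept it. The assembly order and the override zone "corp.example" are assumptions made for the demonstration.

```python
from typing import List, Tuple

# Subset of options Unbound accepts in each clause; enough for this demonstration.
ALLOWED = {
    "server": {"do-not-query-localhost", "verbosity", "interface"},
    "forward-zone": {"name", "forward-addr", "forward-first"},
}

def parse_clauses(conf: str) -> List[Tuple[str, List[str]]]:
    """Return (clause, [option keys]) in file order. A line that is just
    'name:' opens a clause; every following 'key: value' line belongs to it."""
    clauses: List[Tuple[str, List[str]]] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith(":"):
            clauses.append((line[:-1], []))
        elif not clauses:
            raise ValueError(f"option outside any clause: {line}")
        else:
            clauses[-1][1].append(line.split(":", 1)[0])
    return clauses

def misplaced_options(conf: str) -> List[Tuple[str, str]]:
    """(clause, option) pairs that Unbound would reject when (re)starting."""
    return [(c, k) for c, keys in parse_clauses(conf)
            for k in keys if k not in ALLOWED.get(c, set())]

def build_conf(domain_overrides: List[Tuple[str, str]], custom: str) -> str:
    """Simplified model (an assumption, not OPNsense's real template) of how
    unbound.conf is assembled: a server: clause, then one forward-zone: per
    domain override, then the 'Custom options' text appended verbatim."""
    out = "server:\n    verbosity: 1\n"
    for name, addr in domain_overrides:
        out += f'forward-zone:\n    name: "{name}"\n    forward-addr: {addr}\n'
    return out + custom

# The recipe as originally posted (no leading "server:") ...
CUSTOM_ORIGINAL = (
    "do-not-query-localhost: no\n"
    'forward-zone:\n    name: "."\n    forward-addr: 127.0.0.1@5353\n'
)
# ... and the corrected version with "server:" in front.
CUSTOM_FIXED = "server:\n    " + CUSTOM_ORIGINAL

# Constructed domain override, e.g. an internal zone sent to a LAN resolver.
OVERRIDES = [("corp.example", "10.0.0.53")]
```

With an override present, the original custom options put do-not-query-localhost inside the override's forward-zone clause; with "server:" prepended, or with no override at all, nothing is misplaced.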

Thanks for the additional information. I had no problems over 1 year with this config, and OPNsense also has this in its official documentation, see:
https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html?

Quote
domain overrides change the section from "server:" to "forward-zone:".
To fix the error in the configuration, you need to add a "server:" line before "do-not-query-localhost: no".
I have 1 override in Unbound and all works fine. But people who have problems can try to write "server:" at the beginning of "custom options". This already exists in unbound.conf.

Quote
Also, if you are not worried about a few leaked DNS requests, you can use the option "forward-first: yes", so if DNSCrypt-Proxy has failed (or not started yet), Unbound will fall back to normal resolving. This gives you a much more stable but a bit less private configuration.
If DNSCrypt does not start, I want to know that. For me it is not an option that Unbound uses a fallback resolver or forwards DNS queries to the system's DNS. Maybe you don't know that encrypted DNS has failed for weeks. DNSCrypt has a fallback resolver.

Quote
Also make sure that you did not set any specific "Outgoing Network Interfaces", otherwise Unbound will fail to connect to loopback addresses.
In the past I chose "localhost" as the Outgoing Network Interface because I had the assurance that traffic goes to DNSCrypt, but this has been removed since OPNsense 19. Now you must choose "All".

Kind Regards

The GeoIP with aliases addition to OPNsense came at a good time. According to ipleak.net mine was using a dnscrypt server in China. Seems like a bad idea. I had no idea dnscrypt-proxy servers in cn were added to the official list.

Quote from: cake on January 17, 2020, 10:06:46 PM
The GeoIP with aliases addition to OPNsense came at a good time. According to ipleak.net mine was using a dnscrypt server in China. Seems like a bad idea. I had no idea dnscrypt-proxy servers in cn were added to the official list.

That's why you can use your trusted and favorite servers in the "Server List" ;-)


Quote from: p1n0ck10 on January 15, 2020, 10:14:20 PM
Thanks for the additional information. I had no problems over 1 year with this config, and OPNsense also has this in its official documentation, see:
https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html?
Official documentation also needs to be fixed.

Quote from: p1n0ck10 on January 15, 2020, 10:14:20 PM

Quote
domain overrides change the section from "server:" to "forward-zone:".
To fix the error in the configuration, you need to add a "server:" line before "do-not-query-localhost: no".
I have 1 override in Unbound and all works fine. But people who have problems can try to write "server:" at the beginning of "custom options". This already exists in unbound.conf.

This will work if you have a host override. But any single domain override will break it.

On the other hand, even if you don't have any overrides, the line "server:" will not harm anything.

So the safe and future-proof solution is to add "server:". In this case the configuration will not break after future changes, which can include domain overrides.

Quote from: p1n0ck10 on January 15, 2020, 10:14:20 PM
Quote
Also make sure that you did not set any specific "Outgoing Network Interfaces", otherwise Unbound will fail to connect to loopback addresses.
In the past I chose "localhost" as the Outgoing Network Interface because I had the assurance that traffic goes to DNSCrypt, but this has been removed since OPNsense 19. Now you must choose "All".
Yes, it must be set to "All". Otherwise the configuration will not work.
It is worth mentioning it in your "HOWTO".
I spent some time before I figured out why my configuration didn't work at all.

Quote from: p1n0ck10 on January 18, 2020, 04:29:06 PM
Quote from: cake on January 17, 2020, 10:06:46 PM
The GeoIP with aliases addition to OPNsense came at a good time. According to ipleak.net mine was using a dnscrypt server in China. Seems like a bad idea. I had no idea dnscrypt-proxy servers in cn were added to the official list.

That's why you can use your trusted and favorite servers in the "Server List" ;-)

Thank you, I will now. :-)

Quote
karlson2k:
This will work if you have a host override. But any single domain override will break it.

On the other hand, even if you don't have any overrides, the line "server:" will not harm anything.

So the safe and future-proof solution is to add "server:". In this case the configuration will not break after future changes, which can include domain overrides.

That's correct. I have only 1 host override. I will add this to the tutorial. Thank you for the explanations.

Quote
karlson2k:
Yes, it must be set to "All". Otherwise the configuration will not work.
It is worth mentioning it in your "HOWTO".
I spent some time before I figured out why my configuration didn't work at all.

That's already in the tutorial ;-)