
OPNSENSE DNS OVER TLS UPDATED NOW ! DEAD SIMPLE


directnupe:
Dear Serius,
I really am confused by your feedback / comments. All I can say is that literally thousands have followed this and related tutorials I have posted about DNS OVER TLS. Please provide more specific information regarding your setup. Honestly, this method should and will work if you follow the steps exactly as stated. Give it a fresh start, and if you have any further questions / issues - get back to me and I will do my best to assist you.
Peace,
directnupe


Dear krdk,
Hello and I hope that you are well. First off, you must configure and fine-tune UNBOUND RESOLVER for your particular CPU, memory and so on in order to get the best results for DNS resolution. I have a Dell Optiplex 7010 Intel(R) Core(TM) i5-3470S CPU @ 2.90GHz (4 cores) with 8G of RAM on which I run OPNsense. Here are the full Custom options I use for UNBOUND (you must adjust this for your hardware; see https://nlnetlabs.nl/documentation/unbound/howto-optimise/ ). Here are the Custom options:

tls-cert-bundle: "/etc/ssl/cert.pem"   # only used when Unbound itself speaks TLS upstream; here Stubby does the TLS
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-large-queries: yes
harden-short-bufsize: yes
harden-algo-downgrade: yes
num-threads: 4                 # one thread per core on this 4-core i5-3470S
interface-automatic: yes
msg-cache-slabs: 8             # slabs are a plain power-of-two count, not a size; no "m" suffix
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
rrset-cache-size: 256m
msg-cache-size: 128m
so-rcvbuf: 1m
unwanted-reply-threshold: 10000000
val-clean-additional: yes
use-caps-for-id: no
do-ip6: no
do-ip4: yes
do-tcp: yes
do-udp: yes
minimal-responses: yes
aggressive-nsec: yes
prefetch: yes
prefetch-key: yes
qname-minimisation: yes
qname-minimisation-strict: yes
rrset-roundrobin: yes
target-fetch-policy: "0 0 0 0 0"
max-udp-size: 3072
harden-below-nxdomain: yes
ip-ratelimit: 300
ip-ratelimit-factor: 10
incoming-num-tcp: 100
edns-buffer-size: 1472
outgoing-range: 8192

server:
do-not-query-localhost: no     # required; by default Unbound refuses to send queries to 127.0.0.1
forward-zone:
 name: "."    # forward all DNS queries
 forward-addr: 127.0.0.1@8069  # must match the port in listen_addresses of stubby.yml

Now, remember this is tailored and set up for my particular machine. As for the stubby.yml file, you can use these if you are in the US:

upstream_recursive_servers:
# IPV4 Servers
### DNS Privacy Test Servers ###
#The dns.cmrg.net DNS TLS Server  A+ - CANADA
  - address_data: 199.58.81.218
    tls_auth_name: "dns.cmrg.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
#The dns-nyc.aaflalo.me DNS TLS Server     A+ - USA
  - address_data: 168.235.81.167
    tls_auth_name: "dns-nyc.aaflalo.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: KqzeDRgYePfKuZrKttwXM8I2Ej4kD6Sayh0kp4NWaJw=
### Anycast DNS Privacy Public Resolvers ###
#The security-filter-dns.cleanbrowsing.org  DNS TLS Server # 1     A+
  - address_data: 185.228.168.9
    tls_auth_name: "security-filter-dns.cleanbrowsing.org"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: rb2O6hMTZZ/go/vOqyVLY2lATD9DkD6+BkKfJwYYMFw=
#The DNS Warden DNS TLS Secondary Server   A+
  - address_data: 116.203.35.255
    tls_auth_name: "dot2.dnswarden.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0=
## The DNS.SB DNS TLS Primary Server   A+
  - address_data: 185.222.222.222
    tls_auth_name: "dns.sb"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
## The DNS.SB DNS TLS Secondary Server   A+
  - address_data: 185.184.222.222
    tls_auth_name: "dns.sb"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=

Also, you can and should take advantage of this new DNS OVER TLS provider. You need to sign up; it is a free service, ANYCAST and pretty much cutting edge. ANYCAST speeds up your DNS. Here it is, NextDNS: https://my.nextdns.io/configuration/19474f/setup

Lastly, I am sending four (4) screenshots so you can see how to set up and configure UNBOUND; make sure the port in stubby.yml matches the forward port you use for UNBOUND.

Peace and I am OUT !
directnupe
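The `tls_pubkey_pinset` values in the stubby.yml above are SPKI pins: the base64 of a SHA-256 over the DER-encoded SubjectPublicKeyInfo of the server's certificate, which is what Stubby compares the presented key against. The following is an added example, not code from this post, showing how that value is derived and checked with only the Python standard library. The certificate it parses is constructed inline (structurally valid DER with dummy key and signature bytes) so the example runs offline; for a real DoT server you would pass the PEM returned by `ssl.get_server_certificate((host, 853))` to `pin_from_pem()` and compare the result with the pin in your stubby.yml.

```python
"""Added example (not from the forum post): derive and check a Stubby
tls_pubkey_pinset value = base64(SHA-256(DER SubjectPublicKeyInfo)).
Standard library only; the certificate below is constructed for offline use."""
import base64
import hashlib
import ssl
from typing import List, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER bytes of subjectPublicKeyInfo (outer SEQUENCE included).

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    pos = 0
    tag, _, end = _read_tlv(tbs, pos)
    if tag == 0xA0:                        # explicit [0] version, present in v3 certs
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    start = pos
    tag, _, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return tbs[start:end]


def pin_from_spki(spki_der: bytes) -> str:
    """The tls_pubkey_pinset 'value' for a given SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der: bytes) -> str:
    return pin_from_spki(extract_spki(cert_der))


def pin_from_pem(cert_pem: str) -> str:
    """Same, for the PEM string that ssl.get_server_certificate() returns."""
    return spki_pin(ssl.PEM_cert_to_DER_cert(cert_pem))


def verify_pin(cert_der: bytes, pinset: List[str]) -> bool:
    """What Stubby does with tls_pubkey_pinset: the presented key must match one pin."""
    return spki_pin(cert_der) in pinset


# --- constructed sample certificate (placeholder key, dummy signature) ----------------
def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, enough for bodies under 65536 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


_RSA_OID = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption
_SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSA


def sample_spki() -> bytes:
    """SubjectPublicKeyInfo with a placeholder 64-byte key BIT STRING (constructed)."""
    alg = _tlv(0x30, _tlv(0x06, _RSA_OID) + _tlv(0x05, b""))
    key = _tlv(0x03, b"\x00" + b"\x42" * 64)            # 0 unused bits + dummy key bytes
    return _tlv(0x30, alg + key)


def sample_certificate() -> bytes:
    """A v3-shaped certificate wrapping sample_spki(); not signed by anything real."""
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                     # [0] version = v3
               + _tlv(0x02, b"\x01")                                # serialNumber
               + _tlv(0x30, _tlv(0x06, _SHA256_RSA_OID))            # signature algorithm
               + _tlv(0x30, b"")                                    # issuer (empty Name)
               + _tlv(0x30, _tlv(0x17, b"200101000000Z")
                            + _tlv(0x17, b"300101000000Z"))         # validity
               + _tlv(0x30, b"")                                    # subject (empty Name)
               + sample_spki())
    return _tlv(0x30, tbs
                + _tlv(0x30, _tlv(0x06, _SHA256_RSA_OID))
                + _tlv(0x03, b"\x00" * 17))                         # dummy signatureValue


def sample_certificate_pem() -> str:
    return ssl.DER_cert_to_PEM_cert(sample_certificate())


if __name__ == "__main__":
    cert = sample_certificate()
    print("tls_pubkey_pinset value:", spki_pin(cert))
    print("matches own pin:", verify_pin(cert, [spki_pin(cert)]))
```

Because the pin covers only the public key, it survives certificate renewals with the same key but breaks the moment a provider rotates its key; Stubby will then refuse that upstream, which is why the pins in a stubby.yml need to be re-derived from time to time.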

spetrillo:
Have you moved the custom options section into the miscellaneous section when you add the plugin for Unbound support of TLS? Second is there a document available for those of us that do not want to use Stubby?

Bard:
This is a great writeup, and I'm really wanting to implement this. I'm a full n00b with opnsense so bear with me. I'm currently running unbound/bind. I really like the filtering options in bind, e.g. force safe search etc. etc. with kids in the house. That being said, it seems that if I want to use this method of DNS over TLS or something like DNSCrypt, I have to give up the filtering of bind? Is there a way to keep it all?

Ochimo:
I have tried this a number of times. Each time I set up 127.0.0.1 in both the custom settings and the DNS servers as my only DNS, I lose the ability to communicate. If I undo the 127.0.0.1 in the unbound custom settings and set the DNS to cloudflare, I regain access. I figure I must be doing something wrong. Can anyone suggest anything?

transmissionend:
Hello lovely Opnsense forum,

I know this post is a little bit old, but I would like to post the current configuration.


# install

--- Code: ---pkg install getdns

--- End code ---
# if you already use DNSSEC, there is no need to run the command below to initialise the trust anchor for unbound, since it already exists
# if you don't use it today, run the following command:

--- Code: ---su -m unbound -c /usr/local/sbin/unbound-anchor

--- End code ---
# configure stubby to run - from NO to YES

--- Code: ---nano /usr/local/etc/rc.d/stubby

--- End code ---

--- Code: ---: ${stubby_enable="YES"}

--- End code ---

## write config
# I use the preconfigured config
# first, it contains explanatory comments for almost all options.
# second, these options come with mostly useful preconfigured strings / variables

--- Code: ---nano /usr/local/etc/stubby/stubby.yml

--- End code ---
# add / rewrite the following options:

--- Code: ---# dnssec_return_status: GETDNS_EXTENSION_TRUE
# the stubby docs don't know this option (older versions?)
# the current option is this:

dnssec: GETDNS_EXTENSION_TRUE # remove #

listen_addresses:
  - 127.0.0.1@8053 # add a specific port
  #-  0::1 # important!: if you don't use ipv6 -> comment out;
  # if you use ipv6 then set the right port, for example: "- 0::1@8053"
  # otherwise unbound can't start, because without a port stubby uses the same port, 53,
  # and stubby starts faster than unbound after a reboot

# tls_ca_path: "/usr/local/share/certs/ca-root-nss.crt"
tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt" # add this line

# use the listed upstream servers randomly
# instead of sequentially
round_robin_upstreams: 1 # add this line

# add the right path: this must be the trust anchor file that unbound-anchor writes
# (root.key), not the unbound-anchor binary itself; /usr/local/etc/unbound/root.key is
# the FreeBSD package default and an assumption here, so check where yours was written
dnssec_trust_anchors: "/usr/local/etc/unbound/root.key"

tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" # remove #
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" # remove #; be aware: use it only with OpenSSL, not with LibreSSL -> see supplement
tls_min_version: GETDNS_TLS1_2 # remove #


--- End code ---

You can use the test servers in the yml file, but I have added almost all servers from the post below.

# now two methods to  verify QNAME minimisation
drill txt qnamemintest.internet.nl
# or
dig txt qnamemintest.internet.nl +short
# The results in any of these scenarios will show either:
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
# or
"NO - QNAME minimisation is NOT enabled on your resolver :(."
# Reference from the post below:

--- Quote ---https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4
# You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration.
    # Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default.
    # However, I still add these settings manually.
    # These settings are entered under Unbound " Custom Options":
    qname-minimisation: yes
    qname-minimisation-strict: yes
    harden-below-nxdomain: yes

--- End quote ---
I didn't find these three variables in the standard config in /var/unbound/* and the unbound documentation is not really informative =) :
https://unbound.readthedocs.io/en/latest/topics/privacy/qname-minimisation.html
That is why I added them to the unbound config as well (GUI).
After upgrading to 21.1, unbound won't start with these three options (if unbound doesn't start, you can check the config with
--- Code: ---unbound-checkconf /var/unbound/unbound.conf
--- End code ---
), so I removed them and tested the command below again:


--- Code: ---
dig txt qnamemintest.internet.nl +short

--- End code ---

...you should see the HOORAY again =)

After you save the config in the GUI, you can find it in

--- Code: ---
nano /var/unbound/unbound.conf

--- End code ---

# set a start script to run the stubby script (/usr/local/etc/rc.d/stubby) after boot

--- Code: ---nano /etc/rc.conf.d/stubby

--- End code ---


--- Code: ---stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby"

--- End code ---

# Save and exit , then make the file executable

--- Code: ---chmod 755 /etc/rc.conf.d/stubby

--- End code ---
# I don't know why directnupe set the permissions with chmod to 744 and then set them with a+x to 755???
# Anyway, thanks to directnupe for the introduction!

# Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS

"UNBOUND" "GENERAL SETTINGS"
"Network Interfaces" =  Select ALL !

# Under Custom options enter the following below the three Qname variables:

--- Code: ---server:
do-not-query-localhost: no
forward-zone:
 name: "."    # Allow all DNS queries
 forward-addr: 127.0.0.1@8053

--- End code ---

# set

"Outgoing Network Interfaces" = Select ALL !

# Make sure the box for "DNS Query Forwarding" is unchecked
# Save and Apply Settings
# Next go to

"System" > "Settings"  > "General Settings"

# and set the first DNS Server to

127.0.0.1

# with

"no gateway"

# selected

# Make sure that DNS server option

"Allow DNS server list to be overridden by DHCP/PPP on WAN"

# is unchecked
# and DNS server option

"Do not use the DNS Forwarder/Resolver as a DNS server for the firewall"

# is unchecked also
# save all

# log in via ssh and check that stubby works
# run:


--- Code: ---stubby -l

--- End code ---

# go to the GUI under
"DNS check"
# and look up the IP of a website
# after this, go to the ssh terminal and check the logs (stubby -l)
# if everything is fine (IP and logs), then restart OPNsense and enjoy
# note: it is a good idea to check the DoT DNS servers in stubby.yml every half year

Afterwards, it is a good idea to check these boxes in Unbound:
hide-identity and hide-version.

So I hope this post triggers you to run DoT with verification, and not only unbound using DoT without verification.

kind regards

transmissionend


supplement / usecase LibreSSL:

1. At the moment, you can't use LibreSSL with "tls_ciphersuites". This option isn't working.
If you use the option, stubby can't resolve any DNS query. You get the message: "This LibreSSL version does not support configurating cipher suites"

2. When you move from OpenSSL to LibreSSL, you have to enable stubby again: "/usr/local/etc/rc.d/stubby"
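The procedure above chains Unbound to Stubby over a loopback port, and the failure modes the thread mentions all come from the two config texts disagreeing: Stubby listening without an explicit port (it then takes port 53 before Unbound starts), Unbound forwarding to a port Stubby does not listen on (directnupe's snippet uses 8069, this post uses 8053), and `do-not-query-localhost` left at its default of `yes`, in which case Unbound refuses to query 127.0.0.1 at all. The following is an added example, not part of this post or of OPNsense, that checks the two snippets for those mismatches offline. The sample configs embedded in it are constructed to mirror the snippets in the thread.

```python
"""Added example (not from the forum post): check the Unbound -> Stubby forwarding
chain for the mismatches this thread runs into, from the two config texts alone."""
import re
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]


def stubby_listen_ports(yml: str) -> List[Endpoint]:
    """(address, port) for every active listen_addresses entry; port 53 if none given."""
    found: List[Endpoint] = []
    in_block = False
    for raw in yml.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # commented-out entries do not count
        if not line.strip():
            continue
        if line.startswith("listen_addresses:"):
            in_block = True
            continue
        if in_block and not line.startswith((" ", "\t", "-")):
            in_block = False                      # next top-level key ends the list
        if in_block:
            m = re.match(r"^\s*-\s*([0-9A-Fa-f.:]+?)(?:@(\d+))?$", line)
            if m:
                found.append((m.group(1), int(m.group(2) or 53)))
    return found


def unbound_forward_addrs(conf: str) -> List[Endpoint]:
    """(address, port) for each forward-addr line in the Unbound custom options."""
    pat = re.compile(r"^\s*forward-addr:\s*([0-9A-Fa-f.:]+?)(?:@(\d+))?\s*(?:#.*)?$", re.M)
    return [(m.group(1), int(m.group(2) or 53)) for m in pat.finditer(conf)]


def unbound_option(conf: str, key: str) -> Optional[str]:
    """Value of a 'key: value' line in the Unbound options, or None if absent."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(\S+)", conf, re.M)
    return m.group(1) if m else None


def check_chain(stubby_yml: str, unbound_conf: str) -> List[str]:
    """Return a list of problems; an empty list means the chain is consistent."""
    problems: List[str] = []
    listens = stubby_listen_ports(stubby_yml)
    for addr, port in listens:
        if port == 53:
            problems.append(f"stubby listens on {addr} without @port, so it takes port 53 "
                            "at boot and Unbound cannot bind")
    forwards = unbound_forward_addrs(unbound_conf)
    if not forwards:
        problems.append("no forward-addr in the Unbound custom options")
    for addr, port in forwards:
        if (addr, port) not in listens:
            problems.append(f"Unbound forwards to {addr}@{port} but stubby does not listen there")
    if unbound_option(unbound_conf, "do-not-query-localhost") != "no":
        problems.append("do-not-query-localhost: no is missing; Unbound will not query 127.0.0.1")
    return problems


# --- constructed samples mirroring the thread's snippets ------------------------------
STUBBY_OK = """\
dnssec: GETDNS_EXTENSION_TRUE
listen_addresses:
  - 127.0.0.1@8053
  #-  0::1@8053
tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt"
upstream_recursive_servers:
  - address_data: 185.222.222.222
    tls_auth_name: "dns.sb"
    tls_port: 853
"""

UNBOUND_OK = """\
server:
do-not-query-localhost: no
forward-zone:
 name: "."    # forward all DNS queries
 forward-addr: 127.0.0.1@8053
"""

STUBBY_NO_PORT = STUBBY_OK.replace("127.0.0.1@8053", "127.0.0.1")   # stubby grabs :53

UNBOUND_OTHER_PORT = """\
server:
forward-zone:
 name: "."
 forward-addr: 127.0.0.1@8069
"""


if __name__ == "__main__":
    for name, (s, u) in {"ok": (STUBBY_OK, UNBOUND_OK),
                         "broken": (STUBBY_NO_PORT, UNBOUND_OTHER_PORT)}.items():
        print(name, check_chain(s, u) or ["no problems found"])
```

On the firewall itself you would read the two inputs from /usr/local/etc/stubby/stubby.yml and /var/unbound/unbound.conf (the file the GUI writes, as noted above) instead of the embedded samples; `unbound-checkconf` still has to be run separately, since this check only looks at the forwarding chain, not at Unbound's syntax.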
