How to use DNS over TLS in 20.7.3

Started by decalpha, September 28, 2020, 01:08:31 PM

Quote from: Layer8 on January 07, 2021, 11:33:31 AM
If I am right, it's enough to just add the TLS-enabled DNS servers to the DNS servers list under

[System] -> [Settings] -> [General]

AND enabling DNSSEC under

[Services] -> [Unbound DNS] -> [General].


I just noticed this, because "Domain signature validation (DNSSEC)" on the following test page turned from red to green after I just enabled DNSSEC: http://conn.internet.nl/connection/

Seems there is no need to enter TLS-enabled Servers under [Services] -> [Unbound DNS] -> [Miscellaneous].

Can one confirm this?

If you verify it, remember that "TTL for Host cache entries"-value under

[Services] -> [Unbound DNS] -> [Advanced]

is 15 min, so set it to 1 min to test it.


Or is it just because my default ISP-Gateway (Vodafone) supports DNSSEC?

Nope, DNS-over-TLS and DNSSEC are completely different things. With DNS-over-TLS you need servers and additional commands as outlined above....
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

January 07, 2021, 12:20:25 PM #16 Last Edit: January 07, 2021, 12:28:25 PM by Layer8
OK, thanks for reply.

So, should I leave DNSSEC disabled when I want to use DNS over TLS?



I added DNS servers to [System] -> [Settings] -> [General]  and disabled "Allow DNS server list to be overridden by DHCP/PPP on WAN" (46.182.19.48 + 185.95.218.42 + 185.95.218.43)

I also enabled DNSSEC and I added DoT servers to [UnBound DNS] -> [Misc] like "46.182.19.48@853 5.9.164.112@853".


How can I verify that DNS over TLS is used as the standard DNS service?

January 07, 2021, 01:52:08 PM #17 Last Edit: January 07, 2021, 01:53:40 PM by chemlud
The config you have now should not work for DNS-over-TLS. Remove the servers from "System" - "Settings" "General" and start over with the complete text for the unbound Custom Options as posted above (but choose your DNS servers wisely)...

You can do a packet capture on WAN port 853; there you can see if DNS-over-TLS is used. The log of unbound is hard to read...

DNSSEC is not provided by many DNS servers, but in theory you could use it in addition to DNS-over-TLS.
kind regards
chemlud

January 07, 2021, 02:48:07 PM #18 Last Edit: January 07, 2021, 02:49:45 PM by bringha
Hi there,

Thank you very much for this information. So far I can get this working now with all kinds of DoT servers with IPv4 addresses.

But as soon as I put an IPv6 address under [UnBound DNS]->[Misc] and restart unbound, my log file gets flooded with


unbound[99672]: [99672:1] debug:    rtt=2494
unbound[99672]: [99672:1] debug: servselect ip4 1.0.0.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: selrtt 275
unbound[99672]: [99672:1] debug: sending to target: <.> 2606:4700:4700::1001#853
--> unbound[99672]: [99672:1] error: outgoing tcp: bind: Can't assign requested address
unbound[99672]: [99672:1] debug:    ip6 2606:4700:4700::1111 port 853 (len 28)
unbound[99672]: [99672:1] debug:    ip4 1.1.1.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)

(see marked line -->)

Any idea how to get this working too?

Thanks a lot

BR br

Do you have ipv6? Does your DNS server support it? Why would you want to use it, if ipv4 works perfectly fine?

"Doc, it hurts so much when I press her!" "Why do you press there?"
kind regards
chemlud

Hmmmm  8)

Yes, I have IPv6 (what sense would it make otherwise to ask for a DoT IPv6 server??). And yes, we are in the course of transitioning towards an IPv6-only setup. And yes, according to the spec of Unbound, DoT should also work over IPv6. The IPv6 DNS server addresses used are valid ones from the DoT providers.

If I followed your logic, we would most likely still use Telex for text messaging. OPNsense's great IPv6 capabilities are one of the main differentiators against many other firewalls around.

Br br

...then good luck with this half-baked protocol ;-)

Maybe better to open a new thread though...
kind regards
chemlud

... and this 'new' topic DoT with IPv6 is already there:

https://forum.opnsense.org/index.php?topic=20670.0

However, the interest was unfortunately not too high  ;)

Br br

January 08, 2021, 04:23:21 PM #23 Last Edit: January 08, 2021, 05:07:59 PM by Layer8
Quote from: chemlud on January 07, 2021, 01:52:08 PM
You can do a packet capture on WAN port 853; there you can see if DNS-over-TLS is used. The log of unbound is hard to read...

DNSSEC is not provided by many DNS servers, but in theory you could use it in addition to DNS-over-TLS.

Good idea!

I captured outgoing WAN traffic to destination port 853 with normal log level. There is not much to read with normal log level, because of the TLS encryption. All you can see is:

1 0.000000 123.123.123.123 5.9.164.112 TLSv1.2 132 Application Data
2 0.017167 5.9.164.112 123.123.123.123 TLSv1.2 386 Application Data
3 0.017193 123.123.123.123 5.9.164.112 TCP 56 22792 → 853 [ACK] Seq=77 Ack=331 Win=507 Len=0 TSval=2814304945 TSecr=256810250
4 0.017292 123.123.123.123 5.9.164.112 TLSv1.2 138 Application Data
5 0.034172 5.9.164.112 123.123.123.123 TLSv1.2 349 Application Data
6 0.034188 123.123.123.123 5.9.164.112 TCP 56 22792 → 853 [ACK] Seq=159 Ack=624 Win=508 Len=0 TSval=2814304965 TSecr=256810267
7 0.034279 123.123.123.123 46.182.19.48 TLSv1.2 143 Application Data
8 0.057196 46.182.19.48 123.123.123.123 TLSv1.2 284 Application Data
9 0.057229 123.123.123.123 46.182.19.48 TCP 56 22086 → 853 [ACK] Seq=88 Ack=229 Win=508 Len=0 TSval=2911856615 TSecr=699134859


You can find a list of some servers for DNS over TLS in the German Wikipedia, which also includes servers from digitalcourage.de and digitale-gesellschaft.ch. Those should be trustful.

I removed all servers from [System] -> [Settings] -> [General] and disabled DNSSEC again.

I will also block port 53 for outgoing WAN traffic for standard DNS queries. This should prevent an unnoticed fallback. Here is the rule:

Block - int WAN - out - IPv4+v6 - TCP - src any - dest WAN net - destport DNS
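As an added example (not from this thread or from OPNsense), here is a small Python check that reads Wireshark-style summary lines such as the capture quoted above and tells you two things the packet list alone makes tedious to see: which upstreams received TLS/853 traffic from the WAN address, and whether any outbound packet went to port 53 or was decoded as plain DNS, which would be the silent fallback the block rule is meant to prevent. Plain DNS is mostly UDP/53 with TCP/53 as fallback, so the check looks at both. The WAN address 123.123.123.123 and the sample lines are constructed; lines 5 and 6 of the sample are deliberate plaintext-DNS packets so the detector has something to flag.

```python
"""Check a WAN capture for DNS over TLS use and for plaintext-DNS fallback.

Added example (not from this thread or from OPNsense). It reads Wireshark-
style summary lines like those quoted above and reports, for packets leaving
the firewall's WAN address:
  * per-upstream counts of TLS / port-853 traffic (DNS over TLS), and
  * any packet to destination port 53 or decoded as DNS, i.e. a resolver
    falling back to unencrypted DNS.
The WAN address and the sample lines below are constructed for the example.
"""
import re
from collections import Counter

WAN_IP = "123.123.123.123"  # placeholder WAN address, as in the quoted capture

# Constructed sample. Lines 1-4 follow the format of the thread's capture
# (No. Time Source Destination Protocol Length Info); lines 5-6 are constructed
# plaintext-DNS packets that a correctly configured firewall must never emit.
SAMPLE_CAPTURE = """\
1 0.000000 123.123.123.123 5.9.164.112 TLSv1.2 132 Application Data
2 0.017167 5.9.164.112 123.123.123.123 TLSv1.2 386 Application Data
3 0.017193 123.123.123.123 5.9.164.112 TCP 56 22792 → 853 [ACK] Seq=77 Ack=331 Win=507 Len=0
4 0.034279 123.123.123.123 46.182.19.48 TLSv1.2 143 Application Data
5 0.101000 123.123.123.123 9.9.9.9 DNS 85 Standard query 0x1a2b A example.com
6 0.102000 123.123.123.123 9.9.9.9 TCP 60 40001 → 53 [SYN] Seq=0 Win=64240 Len=0
"""

# No. Time Source Destination Protocol Length Info
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")
# "22792 → 853" (Wireshark arrow) or "22792 -> 853" (ASCII export)
PORT_RE = re.compile(r"(\d+)\s*(?:→|->)\s*(\d+)")


def parse_line(line):
    """Return a dict for one summary line, or None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    no, _time, src, dst, proto, _length, info = m.groups()
    ports = PORT_RE.search(info)
    sport, dport = (int(ports.group(1)), int(ports.group(2))) if ports else (None, None)
    return {"no": int(no), "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "info": info}


def analyse(capture_text, wan_ip):
    """Split outbound packets into DoT traffic per upstream and plaintext-DNS packets.

    Assumes the TLS rows come from a capture filtered to destination port 853
    (as in the thread): TLS summary rows show no ports, so without that filter
    ordinary HTTPS traffic would be counted as DoT here too.
    """
    dot_upstreams = Counter()
    plaintext = []
    for raw in capture_text.splitlines():
        pkt = parse_line(raw)
        if pkt is None or pkt["src"] != wan_ip:
            continue  # only packets leaving the firewall matter here
        if pkt["dport"] == 853 or pkt["proto"].startswith("TLS"):
            dot_upstreams[pkt["dst"]] += 1
        elif pkt["dport"] == 53 or pkt["proto"] == "DNS":
            plaintext.append(pkt)
    return dot_upstreams, plaintext


def fallback_detected(capture_text, wan_ip=WAN_IP):
    """True if any outbound plaintext DNS was seen in the capture."""
    return bool(analyse(capture_text, wan_ip)[1])


if __name__ == "__main__":
    dot, plain = analyse(SAMPLE_CAPTURE, WAN_IP)
    for upstream, n in dot.items():
        print(f"DoT to {upstream}: {n} packets")
    for pkt in plain:
        print(f"PLAINTEXT DNS: #{pkt['no']} {pkt['src']} -> {pkt['dst']} ({pkt['info']})")
```

To use it on a real capture, export the packet list from Wireshark as plain text (or build the same columns from tcpdump output) and pass it to `analyse()` together with your WAN address; an empty plaintext list after a few minutes of normal browsing is the result you want.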

Hi,
just for my understanding.
If I want to use DoT with unbound I have to insert under Custom Options in the General section the text posted above.
But what is the field DNS over TLS Servers in the Miscellaneous chapter good for? Or is this at the moment just a placeholder for a later update of unbound?

Regards Chris
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

Check this site: https://www.cloudflare.com/en-gb/ssl/encrypted-sni/

I am just doing this with Unbound and I get a positive result on the "Secure DNS" check above;

Remove DNS Servers from System > Settings > General.

Add 1.1.1.1@853 1.0.0.1@853 under Services > Unbound DNS > Miscellaneous

Voilà.

Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

Can I confirm there is currently no way (OPNsense 21.1.4) to specify the hostname for DoT DNS servers with the web gui (Services > Unbound DNS > Miscellaneous > DNS over TLS Servers)?

At the moment I have specified the DoT servers under  Services > Unbound DNS > Custom Options (e.g. 1.1.1.1@853#cloudflare-dns.com).

What is the point of using DoH if you can't specify the hostname to verify the certificate of the DoH server? If your ISP was intercepting DoH traffic for 1.1.1.1 etc, you would have no way to know this.

See this post for full config to do it the manual way: https://forum.opnsense.org/index.php?topic=19345.msg89172#msg89172
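Added example in Python (not OPNsense or Unbound code) covering the `address@port#authname` notation from the posts above, the point that an entry without an auth name leaves the server certificate unmatched against any hostname, and the general shape an Unbound forward-zone for DoT takes (the exact Custom Options text referred to earlier in the thread is not reproduced here). The parser splits on the last `@`, so an IPv6 literal such as `2606:4700:4700::1111@853` from the earlier IPv6 question parses correctly. `dot_query()` sends one A query with RFC 7858 framing through Python's default verifying TLS context and refuses entries that have no auth name; it needs network access, whereas the parser, renderer and response decoder run offline on the constructed `SAMPLE_RESPONSE`. The certificate bundle path `/etc/ssl/cert.pem` and the server list are assumptions.

```python
"""DoT upstream entries: parse, render an Unbound forward-zone, query with cert checks.

Added example, not OPNsense/Unbound code. 'address[@port][#authname]' is split
on the LAST '@' so IPv6 literals work; entries without an auth name are listed
because their certificate is then not matched against any hostname; the DoT
query uses RFC 7858 framing over a verifying TLS context. Server entries, the
CA bundle path and SAMPLE_RESPONSE are assumptions/constructed for this example.
"""
import socket
import ssl
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DotServer:
    address: str
    port: int = 853
    auth_name: Optional[str] = None  # hostname the TLS certificate must match


def parse_dot_server(spec: str) -> DotServer:
    """Parse 'address[@port][#authname]' as used in Unbound's forward-addr."""
    spec = spec.strip()
    auth_name = None
    if "#" in spec:
        spec, name = spec.split("#", 1)
        auth_name = name.strip() or None
    address, port = spec, 853
    if "@" in spec:
        address, port_str = spec.rsplit("@", 1)  # rsplit: IPv6 has colons, not '@'
        port = int(port_str)
    if not address:
        raise ValueError(f"missing address in {spec!r}")
    return DotServer(address, port, auth_name)


def unverified(servers: List[DotServer]) -> List[DotServer]:
    """Entries whose certificate cannot be checked against a hostname."""
    return [s for s in servers if s.auth_name is None]


def unbound_forward_zone(servers: List[DotServer],
                         cert_bundle: str = "/etc/ssl/cert.pem") -> str:
    """Render a forward-zone sending everything over TLS (cert_bundle is an assumed path)."""
    lines = ["server:", f'  tls-cert-bundle: "{cert_bundle}"',
             "forward-zone:", '  name: "."', "  forward-tls-upstream: yes"]
    for s in servers:
        entry = f"{s.address}@{s.port}" + (f"#{s.auth_name}" if s.auth_name else "")
        lines.append(f"  forward-addr: {entry}")
    return "\n".join(lines) + "\n"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (RD set) for qname/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """Return the A record addresses in a response, raising on an error rcode."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


# Constructed reply to build_query("example.com"): one A record 192.0.2.1
# (TEST-NET-1) whose owner name is a compression pointer to the question.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")


def dot_query(server: DotServer, qname: str, timeout: float = 5.0) -> List[str]:
    """Send one A query over TLS to server (needs network access to run)."""
    if server.auth_name is None:
        raise ValueError("refusing DoT without an auth name: certificate unverifiable")
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    with socket.create_connection((server.address, server.port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server.auth_name) as tls:
            query = build_query(qname)
            tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 length prefix
            reader = tls.makefile("rb")
            (rlen,) = struct.unpack("!H", reader.read(2))
            return parse_a_records(reader.read(rlen))


if __name__ == "__main__":
    upstream = parse_dot_server("1.1.1.1@853#cloudflare-dns.com")
    print(unbound_forward_zone([upstream]))
    print(dot_query(upstream, "example.com"))
```

With `create_default_context()` a server that presents a certificate not issued for the auth name, or one that does not chain to the system bundle, fails the handshake rather than answering; that is the check the GUI field in 21.1.4 cannot express when it only accepts `ip@port`.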

Quote from: CloudUser on April 18, 2021, 11:27:28 AM
Can I confirm there is currently no way (OPNsense 21.1.4) to specify the hostname for DoT DNS servers with the web gui (Services > Unbound DNS > Miscellaneous > DNS over TLS Servers)?

Yes, still not supported.

Quote from: CloudUser on April 18, 2021, 11:27:28 AM
At the moment I have specified the DoT servers under  Services > Unbound DNS > Custom Options (e.g. 1.1.1.1@853#cloudflare-dns.com).

Correct, but Unbound custom options will be removed in 21.7.

Also see: https://github.com/opnsense/core/pull/4858
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).


April 19, 2021, 10:14:19 PM #29 Last Edit: April 19, 2021, 11:00:03 PM by Maurice
You mean a source for "custom options will be removed"? Official roadmap: https://opnsense.org/about/road-map/

(It's in the 'planned' stage, so "will probably be removed" would indeed be more accurate.)

<edit>
Hm, the roadmap says "advanced" configuration removal, not "custom". Franco often mentioned that the custom options will eventually be removed (and so does the help text), so I thought that would be it. But now I'm not sure anymore. There is an Unbound "Advanced" configuration page, but why would you remove that? Clarification welcome.
</edit>

<edit2>
"Advanced configuration" and "Custom options" get mixed up on GitHub, too: https://github.com/opnsense/core/issues/4327
So yes, I'm pretty sure the roadmap item is actually about the custom options now getting finally removed.
</edit2>