  • OPNsense Forum »
  • Archive »
  • 20.7 Legacy Series »
  • How to use DNS over TLS in 20.7.3

Author Topic: How to use DNS over TLS in 20.7.3  (Read 13145 times)

chemlud

  • Hero Member
  • *****
  • Posts: 2115
  • Karma: 94
Re: How to use DNS over TLS in 20.7.3
« Reply #15 on: January 07, 2021, 11:45:23 am »
Quote from: Layer8 on January 07, 2021, 11:33:31 am
If I am right, it's enough to just add the TLS-enabled DNS servers to the DNS servers list under

[System] -> [Settings] -> [General]

AND enabling DNSSEC under

[Services] -> [Unbound DNS] -> [General].


I just noticed this, because "Domain signature validation (DNSSEC)" on the following test page turned from red to green after I just enabled DNSSEC: http://conn.internet.nl/connection/

Seems there is no need to enter TLS-enabled Servers under [Services] -> [Unbound DNS] -> [Miscellaneous].

Can one confirm this?

If you verify it, remember that "TTL for Host cache entries"-value under

[Services] -> [Unbound DNS] -> [Advanced]

is 15 min, so set it to 1 min to test it.


Or is it just because my default ISP-Gateway (Vodafone) supports DNSSEC?

Nope, DNS-over-TLS and DNSSEC are completely different things. With DNS-over-TLS you need servers and additional commands as outlined above....
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Layer8

  • Full Member
  • ***
  • Posts: 160
  • Karma: 4
Re: How to use DNS over TLS in 20.7.3
« Reply #16 on: January 07, 2021, 12:20:25 pm »
OK, thanks for reply.

So, should I leave DNSSEC disabled when I want to use DNS over TLS?



I added DNS servers to [System] -> [Settings] -> [General] and disabled "Allow DNS server list to be overridden by DHCP/PPP on WAN" (46.182.19.48 + 185.95.218.42 + 185.95.218.43).

I also enabled DNSSEC and I added DoT servers to [UnBound DNS] -> [Misc] like "46.182.19.48@853 5.9.164.112@853".


How can I verify that DNS over TLS is used as the standard DNS service?
« Last Edit: January 07, 2021, 12:28:25 pm by Layer8 »

chemlud

  • Hero Member
  • *****
  • Posts: 2115
  • Karma: 94
Re: How to use DNS over TLS in 20.7.3
« Reply #17 on: January 07, 2021, 01:52:08 pm »
The config you have now should not work for DNS-over-TLS. Remove the servers from "System" - "Settings" "General" and start over with the complete text for the unbound Custom Options as posted above (but choose your DNS servers wisely)...

You can do a packet capture on WAN port 853; there you can see if DNS-over-TLS is used. The log of unbound is hard to read...

DNSSEC is not provided by many DNS servers, but in theory you could use it in addition to DNS-over-TLS.
« Last Edit: January 07, 2021, 01:53:40 pm by chemlud »
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

bringha

  • Full Member
  • ***
  • Posts: 229
  • Karma: 19
Re: How to use DNS over TLS in 20.7.3
« Reply #18 on: January 07, 2021, 02:48:07 pm »
Hi there,

Thank you very much for this information. So far I can get this working now with all kind of DoT servers with ipv4 addresses.

But as soon as I put under [UnBound DNS]->[Misc] an IPv6 address and restart unbound, my log file gets flooded with

Code:
unbound[99672]: [99672:1] debug:    rtt=2494
unbound[99672]: [99672:1] debug: servselect ip4 1.0.0.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: selrtt 275
unbound[99672]: [99672:1] debug: sending to target: <.> 2606:4700:4700::1001#853
--> unbound[99672]: [99672:1] error: outgoing tcp: bind: Can't assign requested address
unbound[99672]: [99672:1] debug:    ip6 2606:4700:4700::1111 port 853 (len 28)
unbound[99672]: [99672:1] debug:    ip4 1.1.1.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
(see marked line -->)

Any idea how to get this working too?

Thanks a lot

BR br
« Last Edit: January 07, 2021, 02:49:45 pm by bringha »
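For triaging a log like the one bringha posted, here is a small added script (my own, not from this thread or from the Unbound project). It reads Unbound debug output, charges each "error: outgoing tcp: bind: ..." line to the "sending to target" line that precedes it (that is how the excerpt above reads, so the attribution is a heuristic), and reports which upstream addresses and which address family could not get an outgoing socket. The sample log lines are constructed and modelled on the excerpt; the process id and addresses are taken from it.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the log excerpt above; not a real log.
SAMPLE_LOG = """\
unbound[99672]: [99672:1] debug: servselect ip4 1.0.0.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: sending to target: <.> 1.0.0.1#853
unbound[99672]: [99672:1] debug: sending to target: <.> 2606:4700:4700::1001#853
unbound[99672]: [99672:1] error: outgoing tcp: bind: Can't assign requested address
unbound[99672]: [99672:1] debug:    ip6 2606:4700:4700::1111 port 853 (len 28)
unbound[99672]: [99672:1] debug: sending to target: <.> 2606:4700:4700::1111#853
unbound[99672]: [99672:1] error: outgoing tcp: bind: Can't assign requested address
unbound[99672]: [99672:1] debug: sending to target: <.> 1.1.1.1#853
"""

# "sending to target: <zone> address#port" precedes the socket error in the
# excerpt, so it identifies the upstream whose connection attempt failed.
TARGET_RE = re.compile(
    r"sending to target: <(?P<zone>[^>]*)> (?P<addr>[^#\s]+)#(?P<port>\d+)"
)
BIND_ERR_RE = re.compile(r"error: outgoing tcp: bind: (?P<reason>.+)$")


def bind_failures_by_target(log_text):
    """Map (family, address, port) -> number of 'outgoing tcp: bind' errors.

    Attribution heuristic (an assumption): an error line is charged to the
    most recent 'sending to target' line seen before it.
    """
    failures = Counter()
    last_target = None
    for line in log_text.splitlines():
        target = TARGET_RE.search(line)
        if target:
            addr = target.group("addr")
            family = "ip6" if ipaddress.ip_address(addr).version == 6 else "ip4"
            last_target = (family, addr, int(target.group("port")))
            continue
        if BIND_ERR_RE.search(line) and last_target is not None:
            failures[last_target] += 1
    return dict(failures)


def failing_families(failures):
    """Address families that could not bind an outgoing socket.

    "Can't assign requested address" is the OS error EADDRNOTAVAIL: the local
    source address chosen for the socket is not configured on this host. If
    only ip6 targets show up here while ip4 targets never do, the firewall's
    outgoing IPv6 source address is the first thing to check, not the DoT
    server itself.
    """
    return sorted({family for family, _, _ in failures})


if __name__ == "__main__":
    found = bind_failures_by_target(SAMPLE_LOG)
    for (family, addr, port), count in sorted(found.items()):
        print(f"{family} {addr}#{port}: {count} bind error(s)")
    print("families failing:", failing_families(found))
```

Feed it the real log with `bind_failures_by_target(open("/var/log/resolver.log").read())` or similar; the point of splitting the result by family is to separate "the DoT server rejects IPv6" (which would show as a TLS or timeout error, not a local bind error) from "this host cannot source IPv6 connections at all".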

chemlud

  • Hero Member
  • *****
  • Posts: 2115
  • Karma: 94
Re: How to use DNS over TLS in 20.7.3
« Reply #19 on: January 07, 2021, 02:51:16 pm »
Do you have ipv6? Does your DNS server support it? Why would you want to use it, if ipv4 works perfectly fine?

"Doc, it hurts so much when I press her!" "Why do you press there?"
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

bringha

  • Full Member
  • ***
  • Posts: 229
  • Karma: 19
Re: How to use DNS over TLS in 20.7.3
« Reply #20 on: January 07, 2021, 03:21:22 pm »
Hmmmm  8)

Yes, I have IPv6 (what sense would it make otherwise to ask for a DoT IPv6 server??). And yes, we are in the process of transitioning towards an IPv6-only setup. And yes, according to the spec of Unbound, DoT should also work over IPv6. The IPv6 DNS server addresses used are valid ones from the DoT providers.

If I followed your logic, then we would most likely still use Telex for text messaging. OPNsense's great IPv6 capabilities are one of the main differentiators against many other firewalls around.

Br br

chemlud

  • Hero Member
  • *****
  • Posts: 2115
  • Karma: 94
Re: How to use DNS over TLS in 20.7.3
« Reply #21 on: January 07, 2021, 03:58:18 pm »
...then good luck with this half-baked protocol ;-)

Maybe better to open a new thread though...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

bringha

  • Full Member
  • ***
  • Posts: 229
  • Karma: 19
Re: How to use DNS over TLS in 20.7.3
« Reply #22 on: January 08, 2021, 09:45:53 am »
... and this 'new' topic DoT with ipv6 is already there

https://forum.opnsense.org/index.php?topic=20670.0

However, the interest was unfortunately not too high  ;)

Br br

Layer8

  • Full Member
  • ***
  • Posts: 160
  • Karma: 4
Re: How to use DNS over TLS in 20.7.3
« Reply #23 on: January 08, 2021, 04:23:21 pm »
Quote from: chemlud on January 07, 2021, 01:52:08 pm
You can do a packet capture on WAN port 853; there you can see if DNS-over-TLS is used. The log of unbound is hard to read...

DNSSEC is not provided by many DNS servers, but in theory you could use it in addition to DNS-over-TLS.

Good idea!

I captured outgoing WAN-traffic and destination port 853 with normal log level. There is not much to read with normal log level, because of the TLS encryption. All you can see is:

Code:
1 0.000000 123.123.123.123 5.9.164.112 TLSv1.2 132 Application Data
2 0.017167 5.9.164.112 123.123.123.123 TLSv1.2 386 Application Data
3 0.017193 123.123.123.123 5.9.164.112 TCP 56 22792 → 853 [ACK] Seq=77 Ack=331 Win=507 Len=0 TSval=2814304945 TSecr=256810250
4 0.017292 123.123.123.123 5.9.164.112 TLSv1.2 138 Application Data
5 0.034172 5.9.164.112 123.123.123.123 TLSv1.2 349 Application Data
6 0.034188 123.123.123.123 5.9.164.112 TCP 56 22792 → 853 [ACK] Seq=159 Ack=624 Win=508 Len=0 TSval=2814304965 TSecr=256810267
7 0.034279 123.123.123.123 46.182.19.48 TLSv1.2 143 Application Data
8 0.057196 46.182.19.48 123.123.123.123 TLSv1.2 284 Application Data
9 0.057229 123.123.123.123 46.182.19.48 TCP 56 22086 → 853 [ACK] Seq=88 Ack=229 Win=508 Len=0 TSval=2911856615 TSecr=699134859

You can find a list of some servers for DNS over TLS in the German Wikipedia, which also includes servers from digitalcourage.de and digitale-gesellschaft.ch. Those should be trustworthy.

I removed all servers from [System] -> [Settings] -> [General] and disabled DNSSEC again.

I will also block port 53 from outgoing WAN traffic for standard DNS queries. This should prevent an unnoticed fallback. Here is the rule:

Block - int WAN - out - IPv4+v6 - TCP - src any - dest WAN net - destport DNS
« Last Edit: January 08, 2021, 05:07:59 pm by Layer8 »
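The capture above shows only TLS to port 853, which is the positive half of the check. The other half is making sure nothing falls back to plaintext on port 53, which is what Layer8's block rule is for. As an added example (my own script, not something from this thread or from OPNsense), here is an audit over a tshark field export that answers both questions from one capture. It assumes the capture was exported with `tshark -r wan.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport -e _ws.col.Protocol` (real tshark field names; the resulting tab-separated sample lines here are constructed, with the placeholder WAN address from the capture above). Plain DNS runs over UDP as well as TCP, so the audit looks at both.

```python
# Constructed sample of the assumed tshark field export:
#   tshark -r wan.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport -e _ws.col.Protocol
# Columns: src, dst, tcp.dstport, udp.dstport, protocol (empty field when n/a).
SAMPLE_EXPORT = """\
123.123.123.123\t5.9.164.112\t853\t\tTLSv1.2
5.9.164.112\t123.123.123.123\t22792\t\tTLSv1.2
123.123.123.123\t5.9.164.112\t853\t\tTCP
123.123.123.123\t46.182.19.48\t853\t\tTLSv1.2
123.123.123.123\t9.9.9.9\t\t53\tDNS
123.123.123.123\t93.184.216.34\t443\t\tTLSv1.3
"""

WAN_ADDRESS = "123.123.123.123"  # placeholder WAN address, as in the capture above

DOT_PORT = 853        # DNS over TLS (TCP)
PLAIN_DNS_PORT = 53   # classic DNS, UDP or TCP


def audit_dns_egress(export_text, wan_address):
    """Classify outbound frames sent from the firewall's WAN address.

    Returns the DoT upstreams actually contacted on TCP/853, every frame that
    left for port 53 (the fallback a block rule is meant to stop), and an
    overall verdict: at least one DoT upstream seen and no plaintext leaks.
    """
    dot_upstreams = set()
    leaks = []
    for raw in export_text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 5:
            raise ValueError(f"unexpected field count in line: {raw!r}")
        src, dst, tcp_dport, udp_dport, proto = fields
        if src != wan_address:
            continue  # replies coming back in are not what is being audited
        if tcp_dport == str(DOT_PORT):
            dot_upstreams.add(dst)
        elif tcp_dport == str(PLAIN_DNS_PORT):
            leaks.append((dst, "tcp/53", proto))
        elif udp_dport == str(PLAIN_DNS_PORT):
            leaks.append((dst, "udp/53", proto))
    return {
        "dot_upstreams": sorted(dot_upstreams),
        "plaintext_leaks": leaks,
        "ok": bool(dot_upstreams) and not leaks,
    }


if __name__ == "__main__":
    result = audit_dns_egress(SAMPLE_EXPORT, WAN_ADDRESS)
    print("DoT upstreams on 853:", result["dot_upstreams"])
    print("plaintext DNS leaving on 53:", result["plaintext_leaks"])
    print("verdict:", "OK" if result["ok"] else "FALLBACK DETECTED")
```

Run it against a capture taken after changing the resolver settings and again after enabling the block rule: the first run tells you whether anything still goes out on 53, the second should show the same traffic gone. One caveat the capture cannot settle: TLS on port 853 proves the transport is encrypted, not that Unbound verified the server certificate against a hostname; that depends on the resolver configuration, not on the packets.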

ChrisChros

  • Full Member
  • ***
  • Posts: 124
  • Karma: 5
Re: How to use DNS over TLS in 20.7.3
« Reply #24 on: January 11, 2021, 10:08:38 pm »
Hi,
just for my understanding.
If I want to use DoT with unbound I have to insert under Custom Options in the General section the text posted above.
But what is the field DNS over TLS Servers in the Miscellaneous chapter good for? Or is this at the moment just a placeholder for a later update of unbound?

Regards Chris
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

koushun

  • Jr. Member
  • **
  • Posts: 86
  • Karma: 6
  • Digital pimp hard at work.
Re: How to use DNS over TLS in 20.7.3
« Reply #25 on: January 28, 2021, 11:33:33 pm »
Check this site: https://www.cloudflare.com/en-gb/ssl/encrypted-sni/

I am just doing this with Unbound and I get a positive result on the "Secure DNS" check above;

Remove DNS Servers from System > Settings > General.

Add 1.1.1.1@853 1.0.0.1@853 under Services > Unbound DNS > Miscellaneous

Voilà.

GA-J3455N-D3H (rev. 1.0)

guest28717

  • Guest
Re: How to use DNS over TLS in 20.7.3
« Reply #26 on: April 18, 2021, 11:27:28 am »
Can I confirm there is currently no way (OPNsense 21.1.4) to specify the hostname for DoT DNS servers with the web gui (Services > Unbound DNS > Miscellaneous > DNS over TLS Servers)?

At the moment I have specified the DoT servers under  Services > Unbound DNS > Custom Options (e.g. 1.1.1.1@853#cloudflare-dns.com).

What is the point of using DoH if you can't specify the hostname to verify the certificate of the DoH server? If your ISP was intercepting DoH traffic for 1.1.1.1 etc, you would have no way to know this.

See this post for full config to do it the manual way: https://forum.opnsense.org/index.php?topic=19345.msg89172#msg89172

Maurice

  • Sr. Member
  • ****
  • Posts: 497
  • Karma: 54
Re: How to use DNS over TLS in 20.7.3
« Reply #27 on: April 19, 2021, 08:54:41 pm »
Quote from: CloudUser on April 18, 2021, 11:27:28 am
Can I confirm there is currently no way (OPNsense 21.1.4) to specify the hostname for DoT DNS servers with the web gui (Services > Unbound DNS > Miscellaneous > DNS over TLS Servers)?

Yes, still not supported.

Quote from: CloudUser on April 18, 2021, 11:27:28 am
At the moment I have specified the DoT servers under  Services > Unbound DNS > Custom Options (e.g. 1.1.1.1@853#cloudflare-dns.com).

Correct, but Unbound custom options will be removed in 21.7.

Also see: https://github.com/opnsense/core/pull/4858
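The point raised in reply #26 and confirmed in #27 is the one that matters for security: an entry like `1.1.1.1@853` gives Unbound an encrypted channel but no hostname to check the server certificate against, while `1.1.1.1@853#cloudflare-dns.com` does. As an added example (my own code, not from this thread, from OPNsense or from the Unbound project), here is a parser for Unbound's `address[@port][#authname]` form that flags entries without an auth name and renders the `forward-zone:` fragment Unbound itself reads. The sample entries are the GUI-style ones from earlier in the thread plus the `#hostname` form from the post above; the CA bundle path is an assumption to adjust for your system.

```python
import ipaddress

# Constructed sample: two entries as typed into the GUI field earlier in the
# thread (no auth name) and two in the "#hostname" form from the post above.
SAMPLE_ENTRIES = [
    "46.182.19.48@853",
    "5.9.164.112@853",
    "1.1.1.1@853#cloudflare-dns.com",
    "2606:4700:4700::1111@853#cloudflare-dns.com",
]

# Assumed CA bundle path; Unbound needs one to validate upstream certificates.
CERT_BUNDLE = "/etc/ssl/cert.pem"


def parse_forward_addr(entry):
    """Split Unbound's 'address[@port][#authname]' form into (addr, port, name).

    The '#authname' part is split off first, so the later search for '@' is
    not confused by the colons of an IPv6 address. Port defaults to 53, which
    is also what Unbound assumes when no port is given.
    """
    addr_port, _, auth_name = entry.strip().partition("#")
    auth_name = auth_name.strip() or None
    if "@" in addr_port:
        addr, _, port_text = addr_port.rpartition("@")
        port = int(port_text)
    else:
        addr, port = addr_port, 53
    ipaddress.ip_address(addr)  # raises ValueError if this is not an IP literal
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return addr, port, auth_name


def unauthenticated_upstreams(entries):
    """Entries that TLS will encrypt but that Unbound cannot authenticate.

    Without '#authname' there is no hostname to match the certificate against,
    so a server answering on the upstream's address with any valid-looking
    certificate would be accepted. These are the entries to fix.
    """
    return [e for e in entries if parse_forward_addr(e)[2] is None]


def render_forward_zone(entries, cert_bundle=CERT_BUNDLE):
    """Emit the unbound.conf fragment for a TLS-only forward zone for '.'."""
    lines = [
        "server:",
        f'  tls-cert-bundle: "{cert_bundle}"',
        "forward-zone:",
        '  name: "."',
        "  forward-tls-upstream: yes",
    ]
    for entry in entries:
        addr, port, auth_name = parse_forward_addr(entry)
        line = f"  forward-addr: {addr}@{port}"
        if auth_name:
            line += f"#{auth_name}"
        lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    weak = unauthenticated_upstreams(SAMPLE_ENTRIES)
    for entry in weak:
        print(f"no auth name, certificate cannot be verified: {entry}")
    good = [e for e in SAMPLE_ENTRIES if e not in weak]
    print(render_forward_zone(good))
```

Only the entries that carry an auth name are rendered into the fragment, so the output is something you can paste into a custom-options field or an include file while that mechanism still exists; the flagged entries are the ones to complete with the provider's published hostname before using them.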

mimugmail

  • Hero Member
  • *****
  • Posts: 6342
  • Karma: 436
Re: How to use DNS over TLS in 20.7.3
« Reply #28 on: April 19, 2021, 09:53:58 pm »
Quote from: Maurice on April 19, 2021, 08:54:41 pm

Correct, but Unbound custom options will be removed in 21.7.

Also see: https://github.com/opnsense/core/pull/4858

Source please :)
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

Maurice

  • Sr. Member
  • ****
  • Posts: 497
  • Karma: 54
Re: How to use DNS over TLS in 20.7.3
« Reply #29 on: April 19, 2021, 10:14:19 pm »
You mean a source for "custom options will be removed"? Official roadmap: https://opnsense.org/about/road-map/

(It's in the 'planned' stage, so "will probably be removed" would indeed be more accurate.)

<edit>
Hm, the roadmap says "advanced" configuration removal, not "custom". Franco often mentioned that the custom options will eventually be removed (and so does the help text), so I thought that would be it. But now I'm not sure anymore. There is an Unbound "Advanced" configuration page, but why would you remove that? Clarification welcome.
</edit>

<edit2>
"Advanced configuration" and "Custom options" get mixed up on GitHub, too: https://github.com/opnsense/core/issues/4327
So yes, I'm pretty sure the roadmap item is actually about the custom options now getting finally removed.
</edit2>
« Last Edit: April 19, 2021, 11:00:03 pm by Maurice »
