How to use DNS over TLS in 20.7.3

Started by decalpha, September 28, 2020, 01:08:31 PM

I have this set-up with 20.1.x:
forward-zone:
      name: "."
      forward-ssl-upstream: yes
      forward-addr: 1.1.1.1@853 # Cloudflare DNS
      forward-addr: 1.0.0.1@853 # Cloudflare DNS

How to set up the same in 20.7.3?

Backup custom, remove custom, go to Misc submenu and add 1.1.1.1@853,1.0.0.1@853

 
Quote from: mimugmail on September 28, 2020, 01:10:07 PM
Backup custom, remove custom, go to Misc submenu and add 1.1.1.1@853,1.0.0.1@853


Thanks, I am assuming:
1. Save configuration before upgrade.
2. Upgrade.
3. Remove from custom.
4. Add entries under Misc.


Hi, I don't get it. I have 20.7.3 running; Custom Options are still available in Unbound.

Please elaborate.

br

Quote from: Mks on September 28, 2020, 04:04:01 PM
Hi, I don't get it. I have 20.7.3 running; Custom Options are still available in Unbound.

Please elaborate.

br

Yes, it's still available, what's the deal?


Hi, sorry, my fault, I misunderstood the question.

One question: is certificate verification, e.g. 185.95.218.42@853#dns.digitale-gesellschaft.ch, supported?

br



Quote from: Mks on September 28, 2020, 09:01:20 PM
Hi, sorry, my fault, I misunderstood the question.

One question: is certificate verification, e.g. 185.95.218.42@853#dns.digitale-gesellschaft.ch, supported?

br

Yes, this works if you use the custom options. Frankly, there is no point in doing DoT if you aren't also validating the certs. I am back to using Unbound as a recursive server, so I am no longer doing DoT, but this was my working config before I switched. Just choose which DNS provider you want to use and delete the rest.

tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes

# Quad9 - No EDNS
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
# Quad9 - EDNS
  forward-addr: 2620:fe::11@853#dns.quad9.net
  forward-addr: 2620:fe::fe:11@853#dns.quad9.net
  forward-addr: 9.9.9.11@853#dns.quad9.net
  forward-addr: 149.112.112.11@853#dns.quad9.net
# Cloudflare DNS
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
# Comcast
  forward-addr: 2001:558:fe21:6b:96:113:151:145@853#dot.xfinity.com
  forward-addr: 96.113.151.145@853#dot.xfinity.com
# Google
  forward-addr: 2001:4860:4860::8888@853#dns.google
  forward-addr: 2001:4860:4860::8844@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 8.8.4.4@853#dns.google
OPNsense 20.7.4
SuperMicro SuperServer E300-8D (primary WAN)
Protectli Vault FW1 (secondary WAN)
TRENDnet TEG-30284
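A small checker for the kind of custom-options block quoted above, written as an added example for this thread (it is not code from the post, from OPNsense or from Unbound): it parses Unbound's forward-addr syntax and flags upstreams that lack the #authname needed for certificate verification, as well as a config that is missing tls-cert-bundle or forward-tls-upstream. The config embedded in it is a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the custom-options snippets in this thread:
# the first two upstreams verify the certificate, the last one does not.
SAMPLE_CONFIG = """
tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
# Quad9
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
# Cloudflare, but without the #authname part
  forward-addr: 1.1.1.1@853
"""

@dataclass
class Upstream:
    address: str
    port: int
    auth_name: Optional[str]

def parse_forward_addr(value: str) -> Upstream:
    """Parse Unbound's forward-addr syntax: IP[@port][#authname].
    IPv6 literals contain ':' but never '@' or '#', so splitting on those
    two characters is unambiguous. Default DNS port is 53."""
    addr, _, auth = value.partition("#")
    host, _, port = addr.partition("@")
    return Upstream(host.strip(), int(port) if port else 53, auth.strip() or None)

def audit_dot_config(text: str) -> List[str]:
    """Return findings a defender would want to see before trusting a DoT setup."""
    findings = []
    # forward-ssl-upstream is the older spelling of forward-tls-upstream
    tls_upstream = re.search(r"^\s*forward-(tls|ssl)-upstream:\s*yes", text, re.M) is not None
    has_bundle = re.search(r"^\s*tls-cert-bundle:", text, re.M) is not None
    if not tls_upstream:
        findings.append("forward-tls-upstream is not enabled: queries leave in clear text")
    if not has_bundle:
        findings.append("tls-cert-bundle missing: Unbound cannot validate upstream certificates")
    for m in re.finditer(r"^\s*forward-addr:\s*(\S+)", text, re.M):
        up = parse_forward_addr(m.group(1))
        if tls_upstream and up.port != 853:
            findings.append(f"{up.address}: TLS upstream on non-standard port {up.port}")
        if up.auth_name is None:
            findings.append(f"{up.address}: no #authname, certificate is not verified")
    return findings
```

Running audit_dot_config over your own custom-options text reports exactly which forward-addr lines would accept any certificate the upstream presents.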

Hi,

I've it configured via Custom Options  ;)

br

September 30, 2020, 11:07:51 AM #11 Last Edit: September 30, 2020, 11:39:54 AM by spkrb7
Hello, I've just jumped into OPNsense and first up is trying to stop the DNS leaks (next will be a WireGuard server). In my previous rig I've relied on dnsmasq and stubby DoT, but I'm trying to set up Unbound and getting confused. Is there a howto for it or a better hardened privacy method? Sorry for the greenhorn intrusion. :)

I have verified Unbound working, I have added DoT servers in Unbound->Miscellaneous. DNSSEC is enabled. Do I still need to add something into the custom field, download a cert package? Do I need unbound-plus?
OPNsense 20.7.3
Protectli FW4
Asus RT-AC86U (AP)

Unbound-plus is gone... it's now part of the core system.

Thanks, glad DoT is working so simply on OPNsense. Great work!
OPNsense 20.7.3
Protectli FW4
Asus RT-AC86U (AP)

January 07, 2021, 11:33:31 AM #14 Last Edit: January 07, 2021, 11:37:24 AM by Layer8
If I am right, it's enough to just add the TLS-enabled DNS servers to the DNS servers list under

[System] -> [Settings] -> [General]

AND enable DNSSEC under

[Services] -> [Unbound DNS] -> [General].


I just noticed this because "Domain signature validation (DNSSEC)" on the following test page turned from red to green after I just enabled DNSSEC: http://conn.internet.nl/connection/

Seems there is no need to enter TLS-enabled servers under [Services] -> [Unbound DNS] -> [Miscellaneous].

Can one confirm this?

If you verify it, remember that the "TTL for Host cache entries" value under

[Services] -> [Unbound DNS] -> [Advanced]

is 15 min, so set it to 1 min to test it.


Or is it just because my default ISP gateway (Vodafone) supports DNSSEC?