OPNsense Forum » Archive » 20.7 Legacy Series » How to use DNS over TLS in 20.7.3
Author Topic: How to use DNS over TLS in 20.7.3  (Read 12871 times)

decalpha

  • Newbie
  • Posts: 13
  • Karma: 1
How to use DNS over TLS in 20.7.3
« on: September 28, 2020, 01:08:31 pm »
I have this set-up with 20.1.x:
forward-zone:
      name: "."
      forward-ssl-upstream: yes
      forward-addr: 1.1.1.1@853 # Cloudflare DNS
      forward-addr: 1.0.0.1@853 # Cloudflare DNS

How to set-up the same in 20.7.3 ?

mimugmail

  • Hero Member
  • Posts: 6296
  • Karma: 433
Re: How to use DNS over TLS in 20.7.3
« Reply #1 on: September 28, 2020, 01:10:07 pm »
Backup custom, remove custom, go to Misc submenu and add 1.1.1.1@853,1.0.0.1@853
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

decalpha

  • Newbie
  • Posts: 13
  • Karma: 1
Re: How to use DNS over TLS in 20.7.3
« Reply #2 on: September 28, 2020, 01:36:21 pm »
 
Quote from: mimugmail on September 28, 2020, 01:10:07 pm
Backup custom, remove custom, go to Misc submenu and add 1.1.1.1@853,1.0.0.1@853


Thanks, I am assuming:
1. Save configuration before upgrade.
2. Upgrade.
3. Remove from custom.
4. Add entries under Misc.

mimugmail

  • Hero Member
  • Posts: 6296
  • Karma: 433
Re: How to use DNS over TLS in 20.7.3
« Reply #3 on: September 28, 2020, 01:45:56 pm »
Correct
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

Mks

  • Sr. Member
  • Posts: 260
  • Karma: 19
Re: How to use DNS over TLS in 20.7.3
« Reply #4 on: September 28, 2020, 04:04:01 pm »
Hi, I don't get it. I have 20.7.3 running and Custom Options are still available in Unbound.

Please elaborate.

br

mimugmail

  • Hero Member
  • Posts: 6296
  • Karma: 433
Re: How to use DNS over TLS in 20.7.3
« Reply #5 on: September 28, 2020, 04:45:14 pm »
Quote from: Mks on September 28, 2020, 04:04:01 pm
Hi, I don't get it. I have 20.7.3 running and Custom Options are still available in Unbound.

Please elaborate.

br

Yes, it's still available; what's the deal?
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

decalpha

  • Newbie
  • Posts: 13
  • Karma: 1
Re: How to use DNS over TLS in 20.7.3
« Reply #6 on: September 28, 2020, 05:09:38 pm »
Quote from: mimugmail on September 28, 2020, 01:45:56 pm
Correct
Thanks.

Mks

  • Sr. Member
  • Posts: 260
  • Karma: 19
Re: How to use DNS over TLS in 20.7.3
« Reply #7 on: September 28, 2020, 09:01:20 pm »
Hi, sorry, my fault, I misunderstood the question.

One question: is certificate verification, e.g. 185.95.218.42@853#dns.digitale-gesellschaft.ch, supported?

br


mimugmail

  • Hero Member
  • Posts: 6296
  • Karma: 433
Re: How to use DNS over TLS in 20.7.3
« Reply #8 on: September 29, 2020, 06:07:06 am »
It's not yet in there, sorry.
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

RFGuy_KCCO

  • Newbie
  • Posts: 11
  • Karma: 2
Re: How to use DNS over TLS in 20.7.3
« Reply #9 on: September 29, 2020, 02:16:27 pm »
Quote from: Mks on September 28, 2020, 09:01:20 pm
Hi, sorry, my fault, I misunderstood the question.

One question: is certificate verification, e.g. 185.95.218.42@853#dns.digitale-gesellschaft.ch, supported?

br

Yes, this works if you use the custom options. Frankly, there is no point in doing DoT if you aren't also validating the certs. I am back to using Unbound as a recursive server, so I am no longer doing DoT, but this was my working config before I switched. Just choose which DNS provider you want to use and delete the rest.

Quote
tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
 
# Quad9 - No EDNS
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
# Quad9 - EDNS
  forward-addr: 2620:fe::11@853#dns.quad9.net
  forward-addr: 2620:fe::fe:11@853#dns.quad9.net
  forward-addr: 9.9.9.11@853#dns.quad9.net
  forward-addr: 149.112.112.11@853#dns.quad9.net
# Cloudflare DNS
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
# Comcast
  forward-addr: 2001:558:fe21:6b:96:113:151:145@853#dot.xfinity.com
  forward-addr: 96.113.151.145@853#dot.xfinity.com
# Google
  forward-addr: 2001:4860:4860::8888@853#dns.google
  forward-addr: 2001:4860:4860::8844@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 8.8.4.4@853#dns.google
OPNsense 20.7.4
SuperMicro SuperServer E300-8D (primary WAN)
Protectli Vault FW1 (secondary WAN)
TRENDnet TEG-30284
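The distinction RFGuy_KCCO draws above, and the gap in the 20.1-era snippet at the top of the thread, as an added Python lint: an upstream written as `IP@853` is only encrypted, while `IP@853#auth-name` together with a `tls-cert-bundle` makes Unbound verify the server certificate. This is example code, not OPNsense's or Unbound's; the `Upstream` and `audit_forward_zone` names and the `SAMPLE_20_1` snippet are constructed here.

```python
"""Lint an Unbound forward-zone snippet for DNS-over-TLS hygiene: TLS on, a CA bundle
set, and a '#auth-name' on every upstream so the certificate is verified, not merely
used for encryption. Added example, not OPNsense code; the sample input is constructed."""
import re
from typing import NamedTuple, Optional

# auth_name None means TLS without certificate authentication (encryption only)
Upstream = NamedTuple("Upstream", [("addr", str), ("port", int), ("auth_name", Optional[str])])

def parse_forward_addr(spec: str) -> Upstream:
    """Parse Unbound's 'IP[@port][#auth-name]' form; IPv6 literals contain ':'."""
    auth_name = None
    if "#" in spec:
        spec, auth_name = spec.split("#", 1)
    port = 53  # Unbound's default when '@port' is absent
    if "@" in spec:
        spec, port_str = spec.rsplit("@", 1)
        port = int(port_str)
    return Upstream(spec.strip(), port, auth_name.strip() or None if auth_name else None)

def audit_forward_zone(config: str) -> dict:
    """Return TLS state, CA-bundle state, parsed upstreams and a list of findings."""
    tls_on, bundle, upstreams, findings = False, False, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # whole-line comment
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        value = re.split(r"\s+#", value, maxsplit=1)[0].strip()  # drop trailing comment
        if key in ("forward-tls-upstream", "forward-ssl-upstream"):  # new and old spelling
            tls_on = value.lower() == "yes"
        elif key == "tls-cert-bundle":  # tls-system-cert would also work; not handled here
            bundle = bool(value.strip('"'))
        elif key == "forward-addr":
            upstreams.append(parse_forward_addr(value))
    if not tls_on:
        findings.append("TLS not enabled for the forward zone: queries leave in cleartext")
    elif not bundle:
        findings.append("no tls-cert-bundle: '#auth-name' cannot be verified against a CA")
    for u in upstreams:
        if u.auth_name is None:
            findings.append(f"{u.addr}@{u.port}: no '#auth-name', server certificate not checked")
    return {"tls": tls_on, "cert_bundle": bundle, "upstreams": upstreams, "findings": findings}
# Constructed sample in the shape of the thread's 20.1-era snippet: encrypted, not authenticated.
SAMPLE_20_1 = """forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853 # Cloudflare DNS
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
"""
```

Running `audit_forward_zone(SAMPLE_20_1)` reports the missing CA bundle and flags the `1.1.1.1@853` entry, while the IPv6 entry with `#cloudflare-dns.com` passes.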

Mks

  • Sr. Member
  • Posts: 260
  • Karma: 19
Re: How to use DNS over TLS in 20.7.3
« Reply #10 on: September 29, 2020, 06:42:14 pm »
Hi,

I've got it configured via Custom Options ;)

br

spkrb7

  • Newbie
  • Posts: 7
  • Karma: 0
Re: How to use DNS over TLS in 20.7.3
« Reply #11 on: September 30, 2020, 11:07:51 am »
Hello, I've just jumped into OPNsense and first up is trying to stop the DNS leaks (next will be a WireGuard server). In my previous rig I relied on dnsmasq and stubby DoT, but I'm trying to set up Unbound and getting confused. Is there a howto for it or a better hardened privacy method? Sorry for the greenhorn intrusion. :)

I have verified Unbound is working; I have added DoT servers in Unbound -> Miscellaneous. DNSSEC is enabled. Do I still need to add something into the custom field, or download a cert package? Do I need unbound-plus?
« Last Edit: September 30, 2020, 11:39:54 am by spkrb7 »
OPNsense 20.7.3
Protectli FW4
Asus RT-AC86U (AP)

mimugmail

  • Hero Member
  • Posts: 6296
  • Karma: 433
Re: How to use DNS over TLS in 20.7.3
« Reply #12 on: September 30, 2020, 01:21:12 pm »
Unbound-plus is gone; it's now part of the core system.
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

spkrb7

  • Newbie
  • Posts: 7
  • Karma: 0
Re: How to use DNS over TLS in 20.7.3
« Reply #13 on: October 03, 2020, 05:26:52 am »
Thanks, glad DoT is working so simply on OPNsense. Great work!
OPNsense 20.7.3
Protectli FW4
Asus RT-AC86U (AP)

Layer8

  • Full Member
  • Posts: 160
  • Karma: 4
Re: How to use DNS over TLS in 20.7.3
« Reply #14 on: January 07, 2021, 11:33:31 am »
If I am right, it's enough to just add the TLS-enabled DNS servers to the DNS servers list under

[System] -> [Settings] -> [General]

AND enabling DNSSEC under

[Services] -> [Unbound DNS] -> [General].


I just noticed this because "Domain signature validation (DNSSEC)" on the following test page turned from red to green after I enabled DNSSEC: http://conn.internet.nl/connection/

Seems there is no need to enter TLS-enabled Servers under [Services] -> [Unbound DNS] -> [Miscellaneous].

Can one confirm this?

If you verify it, remember that "TTL for Host cache entries"-value under

[Services] -> [Unbound DNS] -> [Advanced]

is 15 min, so set it to 1 min to test it.


Or is it just because my default ISP-Gateway (Vodafone) supports DNSSEC?
« Last Edit: January 07, 2021, 11:37:24 am by Layer8 »