How to use DNS over TLS in 20.7.3

[decalpha]

I have this set-up in with 20.1.x     
forward-zone:
      name: "."
      forward-ssl-upstream: yes
      forward-addr: 1.1.1.1@853 # Cloudflare DNS
      forward-addr: 1.0.0.1@853 # Cloudflare DNS

How to set-up the same in 20.7.3 ?

[mimugmail]

Backup custom, remove custom, go to Misc submenu and add 1.1.1.1@853,1.0.0.1@853

[decalpha]

 

Backup custom, remove custom, go to Misc submenu and add 1.1.1.1@853,1.0.0.1@853

Thanks, am assuming:
1. Save configuration before upgrade.
2. Upgrade.
3. Remove from custom
4. Add entries under Misc.

[mimugmail]

Correct

[Mks]

Hi, don't get it. I've 20.7.3 running, Custom Options are still available in Unbound.

Please elaborate.

br

[mimugmail]

Hi, don't get it. I've 20.7.3 running, Custom Options are still available in Unbound.

Please elaborate.

br

Yes it's still available, whats the deal?

[decalpha]

Correct

Thanks.

[Mks]

Hi, sorry my fault, I misunderstand the question.

One question, is certificate verification, e.g 185.95.218.42@853#dns.digitale-gesellschaft.ch supported?

br

[mimugmail]

It's not yet in there, sorry

[RFGuy_KCCO]

Hi, sorry my fault, I misunderstand the question.

One question, is certificate verification, e.g 185.95.218.42@853#dns.digitale-gesellschaft.ch supported?

br

Yes, this works if you use the custom options. Frankly, there is no point in doing DoT if you aren't also validating the certs. I am back to using Unbound as a recursive server, so I am no longer doing DoT, but this was my working config before I switched. Just choose which DNS provider you want to use and delete the rest.

tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
 
# Quad9 - No EDNS
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
# Quad9 - EDNS
  forward-addr: 2620:fe::11@853#dns.quad9.net
  forward-addr: 2620:fe::fe:11@853#dns.quad9.net
  forward-addr: 9.9.9.11@853#dns.quad9.net
  forward-addr: 149.112.112.11@853#dns.quad9.net
# Cloudflare DNS
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
# Comcast
  forward-addr:  2001:558:fe21:6b:96:113:151:145@853#dot.xfinity.com
  forward-addr:  96.113.151.145@853#dot.xfinity.com
# Google
  forward-addr: 2001:4860:4860::8888@853#dns.google
  forward-addr: 2001:4860:4860::8844@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 8.8.4.4@853#dns.google

[Mks]

Hi,

I've it configured via Custom Options 

br

[spkrb7]

Hello, I've just jumped into Opnsense and first up is trying to stop the dns leaks (next will be a Wireguard server). In my previous rig I've relied on dnsmasq and stubby DoT, but I'm trying to setup Unbound and getting confused. Is there a howto for it or a better hardened privacy method? Sorry for the greenhorn intrusion.

I have verified unbound working, I have added DoT servers in Unbound->miscellaneous. DNSSEC is enabled. Do I still need to add something into the custom field, download a cert package? Do i need unbound-plus?

[mimugmail]

Unbound-plus is gone .. it's now part of the core system

[spkrb7]

Thanks, glad DoT is working so simply on Opensense. Great work!

[Layer8]

If i am right, its enough to just add the TLS-enabled DNS-servers to the DNS servers-list under

[System] -> [Settings] -> [General]

AND enabling DNSSEC under

[Services] -> [Unbound DNS] -> [General].


I just noticed this, because "Domain signature validation (DNSSEC)" on the following test page turned from red to green after i just enablded DNSSEC: http://conn.internet.nl/connection/

Seems there is no need to enter TLS-enabled Servers under [Services] -> [Unbound DNS] -> [Miscellaneous].

Can one confirm this?

If you verify it, remember that "TTL for Host cache entries"-value under

[Services] -> [Unbound DNS] -> [Advanced]

is 15min, so set it to 1min to test ist.


Or is it just because my default ISP-Gateway (Vodafone) supports DNSSEC?