Anyone using DoT or recommend added security for my new OPNsense install?

Started by g0nz0uk, March 29, 2021, 12:53:34 PM

Hello,

I've finally moved over from pfSense to OPNsense and it's all working nice at home.

I used pfBlocker and Suricata and I also had Pi Hole on my single ESXi host.

I've now had a clear out and want to start again with security.

I don't have any VMs now at home apart from Grafana for my nice Dashboard for OPNsense.

My DNS is set up to point to Cloudflare's 1.1.1.3 for their family DNS (blocks certain categories) and I use 1.1.1.1 for my guest network where it isn't blocked.

3 areas I'd like to sort out are:

1.) Have control over what categories I block.
2.) Have some sort of monitoring/stats
3.) Security - I love to encrypt our DNS with DoT.

What options do I have for the above?  What do you use?

My home hardware is:

HP T730 with Intel quad card for OPNsense
Intel NUC - 32GB mem with 1TB SSD for ESXi 7 host for VMs
24 port Mikrotik switch
2 x Cisco 3700 APs with a few SSIDs on separate VLANs

Thanks

I use Quad9 but all the same.  You can use this guide to set up Unbound DNS on OPNsense:

https://sahlitech.com/opnsense-setup-unbound-dns/

Just comment the servers you don't want to use and add the ones you do. It's not as slick as PIHole but it's cleaner to have it in the same box.


Thanks, I'm not sure that link enables DoT though, unless I'm wrong?

I believe the following line does enable DoT:

forward-addr: 1.1.1.1@853   #CloudFlare

Port 853 is typically set for DoT.

https://developers.cloudflare.com/1.1.1.1/dns-over-tls

The guide posted is decent; however, the custom options are sloppy and won't result in a fully functioning setup. Ideally we want the router to do cert validation with the DoT DNS provider to ensure that the responses we're getting on 853 match the domain (cloudflare, quad9, etc.).

The way that guide is formatting the custom options will cause some confusion. I would suggest something like this instead for a full DoT implementation. Season to taste with your preferred provider and paste to custom options. This will do cert validation; the #domain.name is key here.

# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2620:fe::9@853#dns9.quad9.net
    forward-addr: 9.9.9.9@853#dns9.quad9.net
    forward-addr: 149.112.112.9@853#dns9.quad9.net

Thanks, I'll try this today.

Seems many miss off the cert section.

I have been through dnscrypt, pihole and now I'm on AdGuard home. I use it on my raspi and on my opnsense router for primary and secondary. I really like it, it's quick and supports anything you need. Only thing missing is clustering, but if your requirements are simple then double entering isn't the end of the world.
There's an AdGuard plugin for OPNsense, also for Home Assistant.

Quote from: opnfwb on March 30, 2021, 07:14:52 AM
The guide posted is decent however, the custom options are sloppy and won't result in a fully functioning setup.
...

Thanks for this suggestion.  I reached out to the author of the guide, and they updated it with your suggestions. 

I'm using Cloudflare Teams and Unbound as well. This way I also can set some extra policies at Cloudflare to increase my security level even more.

This is my config:
# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 172.64.36.1@853#xxxxxxxxx.cloudflare-gateway.com
    forward-addr: 172.64.36.2@853#xxxxxxxxx.cloudflare-gateway.com
    forward-addr: 2a06:98c1:54::28a@853#xxxxxxxxx.cloudflare-gateway.com
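
A small check for custom-options snippets like the Quad9 one and the Cloudflare Teams one above, added here as an example (it is not code from the thread, from Unbound or from OPNsense): it parses a pasted snippet and flags the gaps the thread warns about (no tls-cert-bundle, forward-tls-upstream off, a forwarder without its #authname, a forwarder not on 853, and the xxxxxxxxx gateway placeholder left in). The sample input is constructed for the demonstration.

```python
import re
# Constructed sample, not the poster's text: the thread's Quad9 snippet with two
# defects added for illustration (a missing '#authname' and an unreplaced placeholder).
SAMPLE_CUSTOM_OPTIONS = """\
# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 9.9.9.9@853#dns9.quad9.net
forward-addr: 149.112.112.9@853
forward-addr: 172.64.36.1@853#xxxxxxxxx.cloudflare-gateway.com
"""

# forward-addr: <ip>[@port][#authname]. Unbound reads '#' as a comment only at the
# start of a token, so a '#name' glued to the address is the TLS auth name.
ADDR_RE = re.compile(
    r'^forward-addr:\s*(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$')

def lint_dot_options(text: str) -> list[str]:
    """Findings for an Unbound custom-options snippet; [] means every forwarder is authenticated DoT."""
    findings: list[str] = []
    have_bundle = tls_upstream = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith('#'):
            continue                                   # blank or full-line comment
        line = re.split(r'\s#', stripped, maxsplit=1)[0].strip()   # drop trailing comment
        if line.startswith('tls-cert-bundle:'):
            have_bundle = True
        elif line.startswith('forward-tls-upstream:'):
            tls_upstream = line.split(':', 1)[1].strip().lower() == 'yes'
        elif line.startswith('forward-addr:'):
            m = ADDR_RE.match(line)
            if not m:
                findings.append(f'unparseable forwarder: {line}')
                continue
            host, port, auth = m.group('host', 'port', 'auth')
            if port != '853':
                findings.append(f'{host}: port {port or "53"} is not the DoT port 853')
            if not auth:
                findings.append(f'{host}: no #authname, certificate will not be checked')
            elif 'xxx' in auth.lower():
                findings.append(f'{host}: placeholder {auth} was not replaced')
    if not have_bundle:
        findings.append('tls-cert-bundle missing: upstream certificates cannot be validated')
    if not tls_upstream:
        findings.append('forward-tls-upstream is not "yes": queries leave in cleartext')
    return findings
```

Note that a line written as `forward-addr: 1.1.1.1@853   #CloudFlare` (with a space before the `#`) is reported as lacking an auth name, because Unbound drops that trailing part as a comment.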

That's what I'm trying to do with Cloudflare.

Did you add the above to Custom options with your gateway ID?

Under Miscellaneous do you have anything under DNS over TLS Servers?

Do you have DoT setup (https://1.1.1.1/help)?

Great post, I had used the same guide not knowing it wasn't the best. 

Cadish, your example has a bunch of XXXX in it, is that default or are we supposed to plug in some type of information there?

Thank you all!

Hi all,

First of all, this is to setup DoT using Cloudflare Teams, not just Cloudflare. Teams is free under 50 users.

Quote from: g0nz0uk on April 03, 2021, 11:57:32 PM
Do you have DoT setup (https://1.1.1.1/help)?
Yes! This is my result: https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6IlllcyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJCUlUiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==

Quote from: g0nz0uk on April 03, 2021, 11:57:32 PM
Did you add the above to Custom options with your gateway ID?

Under Miscellaneous do you have anything under DNS over TLS Servers?
Yes, you should add the above code into Custom Options, but change the xxxxxxxxx with your gateway ID from Cloudflare.
Both fields under Miscellaneous are empty.

Quote from: Nnyan on April 06, 2021, 09:01:56 AM
Cadish, your example has a bunch of xxxxxxxxx in it, is that default or are we supposed to plug in some type of information there?
Yes, the xxxxxxxxx is something you need to replace with your Gateway ID from Cloudflare. It's an ID which is linked to a Location that you've set. You can find it in your Cloudflare Teams Dashboard > Gateway > Locations > Edit (on a location). On that page, you can find the IDs to replace the xxxxxxxxx with.

Once you've setup this, you should see the DNS requests in the logs on your Cloudflare Teams Dashboard as well (Logs > Gateway).

Awesome!  Thank you.  I had tried it with just the xxxx's and that did not play well.  =  )  I now see the requests in the Teams logs.


I ended up going back to just plain Cloudflare DNS IPs.  The CF Teams DNS added extra lag to all my computers (mostly during the "resolving host" which normally goes really fast but also "connecting" and "waiting for cache"). As soon as I switched back everyone's browsing was back to normal.

I think you should give a try to the Sensei addon. You can set "Moderate Control" in the default policy and add desired websites to "Auto Whitelist Hosts". This is one of the many things Sensei can filter and monitor. Look at the "App Controls" to filter specific services or apps. I've blocked M$ updates and telemetry in my home network, so no sudden lags and restart on my computers anymore.
Proxmox enthusiast @home, bare metal @work.