How to use setting under Unbound:"Verfiy if CN in certficate matches"

Started by ryp43, August 06, 2021, 06:34:25 PM

Would like to know what shall be entered under the setting under Unbound: "Verfiy if CN in certficate matches" for Cloudflare DNS?

Also, the setting is terribly misspelled.

Figured it out - it's CNAME of a DNS server. For Cloudflare, it's 'one.one.one.one'

Not entirely the CNAME in the DNS sense, but rather the hostname to verify in the SSL certificate.

https://github.com/opnsense/core/commit/d824e7163b0 ;)


Cheers,
Franco

Sorry for calling it "terrible", but you missed the "certificate" misspelling.



1.1.1.1 / 1.0.0.1  <--> cloudflare-dns.com

Block malware:
1.1.1.2 / 1.0.0.2  <--> security.cloudflare-dns.com

EDIT:
Block malware and adult content:
1.1.1.3 / 1.0.0.3  <--> family.cloudflare-dns.com

This setting prevents unbound from starting on my box:

1.1.1.3 / 1.0.0.3  <--> security.cloudflare-dns.com

Any idea what other CN I could try?

Thanks a heap!

EDIT
family.cloudflare-dns.com seems to work. However, unbound failed to start automatically but required a manual restart after adding the DoT CN.
/EDIT



Hi!
May I ask how to check if the provided "verify CN" works fine?
I tried to figure out what to use with quad9... I found it may be dns.quad9.net... can I confirm this with opnsense logs or something?
One day, I will understand all of this!

I took a look at the cloudflare.com SSL certificates.
Here is the list of addresses, Common Names, and Subject Alternative Names (SAN):

Cloudflare SSL certificates

Addresses: 1.1.1.1  &  1.0.0.1
Common name: cloudflare-dns.com
                SAN: DNS Name=cloudflare-dns.com
                        DNS Name=*.cloudflare-dns.com
                        DNS Name=one.one.one.one
                        IP Address=1.1.1.1
                        IP Address=1.0.0.1
                        IP Address=162.159.36.1
                        IP Address=162.159.46.1
                        IP Address=2606:4700:4700:0000:0000:0000:0000:1111
                        IP Address=2606:4700:4700:0000:0000:0000:0000:1001
                        IP Address=2606:4700:4700:0000:0000:0000:0000:0064
                        IP Address=2606:4700:4700:0000:0000:0000:0000:6400


Addresses:  1.1.1.2  &  1.0.0.2
Common name: security.cloudflare-dns.com
                SAN: IP Address=2606:4700:4700:0000:0000:0000:0000:1112
                        IP Address=2606:4700:4700:0000:0000:0000:0000:1002
                        DNS Name=security.cloudflare-dns.com
                        DNS Name=*.security.cloudflare-dns.com
                        IP Address=1.1.1.2
                        IP Address=1.0.0.2

Addresses:  1.1.1.3  &  1.0.0.3
Common name: family.cloudflare-dns.com
                SAN: IP Address=2606:4700:4700:0000:0000:0000:0000:1113
                        IP Address=2606:4700:4700:0000:0000:0000:0000:1003
                        DNS Name=family.cloudflare-dns.com
                        DNS Name=*.family.cloudflare-dns.com
                        IP Address=1.1.1.3
                        IP Address=1.0.0.3
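To answer the "how do I check the verify CN" question above, here is a small Python check added to this thread (not OPNsense or Unbound code). The SAN table is hand-copied from the post above, so treat it as constructed sample data; `san_matches` applies the hostname/IP matching rules a TLS client uses, and `live_check` connects to port 853 and lets OpenSSL perform the real chain and hostname verification.

```python
import ipaddress
import socket
import ssl

# Constructed from the SAN lists quoted in this thread (not a live fetch).
# Shape mirrors ssl.SSLSocket.getpeercert()["subjectAltName"].
CLOUDFLARE_SANS = {
    "1.1.1.1": (("DNS", "cloudflare-dns.com"), ("DNS", "*.cloudflare-dns.com"),
                ("DNS", "one.one.one.one"), ("IP Address", "1.1.1.1"),
                ("IP Address", "1.0.0.1")),
    "1.1.1.2": (("DNS", "security.cloudflare-dns.com"),
                ("DNS", "*.security.cloudflare-dns.com"),
                ("IP Address", "1.1.1.2"), ("IP Address", "1.0.0.2")),
    "1.1.1.3": (("DNS", "family.cloudflare-dns.com"),
                ("DNS", "*.family.cloudflare-dns.com"),
                ("IP Address", "1.1.1.3"), ("IP Address", "1.0.0.3")),
}

def _dns_label_match(pattern, hostname):
    """RFC 6125 style match: '*' is only allowed as the whole leftmost label and
    matches exactly one label (*.x.com covers a.x.com, not a.b.x.com or x.com)."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # refuse bare "*.com" wildcards
    return p == h

def san_matches(sans, name):
    """True if `name` (hostname or IP literal) is covered by the SAN list.
    An IP literal only matches IP Address entries, a hostname only DNS entries."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_label_match(value, name):
            return True
    return False

def live_check(ip, cn, port=853, timeout=5):
    """Connect to a DoT server and let OpenSSL verify chain and hostname;
    raises ssl.SSLCertVerificationError if `cn` is not in the certificate."""
    ctx = ssl.create_default_context()   # system CA bundle, hostname check enabled
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=cn) as tls:
            return tls.getpeercert()["subjectAltName"]
```

Running `san_matches(CLOUDFLARE_SANS["1.1.1.3"], "security.cloudflare-dns.com")` returns False, which is exactly the mismatch that kept Unbound from starting earlier in this thread.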


Thanks, wasn't aware of these 4

IP Address=162.159.36.1
IP Address=162.159.46.1
IP Address=2606:4700:4700:0000:0000:0000:0000:0064
IP Address=2606:4700:4700:0000:0000:0000:0000:6400

https://ssl-tools.net/webservers/cloudflare-dns.com