OPNsense 21.7.1 - New Fresh Guaranteed DNS OVER TLS

Started by directnupe, October 13, 2021, 06:42:51 PM

Previous topic - Next topic
Quote from: comet on November 02, 2021, 12:34:58 PM
To start with I am not in any way knocking you for posting these instructions, I'm sure you took a lot of time to write them up and for that you should be commended.  But what I find incredible is that you have to go through all this in the first place.  I am sorry, but this is just WAAAAAY too difficult for any average user (and maybe some readers think only technically minded people use OPNsense, but that's not necessarily true). This kind of reminds me of the method you had to use to set up an Internet connection back in the very early days of Windows, until Microsoft came out with a version of Windows that made setting up network connectivity relatively painless.

What OPNsense needs is a page specifically for enabling DNS over TLS, that would be used by both OPNsense itself and by any device on the local network that uses the OPNsense IP address for DNS (including devices that use DHCP to get their network connectivity information).  And that page should have exactly two things:


  • A checkbox to enable or disable DNS over TLS
  • A textbox with a list of servers capable of receiving DNS over TLS queries (and/or alternately, checkboxes to enable or disable certain popular and well-known servers)

And that's ALL.  If anything else is needed then OPNsense should assume sensible defaults, and not trouble the user about them.  For those that simply must have the ability to tweak, you could have an Advanced Settings section, but this should be pre-populated with a working configuration.

Features that are hard to use don't get used, except by a very small minority that actually has the knowledge and patience to use them.  OPNsense is really bad about making some features much harder to use than they should be.  Another example of this is intrusion detection - that's another one that ideally should be "just click on a checkbox to turn it on and done (unless you really have a burning desire to tweak the advanced settings)."  When you need an article this long to explain how to do something that should be drop-dead easy, that's a real design failure.  Look at how easy it is to turn on DNS over HTTPS in Firefox - you go to the Network Settings and click one checkbox at the bottom of the Connection Settings pane, and either use the default provider or use a custom one.  That's how easy it should be in any decent router software!  And I HOPE that is how easy it will be in some future version of OPNsense.

See if this is simple enough for you

https://forum.opnsense.org/index.php?topic=25614.0

and if command line work is to daunting a task for you - you can configure AdGuardHome through WEBGUI

Peace

Quote from: opnfwb on November 04, 2021, 11:43:45 PM
Quote from: comet on November 04, 2021, 07:33:54 PM
Thank you for explaining all that.  I took a look at the Unbound configuration and saw what you are talking about, the only thing I don't really understand is that there is a field for "Verify CN" (the help tip is "Verify if CN in certificate matches this value") but I am not sure what you are supposed to put there.  If you look at the list of servers in the top post there is nothing indicated as a "CN"; I do see that most have "tls_pubkey_pinset" entries but I assume that's not the same thing.
With all due respect and I don't mean this negatively but this shows you haven't look in to how DoT works. You'll either need a pinset or ideally, avoid using a pinset and instead have the TLS connection match with the dns name issued to the certificate so that the resolver can verify that the queries are actually coming from an intended source (dns.quad9.net, one.one.one.one, etc. etc.). This is no doubt more complicated than "regular" DNS, but then again so is an Unbound resolver (which OPNsense ships with by default) compared to a dnsmasq based forwarder configuration in most consumer gear.

Quote from: comet on November 04, 2021, 07:33:54 PM
The other thing is there are no default or suggested entries; .....  Or failing that, a link to an article somewhere that contains that information.
Stubby ships with a default config. The DoT providers that you wish to use will need to be your own decision. It's quite normal to not ship a list of defaults because people may not want them or even worse, they could end up being monetized and not in a user's interest for privacy. Again the rule here is if you're going to enable DoT, you'll need to do a small amount of searching to understand it and make the choice which provider you think has your best interests in mind. I wouldn't expect OPNsense devs, or anyone else for that matter, to do that for me.

Again not trying to sound like a "let me google that for you" post but this is all covered extensively here in the forums over many years (DoT was first launched with an Unbound update back in April 2018).

Basic info here and some config examples (note, the config isn't needed because new OPNsense does that for you with the DoT GUI page): https://www.ctrl.blog/entry/unbound-tls-forwarding.html

A discussion about the two major DoT providers, CloudFlare and Quad9, and additional input from Quad9's management. CloudFlare also posts in that thread with their input.: https://www.snbforums.com/threads/cloud9-dns.56918/

Quote from: comet on November 04, 2021, 07:33:54 PM
Maybe DNS over TLS is too new, or there really are that few servers that support it, if so I apologize if I am asking for too much, but I am just trying to understand if this is something that is possible. As for the comment about the article being for those "that wish to try something a bit more performant than Unbound DoT", I guess I would say that while I suppose everyone would like maximum performance (however they define that), not everyone has the time, patience, or ability to learn how to tweak things to the very max (that's as true of computer networking as it is of mechanical things such as car engines).  I would just be happy if it works reliably and doesn't become a bottleneck to network traffic.
If you just want working and reliable DoT with minimal configuration, the built in DoT GUI page in OPNsense is the way to go. Choose a DoT provider, input their port, IP, DNS name and you're up and running.

You also need to be aware of the differences between a resolver and a forwarder. Anytime you go DoT, you're always putting all of your trust in the provider you choose to forward your queries to. You're essentially abdicating the resolver portion of Unbound and just having it forward all of its queries to a chosen provider. Yes, they will be encrypted so that your ISP can't see them, but the provider can still decrypt and see them. So you're exchanging anonymity at the DNS level for anonymity between your ISP and your DNS traffic.

OPNsense ships by default in resolver mode, which means all of your DNS queries are sent in plaintext so that your ISP (or anyone else) in the middle can potentially see them, but the queries are sent randomly to hundreds of various root servers and the local Unbound service within OPNsense resolves them and caches them. OPNsense also has two easy check boxes during the initial setup to enable DNSSEC in resolver mode, which adds an additional layer of security from the root resolvers (there's those nice check boxes again  ;) ) The likelihood that a single DNS provider would be able to get enough metadata on your network activity would be reduced, at the expense of everyone else being able to potentially see it on the wire. It's always a trade off. You need to educate yourself and decide. And yes, most people just give up and use consumer gear or just use the defaults at this stage in the game.


Thanks for taking the time and patience to try to explain things to do guy. God Bless You. Check out my new work :

https://forum.opnsense.org/index.php?topic=25614.0

Peace

@directnupe first of all, great job for the nice guide !

Quick one: I noticed in both Stubby config file and Unbound conf file, you mentioned the round robin mechanism: is it necessary or perhaps is redundant?

Tia.

Probably too late but to your question, it is optional.
In roundrobin, stubby will distribute the calls to the different resolvers. Of course it assumes more than one.
If roundrobin off, it would only move to another resolver if one fails.

Reading through this partially answered may questions, so the only difference between this and the built in method is speed? You can do all of this using unbound, is the point of this a speed increase, and if so, what kind of increase do you see?  Thank you!