Using DNS over TLS (DoT)not working

[Julien]

Hi guys,
i previously had Dot working fine, the tutoriali i followed is this https://www.dnsknowledge.com/unbound/opnsense-set-up-and-configure-dns-over-tls-dot/

after the latest update the DoT seems stopped working, atleast the https://1.1.1.1/help shows its NO.

when i run

tcpdump -i igb1853

it shows some 853 succecfull connections.
can someone please advies of the Dot behaivor has been changed on the latest release?

DNSLEAK shows my DNS is correct "see screenshot:.
the logs shows the Dot.

Code: [Select]

2021-11-16T00:40:11 unbound[38963] [38963:1] info: Verified that unsigned response is INSECURE
2021-11-16T00:40:11 unbound[38963] [38963:1] info: NSEC3s for the referral proved no DS.
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving azure.com. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: Verified that unsigned response is INSECURE
2021-11-16T00:40:11 unbound[38963] [38963:1] info: NSEC3s for the referral proved no DS.
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving trafficmanager.net. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: Verified that unsigned response is INSECURE
2021-11-16T00:40:11 unbound[38963] [38963:1] info: NSEC3s for the referral proved no DS.
2021-11-16T00:40:11 unbound[38963] [38963:1] info: query response was nodata ANSWER
2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853
2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for microsoft.com. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving microsoft.com. DS IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: query response was ANSWER
2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853
2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for teams.events.data.microsoft.com. A IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving teams.events.data.microsoft.com. A IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: query response was CNAME
2021-11-16T00:40:11 unbound[38963] [38963:1] info: reply from <.> 1.1.1.1#853
2021-11-16T00:40:11 unbound[38963] [38963:1] info: response for teams.events.data.microsoft.com. A IN
2021-11-16T00:40:11 unbound[38963] [38963:1] info: resolving teams.events.data.microsoft.com. A IN

what am i doing wrong?

Thank you

[KHE]

Hi,

the field Verify CN was added . There you can provide the Common Name of the DoT server.
For the cloudflare DNS server you can use one.one.one.one. 1.1.1.1 has also some other names which I do not remember.
Also, did you enable DNSSEC?

And if you disabled the Forwarding Mode and the unbound is still working, then DoT still works.
Also, I am not sure if https://1.1.1.1/help only analyzes your client, and between your computer and opnsense no DoT is used.

KH

[Julien]

Hi,

the field Verify CN was added . There you can provide the Common Name of the DoT server.
For the cloudflare DNS server you can use one.one.one.one. 1.1.1.1 has also some other names which I do not remember.
Also, did you enable DNSSEC?

And if you disabled the Forwarding Mode and the unbound is still working, then DoT still works.
Also, I am not sure if https://1.1.1.1/help only analyzes your client, and between your computer and opnsense no DoT is used.

KH

Thank you for your answer
what cn name is cloudflare using?

when i use cloudflar-dns.com my clients stops working, and the log on the dns keeps showing.
without CN the requests are not encrypted.

Code: [Select]

2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.1.1.1 port 853
2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.1.1.1 port 853
2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.0.0.1 port 853
2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:23 unbound[40850] [40850:4] notice: ssl handshake failed 1.0.0.1 port 853
2021-11-16T02:21:23 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:18 unbound[40850] [40850:4] notice: ssl handshake failed 1.0.0.1 port 853
2021-11-16T02:21:18 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-11-16T02:21:18 unbound[40850] [40850:4] notice: ssl handshake failed 1.0.0.1 port 853
2021-11-16T02:21:18 unbound[40850] [40850:4] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Edit : issue is resolved.
after doing some reasch the cn is

1.1.1.1 / 1.0.0.1  <--> cloudflare-dns.com

Block malware:
1.1.1.2 / 1.0.0.2  <--> security.cloudflare-dns.com

Block malware and adult content:
1.1.1.3 / 1.0.0.3  <--> security.cloudflare-dns.com


the internet is working however the https://1.1.1.1/help still shwoing Dot is No.

what am i doing wrong?

[Reactive]

https://community.cloudflare.com/t/dns-over-dot-with-unbound-opnsense/339348/3

Looks like I got them to ticket themselves over the /help and esni checker.. finally