Author Topic: How to use setting under Unbound:"Verfiy if CN in certficate matches"  (Read 5543 times)

ryp43

How to use setting under Unbound:"Verfiy if CN in certficate matches"
« on: August 06, 2021, 06:34:25 pm »
Would like to know what shall be entered under the setting under Unbound: "Verfiy if CN in certficate matches" for Cloudflare DNS?

Also, the setting is terribly misspelled.
Logged

ryp43

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #1 on: August 06, 2021, 07:04:03 pm »
Figured it out - it's the CNAME of a DNS server. For Cloudflare, it's 'one.one.one.one'.
Logged

franco

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #2 on: August 06, 2021, 09:42:58 pm »
Not entirely the CNAME in the DNS sense, but rather the hostname to verify in the SSL certificate.

https://github.com/opnsense/core/commit/d824e7163b0 ;)


Cheers,
Franco
Logged

ryp43

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #3 on: August 06, 2021, 09:56:07 pm »
Sorry for calling it "terrible", but you missed the "certificate" misspelling.
Logged

franco

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #4 on: August 06, 2021, 10:01:21 pm »
No problem at all. Missed this one. Thanks again!

https://github.com/opnsense/core/commit/25b98610


Cheers,
Franco
Logged

mnaim

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #5 on: August 13, 2021, 02:35:24 pm »
Based on this: https://developers.cloudflare.com/1.1.1.1/dns-over-tls
cloudflare-dns.com is the correct CN in the certificate.
Logged

hushcoden

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #6 on: August 14, 2021, 09:49:19 pm »
1.1.1.1 / 1.0.0.1  <--> cloudflare-dns.com

Block malware:
1.1.1.2 / 1.0.0.2  <--> security.cloudflare-dns.com

EDIT:
Block malware and adult content:
1.1.1.3 / 1.0.0.3  <--> family.cloudflare-dns.com
« Last Edit: November 28, 2021, 11:55:19 am by hushcoden »
Logged

adk20

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #7 on: November 27, 2021, 10:48:49 pm »
This setting prevents unbound from starting on my box:

1.1.1.3 / 1.0.0.3  <--> security.cloudflare-dns.com

Any idea what other CN I could try?

Thanks a heap!

EDIT
family.cloudflare-dns.com seems to work. However, unbound failed to start automatically but required a manual restart after adding the DoT CN.
/EDIT

« Last Edit: November 27, 2021, 11:01:17 pm by adk20 »
Logged

hushcoden

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #8 on: November 28, 2021, 11:54:38 am »
Thanks adk20, I've amended my post  8)
Logged

GiantJack

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #9 on: December 12, 2021, 09:37:31 pm »
Hi!
May I ask how to check if the provided "verify CN" works fine?
I tried to figure out what to use with Quad9... I found it may be dns.quad9.net... Can I confirm this with OPNsense logs or something?
Logged
One day, I will understand all of this !

Gary7

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #10 on: December 13, 2021, 06:17:09 am »
I took a look at the cloudflare.com SSL certificates.
Here is the list of addresses, Common Names, and Subject Alternative Names (SAN)

Cloudflare SSL certificates

Addresses: 1.1.1.1  &  1.0.0.1
Common name: cloudflare-dns.com
SAN:
    DNS Name=cloudflare-dns.com
    DNS Name=*.cloudflare-dns.com
    DNS Name=one.one.one.one
    IP Address=1.1.1.1
    IP Address=1.0.0.1
    IP Address=162.159.36.1
    IP Address=162.159.46.1
    IP Address=2606:4700:4700:0000:0000:0000:0000:1111
    IP Address=2606:4700:4700:0000:0000:0000:0000:1001
    IP Address=2606:4700:4700:0000:0000:0000:0000:0064
    IP Address=2606:4700:4700:0000:0000:0000:0000:6400

Addresses: 1.1.1.2  &  1.0.0.2
Common name: security.cloudflare-dns.com
SAN:
    IP Address=2606:4700:4700:0000:0000:0000:0000:1112
    IP Address=2606:4700:4700:0000:0000:0000:0000:1002
    DNS Name=security.cloudflare-dns.com
    DNS Name=*.security.cloudflare-dns.com
    IP Address=1.1.1.2
    IP Address=1.0.0.2

Addresses: 1.1.1.3  &  1.0.0.3
Common name: family.cloudflare-dns.com
SAN:
    IP Address=2606:4700:4700:0000:0000:0000:0000:1113
    IP Address=2606:4700:4700:0000:0000:0000:0000:1003
    DNS Name=family.cloudflare-dns.com
    DNS Name=*.family.cloudflare-dns.com
    IP Address=1.1.1.3
    IP Address=1.0.0.3

Logged
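
Added example, not part of any post in this thread and not OPNsense or Unbound code: a check of which configured names each certificate from the listing in Reply #10 would accept, which also covers the question in Reply #9 about confirming a name. The SAN table is copied from that listing; `name_matches`, `accepting_san` and `check_live` are names made up for this sketch, and the matching rule is the usual RFC 6125-style one (exact name or single-label wildcard), going slightly beyond the pairs discussed in the thread.

```python
import socket
import ssl

# Added illustration; helper names are made up for this sketch.
# DNS-name SAN entries per resolver, copied from the listing in Reply #10.
CERT_DNS_NAMES = {
    "1.1.1.1": ["cloudflare-dns.com", "*.cloudflare-dns.com", "one.one.one.one"],
    "1.1.1.2": ["security.cloudflare-dns.com", "*.security.cloudflare-dns.com"],
    "1.1.1.3": ["family.cloudflare-dns.com", "*.family.cloudflare-dns.com"],
}

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' may only be the whole left-most label
    and stands for exactly one label (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def accepting_san(resolver_ip, configured_name):
    """Return the SAN entry that accepts configured_name, or None when
    no entry matches and certificate verification would fail."""
    for san in CERT_DNS_NAMES[resolver_ip]:
        if name_matches(san, configured_name):
            return san
    return None

def check_live(resolver_ip, configured_name, port=853, timeout=5.0):
    """Online check (needs network): TLS handshake with the DoT port,
    verifying the chain and configured_name. Returns (ok, detail)."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((resolver_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=configured_name) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:
        return False, str(exc)

if __name__ == "__main__":
    for ip, name in [("1.1.1.1", "one.one.one.one"),
                     ("1.1.1.3", "security.cloudflare-dns.com"),
                     ("1.1.1.3", "family.cloudflare-dns.com"),
                     ("1.1.1.1", "family.cloudflare-dns.com")]:
        print(ip, name, "->", accepting_san(ip, name) or "NO MATCH")
```

Going by the listing, the wildcard entry on the 1.1.1.1 certificate also accepts family.cloudflare-dns.com, so a passing name check confirms the certificate but not which filtering tier an address serves; pair each name with the addresses listed for it.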

ryp43

Re: How to use setting under Unbound:"Verfiy if CN in certficate matches"
« Reply #11 on: December 13, 2021, 07:47:59 am »
Thanks, wasn't aware of these 4

IP Address=162.159.36.1
IP Address=162.159.46.1
IP Address=2606:4700:4700:0000:0000:0000:0000:0064
IP Address=2606:4700:4700:0000:0000:0000:0000:6400

https://ssl-tools.net/webservers/cloudflare-dns.com

Logged
