Unbound DoT uncertainty

Started by Imnot A Robot, December 09, 2021, 05:48:34 PM

The 1.1.1.1/help webpage shows "NO" on using DNS over TLS. However, Connectivity to Resolver IP Address is "YES".

I guess it's a Cloudflare engineering issue as per this post: https://community.cloudflare.com/t/cloudflare-dot-and-dnssec/118414/17

Still, any concerns with this log?

[65483:1] info: Verified that unsigned response is INSECURE
[65483:1] info: NSEC3s for the referral proved no DS.
[65483:1] info: reply from <.> 1.1.1.1#853


I already have FIREWALL and NAT>PORT FORWARD rules for port 53 as per OPNsense forum: https://forum.opnsense.org/index.php?topic=9245.0

Do I have to include port 853 rules anywhere in the firewall?


Thanks,
Chris
21.7.6

I'm having a similar problem. It had been working, but it is not anymore; I found out when I randomly checked the 1.1.1.1/help page.

2021-12-25T10:55:06   unbound[60183]   [60183:0] info: Verified that unsigned response is INSECURE
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: NSEC3s for the referral proved no DS.
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: resolving amazonaws.com. DS IN
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: Verified that unsigned response is INSECURE
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: NSEC3s for the referral proved no DS.
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: resolving netflix.com. DS IN
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: query response was ANSWER
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: reply from <.> 9.9.9.10#853

ideas?
Qotom i7-7500u 16gb 128ssd
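
As an added example (not from any poster in this thread), a small Python script that classifies Unbound log lines like the ones quoted above: it separates the INSECURE lines (unsigned zones, which the "NSEC3s ... proved no DS" line shows were proven unsigned) from genuine validation failures, and records which upstream and port each forwarded reply came back on, so you can see whether replies really arrive over 853. The log text is constructed from the lines above, with one plain-port reply and one validation failure added for contrast.

```python
import re
from collections import Counter

# Constructed sample modelled on the unbound lines quoted above, plus one plain-port reply and one failure
SAMPLE_LOG = """\
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: Verified that unsigned response is INSECURE
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: NSEC3s for the referral proved no DS.
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: resolving netflix.com. DS IN
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: query response was ANSWER
2021-12-25T10:55:06   unbound[60183]   [60183:0] info: reply from <.> 9.9.9.10#853
2021-12-25T10:55:07   unbound[60183]   [60183:0] info: reply from <.> 1.1.1.1#53
2021-12-25T10:55:08   unbound[60183]   [60183:0] info: validation failure <example.test. A IN>: signature crypto failed
"""

REPLY_RE = re.compile(r"reply from <[^>]*> (?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)")

def parse_reply(line):
    """Return (upstream address, port) for a 'reply from' line, else None."""
    m = REPLY_RE.search(line)
    return (m.group("addr"), int(m.group("port"))) if m else None

def summarize(log_text):
    """Count DNSSEC outcomes and which upstream/port each forwarded reply used."""
    s = {"insecure": 0, "bogus": 0, "replies": Counter()}
    for line in log_text.splitlines():
        if "is INSECURE" in line:
            s["insecure"] += 1  # unsigned zone, proven by NSEC3 'no DS': normal, not an error
        elif "validation failure" in line:
            s["bogus"] += 1     # signed zone whose signatures did not verify: worth a look
        reply = parse_reply(line)
        if reply:
            s["replies"][reply] += 1
    return s

def assess(summary):
    """Turn the counts into the findings a reader of this thread would want."""
    findings = []
    plain = sorted({addr for addr, port in summary["replies"] if port != 853})
    if plain:
        findings.append("replies over plain port 53 from: " + ", ".join(plain))
    elif summary["replies"]:
        findings.append("all forwarded replies arrived via port 853 (DoT in use)")
    if summary["insecure"]:
        findings.append(f"{summary['insecure']} INSECURE result(s): unsigned zones, not an error")
    if summary["bogus"]:
        findings.append(f"{summary['bogus']} validation failure(s): signed zone did not verify")
    return findings

print(*assess(summarize(SAMPLE_LOG)), sep="\n")
```

Run it against the real log with `SAMPLE_LOG` replaced by the file contents; any upstream listed under "plain port 53" is one that is not being reached over TLS.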

I'm finding that if I turn off DNSSEC it works. From what I have read elsewhere, DNSSEC becomes irrelevant if using DoT. I'm not sure if that is correct.
I'd love it if someone set up a simple, correct guide on how to get DoT up and running with CF. A lot of config options have changed since the GUI was updated, and I can't really make heads or tails of it anymore.
I have it running; I'm just not sure if it's the correct way, as it seems to choke a bit sometimes.

Quote from: Reactive on December 27, 2021, 01:41:05 AM
From what I have read elsewhere, DNSSEC becomes irrelevant if using DoT.
Ah, WRONG.

DoT, DoH and DoQ only take care of the privacy of your DNS queries.
DNSSEC takes care of the authenticity of the answer.
More here: https://www.netmeister.org/blog/doh-dot-dnssec.html.

KH