English Forums > Zenarmor (Sensei)

Tutorial: How to Configure DoT on OPNsense Firewall?


beki:
Dear beloved Zenarmor Users,

All DNS queries are routed in plaintext. Your ISP or a hacker can intercept transmissions via UDP and TCP protocol 53 in plaintext to compromise the site's DNS queries and responses. For this reason, we should encrypt our DNS queries for security purposes. DNS over TLS (DoT) is a security protocol that utilizes Transport Layer Security (TLS) to encrypt DNS traffic and is one of the most common DNS security solutions.

This tutorial will help you configure the OPNsense DNS resolver to encrypt all DNS queries in order to prevent surveillance and enhance your online privacy and security.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-dot-on-opnsense

Best Regards,

Zenarmor Team

Monviech:
Does this really improve security and privacy though?

You are giving a recursive DNS server of a provider like Google and Cloudflare all of your DNS queries; they can easily profile you, undermining the privacy statement.

Additionally, DNS over TLS doesn't secure you from hackers. The recursive DNS servers still have to query the DNS root servers, which communicate unencrypted (also with each authoritative DNS server of a domain). That means now the hacker has an easy single point to poison DNS entries: the big centralized recursive DNS providers. And everybody has a false sense of security. And since DNS is based on trust anyway (since everybody is allowed to publish DNS records on their authoritative DNS servers), you can't prevent malicious data sources that replicate through DNS, even if you then get it encrypted from your centralized recursive resolver (like Google and Cloudflare). It's all automatic after all.

In my opinion, the best way to ensure your privacy and security is to use your own recursive DNS resolver, which is the standard configuration of Unbound in the OPNsense. It leverages the decentralized structure of DNS.
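To make the two positions in this thread concrete, here is an added Unbound configuration example (not from the thread, the Zenarmor tutorial, or the OPNsense project) showing the forwarding-over-DoT setup the tutorial describes beside the plain recursive setup Monviech recommends, with DNSSEC validation enabled in both cases. File paths and the LAN address are assumptions; the Quad9 addresses and hostname are the provider's public ones, and the claim that the OPNsense GUI (Services > Unbound DNS) writes equivalent directives is an assumption.

```conf
# Added example, not from the thread or the linked tutorial.
# Paths below are assumptions for OPNsense's Unbound layout.

server:
    interface: 192.168.1.1                  # constructed LAN address
    access-control: 192.168.1.0/24 allow

    # DNSSEC validation: the resolver checks signatures itself, so a
    # forged answer for a signed zone is rejected no matter which upstream
    # (DoT forwarder or authoritative server) delivered it. This is the
    # check that addresses the poisoning concern raised in the thread.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"   # assumption: OPNsense path
    harden-dnssec-stripped: yes
    qname-minimisation: yes                 # send each server only the labels it needs

    # CA bundle used to verify the DoT upstream's certificate (assumption: FreeBSD path)
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Option A: DNS over TLS to a public resolver (what the tutorial sets up).
# Every query goes to one provider over TLS on port 853. The "#hostname"
# suffix makes Unbound verify the server certificate against that name;
# without it the session is encrypted but the peer is not authenticated,
# which is the weak form of this setting.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net            # Quad9, as named in the thread
    forward-addr: 149.112.112.112@853#dns.quad9.net

# Option B: plain recursion (the OPNsense Unbound default, Monviech's choice).
# Remove the forward-zone block above and Unbound walks from the root
# servers to the authoritative servers itself. Those hops are unencrypted,
# but no single third party sees the full query stream, and the DNSSEC
# validation configured in the server section still protects signed zones.
```

Run `unbound-checkconf` against the file to catch syntax errors before reloading. The trade-off the thread is arguing about is visible in the two options: A hides the query stream from the ISP but hands it whole to one provider and depends on that provider's certificate and recursion; B spreads queries across many authoritative servers in the clear. DNSSEC validation is the part that limits spoofing in either case, which is why it sits in the shared server section rather than in one option.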

Patrick M. Hausen:

--- Quote from: Monviech on February 27, 2024, 09:08:30 pm ---In my opinion, the best way to ensure your privacy and security is to use your own recursive DNS resolver, which is the standard configuration of Unbound in the OPNsense. It leverages the decentralized structure of DNS.

--- End quote ---
Amen, brother. (emphasis mine)

Seimus:

--- Quote from: Patrick M. Hausen on February 27, 2024, 10:28:50 pm ---
--- Quote from: Monviech on February 27, 2024, 09:08:30 pm ---In my opinion, the best way to ensure your privacy and security is to use your own recursive DNS resolver, which is the standard configuration of Unbound in the OPNsense. It leverages the decentralized structure of DNS.

--- End quote ---
Amen, brother. (emphasis mine)

--- End quote ---

Bless you both, holy words. I agree.

Even though DoT is "nice to have", it is partially a placebo effect for people thinking they are super duper secure on the DNS side, created by misconception and misunderstanding of how it works behind the dedicated DoT DNS server on the "last mile".

Regards,
S.

almodovaris:
I have DoT to Quad9. Not a commercial organization. Logs are kept for 24 hours, only to prevent abuse.

I trust that Quad9 operators know what they do. And that is above my pay grade.
