Tutorial: How to Configure DoT on OPNsense Firewall?

Started by beki, February 27, 2024, 10:06:06 AM

Dear beloved Zenarmor Users,

All DNS queries are routed in plaintext. Your ISP or a hacker can intercept transmissions via UDP and TCP protocol 53 in plaintext to compromise the site's DNS queries and responses. For this reason, we should encrypt our DNS queries for security purposes. DNS over TLS (DoT) is a security protocol that utilizes Transport Layer Security (TLS) to encrypt DNS traffic and is one of the most common DNS security solutions.

This tutorial will help you configure the OPNsense DNS resolver to encrypt all DNS queries in order to prevent surveillance and enhance your online privacy and security.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-dot-on-opnsense

Best Regards,

Zenarmor Team

February 27, 2024, 09:08:30 PM #1 Last Edit: February 27, 2024, 09:43:59 PM by Monviech
Does this really improve security and privacy though?

You are giving a recursive DNS Server of a provider like google and cloudflare all of your DNS queries, they can easily profile you, undermining the privacy statement.

Additionally, DNS over TLS doesn't secure you from hackers. The recursive DNS servers still have to query the DNS root servers, which communicate unencrypted (also with each authoritative DNS server of a domain). That means now the hacker has an easy single point to poison DNS entries, the big centralized recursive DNS providers. And everybody has a false sense of security. And since DNS is based on trust anyway (since everybody is allowed to publish DNS records on their authoritative DNS servers) you can't prevent malicious data sources that replicate through DNS, even if you then get it encrypted from your centralized recursive resolver (like Google and Cloudflare). It's all automatic after all.

In my opinion, the best way to ensure your privacy and security is to use your own recursive DNS resolver, which is the standard configuration of Unbound in the OPNsense. It leverages the decentral structure of DNS.
Hardware:
DEC740

Quote from: Monviech on February 27, 2024, 09:08:30 PM
In my opinion, the best way to ensure your privacy and security is to use your own recursive DNS resolver, which is the standard configuration of Unbound in the OPNsense. It leverages the decentral structure of DNS.
Amen, brother. (emphasis mine)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on February 27, 2024, 10:28:50 PM
Quote from: Monviech on February 27, 2024, 09:08:30 PM
In my opinion, the best way to ensure your privacy and security is to use your own recursive DNS resolver, which is the standard configuration of Unbound in the OPNsense. It leverages the decentral structure of DNS.
Amen, brother. (emphasis mine)

Bless you both, holy words. I agree.

Even though DoT is "nice to have", it is partially a placebo effect for people thinking they are super duper secure on the DNS side, created by misconception and misunderstanding of how it works behind the dedicated DoT DNS server on the "last mile".

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

I have DoT to Quad9. Not a commercial organization. Logs are kept for 24 hours, only to prevent abuse.

I trust that Quad9 operators know what they do. And that is above my pay grade.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

The interesting question is what they are going to do when the feds knock on their door with a national security letter?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quad9 is run by a cooperation of several national Police organizations. So, they are not enemies of the FBI.

And if the Police wants to know what I do with my computers/mobile phones, they are legally allowed to intercept my traffic and hack my devices.

Anyway: for the law-abiding citizens, Police is their friend, not their enemy.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Quote from: almodovaris on February 28, 2024, 08:12:24 PM
I have DoT to Quad9. Not a commercial organization. Logs are kept for 24 hours, only to prevent abuse.

I trust that Quad9 operators know what they do. And that is above my pay grade.

Look at their Sponsors who pay the bills. LOL

If you only want to use something perfect: DNS is by default not perfect, so you should not use it.

What can they find about me through DNS calls? That I use Wikipedia and that I'm a Usenet leecher. Usenet leeching is not prosecuted in my country.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Speaking of man-in-the-middle, in my case, I prefer using DNS-over-TLS with Cloudflare because of their no-tracking/logging policies, but also because it's one less way my ISP (Verizon) can track the home usage.

For those who have similar ISPs that love to log everything and sell customer data, DoT could be useful.

How to configure Unbound as a recursive DNS resolver?

Quote from: peterwkc on December 30, 2024, 09:34:32 AM
How to configure Unbound as a recursive DNS resolver?

Simple: install OPNsense. It's the default.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
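To make the two options discussed in this thread concrete (the DoT forwarding the Zenarmor tutorial sets up, versus the plain recursive operation that OPNsense ships as its Unbound default), here is a hand-written unbound.conf showing both side by side. This is an added example, not the tutorial's steps and not the configuration OPNsense generates from its GUI; the LAN address, the certificate bundle path and the trust-anchor path are assumptions, and the Quad9 and Cloudflare addresses are the providers' public resolvers named in the thread.

```conf
# Added example: two ways Unbound can answer a LAN's queries.
# Use the "server:" block plus EXACTLY ONE of section A or section B.

server:
    interface: 192.0.2.1                  # assumed LAN address (RFC 5737 documentation range)
    access-control: 192.0.2.0/24 allow    # only the LAN may query this resolver
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # CA bundle used to verify the upstream resolver's certificate in section A.
    # Assumed path; on OPNsense/FreeBSD check where the ca_root_nss bundle lives.
    tls-cert-bundle: /etc/ssl/cert.pem
    # DNSSEC validation of answers. Assumed path for the root trust anchor.
    # This is the standard mitigation for the poisoning concern raised above:
    # forged records fail validation regardless of which path they arrived by.
    auto-trust-anchor-file: "/var/unbound/root.key"

# ---------------------------------------------------------------------------
# Section A: forward everything over DNS-over-TLS (what the tutorial configures).
# Every query leaves the firewall encrypted on TCP/853, so the ISP cannot read
# it; the chosen upstream sees all of it, which is the privacy trade-off the
# thread discusses. The "#hostname" suffix makes Unbound check that the
# certificate presented on the connection is issued for that name.
# ---------------------------------------------------------------------------
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Alternative upstream mentioned in the thread:
    # forward-addr: 1.1.1.1@853#cloudflare-dns.com

# ---------------------------------------------------------------------------
# Section B: full recursion (the OPNsense default). No forward-zone at all:
# Unbound starts from its built-in root hints and walks root -> TLD ->
# authoritative itself. No single third party sees every query, but the
# resolver's own queries to authoritative servers are plaintext UDP/TCP 53,
# which is the caveat Monviech points out.
# ---------------------------------------------------------------------------
# (intentionally empty: remove the forward-zone above and Unbound recurses)
```

After editing, `unbound-checkconf /path/to/unbound.conf` reports syntax errors before a restart, and a query such as `dig @192.0.2.1 example.com` followed by a look at the firewall's outbound connections shows the difference: section A produces only TCP/853 sessions to the configured upstream, section B produces port-53 traffic to many authoritative servers.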