DoT for dns Local/LAN / adguard home and bind

[RamSense]

Hi, I am wondering if this is possible:
I am running Opnsense with Adguard Home (plugin) and Bind (plugin). So that every DNS/port 53 goes to Adguard home. Adguard Home has 127.0.0.1:5354 as upstream (Bind), bind has no DNS Forwarders. This way every lookup will go to the dns root servers, if not yet unknown/cache. As I have learned in the past from this forum, this gives more privacy while no root dns "has it all" and better than trusting the 1.1.1.1 server or your ISP encrypted dns server who "has it all". This is working great.

However, every local/LAN dns lookup is plain dns / unencrypted. Is there a way to make LAN also DoT? e.g. Adguard Home DoT to Bind? Maybe plain dns is a small risk on LAN, but if it can be secured, why not doing so.

I am eager to learn your solution(s) for this.

[RamSense]

I found Bind supports DoT and I found that I must add the below items in /usr/local/etc/namedb/named.conf

 

      // Listen on port 853 for DoT
        tls-port 853;

      // Path to your certificate and key
       tls-cert "/var/etc/cert.pem";
       tls-key "/var/etc/key.pem";

   // Enable TLS
      listen-on port 853 { 127.0.0.1; };

But when I use above cert, Bind won't start anymore, what is the right cert/key file location? Or how do you generate the needed cert files?

I can than point Adguard home to DoT Bind 853 and set Adguard Home - settings - Encryption settings -> Enable plain DNS -> to disabled

Or?

[dseven]

Where did you get that config? It doesn't appear to be correct. Derived from some random stackexchange Google result, the following "works", but it will clobbered if you make any changes to the Bind config using the OPNsense WebUI...

Add this to the options section:

Code: [Select]

listen-on port 853 tls local-tls { 127.0.0.1; };
and add a new section:

Code: [Select]

tls local-tls {
        cert-file "/var/etc/cert.pem";
        key-file "/var/etc/key.pem";
};
named should start with that, and be listening on port 853, using the cert normally used for the OPNsense WebUI.

I wouldn't expect AGH to trust that cert, though - both in that it's self-signed, and in that its identity (probably) doesn't line up with what AGH will be looking for (the DNS name or IP address that you use in the DoT URL). I don't see any immediately obvious way to tell AGH to trust a given self-signed cert, so even if you could craft one with the required identity, I'm not sure how you'd get AGH to trust it. It might be possible. I'm not sure.

What problem are you actually trying to solve here anyway? It seems like a lot of complexity for a problem that's not really clear (to me)....

[RamSense]

Hi dseven,

thank you for your reply and info.

What problem are you actually trying to solve here anyway? It seems like a lot of complexity for a problem that's not really clear (to me)....

The key idea I came up with is that dns traffic on LAN is plane dns, and was wondering if that could be changed to encrytped dns on LAN. Thisway making it impossible for the utopian case that DNS would be sniffed by something on LAN network

p.s. your config works for Bind. It starts and runs.
From terminal using dig, I can conform using TLS:

dig @127.0.0.1 google.com +tls

; <<>> DiG 9.20.2 <<>> @127.0.0.1 google.com +tls
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25158
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 19fc68c433fb6a90010000006714f4f3deedd5f14a92df93 (good)
;; QUESTION SECTION:
;google.com.         IN   A

;; ANSWER SECTION:
google.com.      300   IN   A   142.250.179.174

;; Query time: 6 msec
;; SERVER: 127.0.0.1#853(127.0.0.1) (TLS)
;; WHEN: Sun Oct 20 14:17:55 CEST 2024
;; MSG SIZE  rcvd: 83

Adguard home - DNS Settings - Upstream DNS Servers - tls://127.0.0.1:853 or 127.0.0.1:853 - don't work or connect.

[dseven]

What problem are you actually trying to solve here anyway? It seems like a lot of complexity for a problem that's not really clear (to me)....

The key idea I came up with is that dns traffic on LAN is plane dns, and was wondering if that could be changed to encrytped dns on LAN. Thisway making it impossible for the utopian case that DNS would be sniffed by something on LAN network

But having Bind do TLS on localhost for AGH doesn't get you there - the clients on your LAN will (presumably) still be talking to AGH over port 53 with no "security".

p.s. your config works for Bind. It starts and runs.

<...snip...>

Adguard home - DNS Settings - Upstream DNS Servers - tls://127.0.0.1:853 or 127.0.0.1:853 - don't work or connect.

I would expect because the cert is not trusted.

[RamSense]

thanks again for the reply and help.

the clients on your LAN will (presumably) still be talking to AGH over port 53 with no "security".

-> I think that is the answer than, clients will use plain dns over port 53, so there is no way to secure DNS more on LAN

[newsense]

Set up encryption for AGH, do your research on how to connect your clients securely to AGH depending on the OS and/or app.

The AGH to Bind is less important if both are running on the FW, there's no rogue traffic there to be concerned about.

[RamSense]

Thanks newsense,

The AGH to Bind is less important if both are running on the FW, there's no rogue traffic there to be concerned about.

good to know. Both are running on the FW.

AGH encryption is setup. What do you mean by connect your cliens securely to AGH?
e.g. Iphone iOS:

Code: [Select]

    From the home screen, tap Settings.
    Choose Wi-Fi in the left menu (it is impossible to configure DNS for mobile networks).
    Tap on the name of the currently active network.
    In the DNS field enter your AdGuard Home server addresses.
This is not needed, it already states my opnsense/AGH ip, while all my DNS queries are sent to AGH by Opnsense.
Or do you mean on iphone itself, under wifi, changing dns ip to manual and add tls://IP-AGH ? or do you mean installing the Adguard for iOS App?

[hushcoden]

I am running Opnsense with Adguard Home (plugin) and Bind (plugin). So that every DNS/port 53 goes to Adguard home. Adguard Home has 127.0.0.1:5354 as upstream (Bind), bind has no DNS Forwarders. This way every lookup will go to the dns root servers, if not yet unknown/cache. As I have learned in the past from this forum, this gives more privacy while no root dns "has it all" and better than trusting the 1.1.1.1 server or your ISP encrypted dns server who "has it all". This is working great.

Hi, I'm still learning about DNS & privacy, and I believe that config - i.e. device on LAN -> ADG Home -> Bind -> root servers -  leaves the lookups to the root DNS servers in plain tex for your ISP to inspect (if they want to): if so, this dosn't give you full privacy, correct?

[Patrick M. Hausen]

@hushcode yes, but I trust my ISP located in the EU and bound by GDPR among other legislation a great deal more than the US companies behind 1.1.1.1 or 8.8.8.8.

As always YMMV.