DNS, DoH, DoT, DoQ, DNSCrypt, DNSSEC - Privacy and Filtering

Started by Mario_Rossi, Today at 12:25:58 AM

Hi, I'm looking for information, but the topic is very complex and fragmented. I'm not sure if this is the right section; if so, I apologize.

The question is simple to say, but far from done.
On the one hand, I'd like my firewall to monitor all DNS queries to filter out ads and other malicious/unwanted content. On the other, I'd like all outgoing queries from my firewall to be secure and anonymized (as much as possible).

I've found several discussions online, but they're starting to get old, so they don't match the latest versions of OPNsense and the various plugins/services, or things have simply changed.

I'd like to start a discussion, perhaps to be updated over time based on the evolution of OPNsense and the world out there. Possibly divided into sections for those who use third-party plugins like PiHole/ADGuard integrated into the OPNsense installation or on other VMs/CTs/devices within their network, those who only use unbound/firewall rules, and those who want to use a combination of these tools. As you can imagine, it's all incredibly complex and has a lot of variables.

Hi, good ask. From my point of view there is not one way to go. There are multiple roads to follow, just what you like most.
I'm no pro on this topic, but after my extended search/reading/trying, I came to this setup:

Opnsense with Adguard Home plugin + as upstream DNS Opnsense Bind (with DNSSEC) (with NO DNS Forwarders)

This way only the DNS root servers get queried, and no single DNS server has all your queries: the most privacy other than with DoH/DoT/DNSCrypt.
Deciso DEC850v2

The privacy question is something we can debate endlessly.  For every argument on why one thing is better, there is likely a valid counterargument.  A lot depends on your specific context.

- Where do you live?
- What is your threat model?
- Who are you trying to hide your DNS queries from?  Who are you OK giving them to?

For example, one argument could be that using Unbound in recursive resolver mode is better for privacy because it spreads your queries and no one server has your full query.

A counterpoint to that is that your ISP can see those and maybe you don't want them selling your data. In that case, DoT to an upstream resolver like Quad9 might be better. (In which case you probably also want a VPN so they don't see the dest. IP in your connections.)

And then someone else will counter-counter with an argument that encryption can be broken and "they" can man-in-the-middle you or decrypt your data anyway.

...
Pick your poison.  At the end of the day someone is going to get your queries.  You choose who you intend to give them to and how, but also accept that unintended audiences can and probably will get them.
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI

OK, that's a start.

I would therefore divide the issue into two parts:
  • Filter requests from clients within the network
    • Smart TVs
    • Android devices
    • various "smart" systems
    • Clients (win/linux/ios/etc)
  • Improve privacy.

I know that smart TVs and Android systems with GAPPS are the most complex to filter.
Their manufacturers have vested interests and make a lot of money profiling users, so they do everything they can to obtain as much data as possible.
For other "smart" devices, it's necessary to analyze them on a case-by-case basis.
Clients are potentially the simplest to manage, although much also depends on the individual applications, which could bypass the system DNS and use other ones.

According to my information, the situation is as follows:
  • Classic DNS on port 53
    Easy to intercept and filter
  • DoH TCP/443
    Requires MITM to be analyzed
  • DoT TCP/853
    Requires MITM to be analyzed
  • DoQ TCP/853
    Requires MITM to be analyzed

  • Android (with GApps): DoT TCP/853
  • Apple: DoT TCP/853 + DoH TCP/443
  • Browser (Chrome Secure DNS/Firefox TRR): DoH TCP/443, but filterable with an extension like AdGuard

DoH and DoQ are easily blocked if they use port 853; block that with the firewall and the systems must use something else.

There's little you can do about DoH; either you start doing MITM or it passes.
And this could be a separate section.

For firewall exit, I see the following applicable strategies:
  • Full recursive (DNSSEC + QNAME minimization)
  • Encrypted forwarder (DoT/DoH/DoQ)
  • ODoH / Anonymized DNSCrypt
As you rightly said, it's more of a matter of choosing the lesser of two evils.
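The port/protocol split described in the post above (53 plain DNS, 853 DoT/DoQ, 443 DoH) is what a firewall can act on. Below is an added example, not code from this thread or from OPNsense, that applies that split as detection logic over a few constructed flow records to show which clients bypass the local resolver and which of those bypasses are blockable versus only suspectable. The local resolver address, the log format and the "known DoH resolver" list are assumptions made for the example; the IPs are documentation-range placeholders.

```python
"""
Added example: classify flow records to find DNS traffic that bypasses the
firewall's local resolver (Unbound / AdGuard Home / Pi-hole), using the
port mapping discussed in the thread: 53 plain DNS, 853 DoT (TCP) and DoQ
(UDP/QUIC), 443 DoH.  Nothing here is OPNsense code; the remediation on the
firewall would be a NAT redirect for port 53 and a block rule for port 853.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed for the example: the firewall's LAN address where the local resolver listens.
LOCAL_RESOLVER = "192.168.1.1"

# Placeholder set of resolver addresses known to offer DoH on 443 (constructed
# for the example; in practice this would come from a maintained list).
KNOWN_DOH_RESOLVERS = {"203.0.113.10", "203.0.113.11"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def classify(flow: Flow) -> str:
    """Map one flow to a category that tells the operator what can be done about it."""
    if flow.dport == 53:
        if flow.dst == LOCAL_RESOLVER:
            return "local-dns"       # goes through the filtering resolver: fine
        return "dns-bypass"          # plain DNS to an outside server: redirectable (NAT) to the local resolver
    if flow.dport == 853:
        if flow.proto == "tcp":
            return "dot"             # DNS over TLS: cannot be filtered; blocking 853 forces a fallback to port 53
        return "doq"                 # DNS over QUIC (UDP/853): same treatment as DoT
    if flow.dport == 443 and flow.dst in KNOWN_DOH_RESOLVERS:
        return "doh-suspect"         # HTTPS to a known DoH endpoint: not inspectable without MITM, only blockable by destination
    return "other"                   # ordinary traffic, including DoH to an unlisted endpoint (indistinguishable from web)


def parse_flow(line: str) -> Flow:
    # Constructed log format for the example: "<src> <dst> <proto> <dport>"
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


# Constructed sample records: one well-behaved client, one using an outside
# plain resolver, one using DoT and DoQ, one talking HTTPS to a DoH endpoint.
SAMPLE_LOG = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.30 203.0.113.53 udp 53
192.168.1.40 203.0.113.53 tcp 853
192.168.1.40 203.0.113.53 udp 853
192.168.1.50 203.0.113.10 tcp 443
192.168.1.50 198.51.100.7 tcp 443
"""


def summarize(log: str) -> Dict[str, List[str]]:
    """Return, per category, the source hosts observed in the log."""
    out: Dict[str, List[str]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        out.setdefault(classify(f), []).append(f.src)
    return out


if __name__ == "__main__":
    for category, hosts in summarize(SAMPLE_LOG).items():
        print(f"{category:12s} {', '.join(hosts)}")
```

The useful output is the set of hosts in `dns-bypass`, `dot` and `doq`, because those are the ones a port-53 redirect and a port-853 block actually bring back under the local filter. Hosts in `doh-suspect` can only be cut off by destination, and anything in `other` that is really DoH to an unlisted endpoint will never show up here, which is exactly the point the post makes about DoH.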

IMHO people very quickly overcomplicate things and start doing weird stuff that makes no sense at some point, so let's keep things simple :

- You have OPNsense.
- You could use its Unbound for your "Query Root DNS Server needs".
- Or you could use Pi-Hole + Unbound the way it's explained here : https://docs.pi-hole.net/guides/dns/unbound/

Now let's kill the biggest issue here : Your Clients and their Applications !!

Quote from: Mario_Rossi on Today at 02:05:37 PM: Smart TVs
Often you get a lot of weird ads shown because of two things :
- You accepted too many EULA's when setting up your TV !!
For example LG WebOS TV's only need the first two and not all 3/4/5 of them selected ;)

- The software installed/used on the device.
The easiest example here is Android TV :

1. Get rid of the Android TV Home Launcher updates !!
This will (hopefully) set you back to the days when the Launcher did not have any ads shown at all and will make sure you have a clean Home Screen with just the stuff you are using and nothing more than that.

If that fails then start thinking about alternatives : https://duckduckgo.com/?q=alternative+android+tv+home+launcher&ia=web
There are both free and paid ones and all of them can be set as the default via ADB Tools after Enabling Developer Mode ;)

2. Make sure to use so called "Modded Clients" as much as possible !!
The easiest example here is not using the official YouTube app and using SmartTube instead : https://github.com/yuliskov/SmartTube

There are also alternative options for LG WebOS TV's after getting yourself a free Developer Account and installing the Developer Mode app which you can find here : https://github.com/webosbrew/dev-manager-desktop

Quote: Android & iOS devices
Basically ditch them completely or at least as much as possible !!

- For Android there are two options :
1. Unlock Bootloader and flash completely alternative software like UB Ports Ubuntu Touch or Jolla SailFish.
2. Unlock Bootloader and flash Custom ROMs or even Privacy Minded ROMs like /e/ OS or GrapheneOS for example.

But you really want that YouTube app when running some flavor of Android don't you ?!
Luckily there is https://github.com/MorpheApp/ for that these days! ;)

- For iOS there is not much you can do :
Either ditch it or just use as little services as possible...

Quote: Clients (win/linux/ios/etc)
Simple :

Avoid Microsoft/Apple/Google as much as possible.
So NO Windows/MacOS/ChromeOS at all !!

And if you really have to then again try using their software as little as possible :
For example : Need a browser ?
Try LibreWolf or Pale Moon instead of Edge/Safari/Chrome.

And if you are using some kind of webbased software that was developed by one of those fake webdevelopers that like supporting "Internet Explorer 6 v2.0" a.k.a. anything based on Chromium, then there is a modded version of that browser available too : https://github.com/uazo/cromite

Quote: DNS over HTTPS - Port 443
All browsers based on Mozilla Firefox have a so called 'Canary Domain' and when combined with Pi-Hole for example the Local DNS Server is respected and used instead of DoH : https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

Quote: That annoying QUIC Protocol
You can of course block it via OPNsense for anything that isn't a browser, but you can also use Advanced/Hidden Settings in browsers to Disable it :
- Mozilla Firefox based browsers : about:config
- Chromium based browsers : chrome://flags
For Microsoft Edge : edge://flags

There are a lot of DNS related Settings in the last two, so make sure you go through all of them and re-check after each update if they have not been reverted to the default settings !!

And that's pretty much it! :)

I wouldn't bother doing anything more than the above to be honest...
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

We've already done the simple things... now let's move on to the complex ones XD

Jokes aside, I agree with what you write.
Anyway, sometimes it's nice to experiment.
At work, we use a PaloAlto firewall; the approach is fundamentally different, but not any simpler... quite the opposite.

Updating Opnsense made my unbound and firewall rules a bit tangled up, so I ran into some serious problems.
I quickly dug up the AdGuard Home CT, which I stored in Proxmox, reset unbound, and redid the basic firewall and DHCP rules.

I've been wanting to experiment with certificates, proxies, and IPs for a while.

I read a lot of requests about DNS management, but they're always very limited to specific cases. I wanted to create a broader discussion so that users looking for information can find a starting point.

Your point remains very valid. I went from a non-smart TV to a 2025 Samsung, and boy, are they full of junk.
I basically reject everything, but if you want to use some things, you have to accept them. I was thinking about switching to a Tegra, but it's always the same old story, the same if I decided to use a mini PC... besides the fact that they're still expensive devices, consume a lot of power, and need maintenance.
Being able to leverage Opnsense and everything else around it to improve the situation wouldn't be bad.


P.S. I use Firefox as my primary browser and Vivaldi as my secondary one.
I'm a Microsoft system administrator, so I can't migrate to Linux :-P

You can, if you want, run AdGuardHome on your OPNsense. Simply add the os-adguardhome-maxit plugin.