***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

[miroco]

Upgrading to 18.1.10 I stayed with the OpenSSL version for a few hours, my default. I had no issues. It was a plain upgrade from 18.1.9 without any changes to the configuration. I then switched to the LibreSSL version (I did not forget the compulsory upgrade) and for the first time, dns-over-tls worked equally well as with OpenSSL. At least as far as I can assess. It's been close to 24 h since I made the switch.

[crt333]

I tried again today without any config changes, and 18.1.10 openssl. Everything is running fine after about 15 hours. Not sure why it failed quickly yesterday and is fine today.

[nle]

Anyone of you that experience ~1 second when you visit a new domain?


Sent from my iPhone using Tapatalk Pro

[franco]

This is what resolvers do: ask DNS root servers for your query and it takes a while. Afterwards the answer is cached and considerably faster to respond on subsequent queries.


Cheers,
Franco

[nle]

Yes, but a second per query? And the ttl does not exactly last long.


Sent from my iPhone using Tapatalk Pro

[franco]

You ask "why", but it's easily possible to say "why not"?

It heavily depends on your network conditions and it's not super unlikely to be 1 second.


Cheers,
Franco

[nle]

Thanks. I'm on a 260mbit / 20 mbit cable connection.

But this got me to dig a bit deeper, and it seems like an internal server (10.233.128.1) of the ISP is the problem. Apparently, it is their DHCP server.

Code: [Select]

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 40 byte packets
 1  10.233.128.1 (10.233.128.1)  969.363 ms  363.980 ms  47.442 ms
 2  cm-<redacted>.getinternet.no (<redacted>)  112.461 ms  102.901 ms  22.952 ms
 3  ae6.no-323-rt1.get.no (185.1.55.18)  7.610 ms  16.708 ms  23.552 ms
 4  185.1.55.41 (185.1.55.41)  27.113 ms  22.835 ms  26.102 ms
 5  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  24.120 ms  23.919 ms  24.059 ms

Code: [Select]

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
 1  opnsense (10.0.0.1)  1.053 ms  0.784 ms  0.743 ms
 2  10.233.128.1 (10.233.128.1)  246.141 ms  13.284 ms  105.476 ms
 3  cm-<redacted>.getinternet.no (<redacted>)  1147.611 ms  555.554 ms  462.964 ms
 4  ae6.no-323-rt1.get.no (185.1.55.18)  10.045 ms  16.408 ms  24.218 ms
 5  185.1.55.41 (185.1.55.41)  164.107 ms  21.188 ms  23.941 ms
 6  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  270.039 ms  175.628 ms  12.147 ms

Code: [Select]

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
 1  opnsense (10.0.0.1)  3.347 ms  0.780 ms  1.008 ms
 2  10.233.128.1 (10.233.128.1)  47.112 ms  891.952 ms  297.987 ms
 3  cm-<redacted>.getinternet.no (<redacted>)  288.130 ms  17.094 ms  126.216 ms
 4  ae6.no-323-rt1.get.no (185.1.55.18)  89.709 ms  19.233 ms  16.726 ms
 5  185.1.55.41 (185.1.55.41)  8.411 ms  13.376 ms  9.940 ms
 6  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  19.957 ms  7.618 ms  16.547 ms
Not sure what's going on, but I guess I should contact my ISP.

[franco]

Unfortunately some ISPs meddle with DNS resolution when you don't use their servers. :/


Cheers,
Franco

[miroco]

This helped me speed up DNS resolution.

Finally, Under Services, DHCP Server, set your DNS Server to your pfSense’s LAN IP.  As your DHCP clients renew their lease they’ll start using pfSense for DNS.

As far as performance if you have low latency to your ISPs DNS you probably won’t notice anything.  But if you’re on a high latency connection  with 70ms pings like I am, this makes a big difference.

https://b3n.org/hijacked-slow-dns-unbound-pfsense/

[nle]

My ISP scheduled maintenance in my area today, and that fixed the problem.

Code: [Select]

traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 40 byte packets
 1  10.233.128.1 (10.233.128.1)  5.552 ms  5.609 ms  6.073 ms
 2  cm-<redacted>.getinternet.no (<redacted>)  6.184 ms  5.962 ms  5.686 ms
 3  ae6.no-323-rt1.get.no (185.1.55.18)  6.356 ms  6.060 ms  5.798 ms
 4  185.1.55.41 (185.1.55.41)  6.215 ms  3.942 ms  6.099 ms
 5  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  5.686 ms  5.894 ms  6.002 ms
Their "IT department" has tried to get a hold of me every day this week (except today), but I haven't been able to pick up the phone in time. Calling back I just get the default customer service, and they apparently sees that it's "IT" that tries to contact me, but they can't put me through since they are not allowed ("IT" decides for themselves when to call – pretty typical I think).

Anyhow, seems like my reporting lit a fire under their ass, and it seems fixed.

[franco]

Cool, glad to hear! 

[thereaper]

I'm OPNsense noob, but have few years behind as a sysadmin. Beware of Cloudflare DNS. They do CDN+SSL, effectively MITMing the client website, terminating SSL to plaintext at edge nodes, and inserting/modifying scripts and html. They can see your passwords for these sites as plaintext and you'll have no idea if the site is behing Cloudflare. Same as with Google DNS, your browsing history (DNS requests) is probably linked to your IP/fingerprint, and then to your profile.

[Serius]

I'm trying to setup DNS over TLS in unbound as per this thread and I don't get it working. So far I've tested with the custom options included by the OP and mjh, but as long as I enter any "forward-zone" or the line "ssl-upstream" it does stop resolving.
Also tried those instructions without success: https://forum.opnsense.org/index.php?topic=9197.msg41265#msg41265

Is it that something changed in opnsense recently or is my isp that is blocking TSL? I've tried with Quad9 non secure dns in general settings and does work.

An example of my custom options that doesn't work:

Code: [Select]

#include:/var/unbound/ad-blacklist.conf

#server:
    log-replies: yes

#    hide-trustanchor: yes
#    harden-large-queries: yes
#    minimal-responses: yes
#    harden-algo-downgrade: yes
#    qname-minimisation-strict: yes
#    ignore-cd-flag: yes
#    use-caps-for-id: yes

#    ssl-upstream: yes

forward-zone:
 name: "."
    forward-ssl-upstream: yes
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
Edit: The next day those settings are working. Don't know what could be, but it seems true that anything get fixed with some rest.

[chemlud]

Did anybody try with newer versions of LibreSSL recently to make this work? Had to switch to openssl to make it work (again?) in summer...

[chemlud]

OK, tried it myself, switched a completely updated x64 full install from openSSL to libreSSL, but within 3 minutes Unbound is ended, the general log says:

Code: [Select]

Oct 12 11:34:47 kernel: pid 50815 (unbound), uid 59: exited on signal 11

and unbound log says:

Code: [Select]

Oct 12 11:34:47 unbound: [50815:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:2] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Oct 12 11:34:47 unbound: [50815:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
OPNsense (c) 2014-2018 Deciso B.V.
-------------------

Manually restarting unbound doesn't help for long:

Code: [Select]

Oct 12 11:40:51 kernel: -> pid: 28971 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Oct 12 11:40:51 kernel: [HBSD SEGVGUARD] [unbound (28971)] Suspension expired.
Oct 12 11:40:51 kernel: pid 28971 (unbound), uid 59: exited on signal 11

in the general log, but no corresponding entries in the unbound log.