directnupe - Posted October 12, 2021

Dear Community,

First, you all know the drill by now - "The Intro" - as a peace loving man and in light of the turbulent times we all must endure, here we go without further ado - Kool and The Gang / https://www.youtube.com/watch?v=JgxWC3iZh7A and the lyrics if you care to sing along - https://genius.com/Kool-and-the-gang-love-and-understanding-lyrics - and one of my favorites - The Chambers Brothers - https://www.youtube.com/watch?v=BvCH-6kOAGs - lyrics here: https://genius.com/The-chambers-brothers-love-peace-and-happiness-lyrics

This is a new, updated guide designed to assist you in installing DNS Privacy DNS OVER TLS on pfSense 2.5.2. Please disregard and do not use any guides and/or tutorials which predate this one. The setup features getdns and Stubby forwarded to and integrated with Unbound. You may refer to my earlier guide/tutorial here for additional information regarding the benefits of DNS Privacy DNS OVER TLS - see link here - https://bit.ly/3p0AGwX

OK - here we go - let's get down to the business at hand. The first thing we must do is install all the necessary packages for this to work properly. Now you need to know that when you try to view the packages on the FreeBSD servers by way of their URL - for example, https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/ - you will get a 403 Forbidden message. There is a remedy/workaround that will let you check exactly which package versions are the most recent ones to install. Go to https://pkgs.org/ - once there, you will see a search box in the upper right-hand corner. Enter the package you wish to find, then go down to FreeBSD 12 (the distributions are listed alphabetically), next click on FreeBSD amd64 (the distro pfSense 2.5.2 is based on), and finally go down to the Download section and copy the download URL found next to the Binary Package entry.
1 - There are four dependency packages required before actually installing the getdns package. Two are available in the pfSense package repositories and two from the FreeBSD repository. Lastly, the getdns package itself is also in the FreeBSD repository. So to begin, enter the commands below in this order:

A # pkg install libuv
B # pkg install libyaml

(both of these install from the native pfSense 2.5.2 box). The following packages must be installed from FreeBSD:

C # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/libev-4.33,1.txz
D # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/libidn-1.35.txz

Now, here is where this guide diverges from its predecessors. There is a new specific iteration of Unbound which pfSense 2.5.2 has installed. The package is called unbound112-1.12.0_1. If you attempt to add the getdns-1.5.2_4.txz package via the pkg add URL method - see below:

# pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/getdns-1.5.2_4.txz

### this will not work! The installation will fail and complain that "missing dependency Unbound" is the reason. So here is the solution to that dilemma. Enter the following command:

E # fetch https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/getdns-1.5.2_4.txz

From there you can enter the command # ls -a / and you will see that the getdns-1.5.2_4.txz package is now in your root directory. Next just enter the command:

F # pkg install getdns-1.5.2_4.txz

Follow the prompts, answering "yes" to any and all. By the way, once this package is successfully installed it must remain in your root directory; DNS OVER TLS will stop working if you remove it for any reason. Now you may proceed in the usual fashion.

2 - Now to put all of this together. The stubby.in file is located at /usr/local/etc/rc.d/stubby by default.
First, though, Stubby needs Unbound's root.key. Run this command before getting started:

# su -m unbound -c /usr/local/sbin/unbound-anchor

Then:

A - Issue this command:

# mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh

Make it executable - I run two commands - it works for me:

# chmod 755 /usr/local/etc/rc.d/stubby.sh

B - Yes, you must enable the Stubby daemon in the file. Open the file with:

# nano /usr/local/etc/rc.d/stubby.sh

Go to line 27:

: ${stubby_enable="NO"}

and change the setting to:

: ${stubby_enable="YES"}

That is all you have to do to this file; it comes pre-configured. Save and exit.

3 - Now you must configure Stubby to resolve DNS OVER TLS.

A - # nano /usr/local/etc/stubby/stubby.yml

Stubby's listen_addresses below and Unbound's forward-addr lines in step 5 must name the same local address and port; 127.0.0.1@8053 and 0::1@8053 are the usual choice for this Stubby-behind-Unbound setup and are what is used here.

################################################################################
######################## STUBBY YAML CONFIG FILE ###############################
################################################################################
# This is a yaml version of the stubby configuration file (it replaces the
# json based stubby.conf file used in earlier versions of getdns/stubby).
#
# For more information see
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
#
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 9000
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
round_robin_upstreams: 1
tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt"
dnssec_trust_anchors: "/usr/local/etc/unbound/root.key"   # add the right path
upstream_recursive_servers:
### IPV4 Servers ###
### DNS Privacy DOT Test Servers ###
## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
  - address_data: 185.49.141.37
  - address_data: 2a04:b900:0:100::38
    tls_auth_name: "getdnsapi.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## 2 - The Surfnet/Sinodun DNS TLS Servers #3 A+ ( NLD )
  - address_data: 145.100.185.18
  - address_data: 2001:610:1:40ba:145:100:185:18
    tls_port: 853
    tls_auth_name: "dnsovertls3.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
## xx - The Surfnet/Sinodun DNS TLS Server A ( NLD )
  - address_data: 145.100.185.15
  - address_data: 2001:610:1:40ba:145:100:185:15
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
## xx - The Surfnet/Sinodun DNS TLS Server #1 A ( NLD )
  - address_data: 145.100.185.16
  - address_data: 2001:610:1:40ba:145:100:185:16
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
## 3 - The dns.cmrg.net DNS TLS Server A+ ( CAN )
  - address_data: 199.58.81.218
  - address_data: 2001:470:1c:76d::53
    tls_auth_name: "dns.cmrg.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
## 4 - The BlahDNS Japan DNS TLS Server A+ ( JPN )
  - address_data: 139.162.112.47
  - address_data: 2400:8902::f03c:92ff:fe27:344b
    tls_auth_name: "dot-jp.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM=
## xx - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU )
  - address_data: 78.46.244.143
  - address_data: 2a01:4f8:c17:ec67::1
    tls_auth_name: "dot-de.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: c6xmf1GsYo1IFyxc+CWfjYo+xpSV9i98H7InJTDylsU=
## xx - The BlahDNS Finland DNS TLS Server A+ ( FIN )
  - address_data: 95.216.212.177
  - address_data: 2a01:4f9:c010:43ce::1
    tls_auth_name: "dot-fi.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: EVL610kmcSvN01nzJkkzl94IHiIVvW0PovbB5En2QfU=
## xx - The BlahDNS Singapore DNS TLS Server A+ ( SGP )
  - address_data: 192.53.175.149
  - address_data: 2400:8901::f03c:92ff:fe27:870a
    tls_auth_name: "dot-sg.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: B+aX4NBLfDsKlOWf8RM6rjL8yOCF9sZlHQnarDNrrWM=
## xx - The BlahDNS Switzerland DNS TLS Server A+ ( CHE )
  - address_data: 45.91.92.121
  - address_data: 2a05:9406::175
    tls_auth_name: "dot-ch.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=
## 5 - The dns.neutopia.org DNS TLS Server A+ ( FRA )
  - address_data: 89.234.186.112
    tls_auth_name: "dns.neutopia.org"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## 6 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT )
  - address_data: 146.255.56.98
  - address_data: 2a02:1b8:10:234::2
    tls_auth_name: "dot1.applied-privacy.net"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: xhQVPE+X85b9LkORuEhxfsxE1X2EbOm8v5ytxCqg5BI=
## 7 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR )
  - address_data: 51.38.83.141
    tls_auth_name: "dns.oszx.co"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Am37BK5eBKSafYNJupWsoh5pokR3wwJ5zs7xvniF6XE=
## 8 - The dismail.de DNS TLS Server #1 A+ ( DEU )
  - address_data: 80.241.218.68
    tls_port: 853
    tls_auth_name: "fdns1.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
## xx - The dismail.de DNS TLS Server #2 A+ ( USA )
  - address_data: 159.69.114.157
    tls_port: 853
    tls_auth_name: "fdns2.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
## 9 - The Lorraine Data Network DNS TLS Server A+ ( FRA )
  - address_data: 80.67.188.188
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## This certificate is currently expired which
## does not pose any concerns in SPKI mode
## (in practice with Stubby)
## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/
## 10 - The ibksturm.synology.me DNS TLS Server A+ ( CHE )
  - address_data: 213.196.191.96
    tls_auth_name: "ibksturm.synology.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yrMslOFXpWeLoNw0YgQk/pA5vl2mqXfBOASYLLeqDxc=
## 11 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL )
  - address_data: 46.239.223.80
    tls_auth_name: "dns.flatuslifir.is"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: b9sJFKc+wycfm4FHB9ddNopdeKceru+sZk0w5nz4xfQ=
### Publicly Available DOT Test Servers ###
## 12 - The FEROZ SALAM DNS TLS Server A+ ( GBR )
  - address_data: 46.101.66.244
    tls_auth_name: "doh.li"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: ugm6mY2NNKi0I/Q+pofAgx0c31tbcW6xYAImZXr5Oqo=
## 13 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR )
  - address_data: 217.169.20.23
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sS2Atff8wMigRVTxmS36FbMaXiCWsxLgD3AOtTA9eeU=
## xx - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR )
  - address_data: 217.169.20.22
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /jchI7afFvSaVm4DCTksJcPHyK7uvbcwNUtTNNV4Bek=
## 14 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS )
  - address_data: 45.76.113.31
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM=
## xx - The dns.seby.io - OVH DNS TLS Server A+ ( AUS )
  - address_data: 139.99.222.72
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /3AxvvuWCQmYQ4/mqHJzPL1rPC7KxaahVPmUkoSVR5A=
## 15 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE )
  - address_data: 185.95.218.43
  - address_data: 2a05:fc84::43
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sAH7JR5A8WA+hs1ZGXPS/uq3Y1wufBi2wQ8Crk+oR2Q=
## xx - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE )
  - address_data: 185.95.218.42
  - address_data: 2a05:fc84::42
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Fpgt86sGjlL4sbgNmd1WX0BYEIEJ7yQk9rp+uQKxI+w=
## 16 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA )
  - address_data: 168.235.81.167
    tls_auth_name: "dns-nyc.aaflalo.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Dn58VD18MLkmmG9wvzvSs30Tu1Rd65igDLpp1odYaAc=
# Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
# tls_ciphersuites option. This option can also be given per upstream.
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_min_version: GETDNS_TLS1_2
# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_max_version: GETDNS_TLS1_3

When I get some time - next day or two - I will post a separate Forum entry which lists many more DNS OVER TLS servers that are publicly available for all. However, these are more than enough to get you started.

4 - In order to have pfSense 2.5.2 use the default start-up script (/usr/local/etc/rc.d/stubby.sh) at boot time, it helps to create a boot-time start-up script for it in /etc/rc.conf.d/. Not to prolong this - do the following:

# touch /etc/rc.conf.d/stubby - create the needed new file
# nano /etc/rc.conf.d/stubby - in the new file enter the following two lines:

stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Save and exit, then make the file executable - once again, works for me:

# chmod 755 /etc/rc.conf.d/stubby

5 - Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS. Go to Services > DNS RESOLVER > General Settings > Display Custom Options. In the Custom options box, enter the following (the two forward-addr lines must match Stubby's listen_addresses from step 3):

server:
do-not-query-localhost: no
forward-zone:
name: "."   # Allow all DNS queries
forward-addr: 127.0.0.1@8053
forward-addr: 0::1@8053

Save and Apply.

6 - Next, under System > General Setup > DNS Server Settings:

A - Set the first DNS Server to 127.0.0.1 and add no other DNS Servers here.
B - DNS Server Override - make sure this is unchecked.
C - DNS Resolution Behavior - Use local DNS (127.0.0.1), fall back to remote DNS SERVERS (Default).

Save and Apply. Reboot your router or run the command:

# /usr/local/etc/rc.d/stubby.sh restart

You are all set up now. You are running DNS OVER TLS with GETDNS plus STUBBY (a fully featured TLS forwarder) along with an Unbound DNS caching server.
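As an added example (not part of this post and not code from the getdns or Stubby projects), a small stdlib-only Python checker for upstream entries of the kind listed above: with tls_authentication set to GETDNS_AUTHENTICATION_REQUIRED, every upstream needs a tls_auth_name or an SPKI pinset, and each sha256 pin must be base64 of exactly 32 bytes. The first two sample entries are copied from the stubby.yml above; the 192.0.2.1 entry is a constructed broken one, and spki_pin shows how a pin value is derived from a DER-encoded SubjectPublicKeyInfo.

```python
import base64
import hashlib

# Three upstream_recursive_servers entries as Python dicts (no YAML parser needed):
# the first two are copied from the stubby.yml above, the third (192.0.2.1) is a
# constructed broken entry with neither tls_auth_name nor a pinset.
SAMPLE_UPSTREAMS = [
    {"address_data": "185.49.141.37", "tls_auth_name": "getdnsapi.net", "tls_port": 853,
     "tls_pubkey_pinset": [{"digest": "sha256",
                            "value": "foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q="}]},
    {"address_data": "80.67.188.188", "tls_port": 443,   # pin-only, like entry 9 above
     "tls_pubkey_pinset": [{"digest": "sha256",
                            "value": "WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM="}]},
    {"address_data": "192.0.2.1", "tls_port": 853},
]


def spki_pin(spki_der: bytes) -> str:
    """The value Stubby pins on: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_is_well_formed(pin: dict) -> bool:
    """A sha256 pin must be valid base64 that decodes to exactly 32 bytes."""
    if pin.get("digest") != "sha256":
        return False
    try:
        raw = base64.b64decode(pin.get("value", ""), validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == 32


def check_upstream(upstream: dict, auth_required: bool = True) -> list:
    """Return the problems found in one upstream entry; an empty list means OK."""
    findings = []
    pins = upstream.get("tls_pubkey_pinset", [])
    for pin in pins:
        if not pin_is_well_formed(pin):
            findings.append("malformed pin: %r" % pin.get("value"))
    # With GETDNS_AUTHENTICATION_REQUIRED Stubby refuses an upstream it cannot
    # authenticate, so an entry with no auth name and no pins will never be used.
    if auth_required and not upstream.get("tls_auth_name") and not pins:
        findings.append("no tls_auth_name and no tls_pubkey_pinset")
    if upstream.get("tls_port", 853) not in (853, 443):
        findings.append("unusual DoT port %s" % upstream["tls_port"])
    return findings
```

Run check_upstream over every entry before restarting Stubby; an upstream that fails authentication is silently skipped at runtime, so a list full of such entries leaves you with no working resolver rather than a visible error.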