OPNsense 21.7.1 - New Fresh Guaranteed DNS OVER TLS

directnupe

Dear Community,
First you all know the drill by now - " The Intro "  - two throwbacks - https://www.youtube.com/watch?v=m5FCcDEA6mY - lyrics -  https://genius.com/Neil-young-southern-man-lyrics  - and don't you know -  https://www.youtube.com/watch?v=wkA7ok5MySk  -  https://genius.com/Funkadelic-if-you-dont-like-the-effects-dont-produce-the-cause-lyrics  - OK - now that our long standing tradition of public elucidation has been fulfilled - let's get down to the business at hand.

Since OPNsense 18.7 you can install stubby and getdns on OPNsense simply by issuing the command # pkg install getdns ( Special Thanks and Kudos to Franco and the marvelous OPNsense Development Team ). Please disregard and do not use any guides and / or tutorials which predate this one covering the installation and configuration of DNS Privacy on the OPNsense firewall. This is an updated guide / tutorial which explains how to add DNS-Over-TLS support to OPNsense. However, there has been a minor ( yet little known ) change in UNBOUND on OPNsense 21.7.1 with regard to configuring it to work with Stubby for DNS Privacy ( DNS OVER TLS ). So, let's get started straight away. See here for the previous, more in-depth guide concerning the benefits of DNS Privacy : https://bit.ly/3j0QT1l

So here we go. Go ahead and issue the command :

A - # pkg install getdns

in order to get started. After installing getdns, which includes stubby, follow the steps below.

1 - Now to put all of this together. The stubby start-up script ( built from stubby.in ) is located at /usr/local/etc/rc.d/stubby by default.
First though, Stubby needs the Unbound root.key - run this command before getting started:

A - # su -m unbound -c /usr/local/sbin/unbound-anchor
Then -
B - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh
Make it executable - I run this command - it works for me:
C - # chmod 755 /usr/local/etc/rc.d/stubby.sh
D - Yes, you must enable the Stubby daemon in the file - open the file with :
E - # nano /usr/local/etc/rc.d/stubby.sh
Go to line 27 - : ${stubby_enable="NO"} - and change the setting to : ${stubby_enable="YES"} -
that is all you have to do to this file. It comes already configured. Save and exit.

2 - Now you must configure Stubby to resolve DNS OVER TLS - enter the command below :

A - # nano /usr/local/etc/stubby/stubby.yml - make your file match something similar to this :

################################################################################
######################## STUBBY YAML CONFIG FILE ###############################
################################################################################
# This is a yaml version of the stubby configuration file (it replaces the
# json based stubby.conf file used in earlier versions of getdns/stubby).
#
# For more information see
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
#

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 9000
listen_addresses:
 - [email protected]
 - 0::[email protected]
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
round_robin_upstreams: 1
tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt"
dnssec_trust_anchors: "/usr/local/etc/unbound/root.key" # add the right path

upstream_recursive_servers:
### IPV4 Servers ###
### DNS Privacy DOT Test Servers ###
## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
## Each address is its own YAML list item, so each one must carry its own
## tls_auth_name / pinset - otherwise the IPv4 entry cannot be authenticated
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
  - address_data: 2a04:b900:0:100::38
    tls_auth_name: "getdnsapi.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## 2 - The Surfnet/Sinodun DNS TLS Servers #3  A+ ( NLD )
  - address_data: 145.100.185.18
    tls_port: 853
    tls_auth_name: "dnsovertls3.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
  - address_data: 2001:610:1:40ba:145:100:185:18
    tls_port: 853
    tls_auth_name: "dnsovertls3.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
## xx - The Surfnet/Sinodun DNS TLS Server  A ( NLD )
  - address_data: 145.100.185.15
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  - address_data: 2001:610:1:40ba:145:100:185:15
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
## xx - The Surfnet/Sinodun DNS TLS Server #1  A ( NLD )
  - address_data: 145.100.185.16
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  - address_data: 2001:610:1:40ba:145:100:185:16
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
## 3 - The dns.cmrg.net DNS TLS Server  A+ ( CAN )
  - address_data: 199.58.81.218
    tls_auth_name: "dns.cmrg.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
  - address_data: 2001:470:1c:76d::53
    tls_auth_name: "dns.cmrg.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
## 4 - The BlahDNS Japan DNS TLS Server  A+ ( JPN )
  - address_data: 139.162.112.47
    tls_auth_name: "dot-jp.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM=
  - address_data: 2400:8902::f03c:92ff:fe27:344b
    tls_auth_name: "dot-jp.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM=
## xx - The BlahDNS German DNS TLS Server  A+ ( USA Hosted In DEU )
  - address_data: 78.46.244.143
    tls_auth_name: "dot-de.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: c6xmf1GsYo1IFyxc+CWfjYo+xpSV9i98H7InJTDylsU=
  - address_data: 2a01:4f8:c17:ec67::1
    tls_auth_name: "dot-de.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: c6xmf1GsYo1IFyxc+CWfjYo+xpSV9i98H7InJTDylsU=
## xx - The BlahDNS Finland DNS TLS Server  A+ ( FIN )
  - address_data: 95.216.212.177
    tls_auth_name: "dot-fi.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: EVL610kmcSvN01nzJkkzl94IHiIVvW0PovbB5En2QfU=
  - address_data: 2a01:4f9:c010:43ce::1
    tls_auth_name: "dot-fi.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: EVL610kmcSvN01nzJkkzl94IHiIVvW0PovbB5En2QfU=
## xx - The BlahDNS Singapore DNS TLS Server  A+ ( SGP )
  - address_data: 192.53.175.149
    tls_auth_name: "dot-sg.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: B+aX4NBLfDsKlOWf8RM6rjL8yOCF9sZlHQnarDNrrWM=
  - address_data: 2400:8901::f03c:92ff:fe27:870a
    tls_auth_name: "dot-sg.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: B+aX4NBLfDsKlOWf8RM6rjL8yOCF9sZlHQnarDNrrWM=
## xx - The BlahDNS Switzerland DNS TLS Server  A+ ( CHE )
  - address_data: 45.91.92.121
    tls_auth_name: "dot-ch.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=
  - address_data: 2a05:9406::175
    tls_auth_name: "dot-ch.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=
## 5 - The dns.neutopia.org  DNS TLS Server  A+ ( FRA )
  - address_data: 89.234.186.112
    tls_auth_name: "dns.neutopia.org"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## 6 - The Foundation for Applied Privacy DNS TLS Server #1  A+ ( AUT )
  - address_data: 146.255.56.98
    tls_auth_name: "dot1.applied-privacy.net"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: xhQVPE+X85b9LkORuEhxfsxE1X2EbOm8v5ytxCqg5BI=
  - address_data: 2a02:1b8:10:234::2
    tls_auth_name: "dot1.applied-privacy.net"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: xhQVPE+X85b9LkORuEhxfsxE1X2EbOm8v5ytxCqg5BI=
## 7 - The Secure DNS Project by PumpleX DNS TLS Server #1  A+ ( GBR )
  - address_data: 51.38.83.141
    tls_auth_name: "dns.oszx.co"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Am37BK5eBKSafYNJupWsoh5pokR3wwJ5zs7xvniF6XE=
## 8 - The dismail.de DNS TLS Server #1  A+ ( DEU )
  - address_data: 80.241.218.68
    tls_port: 853
    tls_auth_name: "fdns1.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
## xx - The dismail.de DNS TLS Server #2  A+ ( USA )
  - address_data: 159.69.114.157
    tls_port: 853
    tls_auth_name: "fdns2.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
## 9 - The Lorraine Data Network DNS TLS Server A+ ( FRA )
  - address_data: 80.67.188.188
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## This certificate is currently expired which
## does not pose any concerns in SPKI mode
## (in practice with Stubby)
## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/
## 10 - The ibksturm.synology.me DNS TLS Server  A+ ( CHE )
  - address_data: 213.196.191.96
    tls_auth_name: "ibksturm.synology.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yrMslOFXpWeLoNw0YgQk/pA5vl2mqXfBOASYLLeqDxc=
## 11 - The dns.flatuslifir.is DNS TLS Server  A+ ( ISL )
  - address_data: 46.239.223.80
    tls_auth_name: "dns.flatuslifir.is"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: b9sJFKc+wycfm4FHB9ddNopdeKceru+sZk0w5nz4xfQ=
### Publicly Available DOT Test Servers ###
## 12 - The FEROZ SALAM DNS TLS Server  A+ ( GBR )
  - address_data: 46.101.66.244
    tls_auth_name: "doh.li"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: ugm6mY2NNKi0I/Q+pofAgx0c31tbcW6xYAImZXr5Oqo=
## 13 - The Andrews & Arnold DNS TLS Server #1  A+ ( GBR )
  - address_data: 217.169.20.23
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sS2Atff8wMigRVTxmS36FbMaXiCWsxLgD3AOtTA9eeU=
## xx - The Andrews & Arnold DNS TLS Server #2  A+ ( GBR )
  - address_data: 217.169.20.22
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /jchI7afFvSaVm4DCTksJcPHyK7uvbcwNUtTNNV4Bek=
## 14 - The dns.seby.io - Vultr DNS TLS Server  A+ ( AUS )
  - address_data: 45.76.113.31
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM=
## xx - The dns.seby.io - OVH DNS TLS Server  A+ ( AUS )
  - address_data: 139.99.222.72
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /3AxvvuWCQmYQ4/mqHJzPL1rPC7KxaahVPmUkoSVR5A=
## 15 - The Digitale Gesellschaft DNS TLS Server #1  A+ ( CHE )
  - address_data: 185.95.218.43
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sAH7JR5A8WA+hs1ZGXPS/uq3Y1wufBi2wQ8Crk+oR2Q=
  - address_data: 2a05:fc84::43
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sAH7JR5A8WA+hs1ZGXPS/uq3Y1wufBi2wQ8Crk+oR2Q=
## xx - The Digitale Gesellschaft DNS TLS Server #2  A+ ( CHE )
  - address_data: 185.95.218.42
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Fpgt86sGjlL4sbgNmd1WX0BYEIEJ7yQk9rp+uQKxI+w=
  - address_data: 2a05:fc84::42
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Fpgt86sGjlL4sbgNmd1WX0BYEIEJ7yQk9rp+uQKxI+w=
## 16 - The Antoine Aflalo DNS TLS Server #1  A+ ( USA )
  - address_data: 168.235.81.167
    tls_auth_name: "dns-nyc.aaflalo.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Dn58VD18MLkmmG9wvzvSs30Tu1Rd65igDLpp1odYaAc=

# Set the acceptable ciphers for DNS over TLS.  With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
#tls_ciphersuites option. This option can also be given per upstream.
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_min_version: GETDNS_TLS1_2
# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_max_version: GETDNS_TLS1_3

When I get some time - next day or two - I will post a separate Forum entry which lists
many more DNS OVER TLS servers that are publicly available. However, these are more than
enough to get you started.
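As an added check of my own ( not part of the original post, and not Stubby's code ), the following Python script reads the upstream list of a stubby.yml written in the layout above and reports every upstream that carries neither tls_auth_name nor a pin while tls_authentication is GETDNS_AUTHENTICATION_REQUIRED. YAML treats every "- address_data:" line as a new list item, so an IPv4 line stacked directly above an IPv6 line inherits none of the auth settings placed below it; the sample document, addresses and pin are constructed.

```python
import base64

# Constructed sample in the layout of the stubby.yml above (documentation
# addresses and an all-zero pin, not the page's servers).  The second upstream
# stacks two "- address_data:" lines above one auth block, which YAML reads
# as two separate list items - only the second one gets the auth settings.
SAMPLE_STUBBY_YML = f"""\
resolution_type: GETDNS_RESOLUTION_STUB
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
upstream_recursive_servers:
## 1 - well-formed entry: address, auth name and pin on one item
  - address_data: 192.0.2.10
    tls_auth_name: "dot.example.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: {base64.b64encode(bytes(32)).decode()}
## 2 - two addresses, but only the second item carries the auth data
  - address_data: 192.0.2.11
  - address_data: 2001:db8::11
    tls_auth_name: "dot2.example.net"
    tls_port: 853
"""


def parse_upstreams(text):
    """Line parser for the YAML subset Stubby's upstream list uses.
    Returns (tls_authentication value, list of upstream dicts)."""
    auth_mode, upstreams, current, in_list = None, [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments
        key, _, val = line.strip().partition(":")      # first ':' ends the key
        val = val.strip().strip('"')
        if not key:
            continue
        if not line.startswith(" "):                   # top-level key
            in_list = key == "upstream_recursive_servers"
            if key == "tls_authentication":
                auth_mode = val
        elif in_list and key == "- address_data":      # each "-" starts a new item
            current = {"address_data": val, "pinned": False}
            upstreams.append(current)
        elif in_list and key == "- digest":            # inside tls_pubkey_pinset
            current["pinned"] = True
        elif in_list and current is not None:          # tls_auth_name, tls_port, ...
            current[key] = val
    return auth_mode, upstreams


def unauthenticated_upstreams(text):
    """Addresses of upstreams Stubby cannot authenticate: neither tls_auth_name
    nor a pin, while tls_authentication is GETDNS_AUTHENTICATION_REQUIRED."""
    auth_mode, upstreams = parse_upstreams(text)
    if auth_mode != "GETDNS_AUTHENTICATION_REQUIRED":
        return []                                      # opportunistic mode
    return [up["address_data"] for up in upstreams
            if not (up.get("tls_auth_name") or up["pinned"])]


if __name__ == "__main__":
    print(unauthenticated_upstreams(SAMPLE_STUBBY_YML))   # ['192.0.2.11']
```

Run it against your own file with unauthenticated_upstreams(open("/usr/local/etc/stubby/stubby.yml").read()); an empty list means every upstream has something Stubby can verify the TLS connection against.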

3 - In order to have OPNsense 21.7.1 run the default start-up script ( /usr/local/etc/rc.d/stubby.sh )
at boot time, it helps to create a boot-time start-up file for it in /etc/rc.conf.d/.
Not to prolong this - do the following :

# touch /etc/rc.conf.d/stubby   - create the needed new file
# nano /etc/rc.conf.d/stubby   - in the new file enter the following two lines:

stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Save and exit / then make the file executable - once again - works for me :

# chmod 755 /etc/rc.conf.d/stubby

4 - Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.
This is where there has been a ( major ) change to UNBOUND on OPNsense 21.7.1 .
The bottom line is that there is no longer any option for you
to configure UNBOUND Custom Options via the OPNsense 21.7.1 WEBGUI.

A - See here for the changes -  https://bit.ly/3vfx1MT - then scroll down to Advanced Configurations.
There you may read about the changes I alluded to earlier.

So here is how we go about configuring the Unbound/Stubby combination for OPNsense 21.7.1 :

Some users combine Unbound ( as a caching proxy with other features such as DNS blacklisting )
and Stubby ( as a fully featured TLS forwarder ). This is what we are out to achieve.

Advanced Configurations
Some installations require configuration settings that are not accessible in the UI. To support these,
individual configuration files with a .conf extension can be put into the
/usr/local/etc/unbound.opnsense.d directory.

Now, theoretically, you should be able to create the needed file by doing the following :

B - # touch /usr/local/etc/unbound.opnsense.d/unbound_srv.conf
C - # nano /usr/local/etc/unbound.opnsense.d/unbound_srv.conf

Enter the following in the new file, as detailed below :

####################################################

### Unbound Advanced Configuration
server:
tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
hide-trustanchor: yes
harden-glue: yes
harden-dnssec-stripped: yes
num-threads: 4
rrset-cache-size: 256m
msg-cache-size: 128m
so-rcvbuf: 1m
val-clean-additional: yes
minimal-responses: yes
harden-referral-path: yes
aggressive-nsec: yes
prefetch: yes
qname-minimisation: yes
qname-minimisation-strict: yes
rrset-roundrobin: yes
target-fetch-policy: "0 0 0 0 0"
max-udp-size: 3072
harden-below-nxdomain: yes
ip-ratelimit: 300
ip-ratelimit-factor: 10
incoming-num-tcp: 100
edns-buffer-size: 1472

do-not-query-localhost: no
forward-zone:
 name: "."    # Allow all DNS queries
 forward-addr: [email protected]
 forward-addr: 0::[email protected]

##################################################

*** Note that the file you create must end in .conf in order to be automatically
included by the UI-generated configuration. Also, name collisions with plugin code
which uses this extension point ( e.g. dnsbl.conf ) may occur, so be sure to use a unique filename.

unbound_srv.conf is a unique filename on OPNsense 21.7.1 for sure - trust me.

5 - Now, I have one caveat - when I created this file ( as described above ) via SSH - there was
an issue where DNS OVER TLS did not work at all or as it should - the resolvers did not connect.
Perhaps the file needs permissions - you can try -

chmod 664 /usr/local/etc/unbound.opnsense.d/unbound_srv.conf

and see how this works out for you

GUARANTEED SOLUTION:

What I did was use WINSCP in order to have this setup perform as intended. Use your
favorite text editor ( I use EditPad Pro ) and copy Unbound Advanced Configuration above -
into a new file labeled -  unbound_srv.conf - Save this file to a local directory on your
computer. Next, follow the steps below :

A - WINSCP into your OPNsense 21.7.1 Firewall via SFTP protocol - SCP will not
connect on OPNsense. Make sure to use SFTP protocol.
Go into ( open )  the directory below on the right side of WINSCP interface :

/usr/local/etc/unbound.opnsense.d/

B - Go into the directory on your computer where you have the unbound_srv.conf file
which you previously created and filled out with the Unbound Advanced Configuration.
This will be on the left side of WINSCP.

C - Drag and Drop unbound_srv.conf ( on the left side of WINSCP ) into the
/usr/local/etc/unbound.opnsense.d/ directory ( which is open )
on the right side of WINSCP. Done - close and exit

This WINSCP method is GUARANTEED to work !!! - I strongly suggest that you choose to
make this your preferred Unbound Advanced Configuration option for OPNsense 21.7.1  !!!

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Easiest Method To Bring Back Unbound Advanced Configuration
For OPNsense 21.7.1 WEBGUI Special Thanks to
cookiemonster from the OPNsense forum.

You can add the mimugmail / opn-repo to your OPNsense 21.7.1 Firewall
found here ( https://tinyurl.com/4r4xdrtp ) see details below :

A - # fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
B - # pkg update
Then either add the plugin os-unboundcustom-maxit from the WEBGUI

C - or issue command # pkg install os-unboundcustom-maxit

Then go to Services > Unbound DNS > Custom Options - you may enter your
Unbound Advanced Configuration entries here - enable Custom Options -
then restart Unbound DNS and then issue the command

D - # /usr/local/etc/rc.d/stubby.sh restart

FYI - the os-unboundcustom-maxit plugin, while adding Custom Options to the WEBGUI, creates
a file named custom-maxit.conf in the /usr/local/etc/unbound.opnsense.d/ directory

ALTERNATE METHOD TO INSTALL mimugmail /opn-repo

Sometimes you may get an ( SSL ) error from the fetch command when trying to add
mimugmail /opn-repo . This is a workaround to add mimugmail /opn-repo manually.

touch /usr/local/etc/pkg/repos/mimugmail.conf
nano /usr/local/etc/pkg/repos/mimugmail.conf

Then enter the contents contained between the lines below :

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

mimugmail: {
  url: "https://opn-repo.routerperformance.net/repo/${ABI}",
  priority: 190,
  enabled: yes
}


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Next after manually adding mimugmail /opn-repo to OPNsense 21.7.1
continue as normal :

# pkg update
# pkg install os-unboundcustom-maxit

You are then all set.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

6 - Next - under System > Settings > General Settings :

A - Set the first DNS Server to 127.0.0.1 with no gateway selected.

Make sure that the DNS server option

B - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not - I repeat - Is Not checked !

and the DNS server option

C - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall - Is Not - I repeat - Is Not checked !

D - Save and Apply

Reboot your router or run command # /usr/local/etc/rc.d/stubby.sh restart

You are all set up now. You are running DNS OVER TLS with GETDNS plus STUBBY
( a fully featured TLS forwarder ) along with an Unbound DNS caching server.
