Problem with DNS over TLS

Uglybrian

I suggest that you go to Netgates U-Tube page. There he will find a video titled ‘’local DNS with PF sense 2.4.’’ at about 36 minutes in there is a DNS over TLS overview. This information is still relative today and gives you a good foundation.

viragomann

@pietsnot56
Configuring pfSense to use DoT on upstream requests is not really a big deal.

You have to ensure to state host names next to the DNS server IPs in System > General. The host names must match that ones the servers SSL certificate, otherwise the requests fail.

And you have to check these two boxes in the Resolvers general settings:

pietsnot56

I will look to the video.

Probably there is something wrong with the certificates.
That's the next thing to investigate.
Aniway thanks a lot from Belgium.

johnpoz

@pietsnot56 clients don't normally do dot, dot is normally for NS to forward to some other NS.. Clients normally want to use doh.. They are completely different things.

If you want your clients to use dot to pfsense, then yeah you would need to create a cert and use that cert and your clients would need to trust it, and they would need to know and use the fqdn you setup in the cert, or the IP in the san, etc. Use or dot or doh inside your network is a bit over the top to be honest. Is your local network hostile? Is someone able to sniff your dns traffic on your local network that is not you?

If you want to use dot for unbound to forward to say clouldfare that is clickly clickly to setup..

What exactly are you trying to accomplish. Your clients would talk to unbound locally via normal dns, and then unbound would use dot to talk to cloudflare dot servers?

pietsnot56

hi,

My problem seems to be resolved:

I saw in the youtube video this custom settings:

"forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853"

By adding this in the service and got this result with 1.1.1.1/help

"Debug Information
Connected to 1.1.1.1 Yes
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) Yes
Using DNS over WARP No
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center BRU
Connectivity to Resolver IP Addresses
1.1.1.1 Yes
1.0.0.1 Yes
2606:4700:4700::1111 No
2606:4700:4700::1001 No"

Browsing on internet is ok now!

thanks for your assistance.

johnpoz

@pietsnot56 said in Problem with DNS over TLS:

I saw in the youtube video this custom settings:
"forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853"

That is old - you no longer need to do that, just need to click the little button. That says forward using tls, and put those in your dns via general.

https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html#configuring-dns-over-tls

pietsnot56

hi johnpoz,

i did the test again without the customs settings and i got the same problems again.
My settings are identical as in those in
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html#configuring-dns-over-tls

Could there be something else wrong?

johnpoz

@pietsnot56 not sure what you could be doing.. Click Click and using dot to 1.1.1.1

Even did a sniff on wan to validate talking to them over 853

And can see in the resolver status, its only talking to them.

edit: now back to normal resolving - not a fan of dot.

pietsnot56

I have similar results in status/ dns resolver with my settings.

Those are absolutly identical to your setup.

idem for "1.1.1.1/help"

Debug Information
Connected to 1.1.1.1 Yes
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) Yes
Using DNS over WARP No
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center BRU
Connectivity to Resolver IP Addresses
1.1.1.1 Yes
1.0.0.1 Yes
2606:4700:4700::1111 No
2606:4700:4700::1001 No
1.1.1.1 FAQ Terms Privacy Policy Purge Cache

Could there be a wrong firewall rule that makes the custom settings necessary?

johnpoz

@pietsnot56 said in Problem with DNS over TLS:

Could there be a wrong firewall rule that makes the custom settings necessary?

Sure wouldn't think so.. Any firewall rules would apply if using custom or not.. Are you not hitting save somewhere?

You need to set the dns in general, before you set the unbound to forward and dot mode.

pietsnot56

The dns settings in the “general setup” are ok.
I have tested several times with and without the custom settings. Only “with” allows me to browsing on the internet.
As far i can see all the rest seems working correcty : lookup, 1.1.1.1/ help, ect.
I don’t understand that your settings doesn’t working on my firewall. ???

johnpoz

@pietsnot56 the gui settings do what your doing in custom..

So I again set this back with simple click.. And then look in my unbound.conf

cat /var/unbound/unbound.conf

And you will see this

# Forwarding
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com

then I undo the check marks and it is gone.

while what your doing is doing the same thing really - it makes no sense that you would have to use the custom options to get those settings into your unbound.conf file

You really should be setting the name, or your not actually going to verify your talking to clouldflare.. Are you not doing that with custom?

pietsnot56

Hi,

Version 2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE

The system is on the latest version.
Version information updated at Sat Jan 21 14:35:40 -01 2023

DNS Server Settings in General setup
DNS Servers
1.1.1.1
cloudfare-dns.com
1.0.0.1
cloudfare-dns.com
.......
DNS Resolution Behavior

Use local DNS (127.0.0.1), ignore remote DNS Servers

A) Config file

1 ) this is what i have with the "custom settings on" in the config file.

Domain overrides

include: /var/unbound/domainoverrides.conf

Forwarding

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudfare-dns.com
forward-addr: 1.0.0.1@853#cloudfare-dns.com

Unbound custom options

server:
private-domain:"plex.direct"
forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
server:include: /var/unbound/pfb_dnsbl.*conf

2. by erasing the custom settings:

Domain overrides

include: /var/unbound/domainoverrides.conf

Forwarding

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudfare-dns.com
forward-addr: 1.0.0.1@853#cloudfare-dns.com

Unbound custom options

server:
private-domain:"plex.direct"
server:include: /var/unbound/pfb_dnsbl.*conf

3 ) by unchecking "use SSL/TLS for outgoing..."

Domain overrides

include: /var/unbound/domainoverrides.conf

Forwarding

forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 1.0.0.1

B) error file with Use SSL/TLS for outgoing DNS Queries to Forwarding Servers checked on and without custm settings.
IP6 ????

Can this help you to expain?

##########################

Unbound Configuration

##########################

Server configuration

server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 512
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m

prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no

Statistics

Unbound Statistics

statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

TLS Configuration

tls-cert-bundle: "/etc/ssl/cert.pem"
tls-port: 853
tls-service-pem: "/var/unbound/sslcert.crt"
tls-service-key: "/var/unbound/sslcert.key"

Interface IP(s) to bind to

interface-automatic: no
interface: 0.0.0.0
interface: 0.0.0.0@853
interface: ::0
interface: ::0@853

Outgoing interfaces to be used

outgoing-interface: 178.116.127.35

DNS Rebinding

For DNS Rebinding prevention

private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10

Set private domains in case authoritative name server returns a Private IP address

Access lists

include: /var/unbound/access_lists.conf

Static host entries

include: /var/unbound/host_entries.conf

dhcp lease entries

include: /var/unbound/dhcpleases_entries.conf

Domain overrides

include: /var/unbound/domainoverrides.conf

Forwarding

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

Unbound custom options

server:include: /var/unbound/pfb_dnsbl.*conf
server:
private-domain: "plex.direct"

Remote Control Config

include: /var/unbound/remotecontrol.conf

johnpoz

@pietsnot56 said in Problem with DNS over TLS:

IP6 ????

Where are you putting in IPv6? I do see it in your output you posted.

And looks like you have stuff in there twice

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudfare-dns.com
forward-addr: 1.0.0.1@853#cloudfare-dns.com
Unbound custom options

server:
private-domain:"plex.direct"
server:include: /var/unbound/pfb_dnsbl.*conf

3 ) by unchecking "use SSL/TLS for outgoing..."
Domain overrides

include: /var/unbound/domainoverrides.conf
Forwarding

forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 1.0.0.1

One would be with tls the other would not be.. You got something messed up that is for sure..

Your info might be easier to read if you used the code option for text so it in specific box vs just long running text..

pietsnot56

@johnpoz said in Problem with DNS over TLS:

code option for text

"code option for text"
how or where can you chose this option?

johnpoz

@pietsnot56

pietsnot56

 that's with custom settings on config file

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 512
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m

prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"

# Interface IP(s) to bind to
interface-automatic: yes
interface: 0.0.0.0
interface: ::0

# Outgoing interfaces to be used
outgoing-interface: 178.116.127.35

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address



# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf



# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
	name: "."
	forward-tls-upstream: yes
	forward-addr: 1.1.1.1@853#cloudfare-dns.com
	forward-addr: 1.0.0.1@853#cloudfare-dns.com


# Unbound custom options
server:
private-domain:"plex.direct"
forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
server:include: /var/unbound/pfb_dnsbl.*conf


###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf

idem error file``

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 512
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m

prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-port: 853
tls-service-pem: "/var/unbound/sslcert.crt"
tls-service-key: "/var/unbound/sslcert.key"

# Interface IP(s) to bind to
interface-automatic: no
interface: 0.0.0.0
interface: 0.0.0.0@853
interface: ::0
interface: ::0@853

# Outgoing interfaces to be used
outgoing-interface: 178.116.127.35

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address



# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf



# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
	name: "."
	forward-tls-upstream: yes
	forward-addr: 1.1.1.1@853#cloudflare-dns.com
	forward-addr: 1.0.0.1@853#cloudflare-dns.com
	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
	forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com


# Unbound custom options
server:include: /var/unbound/pfb_dnsbl.*conf
server:
private-domain: "plex.direct"


###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf

```sometimes 
forward-addr: 1.1.1.1@853#cloudfare-dns.com
with #cloudfare-dns.com at the end

and in the custom settings :
forward-addr: 1.1.1.1@853``
without #cloudfare-dns.com.

can this help us to find the reason?

pietsnot56

Thanks everybody,
I founded my error : a typo in the Dnsname!
This case can be closed.