Netgate Discussion Forum

Problem with DNS over TLS

Category: DHCP and DNS
28 Posts, 5 Posters, 3.5k Views

pietsnot56 wrote:
hi johnpoz,

I did the test again without the custom settings and I got the same problems again.
My settings are identical to those in
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html#configuring-dns-over-tls

Could there be something else wrong?
johnpoz (LAYER 8 Global Moderator) replied to @pietsnot56:

@pietsnot56 not sure what you could be doing.. Click Click and using DoT to 1.1.1.1

[image: test.jpg]

Even did a sniff on WAN to validate talking to them over 853

And can see in the resolver status, it's only talking to them.

[image: resolverstatus.jpg]

edit: now back to normal resolving - not a fan of DoT.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
pietsnot56 wrote:

I have similar results in Status / DNS Resolver with my settings.

Those are absolutely identical to your setup.

Idem for "1.1.1.1/help":

Debug Information
Connected to 1.1.1.1: Yes
Using DNS over HTTPS (DoH): No
Using DNS over TLS (DoT): Yes
Using DNS over WARP: No
AS Name: Cloudflare
AS Number: 13335
Cloudflare Data Center: BRU

Connectivity to Resolver IP Addresses
1.1.1.1: Yes
1.0.0.1: Yes
2606:4700:4700::1111: No
2606:4700:4700::1001: No

Could there be a wrong firewall rule that makes the custom settings necessary?
johnpoz (LAYER 8 Global Moderator) replied to @pietsnot56:

> @pietsnot56 said in Problem with DNS over TLS:
> Could there be a wrong firewall rule that makes the custom settings necessary?

Sure wouldn't think so.. Any firewall rules would apply if using custom or not.. Are you not hitting save somewhere?

You need to set the DNS in General, before you set unbound to forward and DoT mode.
pietsnot56 wrote:

The DNS settings in the "General Setup" are OK.
I have tested several times with and without the custom settings. Only "with" allows me to browse the internet.
As far as I can see all the rest seems to be working correctly: lookup, 1.1.1.1/help, etc.
I don't understand why your settings don't work on my firewall. ???
johnpoz (LAYER 8 Global Moderator) replied to @pietsnot56:

@pietsnot56 the GUI settings do what you're doing in custom..

So I again set this back with a simple click.. And then look in my unbound.conf

```
cat /var/unbound/unbound.conf
```

And you will see this

```
# Forwarding
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

then I undo the check marks and it is gone.

While what you're doing is doing the same thing really - it makes no sense that you would have to use the custom options to get those settings into your unbound.conf file.

You really should be setting the name, or you're not actually going to verify you're talking to Cloudflare.. Are you not doing that with custom?
pietsnot56 wrote:

Hi,

Version 2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE

The system is on the latest version.
Version information updated at Sat Jan 21 14:35:40 -01 2023

DNS Server Settings in General Setup
DNS Servers:

1.1.1.1  cloudfare-dns.com
1.0.0.1  cloudfare-dns.com
.......

DNS Resolution Behavior:

Use local DNS (127.0.0.1), ignore remote DNS Servers

A) Config file

1 ) this is what I have with the "custom settings on" in the config file:

```
# Domain overrides
include: /var/unbound/domainoverrides.conf

# Forwarding
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudfare-dns.com
forward-addr: 1.0.0.1@853#cloudfare-dns.com

# Unbound custom options
server:
private-domain:"plex.direct"
forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
server:include: /var/unbound/pfb_dnsbl.*conf
```

2 ) by erasing the custom settings:

```
# Domain overrides
include: /var/unbound/domainoverrides.conf

# Forwarding
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudfare-dns.com
forward-addr: 1.0.0.1@853#cloudfare-dns.com

# Unbound custom options
server:
private-domain:"plex.direct"
server:include: /var/unbound/pfb_dnsbl.*conf
```

3 ) by unchecking "use SSL/TLS for outgoing...":

```
# Domain overrides
include: /var/unbound/domainoverrides.conf

# Forwarding
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 1.0.0.1
```
B) error file with "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" checked on and without custom settings.
IP6 ????

Can this help you to explain?

```
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 512
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m

prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-port: 853
tls-service-pem: "/var/unbound/sslcert.crt"
tls-service-key: "/var/unbound/sslcert.key"

# Interface IP(s) to bind to
interface-automatic: no
interface: 0.0.0.0
interface: 0.0.0.0@853
interface: ::0
interface: ::0@853

# Outgoing interfaces to be used
outgoing-interface: 178.116.127.35

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf

# Forwarding
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

# Unbound custom options
server:include: /var/unbound/pfb_dnsbl.*conf
server:
private-domain: "plex.direct"

###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf
```
johnpoz (LAYER 8 Global Moderator) replied to @pietsnot56:

> @pietsnot56 said in Problem with DNS over TLS:
> IP6 ????

Where are you putting in IPv6? I do see it in your output you posted.

And looks like you have stuff in there twice

> forward-zone:
> name: "."
> forward-tls-upstream: yes
> forward-addr: 1.1.1.1@853#cloudfare-dns.com
> forward-addr: 1.0.0.1@853#cloudfare-dns.com
> Unbound custom options
>
> server:
> private-domain:"plex.direct"
> server:include: /var/unbound/pfb_dnsbl.*conf
>
> 3 ) by unchecking "use SSL/TLS for outgoing..."
> Domain overrides
>
> include: /var/unbound/domainoverrides.conf
> Forwarding
>
> forward-zone:
> name: "."
> forward-addr: 1.1.1.1
> forward-addr: 1.0.0.1

One would be with TLS the other would not be.. You got something messed up that is for sure..

Your info might be easier to read if you used the code option for text so it's in a specific box vs just long running text..
pietsnot56 wrote:

> @johnpoz said in Problem with DNS over TLS:
> code option for text

"code option for text"
How or where can you choose this option?
johnpoz (LAYER 8 Global Moderator) replied to @pietsnot56:

@pietsnot56

[image: text.jpg]
pietsnot56 wrote:

That's with custom settings on in the config file:

```
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 512
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m

prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"

# Interface IP(s) to bind to
interface-automatic: yes
interface: 0.0.0.0
interface: ::0

# Outgoing interfaces to be used
outgoing-interface: 178.116.127.35

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudfare-dns.com
        forward-addr: 1.0.0.1@853#cloudfare-dns.com

# Unbound custom options
server:
private-domain:"plex.direct"
forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
server:include: /var/unbound/pfb_dnsbl.*conf

###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf
```

Idem, error file:

```
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 512
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m

prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-port: 853
tls-service-pem: "/var/unbound/sslcert.crt"
tls-service-key: "/var/unbound/sslcert.key"

# Interface IP(s) to bind to
interface-automatic: no
interface: 0.0.0.0
interface: 0.0.0.0@853
interface: ::0
interface: ::0@853

# Outgoing interfaces to be used
outgoing-interface: 178.116.127.35

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

# Unbound custom options
server:include: /var/unbound/pfb_dnsbl.*conf
server:
private-domain: "plex.direct"

###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf
```

Sometimes `forward-addr: 1.1.1.1@853#cloudfare-dns.com` with #cloudfare-dns.com at the end,
and in the custom settings `forward-addr: 1.1.1.1@853` without #cloudfare-dns.com.

Can this help us to find the reason?
pietsnot56 wrote:

Thanks everybody,
I found my error: a typo in the DNS name!
This case can be closed.
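The thread's three findings (johnpoz's point that the `#name` after the address is what makes Unbound verify the upstream's certificate, his observation that the root forward-zone appears twice once the custom options are added, and the closing post's typo in that name) can all be caught offline before the config is deployed. The script below is an added example written for this page, not pfSense or Unbound code. It parses the forward-zone stanzas out of an unbound.conf text and reports a duplicated zone, the old `forward-ssl-upstream` spelling, a TLS upstream with no authentication name, and an authentication name that matches none of the names the upstream's certificate is expected to carry. The sample config is constructed from the stanzas posted in the thread, and the `EXPECTED_SANS` table is an assumption for the example; take the real names from the resolver's certificate before relying on the check.

```python
"""Offline lint for the forward-zone stanzas pfSense writes into unbound.conf.

Added example for this thread, not pfSense or Unbound code. Checks for:
the same zone declared twice, the old forward-ssl-upstream spelling, TLS
forwarding with no '#auth-name', and an auth name that cannot match the
upstream certificate (the typo that broke DoT in the thread).
"""
import re

# Constructed sample: the GUI-generated block plus the "custom options" block.
SAMPLE_CONF = """\
# Forwarding
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudfare-dns.com
        forward-addr: 1.0.0.1@853#cloudfare-dns.com

# Unbound custom options
server:
private-domain:"plex.direct"
forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
server:include: /var/unbound/pfb_dnsbl.*conf
"""

# Constructed: the GUI block with the name spelled correctly and nothing duplicated.
FIXED_CONF = """\
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

# Assumption for the example: DNS names each upstream's certificate carries.
# Read them from the real certificate (openssl s_client -connect 1.1.1.1:853)
# rather than trusting this table.
EXPECTED_SANS = {
    "1.1.1.1": ("cloudflare-dns.com", "*.cloudflare-dns.com", "one.one.one.one"),
    "1.0.0.1": ("cloudflare-dns.com", "*.cloudflare-dns.com", "one.one.one.one"),
}

# forward-addr syntax: host[@port][#auth-name]
ADDR_RE = re.compile(r"^(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def parse_forward_zones(text):
    """Return forward-zone blocks in file order as dicts {name, tls, tls_key, addrs}."""
    zones, zone = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # only a leading '#' is a comment; inside forward-addr it marks the auth name
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "forward-zone" and not value:
            zone = {"name": None, "tls": False, "tls_key": None, "addrs": []}
            zones.append(zone)
            continue
        if key == "server" or zone is None:
            zone = None  # back in a server clause; forward-zone keys no longer apply
            continue
        if key == "name":
            zone["name"] = value.strip('"')
        elif key in ("forward-tls-upstream", "forward-ssl-upstream"):
            zone["tls"] = value.lower() == "yes"
            zone["tls_key"] = key
        elif key == "forward-addr":
            m = ADDR_RE.match(value)
            if m:
                zone["addrs"].append((m["host"], int(m["port"] or 53), m["auth"]))
    return zones


def name_matches(auth_name, san):
    """RFC 6125-style match: exact (case-insensitive) or one leftmost wildcard label."""
    auth, san = auth_name.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return "." in auth and auth.split(".", 1)[1] == san[2:]
    return auth == san


def lint(text, expected_sans=EXPECTED_SANS):
    """Return (zone_index, code, message) findings for the forward-zone stanzas in text."""
    findings, seen = [], {}
    for i, z in enumerate(parse_forward_zones(text)):
        if z["name"] in seen:
            findings.append((i, "DUPLICATE_ZONE",
                             f'zone "{z["name"]}" is already declared as zone {seen[z["name"]]}; keep one'))
        else:
            seen[z["name"]] = i
        if z["tls_key"] == "forward-ssl-upstream":
            findings.append((i, "DEPRECATED_KEY", "forward-ssl-upstream is the old alias; use forward-tls-upstream"))
        for host, port, auth in z["addrs"]:
            if not z["tls"]:
                continue
            if auth is None:
                findings.append((i, "NO_AUTH_NAME", f"{host}@{port}: TLS without an auth name; the upstream is encrypted to but never authenticated"))
                continue
            sans = expected_sans.get(host)
            if sans is not None and not any(name_matches(auth, s) for s in sans):
                findings.append((i, "AUTH_NAME_MISMATCH", f"{host}@{port}: '{auth}' matches none of {sans}; the TLS handshake will fail"))
    return findings


if __name__ == "__main__":
    for zone_idx, code, msg in lint(SAMPLE_CONF):
        print(f"zone {zone_idx}: {code}: {msg}")
    print("fixed config findings:", lint(FIXED_CONF))
```

Run against the thread's config, the first zone produces two `AUTH_NAME_MISMATCH` findings for `cloudfare-dns.com`, and the custom-options zone adds a duplicate-zone finding, the deprecated key, and two unauthenticated addresses; the corrected config produces none. The certificate-name check is what the typo in the closing post would have tripped, and the `NO_AUTH_NAME` check is why the custom block "worked": it never verified who answered.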
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.