I need HELP on DNS RESOLVER!

emirefek

@johnpoz Okayyy Im back. I was do some researchs and we cannot pass DNS injection with TLS. Our ISP reseting tcp connetions and we cannot do any http handshake to servers can ping can dig but nothing more. I want to try VPN option now. And I need help on here. You said you need to chose vpn interface am I need to connect another box to pfsense box to use vpn ?

johnpoz

Huh? Your saying they are blocking your TLS to specific nameservers? Sure ok..

Do you have a vpn setup already? You do not need to connect another box to pfsense - but you need a VPN to connect to out on the internet.

emirefek

@johnpoz said in I need HELP on DNS RESOLVER!:

a VPN to c

I have couple trying bucks on gcloud I gonna try it on here. Which vpn type am I need to set?

And In turkish netgate forum I was ask some peoples and they were already try to passthrough with TLS but we can resolve thats hostnames but we cannot do more, ISP isnt allowing handshakes.

johnpoz

Handshakes to what? So your being blocked from talking to 1.1.1.1 on port 843??

You need a vpn box - doesn't matter what type, ipsec, openvpn, L2tp past your blocks if you want to be able to query for dns through that vpn.

bfeitell

This post is deleted!

bfeitell

@emirefek

@gertjan said in I need HELP on DNS RESOLVER!:

https://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp

There are DNS over TLS providers other than CloudFlare and Quad9. Some of them even offer service on port 443, which might be useful if the blocking you are seeing is targeted specifically at DNS and DNS over TLS. You might want to test some of these to see if you can get around the block without resorting to a VPN.

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

emirefek

@johnpoz @bfeitell

Deep Packet Injection. Thats name of what ISP doing. Ve cannot doing more than resolving with TLS. Dns encryption not working useless. Can we setup vpn without any box to pfsense?

johnpoz

No you need something on the other end of the vpn to connect too ;) It could be a service sure.. You can not have a vpn without 2 ends to the tunnel..

It is not possible to do DPI inside a tls tunnel without decryption of the tunnel - ie MITM... So if your saying your ISP/Gov is doing DPI on your traffic inside a tls tunnel a vpn is not going to help you either ;)

Gertjan

Hummm.
Government is decrypting VPN ? Pretty serious then.
I'm pretty sure they can't. The States ..... don't ask ^^
Thy will probably block known VPN end-points ... they are all known.
Or they "discover" initial handshaking when the tunnel is set up, and "drop that.

johnpoz

Yeah its easy enough to block tls to 1.1.1.1, or block traffic to some known vpn service..

So you just fire up some vps somewhere on the internet, then either run some vpn or dns via tls on that vps box you... Highly unlikely they would block say port 443 to some what amounts to some rando IP on the internet..

bfeitell

This post is deleted!

bfeitell

@emirefek

Try this:

Turn off forwarding mode, and DNS over TLS in unbound, because you are going to configure it manually at the top of the "custom options" box.

Add the following text to the "custom options" box:

### TESTING DNS OVER TLS ON PORT 443
server:
tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
forward-zone:
name: "."
forward-ssl-upstream: yes
### SERVERS on non-standard ports from: 
### https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
### ^^^ THREE EXAMPLES FOR PORT 443, CHECK LINK FOR MORE ^^^
forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
forward-addr: 89.234.186.112@443#dns.neutopia.org
### QUAD9 SERVERS
#forward-addr: 2620:fe::fe@853#dns.quad9.net
#forward-addr: 9.9.9.9@853#dns.quad9.net
#forward-addr: 2620:fe::9@853#dns.quad9.net
#forward-addr: 149.112.112.112@853#dns.quad9.net
### CLOUDFLARE SERVERS
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
#forward-addr: 1.1.1.1@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
#forward-addr: 1.0.0.1@853#cloudflare-dns.com

Turn logging up to level 4 on the advanced options page so that you can check that server authentication is taking place. Be sure to turn logging down when you are done. I think that authentication failures may not preclude service, so it is possible that someone could MITM your connection until unbound adds functions to prevent communicating with spoofed servers. At least I recall having read at some point that the functionality isn't there yet.